Hello. Where can I find instructions for publishing OWA, ActiveSync, Outlook Anywhere and AutoDiscover. Myself, I was able to reach only certificates. I added on fortigate root certificate and certificate exchange. Next, I need to publish services. How do I do it. My device - fortigate 100d Firmware - v5.2.0, build0589 Exchange 2010 sp3
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi all
if you like to go for TMG replacement meaning the feature you used on the TMG you would like to implement on the FGT based on SSL Offloading for OWA and ActiveSync there is a document which tells you exactly step by step how to configure the stuff on the FGT. The document is called "How_to_configure_TMG_features_on_FGT.pdf". What is from my point of view important to know is that there was a change within the sig on Fortinet site which means normally you use within the application profile ActiveSync and SSL and/or SSLv2. At 13. May 2015 even it was running since month this configuration stopped working for IOS device only (customer feedback all at the same time). All customers are working with IOS 8.3 and no other device is impacted like android etc. Of course the virtual server can be troubleshooted with diag debug application vs -1 but the situation was indicating that something changed for the sig used. Because of this I was open a ticket and after some discussion I received the answer to ADD the sig HTTPS.BROWSER to the ActiveSync and SSL/SSLv2 because the SSL sig does not support anymore some stuff which means SSL sig part was moved to HTTPS.BROWSER. This sig is available over 5.2 by standard and also if you use 5.0 and even you would not see it you can download the IPS db manually and import it over the FortiGuard FGT site. DB can be found for 5.0 at link:
'5.00_000_6.648' available on https://support.fortinet.com > Download > FortiGuard Service Updates > V5.00
From this what I received by TAC the document from Fortinet "How_to_configure_TMG_features_on_FGT.pdf" is not anymore up to date. On my site I have forward the information to test on customer site but so far NO FEEDBACK yet from this point of view this what is written here is NOT YET confirmed. What I also received from TAC is following:
HTTPS.BROWSER => HTTP sessions with packet structure like GET/POST /xxxx/yyyy/ HTTP/1.1 User-Agent: xxxxx Host: xxxx ...... over SSL. SSL => Any non HTTP session, e.g. a proprietary protocol, over SSL. With the new HTTPS.BROWSER signature, most of the traffic is going to fall under it instead of SSL.
This would confirm why it does not anymore work with ActivSync and SSL sig because in SSL sig NEW some part are missing and therfore HTTPS.BROWSER has to be added.
This for your info...will update as soon as I have from customer a feedback.
have fun
Andrea
Andrea,
what about the https redirect and authentication with domain ?
got issues there?
Hi
no issue there only based on sig which means if you remove the both at the moment sig ActiveSync and/or SSL/SSLv2 all is working fine with IOS devices this confirms is sig based.
hope this helps
have fun
Andrea
actually I'm not using any app ctrl or ips or inspection there.
I should not need it right? (only if I need to inspect traffic for security reason, but I'm not that point yet)
Hi
as I said only if you are doing ssl-offloading meaning offloading encrypted traffic. Only in this way you are able to look into the TCP header and if you use so you can define if in application header ActiveSync and/or SSL/SSLv2 allow all other ones block. In this way you are sure that only related traffic is going to the Exchange and nothing else meaning nobodiy can inject within https something else. This is this what normaly TMG did and can be done on the FGT but needs some performance and of course certificate from Exchange on the FGT and the public cert from Exchange on the device which connects. Actually it is the same as you use for explicit proxy doing man of the middle but the otherway arround.
hope this helps
have fun
Andrea
Yes Andrea, thanks.
I'm exactly doing like that. I do offload with wanopt and ssl certs exchange (import cert etc etc)
Thanks
Hi
I confirm it works which means do following:
# execute update-ips
After some minutes check if all versions are up to date (min 6.648 for Attack definition):
# get system auto-update versions
After that go to your existing profile and open it. Add HTTPS.BROWSER to the ActivSync (you will only find this sig if you enable ALL Categories which is not the case by standard. The HTTPS.BROWSER is in the Web.Others which you can not see by default and which is not activated by default). Activate the profile again in corresponding policy and thats it...is working out of the box.
kind regards
have fun...
Andrea
Hi,
I still have ISA proxy, so it should be replaced, for publishing sharepoint; OWA, ActiveSync and AutoDiscover for exchange 2010. Is Fortigate a full working solution for that ? or better to use FortiWeb ?
ps. We also have windows mobile other then IPhone and Android.
FGT 5.0.11
hi!
from my experience FGT 5.2 does not redirect links (for example mail.mycompany.com is not redirect to https://mail.mycompany.com/owa ) and the autodiscover did not work with a lot of android / ios devices. (Indeed TMG fixed the autodiscover needs of filling the domain name and mail server name).
We had to write internally a plugin to fix all this stuff and migrate to FGT
Just put an index.html redirect in the inetpub/wwwroot/ or your CAS server to redirect like this:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <httpRedirect enabled="false" destination="/exchange" exactDestination="false" /> </system.webServer> </configuration>
We are using Exchange 2007 so /exchange in the above code might be /owa or /exchweb for your version. This takes care of the forward for you.
oliverlag wrote:hi!
from my experience FGT 5.2 does not redirect links (for example mail.mycompany.com is not redirect to https://mail.mycompany.com/owa ) and the autodiscover did not work with a lot of android / ios devices. (Indeed TMG fixed the autodiscover needs of filling the domain name and mail server name).
We had to write internally a plugin to fix all this stuff and migrate to FGT
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.