- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: publishing OWA, ActiveSync, Outlook Anywhere ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
publishing OWA, ActiveSync, Outlook Anywhere and AutoDiscover.
Hello. Where can I find instructions for publishing OWA, ActiveSync, Outlook Anywhere and AutoDiscover. Myself, I was able to reach only certificates. I added on fortigate root certificate and certificate exchange. Next, I need to publish services. How do I do it. My device - fortigate 100d Firmware - v5.2.0, build0589 Exchange 2010 sp3
Labels:
- Labels:
-
5.2
- « Previous
-
- 1
- 2
- Next »
19 REPLIES 19
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all
if you like to go for TMG replacement meaning the feature you used on the TMG you would like to implement on the FGT based on SSL Offloading for OWA and ActiveSync there is a document which tells you exactly step by step how to configure the stuff on the FGT. The document is called "How_to_configure_TMG_features_on_FGT.pdf". What is from my point of view important to know is that there was a change within the sig on Fortinet site which means normally you use within the application profile ActiveSync and SSL and/or SSLv2. At 13. May 2015 even it was running since month this configuration stopped working for IOS device only (customer feedback all at the same time). All customers are working with IOS 8.3 and no other device is impacted like android etc. Of course the virtual server can be troubleshooted with diag debug application vs -1 but the situation was indicating that something changed for the sig used. Because of this I was open a ticket and after some discussion I received the answer to ADD the sig HTTPS.BROWSER to the ActiveSync and SSL/SSLv2 because the SSL sig does not support anymore some stuff which means SSL sig part was moved to HTTPS.BROWSER. This sig is available over 5.2 by standard and also if you use 5.0 and even you would not see it you can download the IPS db manually and import it over the FortiGuard FGT site. DB can be found for 5.0 at link:
'5.00_000_6.648' available on https://support.fortinet.com > Download > FortiGuard Service Updates > V5.00
From this what I received by TAC the document from Fortinet "How_to_configure_TMG_features_on_FGT.pdf" is not anymore up to date. On my site I have forward the information to test on customer site but so far NO FEEDBACK yet from this point of view this what is written here is NOT YET confirmed. What I also received from TAC is following:
HTTPS.BROWSER => HTTP sessions with packet structure like GET/POST /xxxx/yyyy/ HTTP/1.1 User-Agent: xxxxx Host: xxxx ...... over SSL. SSL => Any non HTTP session, e.g. a proprietary protocol, over SSL. With the new HTTPS.BROWSER signature, most of the traffic is going to fall under it instead of SSL.
This would confirm why it does not anymore work with ActivSync and SSL sig because in SSL sig NEW some part are missing and therfore HTTPS.BROWSER has to be added.
This for your info...will update as soon as I have from customer a feedback.
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Andrea,
what about the https redirect and authentication with domain ?
got issues there?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
no issue there only based on sig which means if you remove the both at the moment sig ActiveSync and/or SSL/SSLv2 all is working fine with IOS devices this confirms is sig based.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
actually I'm not using any app ctrl or ips or inspection there.
I should not need it right? (only if I need to inspect traffic for security reason, but I'm not that point yet)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
as I said only if you are doing ssl-offloading meaning offloading encrypted traffic. Only in this way you are able to look into the TCP header and if you use so you can define if in application header ActiveSync and/or SSL/SSLv2 allow all other ones block. In this way you are sure that only related traffic is going to the Exchange and nothing else meaning nobodiy can inject within https something else. This is this what normaly TMG did and can be done on the FGT but needs some performance and of course certificate from Exchange on the FGT and the public cert from Exchange on the device which connects. Actually it is the same as you use for explicit proxy doing man of the middle but the otherway arround.
hope this helps
have fun
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes Andrea, thanks.
I'm exactly doing like that. I do offload with wanopt and ssl certs exchange (import cert etc etc)
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I confirm it works which means do following:
# execute update-ips
After some minutes check if all versions are up to date (min 6.648 for Attack definition):
# get system auto-update versions
After that go to your existing profile and open it. Add HTTPS.BROWSER to the ActivSync (you will only find this sig if you enable ALL Categories which is not the case by standard. The HTTPS.BROWSER is in the Web.Others which you can not see by default and which is not activated by default). Activate the profile again in corresponding policy and thats it...is working out of the box.
kind regards
have fun...
Andrea
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I still have ISA proxy, so it should be replaced, for publishing sharepoint; OWA, ActiveSync and AutoDiscover for exchange 2010. Is Fortigate a full working solution for that ? or better to use FortiWeb ?
ps. We also have windows mobile other then IPhone and Android.
FGT 5.0.11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi!
from my experience FGT 5.2 does not redirect links (for example mail.mycompany.com is not redirect to https://mail.mycompany.com/owa ) and the autodiscover did not work with a lot of android / ios devices. (Indeed TMG fixed the autodiscover needs of filling the domain name and mail server name).
We had to write internally a plugin to fix all this stuff and migrate to FGT
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just put an index.html redirect in the inetpub/wwwroot/ or your CAS server to redirect like this:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <httpRedirect enabled="false" destination="/exchange" exactDestination="false" /> </system.webServer> </configuration>
We are using Exchange 2007 so /exchange in the above code might be /owa or /exchweb for your version. This takes care of the forward for you.
oliverlag wrote:hi!
from my experience FGT 5.2 does not redirect links (for example mail.mycompany.com is not redirect to https://mail.mycompany.com/owa ) and the autodiscover did not work with a lot of android / ios devices. (Indeed TMG fixed the autodiscover needs of filling the domain name and mail server name).
We had to write internally a plugin to fix all this stuff and migrate to FGT
Fortigate 1240B
FAZ 4000A
Fortigate 1240B FAZ 4000A
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Exchange 2016 mfa for activesync/mapi 1492 Views
- Activesync publication. 1847 Views
- ... 37216 Views
Labels
-
FortiGate
6,772 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
581 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
347 -
FortiClient EMS
274 -
FortiMail
265 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
162 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
23 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.