Zywall 110 microsoft exchange activesync problem

Rene_Kroes
Rene_Kroes Posts: 2  Freshman Member
First Comment
edited April 2021 in Security
Hi Community,

I installed a Zywall-110 in our network to improve security of our company network.
For this we did not have a proper firewall and only a modem from our isp. After having configured everything and having the zywall110 installed in the network everything worked fine. Except that the mobile devices can no longer connect to the exchange via internet.

I have read that this may have to do with the https request time out setting. Unfortunately, I can not find any settings in the zyall110 here.

Can you help me with this problem because I do not know where to look anymore.

thanks in advanced,

Rene Kroes

All Replies

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    50 Answers 500 Comments Friend Collector Fourth Anniversary
    Hello Rene Kroes,
    I think you already created the same topic on ZyWALL USG Series page.
    The suggestion please check 
    https://businessforum.zyxel.com/discussion/951/mobile-devices-cant-connect-to-exchange-server#latest
    Charlie

  • Rene_Kroes
    Rene_Kroes Posts: 2  Freshman Member
    First Comment
    thanks, Charlie,

    indeed a colleague has also ended up on this forum with this problem.

    we will get started with the answer!

    greeting,
    Rene

  • vdbm2
    vdbm2 Posts: 6  Freshman Member
    First Comment Second Anniversary
    I think this is due following as mobile it launches an so called app or extension, the reality is that it's just a connect with the difference the parent is the browser , because a browser has to do what originaly was made , by the W3C HTML static pages displaying into the window , so a webserver allow a connect TCP over port 80 or 443 but this is not a requirement as ya look into what the url stands for has no relation with TCP/IP , but all TCP ports under 1024 are reserved , so they assigned port 80 for connecting to webservers laters on 443 the difference lies not on the TCP port but what http://<prefix>."domain".<suffix > , so a site talks over TCP but TCP is a connected port meaning once connected the port stays open, now if you listen on port 80 and 443 on a web server this makes as it's designed for static data a max off 6 TCP ports once the html is all sended the server drops these TCP ports because the max connects is in IP4 65535 TCP connections. This is very important since a browser today also service servers uses so your mobile app is build for the UI on a webserver ,the content comes from a REST or SOAP,in JSON or XML, these ports are for mail when Internet was no chaos like now agreed using pop3 or TCP 110 incomming mail and TCP 25 SMTP outgoing, together with relays your mail which is based on same html paradigm but uses so called mx records since the package can travel from user@domain.xxx , this is on mobile therotecily possible but due Exchange the mail was for microsoft an opportunity to use IMAP TCP 450 that can travels outside the DNS as mail but binds users on the MS servers as no relay server from a offical dns.<country> is allowed hosting so called root-it or most known DynDNS servers , if your mobile is apple it runs safari as UI IOS desktop is a simple pre rendered safari , same with any MS version after 95 using .NET as desktop shell (stolen by Netscapes open source btw) , as MS had no browser IE was never meant to have a function but the WEB was a danger for MS as OS running single desktop as OS ,and NETBIOS has no WWW connect same for Novell IPX/SPX , the TCP/IP is designed to travel as data but can split the data in fragments , so depending on the router and provider this was the fastest way to move data from LAN to WAN the .nl or .it,.fr tells the package don't stop on every country since it contains .fr and is in germany the dns server of germany will help the fragment forwarding to the fastest path so it reaches .fr France , So what you do with Zyxel as router is same only your borders ends when the WAN port is outgoing , now incomming is by default handled through the Zywall as DNS,ICMP,RIP NP,and outgoing rule was not denyed as "match default" , but otgoing traffic slips the Zywall by usng UDP and broadcast every port to mDNS , so the LAN has outgoing standard TCP 80,443 allowed for web, UDP has no connection so incomming was no danger, today the browser or exchange lives on the web but doesn't follow the rules , so as ya may remember wannacry was targetted to IMAP servers port 450 , as reaction off the www stands for public purpuse and not for inboxing an open standard into a commercial company trying isolating users on a public system, since 2015 the W3C rules are then no open standard anymore Android is owned by Google inc. And as all what Google launches had nothing to do with open source and free of charge , yahoo and netscape were the web search and browser, free off charge, suddenly Google popped up and today people say I google it ( do a search on yahoo your results will have more hits , this is same for msn,bing,live,iTunes (that cashes 30% commision on every transaction a app sells , but as iTunes originaly targetted music as portal 30% commission on every track off a CD album is $$$$$$$) Same happens with android devices all vendors using android now work for Google as android was free but copyrighted , win mobile tries now a third attempt by win10 and UWP isolating users on theire devices, this makes it as security that your mobile uses not outlook like inside and is protecting incomming or outgoing that don't uses dns port 53 blocked by the firewall policies , and not against SPAM or whatever but the browser sends to the googlecontent.com and googleanalytics,your inside port 80 443 as outgoing allowed but if it uses a dns not known by the zywall it wil block , so this is a long answer but I DO THIS AS DEVELOPPER think very hard before making the rule WAN to LAN source any destination HOST EXCHANGE service IMAP 450 as this opens port 450 incomming  the outgoing must also be allowed , but the Zywall doesn't check the content, so open this in out can litterly make a DoS attack from inside , Zyxell has with Kaspersky the best relation as detecting malicious mail and data using IMAP but sends as content something alse will protect ya from incomming traffic through the WAN , most users think the LAN is no danger zone , in fact the risk off attack is higher as every IP is allowed connecting to port 80,443, but once the connect is made the Zywall doesn't know it is an attack since it passes the outgoig port designed for webtraffic , he will block incomming traffic but the TCP port outgoing and stays connected is not a violation but your connect to a site targets one port 80 or 443 , on your inside it will randomly take an available port so the connect is open , but stays open 
    if you define the rule aloowed From Lan to any (excludingà zywall source any destination any 
    will litterly making an explosion off trafic and stopping services on exchange , but luckily we have zyxel and zyxel also has developpers knowong the TCP/IP as protocol behaving so as solution you have Zones LAN1 LAN2 and DMZ and 1 or 2 WAN , if you place the exchange in ZONE LAN2 and use DHCP by MAC binding you can define the servers IP interface not o the server but on the Zyxel so standard 1192.168.2.33 has a dhcp pool for 200 due MAC binding the zywall will watch these IP and report abnomality you can assign your IP this way the HOST server placing in DHCP and on a switch,hub, depends on your servers but the IP will be assigned to this server and all trying same IP contact will be dropped , so all the servers on a LAN and placing this LAN into the port LAN2 zonde LAN2, for all workplaces you have already a LAN so putting that on LAN1 zone LAN1 (I strongly advice same IP MAC binding,but thats up to you if you don't do this virtual IP will pass and the rule will not protect your LAN1 , but setting rule LAN1 to LAN2 will be handled through the zywall , the gateway on LAN 1 must be different than LAN 2 else it makes no effect, if you follow then this ZONE rule and set you exchange as HOST destination , with services in group that the server has to process it's LAN1 to LAN 2 source LAN1_SUBNET,destination HOST address off the exchange server and services setting this to allowed next rule you make WAN to LAN2 same allow 3th rule Any to LAN2 destination HOST exhange sevrer all ports deny
    for the admin very important define a ZONE to ZYWALL source is the pc or device that you assign as long you set services http and https allowed followed by a rule same ZONE to Zywall but any any all ports deny, else you allow any user entering the zyxell, don't think on it's protected by password as it can attack the zywall by a simple app knowing the gateway is also LAN to Zywall every device able connecting and overprocessing the zyxell , and certainly if approaching with browsers like chrome,Edge,..., as the UI is a WEB SPA based on Sencha frameework extjs , so be sure first placing the startup-config.conf as file you can open it as it's just text but it defines your config and rules , and be sure off your DNS as 8.8.8.8 is no DNS confirmed by the W3C it's googles domain and no government can stop this simply the web is global but the world has borders so 8.8.8.8 is a com and has in every country several DNS servers that asks the DNS master all domains but resolves it in other countrys under a IP without domain located in Japan, Korea,India, and by geolocation pinpointing your data a route so it passes google that grabs the data and forwards it.
    don't think https protects you as everyone believes i'm having on all platforms so called beta version today called insider , chrome releases every week WIn10 every 3 months so open a simple service like groove today spotify is replacement for groove , open spotify , Skype comes in,Google,and WinStore with akawai as sreaming service all using TCP 80,443 but not for web , purpose , I live in Belgium and have direct contact with the dnsmasterof DNS.BE by phone as this happens in sice the first time ever , he knows me but traffic was always by mail ,so he can make a formal violation , but that's all he can do , but we work on a real kill-zone without harming users but litterly all "ghost" servers labelling a ticket EOL :) , and giving people back controll ,as I run a company myself but stopped 

Security Highlight