Publish Email (Exchange On-premises) behind USG FLEX 200 Firewall
Having a very hard time migrating from Sophos UTM to USG FLEX 200. I can't get my Exchange servers to be properly published. I have tried both Virtual Server and 1:1 NAT with limited success. I have 5 static IPs and per the KB, it seems 1:1 NAT is most appropriate, but I am not sure. But the bigger problem is how do I associate my domain-wide SSL certificates with those servers. Apparently quite often when a remote client (Exchange ActiveSync or Outlook Remote) queries for the server certificate, the USG FLEX 200 answers with its own instead. How do I get the USG FLEX 200 to either pass through to the servers themselves to respond, or get it to respond properly with my domain wildcard? I don't see anywhere in either Virtual Server or 1:1 NAT to assign a certificate (which I do have loaded on the USG FLEX 200).
Best Answers
-
The difference between virtual server and 1:1Nat.
https://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=016308&lang=EN
-
AHA -- so for an email server where the IP address matters (because of DKIM, SPF, DMARC, etc.), 1:1 NAT is the way to go.... Thank you again
All Replies
-
ActiveSync uses port 443. Make sure the management port of the FLEX 200 doesn't conflict with 443. Here is a similar post. Follow the steps to change the management port of the FLEX 200 to another.
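A quick way to confirm whether the published IP is handing out the Exchange certificate or the firewall's own, as an added example (not from this thread or from Zyxel): it connects to the public IP on 443 with SNI set to the mail hostname, pulls the leaf certificate's CN and SAN names, and reports whether they cover the expected name under the usual wildcard rule. The `cryptography` package is assumed for DER parsing; the IP and hostname in the usage note are placeholders.

```python
import socket
import ssl


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 wildcard rule: '*' may only replace the whole left-most label."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def diagnose(presented_names, expected_host: str) -> str:
    """'ok' if a presented CN/SAN name covers expected_host, 'wrong-cert' if names came
    back but none match (what the firewall answering with its own cert looks like),
    'no-names' if nothing usable was presented."""
    if not presented_names:
        return "no-names"
    if any(hostname_matches(expected_host, n) for n in presented_names):
        return "ok"
    return "wrong-cert"


def probe_presented_names(ip: str, sni: str, port: int = 443, timeout: float = 5.0):
    """Connect to ip:port with SNI = the mail hostname, return leaf CN + SAN DNS names.
    Verification is off on purpose so a wrong certificate is still returned. Assumes
    the third-party 'cryptography' package (imported lazily; diagnose() needs none)."""
    from cryptography import x509
    from cryptography.x509.oid import ExtensionOID, NameOID

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names += san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    return names
```

Run `diagnose(probe_presented_names("203.0.113.10", "mail.example.com"), "mail.example.com")` for each published IP (placeholder values); a `wrong-cert` result whose names look like the firewall's own is the port-443 collision described in the reply above.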
-
I fixed that and that will likely address the issue with getting the wrong certificate. But I still have two questions -- why use Virtual Server vs. 1:1Nat. The reference article says Virtual Server and several other KBs say 1:1Nat. Not sure which is which.
And the second question is why does the Microsoft Remote Connectivity Analyzer not work? This is very strange... during Autodiscover I get this snippet:
The Microsoft Connectivity Analyzer is probing the TCP endpoint 63.142.58.221 on port 443 to detect which SSL/TLS protocols and cipher suites are enabled.We were able to detect the enabled protocols and cipher suites.Additional DetailsTLS Protocol: SSL v3, Not enabled. TLS Protocol: TLS 1.0, Not enabled. TLS Protocol: TLS 1.1, Not enabled. TLS Protocol: TLS 1.2, Enabled cipher suites: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
But then just seconds later I get this during the actual connect to validate Activesync settings:
The Microsoft Connectivity Analyzer is probing the TCP endpoint 63.142.58.221 on port 443 to detect which SSL/TLS protocols and cipher suites are enabled.We were unable to determine which SSL and TLS protocols are enabled. This is usually because we couldn't connect.
Has me stumped. Does using 1:1NAT force only a single connection? Is there another connection limit?
Thanks for the help so far...
-ed