Publish Email (Exchange On-premises) behind USG FLEX 200 Firewall

EdC
EdC Posts: 3
Having a very hard time migrating from Sophos UTM to USG FLex 200.   I can't get my Exchange servers to be properly published.  I have tried both Virtual Server and 1:1NAT with limited success.  I have 5 Static IPs and per the KB, it seems 1:1Nat is most appropriate, but I am not sure.  But the bigger problem is how do I associate my domain-wide SSL certificates with those servers.  Apparently quite often when a remote client (Exchange ActiveSync or Outlook Remote) queries for the Server Certificate, the USG Flex 200 answers with its instead.  How do I get the USG Flex 200 to either pass through to the servers themselves to respond, or get it to respond properly with my domain wildcard?  I don't see anywhere in either Virtual Server or 1:1NAT to assign a certificate (which I do have loaded on the USG Flex 200)

Best Answers

All Replies

  • jasailafan
    jasailafan Posts: 189  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    ActiveSync uses port 443. Make sure the management port of flex 200 doesn't not conflict with 443. Here is a similar post. Follow the steps to change the management port of flex 200 to another.   
  • EdC
    EdC Posts: 3
    I fixed that and that will likely address the issue with getting the wrong certificate.  But I still have two questions -- why use Virtual Server vs. 1:1Nat.  The reference article says Virtual Server and several other KBs say 1:1Nat.  Not sure which is which.

    And the second question is why does the Microsoft Remote Connectivity Analyzer not work?  This is very strange... during Autodiscover I get this snippet..

    The Microsoft Connectivity Analyzer is probing the TCP endpoint 63.142.58.221 on port 443 to detect which SSL/TLS protocols and cipher suites are enabled.
    We were able to detect the enabled protocols and cipher suites.
    Additional Details
    TLS Protocol: SSL v3, Not enabled. TLS Protocol: TLS 1.0, Not enabled. TLS Protocol: TLS 1.1, Not enabled. TLS Protocol: TLS 1.2, Enabled cipher suites: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    But then just seconds later I get this during the actual connect to validate Activesync settings:

    The Microsoft Connectivity Analyzer is probing the TCP endpoint 63.142.58.221 on port 443 to detect which SSL/TLS protocols and cipher suites are enabled.
    We were unable to determine which SSL and TLS protocols are enabled. This is usually because we couldn't connect.

    Has me stumped.  Does using 1:1NAT force only a single connection?  Is there another connection limit?  

    Thanks for the help so far... 

    -ed

  • jasailafan
    jasailafan Posts: 189  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
  • EdC
    EdC Posts: 3
    Answer ✓
    AHA -- so for an email server where IP address matters (because of DKIM, SPF, DMARC, etc.  1:1Nat is the way to go....   Thank you again

Security Highlight