This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alexander_Lario
Explorer
‎2022-07-15 02:54 AM

Reverse Proxy, Exchange publush

Good day,


I am trying to publish a Microsoft Exchange server using ReverseProxy Check Point ver. – R80.40.
• Stand scheme:

Stand scheme.JPG

• Mobile Access portal address: https://sslvpn.infopark.uno

sslvpn.infopark.uno.jpg

• ReverseProxy rules:

ReverseProxy rules.jpg

Cannot connect from Outside_PC using Microsoft Outlook.

  • Logs:

logs.jpg

Do I understand correctly that when creating application Outlook_Anywhere in Reverse_Proxy, the necessary rules should be created automatically?

0 Kudos
13 Replies
_Val_
Admin
Admin
‎2022-07-17 11:08 PM

Yes and no.

Yes - for Mobile Portal configuration, there is nothing to add

No - you still need corresponding network security rules for the connectivity required.

0 Kudos
Alexander_Lario
Explorer
‎2022-07-17 11:53 PM
In response to _Val_

Thanks for your reply. The only rule that currently exists is this rule - allow everything.

rules.JPG

0 Kudos
_Val_
Admin
Admin
‎2022-07-17 11:59 PM

Please make sure you looked into sk110348

0 Kudos
Alexander_Lario
Explorer
‎2022-07-18 12:27 AM
In response to _Val_

Yes, I know about this sk. I also know about the Mobile Access Administration Guide R80.40.

 

0 Kudos
_Val_
Admin
Admin
‎2022-07-18 02:52 AM
In response to Alexander_Lario

By "know" you mean, "I read through and did not find a solution"?

What is the error on the client side? Any logs/errors on Exchange server? Are you using OWA or something else? What HTTPS logs above say?

0 Kudos
Alexander_Lario
Explorer
‎2022-07-18 05:22 AM
In response to _Val_

These guides didn't help me.

What is the error on the client side?

I'am using an "Exchange" connection type.

1.JPG

 An error after connection attempt:

2.JPG

Any logs/errors on Exchange server?

I record traffic using wireshark which is installed to Exhange machine at the time of connection. I don't see any attempts to access Exchange from the IP addresses of the external workstation or the internal ip address of the Check Point.

Are you using OWA or something else?

Yes, we can try to connect to OWA through external IP address of Check Point. Connection attempt failed from the Outside_PC station.

What HTTPS logs above say?

These are logs at the time of connection from the workstation Outside_PC with Outlook.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-07-18 09:13 AM

It's not clear why the PC is not connecting.
What troubleshooting have you done?
Might want to start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
Alexander_Lario
Explorer
‎2022-07-22 02:34 AM
In response to PhoneBoy

I looked at debug - arrival of Reverse Proxy requests to Reverse Proxy apache. There it was seen that requests were coming to autodiscover.infopark.uno. I added autodiscover.infopark.uno and mail.infopark.uno to ReverseProxy rules.

This is what the rules look like now:

1.JPG

After that, it was possible to connect using Outlook from Outside_PC. 

I removed all access rules from firewall and NAT:

2.JPG

3.JPG

5.JPG

4.JPG

This is a great victory. I have spent a lot of time on this task. Thank you so much for your help.

However, I think there are some difficulties.
Now I can open /owa and/ecp via https://mail.infopark.uno/owa , /ecp. This is the problem because these things have to be
published through the SSL portal.

Do I understand correctly that there is no way I can deny direct access to /owa and/ecp now?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-07-22 09:29 AM
In response to Alexander_Lario

That’s correct, you don’t have any user level access control with Reverse Proxy features.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
anstelios
Collaborator
‎2022-07-19 02:29 PM

I believe your Mobile Access Portal URL on SmartConsole and the External Server Name on the Reverse Proxy rule should not be the same.

You should change  the External Server Name on the Reverse Proxy rule to something different than https://sslvpn.infopark.uno (like https://extmail.infopark.uno) that should of course resolve to the same IP (Checkpoint's external IP)

0 Kudos
Alexander_Lario
Explorer
‎2022-07-20 02:28 AM
In response to anstelios

I changed External Server Name on the Reverse Proxy rule:

1.JPG

nslookup from Outside_PC:

2.JPG

Ping from Check Point gw:

3.JPG

but no positive effect. I still can't see any logs with wireshark on Exchange machine.

Check point GW logs at the time of the request:

4.JPG

0 Kudos
Alexander_Lario
Explorer
‎2022-07-20 05:02 AM
In response to Alexander_Lario

I can go to https://mail.infopark.uno/owa , the OWA Exchange page opens,

I can go to https://mail.infopark.uno/ecp , the ECP Exchange page opens.

reverseproxy logs are visible at the time of connection:

6.JPG

But attempts to connect using Outlook are still unsuccessful.

 

0 Kudos
_Val_
Admin
Admin
‎2022-07-20 05:24 AM
In response to Alexander_Lario

So it is probably not your FW that is at fault.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top