A question for the uberdorks in the group

Guest 71airstrike

I'm running into brick walls with this one; I need help. OK, here is the scoop: I've got a client that can't get their OWA working from the outside.

Here are the facts: Win 03 Standard with Exchange 03 and IIS running on the box.

When I type in http://domain.com/exchange from the outside

I get an error 403;3 "you need to use SSL, you dummy".

OK, I enter https://domain.com/exchange from the outside

I get an error 400 "Bad address, page cannot be found".

Here is the kicker: if I use https://domain.com/exchange from the local network all is well; I get directed to the OWA login page.

The odd part is the CA I get from the local network is issued from the local server, but when trying from the outside the CA I get is issued from the Fortinet firewall. I dunno if the firewall is tweaking the name as its security or if it's generating a CA to establish its own SSL communication?

Any advice to get me in the right direction would be appreciated

Cheers

Chad

OK, OK, I thought my first response was pretty funny.

Can I ask a question in response to this?

If you are OK on the inside but not on the outside, it sounds like the firewall is giving out the "token" or CA as you call it, but the firewall is not permitting outside traffic in. It could be a small tweak on the router (or firewall, if it's a software firewall).

Also, do you have the correct tunneling protocol on the workstation to allow that? I think you need PPP installed if you don't have a direct connection to the inside (like dialing in with a modem to the server), or is it PPTP? Oh crap, I don't remember. I'm sure I'll read it again in my book tonight!

Guest 71airstrike
If I were you I'd call your help desk!

Har har har. I am the help desk, beeeotch.

If you are OK on the inside but not on the outside, it sounds like the firewall is giving out the "token" or CA as you call it, but the firewall is not permitting outside traffic in. It could be a small tweak on the router (or firewall, if it's a software firewall).

CA = Certificate Authority.

The firewall is hardware based. It normally keeps port 443 (SSL + HTTP = HTTPS) closed until a proper request is made from the inside out to open it up for this session.

Example:

Inbound request from the outside world on http://bla.com/exchange (port 80).

The FW sees it's a proper destination and passes it through.

The server that handles this (IIS in this scenario) sees the request but is snobby and will only communicate via HTTP with SSL (ergo HTTPS). It will send back a redirect command to the Internet browser of the person who made the request. That redirect says "I don't talk in public, I only talk dirty in private, meet me at port 443". The IIS will make a command to the firewall: "Hey buddy, I've got this John coming through on port 443. This is his IP. Here is $20 to let him pass".

Once the browser of the requester (the John) arrives, the FW will let him pass. The IIS will issue a CA that this person can be trusted and the Secure Socket Layer can now be established. Let the dirty talking commence.

In my case the redirect is not happening. When I enter in HTTPS by hand I am making an SSL connection to the FW but not the IIS.

Chad

Have you tried switching to synthetic blinker fluid?

Who knows, stranger things have happened!

Where's the spel chek when you need it!

OK, OK, it sounds like the firewall appliance is not doing the hand-off. Is he sure he knows he's the traffic cop? If the theory you describe were to work, it sounds pretty self-explanatory, but what I don't get is that it's sending a redirect. Is it automatic, or is it actually sending back a link to click on to go "private"?

And something else:

That redirect says "I don't talk in public, I only talk dirty in private, meet me at port 443". The IIS will make a command to the firewall: "Hey buddy, I've got this John coming through on port 443. This is his IP. Here is $20 to let him pass".

How does IIS send a command to the firewall if the user is never getting past the firewall to the IIS? Does that make sense? Something appears to be out of order.

If what you describe is really happening, it sounds like you have the IIS doing a job it shouldn't be doing. That job needs to be done by the firewall, THEN pass it to IIS.

Well, I am not one of those certificate-carrying uberdorks for network, but doesn't port 443 have to be open and directed to your web server for HTTPS to actually get to the web server?

I only work on simple Fireboxes that have firewall and Network Address Translation. We just take incoming 443 on the external IP address and route it to an internal IP address, and that's it.

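A check that follows from the last two posts (Chad's walk-through of the port-80 redirect and port-443 hand-off, and the "forward incoming 443 to the internal IP" answer directly above), added here as an example and not code from the thread: grab the certificate presented on 443 from inside and from outside and compare SHA-256 fingerprints. If they match, the outside session lands on the same TLS listener as the inside one and the problem is on the IIS/OWA side; if they differ, something else (here the FortiGate) is answering 443 and the inbound 443 forward to the Exchange box is what needs fixing. The host names, file names and the two sample "certificates" are constructed assumptions; the samples are just bytes in PEM armour so the script runs offline, not real X.509.

```python
"""Where does TCP/443 from the Internet actually end up: on IIS, or on the firewall?

Added example, not from the thread. From each vantage point (LAN and Internet),
fetch the leaf certificate presented on port 443 and compare fingerprints.
Host names, file names and the sample PEM blobs below are assumptions."""
import base64
import hashlib
import socket
import ssl
import sys


def fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, colon-separated the way
    `openssl x509 -noout -fingerprint -sha256` prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fetch_pem(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate host:port presents, without validating it.
    We want to see an untrusted / firewall-issued cert if that is what answers."""
    socket.setdefaulttimeout(timeout)
    return ssl.get_server_certificate((host, port))


def diagnose(inside_pem: str, outside_pem: str) -> dict:
    """Compare the certs seen from the two vantage points and say where 443 ends up."""
    fp_in, fp_out = fingerprint(inside_pem), fingerprint(outside_pem)
    if fp_in == fp_out:
        verdict = "same-cert"
        hint = "443 reaches the same listener from both sides; look at IIS/OWA, not the firewall"
    else:
        verdict = "different-cert"
        hint = "outside TLS terminates elsewhere (firewall/VIP); fix the inbound 443 forward to the Exchange box"
    return {"inside": fp_in, "outside": fp_out, "verdict": verdict, "hint": hint}


# --- constructed sample data so the module runs offline (these are NOT real certs) ---
def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour; enough for fingerprinting, not X.509."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


SAMPLE_INSIDE_PEM = _fake_pem(b"constructed: cert issued by the Exchange box's own CA")
SAMPLE_OUTSIDE_PEM = _fake_pem(b"constructed: cert issued by the FortiGate")


def main(argv: list) -> int:
    """Usage:
      probe HOST [PORT]               fetch the cert, print PEM on stdout (redirect to a file)
      compare INSIDE.pem OUTSIDE.pem  print the diagnosis; exit 0 only for same-cert"""
    if len(argv) >= 2 and argv[0] == "probe":
        port = int(argv[2]) if len(argv) > 2 else 443
        pem = fetch_pem(argv[1], port)
        sys.stderr.write(f"{argv[1]}:{port} sha256 {fingerprint(pem)}\n")
        sys.stdout.write(pem)
        return 0
    if len(argv) == 3 and argv[0] == "compare":
        with open(argv[1]) as f_in, open(argv[2]) as f_out:
            result = diagnose(f_in.read(), f_out.read())
        for key in ("inside", "outside", "verdict", "hint"):
            print(f"{key:8} {result[key]}")
        return 0 if result["verdict"] == "same-cert" else 1
    print(main.__doc__)
    print("demo with constructed data:", diagnose(SAMPLE_INSIDE_PEM, SAMPLE_OUTSIDE_PEM)["verdict"])
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run `python owa_tls_probe.py probe owa.domain.com > inside.pem` on the LAN, the same from outside into `outside.pem`, put the two files together and run `compare`. A stateful firewall opens return traffic for sessions the inside started; it does not open a listening port because IIS answered a client with a 403 or a redirect, so a fresh inbound connection to 443 needs a static rule (on a FortiGate, a virtual IP mapping external 443 to the Exchange host, plus a policy that allows it). `openssl x509 -noout -subject -issuer -in outside.pem` shows who issued whatever the firewall handed out, which is the difference the first post noticed.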

Wow, so simple, but sounds so right.

I do port forwarding on my NETGEAR router at home for downloading torrents; I have 2 ports forwarded to my torrent machine.

The confusing part is that when the browser is opened up he is pointing to a different port originally (440 I think he said) and is then being redirected to port 443, so I'm not sure how that works. Perhaps port 440 requests need to be forwarded to your IIS box as well as 443?

Can someone pass me the "Computers for Dummies" book?

Think either of these would help?

I'd need more help than that!
