topic Re: Cisco FTD is blocking outlook traffic to Exchange server 2010 in Network Security

Cisco FTD is blocking outlook traffic to Exchange server 2010

telesymbol — Fri, 03 Jun 2022 14:30:33 GMT

Dear All,

we've installed two 2130 FTDs in HA, managed with FMCv, we've configured a rule to allow traffic from outlook clients to exchange server 2010 which is installed behind the firewall. below are ports we've included but the outlook shows Disconnected & can not download email. but when we change the ports to Any, it works and please advise on the issue.

443/TCP, 80/TCP, 143/TCP, 993/TCP,110/TCP, 995/TCP, 587/TCP, 25/TCP, 50636/TCP,135/TCP,26602/TCP, 135/TCP, 465, 593, 585

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

Marvin Rhoads — Fri, 03 Jun 2022 14:46:50 GMT

When the rule is ion place, search the connection events to the Exchange server with Action = Block. That should tell you what else needs to be allowed.

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

Mohammed al Baqari — Sat, 04 Jun 2022 02:57:19 GMT

Hi,

I also suggest to check MS documents for required ports. There are many
other ports needed such as endpoint mapper, CAS/HUB, etc.

**** please remember to rate useful posts

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

telesymbol — Sat, 04 Jun 2022 20:28:13 GMT

I tried to to search events for traffic from outlook to exchange server 2010, which is behind the firewall but i couldn't found a block action, all are Allowed traffics. is there another way to resolve this issue pls ?

regards

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

Mohammed al Baqari — Sun, 05 Jun 2022 01:07:19 GMT

Your rule which is blocking might not have logging enabled. From CLISH try
system support trace (turn in firewall debugs when asked). Use sample
client IP that you can test from and your server IP. Leave rest of fields
blank.

Then test and see which rules are matched along with actions.

***** please remember to rate useful posts

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

telesymbol — Sun, 05 Jun 2022 09:25:16 GMT

please see attached logs and le me know what is required to allow exchange traffic.

regards

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

Mohammed al Baqari — Sun, 05 Jun 2022 09:53:19 GMT

Hi,

>From the logs it seems connection is reset from the server (see the rst
flag in the logs).

10.100.20.55-49233 - 10.100.5.74-135 6 AS 1-1 CID 0 Packet: TCP, ACK,
RST, seq 4003994852, ack 3917801564
10.100.20.55-49233 - 10.100.5.74-135 6 AS 1-1 CID 0 AppID: service
DCE/RPC (603), application unknown (0)
10.100.20.55-49233 - 10.100.5.74-135 6 AS 1-1 CID 0 Firewall: allow
rule, 'EIC_MS-Exchange_Access', allow
10.100.20.55-49233 - 10.100.5.74-135 6 AS 1-1 CID 0 Snort id 4, NAP id
2, IPS id 0, Verdict PASS
10.100.20.55-49233 > 10.100.5.74-135 6 AS 1-1 I 4 Got end of flow
event from hardware with flags 00010001. Rule Match Data: rule_id 0,
rule_action 0 rev_id 0, rule_flags 2
10.100.20.55-49233 > 10.100.5.74-135 6 AS 1-1 I 4 Logging EOF for
event from hardware with rule_id = 268437546 ruleAction = 2 ruleReason
= 0
10.100.20.55-49233 > 10.100.5.74-135 6 AS 1-1 I 4 : Received EOF,
deleting the snort session

Check your server. If you have esmtp inspection enables, try to disable it
and check.

***** please remember to rate useful posts

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

telesymbol — Sun, 05 Jun 2022 14:33:54 GMT

I've disabled ESMTP inspection but still outlook can not connect to exchange server 2010. here attached is the new log from the FTD.

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

Mohammed al Baqari — Sun, 05 Jun 2022 16:39:19 GMT

This is better trace. As suspected, there are missing ports from your ACP
which are not allowed and falling in default action. Sample below.

Review MS documentation to ensure all required ports are allowed.

10.100.20.55-53796 > 10.100.5.74-62003 6 AS 1-1 I 5 match rule order
52, 'Default Action', action Block
10.100.20.55-53796 > 10.100.5.74-62003 6 AS 1-1 I 5 MidRecovery data
sent for rule id: 268435577,rule_action:4, rev id:1052613730,
rule_match flag:0x0
10.100.20.55-53796 > 10.100.5.74-62003 6 AS 1-1 I 5 HitCount data sent
for rule id: 268435577,
10.100.20.55-53796 > 10.100.5.74-62003 6 AS 1-1 I 5 deny action
10.100.20.55-53796 - 10.100.5.74-62003 6 AS 1-1 CID 0 Firewall: block
rule, 'Default Action', drop
10.100.20.55-53796 - 10.100.5.74-62003 6 AS 1-1 CID 0 Snort: processed
decoder alerts or actions queue, drop
10.100.20.55-53796 > 10.100.5.74-62003 6 AS 1-1 I 5 Deleting session
10.100.20.55-53796 > 10.100.5.74-62003 6 AS 1-1 I 5 deleting firewall
session flags = 0x0, fwFlags = 0x1000, session->logFlags = 0ec4008c0
10.100.20.55-53796 - 10.100.5.74-62003 6 AS 1-1 CID 0 Snort id 5, NAP
id 2, IPS id 0, Verdict BLACKLIST
10.100.20.55-53796 - 10.100.5.74-62003 6 AS 1-1 CID 0 ===> Blocked by Firewall

**** please remember to rate useful posts

Re: Cisco FTD is blocking outlook traffic to Exchange server 2010

telesymbol — Mon, 20 Jun 2022 11:31:15 GMT

Hi Mohammed,

as per your suggestion, system support trace solved the problem by listing missed ports.

Thanks !