
Outlook clients accessing Exchange through 515e from behind firewall

Jim.Kiddoo
Level 1

I have a 515e in place but Outlook users do not receive email unless they click on another message or send/receive. How do I permit the Exchange server on the outside of the firewall to be able to send email to clients behind the firewall? Say the Exchange server is at 24.24.24.25 and the clients sit behind the firewall with an outside interface of 33.33.33.34 and inside clients are in the 10.0.0.1 range. Thanks

Jim Kiddoo

Network Admin

jkiddoo@ualberta.ca

2 Replies

gfullage
Cisco Employee

I think the problem here is that when new mail comes in, the Outlook server needs to initiate the conversation to the inside hosts so that the email is shown on the inside client. The PIX will disallow this though due to its normal security policies (everything from outside to inside is dropped unless specifically allowed).

When your inside users hit the Send/Receive button or click on another message the inside PC initiates a connection to the external server to see if there's any new email, and that works fine cause the PIX allows it.

The trouble is, what IP address is the Outlook server trying to connect to when it tries to send new emails to your inside clients? If you set up debugging on the PIX you'll probably see a bunch of denies from the Outlook server going to your firewall address (assuming you're PAT'ing everything to that address, that is) on various ports.

It is probably as simple as allowing all SMTP type traffic from the Outlook server to come into the PIX, but then you need a static translation for all your internal hosts as well, since a static AND an access-list is required for outside-to-inside communication. This means you would need a valid external address for every internal address, probably not something you have I imagine.

Not sure there's a way around this. You're sort of doing it backwards to everyone else where they have the Outlook server on the inside and the clients on the outside, then you just need a static translation for the Outlook server rather than for every internal host.

Thanks, yeah I was just hoping to put the Exchange server behind the firewall last and have the clients there first. All makes sense.

Thanks

Jim
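
The debugging step suggested in the first reply, as an added example that is not part of the original thread: a Python script that tallies which firewall address and ports the mail server is being denied on, from PIX syslog output. The log lines are constructed, and the layouts of messages 106001, 106006 and 106023 are assumptions about what the PIX emits; adjust the patterns to your own log.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on PIX deny messages 106001/106006/106023
# plus one unrelated source and one non-deny line that must be ignored.
SAMPLE_LOG = """\
%PIX-2-106006: Deny inbound UDP from 24.24.24.25/1031 to 33.33.33.34/1045 on interface outside
%PIX-2-106006: Deny inbound UDP from 24.24.24.25/1031 to 33.33.33.34/1045 on interface outside
%PIX-2-106001: Inbound TCP connection denied from 24.24.24.25/2210 to 33.33.33.34/135 flags SYN on interface outside
%PIX-4-106023: Deny udp src outside:24.24.24.25/1031 dst outside:33.33.33.34/1052 by access-group "outside_in"
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4431 to 33.33.33.34/23 flags SYN on interface outside
%PIX-6-302013: Built outbound TCP connection 101 for outside:24.24.24.25/135 to inside:10.0.0.5/1100
"""

# An endpoint is "ip/port", optionally prefixed with an interface name.
EP = r"(?:\w+:)?(\d+\.\d+\.\d+\.\d+)/(\d+)"
PATTERNS = [
    re.compile(rf"106001: Inbound (TCP) connection denied from {EP} to {EP}"),
    re.compile(rf"106006: Deny inbound (UDP) from {EP} to {EP}"),
    re.compile(rf"106023: Deny (\w+) src {EP} dst {EP}"),
]


def denied_flows(log_text, server_ip):
    """Count denied (protocol, dst_ip, dst_port) flows whose source is server_ip."""
    flows = Counter()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            proto, src_ip, _src_port, dst_ip, dst_port = match.groups()
            if src_ip == server_ip:
                flows[(proto.lower(), dst_ip, int(dst_port))] += 1
            break  # one deny message per line
    return flows


if __name__ == "__main__":
    # 24.24.24.25 is the Exchange server address given in the question.
    for (proto, ip, port), hits in denied_flows(SAMPLE_LOG, "24.24.24.25").most_common():
        print(f"{hits:3d}  {proto:<4} -> {ip}:{port}")
```
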
