Haproxy exchange

Hi.

Topical question about Exchange vulnerabilities.
How should I configure the pfSense HAProxy in front of on-premises Exchange?
I already configured an ACME cert and HAProxy for OWA (Outlook Web Access) and this works just great for port 443 and SSL offloading.
However I would also need to have ports 25, 143, 465 and 993 for incoming mail. Are these just plain TCP proxy fronts, and should I also offload SSL for ports 465 and 993?
Sorry if this has been answered already.

And PS. Thanks Tom for the great videos, those are really helpful and easy to follow.

br, Pete

I have not tested putting HAProxy in front of on-prem Exchange, but you don't have to proxy all the ports, just the ones you want to use HAProxy for, and port forward the others.

I use an Apache proxy in front of Exchange OWA, proxying only the paths necessary for OWA and ActiveSync to work. Paths and scripts not part of the OWA tree do not get proxied and will get a 404 error. Also, requests to domain names other than our OWA domain will get a 404 error, so web crawlers and Shodan-type stuff won't find anything with random IP addresses, etc.

SMTP is relayed in both directions through a Courier-MTA server and Anti-Spam SMTP Proxy (ASSP).

IMAP access is relayed through stunnel, but I see NGINX has an IMAP proxy that might be worth checking out.

So our Exchange server has no direct connections to the Internet, limiting its exposure a bit… still staying current on patches though.

Thanks Tom and Corey.

We ended up doing everything with HAProxy.

We placed the certificate on ports 443, 465, 587 and 993. For 465 and 587 we do SSL offload and decided to use backend 25 for these. For 993 the backend is 143 (plain IMAP), for 443 the backend is 443, and for 25 and 143 (TCP) the backends are the corresponding 25 and 143.

As Tom wrote, it would be the same to just port forward, more a matter of taste, but now all the "port forwardings" are on the same "page" in HAProxy.

And one other thing is that since we are offloading 465, 587 and 993 and the backend traffic is plain, we could maybe later on use e.g. Snort to examine the traffic.

Thanks everyone.

br, pete
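For readers who want to see what the setup Pete describes looks like as an HAProxy configuration, here is an added example. It is not from anyone in this thread and not the config the pfSense HAProxy package generates (the GUI writes its own haproxy.cfg); the certificate path, the hostname mail.example.com and the Exchange address 10.0.0.10 are placeholders. It follows Pete's layout: 443 terminated and re-encrypted to Exchange 443, 25 and 143 as plain TCP pass-through, 465/587 terminated and sent to port 25, 993 terminated and sent to port 143. It also adds the Host-header restriction Corey mentioned doing in Apache, which Pete's post does not say they did.

```haproxy
# Constructed example: HAProxy in front of on-premises Exchange.
# All addresses, paths and hostnames below are assumptions.
global
    log /dev/log local0
    # Only accept modern TLS on the offloaded listeners
    ssl-default-bind-options ssl-min-ver TLSv1.2
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log     global
    option  tcplog
    timeout connect 5s
    # Long client/server timeouts so IMAP IDLE sessions are not cut off
    timeout client  10m
    timeout server  10m

# 443: OWA / ActiveSync / Outlook Anywhere. TLS ends here, then re-encrypted to Exchange.
frontend fe_https
    bind *:443 ssl crt /etc/haproxy/certs/mail.example.com.pem
    mode http
    option httplog
    # Serve only the published hostname; scanners hitting the bare IP get a 403
    acl host_ok req.hdr(host) -i mail.example.com
    http-request deny unless host_ok
    default_backend be_exchange_https

backend be_exchange_https
    mode http
    # Exchange usually presents its own (often self-signed) cert on 443;
    # replace "verify none" with "verify required ca-file <ca>" once you have its CA.
    server exchange 10.0.0.10:443 ssl verify none check

# 25: MTA-to-MTA SMTP, plain TCP pass-through (STARTTLS is negotiated by Exchange itself)
frontend fe_smtp
    bind *:25
    mode tcp
    default_backend be_exchange_smtp

# 465 and 587: TLS terminated here, plaintext SMTP to Exchange port 25
frontend fe_smtps
    bind *:465 ssl crt /etc/haproxy/certs/mail.example.com.pem
    bind *:587 ssl crt /etc/haproxy/certs/mail.example.com.pem
    mode tcp
    default_backend be_exchange_smtp

backend be_exchange_smtp
    mode tcp
    server exchange 10.0.0.10:25 check

# 143: plain IMAP pass-through; 993: TLS terminated here, plaintext IMAP to Exchange port 143
frontend fe_imap
    bind *:143
    mode tcp
    default_backend be_exchange_imap

frontend fe_imaps
    bind *:993 ssl crt /etc/haproxy/certs/mail.example.com.pem
    mode tcp
    default_backend be_exchange_imap

backend be_exchange_imap
    mode tcp
    server exchange 10.0.0.10:143 check
```

Three things to keep in mind with this shape. Binding 587 with `ssl` means HAProxy expects implicit TLS on that port, so clients must be set to "SSL/TLS" rather than STARTTLS on 587, or they will fail to connect. Because the 465/587/993 sessions reach Exchange in plaintext, the Exchange receive connector on 25 and the IMAP service on 143 should only be reachable from the HAProxy host (firewall rule or connector remote IP range), since credentials cross that hop unencrypted; that same plaintext hop is where Pete's idea of running Snort fits. Finally, Exchange will see every connection as coming from the HAProxy address, so any IP-based restrictions or log review on the Exchange side have to be moved to HAProxy's logs, which is why logging is enabled in every frontend above.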