VPN and Exchange
-
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
-
What kind of VPN is this? It's possible that the public address that they use is just called Exchange for some silly reason.
What does DNS tell you?
-
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
-
@bbigford said in VPN and Exchange:
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
I mean is it IPSec, OpenSSL, that kind of thing.
-
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
I mean is it IPSec, OpenSSL, that kind of thing.
I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.
-
@reid-cooper said in VPN and Exchange:
What kind of VPN is this? It's possible that the public address that they use is just called Exchange for some silly reason.
What does DNS tell you?
I looked up their DNS and exchange.domain.com is resolved by an IP provided by their ISP, domain.com resolves to a GoDaddy IP.
-
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
I mean is it IPSec, OpenSSL, that kind of thing.
I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.
What tool are you using to connect?
-
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
What kind of VPN is this? It's possible that the public address that they use is just called Exchange for some silly reason.
What does DNS tell you?
I looked up their DNS and exchange.domain.com is resolved by an IP provided by their ISP, domain.com resolves to a GoDaddy IP.
Likely just their VPN IP. That it is called "Exchange" is probably just coincidental.
-
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
I mean is it IPSec, OpenSSL, that kind of thing.
I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.
What tool are you using to connect?
Windows built-in. I asked about a VPN client and they said they don't have one. I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
-
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
I mean is it IPSec, OpenSSL, that kind of thing.
I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.
What tool are you using to connect?
Windows built-in. I asked about a VPN client and they said they don't have one. I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
Looking at Company 2 (configured before I took on their account), they have separate IPs for vpn.company2.com, mail.company2.com, and company2.com
-
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@jt1001001 said in VPN and Exchange:
Is Exchange/OWA being published by a Forefront TMG box or some other proxy?
Knowing this provider, it's likely a ZyWall.
I mean is it IPSec, OpenSSL, that kind of thing.
I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.
What tool are you using to connect?
Windows built-in. I asked about a VPN client and they said they don't have one. I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
I don't believe that Windows has SSL VPN.
-
@bbigford said in VPN and Exchange:
I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
Just port forwarding, most likely.
-
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
Just port forwarding, most likely.
So you're thinking that 'Exchange' coincidentally is what hostname was given to the vpn service. In a browser, 443 is just forwarded to the on-prem Exchange server when using https://exchange.domain.com... am I understanding you correctly?
-
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
Just port forwarding, most likely.
So you're thinking that 'Exchange' coincidentally is what hostname was given to the vpn service.
Exactly, that's what I'm thinking. Someone was thinking of the VPN as existing to access OWA, so named it Exchange.
-
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
@reid-cooper said in VPN and Exchange:
@bbigford said in VPN and Exchange:
I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.
Just port forwarding, most likely.
So you're thinking that 'Exchange' coincidentally is what hostname was given to the vpn service.
Exactly, that's what I'm thinking. Someone was thinking of the VPN as existing to access OWA, so named it Exchange.
That'll get cleaned up. We already overhauled ~90% of what that provider had done for Company 2, and they've been very happy with the result. They have some serious pains with Company 1 setup.
I went to add a Windows built-in VPN connection a moment ago, to show a colleague. The Outlook splash screen doesn't show in the credentials window, but it did on the user's laptop (also Windows 10, but a much earlier release I believe). I've honestly never seen that in a VPN connection window before; not sure what that is about unless it is forwarded to Exchange and credentials from the email system are used for authentication and they can then have access to network resources. But that would be a really goofy setup.
-
Also, if the client only has one static IP, it will be the same as the Exchange one. Then the firewall takes care of the rest for IPsec or, worse, PPTP, but I'm not sure.
-
@bbigford you are totally overthinking this.
They obviously have on-site Exchange. That will require some kind of DNS entry for OWA and OA to work.
They chose to use exchange.domain.com, this is perfectly normal.
They only have a single IP, or only have their router configured to use a single IP. This is also very common.
Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.
This is also perfectly normal and 100% ok.
Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.
-
@jaredbusch said in VPN and Exchange:
@bbigford you are totally overthinking this.
They obviously have on-site Exchange. That will require some kind of DNS entry for OWA and OA to work.
They chose to use exchange.domain.com, this is perfectly normal.
They only have a single IP, or only have their router configured to use a single IP. This is also very common.
Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.
This is also perfectly normal and 100% ok.
Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.
I don't think they have web services, but if they were to, those wouldn't be able to use 443 I'm guessing since that port is already forwarded. I am definitely overthinking that one.
-
@bbigford said in VPN and Exchange:
@jaredbusch said in VPN and Exchange:
@bbigford you are totally overthinking this.
They obviously have on-site Exchange. That will require some kind of DNS entry for OWA and OA to work.
They chose to use exchange.domain.com, this is perfectly normal.
They only have a single IP, or only have their router configured to use a single IP. This is also very common.
Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.
This is also perfectly normal and 100% ok.
Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.
I don't think they have web services, but if they were to, those wouldn't be able to use 443 I'm guessing since that port is already forwarded. I am definitely overthinking that one.
HTTP Headers could make that work.
-
@bbigford said in VPN and Exchange:
@jaredbusch said in VPN and Exchange:
@bbigford you are totally overthinking this.
They obviously have on-site Exchange. That will require some kind of DNS entry for OWA and OA to work.
They chose to use exchange.domain.com, this is perfectly normal.
They only have a single IP, or only have their router configured to use a single IP. This is also very common.
Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.
This is also perfectly normal and 100% ok.
Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.
I don't think they have web services, but if they were to, those wouldn't be able to use 443 I'm guessing since that port is already forwarded. I am definitely overthinking that one.
L2TP VPN does not need port 443.
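The thread's diagnosis ("what does DNS tell you?", "I tried a browser to see what appliance I would hit", "just port forwarding, most likely", and the single-IP setup jaredbusch describes) can be reduced to a repeatable check. The script below is an added example, not code from the thread or from any of the posters: it resolves the organisation's public names, reports which of them share an IP, and then probes TCP/443 on each shared IP to tell an Exchange/OWA front end apart from a VPN appliance portal. Assumptions that are mine rather than the thread's: the hostname vpn.domain.com is a placeholder alongside the thread's exchange.domain.com and domain.com; the OWA test relies on Exchange answering 200 on /owa/auth/logon.aspx and commonly redirecting / to /owa behind a Microsoft-IIS Server header, which is a heuristic rather than a guarantee; and certificate trust is used as evidence because appliances frequently ship a self-signed default certificate while a published Exchange normally carries a publicly issued one.

```python
"""
Added example (not from the thread): recon for "is exchange.domain.com the VPN,
OWA, or both?". Resolves the names, finds shared IPs, and classifies what answers
on TCP/443. Hostnames are placeholders; vpn.domain.com is an assumption.
"""
import http.client
import socket
import ssl
from typing import Dict, List, Optional


def resolve_all(hostnames: List[str]) -> Dict[str, List[str]]:
    """Resolve each name to its IPv4 addresses; names that do not resolve map to []."""
    records: Dict[str, List[str]] = {}
    for name in hostnames:
        try:
            infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
            records[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            records[name] = []
    return records


def shared_ips(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Invert name->IPs and keep only the IPs that more than one name points at."""
    by_ip: Dict[str, List[str]] = {}
    for name, ips in records.items():
        for ip in ips:
            by_ip.setdefault(ip, []).append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def classify_https(server_header: Optional[str], location: Optional[str],
                   owa_logon_status: Optional[int]) -> str:
    """
    Heuristic verdict on what answers on 443 (assumption, not from the thread):
    an Exchange front end returns 200 on /owa/auth/logon.aspx and usually
    redirects / to /owa; IIS without either is 'iis-no-owa'; anything else is
    reported by its Server header (e.g. an SSL VPN portal or reverse proxy).
    """
    server = (server_header or "").lower()
    loc = (location or "").lower()
    if owa_logon_status == 200 or "/owa" in loc:
        return "exchange-owa"
    if "microsoft-iis" in server:
        return "iis-no-owa"
    if server:
        return "other:" + server
    return "unknown"


def probe_https(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect to host:port, record certificate trust plus the two responses classify_https uses."""
    evidence: Dict[str, object] = {"host": host, "cert_trusted": True}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                evidence["cert_san"] = tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError:
        # Untrusted or mismatched certificate: typical of an appliance default cert.
        # Recon only, so fall back to an unverified connection to read the HTTP side.
        evidence["cert_trusted"] = False
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        root = conn.getresponse()
        root.read()
        evidence["server"] = root.getheader("Server")
        evidence["location"] = root.getheader("Location")
        conn.request("GET", "/owa/auth/logon.aspx", headers={"Host": host})
        owa = conn.getresponse()
        owa.read()
        evidence["owa_logon_status"] = owa.status
    finally:
        conn.close()
    evidence["verdict"] = classify_https(
        evidence.get("server"), evidence.get("location"), evidence.get("owa_logon_status"))
    return evidence


if __name__ == "__main__":
    # Placeholder names from the thread plus an assumed vpn.domain.com.
    names = ["exchange.domain.com", "domain.com", "vpn.domain.com"]
    records = resolve_all(names)
    print("A records:", records)
    for ip, who in shared_ips(records).items():
        print(f"{ip} is shared by {', '.join(who)}; probing 443 via {who[0]}")
        print(probe_https(who[0]))
```

What the script cannot see is the VPN itself: an IPsec or L2TP/IPsec endpoint lives on UDP 500/4500 (and ESP), so it shares the single public IP with OWA on TCP/443 without any collision, which is the point of the last post. The one Windows built-in VPN type that would collide is SSTP, which runs over TCP/443; if the "Automatic" setting ever negotiated that, the connection would land on the same forward the browser does, so it is worth pinning the client to the protocol the firewall actually serves rather than leaving it on Automatic.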