VPN and Exchange



  • This is an interesting one I've been guessing at. Here's the high points:

    • Provider supports Company 1.
    • 3 people leave Company 1 and start their own company, Company 2.
    • Company 2 is a direct competitor to Company 1.
    • Company 2 buys Company 1.
    • Company 2 wants to offboard Company 1's MSP, more of a one-man shop. This is because the MSP doesn't want to collaborate with us on supporting both companies until a proper merger can take place. I do want to collaborate, so they are telling him next week that we are taking over both companies.

    During my time of trying to help out Company 2 users remote in and VPN into the Company 1 network, there is something odd with the VPN. The firewall doesn't come with any VPN software, as the provider has been using Windows built-in.

    Here's the weird part that I can't get clarification with this person on... the VPN server hostname/address is exchange.domain.com ... putting in that info into the built-in VPN, it brings up an Outlook landing page within that window (not redirected to a web browser or anything of the sort). When I asked about the setup, and how the connection is interacting with Exchange, I'm told "they have one IP, so OWA https requests are forwarded".

    That doesn't exactly make sense to me. I was thinking maybe Outlook Anywhere was configured and it's really only connecting to Exchange, rather than also being able to access network shares (I didn't try at the time as the user was in a hurry). If network shares are also accessible, what I'm wondering is why is there an Outlook landing page? Is it connecting directly to Exchange? I've never seen that before since I've always connected a VPN client to the firewall, and often Exchange has its own public IP.



  • Is Exchange/OWA being published by a Forefront TMG box or some other proxy?



  • What kind of VPN is this? It's possible that the public address that they use is just called Exchange for some silly reason.

    What does DNS tell you?



  • @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.



  • @bbigford said in VPN and Exchange:

    @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.

    I mean is it IPSec, OpenSSL, that kind of thing.



  • @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.

    I mean is it IPSec, OpenSSL, that kind of thing.

    I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.



  • @reid-cooper said in VPN and Exchange:

    What kind of VPN is this? It's possible that the public address that they use is just called Exchange for some silly reason.

    What does DNS tell you?

    I looked up their DNS and exchange.domain.com is resolved by an IP provided by their ISP, domain.com resolves to a GoDaddy IP.



  • @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.

    I mean is it IPSec, OpenSSL, that kind of thing.

    I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.

    What tool are you using to connect?



  • @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    What kind of VPN is this? It's possible that the public address that they use is just called Exchange for some silly reason.

    What does DNS tell you?

    I looked up their DNS and exchange.domain.com is resolved by an IP provided by their ISP, domain.com resolves to a GoDaddy IP.

    Likely just their VPN IP. That it is called "Exchange" is probably just coincidental.



  • @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.

    I mean is it IPSec, OpenSSL, that kind of thing.

    I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.

    What tool are you using to connect?

    Windows built-in. I asked about a VPN client and they said they don't have one. I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.



  • @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.

    I mean is it IPSec, OpenSSL, that kind of thing.

    I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.

    What tool are you using to connect?

    Windows built-in. I asked about a VPN client and they said they don't have one. I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.

    Looking at Company 2 (configured before I took on their account), they have separate IPs for vpn.company2.com, mail.company2.com, and company2.com



  • @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @jt1001001 said in VPN and Exchange:

    Is Exchange/OWA being published by a Forefront TMG box or some other proxy?

    Knowing this provider, it's likely a ZyWall.

    I mean is it IPSec, OpenSSL, that kind of thing.

    I had set it to auto because I wasn't sure on the other end, but I would say IPSec if I had to guess.

    What tool are you using to connect?

    Windows built-in. I asked about a VPN client and they said they don't have one. I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.

    I don't believe that Windows has SSL VPN.



  • @bbigford said in VPN and Exchange:

    I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.

    Just port forwarding, most likely.



  • @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.

    Just port forwarding, most likely.

    So you're thinking that 'Exchange' coincidentally is what hostname was given to the vpn service. In a browser, 443 is just forwarded to the on-prem Exchange server when using https://exchange.domain.com... am I understanding you correctly?



  • @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.

    Just port forwarding, most likely.

    So you're thinking that 'Exchange' coincidentally is what hostname was given to the vpn service.

    Exactly, that's what I'm thinking. Someone was thinking of the VPN as existing to access OWA, so named it Exchange.



  • @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    @reid-cooper said in VPN and Exchange:

    @bbigford said in VPN and Exchange:

    I just tried a web browser to see what appliance I would hit, and it goes straight to OWA.

    Just port forwarding, most likely.

    So you're thinking that 'Exchange' coincidentally is what hostname was given to the vpn service.

    Exactly, that's what I'm thinking. Someone was thinking of the VPN as existing to access OWA, so named it Exchange.

    That'll get cleaned up. We already overhauled ~90% of what that provider had done for Company 2, and they've been very happy with the result. They have some serious pains with Company 1 setup.

    I went to add a Windows built-in VPN connection a moment ago, to show a colleague. The Outlook splash screen doesn't show in the credentials window, but it did on the user's laptop (also Windows 10, but a much earlier release I believe). I've honestly never seen that in a VPN connection window before; not sure what that is about unless it is forwarded to Exchange and credentials from the email system are used for authentication and they can then have access to network resources. But that would be a really goofy setup.



  • Also, if the client only has one static IP, it will be the same as the Exchange one. Then the firewall takes care of the rest for IPsec or, worse, PPTP, but I'm not sure.



  • @bbigford you are totally overthinking this.

    They obviously have on site Exchange. That will require some kind of DNS entry for OWA and OA to work.

    They chose to use exchange.domain.com, this is perfectly normal.

    They only have a single IP, or only have their router configured to use a single IP. This is also very common.

    Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.

    This is also perfectly normal and 100% ok.

    Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.



  • @jaredbusch said in VPN and Exchange:

    @bbigford you are totally overthinking this.

    They obviously have on site Exchange. That will require some kind of DNS entry for OWA and OA to work.

    They chose to use exchange.domain.com, this is perfectly normal.

    They only have a single IP, or only have their router configured to use a single IP. This is also very common.

    Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.

    This is also perfectly normal and 100% ok.

    Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.

    I don't think they have web services, but if they were to, those wouldn't be able to use 443 I'm guessing since that port is already forwarded. I am definitely overthinking that one.



  • @bbigford said in VPN and Exchange:

    @jaredbusch said in VPN and Exchange:

    @bbigford you are totally overthinking this.

    They obviously have on site Exchange. That will require some kind of DNS entry for OWA and OA to work.

    They chose to use exchange.domain.com, this is perfectly normal.

    They only have a single IP, or only have their router configured to use a single IP. This is also very common.

    Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.

    This is also perfectly normal and 100% ok.

    Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.

    I don't think they have web services, but if they were to, those wouldn't be able to use 443 I'm guessing since that port is already forwarded. I am definitely overthinking that one.

    HTTP Headers could make that work.
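    The "HTTP headers" approach mentioned above, as an added example that is not part of this thread or any poster's setup: a single public IP whose port 443 is forwarded to a reverse proxy instead of straight to Exchange, with the proxy choosing the backend by the TLS SNI / Host header. All hostnames, certificate paths and internal addresses (192.0.2.x) are placeholders.

    ```nginx
    # Added example: one public IP, one forwarded port 443, several HTTPS services.
    # The firewall forwards TCP/443 to this nginx box; nginx routes by Host/SNI.
    # Hostnames, cert paths and 192.0.2.x backends are placeholders.

    # Catch-all for requests that use the bare IP or an unknown Host name.
    # 444 is nginx-specific: close the connection without handing OWA to
    # whoever is scanning the address.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/certs/placeholder.crt;
        ssl_certificate_key /etc/nginx/certs/placeholder.key;
        return 444;
    }

    # OWA / ECP / ActiveSync / Outlook Anywhere on the on-prem Exchange server
    server {
        listen 443 ssl;
        server_name exchange.domain.com;
        ssl_certificate     /etc/nginx/certs/exchange.crt;
        ssl_certificate_key /etc/nginx/certs/exchange.key;

        client_max_body_size 0;        # attachments and RPC streams can be large
        proxy_read_timeout   3600s;    # Outlook Anywhere keeps connections open
        proxy_http_version   1.1;

        location / {
            proxy_pass https://192.0.2.10;                 # placeholder Exchange IP
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_buffering off;
        }
    }

    # A separate internal web server, same public IP and port, different Host name
    server {
        listen 443 ssl;
        server_name www.domain.com;
        ssl_certificate     /etc/nginx/certs/www.crt;
        ssl_certificate_key /etc/nginx/certs/www.key;

        location / {
            proxy_pass http://192.0.2.20;                  # placeholder web server IP
            proxy_set_header Host            $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    ```

    Two things to check before relying on this: clients must send SNI for the proxy to pick the right certificate (current Outlook and browsers do), and if Outlook Anywhere is authenticated with NTLM, the open-source nginx build does not pin an upstream connection to one client (the upstream `ntlm` directive is in the commercial build), so Basic authentication over TLS or a different proxy may be needed. None of this touches the VPN: an L2TP/IPsec listener on the same IP uses UDP 500 and 4500 (IKE and NAT-T), so it coexists with a forwarded 443 either way.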



  • @bbigford said in VPN and Exchange:

    @jaredbusch said in VPN and Exchange:

    @bbigford you are totally overthinking this.

    They obviously have on site Exchange. That will require some kind of DNS entry for OWA and OA to work.

    They chose to use exchange.domain.com, this is perfectly normal.

    They only have a single IP, or only have their router configured to use a single IP. This is also very common.

    Then someone wants to use a VPN. They enable it in the firewall, or whatever device, and just use the existing FQDN that resolves to the site IP.

    This is also perfectly normal and 100% ok.

    Could they have added a CNAME, such as vpn.domain.com? Sure, but there is no technical reason to do so.

    I don't think they have web services, but if they were to, those wouldn't be able to use 443 I'm guessing since that port is already forwarded. I am definitely overthinking that one.

    L2TP VPN does not need port 443.

