MSExchange ActiveSync Issue - Firewall Rules



  • I am a noob with pfsense, but getting better. :)

    Problem: Cannot access OWA/ActiveSync from guest network

    Network Information:

    pfsense firewall 1.2
                  LAN interface - 192.168.1.x/24
                  DMZ interface - 192.168.2.x/24
                  WAN interface - Dynamic IP (single IP)
                  port forward 443 for exchange server WAN>LAN

    Using NoIP for resolution of Exchange server if IP changes
    Exchange server on LAN  -  192.168.1.x
    guest network resides in DMZ    -  192.168.2.x
    Wireless Access Point serving DHCP    -  192.168.2.x

    The only port needed open for ActiveSync to work is port 443.  I have that port open on the DMZ interface.
    A device such as my phone gets an IP from the pfSense DMZ interface 192.168.2.x but fails to connect to ActiveSync running on the Exchange server that resides in 192.168.1.x. If I move my device to the 192.168.1.x subnet, the phone connects fine to ActiveSync.

    From my Wireshark captures, I believe the issue is having only a single external IP address. When a guest goes outbound to connect to my AS it is NAT'd as the external IP. The return traffic is also bound for the same external IP, as it is my host serving OWA. I am not sure if pfSense will handle the session(s) correctly.

    I have been fighting with this forever and hope you guys could help me with the issue.

    Thanks for any help



  • I suspect your guests are accessing the AS by name (rather than IP address) and the name server they use returns a public IP address rather than 192.168.1.x.

    If you are using the pfSense DNS forwarder you can add a host override so that the name gets translated to address 192.168.1.x.



  • You have to have port 80 forwarded also for OWA. There are some components that need to use port 80.



  • You don't have to open up port 80 at all! All there should be is port 443 secure SSL. Make sure loopback for NAT is disabled.

    Go into Advanced, then Firewall/NAT

    Disable NAT Reflection for 1:1 NAT

    Tick the box.

