How to secure OWA & ActiveSync on Exchange 2010/2013 with reverse proxy squid3 & more



  • Please respond to this thread with suggestions for best practices to secure Exchange 2010 & 2013 OWA and ActiveSync on the web.

    First question: HOW TO DISABLE OWA and keep ActiveSync functioning?

    I successfully got Exchange 2010 SP3 syncing with the Android 4.4.2 email corporate app through pfSense 2.0.1-RELEASE (i386) using squid3 reverse proxy 3.1.20 pkg 2.0.6.

    Successful connections appear to require checking both:
    - Enable OWA reverse proxy
    - Enable ActiveSync

    Is 'Enable OWA reverse proxy' required for ActiveSync to function? Is there any way to perform ActiveSync reverse proxy without OWA reverse proxy, or to deny access to sync.domain.com/owa? Is it possible to develop this option for security reasons if only ActiveSync is required?

    If enabling OWA is required for now, what are the best methods to secure OWA from attacks?

    In testing, Exchange 2010 SP3 by default does NOT appear to lock out/ban usernames or IPs for OWA or ActiveSync after several security audit failures: account failed to log on.

    I found a free .NET application named "Cyberarms Intrusion Detection and Defence System" that reviews event logs in real time and can be configured to automatically deny an IP's connections for x amount of time after x number of failed logins.
    Using a reverse proxy on pfSense makes a Windows host IDS a bad solution, because the Windows CAS server logs and the Cyberarms application running on the CAS server see the IP of the pfSense gateway as the threat network address attempting authentication, not the WAN IP address of the hacker, which is in the pfSense logs:
    cyberarms.net
    https://www.youtube.com/watch?v=OaUqCZv7DmI

    pfSense has pfBlocker enabled and ACL IP whitelists will be set up. What else should be set up on pfSense to secure OWA from attacks and brute force?
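
Because the post notes that the real WAN address is visible only in the pfSense-side logs, failed-logon counting can be done on the proxy log instead of on the CAS server. The following is an added example, not part of the original post: it parses Squid native-format access.log lines (constructed samples) and reports client IPs with repeated HTTP 401 responses on the OWA or ActiveSync paths within a time window. The function name, threshold, window, and the use of 401 as the failure signal are assumptions; logon failures that do not return 401 are not counted.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1400000000.100     40 203.0.113.7 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync - FIRSTUP_PARENT/10.0.0.5 text/html
1400000010.200     38 203.0.113.7 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync - FIRSTUP_PARENT/10.0.0.5 text/html
1400000020.300     41 203.0.113.7 TCP_MISS/401 420 GET https://sync.domain.com/owa/ - FIRSTUP_PARENT/10.0.0.5 text/html
1400000030.400     39 203.0.113.7 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync - FIRSTUP_PARENT/10.0.0.5 text/html
1400000040.000     35 198.51.100.20 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Ping - FIRSTUP_PARENT/10.0.0.5 text/html
1400000041.000     90 198.51.100.20 TCP_MISS/200 1310 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Ping - FIRSTUP_PARENT/10.0.0.5 application/vnd.ms-sync.wbxml
1400000100.000     37 192.0.2.50 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync - FIRSTUP_PARENT/10.0.0.5 text/html
1400000600.000     36 192.0.2.50 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync - FIRSTUP_PARENT/10.0.0.5 text/html
1400001100.000     36 192.0.2.50 TCP_MISS/401 420 POST https://sync.domain.com/Microsoft-Server-ActiveSync?Cmd=Sync - FIRSTUP_PARENT/10.0.0.5 text/html
"""

# Native format: time elapsed client action/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)
# Only the two published Exchange paths are of interest here.
WATCHED = re.compile(r"^https?://[^/]+/(owa|Microsoft-Server-ActiveSync)(/|\?|$)", re.I)


def find_offenders(log_text, threshold=3, window=300.0):
    """Return {client_ip: peak 401 count in any `window` seconds} for IPs at or over threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "401" or not WATCHED.match(m["url"]):
            continue  # skip unparsable lines, non-401 responses, other paths
        hits[m["client"]].append(float(m["ts"]))

    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = best
    return offenders


if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed authentications within 300s")
```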