
Setting up a small Exchange 2016 organization (part 5)

The last part of this series of articles is about connecting the Exchange organization to the Internet. This requires a few more steps. I have already described the configuration of the UTM's web application firewall in detail in a separate article, and the configuration is taken over one-to-one from there.

A little hint: This complete environment can also be operated with the Sophos UTM Home Edition. All the UTM features used and described here are available in the Home Edition. I used the demo version for this environment, but I also use the Home Edition in conjunction with this configuration privately.

Configuration of the Fritzbox

Two port forwardings must be created on the Fritzbox so that the Web Protection of the UTM, and thus also Exchange, can be reached from the Internet.

Port 80 (HTTP) TCP and port 443 (HTTPS) TCP must be forwarded to the WAN IP of the Sophos UTM:

Here is the detailed view, the same applies to port 80:

That's all that needs to be set on the Fritzbox.

Configuring subdomains at Strato

In order to access Exchange, the respective subdomains must be made known to Strato. As already described in the previous articles, the Exchange services are accessed via the FQDN outlook.frankysweb.org, Autodiscover runs via the name autodiscover.frankysweb.org. These two subdomains must be updated dynamically due to the dynamic IP. Two subdomains for frankysweb.org are created in the Strato Customer Center for this purpose:

After clicking "Create subdomain", the name is assigned. In this case "outlook":

In the domain overview, the subdomain "outlook.frankysweb.org" can now be switched to dynamic updating:

After clicking "Manage" on the subdomain, the "DNS management" section must be expanded. There, under "Dynamic DNS", click "Manage":

Note: Dynamic DNS may only be activated for the subdomains.

The procedure is repeated for autodiscover.frankysweb.org so that both subdomains can be updated dynamically:

Finally, Strato's own autodiscover must be switched off, as we want to use the autodiscover of our Exchange server with our settings and not maintain any Strato settings. Strato Autodiscover can be switched off on the frankysweb.org domain:

Dynamic DNS update with Sophos UTM

To ensure that the DNS entries for autodiscover.frankysweb.org and outlook.frankysweb.org remain current despite the dynamic IP, they must be updated accordingly. The UTM supports Strato DynDNS directly and can therefore take over this task.

The settings must be made for both subdomains:

The domain and the Strato Customer Center password are entered as the user name and password. After the entries have been created, both entries must be activated:

After a short wait, the entries are updated.

Export Exchange certificate and transfer to UTM

The web server protection of the UTM also requires a certificate. Since a valid certificate has already been issued by StartSSL for the Exchange Server, it can also be used for the web server protection of the UTM. To do this, the certificate must first be exported from the Exchange Server. The export can be carried out easily via the MMC and the certificate snap-in:

Important: The certificate must be exported with the private key:

The export can include the certificate chain:

Assign a password and then save the certificate:

After the export, the certificate can be installed on the UTM:

If the process was successful, it looks like this:
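The same export from PowerShell on the Exchange Server, as an added example that is not part of the original article: it first checks that the certificate carries a private key and covers both published names, then writes a password-protected PFX including the chain. The thumbprint and output path are placeholders.

```powershell
# Added example, not from the original article: export the Exchange
# certificate for the UTM from PowerShell instead of the MMC snap-in.
# Placeholders (assumptions): $Thumbprint and $PfxPath.
$Thumbprint    = 'REPLACE_WITH_EXCHANGE_CERT_THUMBPRINT'
$PfxPath       = 'C:\Temp\exchange-for-utm.pfx'
$RequiredNames = @('outlook.frankysweb.org', 'autodiscover.frankysweb.org')

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# The UTM terminates TLS itself, so a certificate without its private key is useless.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the local machine store."
}

# Collect every name the certificate is valid for: the CN plus the SAN DNS entries.
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($false) yields e.g. "DNS Name=outlook.frankysweb.org, DNS Name=..."
    $names += ($san.Format($false) -split ',\s*') |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() }
}
$missing = $RequiredNames | Where-Object { $names -notcontains $_ }
if ($missing) {
    throw "Certificate does not cover: $($missing -join ', ')"
}

# Export with private key and full chain; the password protects the PFX in transit.
$password = Read-Host -Prompt 'Password for the PFX file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password `
    -ChainOption BuildChain | Out-Null

# Print the fingerprint to compare with what the UTM shows after the import.
# Delete the PFX once it has been uploaded, since it contains the private key.
Write-Host "Exported $PfxPath"
Write-Host "SHA-1 fingerprint: $($cert.Thumbprint)"
Write-Host "Valid until:       $($cert.NotAfter)"
```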

Set up Sophos UTM Webserver Protection for Exchange 2016

The web server protection is now set up in quick succession, as I have already described this topic in detail in a separate article.

First save the Exchange Server as a real server:

Create firewall profiles for Autodiscover and Exchange web services:

Firewall profile for Autodiscover

Entry URLs:

/autodiscover
/autodiscover

Skip Filter Rules:

Firewall profile for Exchange web services

Entry URLs:

/ecp
/ECP
/ews
/EWS
/Microsoft-Server-ActiveSync
/oab
/OAB
/owa
/OWA
/rpc
/RPC
/mapi
/Mapi
/

Skip Filter Rules:

Virtual web server

The virtual web servers can now be created. Two virtual web servers are also created here, one for Autodiscover and one for the remaining web services:

If the steps up to this point have been successful, it looks like this:

Exceptions

Exceptions are still required for all services to function correctly:

Autodiscover:

Paths:

/autodiscover/*
/autodiscover/*

OWA Antivirus:

Paths:

/owa/ev.owa*
/OWA/ev.owa*

Outlook Anywhere (RPCoverHTTP and MAPIoverHTTP)

Paths:

/rpc/*
/RPC/*
/mapi/*
/MAPI/*

Exchange web services

Paths:

/ecp/*
/ECP/*
/ews/*
/EWS/*
/Microsoft-Server-ActiveSync*
/oab/*
/OAB/*
/owa/*
/OWA/*
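A check for the DynDNS entries and the web server protection described above, as an added example that is not part of the original article: run from a network outside the home LAN, it verifies that both subdomains resolve to the same WAN address and that each published Exchange path is passed through the UTM to Exchange. The expected status codes for anonymous GET requests are assumptions; the hostnames are the article's.

```powershell
# Added example, not from the original article: verify the DynDNS entries
# and the published Exchange paths from OUTSIDE the home network.
# Expected codes are assumptions about anonymous GET requests to Exchange 2016.
$Hosts  = @('outlook.frankysweb.org', 'autodiscover.frankysweb.org')
$Checks = @(
    @{ Url = 'https://autodiscover.frankysweb.org/autodiscover/autodiscover.xml'; Expect = 401 }
    @{ Url = 'https://outlook.frankysweb.org/owa/';                        Expect = 200 }  # logon page
    @{ Url = 'https://outlook.frankysweb.org/ecp/';                        Expect = 200 }  # logon page
    @{ Url = 'https://outlook.frankysweb.org/ews/exchange.asmx';           Expect = 401 }
    @{ Url = 'https://outlook.frankysweb.org/mapi/';                       Expect = 401 }
    @{ Url = 'https://outlook.frankysweb.org/rpc/rpcproxy.dll';            Expect = 401 }
    @{ Url = 'https://outlook.frankysweb.org/oab/';                        Expect = 401 }
    @{ Url = 'https://outlook.frankysweb.org/Microsoft-Server-ActiveSync'; Expect = 401 }
)

# 1. DynDNS: both subdomains must point at the current WAN IP of the UTM.
$addresses = foreach ($h in $Hosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress | Select-Object -First 1
}
if (($addresses | Select-Object -Unique).Count -ne 1) {
    Write-Warning "DynDNS mismatch: $($Hosts -join ', ') resolve to $($addresses -join ', ')"
} else {
    Write-Host "Both names resolve to $($addresses[0])"
}

# 2. WAF: 401 or 200 means IIS on the Exchange server answered; a 403 is usually
#    the UTM's own block page (missing entry URL or a firewall rule hit).
#    TLS validation stays on, so a broken chain on the UTM shows up as a failure.
function Test-PublishedPath {
    param([string]$Url, [int]$Expect)
    try {
        $code = [int](Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop).StatusCode
    } catch {
        if (-not $_.Exception.Response) { return "FAIL  $Url -> $($_.Exception.Message)" }
        $code = [int]$_.Exception.Response.StatusCode   # 401/403/404 arrive as exceptions
    }
    $verdict = if ($code -eq $Expect) { 'OK  ' } else { 'FAIL' }
    return "$verdict  $Url -> HTTP $code (expected $Expect)"
}

foreach ($c in $Checks) { Test-PublishedPath @c }
```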

Summary

These were the last steps to configure a test environment or a very small Exchange organization. I don't think the creation of mailboxes needs to be described here. In the meantime, I have received a few questions about the hardware used in my environment, which I would like to answer briefly here.

For my private "productive" Exchange environment I use the following:

Standard PC as ESXi server: Core i7-6500, 32 GB DDR4 RAM, 1 x 64 GB SSD for ESXi and VM swap, 1 x 250 GB SSD as datastore for the VM operating systems, 1 x 2 TB SATA HDD as datastore for Exchange databases and other data. 2 x Intel Pro 1000 PT server adapters as network cards. The VMs are backed up via Veeam to a Synology DS415+ with 4 x 2 TB in RAID5.

There are currently 7 VMs running on the ESXi: DC (2 CPUs, 4 GB RAM), Exchange (2 CPUs, 12 GB RAM), UTM (2 CPUs, 4 GB RAM), Veeam (2 CPUs, 4 GB RAM), the rest are Linux VMs for various tasks.

The operating systems are all stored on the 250 GB SSD, VM swap files on the 64 GB SSD. The VM data is stored on the 2 TB HDD.

I am very satisfied with this configuration for my private environment so far; for its performance it consumes pleasantly little power, and it fulfills all my wishes.

As always, please leave any questions in the comments or use the contact form.
