I'm working with a secure customer who's looking at opening up Outlook Anywhere (RPC over HTTPS) to their Exchange 2010 environment, but they also want to restrict the OA access only to known external machines.
They already have SA 6500 SSL VPN appliances implemented as part of another secure access use case. Is it possible to publish Outlook Anywhere via these SA appliances and enable host checking for MAC address, source IP, client certificates etc.?
I can see this question has been raised before, but not answered conclusively (it just says "Juniper is investigating options for support; check with your account team for the current status."):
Is this now supported on the SA series appliances?
Sorry, I haven't deployed WSAM/JSAM and I can't find confirmation in the documentation whether host checker policies apply or not.
But it would be different than opening RPC over HTTPS because the WSAM client tunnels traffic. So you would not be opening the ports to the internet in this configuration.
Thanks for the clarifications.
I think what you are looking for is to implement Outlook access using the WSAM profile. WSAM installs on the client PC and kicks in automatically when the program is launched. You have a configuration on the SA that permits this application level traffic and the user does not need to log into the VPN.
I've only labbed this feature, as I have always deployed the layer 3 vpn solutions. But the instructions are in the admin guide on page 499 to create the SA resource profile.
Main documentation to select your running version:
I don't know the answer to the host checker query.
But you will also need to consider that opening access to the Exchange CAS for RPC over HTTPS by definition will expose the Outlook Web Access portal to the internet as well. The same ports and server are used for this function.
I assume you looked at using WSAM, Network Connect or Pulse to allow the Outlook connection remotely without exposing the Exchange connection generally. Naturally, these would all support host checker.
Thanks for the reply.
My customer's requirements state that they are happy to have the user do an explicit login to Outlook Anywhere (i.e. there should be a login box pop up to authenticate them to their remote mailbox) but they don't want to do an additional VPN login (e.g. this should be either client-less or at least seamless, and they don't want two-factor etc.).
Unless I'm misunderstanding the product, you can't do host checking without a Junos Pulse client over an SSL VPN tunnel, is that correct? For example, can you do host checking for a session initiated from an Outlook client where the transport is RPC over HTTPS via the SA appliance to the Exchange CAS servers?
Ideally we can do Outlook Anywhere from an Outlook 2010 client and have the SA appliance do MAC address checking and / or client certificate checking on the client machine. I'm just not sure whether that's possible.
Any assistance is welcome on this; I'm just trying to understand the SA appliances' capabilities here.
Thanks Steve, I'll read through that information.
So, does WSAM allow host checking (e.g. MAC address, client certificate, IP address etc.) for an Outlook Anywhere (RPC over HTTPS) session initiated from Outlook?
If not, then it's not really adding anything, as all it's really doing is proxying, for which we could presumably just use RPC over HTTPS to a load balancer or proxy in the DMZ before hitting the Exchange CAS servers.