
Which URLs have to be used in a SMC / EAS standalone configuration?

Hi folks,

I'm having some configuration trouble in a new SMC configuration. The usage scenario for the installation is:

  • Sophos SG230 with several external IPs
    • WAN / LAN / DMZ interfaces
    • no Webserver Protection Subscription
    • Firewall rules configured as in SMC server deployment guide (like in Figure 10, but without client certificate based authentication)
    • no Web Proxy involved in communication between the 3 servers.
  • two Windows Server 2012R2
    • Sophos MC 7.0.8 Server
      • server residing in LAN
      • URL resolvable over smc.company.com, public signed certificate installed
      • own external IP on SG230, DNATing 443 to Server, Firewall rule to allow https from Any InternetIPv4
    • Sophos EAS standalone proxy
      • server residing in DMZ
      • URL resolvable over eas.company.com, public signed certificate installed
      • own external IP on SG230, DNATing 443 to Server, Firewall rule to allow https from Any InternetIPv4
      • mail user agent limited to only let traffic from Secure Mail Container App through the proxy
      • certificate I got after running the proxy wizard is imported in SMC server under "external EAS proxy"
  • one Windows SBS 2011 Server
    • Exchange 2010 residing in LAN
    • URL resolvable over exchange.company.com, public signed certificate (with SAN autodiscover.company.com) installed
    • no external IP, no DNAT
    • Active-Sync is externally disabled (not open) because customer only wants the Secure Mail Container being used
  • Split brain DNS config in DC / SG230 for all used URLs

So far, so good.

The SMC App communication and provisioning are functioning as expected; synchronisation and rolling out rulesets are also working fine. The Secure Mail App is functioning, BUT: I am able to configure a manual Active-Sync profile using "smc.company.com", which currently works. If I try with "eas.company.com" directly, it is not working - as expected.

In the SMC customer's container configuration I configured "eas.domain.com" as the "Active Sync URL".

My problem seems to be somehow the "internal EAS Proxy" on the SMC server. There I configured the URL https://exchange.company.com/.... I tried to leave this field blank, but it's a mandatory entry. Disabling the Windows service "smcproxy" resulted in a non-functional SMC server.

Which URL has to be entered for the "internal EAS proxy"? Just ANY URL that isn't currently working, https://eas.domain.com/... or where is my configuration mistake?


