Web server protection: How do I use both port 443 and 993 at the same time?

No need to configure port 993, WAF doesn't support IMAP, only HTTP!

Hi,

Thanks for the response! Just to be clear I'm looking to do ssl over imap (port 993) not imap (port 143).  Assuming you definitely meant ssl over imap is not possible through the WAF then I assume I could only forward https (port 443) through the WAF and would have to NAT any connections on port 993 to the mail server through the UTM. This would only then give me access to the UTMs standard firewall for port 993, correct?

If that last sentence is correct then I think I'm left in a bit of a pickle. The reason I'm doing this is my mail server is vulnerable to the DROWN vulnerability and I need to have a way to drop all sslv2 traffic coming in on all ssl/tls connections. This is easy to do with all our web servers with the exception of our mail server because it accepts ssl connections on 443 and 993. 

So assuming all my assumptions are correct and thats a big if then how would I drop sslv2 connections used for imap over ssl coming into our mail server on port 993?

Thanks!

UTM doesn't support IMAP at all, only SMTP and POP3. So you're correct, all you can do is configure a NAT rule for port 993. Which of course won't help you with your SSLv2 problem.

BTW, XG supports IMAP.

Scott SISCO said:

Hi,

Assuming you definitely meant ssl over imap is not possible through the WAF then I assume I could only forward https (port 443) through the WAF and would have to NAT any connections on port 993 to the mail server through the UTM. This would only then give me access to the UTMs standard firewall for port 993, correct?

Correct.

Make an WAF for OWA/https/443

Make an dnat for 993/imaps

If you use Microsoft Exchange, it is tunneling (schanneling) imaps over the same SSL/TLS ciphers as HTTPS.

All client-server protocols in Exchange use the Secure Channel (or schannel) as a security support provider, this is at the Windows OS level and is not Exchange specific. Exchange uses IIS for HTTPS, and that in turn uses schannel. For SMTP, IMAP and POP Exchange now has it’s own protocols, but those also use the schannel configuration. This means that your supported protocols and ciphers list from HTTP traffic is also used by SMTP, IMAP and POP. So just disable SSL v1/2/3 on the IIS for Exchange and you're fine.

Source:

The easiest way to secure the Exchange IIS is this tool:

I hope this helps you a bit.

Hi traxxus,

Thanks for your response! We do not use Microsoft Exchange, but thanks for the info. I was able to move only our https traffic to the WAF and then left the rest of our mail services to dealt with using NAT and the UTM's basic Firewall.  I then solved our DROWN vulnerability by finally getting an openssl patch in place for our mail server. Looks like this issue is resolved.

Thanks everyone!

Hi traxxus,

Thanks for your response! We do not use Microsoft Exchange, but thanks for the info. I was able to move only our https traffic to the WAF and then left the rest of our mail services to dealt with using NAT and the UTM's basic Firewall.  I then solved our DROWN vulnerability by finally getting an openssl patch in place for our mail server. Looks like this issue is resolved.

Thanks everyone!