I have two questions in relation to the Web Application Firewall:
#1 Why is the internal IP showing up in the URL for OWA?
Example:
mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2f192.x.x.10%2fowa%2f
Output from WAF LiveLog:
2013:08:16-18:55:22 mail-1 reverseproxy: srcip="108.x.x.58" localip="63.x.x.161" size="9303" user="-" host="108.x.x.58" method="GET" statuscode="200" reason="-" extra="-" time="278570" url="/owa/14.1.438.0/themes/resources/lgnbotl.gif" server="mail.domain.com" referer="https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2f192.x.x.10%2fowa%2f" cookie="OutlookSession=2ab2b673ed9541f69707a53e196889cc" set-cookie="-"
#2 Is there no way to export the local X.509 cert so I can change that to what the Exchange server uses for HTTPS? I ask because if I attempt to add a phone to the Exchange server, I clearly see the cert it's using is the UTM's cert, which is not currently the HTTPS cert used by Exchange. Now, if my only option is to purchase a cert from a recognized CA, then so be it, but I was curious if there is a way around this issue.