Publishing Exchange on Pfsense

How to Publish Exchange on Pfsense (Old Version)

This page will guide you through the steps of publishing Microsoft Exchange web services on Pfsense version 2.1.5 (the latest at the time of writing).
If you don’t have it installed already, you can check out my guide on how to install Pfsense and prepare it for your environment.

Note:

Before starting, you must know that if the Pfsense web GUI and the Exchange web services are going to share the same public IP (WAN), you must move the Pfsense web GUI to a non-standard HTTP/HTTPS port, so that ports 80 and 443 are free for the reverse proxy.

First, we will have to install the Squid3 package on Pfsense.

Installing the Package

I will click on the plus sign (+) next to the Squid3 package to install it.

After checking on the Services menu that it is installed, I will go to Reverse Proxy.

We will have to export the certificate from our Exchange server and import it into the certificate store in Pfsense.

I’ll click on the + on the CAs tab to import the Certification Authority root certificate.

I opened the CA certificate in Notepad++, copied all of it, gave it a name and clicked on Save.

After clicking on Save, here is what I got.

Add the Exchange’s personal certificate and key, and use DigiCert’s tool to export the key as in the following screenshot.

Now I’ll go back to Pfsense’s portal, to the Certificates section, to add the Exchange’s certificate: I will go to the Certificates tab and click on the + sign to add the cert.

I will paste the certificate data and the key as well, and save.

I added the cert’s data and the cert’s key, and after I clicked on Save here’s what it looks like.

Now I will go to the Reverse Proxy tab and configure it for Exchange. The first thing I should do is enable the HTTP and HTTPS ports and choose the certificate for Exchange.

NOTE: entering the standard ports (80 and 443) for HTTP and HTTPS might work in earlier versions of Pfsense like 1.5 and 2.0, but not in 2.1 and 2.2. For the reverse proxy to work on the newer versions, leave the port field empty if you decide to use the standard ports.

Here I have enabled all the ports and chosen the right certificate. I will also import the intermediate certificate in case it is needed.

I will go back to the Exchange server, where I have all the certificates, and export the intermediate certificate.

To identify the intermediate certificate, I will go to the MMC, open the personal certificate and check its certification path.

I will double-click on the certificate and check its certification path.

Opening the intermediate certificate store.

I will use the MMC wizard to export the certificate with the Base-64 encoded option.

After I exported it:

Now I will enable OWA and fill in the information related to it as follows.

Next I will go to the firewall (NAT) part to configure the required ports and IPs. Click on the Firewall tab and then NAT.

I will only need to configure ports 25 and 443, since I already have a certificate and want to use HTTPS instead of HTTP.

Here is what my firewall looks like right now.

Note: on the Exchange server the default gateway should be the LAN IP of Pfsense, or at least there should be a persistent route to the local IP of Pfsense.

I will save this rule and check if I can browse to OWA from my browser. Note that I am connecting remotely and that the Exchange server is hosted on Hyper-V at a different location.

WHOA, it works without any issues, but I’ll still sign in and make sure I can log in without any problem.

Now I will check if I can send e-mail back and forth between Exchange and Gmail, starting by sending an e-mail from Exchange. The e-mail arrives in Gmail.

Now I am replying to the e-mail from Gmail to Exchange.

Everything seems to be working as expected… 

Now it’s time to make sure that ActiveSync is working properly as well. I will first test ActiveSync with the Remote Connectivity Analyzer at www.testexchangeconnectivity.com or https://testconnectivity.microsoft.com.

I will have to go to the Exchange Server tab, select the “Exchange ActiveSync” option for testing, and click Continue at the bottom right of the window.

Then I will enter my credentials as you can see below.

The test will take about 15-30 seconds to finish.

Then it will show the expected result.

Detailed result of the test:

Note: 

I have also tested it on my iPhone and it worked without any issue as well.

9 thoughts on “Publishing Exchange on Pfsense”

  1. If you NAT the Exchange HTTPS port to the Internal IP of Exchange Server you will bypass the Squid Reverse proxy! This configuration is wrong

    1. Hi Federico, Yes you’re right I have fixed that but was lazy to update my article.
      I will correct the article.
      Thanks a lot
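Federico’s point, that NATting port 443 to the Exchange IP sends traffic around Squid instead of through it, and the note at the top of the page about moving the Pfsense web GUI off the standard ports are both things worth checking on the box itself. The shell script below is an added example, not from this post or from pfSense: the `pfctl -sn` and `sockstat -4l` sample lines are constructed, and the column layout and the `port = https` wording of rdr rules are assumptions about pfctl’s output format.

```shell
#!/bin/sh
# Added example, not part of the original post: a read-only sanity check for
# the two mistakes discussed on this page. (1) A NAT (rdr) rule that forwards
# WAN port 443 straight to the Exchange LAN IP bypasses the Squid reverse
# proxy, so HTTPS must terminate on pfSense itself. (2) If the pfSense web GUI
# still holds port 443, Squid cannot listen there. The sample pfctl and sockstat
# output below is constructed; the column layout is an assumption.
set -eu

# Read `pfctl -sn` output on stdin and print the rdr rules that send 443/https
# to the Exchange LAN IP ($1). Returns 1 if any were found, 0 if clean.
find_https_nat_bypass() {
  exch_ip=$1
  awk -v ip="$exch_ip" '
    /^rdr/ && / -> / {
      split($0, half, " -> ")      # half[1]: WAN side, half[2]: redirect target
      split(half[2], rhs, " ")     # rhs[1]: target address
      if (half[1] ~ /port = (443|https)( |$)/ && rhs[1] == ip) { print; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Read `sockstat -4l` output on stdin and print the distinct commands bound to
# port 443. On a correct box only squid should appear.
listeners_on_443() {
  awk '$5 == "tcp4" && $6 ~ /:443$/ { print $2 }' | sort -u
}

# Run both checks. $1 Exchange LAN IP, $2 file with pfctl -sn output,
# $3 file with sockstat -4l output. Prints findings; returns the problem count.
audit() {
  exch_ip=$1; nat_file=$2; sock_file=$3; problems=0
  tmp=$(mktemp)
  if ! find_https_nat_bypass "$exch_ip" < "$nat_file" > "$tmp"; then
    echo "PROBLEM: HTTPS is NATed straight to Exchange, bypassing Squid:"
    sed 's/^/    /' "$tmp"
    problems=$((problems + 1))
  fi
  rm -f "$tmp"
  for cmd in $(listeners_on_443 < "$sock_file"); do
    case $cmd in
      squid) echo "OK: squid is listening on 443" ;;
      *) echo "PROBLEM: $cmd also holds port 443 (move the web GUI to another port)"
         problems=$((problems + 1)) ;;
    esac
  done
  return $problems
}

# Constructed sample output. 203.0.113.10 is the WAN address, 192.168.1.10 the
# Exchange server; the smtp rule is fine, the https rule is the bypass.
SAMPLE_NAT='no nat proto carp all
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10
rdr on em0 inet proto tcp from any to 203.0.113.10 port = smtp -> 192.168.1.10
rdr on em0 inet proto tcp from any to 203.0.113.10 port = https -> 192.168.1.10'
SAMPLE_SOCK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
root     lighttpd   1234  5  tcp4   *:443              *:*
squid    squid      2345  12 tcp4   203.0.113.10:443   *:*
root     sshd       456   4  tcp4   *:22               *:*'

if [ "${1:-}" = demo ]; then
  w=$(mktemp -d)
  printf '%s\n' "$SAMPLE_NAT" > "$w/nat.txt"
  printf '%s\n' "$SAMPLE_SOCK" > "$w/sock.txt"
  audit 192.168.1.10 "$w/nat.txt" "$w/sock.txt" || echo "$? problem(s) found"
  rm -rf "$w"
elif [ "${1:-}" = live ]; then     # on the pfSense box itself: sh audit.sh live <exchange-ip>
  pfctl -sn > /tmp/nat.txt; sockstat -4l > /tmp/sock.txt
  audit "${2:?Exchange LAN IP}" /tmp/nat.txt /tmp/sock.txt
fi
```

`sh audit.sh demo` reports two problems on the constructed sample (the https rdr rule and lighttpd on 443); `sh audit.sh live 192.168.1.10` runs the same checks against the real `pfctl` and `sockstat` output on the firewall. Port 25 for SMTP is still legitimately NATed to Exchange, which is why the check only looks at 443.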

  2. Hello,
    I would like to publish my Exchange 2016 DAG 2 servers with pfSense 2.5.1.
    This how-to seems to suit, but aren’t there some missing pictures between the text lines?
    Thanks for your help.
    Pascal

    1. Hi Pascal,
      I would rather recommend using HAProxy for Exchange on Pfsense. It really works perfectly and does SSL offloading and load balancing if you have a DAG.
      I can help you with the configuration. Please drop me an email info@moh10ly.com
      Regards

      1. Hello Mohhamed,
        Sorry I missed your answer…
        Well, this job was suspended for a few weeks.
        I’ll get back to it these days.
        My issue with displaying pictures on your web site was solved (Edge filtering….), so now I can see pictures.
        I’ll ask for your help once I have worked on it.
        Thank you very much for your aid proposal!
        Pascal

  3. Hello, I have an Exchange 2013 SP1. I exported my certificate (.pfx) generated by a certifier and imported it into my pfSense without problems, but my Outlook and OWA services don’t work from WAN to LAN.

    I’m using Squid reverse proxy and Pfsense updated.

    In the tests I performed on https://testconnectivity.microsoft.com/tests/o365 it works; however, Outlook and OWA, nothing.

    1. Hi, since you’re not using any load balancer, you still need to import it to the Exchange server, as SQUID will not perform any SSL offload.
      Please install the same certificate on your Exchange server and make sure you restart the IIS service.

  4. Hi moh10ly, the certificate is already installed and correctly configured on my Exchange and IIS server, it worked correctly in TMG, and is now working on a Cisco small business firewall, however PFsense will give me more administration resources.
