Need to disable 443
Results 1 to 7 of 7

Thread: Need to disable 443

  1. #1
    Active Member
    Join Date
    Feb 2013
    Posts
    14

    I Need to disable 443

    Hello gentlemen

    I own the zxmobile and realized that after I disabled the external port 443 on my firewall, I started having problems with cell phones.

    I need to disable the external 443 because I will not give more access to webmail for the user ...

    Can anyone help me?

    Thank you.
    Last edited by fredmdl; 11-12-2014 at 07:19 PM.

  2. #2
    CTO ZeXtras Employee d0s0n's Avatar
    Join Date
    Apr 2011
    Posts
    565
    Hi fredmdl and welcome to our forums!

    The activesync protocol uses same ports of webmail services, so if want to disable the external web access but preserving the mobile sync protocol, you shoud setup a reverse proxy service (eg. zimbra-proxy) only for external access, authorizing only the /Microsoft-Server-ActiveSync url location (but this isn't a standard zimbra use, so I cannot give you a specific configuration).

    Have a nice day.

    D0s0n
    ZeXtras Website # ZeXtras Wiki # ZeXtras Store

    Head of ZeXtras System Administrators

  3. #3
    Active Member
    Join Date
    Feb 2013
    Posts
    14
    Quote Originally Posted by d0s0n View Post
    Hi fredmdl and welcome to our forums!

    The activesync protocol uses same ports of webmail services, so if want to disable the external web access but preserving the mobile sync protocol, you shoud setup a reverse proxy service (eg. zimbra-proxy) only for external access, authorizing only the /Microsoft-Server-ActiveSync url location (but this isn't a standard zimbra use, so I cannot give you a specific configuration).

    Have a nice day.

    D0s0n
    Hi d0s0n
    Tks for reply,
    I'll search about it ...
    there any way to disable https for webmail and leave only the http?
    This would solve also.

  4. #4
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011
    Posts
    2,342
    Hello fredmdl!
    Quote Originally Posted by fredmdl View Post
    there any way to disable https for webmail and leave only the http?
    This would solve also.
    It's possible to disable https access, but it would affect both the webmail and the mobile sync...

    Have a nice day,
    Cine
    the ZeXtras Team
    IT Support Team Contact Form
    Sales Team Contact Form

    ZeXtras Website
    # ZeXtras Wiki # ZeXtras Store

    Have ZeXtras Suite or ZeXtras Migration Tool been helpful to you?
    Share your experience in the Zimbra Gallery!

    ZeXtras Suite on the Zimbra Gallery
    ZeXtras Migration Tool on the Zimbra Gallery

  5. #5
    Active Member
    Join Date
    Feb 2013
    Posts
    14
    Quote Originally Posted by Cine View Post
    Hello fredmdl!


    It's possible to disable https access, but it would affect both the webmail and the mobile sync...

    Have a nice day,
    Cine
    the ZeXtras Team
    Hi Cine,
    I tried the following
    zmtlsctl http
    restart zmcontrol

    But zxmobile sync stopped working. If I use "zmtlsctl both" and use the proxy as suggested earlier will have the best chances?

  6. #6
    ZeXtras Community Manager ZeXtras Employee Cine's Avatar
    Join Date
    Apr 2011
    Posts
    2,342
    Quote Originally Posted by fredmdl View Post
    Hi Cine,
    I tried the following
    zmtlsctl http
    restart zmcontrol

    But zxmobile sync stopped working. If I use "zmtlsctl both" and use the proxy as suggested earlier will have the best chances?
    Hello fredmdl!

    As mentioned before, disabling https access (in your case by setting the webserver mode to "http-only" via zmtlsctl) affects both the webmail and the EAS synchronization, while adding a zimbra-proxy to your infrastructure as suggested by D0s_0n will surely accomplish the desired results...

    Have a nice day,
    Cine
    the ZeXtras Team
    IT Support Team Contact Form
    Sales Team Contact Form

    ZeXtras Website
    # ZeXtras Wiki # ZeXtras Store

    Have ZeXtras Suite or ZeXtras Migration Tool been helpful to you?
    Share your experience in the Zimbra Gallery!

    ZeXtras Suite on the Zimbra Gallery
    ZeXtras Migration Tool on the Zimbra Gallery

  7. #7
    Active Member
    Join Date
    Feb 2013
    Posts
    14

    Cool it was hard but it worked

    Hi guys,
    Just returning if someone has to do the same

    objective:
    Block external access to webmail zimbra keeping the activesync zxmobile.

    For this you need to install nginx proxy on zimbra or another server like antispam
    Configure the firewall to forward port 443 requests sent to port 4443 for Zimbra or antispam (NAT)

    The key configuration file:
    /etc/nginx/sites-enabled/default
    Change/add lines bellow
    Code:
    ######################################
    server {
        listen       4443;
        server_name  mail.ZIMBRA.com.br;
    
    ssl  on;
    ssl_certificate  /etc/nginx/server.crt;
    ssl_certificate_key  /etc/nginx/server.key;
    ssl_session_timeout  5m;
    
        access_log /var/log/nginx/nginx.access.log;
        error_log /var/log/nginx/nginx_error.log debug;
        #location /Microsoft-Server-ActiveSync
        location ^~ /Microsoft-Server-ActiveSync
    {
        proxy_redirect        off;
        proxy_set_header        Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size    10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout   90;
        proxy_send_timeout      90;
        proxy_read_timeout      90;
    #    proxy_buffers           324k;
        proxy_pass http://ZIMBRA-IP/Microsoft-Server-ActiveSync;
     }
    }
    ########################################
    that's it
    Last edited by fredmdl; 12-09-2014 at 06:04 PM. Reason: discover a better way to do the same.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •