Need to disable 443

[fredmdl]

Hello gentlemen

I own the zxmobile and realized that after I disabled the external port 443 on my firewall, I started having problems with cell phones.

I need to disable the external 443 because I will not give more access to webmail for the user ...

Can anyone help me?

Thank you.

[d0s0n]

Hi fredmdl and welcome to our forums!

The activesync protocol uses same ports of webmail services, so if want to disable the external web access but preserving the mobile sync protocol, you shoud setup a reverse proxy service (eg. zimbra-proxy) only for external access, authorizing only the /Microsoft-Server-ActiveSync url location (but this isn't a standard zimbra use, so I cannot give you a specific configuration).

Have a nice day.

D0s0n

[fredmdl]

Hi fredmdl and welcome to our forums!

The activesync protocol uses same ports of webmail services, so if want to disable the external web access but preserving the mobile sync protocol, you shoud setup a reverse proxy service (eg. zimbra-proxy) only for external access, authorizing only the /Microsoft-Server-ActiveSync url location (but this isn't a standard zimbra use, so I cannot give you a specific configuration).

Have a nice day.

D0s0n

Hi d0s0n
Tks for reply,
I'll search about it ...
there any way to disable https for webmail and leave only the http?
This would solve also.

[Cine]

Hello fredmdl!

there any way to disable https for webmail and leave only the http?
This would solve also.

It's possible to disable https access, but it would affect both the webmail and the mobile sync...

Have a nice day,
Cine
the ZeXtras Team

[fredmdl]

Hello fredmdl!


It's possible to disable https access, but it would affect both the webmail and the mobile sync...

Have a nice day,
Cine
the ZeXtras Team

Hi Cine,
I tried the following
zmtlsctl http
restart zmcontrol

But zxmobile sync stopped working. If I use "zmtlsctl both" and use the proxy as suggested earlier will have the best chances?

[Cine]

Hi Cine,
I tried the following
zmtlsctl http
restart zmcontrol

But zxmobile sync stopped working. If I use "zmtlsctl both" and use the proxy as suggested earlier will have the best chances?

Hello fredmdl!

As mentioned before, disabling https access (in your case by setting the webserver mode to "http-only" via zmtlsctl) affects both the webmail and the EAS synchronization, while adding a zimbra-proxy to your infrastructure as suggested by D0s_0n will surely accomplish the desired results...

Have a nice day,
Cine
the ZeXtras Team

[fredmdl]

Hi guys,
Just returning if someone has to do the same

objective:
Block external access to webmail zimbra keeping the activesync zxmobile.

For this you need to install nginx proxy on zimbra or another server like antispam
Configure the firewall to forward port 443 requests sent to port 4443 for Zimbra or antispam (NAT)

The key configuration file:
/etc/nginx/sites-enabled/default
Change/add lines bellow

Code:

######################################
server {
    listen       4443;
    server_name  mail.ZIMBRA.com.br;

ssl  on;
ssl_certificate  /etc/nginx/server.crt;
ssl_certificate_key  /etc/nginx/server.key;
ssl_session_timeout  5m;

    access_log /var/log/nginx/nginx.access.log;
    error_log /var/log/nginx/nginx_error.log debug;
    #location /Microsoft-Server-ActiveSync
    location ^~ /Microsoft-Server-ActiveSync
{
    proxy_redirect        off;
    proxy_set_header        Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size    10m;
    client_body_buffer_size 128k;
    proxy_connect_timeout   90;
    proxy_send_timeout      90;
    proxy_read_timeout      90;
#    proxy_buffers           324k;
    proxy_pass http://ZIMBRA-IP/Microsoft-Server-ActiveSync;
 }
}
########################################

that's it