Allow Outlook To Work Through SafeSquid

From Secure Web Gateway

Many a times our team has been reported saying that MS Outlook isn't working when we enable authentication (Negotiate or basic) and/or SSL inspection. Remember that SafeSquid is generally deployed in an environment which has a firewall in front, that allows only 80 and 443 traffic from SafeSquid through it and blocks the rest.

Debugging a bit deep into this gave us certain interesting results. It was observed that Outlook not only uses HTTP and HTTPS protocols, but also uses certain other protocols like SMTP(S), IMAP(S) and POP(S) which are typically non HTTP(S) traffic. Outlook also fires DNS queries on UDP and interacts with LDAP on 389 and 636 ports.

Surprisingly, Outlook is found to support proxy authentications (Negotiate and basic) and can also perform SSL negotiation using certificate deployed in Internet Explorer. So a solution to this kind of problem is to allow the necessary traffic in your firewall and block the rest.

There are a couple of methods to achieve this. We can either allow and block the traffic by configuring iptables rules on the SafeSquid server or configure these policies in the firewall of your organization.

The findings in allowing the Outlook traffic using the iptables rules are shown below:

/*This rule is to allow the established incoming connections to the server*/
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/*This rule is to allow the loopback connections to the server*/
iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT

/*This rule is to allow the incoming ping requests to the server*/
iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT

/*This rule is to allow the incoming connections on the following ports to the server, 22(SSH), 25(SMTP), 53(DNS), 110(POP), 389(LDAP), 587(SMTPS), 636(LDAPS), 953(RNDC), 993(IMAPS), 995(POP3S) */
iptables -A INPUT -p tcp -m multiport --dports 22,25,53,110,389,465,587,636,953,993,995 -j ACCEPT

/*This rule is to allow the incoming connections on the following ports to the server, 1023(Reserved), 3268(MSGC), 3269(MSGCS), 5222(XMPP client connections), 5269(XMPP server-to-server), 5280(XMPP over synchronous HTTP), 8080(SafeSquid port) */
iptables -A INPUT -p tcp -m multiport --dports 1023,3268,3269,5222,5269,5280,8080 -j ACCEPT

(Note that both the above rules are one and the same excepting the ports. iptables will not allow us to add all the above mentioned ports at one go, which is the reason to separate them into two rules)

/*This rule is to allow the incoming UDP connections to the server on the following ports, 53(DNS), 953(RNDC)*/
iptables -A INPUT -p udp -m multiport --dports 53,953 -j ACCEPT

/*This rule is to allow the established outbound connections from the server*/
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

/*This rule is to allow the loopback connections from the server*/
iptables -A FORWARD -i lo -m comment --comment "Allow loopback connections" -j ACCEPT

/*This rule is to allow the ping outside from the server*/
iptables -A FORWARD -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT

/*This rule is to allow the connections on the following ports from the server, 22(SSH), 25(SMTP), 53(DNS), 110(POP), 389(LDAP), 587(SMTPS), 636(LDAPS), 953(RNDC), 993(IMAPS), 995(POP3S) */
iptables -A FORWARD -p tcp -m multiport --dports 22,25,53,110,389,465,587,636,953,993,995 -j ACCEPT

/*This rule is to allow the connections on the following ports from the server, 1023(Reserved), 3268(MSGC), 3269(MSGCS), 5222(XMPP client connections), 5269(XMPP server-to-server), 5280(XMPP over synchronous HTTP), 8080(SafeSquid port)*/
iptables -A FORWARD -p tcp -m multiport --dports 1023,3268,3269,5222,5269,5280,8080 -j ACCEPT

/*This rule is to allow the UDP connections from the server on the following ports 53(DNS), 953(RNDC)*/
iptables -A FORWARD -p udp -m multiport --dports 53,953 -j ACCEPT

/*This rule is to DROP the remaining input traffic to the server*/
iptables -P INPUT DROP

/*This rule is to drop the forward output traffic from the server*/
iptables -P FORWARD DROP


The above iptables rules are enough for Outlook to work in an environment where authentication and/or SSL inspection in SafeSquid are enabled.