February 9th, 2010

Preface

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

Ongoing development of the standard will provide for feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input, during the creation and review of proposed additions or modifications to the PCI DSS.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for QSAs and ASVs. The PCI Security Standards Council also manages a global training and certification program for QSAs and ASVs, and will publish a directory of certified providers on this Web site.

February 2nd, 2010

The new Astaro Licensing Model comes into effect on February 1st; however, there will be a transition period until March 31st, 2010 during which both the former and the new licensing model are valid.

What’s new:

We rearranged the former Base License: out of the advanced network security features we created a dedicated subscription called "Network Security", while our free "Essential Firewall" contains the basic networking and network security features. We also adjusted maintenance and support.

There are several reasons for the changes in our licensing: we wanted to create more flexible licensing so that customers can buy exactly what they need. With the new model the clustering and user-upgrade processes are much easier. We also developed a more competitive price point for smaller appliances.

With this new strategy there is no longer a need for our multipoint appliances, the Astaro Mail Gateway and the Astaro Web Gateway. These appliances will no longer be sold after March 31st, 2010. Mail Security and Web Security applications will be available as subscriptions for the Astaro Security Gateway but no longer as separate hardware appliances.

We want to offer you the following introductory promotions as part of the launch of our new licensing model:

  • A customer signing for 3 years Full Guard will receive the appropriate hardware appliance for free.
  • A customer signing for 5 years Full Guard will receive two hardware appliances in Active/Passive HA Mode for free.

This offer is valid until March 29th, 2010.

If you have further questions or want to personally discuss the new licensing model with us, we invite you to contact us.

Best regards,

2Secure Team
Astaro Preferred Partner

January 22nd, 2010

Preface

This post is about a known issue with the Astaro SSL VPN client installed on Windows Vista and Windows 7. You can install and run the application and connect to the Astaro firewall, but you cannot reach the internal network. To create a path to the internal network, a command of the form "route add destination mask gateway interface metric" must be executed after connecting to the Astaro firewall. Running this command in an ordinary command prompt shows an error message that elevation is needed: Windows Vista/7 requires re-validation (an elevation prompt) before running privileged commands, to prevent malicious software installations.

Solution 1:
One way is to run the Astaro VPN client by right-clicking the .exe file and choosing Run As Administrator; Windows will ask you to approve this. Now try to connect to your internal network.

Solution 2:
I found a small VB script that does the trick and runs the application automatically. You will need to tweak it to your needs.

<-SCRIPT->
set WshShell = WScript.CreateObject("WScript.Shell")
' Open a command prompt as the named user; runas then asks for that user's password
WshShell.run "runas /user:computer_name\User_name %comspec%"
WScript.Sleep 500 ' wait for the above command to complete
WshShell.SendKeys "Password" ' send password
WshShell.SendKeys "{ENTER}"
WScript.Sleep 1000 ' wait for the above command to complete
' Open Astaro vpn client
WshShell.SendKeys Chr(34) + "C:\Program Files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui" + Chr(34)
WshShell.SendKeys "{ENTER}"
WshShell.SendKeys "exit" ' Close command prompt
WshShell.SendKeys "{ENTER}"
WScript.Sleep 200
set WshShell = nothing

<- END SCRIPT ->

Open a new text document, copy and paste the above code, and save the file as VPN.vbs. Change the computer name, user name, password, and the time to wait for each command (don't make it much smaller than 500).
Before you run it, make sure the program is not already running by checking the toolbar; otherwise you will get an error message.
Next we need to stop the program from running at boot time: run the command msconfig, click the Services tab, locate the Astaro application, uncheck the box, then save and exit.
Restart the system to make sure it's clean. Now double-click VPN.vbs, connect to the firewall and try to ping the internal network.

Done!

January 11th, 2010

1. Simple single-homed Profense implementation


Figure 9.1. Simple single-homed Profense implementation

This scenario is the easiest to implement, since Profense can be introduced into the already established network without any major reconfiguration. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.

Profense is placed on the same network (DMZ) as the web systems (web1 and web2) it is protecting.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.0.2.

The web systems’ default gateway is unaltered and is still the router with IP address 192.168.0.1.


2. Firewalled single-homed Profense implementation


Figure 9.2. Firewalled single-homed Profense implementation

This scenario requires an extra interface in the firewall, since Profense is deployed in a DMZ segment separated from the segment in which the web servers are placed. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) uses a single Ethernet interface.

A separate network segment (subnet 2) is configured between Profense and the firewall.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.1.10.

Outbound traffic from Profense to web systems is again inspected by the firewall and sent to the web systems on subnet 3.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.


3. Firewalled Profense implementation with a fail-over/backup Profense


Figure 9.3. Firewalled Profense implementation with a fail-over/backup Profense

In this scenario Profense is deployed in a high availability configuration with an extra Profense (backup) used for fail-over. A dedicated network or crossover cable connects the Profense cluster, and a separate interface is used for synchronization of various information between the active and the backup Profense. Inbound and outbound traffic share the same interface.

The two Profense systems share a virtual (VIP) IP address 192.168.1.12.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s VIP address 192.168.1.12.

In case the active Profense system fails or loses connectivity, the backup takes over the VIP and starts handling the requests from clients.

The web systems’ default gateway is the firewall with IP address 192.168.0.1.


4. Dual-homed performance optimized Profense implementation


Figure 9.4. Dual-homed performance optimized Profense implementation

In this scenario Profense is configured in a dual-homed setup with separation of inbound and outbound web traffic, using two Ethernet interfaces. Client requests are terminated in VLAN2 and responses from web systems are terminated in VLAN3. This setup (or a similar one) potentially provides greater performance (since two interfaces are used) and greater security.

A separate network segment (VLAN2) is configured between Profense and the layer 3 switch.

HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.1.9.

Outbound traffic (downstream) from Profense is sent to web systems via VLAN3.

The layer 3 switch is configured to allow only traffic on the necessary ports (typically 80/tcp for HTTP and 443/tcp for HTTPS) to pass from Profense to the web systems.

The web systems’ default gateway is the layer 3 switch with IP address 192.168.0.1.

December 10th, 2009

!!!! 50% Discount !!!!

 

Safeguard Sensitive Data. Enforce Security Policies with Web Application Firewall.

Advanced Web Application Security and Compliance Solution

Profense Web application firewall (WAF) is software that secures Web applications. It enables PCI compliance by mitigating Web application security threats and vulnerabilities to prevent data theft and manipulation of sensitive corporate and credit card information. Profense incorporates advanced Web application security filtering technologies to seamlessly detect threats, block attacks and report events. Profense improves the security and availability of business-critical Web applications and creates a higher return on investment (ROI) for Web-based applications.

With installation taking less than an hour, the Profense web application firewall software quickly and easily turns most standard servers into a powerful, standalone web application firewall allowing you to affordably join the thousands of others who trust Profense to protect their web sites, web applications, web services and data.


I had a full featured trial version installed within minutes. During the trial period, the support was excellent.
Recently  we bought our second cluster license.
I recommend it to anyone.
Large financial industry company
Chicago, IL

Profense Web Application Firewall - Single Node License 8/5 Support

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup.

Includes 1 year 8/5 business day support by phone, email and web, automated updates, all upgrades. Annual support renewal: $ 1495

License: Single node license. Allows for installation of one node in a production environment. Additional nodes in non-production environments for development and testing are allowed.

Support: Standard support – first year. 8/5 business day support by phone, email and web, automated updates, all upgrades.

Support upgrade and renewal options:
Upgrade to Premium support (24/7) first year: $595 
Standard support renewal one year : $1,495
Premium support renewal one year: $1,995


Regular price: $5,950.00. Discount price: $2,995.00. P&P: $0.00.

Profense Web Application Firewall - Single Node License 24/7 Support

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup.

Includes 1 year 24/7 business day support by phone, email and web, automated updates, all upgrades. 

License: Single node license. Allows for installation of one node in a production environment. Additional nodes in non-production environments for development and testing are allowed.

Support upgrade and renewal options:
Premium support renewal one year: $1,995


Regular price: $5,950.00. Discount price: $3,590.00. P&P: $0.00.

Profense Web Application Cluster - Two Node License 8/5 Support

Profense™ Cluster
Two Node License

Standard support

 

Perfect for companies with high traffic volumes who also want the comfort of an instant backup for their security.

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup, active/active clustering with policy synchronization.

License: Two node license. Allows for installation of one master node and one slave node in a production environment. Additional nodes in non-production environments for development and testing are allowed.

Unlike most traditional web application firewall appliances, Profense cluster nodes run side by side, sharing the traffic load and providing instant backup for each other.

These nodes “self balance” so no additional hardware is required for high volume environments, giving you performance you’d have to pay a minimum of 50% more for with traditional solutions.

Includes 1 year 8/5 business day support by phone, email and web, automated updates, all upgrades.

Support and upgrade options:

Upgrade to Premium support (24/7) first year: $845
Standard support renewal one year : $1,995 
Premium support renewal one year: $2,495

Regular price: $8,450.00. Discount price: $4,995.00. P&P: $0.00.

Profense Web Application Cluster - Two Node License 24/7 Support

Profense™ Cluster
Two Node License

Includes Premium support (24/7) first year

 

Perfect for companies with high traffic volumes who also want the comfort of an instant backup for their security.

Unlike most traditional web application firewall appliances, Profense cluster nodes run side by side, sharing the traffic load and providing instant backup for each other.

Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup, active/active clustering with policy synchronization.
License: Two node license. Allows for installation of one master node and one slave node in a production environment. Additional nodes in non-production environments for development and testing are allowed.

These nodes “self balance” so no additional hardware is required for high volume environments, giving you performance you’d have to pay a minimum of 50% more for with traditional solutions.

Includes 1 year 24/7 business day support by phone, email and web, automated updates, all upgrades.
Premium support renewal one year: $2,495

Regular price: $8,450.00. Discount price: $5,840.00. P&P: $0.00.

Profense Base Web Application Firewall - Single Node License 8/5 Support

Features include Auto mode with instant protection and adaptive learning, positive and negative filtering, load balancing with session persistence, acceleration, automated learning.

License: Single node license. Allows for installation of one node in production environment. Additional nodes in non-production environment for development and testing are allowed.

Includes 1 year Web and email based technical support, automated updates.

Support upgrade and renewal options:
Upgrade to Standard Profense version, standard first year: $300
Basic support renewal one year: $995
Standard support renewal one year: $1,250

Regular price: $2,950.00. Discount price: $1,995.00. P&P: $0.00.

December 9th, 2009

Why does it matter?

You can't afford downtime or an IT security breach when implementing mission-critical business solutions. Our security services and solutions are designed to minimize your risk and deliver results that impact your business by keeping your IT systems current, secure and available when you need them.

Before we begin, ask yourself:

 Question: Who has access to data?

Answer: You should examine your user account policy, delete unused accounts, and set an audit policy.

Question: Can someone from outside access my data and how?

Answer: You should check every entry point; wireless access points, modem installations, flash drives, and remote access.

Question: Can someone from the inside misuse my data?

Answer: You need to run an assessment to check file permissions on network shares.

Question: Is my Antivirus software effective?

Answer: Having a central point of management is a key requirement for maintaining updated software on desktops, laptops, servers, and network gateways.

Question: Is my database safe?

Answer: You should examine database user accounts, install patches, enforce auditing and access control, and consider installing a database firewall.

Question: Is my website safe?

Answer: You should run vulnerability scans verifying that (a) your website is configured correctly and (b) no vulnerabilities exist within the web application, and (c) check the perimeter firewall policy.

Question: Can my business recover from a disaster?

Answer: If you have a backup, it's a good starting point. Setting up hot bare-metal recovery with disk-to-disk-to-tape is a good solution for faster and more reliable recovery.

Yigal Behar

August 7th, 2009

Automated blocking at the network level: New automated blocking at the network level makes it harder for attackers to identify vulnerabilities at the application level. The new network blocking features extend protection beyond the standard denial of service (DoS) mitigation, which blocks IP addresses exceeding request number and frequency thresholds. Profense now includes the ability to automatically block IP addresses from which hostile requests have been logged. This new form of blocking is triggered by hostile requests across listed websites, based on the risk level of a request or on the number of requests at predetermined risk levels.

Improved health checking of backend servers: Improved health checking of web servers improves website and web application availability, ensuring a safe, consistent and uninterrupted experience for website visitors. Profense proactively checks web server availability and allows programmed, event-based disabling of failed or overburdened web servers, with immediate alerting of the event via email or Syslog. Both HTTP response code and response body checksum methods are supported.

Improved support for web 2.0: Expanded support for web 2.0 applications by adding support for the JSON and SOAP web services request formats.

A dashboard providing a much better overview of what is going on in the website proxies: Improved reporting features and functionality give greater visibility into threatening activity and allow for aggregate and individual website deny-log viewing, highly specific policy building and highly configurable event reporting. The new Profense Dashboard allows for individual and cross-website analysis.
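To make the two mechanisms above concrete, here is an added example (not Profense's own code) of a risk-threshold auto-blocker run over constructed deny-log records, plus a backend health check that compares an HTTP status code and a response-body checksum. The log format, the field names, the risk scale and the thresholds are assumptions made for this illustration.

```python
"""Added example, not Profense's own code: a risk-threshold auto-blocker over
constructed deny-log records, plus a backend health check that compares an
HTTP status code and a response-body checksum. The log format, field names
and thresholds are assumptions made for this illustration."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed deny-log lines (assumed format): timestamp, client IP,
# listed website, risk level of the hostile request (1 = low, 5 = critical).
DENY_LOG = """\
2009-08-07T10:00:01 203.0.113.7 shop.example.com 2
2009-08-07T10:00:02 203.0.113.7 shop.example.com 2
2009-08-07T10:00:03 203.0.113.7 bank.example.com 1
2009-08-07T10:00:04 203.0.113.7 shop.example.com 2
2009-08-07T10:00:09 198.51.100.9 shop.example.com 5
2009-08-07T10:00:10 192.0.2.44 bank.example.com 1
"""


@dataclass(frozen=True)
class BlockPolicy:
    critical_risk: int = 5   # one request at or above this level blocks at once
    min_risk: int = 2        # lower-risk requests only count toward the threshold
    max_requests: int = 3    # ... and block once this many have been logged


def parse_deny_log(text):
    """Parse the constructed log into (timestamp, ip, site, risk) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, site, risk = line.split()
        records.append((ts, ip, site, int(risk)))
    return records


def ips_to_block(records, policy=BlockPolicy()):
    """Return {ip: reason} for clients that trip the policy.

    Counting is per source IP across all listed websites, so a client probing
    several sites from one address is caught by the combined count.
    """
    counts = defaultdict(int)
    blocked = {}
    for _ts, ip, site, risk in records:
        if ip in blocked:
            continue
        if risk >= policy.critical_risk:
            blocked[ip] = f"risk level {risk} request against {site}"
        elif risk >= policy.min_risk:
            counts[ip] += 1
            if counts[ip] >= policy.max_requests:
                blocked[ip] = f"{counts[ip]} requests at risk level >= {policy.min_risk}"
    return blocked


def body_checksum(body):
    """Checksum of a known-good response body, recorded when the check is set up."""
    return hashlib.sha256(body).hexdigest()


def health_check(status, body, expected_status=200, expected_checksum=None):
    """Return (healthy, detail) for one probe of a backend server.

    The status-code check catches a down or erroring server; the checksum
    check also catches a server that answers 200 with a blank, default or
    error page, which a status-only check would pass.
    """
    if status != expected_status:
        return False, f"status {status} != {expected_status}"
    if expected_checksum is not None and body_checksum(body) != expected_checksum:
        return False, "body checksum mismatch"
    return True, "ok"


if __name__ == "__main__":
    for ip, reason in ips_to_block(parse_deny_log(DENY_LOG)).items():
        print(f"block {ip}: {reason}")
    good = b"<html><body>web1 ok</body></html>"
    print(health_check(200, good, expected_checksum=body_checksum(good)))
    print(health_check(200, b"<html>Service Unavailable</html>",
                       expected_checksum=body_checksum(good)))
```

With the constructed log, 203.0.113.7 is blocked after its third risk-2 request (the risk-1 request in between does not count), 198.51.100.9 is blocked on a single critical request, and 192.0.2.44 is left alone. The checksum variant of the health check is the one to use when a backend serves a static landing page, since a 200 with the wrong body is exactly the failure a status-only probe misses.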

Want to take Profense for a test drive?

Download the fully functional 60-day trial.

Try Profense before you buy

Yigal Behar

July 16th, 2009

The Astaro Security Gateway integrates complete Network, Web and Mail Security through an intuitive browser-based user interface. The Astaro Unified Threat Management appliance is the most easy-to-use and cost-effective "all-in-one" solution available, working to effectively shield businesses from internet based threats. Networks need to be protected against a wide variety of Internet threats, including denial of service attacks, port scans, worms, trojans, botnets and application exploits. Organizations often implement point products like IPS systems, VPN routers and firewalls as a solution. This not only requires the maintenance of multiple products, but users also need to be continuously assured that these products are fully integrated in order to effectively protect their network. The Astaro Security Gateway Network Security eliminates these issues, providing a single security application suite, integrated into an easy-to-manage Unified Threat Management solution.

The Astaro Security Gateway also protects Email. More than 80% of all email messages are spam related, phishing attacks are on the rise, and email spreads the majority of virus and spyware infections. Email security is therefore a major business requirement for organizations of all sizes. Furthermore, as the majority of emails are sent unprotected, comparable to a traditional postcard, organizations are exposed to major risks, including the loss of vital information and violating industry regulations when disclosing confidential or proprietary information. The Astaro Security Gateway embodies a unified solution for all of these risks, combining email filtering and encryption in one powerful appliance.

The Astaro Security Gateway also includes Web Filtering. Web surfing, file downloads, and programs which tunnel over HTTPS can put your computer and network at risk from spyware, viruses, and exploits. Furthermore, applications such as Skype, Instant Messaging and Peer-to-Peer present many new risks for the company network that circumvent established protection mechanisms. Employee access to inappropriate sites could potentially induce legal consequences or reduce business productivity. Astaro Security Gateway unifies the entire web filtering scope in one easy-to-use appliance, eliminating the complexity and high costs associated with the deployment of dedicated URL filtering, antivirus and IM control tools.

We also have two point solutions for customers that already are using a Firewall or want the “layered approach.”

The Astaro Web Gateway provides complete protection and control over data transferred over the web. The All-In-One web security appliance features Malware Detection, Application Control, URL Filtering and Bandwidth Management, fully integrated and manageable through a single and intuitive browser-based user interface.

The Astaro Mail Gateway provides complete protection and control over spam, viruses, worms and Trojans transferred through email. The All-In-One mail security appliance features comprehensive features for spam detection and malware filtering. An easy to use UserPortal gives end-users at any time control over a personal quarantine and e-mail log. Integrated encryption features allow a secure way to transmit emails and VPN access secures the native access to internal e-mail servers for mobile users from anywhere in the world.
 

All Astaro Products are available in Hardware, Software or Virtual.  We can tailor the best solution for your specific need.

Yigal Behar

June 30th, 2009

Requirement:

You want to allow connections from the Internet to your local LAN.

Assumptions:

You want to access RDP server such as Windows XP or Windows 2003 server

You have xDSL connection to the Internet

You don’t have a firewall between your network and the Internet

Port: 3389 TCP

Server/Workstation IP: 192.168.0.100

WAN fix address: 123.123.123.123

Netgear Router

Problem

IP traffic from the Internet cannot be delivered directly to an internal address such as 192.168.0.0, since these IP subnets are assigned for internal (private) use.

The solution

We need to have some mechanism that will forward communication based on the Port to the internal address.

What you will need:

User name and password to your router.

Router’s IP address.

Make the server or XP workstation ready to accept connections.

Any cable modem or xDSL connection has an IP address on the WAN side assigned by the ISP. Note your WAN IP address by visiting www.whatismyip.com; this address is dynamic (it can change next time...).

  1. Login to the router using web browser
  2. Under the advanced section click on Port Forwarding

Click the “Add Custom Service” 

[screenshot: netgear13]

Under the service name type the name you want such as “RDP”

[screenshot: netgear2]

Under the starting Port: type 1

Ending port: 3389

Server IP Address: 192.168.0.100

Click Apply

[screenshot: netgear3]

The next step is to test it: go to another station on the Internet, launch the RDP client, type the WAN address 123.123.123.123 and click Connect.

Good luck!

Warning: anyone from the Internet would be able to access this workstation or server, so make sure you are using:

  1. A strong password (at least 8 characters long, with numbers and lowercase/uppercase letters)
  2. All security patches installed
  3. Antivirus installed and updated

Please note: You are using the information above at your own risk.

Yigal Behar

June 15th, 2009

 

Task:

Require servers or systems behind the ASG to be accessible from Internet connections. This requires specific services to be forwarded through by opening service ports. Common implementations are web servers (HTTP, HTTPS), FTP servers, Remote Desktop Protocol (RDP) and Outlook Web Access (OWA).

Four common scenarios to set up:
Scenario 1 – Common port on public interface
Scenario 2 – New service port creation needed to forward
Scenario 3 – Additional public address
Scenario 4 – Additional public address and new service port

Steps:
For all scenarios it is recommended to first spend some time creating host definitions for webservers, email servers, ftp servers etc.
Example: Webserver host definition
Goto Definitions>>Networks
New Network Definition
Name: Webserver
Type: Host
Address: 10.200.200.10
Comment: My internal webserver IP

For all scenarios it is also possible to simply select the option for auto packet filter rules to be applied, if you do not wish to create the rule separately.
 
Scenario 1 – Common port on public interface
  Example: Webserver on HTTP TCP port 80

1) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: Webserver
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTP
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Webserver
Destination Service: left blank
Click Save
Once created click traffic light  from Red to Green

2) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTP
Destination: Webserver
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow http traffic to webserver
Click Save
Once created click traffic light  from Red to Green

Scenario 2 – New service port creation needed to forward
  Example: Remote Desktop Protocol (RDP) on TCP port 10040 public to Exchange Server on TCP port 3389
  Normally Microsoft RDP uses predefined service of TCP 3389 however it can be changed to a different port for access to multiple servers behind the ASG

1) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)
Click Save
Once created click traffic light  from Red to Green

3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server
Click Save
Once created click traffic light  from Red to Green

Scenario 3 – Additional public address
 Example: Outlook Web Access TCP port 443 (HTTPS) on second address translated to Exchange server

1) Create Additional public address
Goto Network>>Interfaces
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address
Click Save

2) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: OWA Access
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTPS
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service:  left blank
Click Save
Once created click traffic light to Green

3) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow OWA HTTPS traffic to Exchange Server
Click Save
Once created click traffic light to Green

Scenario 4 – Additional public address and new service port
 Example: Remote Desktop Protocol (RDP) on TCP port 10040 on second public address to Exchange server on Microsoft Remote Desktop Protocol (RDP) TCP port 3389

1) Create Additional public address
Goto Network>>Interfaces
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address
Click Save

2) Create a new service definition
Goto Definitions>>Services
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

3) Create a DNAT rule
Goto Network Security>>NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)
Click Save
Once created click traffic light  from Red to Green

4) Create Packet filter access
Goto Network Security>>Packet filter
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server
Click Save
Once created click traffic light  from Red to Green
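The four scenarios above, and the Netgear port-forwarding how-to earlier on this page, all rely on the same mechanism: a destination-NAT rule rewrites the public destination to the internal host (and optionally the port), and the packet filter then decides on the translated packet. The following added example (not Astaro's or Netgear's own code) models that for the page's rules. Host names, the additional public address 150.0.0.1, the port numbers and the Netgear range (starting port 1, ending port 3389 on 123.123.123.123 to 192.168.0.100) are taken from the page; the ASG's primary public address and the Exchange server's internal address are constructed placeholders because the page does not give them.

```python
"""Added example, not Astaro's or Netgear's own code: a small model of how a
destination-NAT rule and a packet-filter rule act on one packet, built from
the definitions in the four ASG scenarios and the Netgear how-to above."""
from dataclasses import dataclass, replace
from typing import Optional

EXTERNAL = "203.0.113.1"           # constructed: ASG primary public address
EXCHANGE_PUBLIC = "150.0.0.1"      # additional address from Scenarios 3 and 4
WEBSERVER = "10.200.200.10"        # host definition from the page
EXCHANGE_SERVER = "10.200.200.20"  # constructed: page names the host, not its IP
HTTP, HTTPS, RDP, RDP_10040 = 80, 443, 3389, 10040


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    traffic_dst: str                 # "Traffic Destination": the public address
    dport_lo: int                    # "Traffic Service": destination port range
    dport_hi: int
    new_dst: str                     # "Destination": the internal host
    new_dport: Optional[int] = None  # "Destination Service"; None = left blank

    def matches(self, p):
        return p.dst == self.traffic_dst and self.dport_lo <= p.dport <= self.dport_hi

    def apply(self, p):
        dport = p.dport if self.new_dport is None else self.new_dport
        return replace(p, dst=self.new_dst, dport=dport)


@dataclass(frozen=True)
class FilterRule:
    dst: str      # internal host, i.e. the post-NAT destination
    dport: int
    action: str = "allow"


DNAT_RULES = [
    DnatRule("Webserver", EXTERNAL, HTTP, HTTP, WEBSERVER),                  # Scenario 1
    DnatRule("RDP_10040 to Exchange Server", EXTERNAL, RDP_10040, RDP_10040,
             EXCHANGE_SERVER, RDP),                                           # Scenario 2
    DnatRule("OWA Access", EXCHANGE_PUBLIC, HTTPS, HTTPS, EXCHANGE_SERVER),   # Scenario 3
    DnatRule("RDP_10040 to Exchange Server", EXCHANGE_PUBLIC, RDP_10040,
             RDP_10040, EXCHANGE_SERVER, RDP),                                # Scenario 4
]
FILTER_RULES = [
    FilterRule(WEBSERVER, HTTP),
    FilterRule(EXCHANGE_SERVER, RDP),
    FilterRule(EXCHANGE_SERVER, HTTPS),
]

# The Netgear how-to's custom service as typed: starting port 1, ending port 3389.
NETGEAR_RANGE = DnatRule("RDP (Netgear custom service)", "123.123.123.123",
                         1, 3389, "192.168.0.100")


def process(p, dnat_rules=DNAT_RULES, filter_rules=FILTER_RULES):
    """Return (verdict, packet_after_nat).

    The first matching DNAT rule rewrites the destination before the packet
    filter runs, which is why the page's filter rules name Webserver or
    Exchange_Server rather than the public address. Anything without an
    explicit allow rule is dropped.
    """
    for rule in dnat_rules:
        if rule.matches(p):
            p = rule.apply(p)
            break
    for rule in filter_rules:
        if rule.dst == p.dst and rule.dport == p.dport:
            return rule.action, p
    return "drop", p


def forwarded_ports(rule):
    """Number of destination ports one DNAT rule exposes on its public address."""
    return rule.dport_hi - rule.dport_lo + 1


if __name__ == "__main__":
    client = "198.51.100.9"   # constructed Internet client
    for pkt in [Packet(client, EXTERNAL, HTTP), Packet(client, EXTERNAL, RDP_10040),
                Packet(client, EXTERNAL, RDP), Packet(client, EXCHANGE_PUBLIC, HTTPS)]:
        print(pkt.dst, pkt.dport, "->", process(pkt))
    print("Netgear custom service forwards", forwarded_ports(NETGEAR_RANGE), "ports")
```

Two things the model makes visible: on the ASG, port 3389 on the primary public address is not reachable even though the Exchange server accepts RDP, because only the RDP_10040 service is translated and nothing else matches a filter rule; and the Netgear custom service as typed (1 to 3389) forwards every port in that range to the workstation, not just RDP, which is worth keeping in mind alongside the warning in that how-to.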

Yigal Behar