This article explains how to set up the Web Application Firewall (WAF) to allow traffic through to Exchange 2016.
Note: Sophos does not officially support Microsoft Exchange 2016 with WAF. Engineers have tested these settings and have verified that the WAF can pass traffic for Exchange 2016 in some basic configurations. Because Exchange 2016 can be configured in a number of different ways, keep in mind that not all setups may work or function as intended. Use the steps below with caution.
Applies to the following Sophos products and versions: Sophos UTM
This article assumes that Exchange 2016 is already working and that DNS is configured to direct to the UTM; see Prerequisites above for more details.
In this section we create two Firewall Profiles, one for Exchange Autodiscover and the other for Exchange Webservices.
Configure the Exchange 2016 Autodiscover profile as shown below:
Skip Filter Rules
Note: When saving this profile, please consider the warning about disabling some of the Skip Filter Rules:
The list of skipped filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall.
Here we create two virtual webservers, one for Autodiscover and one for Webservices.
Create the virtual webserver as shown in this example:
Certain exceptions need to be made in order for Exchange 2016 to function behind the WAF.
Create the exception as shown in this example:
Create the exception as shown in this example: