missing exception

to complete WAF about exchange 2016/2019

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730

following this guide

https://support.sophos.com/support/s/article/KB-000040209?language=en_US

it miss about download.mydomain.com exception, and to SKIP "protocol enforcement"

if you don't select this exception and include the published domain the "download domain" , when you download attachment, this will return a "forbidden ecc" error

see you

Igino Leporati

Top Comments

Rodim Suarez over 3 years ago +1

Hi Igino Leporati , Thank you and we value your feedback towards our goal to improve our documentation. An existing note in the KB states that not all may work according to the steps in the KB because…

Parents

Rodim Suarez over 3 years ago

Hi Igino Leporati,

Thank you and we value your feedback towards our goal to improve our documentation.

An existing note in the KB states that not all may work according to the steps in the KB because MS Exchange can be configured in many different ways.

Note: Sophos does not officially support Microsoft Exchange 2016 with WAF. Engineers have tested these settings and verified that the WAF can pass Exchange 2016 in some basic configurations. Given that Exchange 2016 can be configured in a number of different ways, keep in mind that all setups may not work or function as intended. Use the steps below with caution.

We have added the following note to provide awareness of the vulnerability.

Note:
A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user. Go to Microsoft Exchange Server Spoofing Vulnerability for more information. You may try to add an exception for your specific download domain and skip Protocol Enforcement if you encounter issues with downloading attachments.
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel

Comment

Rodim Suarez over 3 years ago

Hi Igino Leporati,

Thank you and we value your feedback towards our goal to improve our documentation.

An existing note in the KB states that not all may work according to the steps in the KB because MS Exchange can be configured in many different ways.

Note: Sophos does not officially support Microsoft Exchange 2016 with WAF. Engineers have tested these settings and verified that the WAF can pass Exchange 2016 in some basic configurations. Given that Exchange 2016 can be configured in a number of different ways, keep in mind that all setups may not work or function as intended. Use the steps below with caution.

We have added the following note to provide awareness of the vulnerability.

Note:
A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user. Go to Microsoft Exchange Server Spoofing Vulnerability for more information. You may try to add an exception for your specific download domain and skip Protocol Enforcement if you encounter issues with downloading attachments.
- Cancel
- Vote Up +1 Vote Down
- More
- Cancel

Children

Igino Leporati over 3 years ago in reply to Rodim Suarez

i've found another issue

i cannot upload any files >1MB, i have to check these skip , with owa online webpage

are all mandatory, otherwise attachment upload failed, into OWA WAF
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
Igino Leporati over 3 years ago in reply to Igino Leporati

microsoft exchange 2016, CU 22 update 1

15.1.2375.17

see you
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel