Completed (Content Update)

missing exception

Hi,

To complete the WAF for Exchange 2016/2019

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730

Following this guide

https://support.sophos.com/support/s/article/KB-000040209?language=en_US

It is missing the download.mydomain.com exception, and to SKIP "protocol enforcement".

If you don't select this exception and include the published domain, the "download domain", then when you download an attachment, this will return a "forbidden ecc" error.

See you

  • Hi,

    Thank you and we value your feedback towards our goal to improve our documentation.

    An existing note in the KB states that not all may work according to the steps in the KB because MS Exchange can be configured in many different ways. 

    Note: Sophos does not officially support Microsoft Exchange 2016 with WAF. Engineers have tested these settings and verified that the WAF can pass Exchange 2016 in some basic configurations. Given that Exchange 2016 can be configured in a number of different ways, keep in mind that all setups may not work or function as intended. Use the steps below with caution.

     

    We have added the following note to provide awareness of the vulnerability.

    Note:
    A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user. Go to Microsoft Exchange Server Spoofing Vulnerability for more information. You may try to add an exception for your specific download domain and skip Protocol Enforcement if you encounter issues with downloading attachments.

  • I've found another issue.

    I cannot upload any files >1MB; I have to check these skips, with the OWA online webpage.

    All are mandatory, otherwise attachment upload fails in the OWA WAF.

  • Microsoft Exchange 2016, CU 22 update 1

    15.1.2375.17

    See you
