Many WAF errors [security2:error] and no sync from iPhones

Hello Sophos Community,


I am actually facing the issue that Samsung smartphones are synchronising perfectly through the WAF with my Exchange server, but iPhones won't work.


In the WAF log there is an entry showing the following error:

2019:02:13-12:46:12 myutm httpd[31818]: [security2:error] [pid 31818:tid 4127116144] [client sourceip:50693] [client sourceip] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "destinationurl"] [uri "/mapi/emsmdb/"] [unique_id "XGQDhMCosQEAAHxKV3kAAAAA"]
2019:02:13-12:46:12 myutm httpd: id="0299" srcip="sourceip" localip="192.168.177.1" size="0" user="-" host="sourceip" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" time="34287" url="/mapi/emsmdb/" server="destinationurl" port="443" query="?MailboxId=58293306-49ed-4ae5-8ff4-21a2a2dcbd40@domain.com" referer="-" cookie="MapiContext=MAPIAAAAAOy/7L7orfXF9Nfl1eTd8MDy3+7f/838xvXB+8j8poW0jLyNtIa0hrSHOBMAAAAAAAA=;MapiRouting=UlVNOjQ4YzgwOGY0LTY1MDQtNGM5NS04MzQ1LTU0MDEzODE5MDZkNDrlxH/RqJHWCA==;MapiSequence=41-drpENg==;X-BackEndCookie=58296706-49ed-4ae5-8ff5-21a2a2dcbd40=u56Lnp2ejJqByMmbz87Ny8fSz8vNm9LLxpnO0p6dx53SnMvHmZnIx87Iy8zHgYHNz87G0s/M0s7Kq87OxcvKxcrI" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XGQDhMCosQEAAHxKV3kAAAAA"


Does anybody have an idea what that error means and how to get rid of it?


Thank you and best regards,

Johnny


Edit: I just wanted to add that the iPhone sync was running for a couple of years without a problem. If the iPhones are connected to the company Wi-Fi (no Sophos between the phones and Exchange), the sync works. BUT: even with the Outlook app for iPhone, the sync works outside the company Wi-Fi. Very strange.

  • Hello Johnny,

    What does Sophos Support say about this?

    Cheers - Bob

  • We have Exchange and ActiveSync mostly working with the WAF, but my logs are super noisy with these messages (>12,000 per day).

    2020:01:29-11:20:12 {redacted} httpd[32512]: [security2:error] [pid 32512:tid 4068469616] [client {redacted}] [client {redacted}] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "{redacted}"] [uri "/mapi/emsmdb/"] [unique_id "{redacted}"]

    I would love to eliminate this, as I believe it is causing performance issues in our environment.


    For Johnny, have you read through these:

    https://community.sophos.com/kb/en-us/131787

    https://networkguy.de/secure-exchange-webservices-with-sophos-utm-waf/ (in German, but Google/Chrome translates it pretty well.)
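    The two line formats quoted above (Johnny's original pair and the noisy `[security2:error]` entries in this reply) can be correlated, because the `[unique_id "..."]` tag of the ModSecurity line equals the `uid="..."` field of the access-log line that follows it. The Python script below is an added example and not code from the thread or from Sophos: it parses both formats, joins them on that id, counts events per verdict, rule id and URI, and reports what share of the rule events were `Access allowed` (informational, nothing blocked) rather than `Access denied`. The sample lines are constructed after the quoted ones; hosts, IPs, the second `unique_id`, the rule id `CONSTRUCTED-ID` and its base.conf line number are placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the two line formats quoted in the thread.
# Hosts, IPs, the second unique_id, the rule id "CONSTRUCTED-ID" and its
# base.conf line number are placeholders, not values from the original posts.
SAMPLE_LOG = r'''
2019:02:13-12:46:12 myutm httpd[31818]: [security2:error] [pid 31818:tid 4127116144] [client 198.51.100.7:50693] [client 198.51.100.7] ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file "/usr/apache/conf/waf/base.conf"] [line "14"] [id "900000"] [hostname "mail.example.test"] [uri "/mapi/emsmdb/"] [unique_id "XGQDhMCosQEAAHxKV3kAAAAA"]
2019:02:13-12:46:12 myutm httpd: id="0299" srcip="198.51.100.7" localip="192.168.177.1" size="0" user="-" host="198.51.100.7" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipAntiVirus" time="34287" url="/mapi/emsmdb/" server="mail.example.test" port="443" query="?MailboxId=PLACEHOLDER@example.test" referer="-" cookie="-" set-cookie="-" uid="XGQDhMCosQEAAHxKV3kAAAAA"
2019:02:13-12:47:01 myutm httpd[31818]: [security2:error] [pid 31818:tid 4127116144] [client 198.51.100.9:51001] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Constructed pattern match at ARGS. [file "/usr/apache/conf/waf/base.conf"] [line "40"] [id "CONSTRUCTED-ID"] [hostname "mail.example.test"] [uri "/owa/"] [unique_id "CONSTRUCTED0000000000002"]
2019:02:13-12:47:01 myutm httpd: id="0299" srcip="198.51.100.9" localip="192.168.177.1" size="0" user="-" host="198.51.100.9" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" time="120" url="/owa/" server="mail.example.test" port="443" query="-" referer="-" cookie="-" set-cookie="-" uid="CONSTRUCTED0000000000002"
'''

# The ModSecurity line: verdict, phase, free-text message, then bracketed tags.
MODSEC_RE = re.compile(
    r'\[security2:error\] .*?ModSecurity: Access (?P<action>allowed|denied)'
    r'[^(]*\((?P<phase>phase \d+)\)\. (?P<msg>.*?) \[file "(?P<file>[^"]*)"\]'
    r' \[line "(?P<line>[^"]*)"\] \[id "(?P<id>[^"]*)"\]'
    r'(?: \[hostname "(?P<hostname>[^"]*)"\])?(?: \[uri "(?P<uri>[^"]*)"\])?'
    r' \[unique_id "(?P<unique_id>[^"]*)"\]'
)

# The UTM access line: a flat sequence of key="value" pairs.
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Classify one log line as ('modsec', fields), ('access', fields) or None."""
    if '[security2:error]' in line:
        m = MODSEC_RE.search(line)
        return ('modsec', m.groupdict()) if m else None
    if ' httpd: ' in line:
        fields = dict(KV_RE.findall(line))
        return ('access', fields) if 'uid' in fields else None
    return None


def triage(log_text):
    """Join rule events to their access record via unique_id == uid and
    count events per (action, rule id, uri).

    Returns (counts, joined): counts is a Counter keyed by that triple;
    joined is the list of rule events enriched with the HTTP status code
    and the exception profile of the request they belong to.
    """
    events, access = [], {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        kind, fields = parsed
        if kind == 'modsec':
            events.append(fields)
        else:
            access[fields['uid']] = fields
    counts = Counter()
    joined = []
    for ev in events:
        rec = access.get(ev['unique_id'], {})
        counts[(ev['action'], ev['id'], ev['uri'])] += 1
        joined.append({**ev,
                       'statuscode': rec.get('statuscode', '?'),
                       'exceptions': rec.get('exceptions', '-')})
    return counts, joined


def allowed_fraction(counts):
    """Share of rule events that did not block anything ('Access allowed')."""
    total = sum(counts.values())
    allowed = sum(n for (action, _, _), n in counts.items() if action == 'allowed')
    return allowed / total if total else 0.0


if __name__ == '__main__':
    counts, joined = triage(SAMPLE_LOG)
    for (action, rule_id, uri), n in counts.most_common():
        print(f'{n:6d}  {action:8s} id={rule_id} uri={uri}')
    for ev in joined:
        print(f"{ev['unique_id']}: {ev['action']} by rule {ev['id']} "
              f"({ev['file']}:{ev['line']}), HTTP {ev['statuscode']}, "
              f"exceptions={ev['exceptions']}")
    print(f'allowed share: {allowed_fraction(counts):.0%}')
```

    Run against a day of the UTM's WAF log, the per-rule counts make it obvious whether the 12,000 entries are one informational rule firing on every `/mapi/emsmdb/` request (`Access allowed`, rule id 900000 at base.conf line 14, as in the quoted lines) or real blocks. The join also shows that the `401` in Johnny's access line sits next to an `Access allowed` verdict, so that status did not come from a ModSecurity block; whatever answered the request after the WAF let it through returned it.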

  • Hi Johnny,

    Did you consider that iOS also has bugs in the ActiveSync protocol from time to time? Did your problem start after a certain iOS update? Does the behavior differ between iOS versions?

    Best regards

    Alex

  • In reply to Alexander Busch:

    Hi everyone,


    Since this thread is nearly a year old, I was able to fix that issue in the meantime.

    The customer was always against Autodiscover and therefore a fan of "security through obscurity".

    But after I configured Autodiscover for that customer, the iPhones started syncing again right away.

    I don't know why, but it seems that they don't work with Exchange without Autodiscover anymore.


    Best regards,

    Johnny