I have just deployed a personal Exchange 2019 setup for myself and published it through the XG WAF, and had some trouble getting it to work on a clean setup through the pre-configured templates. Now, I'm not an Exchange engineer by any means, so a lot of my Exchange configuration is surface knowledge and extrapolation from the variety of guides out there. But when I set up the templates I ran into two issues preventing proper WAF setup and stopping the Microsoft Remote Connectivity Analyzer (MRCA) from giving me the endorphin hit of green ticks across the board.
Firstly, I encountered an issue in two areas and they were:
Firstly, some notes on the build:
On a clean Destination NAT on HTTP/HTTPS to the Exchange server, it is a clean pass from the MRCA.
Regarding the MAPI error, I noted that the connectivity analyzer was trying to reach a site path with:
[Wed Apr 8 15:10:02.359432 2020] timestamp="1586355002" srcip="184.108.40.206" localip="x.x.x.x" user="-" method="POST" statuscode="404" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardeningMissingToken" duration="1752" url="/mapi/emsmdb/" server="webmail.domain.blah" referer="-" cookie="-" set-cookie="-" recvbytes="659" sentbytes="4402" protocol="HTTP/1.1" ctype="text/html" uagent="Microsoft Office/15.0 (Windows NT 6.2; Microsoft Outlook 15.0.4615; Pro; MS Connectivity Analyzer)" querystring="?MailboxIdfirstname.lastname@example.org" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="6"
And on the MRCA:
Testing HTTP Authentication Methods for URL webmail.domain.blah/.../
The HTTP authentication test failed.
Additional Details
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
HTTP Response Headers:
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 08 Apr 2020 15:33:10 GMT
Server: Apache
Elapsed Time: 102 ms.
I tested the following in various permutations until finally all 3 elements were needed to make this work (/MAPI may not be required, but I added it anyway for consistency).
So I added to the webmail WAF profile in the site paths /mapi and /MAPI as site paths pointed to my Exchange, added to the exceptions with /mapi/* and /MAPI/* alongside "/owa/*,/OWA/*,/ews/*,/EWS/*,/ecp/*,/ECP/*,/oab/*,/OAB/*,/oma/*,/OMA/*,/Microsoft-Server-ActiveSync?". I also had to edit the "Exchange General" protection profile to add /mapi and /MAPI to the Static URL hardening entry urls, screenshots below:
Entry into site path routing on the rule:
Entry into the exceptions for the rule:
Static URL Hardening entries for the Exchange General:
This resolved the MAPI authentication issue but then I received the following error post this being fixed on the MRCA:
"Attempting to ping RPC proxy oa.domain.blah.
RPC Proxy can't be pinged.
Additional Details
An unexpected network-level exception was encountered.
Exception details:
Message: The remote server returned an error: (405) Method Not Allowed.
Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
Stack trace:
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (405) Method Not Allowed.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
Elapsed Time: 115 ms."
Looking in the WAF log, this shows up:
[Wed Apr 8 14:34:10.425381 2020] timestamp="1586352850" srcip="220.127.116.11" localip="x.x.x.x" user="-" method="RPC_IN_DATA" statuscode="405" reason="-" extra="-" exceptions="-" duration="231" url="/Rpc/RpcProxy.dll" server="oa.domain.blah" referer="-" cookie="-" set-cookie="-" recvbytes="589" sentbytes="4432" protocol="HTTP/1.1" ctype="text/html" uagent="MSRPC" querystring="?email@example.com:6001" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="7"
To resolve this, I modified my rule that was using the Exchange Outlook Anywhere for /rpc & /RPC and added /Rpc to Exceptions, Site Path Routing and the Static URL Hardening in the Exchange Outlook Anywhere Profile. It was very odd and I checked IIS and lo and behold all references to RPC were in /Rpc. Now, I've not deployed many Exchange installations (one before and this being the second) but have done many WAF configurations and they are all either "/rpc" or "/RPC". Screenshots below:
Rpc Site-Path Routing addition
Exchange Outlook Anywhere Protection policy:
Now, I strongly suspect there is no further requirement for the old /rpc and /RPC, as doing some further reading led me to these articles (available at time of writing, 2020-04-08): https://cdn2.hubspot.net/hubfs/38080/Understand%20how%20MAPI%20over%20HTTP%20is%20changing%20your%20Outlook%20.pdf
The need for the MAPI in Exchange General and the adjustment to the RPC site path for the Outlook Anywhere seems to be directly related to the replacement/migration to MAPI-over-HTTP instead of RPC-over-HTTP.
I may test the removal of /rpc and /RPC at a later date but after a lot of pain, sleeping dogs and all that. I will be reporting this to Sophos Support shortly to highlight as there may need to be a new Exchange 2019 template added to the XG.
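The two WAF log lines quoted above (the 404 on /mapi/emsmdb/ and the 405 on /Rpc/RpcProxy.dll) can be triaged automatically: the script below, an added example and not part of the original post or any Sophos tool, parses the key="value" log format, collects 404/405 hits whose URL prefix is not covered by any configured site path, and flags the case where an entry such as /rpc matches only when case is ignored. The log lines, hostnames and the CONFIGURED_PATHS list are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the same key="value" layout as the WAF log
# entries quoted in the post (IPs and hostnames are placeholders).
SAMPLE_LOG = '''
[Wed Apr 8 15:10:02.359432 2020] timestamp="1586355002" srcip="192.0.2.10" localip="x.x.x.x" user="-" method="POST" statuscode="404" url="/mapi/emsmdb/" server="webmail.example.test" uagent="MS Connectivity Analyzer" ruleid="6"
[Wed Apr 8 14:34:10.425381 2020] timestamp="1586352850" srcip="192.0.2.11" localip="x.x.x.x" user="-" method="RPC_IN_DATA" statuscode="405" url="/Rpc/RpcProxy.dll" server="oa.example.test" uagent="MSRPC" ruleid="7"
[Wed Apr 8 14:35:00.000000 2020] timestamp="1586352900" srcip="192.0.2.12" localip="x.x.x.x" user="-" method="GET" statuscode="200" url="/owa/auth/logon.aspx" server="webmail.example.test" uagent="Mozilla/5.0" ruleid="6"
'''

# Site paths on a hypothetical rule before the fix in the post: /rpc and /RPC
# are present, /Rpc and /mapi are not.
CONFIGURED_PATHS = ["/rpc", "/RPC", "/owa", "/OWA", "/ews", "/EWS", "/ecp", "/ECP"]

KV_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')

def parse_line(line: str) -> Dict[str, str]:
    """Return the key/value pairs of one WAF log line as a dict."""
    return dict(KV_RE.findall(line))

def matching_path(url: str, paths: List[str]) -> Optional[str]:
    """Exact, case-sensitive prefix match, as site-path routing applies it."""
    for p in paths:
        if url == p or url.startswith(p + "/"):
            return p
    return None

def case_only_mismatch(url: str, paths: List[str]) -> Optional[str]:
    """Return a configured path that would match only if case were ignored."""
    lo = url.lower()
    for p in paths:
        if lo == p.lower() or lo.startswith(p.lower() + "/"):
            return p
    return None

def find_unrouted(log: str, paths: List[str]) -> List[Dict[str, str]]:
    """Collect 404/405 hits whose first path segment has no site-path entry."""
    findings = []
    for raw in log.strip().splitlines():
        rec = parse_line(raw)
        if rec.get("statuscode") not in ("404", "405"):
            continue
        url = rec.get("url", "")
        if matching_path(url, paths):
            continue  # routed, so the error came from the backend, not the WAF
        findings.append({
            "url": url,
            "method": rec.get("method", ""),
            "status": rec.get("statuscode", ""),
            "suggested_path": "/" + url.lstrip("/").split("/")[0],
            "case_variant_of": case_only_mismatch(url, paths) or "",
        })
    return findings
```

Each finding's suggested_path is the entry to add to site-path routing, exceptions and static URL hardening; a non-empty case_variant_of means an existing entry differs only in case, which is exactly the /Rpc versus /rpc situation in the post.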