This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SFOS 18 WAF for OWA Exchange 2016/2019

Related KBA Link:


I've tried implementing WAF for an Exchange 2016 and an Exchange 2019 on an XG with SFOS 18.0.4

I've used the configuration from Frankys Website, which is usually a highly reliable source of good advice.

www.frankysweb.de/.../

Unfortunately it doesn't seem to be working at all. 

Even lowering the protection level in the WAF Policy to "Level 1" - as some of the postings in the Frankys Website suggest - doesn't work.

The big stumbling block appears to be the URL Hardening part of the WAF policy. I always get an error for URL hardening "No signature found"

Here the LOG entries from the "REVERSEPROXY.LOG" for an Exchange 2016 (all entries have been redacted to remove IP addresses and Server Names)

[Sat Mar 20 16:26:12.984439 2021] timestamp="1616253972" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" duration="44627" url="/owa" server="email.A-MAILSERVER.de" referer="-" cookie="-" set-cookie="-" recvbytes="1030" sentbytes="6549" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="3"
[Sat Mar 20 16:26:13.064765 2021] timestamp="1616253973" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" duration="27573" url="/owa/auth/logon.aspx" server="email.A-MAILSERVER.de" referer="-" cookie="-" set-cookie="-" recvbytes="494" sentbytes="9958" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" querystring="?url=https%3a%2f%2femail.A-MAILSERVER.de%2fowa&reason=0" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="3"
[Sat Mar 20 16:26:13.144164 2021] [url_hardening:error] [pid 19228:tid 140567958685440] [client AAA.BBB.CCC.DDD:57146] No signature found, URI: email.A-MAILSERVER.de/.../logon.aspx, referer: email.A-MAILSERVER.de/.../logon.aspx
[Sat Mar 20 16:26:13.142495 2021] timestamp="1616253973" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="GET" statuscode="403" reason="Static URL Hardening" extra="No signature found" exceptions="-" duration="7128" url="/owa/auth/logon.aspx" server="email.A-MAILSERVER.de" referer="">email.A-MAILSERVER.de/.../logon.aspx cookie="-" set-cookie="-" recvbytes="601" sentbytes="537" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0" querystring="?replaceCurrent=1&url=https%3a%2f%2femail.A-MAILSERVER.de%2fowa" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="3"

And here the same logs for an Exchange 2019 Cluster

[Mon Mar 22 09:59:35.705039 2021] timestamp="1616403575" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" duration="65485" url="/owa/auth/logon.aspx" server="mail.B-MAILSERVER.de" referer="-" cookie="-" set-cookie="-" recvbytes="728" sentbytes="9695" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57" querystring="?url=https%3a%2f%2fmail.B-MAILSERVER.de%2fowa&reason=0" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="6"
[Mon Mar 22 09:59:35.873101 2021] [url_hardening:error] [pid 2185:tid 140147366541056] [client AAA.BBB.CCC.DDD:56465] No signature found, URI: mail.B-MAILSERVER.de/.../logon.aspx, referer: mail.B-MAILSERVER.de/.../logon.aspx
[Mon Mar 22 09:59:35.871851 2021] timestamp="1616403575" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="GET" statuscode="403" reason="Static URL Hardening" extra="No signature found" exceptions="-" duration="5983" url="/owa/auth/logon.aspx" server="mail.B-MAILSERVER.de" referer="">mail.B-MAILSERVER.de/.../logon.aspx cookie="-" set-cookie="-" recvbytes="818" sentbytes="537" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57" querystring="?replaceCurrent=1&url=https%3a%2f%2fmail.B-MAILSERVER.de%2fowa" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="6"
[Mon Mar 22 09:59:35.940898 2021] [url_hardening:warn] [pid 2185:tid 140147366541056] [client AAA.BBB.CCC.DDD:56465] No signature found in Referer: mail.B-MAILSERVER.de/.../logon.aspx, referer: mail.B-MAILSERVER.de/.../logon.aspx
[Mon Mar 22 09:59:35.940989 2021] [url_hardening:error] [pid 2185:tid 140147366541056] [client AAA.BBB.CCC.DDD:56465] No signature found, URI: mail.B-MAILSERVER.de/favicon.ico, referer: mail.B-MAILSERVER.de/.../logon.aspx
[Mon Mar 22 09:59:35.939495 2021] timestamp="1616403575" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="GET" statuscode="403" reason="Static URL Hardening" extra="No signature found" exceptions="-" duration="5186" url="/favicon.ico" server="mail.B-MAILSERVER.de" referer="">mail.B-MAILSERVER.de/.../logon.aspx cookie="-" set-cookie="-" recvbytes="617" sentbytes="533" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="6"
[Mon Mar 22 09:59:55.561050 2021] timestamp="1616403595" srcip="AAA.BBB.CCC.DDD" localip="XXX.YYY.WWW.ZZZ" user="-" method="-" statuscode="408" reason="-" extra="-" exceptions="-" duration="22" url="-" server="-" referer="-" cookie="-" set-cookie="-" recvbytes="568" sentbytes="152" protocol="HTTP/1.0" ctype="-" uagent="-" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="-"

The errors are exactly the same.

I've tried including the "/owa/auth" and "/owa/auth/logon.aspx" to the URL entries in the URL hardening, but to no avail.

And this is just OWA.

I haven't even started trying and testing autodiscover, MAPI-over-HTTPS or ActiveSync yet.
One error-sour e at a time :-)



added KB link
[edited by: FloSupport at 3:46 PM (GMT -7) on 30 Sep 2021]
[edited by: FloSupport at 3:46 PM (GMT -7) on 30 Sep 2021]
  • FormerMember
    0 FormerMember 6 months ago

    Hi ,

    Thanks for reaching out to the Community! 

    The log entry "reason="Static URL Hardening" extra="No signature found"" suggests that static URL hardening is turned on,  and the entries for the URL path becomes case sensitive. Can you confirm if the users are trying to connect to the correct URL? 

    You could try to skip the static URL hardening from the firewall rule by adding an exception. Could you try to add the following entries and see if that helps? 

    • /owa/auth/logon.aspx?*
    • /owa/auth/*

    Thanks,

  • Hi H_Patel,

    thanks for the answer.

    Unfortunately it desn't seem to be working.

    I've tried including all the possible entries into the exclusion.
    At the end I had an exclusion with all the following paths.

    • /owa
    • /owa/
    • /OWA
    • /OWA/
    • /owa/auth
    • /owa/auth/
    • /owa/auth/logon.aspx
    • /owa/auth/logon.aspx?
    • /owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.ANYMAILSERVER.de%2fowa%2f

    The last one is the exact replacement the server does on opening the root or /owa path.

    I've also checked all the exclusion options except "Antivirus" and "Bad Reputation Clients"

    Still nothing. I still get the same URL Hardening error.

    My question here is also: am I the only one having a hard time protecting an Exchange server behind an XG WAF?

    I've tried three different servers (2013/2016/2019) and on all I get the same errors. 

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • FormerMember
    0 FormerMember 6 months ago in reply to AlexanderPoettinger

    Hi ,

    Thank you for the update. For testing, what if you turn off static URL hardening? Does it work? 

    Thanks,

  • Hi H_Patel,

    yes, the moment I switch URL Hardening off, I can open OWA...QED.

    No luck there. Unfortunately URL hardening is extremely important in an Exchange enviroment.
    Hafnium has proven that very strongly.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • I've also tried on an Exchange 2013 a another site through another XG with SFOS 18.0.4.
    Same result

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • __________________________________________________________________________________________________________________

  • Had already tried with exceptions from that Frankys web entry.
    Unfortunaltely it doesn't work.

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Can you link your config in screenshots? Because the OWA will do a redirect to the FORM based auth page. 

    __________________________________________________________________________________________________________________

  • I tried working around with the exception as in your link from Frankys.
    The "never change..." is not enough.
    The entire "URL Hardening" has to be deactivated from the OWA paths.
    Which unfortunately beats one of the most important tools in the protection to one very public entry point to Exchange.

    Here the setting, that did the trick:

    I tried narrowing down the paths for the exception but unfortunately only by putting the entire "OWA" paths in the exception does it work correctly.

    In any case this setting works for Exchange 2013/2016/2019

    Now I'm ging to try the next steps:

    • Autodiscover
    • ActiveSync
    • MAPI

    The work has just began :-)

    Alexander Poettinger

    Sophos Certified Architect - XG
    Sophos Certified Technician - XG
    Sophos Certified Engineer - UTM

    xame gmbh
    Sophos Gold Partner

  • Actually do you use Form Authentication for OWA? 

    Because OWA should use a redirect to the Form based Auth first. I am using a OWA behind XG without this exception and working URL harding. 

    __________________________________________________________________________________________________________________