Exchange 2019 and WAF configuration - how to get ActiveSync working ?

Nothing ? Really ?
Again "lost in space" with XG ?

There are German external Posts about how to integrate this: https://www.frankysweb.de/sophos-xg-18-webserver-protection-und-exchange-2019/

Simply use MAPI and the predefined Policies, should work. 

Contact your Sophos Partner to get assistance for the configuration. 

On the other hand, maybe its time to look at O365 / Exchange Online for certain reasons. See the vulnerabilities coming up in Exchange on Prem,. 

Dear Toni,

thanks for the fast reply but the configuration recommended by you doesn't work.
This has been reported at least two times.

There have been some requests in the community, referring to this issue.
See here: https://community.sophos.com/sophos-xg-firewall/f/discussions/126770/sfos-18-waf-for-owa-exchange-2016-2019
and here: https://community.sophos.com/sophos-xg-firewall/f/discussions/127019/waf-with-exchange-2019-activesync-does-not-work
No solution was found and both discussions were closed.

Which is exactly the reason for my post.
In business environments an Exchange is pretty common.
Thus it would be helpful to
- resolve a known issue
- provide a KB article about best practice as there has been in the past

Especially in times of Hafnium and other security breaches, I prefer to have the strictest configuration possible.
And who else but the maintainer of the product cann tell, how to acheive this.
Thus I kindly ask for some assistance of the Sophos Team on this topic.

Best Regards
ranX

First of all, if you are concerned about Security (which you should) the better approach is to migrate to a hosted service like Microsoft Online. Simply because you cannot keep up with the up2date processes nowadays anymore. Weekly critical security vulnerabilities on Exchange seems to be a good indicator to move to a more stable platform. 

If you want to integrate a WAF with Exchange and it does not work, you should consider to contact a Sophos Partner or Sophos professional service. They can help you with the configuration and can figure out, if it is not supported anymore or if there is an issue. https://www.sophos.com/en-us/support/professional-services.aspx

Most of my customers in Germany migrate to O365 because of the security concerns and because they are not able to keep the exchange up to date anymore. 

To integrate a WAF with Exchange is a standard task,
so your company should still be able to provide guidelines about how to do it.
It was possible with UTM; why not with XG ?

Why should I contact a Sophos Partner ?
The first unanswered post: https://community.sophos.com/sophos-xg-firewall/f/discussions/126770/sfos-18-waf-for-owa-exchange-2016-2019
was opened by a Sophos Gold Partner, certified as XG Architect and Technician.
I bet, he had a similar customer request.
Even that guy wasn't able to resolve the issues and ended up here with no help.

By the way:
I did not ask for pros and cons of O365 versus self hosted on premise Exchange.
I asked for a technical advice and that's what I still hope to get here.

Doesn't Sophos have the expertise any more, to publish a direction like this
https://support.sophos.com/support/s/article/KB-000038003?language=en_US for their recent products ?

Best Regards
ranX

Hi RanX,

In regards to your suggestion about an XG-version of KB-000038003, here's the related KB:

• Sophos Firewall: Web Application Firewall for Exchange 2016

As well, here are related Product Documentation links to also reference:

• https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/FirewallWAFRules.html
• https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContent/WAFProtectWebServerAgainstAttacks.html 

Please note our Product Documentation Community group where you can provide feedback and suggestions to the team as well. 

Hi Flo,

at first thank you and your team for the reply and the fast publication of the KB article !
The more I'm sorry to say, there is some mistake in the proposed configuration.

I first created the rules as shown and then triple checked them before activation.
When activated, I'm not able to fetch mails on my mobile any more (iPhone with latest iOS) .
I receive the message, no contact to the server could be established.

When I checked the XG log first, I saw, that my phone's IP (german Telekom range) was blocked because of bad reputation.
So I disabled the reputation check in the respective policy.
Afterwards I did a relogin at my mobile network, to receive a different external IP.
Then I tried again but received the same message.

This time the log showed "Inbound anomaly score exceeded" for the reason of WAF Anomaly on the folder /Microsoft-Server-ActiveSync..

Thus I switched back to my working configuration, where only the sending of email attachments fails.

So I kindly ask your engineers, to re-check the published KB article.

About LuCar Toni's comment, to switch to O365 Exchange Online:
This is not an option because, I only replace one evil with another.
GDPR does not allow to use a hosting service, which is subjected to american regulations.
So I simply can't do this without getting in conflict with our law.

Best Regards

ranX

Just wondering, which law and country does restrict/prevent you from using O365? Just curious.

GDPR is mandatory all over Europe:
see https://gdpr.eu/

Here some more information about the impact on O365.
https://www.mondaq.com/germany/privacy-protection/1081800/eu-data-protection-officer-initiates-proceedings-against-institutions-of-the-european-union-for-using-amazon-aws-and-microsoft-office-365

To put it short:
In Europe you are not allowed to transfer your data to a country, which doesn't respect privacy and has the option to access personal data.
The US government forces all US companies, to give access on demand.
Thus the use of hosted services, which process personal data, like email in Exchange online, is not legal for a european company.

GDPR is mandatory all over Europe:
see https://gdpr.eu/

Here some more information about the impact on O365.
https://www.mondaq.com/germany/privacy-protection/1081800/eu-data-protection-officer-initiates-proceedings-against-institutions-of-the-european-union-for-using-amazon-aws-and-microsoft-office-365

To put it short:
In Europe you are not allowed to transfer your data to a country, which doesn't respect privacy and has the option to access personal data.
The US government forces all US companies, to give access on demand.
Thus the use of hosted services, which process personal data, like email in Exchange online, is not legal for a european company.

That would mean, O365 is actually 0 use cases and customers, but Microsoft reports XXX % Revenue increase per year. 

So how can they use O365, if this is not legally possible? I am just curious. Are all those customers simply ignoring the GDPR? Can i sue all O365 customers based on GDPR? Why is this not going on right now? I am just wondering. 

@ Toni:

Yes, all european customers using Exchange online do ignore GDPR.
Depending on the country, where you live, some authorities are strict, some don't care and I think some european countries don't even know, they're subjected to this ...

In Germany, they are pretty strict and it can become expensive.
It's pretty new and not widely known, that german courts started to make decisions against O365.

A short time ago, I took part in an online security workshop with a bunch of professionals.
One provider told, that a number of customers went to Exchange online after the Hafnium desaster.
And he pointed out, this was no wise decision, because they simply switched from one "unsafe playground" to another.

If you like to, you will be able to successfully sue O365 customers, as soon, as they decide to process personal data on Microsoft O365 services like Exchange online..
And e-mails are definetly persional data --> https://www.gdpreu.org/the-regulation/key-concepts/personal-data/

@Flo:

to keep the focus on the original topic, I remind you, the KB contains some error, as I cannot connect to ActiveSync, when applying the rules as suggested.
The clients get blocked because of bad reputation; when disabling the check, I receive WAF anomaly errors.
Any help on resolving this is highly appreciated.

Best Regards
ranX

I understand this, and i am coming from Germany as well, but the pure number of customers using Exchange online in Germany (even in the public sector) is stunning to me, if your case is correct. Because there are certain lawyers out there, using such grounds to sue every company (see Uploadfilter policies and German Copyright). I dont understand, why they do not start to sue every company based on GPDR, if its easy to win? 

I am not here to bring arguments for or against Microsoft Cloud, but i am just curious. There are to many customers, like you said, ignore GDPR. And this does not make sense to me. Especially as i know plenty of public (government) customers using O365. 

Microsoft came recently with a 90 Day plan to cover GDPR concerns. https://docs.microsoft.com/de-de/compliance/regulatory/gdpr-action-plan

My question would be, what is worse: Leaking all Emails cause of vulnerabilities, which are clearly in weekly cycle on Exchange on Prem, or a stable version, hosted by Microsoft? 

About your first request:
The intention of GDPR is, to protect the single individual from misuse of it's personal data.
A third person (e.g. a "lawyer") is not able to charge you money, when you or your company violates GDPR.
So they cannot earn any money on this, like it was the case with copyright infringment.

The only party getting money, are the authorities supervising GDPR.
Just like the street authorities, charging you for speeding or parking tickets.
So it's the same principle: many go too fast or park at the wrong place - but as controlling personnel is limited by far not all of them are caught.
But still the most of us agree, it's a reasonable behaviour, to keep an eye on the pace most of the time.

GDPR is realtively new; so there is little common experience and lots of confusion.
And for a long time there had been no court decisions.
In this vacuum many customers started with O365.

But there were also many, that were aware, they couldn't make legal use of O365, the way, it is designed now.
Those asked MS to provide a GDPR compliant solution.
Therefore MS published this "pseudo" guideline.
"Pseudo" because ist doesn't name a solution to the most crucial point:
all data is processed on MS systems, which can be accessed by US government authorities.
As long as these have access, O365 will not be GDPR compliant.

From admin sight there's no good solution:
- Exchange on prem is unsafe, due to missing updates
- Exchange online is also no good advice because of missing GDPR compliance

Possible workarounds:
- to stop publishing the on prem Webservices use VPN as entrypoint
- switch to other mailservice+groupware, which has less known vulnerabilities

I cannot comment on such topics, as i am not a IT lawyer nor have the experiences. I just acknowledge the big movement to O365 and still consider this to be a valid path, even for GDPR concerns. But this is something, which needs to be discussed in different forms on different levels. 

As LuCar Toni pointed out it is a HUGE security risk at the moment to be running Exchange on premise with WAF. I butt out of the GDPR discussion but IMHO opinion at the moment MS is doing a very poor job at protecting on premise Exchange servers against hackers of which some are on the pay roll of countries wanting to undermine the west. You don't live under a stone so you have knowledge of the flood of ransomware attacks going on and the vulnerabilities in Exchange. Yes, IMHO MS wants us all to move to MS online. Have a look at what they are trying with Office. 2019 is probably the last perpetual version you can buy. 

So if you are adamant about using on premise Exchange, switch to Sophos Mobile with Secure Email Client for IOS and put the Exchange behind the Sophos EASproxy and configure it to only allow known clients and select Sophos Secure Email Client as the allowed client. 

Never allow OWA or ECP through WAF!

just my 0,02.

At the time i was asking for Exchange 2019/WAF documentation, there was no word about Sophos Professional Services.
Even Exchange 2019 was unknown to Sophos support (in 2020)...
Even Germany Support was closed at all.

I know, Exchange behind a WAF is a huge risk, but still better than no WAF at all.

But i think a "good" Firewall might be some sort of help.

But with Firewall Rules for Windows 2008 R2, SharePoint 2010 ... and old stuff like that, Sophos is not the firewall i see here.

At least Sophos should have some uptodate of documentation for current Products.

Microsoft is selling Office 2021

Related to your Product Documentation feedback, I would advise raising any content suggestions you have, on our Product Documentation Community group.

Good Moning @ all,

returning to the desk this morning, I was pretty surprised, to find a number of answers on my topic.
I'm awfully sorry to say, I have to agree with Jürgen.

Sophos advertises the WAF as special feature.
But when it comes to putting this to use, you're left in the dark.
The above post of Flo is a good example of this attitude towards customers.

In the past there was always updated documentation about common use cases of these features.
There was no need to specifically ask for it.
Now theres only outdated documentation and for a Sophos customer it's a hard struggle, to get information.

About this very topic "WAF for Exchange 2019" there have been at least two requests at this board some time ago.
This is the first one who triggered at least a bit of a result.
To be true, this kind of result frightens me more than a bit.
Take a closer look at it:

In the first, I had to be the "awkward customer" to make Sophos come up with a documentation.
(to be true, I was surprised, they did this at all ...)
Then I had to find, the settings given in this documentation were not thoroughly tested, as they did not work.
After reporting this, Sophos themselves did not know how to resolve the issue (strange enough, isn't it ??!)
So they passed it over to Convergent.
Bruce found the root cause, but pointed out, he did not know, what impact the skipped rule (920420) would have.
No explanation from the Sophos' side on this ...

As they are the "manufacturer" it should be a breeze for them to give profound advice.
Instead the overall impression: even on the Sophos side there's little knowledge about the own product.

And this is, what frightens me - at least as much as Microsoft not fixing their security breaches ...

Best Regards
ranX

I can only point to professional service about this. Because its a third party integration. The Change of the way Exchange works in the last years is the reason for changing the behavior of WAF in the first place. They moved from RPC to MAPI. 

And to be clear: Sophos Support is to work on Bug within the product, not configuration. This means, if you have a setup running, and notice behavior changes etc, this is a topic to go to Sophos Support. If you call for "how to install this product" this is not covered by Sophos Support. 

The installation is usually done by the Sophos Partner or the Sophos Professional Service. And i did not notice any issues with Partners coming up to me integrating this. If this is a pretty usual use case, it seems to work for most partners to integrate this. 

The WAF itself works fine and does what it should do. The integration with third party seems to be the issue here. Sophos would have to host and maintain such configuration them self to address those configuration in a secure manner. If the documentation, which Sophos provides, has some issues, this needs to be updated.

PS: The KB https://support.sophos.com/support/s/article/KB-000040209?language=en_US was updated yesterday. 

Did you contact your Sophos Partner and ask about configuration support? They can refer them self to the next AP to get this sorted out.