Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exchange 2019 and WAF configuration - how to get ActiveSync working ?

Dear Sophos support team,

there have been several requests about this topic, but digging through them didn't provide a proper solution.
In the past Sophos provided a guideline for the UTM how to publish an Exchange server with WAF.

I did not find an equivalent for the XG.

So can you please provide a guideline how to publish Exchange over XG WAF with ActiveSync working and keeping WAF as secure as possible ?
Any help is appreciated.

Best Regards

This thread was automatically locked due to age.
  • Nothing ? Really ?
    Again "lost in space" with XG ?

  • There are German external Posts about how to integrate this:

    Simply use MAPI and the predefined Policies, should work. 

    Contact your Sophos Partner to get assistance for the configuration. 

    On the other hand, maybe its time to look at O365 / Exchange Online for certain reasons. See the vulnerabilities coming up in Exchange on Prem,. 


  • Hi Flo,

    at first thank you and your team for the reply and the fast publication of the KB article !
    The more I'm sorry to say, there is some mistake in the proposed configuration.

    I first created the rules as shown and then triple checked them before activation.
    When activated, I'm not able to fetch mails on my mobile any more (iPhone with latest iOS) .
    I receive the message, no contact to the server could be established.

    When I checked the XG log first, I saw, that my phone's IP (german Telekom range) was blocked because of bad reputation.
    So I disabled the reputation check in the respective policy.
    Afterwards I did a relogin at my mobile network, to receive a different external IP.
    Then I tried again but received the same message.

    This time the log showed "Inbound anomaly score exceeded" for the reason of WAF Anomaly on the folder /Microsoft-Server-ActiveSync..

    Thus I switched back to my working configuration, where only the sending of email attachments fails.

    So I kindly ask your engineers, to re-check the published KB article.

    About LuCar Toni's comment, to switch to O365 Exchange Online:
    This is not an option because, I only replace one evil with another.
    GDPR does not allow to use a hosting service, which is subjected to american regulations.
    So I simply can't do this without getting in conflict with our law.

    Best Regards


  • Just wondering, which law and country does restrict/prevent you from using O365? Just curious.


  • GDPR is mandatory all over Europe:

    Here some more information about the impact on O365.

    To put it short:
    In Europe you are not allowed to transfer your data to a country, which doesn't respect privacy and has the option to access personal data.
    The US government forces all US companies, to give access on demand.
    Thus the use of hosted services, which process personal data, like email in Exchange online, is not legal for a european company.

  • That would mean, O365 is actually 0 use cases and customers, but Microsoft reports XXX % Revenue increase per year. 

    So how can they use O365, if this is not legally possible? I am just curious. Are all those customers simply ignoring the GDPR? Can i sue all O365 customers based on GDPR? Why is this not going on right now? I am just wondering. 


  • @ Toni:

    Yes, all european customers using Exchange online do ignore GDPR.
    Depending on the country, where you live, some authorities are strict, some don't care and I think some european countries don't even know, they're subjected to this ...

    In Germany, they are pretty strict and it can become expensive.
    It's pretty new and not widely known, that german courts started to make decisions against O365.

    A short time ago, I took part in an online security workshop with a bunch of professionals.
    One provider told, that a number of customers went to Exchange online after the Hafnium desaster.
    And he pointed out, this was no wise decision, because they simply switched from one "unsafe playground" to another.

    If you like to, you will be able to successfully sue O365 customers, as soon, as they decide to process personal data on Microsoft O365 services like Exchange online..
    And e-mails are definetly persional data -->


    to keep the focus on the original topic, I remind you, the KB contains some error, as I cannot connect to ActiveSync, when applying the rules as suggested.
    The clients get blocked because of bad reputation; when disabling the check, I receive WAF anomaly errors.
    Any help on resolving this is highly appreciated.

    Best Regards

  • I understand this, and i am coming from Germany as well, but the pure number of customers using Exchange online in Germany (even in the public sector) is stunning to me, if your case is correct. Because there are certain lawyers out there, using such grounds to sue every company (see Uploadfilter policies and German Copyright). I dont understand, why they do not start to sue every company based on GPDR, if its easy to win? 

    I am not here to bring arguments for or against Microsoft Cloud, but i am just curious. There are to many customers, like you said, ignore GDPR. And this does not make sense to me. Especially as i know plenty of public (government) customers using O365. 

    Microsoft came recently with a 90 Day plan to cover GDPR concerns.

    My question would be, what is worse: Leaking all Emails cause of vulnerabilities, which are clearly in weekly cycle on Exchange on Prem, or a stable version, hosted by Microsoft? 


  • About your first request:
    The intention of GDPR is, to protect the single individual from misuse of it's personal data.
    A third person (e.g. a "lawyer") is not able to charge you money, when you or your company violates GDPR.
    So they cannot earn any money on this, like it was the case with copyright infringment.

    The only party getting money, are the authorities supervising GDPR.
    Just like the street authorities, charging you for speeding or parking tickets.
    So it's the same principle: many go too fast or park at the wrong place - but as controlling personnel is limited by far not all of them are caught.
    But still the most of us agree, it's a reasonable behaviour, to keep an eye on the pace most of the time.

    GDPR is realtively new; so there is little common experience and lots of confusion.
    And for a long time there had been no court decisions.
    In this vacuum many customers started with O365.

    But there were also many, that were aware, they couldn't make legal use of O365, the way, it is designed now.
    Those asked MS to provide a GDPR compliant solution.
    Therefore MS published this "pseudo" guideline.
    "Pseudo" because ist doesn't name a solution to the most crucial point:
    all data is processed on MS systems, which can be accessed by US government authorities.
    As long as these have access, O365 will not be GDPR compliant.

    From admin sight there's no good solution:
    - Exchange on prem is unsafe, due to missing updates
    - Exchange online is also no good advice because of missing GDPR compliance

    Possible workarounds:
    - to stop publishing the on prem Webservices use VPN as entrypoint
    - switch to other mailservice+groupware, which has less known vulnerabilities

  • I cannot comment on such topics, as i am not a IT lawyer nor have the experiences. I just acknowledge the big movement to O365 and still consider this to be a valid path, even for GDPR concerns. But this is something, which needs to be discussed in different forms on different levels. 


  • Florentino, you may want to inform support that they need to add another rule to the list of exclusions in the KB Sophos Firewall: Web Application Firewall for Exchange 2016 -- I'm not sure if my customer had Exchange 2016 or 2019, but another rule that we had to exclude was rule ID 920420

    CTO, Convergent Information Security Solutions, LLC

    Sophos Platinum Partner


    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Hi Bruce,

    that's interesting, can you show us, where this rule has to be skipped? And what's it about?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

Reply Children
  • If you look at the KB article I referenced, there's a list of ruie IDs they list to skip for the "webservices" policy.  Just added 920420 to the list.  What's it about?  I don't know, all I know is that regular activesync traffic was triggering it falsely... so we disabled it.

    CTO, Convergent Information Security Solutions, LLC

    Sophos Platinum Partner


    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.