Exchange 2019 and WAF configuration - how to get ActiveSync working ?

Nothing ? Really ?
Again "lost in space" with XG ?

There are German external Posts about how to integrate this: https://www.frankysweb.de/sophos-xg-18-webserver-protection-und-exchange-2019/

Simply use MAPI and the predefined Policies, should work. 

Contact your Sophos Partner to get assistance for the configuration. 

On the other hand, maybe its time to look at O365 / Exchange Online for certain reasons. See the vulnerabilities coming up in Exchange on Prem,. 

I understand this, and i am coming from Germany as well, but the pure number of customers using Exchange online in Germany (even in the public sector) is stunning to me, if your case is correct. Because there are certain lawyers out there, using such grounds to sue every company (see Uploadfilter policies and German Copyright). I dont understand, why they do not start to sue every company based on GPDR, if its easy to win? 

I am not here to bring arguments for or against Microsoft Cloud, but i am just curious. There are to many customers, like you said, ignore GDPR. And this does not make sense to me. Especially as i know plenty of public (government) customers using O365. 

Microsoft came recently with a 90 Day plan to cover GDPR concerns. https://docs.microsoft.com/de-de/compliance/regulatory/gdpr-action-plan

My question would be, what is worse: Leaking all Emails cause of vulnerabilities, which are clearly in weekly cycle on Exchange on Prem, or a stable version, hosted by Microsoft? 

About your first request:
The intention of GDPR is, to protect the single individual from misuse of it's personal data.
A third person (e.g. a "lawyer") is not able to charge you money, when you or your company violates GDPR.
So they cannot earn any money on this, like it was the case with copyright infringment.

The only party getting money, are the authorities supervising GDPR.
Just like the street authorities, charging you for speeding or parking tickets.
So it's the same principle: many go too fast or park at the wrong place - but as controlling personnel is limited by far not all of them are caught.
But still the most of us agree, it's a reasonable behaviour, to keep an eye on the pace most of the time.

GDPR is realtively new; so there is little common experience and lots of confusion.
And for a long time there had been no court decisions.
In this vacuum many customers started with O365.

But there were also many, that were aware, they couldn't make legal use of O365, the way, it is designed now.
Those asked MS to provide a GDPR compliant solution.
Therefore MS published this "pseudo" guideline.
"Pseudo" because ist doesn't name a solution to the most crucial point:
all data is processed on MS systems, which can be accessed by US government authorities.
As long as these have access, O365 will not be GDPR compliant.

From admin sight there's no good solution:
- Exchange on prem is unsafe, due to missing updates
- Exchange online is also no good advice because of missing GDPR compliance

Possible workarounds:
- to stop publishing the on prem Webservices use VPN as entrypoint
- switch to other mailservice+groupware, which has less known vulnerabilities

I cannot comment on such topics, as i am not a IT lawyer nor have the experiences. I just acknowledge the big movement to O365 and still consider this to be a valid path, even for GDPR concerns. But this is something, which needs to be discussed in different forms on different levels. 

Florentino, you may want to inform support that they need to add another rule to the list of exclusions in the KB Sophos Firewall: Web Application Firewall for Exchange 2016 -- I'm not sure if my customer had Exchange 2016 or 2019, but another rule that we had to exclude was rule ID 920420

Hi Bruce,

that's interesting, can you show us, where this rule has to be skipped? And what's it about?

If you look at the KB article I referenced, there's a list of ruie IDs they list to skip for the "webservices" policy.  Just added 920420 to the list.  What's it about?  I don't know, all I know is that regular activesync traffic was triggering it falsely... so we disabled it.

Hi Bruce,

Appreciate the feedback, I'll reach out to the team to have this updated.

Thanks!

Hi Flo, hi Bruce,

thanks for the update - I just gave it a try.
Only adding this exception didn't fix my issue.
When activating the proposed rules the mobile client (iPhone with latest iOS) still was not able to logon.
The log shows, that it still triggered a "Bad reputation - SXL category IPCAT_BOTS" message.

So I had to disable the option "Block clients with bad reputation" in the respective policy.
I don't know, if this is recommendable or if there is a more secure setting.
At the momen it's only a temporary "trial and error" setting to me.
So I really would appreciate a feedback on this !

After this change I was able logon and send at least mails with small attachments.
Sending of larger attachments wasn't possible.
On the iPhone's mail app I receive the message, the mail was rejected because of it's size.

The Exchange server behind the XG is configured to accept ActiveSync attachments over 100 MB.
-- > In C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Sync\web.config the maxRequestLength was set to 136192
Also I didn't find a corresponding entry in it's transport logs.

Thus I suspected the XG's reverse proxy.
# grep "Request body no files data length" /log/reverseproxy.log
on the advanced shell revealed my assumption was right

Shouldn't his already have been resolved ?  --> https://community.sophos.com/sophos-xg-firewall/f/discussions/122274/problems-with-activ-sync-exchang-after-update-to-18

From a customer's view, this is a pretty rocky road to go.
On UTM the same thing was way much easier to configure.

Best regards
ranX

Hi RanX,

"save yourself the trouble"

I had the same problems with publishing Exchange 2016/2019.

Sophos has no interest at all 

I asked the same questions to Sophos support,
they didn´t even read my support requests properly and send me outdated documenation.

Sophos has only Documentation for outdated Microsoft Products.

Windows 2008 R2
Sharepoint 2010
Lync

.Even Exchange seams to stuck at 2010/2013

They don´t understand the need of the customers out there.

PS: Customers can always contact Professional Service to get a configuration done. Sophos Support is not to cover installations and/or config changes in the first place. 

PS: Customers can always contact Professional Service to get a configuration done. Sophos Support is not to cover installations and/or config changes in the first place.