
Exchange 2019 and WAF configuration - how to get ActiveSync working ?

Dear Sophos support team,

there have been several requests about this topic, but digging through them didn't provide a proper solution.
In the past Sophos provided a guideline for the UTM how to publish an Exchange server with WAF.

I did not find an equivalent for the XG.

So can you please provide a guideline how to publish Exchange over XG WAF with ActiveSync working and keeping WAF as secure as possible ?
Any help is appreciated.

Best Regards
ranX



  • Nothing ? Really ?
    Again "lost in space" with XG ?

  • There are German external Posts about how to integrate this: https://www.frankysweb.de/sophos-xg-18-webserver-protection-und-exchange-2019/

    Simply use MAPI and the predefined Policies, should work. 

    Contact your Sophos Partner to get assistance for the configuration. 

    On the other hand, maybe it's time to look at O365 / Exchange Online for certain reasons. See the vulnerabilities coming up in Exchange on Prem.

    __________________________________________________________________________________________________________________

  • Hi Flo, hi Bruce,

    thanks for the update - I just gave it a try.
    Only adding this exception didn't fix my issue.
    When activating the proposed rules the mobile client (iPhone with latest iOS) still was not able to logon.
    The log shows, that it still triggered a "Bad reputation - SXL category IPCAT_BOTS" message.

    So I had to disable the option "Block clients with bad reputation" in the respective policy.
    I don't know, if this is recommendable or if there is a more secure setting.
    At the moment it's only a temporary "trial and error" setting to me.
    So I really would appreciate a feedback on this !

    After this change I was able to log on and send at least mails with small attachments.
    Sending of larger attachments wasn't possible.
    On the iPhone's mail app I receive the message, the mail was rejected because of its size.

    The Exchange server behind the XG is configured to accept ActiveSync attachments over 100 MB.
    --> In C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Sync\web.config the maxRequestLength was set to 136192
    Also I didn't find a corresponding entry in its transport logs.

    Thus I suspected the XG's reverse proxy.
    # grep "Request body no files data length" /log/reverseproxy.log
    on the advanced shell revealed my assumption was right

    Shouldn't this already have been resolved ?  --> https://community.sophos.com/sophos-xg-firewall/f/discussions/122274/problems-with-activ-sync-exchang-after-update-to-18

    From a customer's view, this is a pretty rocky road to go.
    On UTM the same thing was way much easier to configure.

    Best regards
    ranX
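
Added example, not part of the original post or of Sophos documentation: a shell sketch that splits the three block reasons named in this thread (bad reputation, the request-body limit, rule 920420) per client, and checks whether the proxy's reported body limit is below the Exchange `maxRequestLength` of 136192 KB quoted above. The log lines are constructed, their layout and the limit being in bytes are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: count WAF block reasons per client and compare the proxy's
# body limit with the backend's. Log lines are constructed; their layout
# (Apache/ModSecurity error-log style) is an assumption.

sample_log() {
cat <<'EOF'
[Tue Mar 02 08:14:01 2021] [client 198.51.100.7] Bad reputation - SXL category IPCAT_BOTS [uri "/Microsoft-Server-ActiveSync"]
[Tue Mar 02 08:14:09 2021] [client 198.51.100.7] Bad reputation - SXL category IPCAT_BOTS [uri "/Microsoft-Server-ActiveSync"]
[Tue Mar 02 08:20:33 2021] [client 203.0.113.10] ModSecurity: Request body no files data length is larger than the configured limit (1048576). [uri "/Microsoft-Server-ActiveSync"]
[Tue Mar 02 08:21:02 2021] [client 203.0.113.10] ModSecurity: Warning. [id "920420"] [uri "/Microsoft-Server-ActiveSync"]
[Tue Mar 02 08:22:15 2021] [client 203.0.113.10] GET /owa/ 200
EOF
}

# Read log lines on stdin, print "reason client count" for each blocked pair.
triage() {
  awk '
    {
      reason = ""
      if (index($0, "Request body no files data length")) reason = "body_limit"
      else if (index($0, "Bad reputation")) reason = "bad_reputation"
      else if (index($0, "id \"920420\"")) reason = "crs_920420"
      if (reason == "") next              # not one of the three block reasons
      client = "unknown"
      if (match($0, /\[client [^]]+\]/))  # strip "[client " and the closing "]"
        client = substr($0, RSTART + 8, RLENGTH - 9)
      count[reason " " client]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Print each reported proxy limit (assumed bytes) that is smaller than the
# backend limit given as $1 in KB (ASP.NET maxRequestLength is in KB).
limits_below_backend() {
  backend_bytes=$(( $1 * 1024 ))
  sed -n 's/.*configured limit (\([0-9][0-9]*\)).*/\1/p' | sort -u |
  while read -r limit; do
    if [ "$limit" -lt "$backend_bytes" ]; then echo "$limit"; fi
  done
}

sample_log | triage
sample_log | limits_below_backend 136192
```

On a real appliance, feed `/log/reverseproxy.log` to the functions instead of `sample_log`; a per-client breakdown shows whether an exception scoped to the ActiveSync path would cover the hits before a protection is switched off for the whole policy.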

  • Hi RanX,

    "save yourself the trouble"

    I had the same problems with publishing Exchange 2016/2019.

    Sophos has no interest at all 

    I asked the same questions to Sophos support,
    they didn't even read my support requests properly and sent me outdated documentation.

    Sophos has only Documentation for outdated Microsoft Products.

    Windows 2008 R2
    Sharepoint 2010
    Lync

    Even Exchange seems to be stuck at 2010/2013

    They don't understand the need of the customers out there.

  • PS: Customers can always contact Professional Service to get a configuration done. Sophos Support is not to cover installations and/or config changes in the first place. 

    __________________________________________________________________________________________________________________

  • As LuCar Toni pointed out it is a HUGE security risk at the moment to be running Exchange on premise with WAF. I butt out of the GDPR discussion but IMHO opinion at the moment MS is doing a very poor job at protecting on premise Exchange servers against hackers of which some are on the payroll of countries wanting to undermine the west. You don't live under a stone so you have knowledge of the flood of ransomware attacks going on and the vulnerabilities in Exchange. Yes, IMHO MS wants us all to move to MS online. Have a look at what they are trying with Office. 2019 is probably the last perpetual version you can buy.

    So if you are adamant about using on premise Exchange, switch to Sophos Mobile with Secure Email Client for IOS and put the Exchange behind the Sophos EASproxy and configure it to only allow known clients and select Sophos Secure Email Client as the allowed client. 

    Never allow OWA or ECP through WAF!

    just my 0,02.

  • At the time I was asking for Exchange 2019/WAF documentation, there was no word about Sophos Professional Services.
    Even Exchange 2019 was unknown to Sophos support (in 2020)...
    Even Germany Support was closed at all.

    I know, Exchange behind a WAF is a huge risk, but still better than no WAF at all.

    But I think a "good" Firewall might be some sort of help.

    But with Firewall Rules for Windows 2008 R2, SharePoint 2010 ... and old stuff like that, Sophos is not the firewall I see here.

    At least Sophos should have some up-to-date documentation for current Products.

    Microsoft is selling Office 2021

  • Related to your Product Documentation feedback, I would advise raising any content suggestions you have, on our Product Documentation Community group.


    Florentino
    Director, Global Community & Digital Support

  • Good Morning @ all,

    returning to the desk this morning, I was pretty surprised, to find a number of answers on my topic.
    I'm awfully sorry to say, I have to agree with Jürgen.

    Sophos advertises the WAF as special feature.
    But when it comes to putting this to use, you're left in the dark.
    The above post of Flo is a good example of this attitude towards customers.

    In the past there was always updated documentation about common use cases of these features.
    There was no need to specifically ask for it.
    Now there's only outdated documentation and for a Sophos customer it's a hard struggle, to get information.

    About this very topic "WAF for Exchange 2019" there have been at least two requests at this board some time ago.
    This is the first one who triggered at least a bit of a result.
    To be true, this kind of result frightens me more than a bit.
    Take a closer look at it:

    In the first, I had to be the "awkward customer" to make Sophos come up with a documentation.
    (to be true, I was surprised, they did this at all ...)
    Then I had to find, the settings given in this documentation were not thoroughly tested, as they did not work.
    After reporting this, Sophos themselves did not know how to resolve the issue (strange enough, isn't it ??!)
    So they passed it over to Convergent.
    Bruce found the root cause, but pointed out, he did not know, what impact the skipped rule (920420) would have.
    No explanation from the Sophos' side on this ...

    As they are the "manufacturer" it should be a breeze for them to give profound advice.
    Instead the overall impression: even on the Sophos side there's little knowledge about the own product.

    And this is, what frightens me - at least as much as Microsoft not fixing their security breaches ...

    Best Regards
    ranX

  • I can only point to professional service about this. Because it's a third party integration. The Change of the way Exchange works in the last years is the reason for changing the behavior of WAF in the first place. They moved from RPC to MAPI.

    And to be clear: Sophos Support is to work on Bug within the product, not configuration. This means, if you have a setup running, and notice behavior changes etc, this is a topic to go to Sophos Support. If you call for "how to install this product" this is not covered by Sophos Support. 

    The installation is usually done by the Sophos Partner or the Sophos Professional Service. And I did not notice any issues with Partners coming up to me integrating this. If this is a pretty usual use case, it seems to work for most partners to integrate this.

    The WAF itself works fine and does what it should do. The integration with third party seems to be the issue here. Sophos would have to host and maintain such configuration themselves to address those configuration in a secure manner. If the documentation, which Sophos provides, has some issues, this needs to be updated.

    PS: The KB https://support.sophos.com/support/s/article/KB-000040209?language=en_US was updated yesterday. 

    Did you contact your Sophos Partner and ask about configuration support? They can refer themselves to the next AP to get this sorted out.

    __________________________________________________________________________________________________________________

  • So let me see if I got this right.

    You say, In the past there had been no reports by Sophos Partners with integration of Exchange ...
    If this were really the case, what about this request ?
    --> https://community.sophos.com/sophos-xg-firewall/f/discussions/126770/sfos-18-waf-for-owa-exchange-2016-2019
    When I look at the information about the OP, I see he is Sophos Gold Partner.

    You say, Sophos Support is to work on Bug within the product, not configuration.
    When you call for "how to install this product" this is not covered by Sophos Support.
    This is the new kind of "quality" at Sophos, which I really dislike.

    When using UTM, there was a KB article about how to configure these standard implementations.
    With this documentation it was a breeze for me, to get the very same Exchange we still have,
    working by simply following the KB.
    For XG at first no KB; now a KB, which still doesn't work 100% with an Exchange standard installation.

    So even our Sophos Partner, who did the migration and configuration was left alone in the rain.
    (like the OP of the above linked posting)
    The first attempt ended up with a rollback, as several mandatory configurations did not work.
    E.g. routing from VPN Client tunnels to site-to-site tunnels and Exchange WAF.
    The second attempt was working thus far, we were at least able to avoid another rollback.
    The Sophos Partner engineer and I were happy, it was roughly working.

    But now it's my "homework" to fix the last "loose ends" like ActiveSync attachments not working etc.
    I don't blame the Partner for this, as I saw, which struggle it was for him, to get the needed information from your company.
    You surely understand, telling me, I simply have to request the necessary configuration from the Partner, sounds like a joke to me at the given circumstances.

    Best Regards
    ranX




  • I cannot comment on this matter with more information than the classic information hierarchy, which is the same since I work for Sophos (7 Years). Partners have a direct touch to Sophos or can refer to the Distribution to get configuration assistance.

    This particular case in the community - I cannot comment on this either, as I don't know, what the resolution was. What I do know, the UTM template should work like the SFOS template for Exchange.

    __________________________________________________________________________________________________________________

  • I use the UTM since 10 years when it still was Astaro.
    At that time support requests got resolved pretty quick.
    At present our partner's request took about two weeks until it was answered.

    The UTM template should work ...
    The "should" is the important word, as it doesn't,
    which I can confirm by personal experience.
    I repeat:
    Nothing in our environment changed; only the UTM was migrated to XG.
    On the UTM the template worked perfect "out of the box", on the XG it didn't.

    If that were the case, mine and the previous posters' requests wouldn't have been necessary ...

  • Ah, and by the way: the settings proposed in the new KB article still don't work, when I follow them exactly.
    As already mentioned I have to disable the option "Block clients with bad reputation" in the Webservices policy.
    Otherwise mobile clients which come with IPs from the German Telekom network will be blocked from login to ActiveSync.

  • Block clients with bad reputation is an old option from UTM, which, in fact uses the same database like UTM did. So this database of blocking clients should be the same but your IP, you are trying to use, seems to be blacklisted.

    You see this kind of information in both online helps:

    UTM:

    SFOS: 

    __________________________________________________________________________________________________________________

  • I think most mobile Devices will have a bad IP reputation,
    this is normal and should not be used.

    Where can I reach this Sophos Professional Partners?

    If these are the Sophos Platin Partners, I see no hope, I asked one Platin Partner for IPv6 support
    and he said that he had zero to no knowledge about this.

  • Hi Juergen,

    thanks for sharing this experience regarding bad reputation of mobile clients.
    If it is like this, then why does Sophos propose, to activate this setting in their KB ?

    As already mentioned a few posts above, it's pretty hard to find someone with profound knowledge about the XG.
    Convergent suggests to skip rule 920420 but doesn't know, what this rule actually does.
    Support simply adds this to the KB without any clarification about this rule.
    ...

    Since Sophos took Astaro, the overall customer experience has become growing pain.  

  • Sophos support is for fixing bugs, not for updating documentation See no evil.

    I had a call from Sophos today.
    There is no direct Sophos Professional Services (from Sophos).
    The burden is at the Sophos Partner.

    He also suggested to call Microsoft for Help.

    Sophos upgraded the documentation 
    Sophos Firewall: Web Application Firewall for Exchange 2016