
Exchange 2019 and WAF configuration - how to get ActiveSync working?

Dear Sophos support team,

There have been several requests about this topic, but digging through them didn't provide a proper solution.
In the past, Sophos provided a guideline for the UTM on how to publish an Exchange server with WAF.

I did not find an equivalent for the XG.

So can you please provide a guideline on how to publish Exchange over XG WAF with ActiveSync working while keeping WAF as secure as possible?
Any help is appreciated.

Best Regards
ranX



  • Block clients with bad reputation is an old option from UTM which, in fact, uses the same database as UTM did. So this database of blocking clients should be the same, but the IP you are trying to use seems to be blacklisted.

    You see this kind of information in both online helps:

    UTM:

    SFOS: 


  • I think most mobile devices will have a bad IP reputation;
    this is normal and should not be used.

    Where can I reach these Sophos Professional Partners?

    If these are the Sophos Platinum Partners, I see no hope. I asked one Platinum Partner for IPv6 support
    and he said that he had zero to no knowledge about this.

  • Hi Juergen,

    Thanks for sharing this experience regarding bad reputation of mobile clients.
    If it is like this, then why does Sophos propose to activate this setting in their KB?

    As already mentioned a few posts above, it's pretty hard to find someone with profound knowledge about the XG.
    Convergent suggests skipping rule 920420 but doesn't know what this rule actually does.
    Support simply adds this to the KB without any clarification about this rule.
    ...

    Since Sophos took Astaro, the overall customer experience has become a growing pain.

  • Sophos support is for fixing bugs, not for updating documentation. 🙈

    I had a call from Sophos today.
    There is no direct Sophos Professional Services (from Sophos).
    The burden is on the Sophos Partner.

    He also suggested calling Microsoft for help.

    Sophos upgraded the documentation 
    Sophos Firewall: Web Application Firewall for Exchange 2016

  • Why are you fighting and arguing with someone who is looking for help?
    You, Sir, shouldn't be allowed to post anything in here, since all you do is play the smart boy who knows everything better.
    The GDPR/DSGVO is preventing some companies from using any cloud service at all, as long as the server is not in Europe and the data will not stay in Europe! So no backups or replication from German servers to American servers, where my data can be accessed by invoking the Patriot Act, for example.

  • Thanks for your feedback. 

    I was simply asking questions, as I am not an Exchange expert nor an IT lawyer, but I could not resist asking why everybody is still using O365 if this is not allowed. Looking at most customers, they all use Microsoft services in most ways. And it seems odd to me that even government customers use those services, which they are not allowed to use.

  • Hi Lucar Toni,

    IMHO there is no need to defend yourself. We know your intention is to help and you helped many of us in the past.

    You are right that many EU institutions and governments are also using cloud services based in the US. It is still an ongoing process, and some of it is not law, as stated by some here, but also self-regulation and therefore unclear. Maybe the investigations will make it clearer in the future.

    https://edps.europa.eu/press-publications/press-news/press-releases/2021/edps-opens-two-investigations-following-schrems_en

  • Hi Lucar Toni,


    The simple answer to your question is: there is no real alternative product to Office365.

    Regarding his statements about the GDPR, RanX is 100% right if you take the GDPR text literally (even if you repeatedly can't believe it).

    In practice, this is ignored by all sides. Where else should a public authority migrate to, for example?
    Microsoft gives numerous more or less helpful assurances, clear court decisions do not exist yet, as far as I know. We are dealing with a situation that has not yet been fully clarified!

    But this is already enough for many of my customers to NOT want to use US cloud products under ANY circumstances until clarity is provided.

    So I'm in the dilemma of not being allowed to use O365 (at the direction of my customers) but not being able to run Exchange OnPremise securely.

    Anyway, I have not been able to get the Sophos WAF to work completely, just like RanX. And even if I could get it to work, the instructions largely deal with disabling filter rules, the exact meaning of which is not documented. That doesn't feel very secure.

    Even if I could somehow get this to work, no real confidence would grow. I interpret Sophos' lack of documentation to mean that Sophos doesn't have that confidence in its own WAF either, at least not in combination with Exchange. Pretty much the most important and widespread product for which you need a WAF at all...

    It's really silly to promote a great feature for OnPremises products (WAF), but then recommend your customers to go to the cloud...

    Altogether I share the opinion of one of the previous speakers: Exchange not via WAF but via VPN. Everything else is insecure until Sophos does its homework and provides a clear statement and working documentation.

    Regards
    Paris (Sophos Silver Partner)

  • Hello Paris,

    That's exactly my opinion; thank you for putting this into clear words.

    It is pretty ridiculous: Sophos advertising the WAF feature, but on the other hand recommending the customers not to use it, because they themselves do not thoroughly trust it.
    Nor can they explain what the WAF really covers at present.

    As I lost all my confidence these days, I was happy to find an agreement with our management to stop publishing Exchange and only use it via VPN any more.

    Best Regards
    ranX