Cannot get OWA to work with business rules and WAF rules and I'm stumped as to where the hangup is. Hoping someone with a working configuration has a guide. Thanks.
I got OWA to work; our problem was that we have a webserver listening on port 80 at the same public address as our Exchange server. In the web server profile, I changed the type and port to encrypted 443 and now OWA works. However, Microsoft ActiveSync does not work. Any ideas?
*EDIT: Got OWA and ActiveSync to work. Dumb mistake... We're using basic with passthrough for the ActiveSync policy. I didn't have any groups or users specified. Everything is working now!
Hi,
have you had any issues with your OWA access since you set it up?
We've had a couple of instances where the WAF service stops and so all connections are dropped and we have to restart the service before anyone can log in again. I've got a support ticket open, but I wondered if you'd experienced any similar issues?
cheers,
Tom
This guide also worked for us on Exchange 2013 - http://networkguy.de/?p=998 . It is slow though.
What we haven't figured out is how to use the Sophos login form instead of the Exchange login form, which would be preferable.
Just to recap the guide above, as it took me forever to get it to work.
1. Click Web servers and then create a web server pointing to your Exchange server; you will need to point your WAF rules to this in step 3.
2. Create 2 protection policies under Web Servers, Exch General and Exch Activesync; they should look just like the examples in the guide - http://networkguy.de/?p=998
3. Create TWO WAF rules in your Firewall. One for "Exch General" with your cert and 1 domain like mail.domain.com and another WAF rule for "Exch Activesync" using cert and 1 domain like activesync.domain.com. There should only be 1 domain from your cert selected in each rule.
4. We did all the path specific routing in the protection policies (step 2); uncheck this option in the WAF rules. (Probably could do it here, just posting what we got working.)
5. Set authentication to none in both WAF firewall rules.
6. Make 3 exception paths in Exch General WAF:
a. /owa/ev.owa*,/OWA/ev.owa* - skip antivirus
b. /ECP/*,/ecp/*,/ews/*,/EWS/*,/Microsoft-Server-ActiveSync*,/oab/*,/OAB/*,/owa/*,/OWA/* - skip static url hardening and check Never change url during Static hardening...
c. /rpc/*,/RPC/*,/mapi/*,/MAPI/* - skip all checks and skip all categories
7. Point Exch General WAF Protection to Exch General (created in step 2). This WAF is done.
8. Make 1 exception path for the Exch Activesync WAF:
a. /autodiscover/*,/Autodiscover/* - skip static url hardening and check Never change url during Static hardening....
9. Point Exch Activesync WAF Protection to Exch Activesync (created in step 2). This WAF is done.
Hopefully it all works. If you have a laptop on an outside connection, go to whatismypic.com and use the IP in the log viewer as a filter to help troubleshoot.
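
An added example, not part of the original post or of Sophos's own code: a small Python audit helper that replays the exception lists from steps 6 and 8 against request paths and reports which WAF checks each path ends up skipping. It assumes case-sensitive glob matching where `*` matches any run of characters and that the query string is ignored; the function names and the sample paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Exception lists copied from steps 6 and 8 of the recap above.
# Assumption: matching is case-sensitive, which is why both cases are listed.
EXCEPTIONS = {
    "Exch General": [
        (["/owa/ev.owa*", "/OWA/ev.owa*"], {"antivirus"}),
        (["/ECP/*", "/ecp/*", "/ews/*", "/EWS/*",
          "/Microsoft-Server-ActiveSync*", "/oab/*", "/OAB/*",
          "/owa/*", "/OWA/*"], {"static URL hardening"}),
        (["/rpc/*", "/RPC/*", "/mapi/*", "/MAPI/*"],
         {"all checks", "all categories"}),
    ],
    "Exch Activesync": [
        (["/autodiscover/*", "/Autodiscover/*"], {"static URL hardening"}),
    ],
}

def skipped_checks(rule, request_target):
    """Return the set of checks the named WAF rule skips for this request."""
    path = request_target.split("?", 1)[0]  # assumption: query is not matched
    skipped = set()
    for patterns, skips in EXCEPTIONS[rule]:
        if any(fnmatchcase(path, pattern) for pattern in patterns):
            skipped |= skips  # every matching exception adds its skips
    return skipped

def fully_bypassed(rule, request_targets):
    """Return the requests that reach Exchange with every WAF check skipped."""
    return [t for t in request_targets
            if "all checks" in skipped_checks(rule, t)]

# Constructed sample request targets (not taken from a real log).
SAMPLE = [
    "/owa/ev.owa2?ns=PendingRequest",   # matches exceptions a and b
    "/mapi/emsmdb/",                    # exception c: no inspection at all
    "/Owa/auth/logon.aspx",             # mixed case: no exception applies
    "/rpc/rpcproxy.dll",                # exception c
    "/Microsoft-Server-ActiveSync?Cmd=Sync",
]

if __name__ == "__main__":
    for target in SAMPLE:
        skips = skipped_checks("Exch General", target)
        print(f"{target:45} skips: {sorted(skips) or 'nothing'}")
    print("uninspected:", fully_bypassed("Exch General", SAMPLE))
```

The output shows which paths rely entirely on Exchange's own hardening (`/rpc/*`, `/mapi/*`) and that a mixed-case path such as `/Owa/...` gets no exception under these assumptions, which is worth filtering for in the log viewer when a client fails.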
I haven't been able to test this, but Viic on the UTM forums used the following to get Sophos forms to work with Exchange. Since XG uses the same WAF, hopefully it works.
Here are the steps that I have done on Exchange side in order to correctly integrate it with UTM reverse form authentication: