

Does Anybody have WAF rules that work to allow OWA on Exchange 2010?

Cannot get OWA to work with business rules and WAF rules, and I'm stumped as to where the hang-up is. Hoping someone with a working configuration has a guide. Thanks



  • Tom,

    can you share your WAF configuration? I have not tried OWA through XG yet, but I would like to do it soon.

    Let's see if, by sharing the configuration, we are able to configure it correctly.
    Thanks

  • Hi,

    we followed this guide and it has worked ok for us: http://networkguy.de/?p=998 

    The guide is for UTM but we have used it on SFOS 15 and now 16 with no problems. 

    Hope that helps...

    Tom

  • The principal technology is still the same from UTM to XG; you should be able to translate Sophos' official guide and Network Guy's to be used on the XG.

    Emile

  • I got OWA to work; our problem was that we have a web server listening on port 80 at the same public address as our Exchange server. In the web server profile, I changed the type and port to encrypted 443 and now OWA works. However, Microsoft ActiveSync does not work. Any ideas?


    *EDIT: Got OWA and ActiveSync to work. Dumb mistake... We're using basic with passthrough for the ActiveSync policy; I didn't have any groups or users specified. Everything is working now!

  • Hi,

    have you had any issues with your OWA access since you set it up?

    We've had a couple of instances where the WAF service stops and so all connections are dropped and we have to restart the service before anyone can log in again. I've got a support ticket open, but I wondered if you'd experienced any similar issues?

    cheers,

    Tom

  • This guide also worked for us on Exchange 2013 - http://networkguy.de/?p=998 .  It is slow though.

    What we haven't figured out is how to use the Sophos login form instead of the Exchange login form, which would be preferable.


    Just to recap the guide above as it took me forever to get it to work.

    1. Click Web servers and then create a web server pointing to your Exchange server; you will need to point your WAF rules to this in step 3.

    2. Create 2 protection policies under Web Servers, "Exch General" and "Exch Activesync"; they should look just like the examples in the guide - http://networkguy.de/?p=998

    3. Create TWO WAF rules in your Firewall. One for "Exch General" with your cert and 1 domain like mail.domain.com, and another WAF rule for "Exch Activesync" using the cert and 1 domain like activesync.domain.com. There should only be 1 domain from your cert selected in each rule.

    4. We did all the path-specific routing in the protection policies (step 2); uncheck this option in the WAF rules. (Probably could do it here, just posting what we got working.)

    5. Set authentication to none in both WAF firewall rules.

    6. Make 3 exception paths in the Exch General WAF rule:

        a. /owa/ev.owa*,/OWA/ev.owa* - skip antivirus

        b. /ECP/*,/ecp/*,/ews/*,/EWS/*,/Microsoft-Server-ActiveSync*,/oab/*,/OAB/*,/owa/*,/OWA/* - skip static URL hardening and check "Never change URL during static hardening..."

        c. /rpc/*,/RPC/*,/mapi/*,/MAPI/* - skip all checks and skip all categories

    7. Point the Exch General WAF protection to Exch General (created in step 2). This WAF rule is done.

    8. Make 1 exception path for the Exch Activesync WAF rule:

        a. /autodiscover/*,/Autodiscover/* - skip static URL hardening and check "Never change URL during static hardening..."

    9. Point the Exch Activesync WAF protection to Exch Activesync (created in step 2). This WAF rule is done.

    Hopefully it all works. If you have a laptop on an outside connection, go to whatismypic.com and use the IP in the log viewer as a filter to help troubleshoot.
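Once the two rules above are in place, a quick way to see which published path is the one failing, before digging through the log viewer, is to probe each path anonymously from outside and compare status codes. The script below is an added example and is not code from this thread or from Sophos; the host names are the placeholders used in the post, and the "expected" codes (Basic/NTLM endpoints answering 401 anonymously, OWA answering 200 or redirecting to its logon page) and the reading of a 403 as the WAF block page are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): anonymous probes of the paths the exception lists cover,
# run from a machine outside the firewall. Host names are the placeholders used in the post;
# expected codes are assumptions (Basic/NTLM endpoints answer 401 anonymously, OWA answers 200
# or redirects to its logon page). A 403 is assumed to be the WAF's block page.
$general    = "mail.domain.com"
$activeSync = "activesync.domain.com"

$probes = @(
    @{ Host = $general;    Path = "/owa/";                          Ok = 200, 302 },
    @{ Host = $general;    Path = "/ecp/";                          Ok = 200, 302, 401 },
    @{ Host = $general;    Path = "/ews/exchange.asmx";             Ok = 401 },
    @{ Host = $general;    Path = "/oab/";                          Ok = 401 },
    @{ Host = $general;    Path = "/rpc/rpcproxy.dll";              Ok = 401 },
    @{ Host = $general;    Path = "/mapi/emsmdb/";                  Ok = 401 },   # MAPI/HTTP: Exchange 2013 SP1 and later only
    @{ Host = $general;    Path = "/Microsoft-Server-ActiveSync";   Ok = 401 },
    @{ Host = $activeSync; Path = "/Microsoft-Server-ActiveSync";   Ok = 401 },
    @{ Host = $activeSync; Path = "/autodiscover/autodiscover.xml"; Ok = 401 }
)

function Get-StatusCode([string]$Url) {
    # Returns the HTTP status of an unauthenticated GET without following redirects;
    # -1 means no HTTP answer at all (TCP/TLS failure: WAF not listening, cert problem, etc.).
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        return [int]$resp.StatusCode
    } catch {
        # Windows PowerShell raises a terminating error for 3xx (with -MaximumRedirection 0), 4xx and 5xx;
        # the response object is still attached to the exception.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

$results = foreach ($p in $probes) {
    $url  = "https://$($p.Host)$($p.Path)"
    $code = Get-StatusCode $url
    $verdict = if ($p.Ok -contains $code) { "ok" }
               elseif ($code -eq 403)     { "blocked: check the exception paths for this URL" }
               elseif ($code -eq -1)      { "no answer: check the WAF rule, certificate and web server" }
               elseif ($code -ge 500)     { "backend error: check the web server definition" }
               else                       { "unexpected" }
    [pscustomobject]@{ Url = $url; Status = $code; Verdict = $verdict }
}
$results | Format-Table -AutoSize
```

Run it twice, once before and once after each exception-path change, and diff the two tables; the probe for the path you just touched is the only row that should move. Because the WAF matches paths case-sensitively (which is why the post lists both /owa/* and /OWA/*), it is worth adding an upper-case variant of any path that still shows "blocked".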


  • I haven't been able to test this, but Viic on the UTM forums used the following to get Sophos forms to work with Exchange. Since XG uses the same WAF, hopefully it works.

    https://community.sophos.com/products/unified-threat-management/f/web-server-security/50198/reverse-auth---custom-form-template


    Here are the steps that I have done on the Exchange side in order to correctly integrate it with UTM reverse form authentication:

    • Added an additional IP address to the NIC.
    • Created a new web site "OWA UTM" in IIS bound to this new IP.
    • New-OwaVirtualDirectory -Name "OwaUTM" -Websitename "OWA UTM".
    • New-EcpVirtualDirectory -Server EX2010 -Websitename "OWA UTM".
    • Set Basic Authentication on the new OWA and ECP virtual directories through the EMC.
    • Set the Basic authentication IIS default Domain/Realm.
    • Created an IIS redirection from the root to the /Owa virtual directory on the new web site.
    • Checked Require SSL.
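The list above mixes GUI steps with two shell commands. The script below is an added example that puts all of them into the Exchange Management Shell so the result is repeatable and reviewable; it is not Viic's script, not from the thread, and not from Sophos or Microsoft documentation. The server and site names are the ones used in the post, and the IP address, adapter name, content path, certificate thumbprint and domain are assumptions to replace. It creates the OWA virtual directory without -Name, so it is called "owa" (the post's -Name "OwaUTM" would change the identity strings used below).

```powershell
# Added example (not from the thread): the Exchange-side steps listed above as a script.
# Run in the Exchange Management Shell on the Exchange 2010 Client Access Server, elevated.
# Names, IPs, paths and the thumbprint below are assumptions; replace them for your site.
Import-Module WebAdministration

$server    = "EX2010"                                      # CAS name used in the post
$siteName  = "OWA UTM"                                     # IIS site name used in the post
$siteIp    = "192.0.2.10"                                  # second IP for the NIC (assumed)
$netMask   = "255.255.255.0"                               # assumed
$nic       = "Local Area Connection"                       # adapter name (assumed)
$sitePath  = "C:\inetpub\OwaUTM"                           # empty content root (assumed)
$certThumb = "0123456789ABCDEF0123456789ABCDEF01234567"    # existing Exchange cert (assumed)
$realm     = "CORP"                                        # NetBIOS domain for Basic auth (assumed)

# 1. Second IP address on the NIC (netsh works on Server 2008 R2, which has no New-NetIPAddress).
netsh interface ipv4 add address $nic $siteIp $netMask

# 2. New IIS site bound to that IP on 443 only, with the existing certificate attached.
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
New-Website -Name $siteName -PhysicalPath $sitePath -IPAddress $siteIp -Port 443 -Ssl | Out-Null
$cert = Get-Item "Cert:\LocalMachine\My\$certThumb"
New-Item "IIS:\SslBindings\$siteIp!443" -Value $cert | Out-Null

# 3. OWA and ECP virtual directories on the new site (named "owa" and "ecp" by default).
New-OwaVirtualDirectory -Server $server -WebSiteName $siteName | Out-Null
New-EcpVirtualDirectory -Server $server -WebSiteName $siteName | Out-Null
$owaId = "$server\owa ($siteName)"
$ecpId = "$server\ecp ($siteName)"

# 4. Basic authentication only: the WAF's reverse-auth form collects the credentials and
#    forwards them to Exchange as Basic, so forms and Windows auth on the backend are off.
Set-OwaVirtualDirectory -Identity $owaId -FormsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $false
Set-EcpVirtualDirectory -Identity $ecpId -FormsAuthentication $false -BasicAuthentication $true -WindowsAuthentication $false

# 5. Default logon domain and realm for Basic auth on both virtual directories. These sections
#    are locked in applicationHost.config, so they are written from APPHOST with -Location.
$basicFilter = "system.webServer/security/authentication/basicAuthentication"
foreach ($vdir in "owa", "ecp") {
    Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location "$siteName/$vdir" `
        -Filter $basicFilter -Name defaultLogonDomain -Value $realm
    Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location "$siteName/$vdir" `
        -Filter $basicFilter -Name realm -Value $realm
}

# 6. Redirect the site root to /owa; childOnly keeps the redirect off the virtual directories.
$redirect = "system.webServer/httpRedirect"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $redirect -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $redirect -Name destination -Value "/owa"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter $redirect -Name childOnly -Value $true

# 7. Require SSL on the whole site (also a locked section, hence APPHOST + -Location).
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location $siteName `
    -Filter "system.webServer/security/access" -Name sslFlags -Value "Ssl"

iisreset /noforce

# Check: the WAF web server object should point at $siteIp on 443, and only Basic should be on.
Get-OwaVirtualDirectory -Identity $owaId | Format-List Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication
Get-EcpVirtualDirectory -Identity $ecpId | Format-List Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication
Get-WebBinding -Name $siteName
```

The point of the separate site on its own IP is that the Default Web Site keeps forms authentication for any internal clients, while the Basic-only copy is reachable only by the WAF: bind the firewall's web server object to $siteIp:443 and keep that address out of any DNAT rule, otherwise the Basic endpoint is exposed directly and the WAF's form login is bypassed.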