Cannot Get Exchange WAF Rules to Work for Outlook Anywhere or Outlook Web Access (OWA). Outlook Mobile Access and Autodiscover work.

I'll start by saying I attempted to replace my aging Forefront TMG 2010 server this past weekend with an XG310 running firmware 16.05, and after 6 hours of fighting with the Exchange rules I gave up and reverted to the TMG.

I have already gone through every post I could find on the subject on the forums (https://community.sophos.com/products/xg-firewall/f/email-protection/74660/publish-exchange-server-through-xg-firewall, https://community.sophos.com/products/xg-firewall/f/network-and-routing/40733/exchange-2013-waf-publishing, https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010, https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere) and also the most referred-to post outside the forums (https://networkguy.de/?p=998). Some have helped but none got my system up and running. It also seems other people are having the same issue with no resolution (https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/87745/exchange-outlook-anywhere-waf-not-working).


After multiple hours I was able to get Autodiscover working (with its own rule) and Exchange Mobile Sync (again with its own rule). But the "Exchange General" rule will not work, which I need for Outlook Anywhere and Outlook Web Access. The biggest issue is Outlook will prompt for a username and password, which you shouldn't need. Also no combination of user/password works. Same with OWA: we get the forms-based authentication but nothing works. Also I can't seem to get it to redirect to /oma, which TMG does without issue.


I've verified under Protect -> Web Server -> Authentication Policies that a user group is selected for both Basic and Forms Based authentication. I also know this works since I set up a different web server using the forms-based authentication and that works fine. Also under Protect -> Web Server -> Web Servers my Exchange server is listed as "Encrypted (HTTPS)", which it is.


I'm at a loss of what to try next. Any suggestions? Is there a more up-to-date guide than one based on the UTM? All my other firewall rules (30+) and web server publishing rules (8) work fine; just the Exchange ones do not. I tried a simple web server publishing rule, not using the Exchange template, and I had limited success with that, but it was hit or miss so that's not the answer either.


-Allan

  • Hi Allan,


    I also came from TMG 2010 and I use Exchange 2007. I used this setting:

      - Certificate with SAN (I use internal CA), for example:
        owa.<domain> for the Exchange General rule (OWA and ActiveSync)
        autodiscover.<domain> for the Exchange Autodiscover rule
        oan.<domain> for the Outlook Anywhere rule.
      - I published each rule with its CN domain, removing the others from the rule, and using different IPs (alias)
      - In the Outlook Anywhere policy, I have added these filters: 960032, 960035, 960904, 960911
      - I use NTLM authentication

  • Sounds like we have a similar setup. We are also using a certificate with SAN, also using NTLM authentication. Exchange 2013 instead of 2007.

    My SAN has three subs for Exchange:

    - autodiscover.mydomain.com - IP address #1

    - email.mydomain.com for both OA and OWA - IP address #1

    - oma.mydomain.com (mobile access) - IP Address #2


    OA and OWA are currently set to use the same external IP in DNS and that works fine with TMG so I tried putting them into the same rule.  Per that post (https://networkguy.de/?p=998) they had only two rules for everything but I couldn't get that to work at all.


    I added and removed so many filter rules I don't remember if I did exactly what you did for OA.  I know under Policies -> Protection I turned it off during testing and still couldn't get it to work either.


    Would you be willing to post screenshots of your config with your domain info blurred out?


    Or if anyone else has any suggestions please feel free.  I'm going to reattempt the install this Sunday so the more examples I can see the better chance I have.  I don't understand why the built-in rules don't just "work" out of the box.


    -Allan

  • Hi Allan,

    Attached are the rules and policies.

    The Outlook Anywhere rule has two domain entries that I forgot to mention in the previous post.

    I hope it helps.
  • Ahhh..... you're not using the path-specific routing. I think I tried it like that and that was when I did have limited results. I also didn't have as many exceptions in my protection policy. Thanks for posting.... I'll retry this weekend.


    -Allan

  • I'm going to attempt the upgrade from my TMG to the XG this Sunday again. I'll try your instructions. I also re-keyed our SSL and added owa.mydomain.com in case I do have to have a separate rule between Outlook Anywhere and Outlook Web Access. I'm hoping I don't have to, since it's so much easier to use email.mydomain.com for everything, but we'll see.


    -Allan

  • So things went better today. Looking at your settings I realized that you appeared to be using the built-in Exchange forms-based authentication. Since I was coming from TMG I was using basic and had the form on the TMG. This tripped me up a lot..... mainly because I cannot get the Sophos forms-based authentication to work even with a standard website I'm trying to protect. Login simply fails each time and I can't figure out why. But that's another issue (at least now it is).

    First, I used two external IPs from your three. However, I used 4 rules in total.

    Rule 1 - Exchange Autodiscover - IP Address #1 - autodiscover.mydomain.com

    Rule 2 - Exchange Outlook Anywhere - IP Address #1 - email.mydomain.com

    Rule 3 - Exchange General - IP Address # 1 - owa.mydomain.com

    Rule 4 - Exchange ActiveSync - IP Address # 2 - oma.mydomain.com

    Looking at it I could probably put everything on a single IP address since I am using unique names for everything (move mobile to same IP as the other three) but it works so I'm leaving it alone.


    Second, since I was no longer using basic passthrough or forms passthrough, I reset the Exchange virtual directories back to their defaults (removing basic authentication from a couple) using the settings here: https://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspx

    Third, of course, I had to change to forms-based authentication for the OWA and ECP directories through Exchange.


    Fourth, in Rule 3 (Exchange General) I added /* to the Static URL Hardening exception list. I did that because I have a redirect to /owa on the Exchange box (using the first set of these instructions: https://support.microsoft.com/en-us/help/975341/how-to-configure-exchange-to-redirect-owa-http-requests-to-https-requests-in-iis-7). That, combined with the Redirect HTTP checkbox on the Sophos rule, lets my users just type owa.mydomain.com in a browser; Sophos then redirects to secure at https://owa.mydomain.com/ and then Exchange redirects to the subdirectory at https://owa.mydomain.com/owa and everything works. I can't see this being a security issue with the redirect... maybe someone else can weigh in. It does make it a lot easier for the users.


    Lastly, since Outlook Anywhere needs EWS for MailTips and Out Of Office (OOF), I added "/EWS/Exchange.asmx" to the exception in Rule 2 above and also in the "Exchange Outlook Anywhere" protection policy. That fixed that issue, an issue I had before on TMG but never could fix.


    All in all things are working well.  Still some other things to work out but they are not Exchange related.


    -Allan


  • Allan,

    thank you for sharing your experience.

    This is the meaning of the Community!

    Thanks again.

  • "Fourth was in Rule 3 (Exchange General) I added /* "

     

    IMO this completely destroys all your url hardening, someone can try to go to any address they choose.

     

    Instead I would add a path entry point that goes to your redirection address, never want to /* as an eception.


    So where you have /owa,/OWA,/mapi,/MAPI,/rpc,/RPC,/   -  add one more path - /index.php or /index.html


    I posted my steps here:

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010
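The URL-hardening point in this last reply, set against the `/*` exception described in Allan's fourth step, as an added example; this is not code from the thread or from Sophos, and its matching rules (exact entry-URL match, shell-style wildcard exceptions, no modelling of WAF-rewritten links or server redirects) are simplifying assumptions.

```python
"""Simplified model of WAF static URL hardening: entry URLs and exceptions.

Assumptions (illustrative model, not Sophos code): a request path may be
fetched directly when it exactly equals an entry URL or matches an exception
pattern ('*' is a shell-style wildcard). Links rewritten by the WAF and
server-side redirects are deliberately not modelled.
"""
from fnmatch import fnmatchcase

# Entry URLs listed in the thread for the Exchange General rule.
ENTRY_URLS = ["/owa", "/OWA", "/mapi", "/MAPI", "/rpc", "/RPC", "/"]

# Allan's configuration: "/*" added to the hardening exception list.
WEAK_CONFIG = {"entry": ENTRY_URLS, "exceptions": ["/*"]}

# The reply's suggestion: add the redirect landing page as one more entry URL.
FIXED_CONFIG = {"entry": ENTRY_URLS + ["/index.html"], "exceptions": []}


def direct_access_allowed(config, path):
    """True if `path` may be requested directly under `config`."""
    if path in config["entry"]:
        return True
    return any(fnmatchcase(path, pat) for pat in config["exceptions"])


def evaluate(config, paths):
    """Map each sample path to whether the config lets it through directly."""
    return {p: direct_access_allowed(config, p) for p in paths}


def opened_by_weak_config(weak, fixed, paths):
    """Paths the weak config exposes directly that the fixed one does not."""
    return sorted(p for p in paths
                  if direct_access_allowed(weak, p)
                  and not direct_access_allowed(fixed, p))


# Constructed sample requests: intended entry points plus a few probes
# for paths a client should not be able to open directly.
SAMPLE_PATHS = ["/", "/owa", "/index.html", "/ecp",
                "/EWS/Exchange.asmx", "/aspnet_client/x.aspx"]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, evaluate(cfg, SAMPLE_PATHS))
    print("exposed only by '/*':",
          opened_by_weak_config(WEAK_CONFIG, FIXED_CONFIG, SAMPLE_PATHS))
```

With `/*` as an exception every probe passes the entry check, so the hardening adds nothing; the extra entry URL keeps the redirect landing page reachable while the probes stay blocked.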