Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot Get Exchange WAF Rules to Work for Outlook Anywhere or Outlook Web Access (OWA). Outlook Mobile Access and Autodiscover work.

I'll start by saying I attempted to replace my aging Forefront TMG 2010 server this past weekend with a XG310 running firmware 16.05 and after 6 hours of fighting with the Exchange rules I gave up and reverted back to the TMG. 

 

I have already went though every post I could find on the subject on the forums (https://community.sophos.com/products/xg-firewall/f/email-protection/74660/publish-exchange-server-through-xg-firewall, https://community.sophos.com/products/xg-firewall/f/network-and-routing/40733/exchange-2013-waf-publishing, https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010, https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere) and also the most refereed to post outside the forums (https://networkguy.de/?p=998).  Some have helped but none got my system up and running.  It also seems other people are having the same issue with no resolutions (https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/87745/exchange-outlook-anywhere-waf-not-working)

 

After multiple hours I was able to get Autodiscover working (with its own rule) and Exchange Mobile Sync (again with it's own rule).  But the "Exchange General" rule will not work which I need for Outlook Anywhere and Outlook Web Access.   The biggest issue is Outlook will prompt for a username and password, which you shouldn't need.  Also no combination of user/password works.  Same with OWA, we get the forms based authentication but nothing works.   Also I can't seem to get it to redirect to /oma which TMG does without issue.  

 

I've verified under Protect -> Web Server -> Authentication Policies that a user group is selected for both Basic and Forms Based authentication.  I also know this works since I setup a different webserver using the forms based and that works fine.   Also under Protect -> Web Server -> Web Servers my Exchange server is listed as "Encrypted (HTTPS)" which it is. 

 

I'm at a loss of what to try next.  Any suggestions?  Is there a more up to date guide then one based on the UTM?   All my other firewall rules (30+) and web server publishing rules (8) work fine, just the Exchange ones do not.  I tried a simple web server publishing rule, not using the Exchange template, and I had limited success with that but it was hit or miss so that's not the answer either.

 

-Allan



This thread was automatically locked due to age.
Parents
  • Hi Allan,


    I also came from TMG 2010 and I use Exchange 2007. I used this setting:

      - Certificate with SAN (I use internal CA), for example:
        owa.<domain> for the Exchange General rule (OWA and ActiveSync)
        autodiscover.<domain> for the Exchange Autodiscover rule
        oan.<domain> for the Outlook Anywhere rule.
      - I published each rule with its CN domain, removing the others from the rule, and using different IPs (alias)
      - In Outlook Anywhere Police, I have added these filters: 960032, 960035, 960904, 960911
      - I use NTLM authentication

  • Sounds like we have a similar setup.  We are also using a certificate with SAN, also using NTML authentication.  Exchange 2013 instead of 2007.

     

    My san has three subs for Exchange:

    - autodiscover.mydomain.com - IP address #1

    - email.mydomain.com for both OA and OWA - IP address #1

    - oma.mydomain.com (mobile access) - IP Address #2

     

    OA and OWA are currently set to use the same external IP in DNS and that works fine with TMG so I tried putting them into the same rule.  Per that post (https://networkguy.de/?p=998) they had only two rules for everything but I couldn't get that to work at all.

     

    I added and removed so many filter rules I don't remember if I did exactly what you did for OA.  I know under Policies -> Protection I turned it off during testing and still couldn't get it to work either.

     

    Would you be willing to post screenshots of your config with your domain info blurred out?

     

    Or if anyone else has any suggestions please feel free.  I'm going to reattempt the install this Sunday so the more examples I can see the better chance I have.  I don't understand why the built-in rules don't just "work" out of the box.

     

    -Allan

  • Hi Allan,

    Attached are the rules and policies.

    The Outook Anywhere rule has two domain entries that I forgot to mention in the previous post.

    I hope it helps
     
  • Ahhh.....your not using the path specific routing.  I think I tried it like that and that was when I did have limited results.  I also didn't have as many exceptions in my protection policy. Thanks for posting....I'll retry this weekend.

     

    -Allan

Reply Children
No Data