
Cannot Get Exchange WAF Rules to Work for Outlook Anywhere or Outlook Web Access (OWA). Outlook Mobile Access and Autodiscover work.

I'll start by saying I attempted to replace my aging Forefront TMG 2010 server this past weekend with an XG310 running firmware 16.05 and after 6 hours of fighting with the Exchange rules I gave up and reverted back to the TMG.


I have already gone through every post I could find on the subject on the forums (https://community.sophos.com/products/xg-firewall/f/email-protection/74660/publish-exchange-server-through-xg-firewall, https://community.sophos.com/products/xg-firewall/f/network-and-routing/40733/exchange-2013-waf-publishing, https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010, https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere) and also the most referred-to post outside the forums (https://networkguy.de/?p=998). Some have helped but none got my system up and running. It also seems other people are having the same issue with no resolutions (https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/87745/exchange-outlook-anywhere-waf-not-working).


After multiple hours I was able to get Autodiscover working (with its own rule) and Exchange Mobile Sync (again with its own rule). But the "Exchange General" rule will not work, which I need for Outlook Anywhere and Outlook Web Access. The biggest issue is Outlook will prompt for a username and password, which you shouldn't need. Also no combination of user/password works. Same with OWA, we get the forms based authentication but nothing works. Also I can't seem to get it to redirect to /oma, which TMG does without issue.


I've verified under Protect -> Web Server -> Authentication Policies that a user group is selected for both Basic and Forms Based authentication. I also know this works since I set up a different webserver using the forms based and that works fine. Also under Protect -> Web Server -> Web Servers my Exchange server is listed as "Encrypted (HTTPS)", which it is.


I'm at a loss of what to try next. Any suggestions? Is there a more up to date guide than one based on the UTM? All my other firewall rules (30+) and web server publishing rules (8) work fine, just the Exchange ones do not. I tried a simple web server publishing rule, not using the Exchange template, and I had limited success with that but it was hit or miss so that's not the answer either.


-Allan



  • So things went better today. Looking at your settings I realized that you appeared to be using the built-in Exchange forms based authentication. Since I was coming from TMG I was using basic and had the form on the TMG. This tripped me up a lot.....mainly because I cannot get the Sophos forms based to work even with a standard website I'm trying to protect. Login simply fails each time and I can't figure out why. But that's another issue (at least now it is).


    First I used two external IPs from your three. However I used 4 rules in total.

    Rule 1 - Exchange Autodiscover - IP Address #1 - autodiscover.mydomain.com

    Rule 2 - Exchange Outlook Anywhere - IP Address #1 - email.mydomain.com

    Rule 3 - Exchange General - IP Address #1 - owa.mydomain.com

    Rule 4 - Exchange ActiveSync - IP Address #2 - oma.mydomain.com

    Looking at it I could probably put everything on a single IP address since I am using unique names for everything (move mobile to same IP as the other three) but it works so I'm leaving it alone.


    Second since I was no longer using basic passthrough or forms passthrough I reset the Exchange virtual directories back to their defaults (removing basic authentication from a couple) using the settings here: https://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspx


    Third of course I had to change to forms based authentication for the OWA and ECP directories through Exchange.


    Fourth was in Rule 3 (Exchange General) I added /* to the Static URL Hardening exception list. I did that because I have a redirect to /owa on the exchange box (using the first set of these instructions: https://support.microsoft.com/en-us/help/975341/how-to-configure-exchange-to-redirect-owa-http-requests-to-https-requests-in-iis-7). That combined with the Redirect HTTP checkbox on the Sophos rule lets my users just type in owa.mydomain.com in a browser, then Sophos redirects to secure at https://owa.mydomain.com/ and then Exchange redirects to the subdirectory at https://owa.mydomain.com/owa and everything works. I can't see this being a security issue with the redirect...maybe someone else can weigh it. It does make it a lot easier for the users.


    Lastly since Outlook Anywhere needs EWS for mailtips and Out Of Office (OOF) I added "/EWS/Exchange.asmx" to the exception in Rule 2 above and also in the "Exchange Outlook Anywhere" protection policy. That fixed that issue, an issue I had before on TMG but never could fix.


    All in all things are working well.  Still some other things to work out but they are not Exchange related.


    -Allan


  • "Fourth was in Rule 3 (Exchange General) I added /* "


    IMO this completely destroys all your URL hardening, someone can try to go to any address they choose.


    Instead I would add a path entry point that goes to your redirection address, never want /* as an exception.


    So where you have /owa,/OWA,/mapi,/MAPI,/rpc,/RPC,/   -  add one more path - /index.php or /index.html


    I posted my steps here

    https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010
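
As an added example, not code from this thread, from either poster, or from Sophos: a small Python model of the URL-hardening logic the two replies above disagree about. It assumes a simplified scheme (entry URLs match by exact path or path prefix, exception patterns are shell-style globs, and any other path is accepted only when it carries an HMAC-signed token of the kind a WAF adds when it rewrites links in a served page); the signing key, the `_sig` query parameter, the `/some/other/path` and `/deep/page` probe paths and the matching semantics are constructed for the demo and are not Sophos's actual mechanism. `compare_exceptions()` puts the `/*` exception from the earlier reply beside the narrow configuration from the later one (`/index.html` as an extra entry URL, `/EWS/Exchange.asmx` as the only exception) so the difference in what gets through is visible.

```python
import hashlib
import hmac
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real WAF holds its own secret for signing rewritten links.
SIGNING_KEY = b"constructed-demo-key"

# Entry URLs listed in the reply above, including "/" so the HTTP->HTTPS redirect target is reachable.
ENTRY_URLS = ["/owa", "/OWA", "/mapi", "/MAPI", "/rpc", "/RPC", "/"]


def _signature(path: str) -> str:
    """HMAC tag over the path; stands in for the token a WAF adds to links it rewrites."""
    return hmac.new(SIGNING_KEY, path.encode(), hashlib.sha256).hexdigest()[:16]


def sign_link(path: str) -> str:
    """Emulate the WAF rewriting a link in a served page so the follow-up request passes."""
    return f"{path}?_sig={_signature(path)}"


def _matches_entry(path: str, entry: str) -> bool:
    """Assumed entry URL semantics: "/" matches only the root, every other entry matches as a prefix."""
    if entry == "/":
        return path == "/"
    return path == entry or path.startswith(entry.rstrip("/") + "/")


def evaluate(url: str, entry_urls, exceptions=()) -> tuple:
    """Return (allowed, reason) for one request under a given hardening configuration."""
    parts = urlsplit(url)
    path = parts.path or "/"
    # An exception removes the path from hardening entirely, which is why "/*" is so broad.
    for pattern in exceptions:
        if fnmatchcase(path, pattern):
            return True, f"exception {pattern!r}"
    for entry in entry_urls:
        if _matches_entry(path, entry):
            return True, f"entry URL {entry!r}"
    # Anything else must carry a valid signature, i.e. come from a link the WAF rewrote.
    token = parse_qs(parts.query).get("_sig", [""])[0]
    if token and hmac.compare_digest(token, _signature(path)):
        return True, "signed link"
    return False, "not an entry URL, no exception, no valid signature"


def compare_exceptions():
    """Side by side: the "/*" exception versus one extra entry URL plus a single path exception."""
    probes = ["/", "/owa/", "/index.html", "/some/other/path", "/EWS/Exchange.asmx"]
    wildcard = {p: evaluate(p, ENTRY_URLS, ["/*"])[0] for p in probes}
    narrow = {p: evaluate(p, ENTRY_URLS + ["/index.html"], ["/EWS/Exchange.asmx"])[0] for p in probes}
    return wildcard, narrow


if __name__ == "__main__":
    wildcard, narrow = compare_exceptions()
    for path in wildcard:
        print(f"{path:22} /* exception: {wildcard[path]!s:5}  narrow config: {narrow[path]}")
```

With the `/*` exception every probe is allowed, including the path that is neither an entry URL nor linked from any served page; with the narrow configuration that path is the only one blocked, the redirect landing page and the EWS endpoint still pass, and everything else stays dependent on the WAF's link signing.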
