Cannot Get Exchange WAF Rules to Work for Outlook Anywhere or Outlook Web Access (OWA). Outlook Mobile Access and Autodiscover work.

Question

I'll start by saying I attempted to replace my aging Forefront TMG 2010 server this past weekend with a XG310 running firmware 16.05 and after 6 hours of fighting with the Exchange rules I gave up and reverted back to the TMG. 
 
 I have already went though every post I could find on the subject on the forums ( https://community.sophos.com/products/xg-firewall/f/email-protection/74660/publish-exchange-server-through-xg-firewall, https://community.sophos.com/products/xg-firewall/f/network-and-routing/40733/exchange-2013-waf-publishing, https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010, https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere) and also the most refereed to post outside the forums ( https://networkguy.de/?p=998 ). Some have helped but none got my system up and running. It also seems other people are having the same issue with no resolutions ( https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/87745/exchange-outlook-anywhere-waf-not-working ) 
 
 After multiple hours I was able to get Autodiscover working (with its own rule) and Exchange Mobile Sync (again with it's own rule). But the "Exchange General" rule will not work which I need for Outlook Anywhere and Outlook Web Access. The biggest issue is Outlook will prompt for a username and password, which you shouldn't need. Also no combination of user/password works. Same with OWA, we get the forms based authentication but nothing works. Also I can't seem to get it to redirect to /oma which TMG does without issue. 
 
 I've verified under Protect -> Web Server -> Authentication Policies that a user group is selected for both Basic and Forms Based authentication. I also know this works since I setup a different webserver using the forms based and that works fine. Also under Protect -> Web Server -> Web Servers my Exchange server is listed as "Encrypted (HTTPS)" which it is. 
 
 I'm at a loss of what to try next. Any suggestions? Is there a more up to date guide then one based on the UTM? All my other firewall rules (30+) and web server publishing rules (8) work fine, just the Exchange ones do not. I tried a simple web server publishing rule, not using the Exchange template, and I had limited success with that but it was hit or miss so that's not the answer either. 
 
 -Allan

Adriano Almeida · Accepted Answer

Hi Allan, 
 Attached are the rules and policies. 
 The Outook Anywhere rule has two domain entries that I forgot to mention in the previous post. 
 I hope it helps 
 
 5287.Sophos XG - Exchange Publish.pdf

AllanD · Answer

So things went better today. Adriano Almeida - looking at your settings I realized that you appeared to be using the built in Exchange forms based authentication. Since I was coming from TMG I was using basic and had the form on the TMG. This tripped me up a lot.....mainly because I cannot get the Sophos forms based to work even with a standard website I'm trying to protect. Login simply fails each time and I can't figure out why. But that's another issue (at least now it is). 
 
 First I used two external IP's from your three. However I used 4 rules in total. 
 Rule 1 - Exchange Autodiscover - IP Address #1 - autodiscover.mydomain.com 
 Rule 2 - Exchange Outlook Anywhere - IP Address #1 - email.mydomain.com 
 Rule 3 - Exchange General - IP Address # 1 - owa.mydomain.com 
 Rule 4 - Exchange ActiveSync - IP Address # 2 - oma.mydomain.com 
 Looking at it I could probably put everything on a single IP address since I am using unique names for everything (move mobile to same IP as the other three) but it works so I'm leaving it alone. 
 
 Second since I was no longer using basic passthrough or forms passthrough I reset the Exchange virtual directories back to their defaults (removing basic authentication from a couple) using the settings here: https://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspx 
 
 Third of course I had to change to forms based authentication for the OWA and ECP directories through Exchange. 
 
 Fourth was in Rule 3 (Exchange General) I added /* to the Static URL Hardening exception list. I did that because I have a redirect to /owa on the exchange box (using the first set of these instructions: https://support.microsoft.com/en-us/help/975341/how-to-configure-exchange-to-redirect-owa-http-requests-to-https-requests-in-iis-7 ). That combined with the Redirect HTTP checkbox on the Sophos rule lets my users just type in owa.mydomain.com in a browser then Sophos redirects to secure at https://owa.mydomain.com/ and then Exchange redirects to the subdirectory at https://owa.mydomain.com/owa and everything works. I cant see this being a security issue with the redirect...maybe someone else can weigh it. It does make it a lot easier for the users. 
 
 Lastly since Outlook Anywhere needs EWS for mailtips and Out Of Office (OOF) I added "/EWS/Exchange.asmx" to the exception in Rule 2 above and also in the "Exchange Outlook Anywhere" protection policy. That fixed that issue, a issue I had before on TMG but never could fix.

All in all things are working well. Still some other things to work out but they are not Exchange related. 
 
 -Allan