
Exchange server with 'Windows Extended Protection' behind WAF

Hey, I was wondering if anyone who has their Exchange server(s) behind a Sophos UTM WAF (to publish OWA, Autodiscover and Outlook Anywhere) has activated 'Windows Extended Protection' yet and if there were any problems or not.

Info:
techcommunity.microsoft.com/.../3593862
microsoft.github.io/.../

  • I just got the following feedback from MS:

    Based on my understanding, the Sophos UTM Webserver Protection intercepts the HTTPS connection (https://assets.sophos.com/X24WTUEQ/at/mb4stbjq36pjm77vn8kvn64z/sophos-utm-web-server-protection-ds.pdf) and so is considered a Man-in-the-Middle (MitM), and this is a scenario that Windows Extended Protection actively tries to prevent. Therefore, you see the credential prompts as the server doesn't accept the connection.

    If the UTM uses SSL Bridging (Client --HTTPS-- UTM --HTTPS-- Exchange), it's required to use the same certificate on the device between the client and the server (in your case, the UTM). If you perform SSL Offloading (Client --HTTPS-- UTM --HTTP-- Exchange), this isn't supported and will not work together with Extended Protection turned on, as we need the certificate for the Channel Binding Token (CBT).

    For more information see: https://aka.ms/ExchangeEPDoc

    That means the automated LetsEncrypt (one tool at the UTM and one at the EX Server) is dead?!

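Why the certificate has to be identical on both ends, as an added example that is not part of this thread nor code from Sophos or Microsoft: the client's CBT is a hash of the certificate the UTM presents, and Exchange compares it with a hash of its own listener certificate, so the check below models the bridging-with-same-cert, bridging-with-different-cert (two independently issued certificates for the same name, which is what two separate ACME clients produce) and offloading cases. The certificate bytes and status strings are constructed for illustration; `fetch_der` is the live variant built on Python's standard `ssl` module and is an assumed helper name.

```python
"""Windows Extended Protection ties NTLM/Kerberos authentication to the TLS
channel with a Channel Binding Token (CBT). Over HTTPS that token is the
RFC 5929 'tls-server-end-point' binding: a hash of the server certificate
the client saw. Exchange recomputes it from the certificate on its own
HTTPS listener, so the WAF must present the very same certificate."""
import hashlib
import ssl
from typing import Optional


def tls_server_end_point(cert_der: bytes, sig_hash: str = "sha256") -> bytes:
    """RFC 5929 tls-server-end-point binding of a DER-encoded certificate.
    The digest is the certificate's signature hash algorithm, except that MD5
    and SHA-1 are replaced by SHA-256. Assumption: the caller supplies that name."""
    if sig_hash.lower() in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()


def channel_binding_status(frontend_cert: bytes, backend_cert: Optional[bytes]) -> str:
    """Compare the CBT a client derives from the WAF certificate with the one
    Exchange derives from its own listener certificate.

    frontend_cert: DER certificate the UTM presents to clients.
    backend_cert:  DER certificate on Exchange's HTTPS listener, or None when
                   the UTM forwards plain HTTP (SSL offloading).
    """
    if backend_cert is None:
        return "offloading: backend is HTTP, nothing to bind to -> unsupported"
    if tls_server_end_point(frontend_cert) == tls_server_end_point(backend_cert):
        return "bridging with identical certificate -> CBT matches"
    return "bridging with different certificates -> CBT mismatch, credential prompts"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Live check: fetch the certificate a TLS listener actually presents. Call it
    for the UTM's public name and for Exchange directly, then compare both."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# Constructed stand-ins for DER certificate bytes: only byte identity matters
# for the binding, so real certificates are not needed to see the three cases.
UTM_CERT = b"constructed-der: cert issued to mail.example.com on the UTM"
EXCHANGE_CERT_SAME = UTM_CERT
EXCHANGE_CERT_OTHER = b"constructed-der: separately issued cert for the same name"

if __name__ == "__main__":
    for backend in (EXCHANGE_CERT_SAME, EXCHANGE_CERT_OTHER, None):
        print(channel_binding_status(UTM_CERT, backend))
```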