Hey, I was wondering if anyone who has their Exchange server(s) behind a Sophos UTM WAF (to publish OWA, Autodiscover and Outlook Anywhere) has activated 'Windows Extended Protection' yet and if there were any problems or not.
I just got the following feedback from MS:
Based on my understanding, the Sophos UTM Webserver Protection intercepts the HTTPS connection (https://assets.sophos.com/X24WTUEQ/at/mb4stbjq36pjm77vn8kvn64z/sophos-utm-web-server-protection-ds.pdf) and so is considered a Man-in-the-Middle (MitM), which is a scenario that Windows Extended Protection actively tries to prevent. Therefore, you see the credential prompts, as the server doesn't accept the connection.
If the UTM uses SSL Bridging (Client --HTTPS-- UTM --HTTPS-- Exchange), it's required to use the same certificate on the device between the client and the server (in your case, the UTM). If you perform SSL Offloading (Client --HTTPS-- UTM --HTTP-- Exchange), this isn't supported and will not work together with Extended Protection turned on, as we need the certificate for the Channel Binding Token (CBT).
For more information see: https://aka.ms/ExchangeEPDoc
That means the automated LetsEncrypt (one tool at the UTM and one at the EX server) is dead?!
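To make the certificate requirement in the MS feedback concrete, here is an added illustration (not code from the thread, from Sophos or from Microsoft) of how the Channel Binding Token is derived from the server certificate the client actually sees, and why bridging with two different certificates, or offloading to plain HTTP, cannot pass the check. It assumes SHA-256-signed certificates and uses constructed byte strings as stand-ins for real DER certificates.

```python
import hashlib
import struct
from typing import Optional

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
EXCHANGE_CERT_DER = b"constructed DER: CN=mail.example.com, issued to the Exchange server"
UTM_CERT_DER = b"constructed DER: CN=mail.example.com, separately issued to the UTM"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' channel binding data.

    The binding is the hash of the DER certificate. RFC 5929 selects SHA-256
    for certificates signed with MD5, SHA-1 or SHA-256, which is assumed here.
    """
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def ntlm_channel_binding_token(cert_der: bytes) -> bytes:
    """MsvAvChannelBindings value (MS-NLMP): MD5 over a gss_channel_bindings_struct
    whose initiator/acceptor addresses are empty and whose application data is
    the tls-server-end-point binding."""
    app_data = tls_server_end_point(cert_der)
    gss_struct = (
        struct.pack("<LL", 0, 0)        # initiator_addrtype, initiator_address length
        + struct.pack("<LL", 0, 0)      # acceptor_addrtype, acceptor_address length
        + struct.pack("<L", len(app_data))
        + app_data
    )
    return hashlib.md5(gss_struct).digest()


def extended_protection_accepts(cert_seen_by_client: bytes,
                                cert_on_exchange: Optional[bytes]) -> bool:
    """Exchange recomputes the CBT from the certificate on its own TLS endpoint and
    compares it with the CBT the client bound into its NTLM authenticator.
    With SSL offloading the backend hop is plain HTTP, so there is no certificate
    (None) to compute a CBT from and the check can never succeed."""
    if cert_on_exchange is None:
        return False
    return ntlm_channel_binding_token(cert_seen_by_client) == \
        ntlm_channel_binding_token(cert_on_exchange)


if __name__ == "__main__":
    # SSL bridging, different certs: client binds to the UTM cert, Exchange checks its own.
    print("bridging, different certs:", extended_protection_accepts(UTM_CERT_DER, EXCHANGE_CERT_DER))  # False
    # Same certificate deployed on both the UTM and Exchange, as the MS feedback requires.
    print("bridging, same cert:", extended_protection_accepts(EXCHANGE_CERT_DER, EXCHANGE_CERT_DER))  # True
    # SSL offloading: no certificate on the Exchange hop at all.
    print("offloading:", extended_protection_accepts(UTM_CERT_DER, None))  # False
```

This is also why two independent LetsEncrypt renewals drift apart: as soon as one side renews, the two DER blobs differ and every CBT comparison fails until the other side carries the same certificate again.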