This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF issues after updating to 9.709-3

Hi,

anyone else noticed that after updating to 9.709-3 Exchange Web Services is not working anymore? We get HTTP Error 500 when connecting to EWS published trhrough WAF. Also, the virtual server changes to orange when this error occurs. Accessing EWS through the browser shows the service page after authentication, but when interacting with EWS by using the Exchange Remote Connectivity Analyzer or EWS Editor generates the HTTP 500 error and the WAF rule turns orange.

When directly connecting to EWS and bypassing UTM works fine and we can interact with EWS.

Before the update everything worked fine.

Franc.



This thread was automatically locked due to age.
Parents Reply Children
  • Sorry to hear... No I don't, I just want to make sure before updating...

    There is another issue posted related to WAF and 9.709-3:
    https://community.sophos.com/utm-firewall/f/web-server-security/132950/websocket-passthrough-broken-since-last-update

    What service / application are you running which relies on EWS?
    Did you try to put the WAF firewall mode to "monitor" instead of "reject" to see if any rule or setting results in the HTTP 500?

  • We are in a hybrid configuration. Exchange online requires access to on-prem using EWS. We can't do mailbox migrations or free/busy information without EWS.

    Yes, I've tried setting it to monitor, but didn't help.

  • Hoi Franc,

    Did trying Albeck's suggestion give you any new information?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hoi,

    which suggestions are you referring to? Setting to monitor or even not applying a firewall profile at all didn’t help. Enabling sockets also doesn’t help. Everything worked fine for years, until installing 9.709-3.

  • Here's are the complete log entries for the issue:

    2022:03:02-13:07:00 firewall-1 httpd[29345]: [proxy_http:error] [pid 29345:tid 4084087664] [client <ip>:64185] AH01086: read less bytes of request body than expected (got 0, expected 634)
    2022:03:02-13:07:00 firewall-1 httpd[29345]: [proxy_http:error] [pid 29345:tid 4084087664] [client <ip>:64185] AH10154: pass request body failed to <ip>:443 (<ip>) from <ip> () with status 500
    2022:03:02-13:07:00 firewall-1 httpd: id="0299" srcip="<ip>" localip="<ip>" size="538" user="-" host="<ip>" method="POST" statuscode="500" reason="-" extra="-" exceptions="SkipURLHardening, SkipFormHardeningMissingToken" time="17848" url="/EWS/Exchange.asmx"

  • Hello Franc,

    I have left a note for the engineer about this and also reported to their manager to follow the process to arrange for the session properly, if you don't hear from the engineer by the end of your working day tomorrow, let me know! 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Have you had any update on this as I am having the same issue.  This is having an impact on our Hybrid setup with Office365.  One major headache, we can't migrate users.  This is affecting  Autodiscover and EWS.  I don't have the firewall profile set, so hardening should not be taking place.  All was working before the upgrade.

    This is the error you get back using the Microsoft connectivity Analyzer 

    The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
     
    Additional Details
    An HTTP 500 response was returned from Unknown.
    HTTP Response Headers: Connection: close
    Content-Length: 530
    Content-Type: text/html; charset=iso-8859-1
    Date: Sat, 05 Mar 2022 20:38:47 GMT
    Server: Apache
    The connection never makes it to the internal Exchange server.
  • No, I didn’t hear anything yet, but the support call goes through our supplier, but they didn’t inform me either that they received a response from Sophos support. Waiting for more than a week now to schedule a remote session.

    The error you get is the same as we are having. We took the UTM out and are using our Kemp load balancer now to do the proxying,

  • Is there any update on what Sophos Engineering have found on this?  When can we expect the fix?

  • Sophos Support still hasn't contacted us.