Hello,
I used to have the Exchange WebServices exposed to the internet over DNAT. Because of the recent Exchange exploits, we decided to start using the WAF again and to use the 2FA possibilities of the UTM.
It all works fine except the reason we used DNAT and not WAF in the first place: the Teams Calendar. It randomly comes and goes with users when connected through the WAF, which cripples their usage of Teams. My impression is that Microsoft queries the (on-premises) /ews very often and that Sophos blocks this because it is suspicious behaviour. I'm experimenting with the Firewall profile Exception List (eg. skip "Request limits"), but I'm not entirely sure what I am doing.
The current configuration is taken from https://support.sophos.com/support/s/article/KB-000038003?language=en_US, but it's not a good sign that it starts with "Sophos does not officially support Microsoft Exchange 2016 with WAF." I don't want to change firewall from several customers just because of a Teams issue.
Hi J.Janssens,
Thanks for reaching out to the Community!
Could you please replicate the issue and provide the reverseproxy logs from your firewall?
You can view the WAF log files from the following locations:
tail -f /var/log/reverseproxy.log
Thanks,
I posted a part of the log file, but the forum decided it was spam and removed it ...
--------------------
J. Janssens
Sophos Certified Architect Sophos Certified EngineerSophos Certified Sales ConsultantGold Partner
Can you send the logs via personal message?
J.Janssens
My apologies for the inconvenience.
This was a false-positive related to an anti-spam moderation feature we have in place for URL links. I'm also following up to investigate and resolve the code editor issue you reported (likely due to a character limit we have in-place).
As mentioned, please share any logs through PM for now.
I removed it again because it made the post unreadable.
I've followed up with you via PM.
Hi, we have also the same problem. Is there any solution?
So far, nothing. I disabled
But I just got the message that again calendars are disappearing. I will open a support case with Sophos. If no solution can be found, we will have to move away from Sophos UTM for customers using Teams.
Okay, thanks for your reply. I hope there will be a solution.
The same is happening for us, using NAT for Exchange works perfectly, but as soon as I enable WAF (using the same guide in the link above) nobody can see their Teams calendar (we have Exchange 2016 CU19 in hybrid mode). I've looked in the WAF logs and don't see anything obvious.