Sophos UTM: Create WAF to allow traffic through Exchange 2016

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article contains steps to create a web application firewall to allow traffic through Exchange 2016.

Important:
Officially, web application firewall (WAF) does not support Microsoft Exchange versions later than 2013. An update of Apache to a new version in our Sophos UTM 9.7 MR9 release renders it incompatible with the non-standard protocol that Microsoft uses in many of its latest products. Should you need to continue using WAF with Microsoft Exchange, see Sophos UTM: WAF not working - [proxy_http:error] read less bytes of request body than expected.

The following sections are covered:

• Creating a real webserver
• Creating firewall profiles
• Creating virtual webservers
• Creating exceptions

Product and Environment

Sophos UTM 9
 

Prerequisite

• Microsoft Exchange 2016 must be properly configured and working.
• Configure DNS to direct traffic to the external IP address of Sophos UTM for mail.domain.com and autodiscover.domain.com if you are using default settings.
• A wildcard or SAN certificate with hostnames mail.domain.com and autodiscover.domain.com must be uploaded to Sophos UTM so WAF can handle SSL connections to Exchange.

Creating web application firewall for Exchange 2016

Creating a real webserver

1. Click +New Real Webserver in Webserver Protection > Real Webservers.
2. Enter the following details as shown below:
   
   
    
3. Click Save.

Creating firewall profiles

1. Click +New Firewall Profile in Webserver Protection > Firewall Profiles.
2. Create the following profiles and details as shown in the examples below:
    

   Exchange 2016 Autodiscover profile

   Entry URLs   /autodiscover /Autodiscover Skip Filter Rules   960911 960015

    

   Exchange 2016 Autodiscover profile

   Entry URLs   / /ecp /ECP /rpc /RPC /mapi /MAPI /Microsoft-Server-ActiveSync /ews /EWS /oab /OAB /owa /OWA Skip Filter Rules   960010 960015 960018 960032 981176 981203 981204

Note: When saving these profiles, consider the warning for turning off some of the Skip Filter Rules.

The list of skipped filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall.
 

Creating virtual webservers

1. Click +New Virtual Webserver in Webserver Protection > Web Application Firewall > Virtual Webservers.
2. Create the following virtual webservers and enter the details as shown in the examples below:
    

   Exchange 2016 Autodiscover virtual webserver

   Exchange 2016 Webservices virtual webserver

Creating exceptions

Certain exceptions need to be created for Exchange 2016 to function behind WAF.
 

1. Click +New Exception List in Webserver Protection > Firewall Profiles > Exceptions.
2. Create the following exceptions and details as shown in the examples below:
    

   Autodiscover exceptions

   Paths   /autodiscover/* /Autodiscover/*

    

   Webservices exceptions

   Paths   /ecp/* /ECP/* /ews/* /EWS/* /Microsoft-Server-ActiveSync* /oab/* /OAB/* /owa/* /OWA/*

    

   OWA exceptions

   Paths   /owa/ev.owa* /OWA/ev.owa*

    

   Outlook Anywhere exceptions

   Paths   /rpc/* /RPC/* /mapi/* /MAPI/*

Related information
Sophos UTM: Configure and troubleshoot Web Application Firewall

Sign up for the Sophos Support Notification Service to receive proactive SMS alerts for Sophos products and Sophos Central services.