This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM: Create WAF to allow traffic through Exchange 2016

Disclaimer: The content is published as-is, without any expectation of official support or guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.


This article contains steps to create a web application firewall to allow traffic through Exchange 2016.

Officially, web application firewall (WAF) does not support Microsoft Exchange versions later than 2013. An update of Apache to a new version in our Sophos UTM 9.7 MR9 release renders it incompatible with the non-standard protocol that Microsoft uses in many of its latest products. Should you need to continue using WAF with Microsoft Exchange, see Sophos UTM: WAF not working - [proxy_http:error] read less bytes of request body than expected.

Certain infrastructure rules are the core of the WAF ModSecurity operation. You should not disable them without possibly affecting other rules built upon them. If an infrastructure rule is added to the Skip Filter Rules list, you make yourself vulnerable to other possible attacks.

The following sections are covered:

Product and Environment

Sophos UTM 9


  • Microsoft Exchange 2016 must be properly configured and working.
  • Configure DNS to direct traffic to the external IP address of Sophos UTM for and if you are using default settings.
  • A wildcard or SAN certificate with hostnames and must be uploaded to Sophos UTM so WAF can handle SSL connections to Exchange.

Creating web application firewall for Exchange 2016

Creating a real webserver

  1. Click +New Real Webserver in Webserver Protection > Real Webservers.
  2. Enter the following details as shown below:

  3. Click Save.

Creating firewall profiles

  1. Click +New Firewall Profile in Webserver Protection > Firewall Profiles.
  2. Create the following profiles and details as shown in the examples below:
    Exchange 2016 Autodiscover profile

    Entry URLs
    • /autodiscover
    • /Autodiscover

    Skip Filter Rules
    • 960911
    • 960015

    Exchange 2016 Autodiscover profile

    Entry URLs
    • /
    • /ecp
    • /ECP
    • /rpc
    • /RPC
    • /mapi
    • /MAPI
    • /Microsoft-Server-ActiveSync
    • /ews
    • /EWS
    • /oab
    • /OAB
    • /owa
    • /OWA

    Skip Filter Rules
    • 960010
    • 960015
    • 960018
    • 960032
    • 981176
    • 981203
    • 981204

Note: When saving these profiles, consider the warning for turning off some of the Skip Filter Rules.

The list of skipped filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall.

Creating virtual webservers

  1. Click +New Virtual Webserver in Webserver Protection > Web Application Firewall > Virtual Webservers.
  2. Create the following virtual webservers and enter the details as shown in the examples below:


Creating exceptions

Certain exceptions need to be created for Exchange 2016 to function behind WAF.

  1. Click +New Exception List in Webserver Protection > Firewall Profiles > Exceptions.
  2. Create the following exceptions and details as shown in the examples below:

    Autodiscover exceptions

    • /autodiscover/*
    • /Autodiscover/*

    Webservices exceptions

    • /ecp/*
    • /ECP/*
    • /ews/*
    • /EWS/*
    • /Microsoft-Server-ActiveSync*
    • /oab/*
    • /OAB/*
    • /owa/*
    • /OWA/*

    OWA exceptions


    • /owa/ev.owa*
    • /OWA/ev.owa*

    Outlook Anywhere exceptions

    • /rpc/*
    • /RPC/*
    • /mapi/*
    • /MAPI/*

Related information
Sophos UTM: Configure and troubleshoot Web Application Firewall

Sign up for the Sophos Support Notification Service to receive proactive SMS alerts for Sophos products and Sophos Central services.

Missing period in the Disclaimer section.
[edited by: Dennis Huagan at 6:01 AM (GMT -7) on 15 Sep 2023]