
Sophos UTM: Create WAF to allow traffic through Exchange 2016

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article contains steps to create a web application firewall to allow traffic through Exchange 2016.

Important:
Officially, web application firewall (WAF) does not support Microsoft Exchange versions later than 2013. An update of Apache to a new version in our Sophos UTM 9.7 MR9 release renders it incompatible with the non-standard protocol that Microsoft uses in many of its latest products. Should you need to continue using WAF with Microsoft Exchange, see Sophos UTM: WAF not working - [proxy_http:error] read less bytes of request body than expected.

The following sections are covered:

  • Product and Environment
  • Prerequisite
  • Creating web application firewall for Exchange 2016
  • Related information

Product and Environment

Sophos UTM 9

Prerequisite

  • Microsoft Exchange 2016 must be properly configured and working.
  • Configure DNS to direct traffic to the external IP address of Sophos UTM for mail.domain.com and autodiscover.domain.com if you are using default settings.
  • A wildcard or SAN certificate with hostnames mail.domain.com and autodiscover.domain.com must be uploaded to Sophos UTM so WAF can handle SSL connections to Exchange.

Creating web application firewall for Exchange 2016

Creating a real webserver

  1. Click +New Real Webserver in Webserver Protection > Real Webservers.
  2. Enter the details of the Exchange 2016 server as shown in the screenshot below:

    [Screenshot: Real Webserver settings]

  3. Click Save.

Creating firewall profiles

  1. Click +New Firewall Profile in Webserver Protection > Firewall Profiles.
  2. Create the following profiles and details as shown in the examples below:

    Exchange 2016 Autodiscover profile

    [Screenshot: Autodiscover firewall profile settings]

    Entry URLs

    • /autodiscover
    • /Autodiscover

    Skip Filter Rules

    • 960911
    • 960015

    Exchange 2016 Webservices profile

    [Screenshot: Webservices firewall profile settings]

    Entry URLs

    • /
    • /ecp
    • /ECP
    • /rpc
    • /RPC
    • /mapi
    • /MAPI
    • /Microsoft-Server-ActiveSync
    • /ews
    • /EWS
    • /oab
    • /OAB
    • /owa
    • /OWA

    Skip Filter Rules

    • 960010
    • 960015
    • 960018
    • 960032
    • 981176
    • 981203
    • 981204

Note: When saving these profiles, consider the warning for turning off some of the Skip Filter Rules.

The list of skipped filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall.

Creating virtual webservers

  1. Click +New Virtual Webserver in Webserver Protection > Web Application Firewall > Virtual Webservers.
  2. Create the following virtual webservers and enter the details as shown in the examples below:

    Exchange 2016 Autodiscover virtual webserver

    [Screenshot: Autodiscover virtual webserver settings]

    Exchange 2016 Webservices virtual webserver

    [Screenshot: Webservices virtual webserver settings]

Creating exceptions

Certain exceptions need to be created for Exchange 2016 to function behind WAF.

  1. Click +New Exception List in Webserver Protection > Firewall Profiles > Exceptions.
  2. Create the following exceptions and details as shown in the examples below:

    Autodiscover exceptions

    [Screenshot: Autodiscover exception list settings]

    Paths

    • /autodiscover/*
    • /Autodiscover/*

    Webservices exceptions

    [Screenshot: Webservices exception list settings]

    Paths

    • /ecp/*
    • /ECP/*
    • /ews/*
    • /EWS/*
    • /Microsoft-Server-ActiveSync*
    • /oab/*
    • /OAB/*
    • /owa/*
    • /OWA/*

    OWA exceptions

    [Screenshot: OWA exception list settings]

    Paths

    • /owa/ev.owa*
    • /OWA/ev.owa*

    Outlook Anywhere exceptions

    [Screenshot: Outlook Anywhere exception list settings]

    Paths

    • /rpc/*
    • /RPC/*
    • /mapi/*
    • /MAPI/*
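
To sanity-check the exception lists and the Webservices skip rules before committing them, the following added example (not from the article or from Sophos) transcribes the article's exception paths, matches constructed sample request paths against them, and flags any skipped rule that the warning above names as a required infrastructure rule. It assumes that `*` behaves as a shell-style wildcard and that matching is case-sensitive; the article does not state this, but listing every path in both spellings only makes sense if it is.

```python
from fnmatch import fnmatchcase

# Exception lists transcribed from the article (list name -> wildcard paths).
EXCEPTION_PATHS = {
    "Autodiscover exceptions": ["/autodiscover/*", "/Autodiscover/*"],
    "Webservices exceptions": [
        "/ecp/*", "/ECP/*", "/ews/*", "/EWS/*", "/Microsoft-Server-ActiveSync*",
        "/oab/*", "/OAB/*", "/owa/*", "/OWA/*",
    ],
    "OWA exceptions": ["/owa/ev.owa*", "/OWA/ev.owa*"],
    "Outlook Anywhere exceptions": ["/rpc/*", "/RPC/*", "/mapi/*", "/MAPI/*"],
}

# Skip Filter Rules of the Webservices profile, and the IDs the article's
# warning names as required infrastructure rules.
WEBSERVICES_SKIP_RULES = [960010, 960015, 960018, 960032, 981176, 981203, 981204]
REQUIRED_INFRASTRUCTURE_RULES = {981176, 981203, 981204}


def matching_exceptions(path):
    """Return the exception lists whose wildcard paths match a request path.

    Assumption (not stated by the article): '*' is a shell-style wildcard that
    may span '/', and the comparison is case-sensitive, which is why every path
    is listed in both spellings. fnmatchcase stays case-sensitive on every OS.
    """
    return [name for name, globs in EXCEPTION_PATHS.items()
            if any(fnmatchcase(path, glob) for glob in globs)]


def infrastructure_rules_skipped(skip_rules):
    """Skip-filter IDs that would disable a required infrastructure rule."""
    return sorted(set(skip_rules) & REQUIRED_INFRASTRUCTURE_RULES)


if __name__ == "__main__":
    # Constructed sample request paths, typical of Exchange client traffic.
    for sample in ["/owa/auth/logon.aspx", "/owa/ev.owa", "/Owa/auth/logon.aspx",
                   "/Microsoft-Server-ActiveSync", "/rpc/rpcproxy.dll"]:
        print(f"{sample:30} -> {matching_exceptions(sample) or 'no exception list'}")
    print("infrastructure rules skipped:",
          infrastructure_rules_skipped(WEBSERVICES_SKIP_RULES))
```

A path in a spelling that is not listed (such as `/Owa/...`) matches no exception list at all, so check the casing your clients actually send before trusting the exceptions.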

Related information
Sophos UTM: Configure and troubleshoot Web Application Firewall
