Sophos UTM: Create WAF to allow traffic through Exchange 2016

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.


This article contains steps to create a web application firewall to allow traffic through Exchange 2016.

Officially, web application firewall (WAF) does not support Microsoft Exchange versions later than 2013. An update of Apache to a new version in our Sophos UTM 9.7 MR9 release renders it incompatible with the non-standard protocol that Microsoft uses in many of its latest products. Should you need to continue using WAF with Microsoft Exchange, see Sophos UTM: WAF not working - [proxy_http:error] read less bytes of request body than expected.

Product and Environment

Sophos UTM 9


  • Microsoft Exchange 2016 must be properly configured and working.
  • Configure DNS to direct traffic to the external IP address of Sophos UTM for and if you are using default settings.
  • A wildcard or SAN certificate with hostnames and must be uploaded to Sophos UTM so WAF can handle SSL connections to Exchange.

Creating web application firewall for Exchange 2016

Creating a real webserver

  1. Click +New Real Webserver in Webserver Protection > Real Webservers.
  2. Enter the following details as shown below:

  3. Click Save.

Creating firewall profiles

  1. Click +New Firewall Profile in Webserver Protection > Firewall Profiles.
  2. Create the following profiles and details as shown in the examples below:
    Exchange 2016 Autodiscover profile

    Entry URLs
    • /autodiscover
    • /Autodiscover

    Skip Filter Rules
    • 960911
    • 960015

    Exchange 2016 Webservices profile

    Entry URLs
    • /
    • /ecp
    • /ECP
    • /rpc
    • /RPC
    • /mapi
    • /MAPI
    • /Microsoft-Server-ActiveSync
    • /ews
    • /EWS
    • /oab
    • /OAB
    • /owa
    • /OWA

    Skip Filter Rules
    • 960010
    • 960015
    • 960018
    • 960032
    • 981176
    • 981203
    • 981204

Note: When saving these profiles, consider the warning for turning off some of the Skip Filter Rules.

The list of skipped filter rules contains the following required infrastructure rules: 981176, 981203, 981204. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall.

Creating virtual webservers

  1. Click +New Virtual Webserver in Webserver Protection > Web Application Firewall > Virtual Webservers.
  2. Create the following virtual webservers and enter the details as shown in the examples below:
    Exchange 2016 Autodiscover virtual webserver

    Exchange 2016 Webservices virtual webserver


Creating exceptions

Certain exceptions need to be created for Exchange 2016 to function behind WAF.

  1. Click +New Exception List in Webserver Protection > Firewall Profiles > Exceptions.
  2. Create the following exceptions and details as shown in the examples below:
    Autodiscover exceptions

    • /autodiscover/*
    • /Autodiscover/*

    Webservices exceptions

    • /ecp/*
    • /ECP/*
    • /ews/*
    • /EWS/*
    • /Microsoft-Server-ActiveSync*
    • /oab/*
    • /OAB/*
    • /owa/*
    • /OWA/*

    OWA exceptions

    • /owa/ev.owa*
    • /OWA/ev.owa*

    Outlook Anywhere exceptions

    • /rpc/*
    • /RPC/*
    • /mapi/*
    • /MAPI/*
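As an added illustration that is not part of the Sophos article, the Python below models the two profiles and their exception lists exactly as given above, so a request path can be checked against them and each skip list can be checked for the required infrastructure rules named in the save-time warning. The matching semantics it uses (entry URLs as case-sensitive path prefixes, exception entries as globs whose trailing * matches the rest of the path) are assumptions made for the illustration, not documented UTM behaviour.

```python
import fnmatch
from dataclasses import dataclass, field

# Rule IDs that the UTM save-time warning quoted above names as required infrastructure rules.
REQUIRED_INFRASTRUCTURE_RULES = {981176, 981203, 981204}

@dataclass
class Profile:
    name: str
    entry_urls: list
    skip_rules: set
    exceptions: list = field(default_factory=list)

# The two firewall profiles, with their exception lists, as listed in the article.
AUTODISCOVER = Profile(
    "Exchange 2016 Autodiscover profile",
    ["/autodiscover", "/Autodiscover"],
    {960911, 960015},
    ["/autodiscover/*", "/Autodiscover/*"],
)
WEBSERVICES = Profile(
    "Exchange 2016 Webservices profile",
    ["/", "/ecp", "/ECP", "/rpc", "/RPC", "/mapi", "/MAPI", "/Microsoft-Server-ActiveSync",
     "/ews", "/EWS", "/oab", "/OAB", "/owa", "/OWA"],
    {960010, 960015, 960018, 960032, 981176, 981203, 981204},
    ["/ecp/*", "/ECP/*", "/ews/*", "/EWS/*", "/Microsoft-Server-ActiveSync*", "/oab/*", "/OAB/*",
     "/owa/*", "/OWA/*", "/owa/ev.owa*", "/OWA/ev.owa*", "/rpc/*", "/RPC/*", "/mapi/*", "/MAPI/*"],
)

def skipped_infrastructure_rules(profile):
    """Skip-list entries that the warning classes as required infrastructure rules: the ones
    whose absence can leave attacks unblocked, so each deserves a documented justification."""
    return sorted(profile.skip_rules & REQUIRED_INFRASTRUCTURE_RULES)

def entry_url_for(profile, path):
    """Longest entry URL covering `path` as a case-sensitive path prefix (assumed semantics;
    '/' therefore catches everything), or None if the profile would not admit the request."""
    hits = [u for u in profile.entry_urls if path == u or path.startswith(u.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def matching_exception(profile, path):
    """First exception entry covering `path`, treating the entry as a case-sensitive glob in
    which a trailing '*' matches the rest of the path (assumed semantics), or None."""
    for pattern in profile.exceptions:
        if fnmatch.fnmatchcase(path, pattern):
            return pattern
    return None
```

Because the checks are case-sensitive, a request for /Owa/... matches neither /owa/* nor /OWA/*, which is why the article lists both spellings of every path.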

Related information
Sophos UTM: Configure and troubleshoot Web Application Firewall