This is not really a question, but more for the knowledge base. I write with specific regard to issues we experienced with Microsoft Exchange, but the information should be useful to anyone running a web application on a Microsoft Windows Server behind the UTM's Web Application Firewall.
After setting up Microsoft Exchange behind the Sophos UTM, we received persistent complaints from users (and our own IT team) about frequent credential prompts from Microsoft Outlook.
A fair amount of troubleshooting and exhaustive log review revealed that the WAF was logging thousands of HTTP 502 events and/or session timeout events each day for our mail server's client access paths.
After some research, I found that the default timeout used by the UTM (300 seconds / 5 minutes) is generally on par with Linux systems, but Windows servers use a default timeout of 2 hours, which means that the UTM will expire and drop connections long before the server will send keepalive messages.
At first I tried adjusting the keepalive timer on the UTM to match that of Windows (2 hours / 7200 seconds). However, we're still experiencing occasional issues, so I decided to revisit the issue. Additional research into changing the keepalive settings on the Windows Server eventually landed me on an article that HP published quite a while ago. According to the article, the keepalive timer on the server should be set to half the value of the firewall. This ensures that the server sends keepalive messages before the firewall/load balancer expires the connection and closes it.
So, I'm going to try setting my "real" server on the UTM to use a keepalive timer of 30 minutes (1800 seconds) and on our mailbox server, I'm going to change the KeepAliveTime value in the registry (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\KeepAliveTime) to 900000ms (15 minutes).
I can't confirm this 100% yet, because I won't be able to restart our server until after-hours, but considering how much time it took me to track this issue down, I wanted to get this out there for others who may be unknowingly facing the same problem.
You can read the HP document here: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-kc0110047en_us
Further reading directly from Microsoft: https://docs.microsoft.com/en-us/archive/blogs/exchangechallengeaccepted/what-is-keepalivetime-used-for-in-regards-to-exchange
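The server-side half of the procedure above, as an added PowerShell example (not part of the original post and not Sophos or Microsoft code): it reads the current TCP keepalive idle time, compares it with the idle timeout configured on the upstream firewall, and applies the "half of the upstream timeout" rule from the HP note. The KeepAliveTime DWORD is read by tcpip.sys from the Tcpip\Parameters subkey; the 1800-second upstream value is an assumption matching the UTM real-server setting the post describes, and the script must run from an elevated prompt.

```powershell
# Added example, not from the original post. Assumes the UTM real server
# idle timeout has been set to 1800 s (30 min); adjust to your own value.
$UpstreamIdleTimeoutSeconds = 1800

# KeepAliveTime lives under the Tcpip\Parameters key, in milliseconds.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Half the upstream timeout, converted to milliseconds (1800 s -> 900000 ms).
$DesiredKeepAliveTimeMs = [int]($UpstreamIdleTimeoutSeconds / 2) * 1000

function Get-KeepAliveTimeMs {
    # When the value is absent, Windows uses its built-in default of 2 hours.
    $item = Get-ItemProperty -Path $TcpipParams -Name KeepAliveTime -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 7200000 }
    return [int]$item.KeepAliveTime
}

$current = Get-KeepAliveTimeMs
Write-Host ("Current KeepAliveTime: {0} ms ({1:N1} min)" -f $current, ($current / 60000))

# The check a practitioner wants: the server must probe before the firewall gives up.
if ($current -ge ($UpstreamIdleTimeoutSeconds * 1000)) {
    Write-Warning ("KeepAliveTime ({0} ms) is not shorter than the upstream idle timeout " +
                   "({1} s); the firewall will drop idle connections before the server probes them." -f
                   $current, $UpstreamIdleTimeoutSeconds)
}

if ($current -ne $DesiredKeepAliveTimeMs) {
    # Requires elevation. tcpip.sys reads this at start, so a reboot is needed for it to take effect.
    Set-ItemProperty -Path $TcpipParams -Name KeepAliveTime -Value $DesiredKeepAliveTimeMs -Type DWord
    Write-Host ("KeepAliveTime set to {0} ms ({1} min); reboot required." -f
                $DesiredKeepAliveTimeMs, ($DesiredKeepAliveTimeMs / 60000))
} else {
    Write-Host "KeepAliveTime already matches the desired value; nothing changed."
}
```

KeepAliveInterval (the retry spacing once a probe goes unanswered, 1000 ms by default) is deliberately left alone here; only the idle time before the first probe needs to fall below the firewall's timeout for the connection to stay open.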
I just stumbled across this blog post from Microsoft's Exchange Team that provides a bunch of super useful information on troubleshooting Exchange client connectivity, particularly when upstream load balancers / firewalls are in play: https://techcommunity.microsoft.com/t5/exchange-team-blog/checklist-for-troubleshooting-performance-related-issues-in/ba-p/604792
Thanks for this post. We appreciate your efforts to improve the content on Sophos community.