UTM 9 WAF Outlook Anywhere login failed

Hi there,

I’ve configured WAF for an Exchange Server 2019 according to this guide:

https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016-ohne-rpcoverhttp/

OWA and ActiveSync works fine but I have trouble getting Outlook Anywhere working.

Outlook shows a login prompt for username and password and reject the login.

Everything works when WAF is disabled and a HTTPS DNAT rule is setup. No errors are shown in Microsoft Remote Connectivity Analyzer.

If DNAT is disabled and WAF is setup, the login with Outlook Anywhere does not work. Even changing the firewall profile from reject to monitor doesn’t do anything.

Microsoft Remote Connectivity Analyzer shows an error accessing MAPI Endpoint HttpStatusCode: 401.

WAF log says:

2024:05:29-13:54:46 login httpd: id="0299" srcip="xxx.xxx.xxx.xxx" localip="192.168.xxx.xxx" size="0" user="-" host="xxx.xxx.xxx.xxx." method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="8639" url="/mapi/emsmdb/" server="exchange.domain.de" port="443" query="?MailboxId=ae0ba1c8-xxxx-xxxx-xxxx-24ad5118c4fd@domain.de" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZlcXhiMERRXTxxxxxqNgAAACk"

Can anyone help?

0 Vivek Jagad 24 days ago

Hi Olli-204 ,

Thank you for reaching out to the community, is site path routing enabled ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Olli-204 24 days ago in reply to Vivek Jagad

Hi, thanks for answering.

Yes, it is enabled by default without reverse authentication.

Path is: /
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vivek Jagad 24 days ago in reply to Olli-204

can you check by disabling the site path routing and check the reverse proxy logs again...?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Olli-204 22 days ago in reply to Vivek Jagad

I disabled site path routing and got the error:

Webserver Protection → Web Application Firewall → Virtual Webservers:

Virtual Webserver will be disabled because it neither has any operational site path routes nor any operational redirections left.

And also a lot of 404 errors in the log:

method="GET" statuscode="404" reason="-" extra="-" exceptions="SkipURLHardening" time="1282" url="/owa/auth/Current/themes/iismeta8813.aspx" server="exchange.xxx.de" port="443"
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Vivek Jagad 22 days ago in reply to Olli-204

So that option did not help, please enable it and considering the previous status code 401, it indicates Unauthorized: Access is denied due to invalid credentials, please check what options are selected for the web server authentication ?

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel