We tried to get WAF working to publish our Exchange 2013 services like our good old ISA with Exchange 2003 did.
We had referred to the guide "Sophos UTM Web Application Firewall for Microsoft Exchange connectivity" for version 9.2.
So we finally got OWA/ECP working, but we have trouble getting Outlook Anywhere working.
We think that there must be a problem with the reverse authentication, because when we set the reverse authentication profile under site path routing for /rpc/ to "no Profile", Outlook Anywhere works just fine.
From the virtual web server live log we got the following:
2014:09:10-16:49:03 test-fw reverseproxy: [Wed Sep 10 16:49:03.382212 2014] [auth_basic:error] [pid 14844:tid 2897529712] [client 192.168.200.104:55135] AH01617: user DOMAIN\USER: authentication failure for "/rpc/rpcproxy.dll": Password Mismatch
2014:09:10-16:49:03 test-fw reverseproxy: [Wed Sep 10 16:49:03.416168 2014] [auth_basic:error] [pid 14844:tid 2998242160] [client 192.168.200.104:55136] AH01617: user DOMAIN\USER: authentication failure for "/rpc/rpcproxy.dll": Password Mismatch
2014:09:10-16:49:03 test-fw reverseproxy: id="0299" srcip="192.168.200.104" localip="192.168.200.254" size="381" user="DOMAIN\USER" host="192.168.200.104" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="114750" url="/rpc/rpcproxy.dll" server="mail.DOMAIN.local" referer="-" cookie="OutlookSession=\"{D5A26529-8208-4BEE-A9E9-9D0F0E15C4CE} Outlook=12.0.6672.5000 OS=6.1.7601\"" set-cookie="-"
2014:09:10-16:49:03 test-fw reverseproxy: id="0299" srcip="192.168.200.104" localip="192.168.200.254" size="381" user="DOMAIN\USER" host="192.168.200.104" method="RPC_IN_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="145572" url="/rpc/rpcproxy.dll" server="mail.DOMAIN.local" referer="-" cookie="OutlookSession=\"{D5A26529-8208-4BEE-A9E9-9D0F0E15C4CE} Outlook=12.0.6672.5000 OS=6.1.7601\"" set-cookie="-"
We had a call with our reseller support, they told us that the problem should be the username. The username should only be "USER" and not "DOMAIN\USER" or "USER@DOMAIN.TLD".
If this is the real problem, we don't know how to solve it. When no domain is given in the Outlook authentication window, the username in the live log will be MAILSERVERNAME.DOMAIN.TLD\USER.
The reverse authentication (AD) itself works, we can successfully query usernames and group memberships.
Our reseller support turned on the option to create users automatically (Definitions & Users -> Authentication Services -> Global Settings).
With this option turned on we can now, for testing purposes, log in to the user portal with an Active Directory user.
Information about our test environment:
- Exchange Server 2013 SP1
- Windows Server 2012 R2
- Sophos UTM 9.206-35
- Outlook 2007 SP3 (build 12.0.6691.5000 / 12.0.6683.5000)
Hope anybody can help us.
Regards,
Tobias
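As an added example (not from this thread or from Sophos), a small Python parser for the two kinds of reverseproxy live-log lines quoted above: it reads the key="value" access records (id="0299") and the Apache AH01617 auth_basic failures, classifies which user-name form the client presented (DOMAIN\USER, USER@DOMAIN.TLD or bare USER), and tallies 401s and authentication failures per URL and form, so a mismatch between what Outlook sends and what the reverse authentication profile expects shows up directly. The sample log lines are constructed after the ones in the post.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the UTM reverseproxy live log quoted in the post.
SAMPLE_LOG = r'''2014:09:10-16:49:03 test-fw reverseproxy: [Wed Sep 10 16:49:03.382212 2014] [auth_basic:error] [pid 14844:tid 2897529712] [client 192.168.200.104:55135] AH01617: user DOMAIN\USER: authentication failure for "/rpc/rpcproxy.dll": Password Mismatch
2014:09:10-16:49:03 test-fw reverseproxy: id="0299" srcip="192.168.200.104" localip="192.168.200.254" size="381" user="DOMAIN\USER" host="192.168.200.104" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="114750" url="/rpc/rpcproxy.dll" server="mail.DOMAIN.local" referer="-" cookie="OutlookSession=\"{D5A26529-8208-4BEE-A9E9-9D0F0E15C4CE} Outlook=12.0.6672.5000 OS=6.1.7601\"" set-cookie="-"
2014:09:10-16:49:05 test-fw reverseproxy: id="0299" srcip="192.168.200.104" localip="192.168.200.254" size="0" user="-" host="192.168.200.104" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="9871" url="/owa/auth.owa" server="mail.DOMAIN.local" referer="-" cookie="-" set-cookie="-"
'''

# key="value" pairs; values may contain \" (see the cookie field above).
KV_RE = re.compile(r'(\w[\w-]*)="((?:[^"\\]|\\.)*)"')
# Apache mod_auth_basic failure line as emitted by the WAF's reverse proxy.
AUTH_RE = re.compile(r'AH01617: user (?P<user>.+?): authentication failure for "(?P<url>[^"]+)": (?P<reason>.+)$')

def user_format(user):
    """Classify the user-name form the client sent (the thread's suspected culprit)."""
    if user in ('', '-'):
        return 'anonymous'
    if '\\' in user:
        return 'down-level'   # DOMAIN\USER (also MAILSERVERNAME.DOMAIN.TLD\USER)
    if '@' in user:
        return 'upn'          # USER@DOMAIN.TLD
    return 'bare'             # USER

def parse_line(line):
    """Return a dict for an AH01617 failure or an id="0299" access record, else None."""
    m = AUTH_RE.search(line)
    if m:
        rec = m.groupdict()
        rec['kind'] = 'auth_error'
        rec['format'] = user_format(rec['user'])
        return rec
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}
    if fields.get('id') == '0299':
        fields['kind'] = 'access'
        fields['format'] = user_format(fields.get('user', '-'))
        return fields
    return None

def summarize(log_text):
    """Tally auth failures and 401 responses per URL and user-name form."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['kind'] == 'auth_error':
            counts[('auth_error', rec['url'], rec['format'], rec['reason'])] += 1
        elif rec.get('statuscode') == '401':
            counts[('401', rec['url'], rec['format'], rec['method'])] += 1
    return counts

if __name__ == '__main__':
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```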