According to Sophos and as several reports in this forum document, Mac clients are currently with UTM 9.2 not supported by WAF for accessing Exchange Servers from Mail.app, iCal.app or Outlook for OSX.
A did some analyzing about the root cause as no information was available so far which might help to find possible workarounds.
The known workaround is to use DNAT instead of WAF on the external address and port of your Exchange EWS URL. Though that would be comparable to directly attaching the Exchange Server to the Internet which disables any primary IP based and IPS protection and therefor isn't recommended.
Now to the cause:
In its default configuration, Exchange offers the following two authentication methods for its web based access: Negotiate and Basic. Negotiate usually is NTLM, sometimes added with SPNEGO Kerberos. Basic is the standard http basic auth, i.e. sending username and password base64 encoded.
Let's assume an Internet Mac client is accessing https://webmail.domain.com/EWS/Exchange.asmx to read Mail or Calendar data. The Exchange https server is requesting his authentication methods with http response headers "WWW-Authenticate: Negotiate" and "WWW-Authenticate: Basic". UTM WAF is forwarding those headers to the client and the client on the Mac then has to choose one of those methods. Mail.app and iCal.app decides for the most secure one, i.e. Negotiate NTLM.
For some unknown reason yet, for Mac clients the authentication via NTLM mostly fails immediately or succeeds after a long period of waiting time of about 1min or more. The most strange observation was, that is sometimes succeeds. If it always fails, it would be understandable as be design NTLM v2 should only work via authenticated proxy chains which is usually impossible for non-Microsoft systems like UTM. The result is, NTLM is unusable for Mac clients and leads to a complete failure of Exchange access as Mac clients have no options to either fall back to Basic or set the priority to Basic first. In addition, sometime sessions of different users get mixed up by the UTM and users can access calendar and mail data of others!
So I did an experiment with disabling NTLM authentication on the client side. As this is not possible for Mail.app and iCal.app directly, I used a client side Java based debugging web proxy for https and configured it to remove all response headers of "WWW-Authenticate: Negotiate".
In addition, I changed the stored username for the Exchange account in the settings of Mail.app and iCal.app from "username" to "DOMAIN\username". This is required for Basic auth as long as you are not changing the following data on the Exchange: http://www.urtech.ca/2013/01/solved-exchange-2010-owa-prompting-for-login-credentials-when-selecting-options-more-options-for-ecp/
The result is: Mail.app and iCal.app can be used from the Internet over WAF without any problems and without getting sessions mixed up! As using such client side proxy is no solution for corporations I would appreciate if Sophos could add a header rewrite option for UTM WAF, or at least a specialized header rewrite just for this single header value.
There might be options to disable NTLM on the Exchange https module for the /EWS WebApp and maybe some Exchange expert can give an explanation how to disable it only on this very URL /EWS.
This thread was automatically locked due to age.
