
Exchange 2013 not working through WAF

I configured WAF for Exchange based on these instructions:  https://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202%20new.pdf

I use an AD CA so all of my certs are self-signed.  I also tried to generate new certs within Sophos UTM and neither is working.

When I go here: https://domain.com/owa, I receive this error:

Request blocked

The web application firewall has blocked access to /owa/auth/logon.aspx for the following reason:

No signature found

Not sure what is going on.  Any ideas?

UTM version is 9.210-20


This thread was automatically locked due to age.
  • CS, please update your last thread with the result you had then.

    In this case, please show the lines from the WAF log when this occurs.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Looking at the logs, it's redirecting to autodiscover URL even though I'm not attempting to go there.

    2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.466382 2014] [url_hardening:error] [pid 6181:tid 2813307760] [client 10.27.90.158:38613] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)
    2014:12:14-00:00:57 UTM reverseproxy: id="0299" srcip="10.27.90.158" localip="174.56.87.184" size="229" user="-" host="10.27.90.158" method="OPTIONS" statuscode="403" reason="-" extra="-" exceptions="-" time="4338" url="/Microsoft-Server-ActiveSync" server="autodiscover.domain.com" referer="-" cookie="-" set-cookie="-"
    2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.538509 2014] [url_hardening:error] [pid 6181:tid 2804915056] [client 10.27.90.158:58635] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)
    2014:12:14-00:00:57 UTM reverseproxy: id="0299" srcip="10.27.90.158" localip="174.56.87.184" size="229" user="-" host="10.27.90.158" method="OPTIONS" statuscode="403" reason="-" extra="-" exceptions="-" time="3050" url="/Microsoft-Server-ActiveSync" server="autodiscover.domain.com" referer="-" cookie="-" set-cookie="-"
    2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.609804 2014] [url_hardening:error] [pid 6181:tid 3023125360] [client 10.27.90.158:53593] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)

    I'm new to this (kind of).  Fixing to go back to port forwarding it.
  • Secure Exchange Webservices with Sophos UTM WAF | Network Guy 
    I wrote a working tutorial, it's working with Exchange 2013


    Thanks for doing a great job writing this :) - I have tested it out, just tried to fetch mail from my phone, but I get an error and the WAF log shows this:

    2015:07:15-20:55:31 mail-2 reverseproxy: id="0299" srcip="***.***.***.***" localip="YYY.YYY.YYY.YYY" size="224" user="-" host="***.***.***.***" method="POST" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="17581" url="/Microsoft-Server-ActiveSync" server="mail.domain.dk" referer="-" cookie="-" set-cookie="-"
    2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.101627 2015] [url_hardening:error] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] No signature found, URI: https://mail.domain.dk/Microsoft-Server-ActiveSync?User=user&DeviceId=2LHJU5HQL16VH1FBOBAA7I9U00&DeviceType=iPhone&Cmd=Ping
    2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102686 2015] [cookie:error] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] No signature found, cookie: X-BackEndCookie
    2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102703 2015] [cookie:warn] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] Dropping cookie 'X-BackEndCookie' from request due to missing/invalid signature
    2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102712 2015] [cookie:error] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] No signature found, cookie: ClientId
    2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102715 2015] [cookie:warn] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] Dropping cookie 'ClientId' from request due to missing/invalid signature
    2015:07:15-20:55:33 mail-2 reverseproxy: id="0299" srcip="***.***.***.***" localip="YYY.YYY.YYY.YYY" size="224" user="-" host="***.***.***.***" method="POST" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="16525" url="/Microsoft-Server-ActiveSync" server="mail.domain.dk" referer="-" cookie="-" set-cookie="-"
    2015:07:15-20:56:12 mail-2 reverseproxy: [Wed Jul 15 20:56:12.017871 2015] [url_hardening:error] [pid 30052:tid 4063079280] [client ***.***.***.***:33675] No signature found, URI: https://mail.domain.dk/Microsoft-Server-ActiveSync?User=user&DeviceId=2LHJU5HQL16VH1FBOBAA7I9U00&DeviceType=iPhone&Cmd=Ping
    2015

    Any advice?

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • I think I found out, you have this under exceptions:

    Title: exception for OWA
    
    Skip: Static URL Hardening
    Virtual Webserver: “Exchange Autodiscover”
    for paths:
    /ecp/*
    /ECP/*
    /ews/*
    /EWS/*
    /Microsoft-Server-ActiveSync*
    /oab/*
    /OAB/*
    /owa/*
    /OWA/*
    Advanced: Never change HTML during Static URL Hardening or Form Hardening


    Should it not be:

    Virtual Webserver: “Exchange OWA”


    In the above settings?

    It works when I change that :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician
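An added example (not written by any poster in this thread, and not Sophos code): a Python summary of reverseproxy log lines in the format quoted above, grouping 403 responses by the logged `server` value, path and reason so it is visible which hostname and path an exception has to cover. The sample lines are adapted from the thread with constructed documentation addresses, and `summarize` is this example's own name.

```python
import re
from collections import Counter

# Constructed sample: adapted from the log lines quoted in this thread,
# with documentation-range addresses in place of the masked ones.
SAMPLE_LOG = """\
2015:07:15-20:55:31 mail-2 reverseproxy: id="0299" srcip="192.0.2.10" localip="198.51.100.5" size="224" user="-" host="192.0.2.10" method="POST" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="17581" url="/Microsoft-Server-ActiveSync" server="mail.domain.dk" referer="-" cookie="-" set-cookie="-"
2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102703 2015] [cookie:warn] [pid 30052:tid 4071471984] [client 192.0.2.10:34964] Dropping cookie 'X-BackEndCookie' from request due to missing/invalid signature
2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.466382 2014] [url_hardening:error] [pid 6181:tid 2813307760] [client 192.0.2.20:38613] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)
2014:12:14-00:00:57 UTM reverseproxy: id="0299" srcip="192.0.2.20" localip="198.51.100.5" size="229" user="-" host="192.0.2.20" method="OPTIONS" statuscode="403" reason="-" extra="-" exceptions="-" time="4338" url="/Microsoft-Server-ActiveSync" server="autodiscover.domain.com" referer="-" cookie="-" set-cookie="-"
"""

KV = re.compile(r'([\w-]+)="([^"]*)"')
HOST_MISMATCH = re.compile(
    r"Hostname in HTTP request \((.+?)\) does not match the server name \((.+?)\)")
DROPPED_COOKIE = re.compile(r"Dropping cookie '([^']+)'")


def summarize(log_text):
    """Return (blocked, mismatches, dropped_cookies) for reverseproxy lines."""
    blocked = Counter()      # (server, url, reason, extra) -> count of 403s
    mismatches = set()       # (requested host, server name) pairs
    dropped_cookies = set()  # cookie names dropped for a missing signature
    for line in log_text.splitlines():
        if "reverseproxy:" not in line:
            continue
        msg = line.split("reverseproxy:", 1)[1]
        m = HOST_MISMATCH.search(msg)
        if m:
            mismatches.add(m.groups())
            continue
        m = DROPPED_COOKIE.search(msg)
        if m:
            dropped_cookies.add(m.group(1))
            continue
        fields = dict(KV.findall(msg))  # access-log style key="value" pairs
        if fields.get("statuscode") == "403":
            key = tuple(fields.get(k, "-") for k in ("server", "url", "reason", "extra"))
            blocked[key] += 1
    return blocked, mismatches, dropped_cookies


if __name__ == "__main__":
    blocked, mismatches, cookies = summarize(SAMPLE_LOG)
    for (server, url, reason, extra), n in blocked.most_common():
        print(f"{n}x 403 server={server} url={url} reason={reason} extra={extra}")
    for requested, served in sorted(mismatches):
        print(f"host mismatch: request for {requested} handled as {served}")
    print("cookies dropped:", ", ".join(sorted(cookies)))
```
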

  • Even though you use OTP, it would make good sense to leave out the /ecp /ECP from the WAF. I still cannot see why people want their Exchange Control Panel exposed to the web where people can delete and modify AD user accounts :) - That design by Microsoft still seems odd to me :)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • A normal user needs /ecp to edit the options... just look at the URL
  • A normal user needs /ecp to edit the options... just look at the URL


    You're right! - Did not think about that, we do not use this very often...hmmm..need to find different workaround...

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician