
Exchange 2013 not working through WAF

I configured WAF for Exchange based on these instructions:  https://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202%20new.pdf

I use an AD CA so all of my certs are self-signed.  I also tried to generate new certs within Sophos UTM and neither is working.

When I go here: https://domain.com/owa, I receive this error:

Request blocked

The web application firewall has blocked access to /owa/auth/logon.aspx for the following reason:

No signature found

Not sure what is going on.  Any ideas?

UTM version is 9.210-20


  • CS, please update your last thread with the result you had then.

    In this case, please show the lines from the WAF log when this occurs.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    • Looking at the logs, it's redirecting to the autodiscover URL even though I'm not attempting to go there.

      2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.466382 2014] [url_hardening:error] [pid 6181:tid 2813307760] [client 10.27.90.158:38613] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)
      2014:12:14-00:00:57 UTM reverseproxy: id="0299" srcip="10.27.90.158" localip="174.56.87.184" size="229" user="-" host="10.27.90.158" method="OPTIONS" statuscode="403" reason="-" extra="-" exceptions="-" time="4338" url="/Microsoft-Server-ActiveSync" server="autodiscover.domain.com" referer="-" cookie="-" set-cookie="-"
      2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.538509 2014] [url_hardening:error] [pid 6181:tid 2804915056] [client 10.27.90.158:58635] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)
      2014:12:14-00:00:57 UTM reverseproxy: id="0299" srcip="10.27.90.158" localip="174.56.87.184" size="229" user="-" host="10.27.90.158" method="OPTIONS" statuscode="403" reason="-" extra="-" exceptions="-" time="3050" url="/Microsoft-Server-ActiveSync" server="autodiscover.domain.com" referer="-" cookie="-" set-cookie="-"
      2014:12:14-00:00:57 UTM reverseproxy: [Sun Dec 14 00:00:57.609804 2014] [url_hardening:error] [pid 6181:tid 3023125360] [client 10.27.90.158:53593] Hostname in HTTP request (domain.com) does not match the server name (autodiscover.domain.com)

      I'm new to this (kind of).  Fixing to go back to port forwarding it.
        • Secure Exchange Webservices with Sophos UTM WAF | Network Guy
          I wrote a working tutorial; it works with Exchange 2013.


          Thanks for doing a great job writing this [:)] - I have tested it out and just tried to fetch mail from my phone, but I get an error and the WAF log shows this:

          2015:07:15-20:55:31 mail-2 reverseproxy: id="0299" srcip="***.***.***.***" localip="YYY.YYY.YYY.YYY" size="224" user="-" host="***.***.***.***" method="POST" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="17581" url="/Microsoft-Server-ActiveSync" server="mail.domain.dk" referer="-" cookie="-" set-cookie="-"
          2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.101627 2015] [url_hardening:error] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] No signature found, URI: https://mail.domain.dk/Microsoft-Server-ActiveSync?User=user&DeviceId=2LHJU5HQL16VH1FBOBAA7I9U00&DeviceType=iPhone&Cmd=Ping
          2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102686 2015] [cookie:error] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] No signature found, cookie: X-BackEndCookie
          2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102703 2015] [cookie:warn] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] Dropping cookie 'X-BackEndCookie' from request due to missing/invalid signature
          2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102712 2015] [cookie:error] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] No signature found, cookie: ClientId
          2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.102715 2015] [cookie:warn] [pid 30052:tid 4071471984] [client ***.***.***.***:34964] Dropping cookie 'ClientId' from request due to missing/invalid signature
          2015:07:15-20:55:33 mail-2 reverseproxy: id="0299" srcip="***.***.***.***" localip="YYY.YYY.YYY.YYY" size="224" user="-" host="***.***.***.***" method="POST" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="16525" url="/Microsoft-Server-ActiveSync" server="mail.domain.dk" referer="-" cookie="-" set-cookie="-"
          2015:07:15-20:56:12 mail-2 reverseproxy: [Wed Jul 15 20:56:12.017871 2015] [url_hardening:error] [pid 30052:tid 4063079280] [client ***.***.***.***:33675] No signature found, URI: https://mail.domain.dk/Microsoft-Server-ActiveSync?User=user&DeviceId=2LHJU5HQL16VH1FBOBAA7I9U00&DeviceType=iPhone&Cmd=Ping
          2015

          Any advice?

          -----

          Best regards
          Martin

          Sophos XGS 2100 @ Home | Sophos v20 Technician

        • I think I found out; you have this under exceptions:

          Title: exception for OWA
          
          Skip: Static URL Hardening
          Virtual Webserver: "Exchange Autodiscover"
          for paths:
          /ecp/*
          /ECP/*
          /ews/*
          /EWS/*
          /Microsoft-Server-ActiveSync*
          /oab/*
          /OAB/*
          /owa/*
          /OWA/*
          Advanced: Never change HTML during Static URL Hardening or Form Hardening


          Should it not be:

          Virtual Webserver: "Exchange OWA"


          In the above settings?

          It works when I change that :-)

          -----

          Best regards
          Martin

          Sophos XGS 2100 @ Home | Sophos v20 Technician
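          An added example (not from this thread, Sophos, or the Network Guy tutorial): it parses the id="0299" access lines quoted in Martin's log above and checks each "url hardening" 403 against the exception he posted, showing that the exception only takes effect once it is bound to the virtual webserver that actually served the request. The virtual-webserver-to-hostname mapping and the sample source IP are assumptions made for the example.

```python
import re
from fnmatch import fnmatchcase

# Field pattern for the UTM reverseproxy access record (the id="0299" lines in the thread).
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Constructed sample: lines modelled on those quoted in the thread, trimmed, with a
# documentation-range source IP (203.0.113.5) in place of the masked one.
SAMPLE_LOG = [
    '2015:07:15-20:55:31 mail-2 reverseproxy: id="0299" srcip="203.0.113.5" method="POST" statuscode="403" reason="url hardening" extra="No signature found" url="/Microsoft-Server-ActiveSync" server="mail.domain.dk"',
    '2015:07:15-20:55:33 mail-2 reverseproxy: [Wed Jul 15 20:55:33.101627 2015] [url_hardening:error] [pid 30052:tid 4071471984] No signature found, URI: https://mail.domain.dk/Microsoft-Server-ActiveSync?Cmd=Ping',
    '2015:07:15-20:57:00 mail-2 reverseproxy: id="0299" srcip="203.0.113.5" method="GET" statuscode="200" reason="-" extra="-" url="/owa/" server="mail.domain.dk"',
]

# Assumed mapping of virtual webserver name -> public hostname (not stated in the thread).
VIRTUAL_WEBSERVERS = {
    "Exchange Autodiscover": "autodiscover.domain.dk",
    "Exchange OWA": "mail.domain.dk",
}

# The "Skip: Static URL Hardening" exception as Martin first posted it (bound to Autodiscover).
EXCEPTION_AS_POSTED = {
    "skip": "Static URL Hardening",
    "virtual_webserver": "Exchange Autodiscover",
    "paths": ["/ecp/*", "/ECP/*", "/ews/*", "/EWS/*", "/Microsoft-Server-ActiveSync*",
              "/oab/*", "/OAB/*", "/owa/*", "/OWA/*"],
}

def parse_access_record(line):
    """Return the key="value" fields of an id="0299" access line, else None."""
    if 'reverseproxy: id="0299"' not in line:
        return None  # the [url_hardening:error] detail lines are not access records
    return dict(KV_RE.findall(line))

def exception_covers(exc, server, url):
    """Does this exception skip URL hardening for a request to server + url?"""
    if VIRTUAL_WEBSERVERS.get(exc["virtual_webserver"]) != server:
        return False  # exception is bound to a different virtual webserver
    return any(fnmatchcase(url, pat) for pat in exc["paths"])

def explain_hardening_blocks(log_lines, exc):
    """List (server, url, covered_by_exception) for every 403 'url hardening' block."""
    findings = []
    for line in log_lines:
        rec = parse_access_record(line)
        if rec and rec.get("statuscode") == "403" and rec.get("reason") == "url hardening":
            findings.append((rec["server"], rec["url"],
                             exception_covers(exc, rec["server"], rec["url"])))
    return findings

if __name__ == "__main__":
    fixed = dict(EXCEPTION_AS_POSTED, virtual_webserver="Exchange OWA")
    print(explain_hardening_blocks(SAMPLE_LOG, EXCEPTION_AS_POSTED))  # covered: False
    print(explain_hardening_blocks(SAMPLE_LOG, fixed))                # covered: True
```

A "covered: False" result for a blocked request is the signal to check which virtual webserver the exception is bound to before loosening the paths.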

          • Even though you use OTP, it would make good sense to leave /ecp and /ECP out of the WAF. I still cannot see why people want their Exchange Control Panel exposed to the web, where people can delete and modify AD user accounts [[:)]] - That design by Microsoft still seems odd to me [[:)]]

            -----

            Best regards
            Martin

            Sophos XGS 2100 @ Home | Sophos v20 Technician

            • A normal user needs /ecp to edit the options... just look at the URL
              • A normal user needs /ecp to edit the options... just look at the URL


                You're right! - I did not think about that; we do not use this very often... hmmm... need to find a different workaround...

                -----

                Best regards
                Martin

                Sophos XGS 2100 @ Home | Sophos v20 Technician