https://community.sophos.com/utm-firewall/f/web-server-security/50352/waf-on-v9-3-for-exchange-2013-on-single-server-ip-fqdn-certificateHello all, Is it at all possible to set up WAF on v9.3 for Exchange 2013 OWA, Outlook Anywhere and ActiveSync on the same URL, on one server, a single IP address, and with the same certificate (with only one server name in it)? I have tried to followen-USTelligent Community 12https://community.sophos.com/thread/185301?ContentTypeID=1Sun, 29 Mar 2015 01:47:27 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:e19578ad-e6ca-46e4-a40e-2f855427573eMrOlrichOk,&nbsp;my&nbsp;set&nbsp;up&nbsp;and&nbsp;settings&nbsp;are&nbsp;as&nbsp;follows:<br /><br /><b>Preparations</b><br />Registered&nbsp;two&nbsp;certificates&nbsp;for&nbsp;free&nbsp;at&nbsp;startssl.com;&nbsp;mail.domain.com&nbsp;and&nbsp;autodiscover.domain.com.<br />Created&nbsp;public&nbsp;DNS&nbsp;A&nbsp;and&nbsp;MX&nbsp;records&nbsp;pointing&nbsp;to&nbsp;my&nbsp;single&nbsp;public&nbsp;IP.<br />Created&nbsp;the&nbsp;host&nbsp;&quot;labserver.internal.domain.com&quot;,&nbsp;with&nbsp;IP&nbsp;and&nbsp;DNS&nbsp;hostname&nbsp;specified.<br />No&nbsp;firewall&nbsp;rules&nbsp;or&nbsp;NAT&nbsp;set&nbsp;up.&nbsp;Traffic&nbsp;is&nbsp;forwarded&nbsp;when&nbsp;everything&nbsp;below&nbsp;is&nbsp;enabled.<br /><br /><b>Virtual&nbsp;webserver&nbsp;&quot;Exchange&nbsp;Autodiscover&quot;</b><br />Interface:&nbsp;External&nbsp;(Address)<br />Type:&nbsp;Encrypted&nbsp;(HTTPA)&nbsp;&amp;&nbsp;Redirect<br />Port:&nbsp;443<br />Certificate:&nbsp;autodiscover.domain.com<br />Domain:&nbsp;autodiscover.domain.com<br />Real&nbsp;webserver:&nbsp;Exchange<br />Firewall&nbsp;profile:&nbsp;Exchange&nbsp;Autodiscover<br />Rewrite&nbsp;HTML:&nbsp;checked<br />Rewrite&nbsp;cookies:&nbsp;checked<br />Pass&nbsp;Host&nbsp;Header:&nbsp;checked<br /><br /><b>Virtual&nbsp;webserver&nbsp;&quot;Exchange&nbsp;OWA+OA+AS&quot;</b><br />Interface:&nbsp;External&nbsp;(Address)<br />Type:&nbsp;Encrypted&nbsp;(HTTPA)&nbsp;&amp;&nbsp;Redirect<br />Port:&nbsp;443<br />Certificate:&nbsp;mail.domain.com<br />Domain:&nbsp;mail.domain.com<br />Real&nbsp;webserver:&nbsp;Exchange<br />Firewall&nbsp;profile:&nbsp;Exchange&nbsp;OWA+OA+AS<br />Rewrite&nbsp;HTML:&nbsp;checked<br />Rewrite&nbsp;cookies:&nbsp;checked<br />Pass&nbsp;Host&nbsp;Header:&nbsp;checked<br /><br /><b>Real&nbsp;webserver&nbsp;&quot;Exchange&quot;</b><br />Name:&nbsp;Exchange<br />Host:&nbsp;labserver.internal.domain.com<br />Type:&nbsp;Encrypted&nbsp;(HTTPS)<br />Port:&nbsp;443<br />HTTP&nbsp;keepalive:&nbsp;300<br /><br /><b>Firewall&nbsp;profile&nbsp;&quot;Exchange&nbsp;Autodiscover&quot;</b><br />Mode:&nbsp;Reject<br />Static&nbsp;URL&nbsp;Hardening:&nbsp;/autodiscover&nbsp;and&nbsp;/Autodiscover<br />Form&nbsp;Hardening:&nbsp;checked.<br />Block&nbsp;clients&nbsp;with&nbsp;bad&nbsp;reputation:&nbsp;checked.<br /><br /><b>Firewall&nbsp;profile&nbsp;&quot;Exchange&nbsp;OWA+OA+AS&quot;</b><br />Mode:&nbsp;Reject<br />Static&nbsp;URL&nbsp;Hardening:&nbsp;/owa,&nbsp;/OWA,&nbsp;/ecp,&nbsp;/ECP,&nbsp;/rpc,&nbsp;/RPC,&nbsp;/oab,&nbsp;/OAB,&nbsp;/microsoft-server-activesync,&nbsp;/Microsoft-Server-ActiveSync<br />Antivirus:&nbsp;Dual&nbsp;scan,&nbsp;uploads&nbsp;and&nbsp;downloads.<br />Block&nbsp;unscannable&nbsp;content:&nbsp;checked.<br />Block&nbsp;clients&nbsp;with&nbsp;bad&nbsp;reputation:&nbsp;checked.<br /><br /><b>Exception&nbsp;&quot;Exchange&nbsp;Autodiscover&quot;</b><br />Static&nbsp;URL&nbsp;Hardening:&nbsp;skipped&nbsp;(checked)<br />XSS&nbsp;Attacks:&nbsp;skipped&nbsp;(checked)<br />Virtual&nbsp;webserver:&nbsp;Exchange&nbsp;Autodiscover<br />Web&nbsp;requests&nbsp;matching&nbsp;this&nbsp;path:&nbsp;/autodiscover/*,&nbsp;/Autodiscover/*<br /><br /><b>Exception&nbsp;&quot;Exchange&nbsp;OWA+OA+AS&quot;</b><br />Static&nbsp;URL&nbsp;Hardening:&nbsp;skipped&nbsp;(checked)<br />Virtual&nbsp;webserver:&nbsp;Exchange&nbsp;OWA+OA+AS<br />Web&nbsp;requests&nbsp;matching&nbsp;this&nbsp;path:<br />/owa/*,&nbsp;/OWA/*,&nbsp;/ecp/*,&nbsp;/ECP/*,&nbsp;/rpc/*,&nbsp;/RCP/*,&nbsp;/oab/*,&nbsp;/OAB/*,&nbsp;/microsoft-server-activesync*,&nbsp;/Microsoft-Server-ActiveSync*<br /><br />Default&nbsp;site&nbsp;path&nbsp;routes&nbsp;are&nbsp;unmodified.<br />Secrets&nbsp;under&nbsp;the&nbsp;Advanced&nbsp;tab&nbsp;are&nbsp;unmodified.<br />Reverse&nbsp;authentication:&nbsp;Nothing&nbsp;configured.<br /><br />Setting&nbsp;up&nbsp;Outlook&nbsp;2013&nbsp;both&nbsp;on&nbsp;the&nbsp;LAN&nbsp;and&nbsp;outside&nbsp;through&nbsp;Autodiscover&nbsp;works&nbsp;flawlessly,&nbsp;as&nbsp;does&nbsp;a&nbsp;corporate&nbsp;account&nbsp;on&nbsp;a&nbsp;Cyanogenmod&nbsp;Android&nbsp;mobile.<br /><br />Please&nbsp;note&nbsp;that&nbsp;I&nbsp;have&nbsp;no&nbsp;idea&nbsp;if&nbsp;these&nbsp;settings&nbsp;are&nbsp;the&nbsp;optimal&nbsp;ones&nbsp;for&nbsp;either&nbsp;security&nbsp;or&nbsp;performance,&nbsp;all&nbsp;I&nbsp;know&nbsp;is&nbsp;that&nbsp;they&nbsp;seem&nbsp;to&nbsp;work&nbsp;fine.&nbsp;Perhaps&nbsp;someone&nbsp;can&nbsp;provide&nbsp;input&nbsp;and&nbsp;comments&nbsp;on&nbsp;that?<br /><br />Also&nbsp;note&nbsp;that&nbsp;several&nbsp;howtos&nbsp;here&nbsp;and&nbsp;there&nbsp;mention&nbsp;both&nbsp;&quot;Microsoft-Server-ActiveSync&quot;&nbsp;and&nbsp;&quot;Exchange-Server-ActiveSync&quot;,&nbsp;but&nbsp;apparently&nbsp;&quot;Microsoft-Server-ActiveSync&quot;&nbsp;ones&nbsp;are&nbsp;correct&nbsp;(both&nbsp;capitalisations).<br /><br />And&nbsp;to&nbsp;answer&nbsp;your&nbsp;question,&nbsp;Bob:&nbsp;I&nbsp;created&nbsp;two&nbsp;virtual&nbsp;servers,&nbsp;A&nbsp;records&nbsp;and&nbsp;certificates&nbsp;because&nbsp;every&nbsp;guide&nbsp;and&nbsp;howto&nbsp;afaik&nbsp;state&nbsp;that&nbsp;AutoDiscover&nbsp;needs&nbsp;a&nbsp;separate&nbsp;one.&nbsp;Sounds&nbsp;legit,&nbsp;so&nbsp;I&nbsp;simply&nbsp;haven&#39;t&nbsp;tested&nbsp;with&nbsp;just&nbsp;a&nbsp;single&nbsp;virtual&nbsp;server&nbsp;setup.&nbsp;But&nbsp;since&nbsp;the&nbsp;the&nbsp;firewall&nbsp;profiles&nbsp;and&nbsp;exceptions&nbsp;in&nbsp;my&nbsp;setup&nbsp;are&nbsp;not&nbsp;tuned&nbsp;for&nbsp;neither&nbsp;security&nbsp;or&nbsp;performance&nbsp;and&nbsp;therefore&nbsp;are&nbsp;pretty&nbsp;similar,&nbsp;I&nbsp;suppose&nbsp;it&#39;s&nbsp;possible&nbsp;to&nbsp;set&nbsp;up&nbsp;and&nbsp;get&nbsp;it&nbsp;to&nbsp;work&nbsp;with&nbsp;just&nbsp;a&nbsp;single&nbsp;server,&nbsp;though.<br /><br />Thanks.<br />MrOlrich<div style="clear:both;"></div>https://community.sophos.com/thread/185300?ContentTypeID=1Sat, 28 Mar 2015 16:47:12 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:92d671c6-61de-4de7-ba0c-f393d2f3a112BAlfsonYes,&nbsp;Please&nbsp;do&nbsp;post&nbsp;your&nbsp;settings.&nbsp;&nbsp;Did&nbsp;you&nbsp;create&nbsp;two&nbsp;Virtual&nbsp;Servers&nbsp;because&nbsp;you&nbsp;had&nbsp;a&nbsp;cert&nbsp;that&nbsp;you&nbsp;could&nbsp;use,&nbsp;or&nbsp;were&nbsp;you&nbsp;unable&nbsp;to&nbsp;get&nbsp;it&nbsp;to&nbsp;work&nbsp;with&nbsp;a&nbsp;single&nbsp;one?<br /><br />Cheers&nbsp;-&nbsp;Bob<div style="clear:both;"></div>https://community.sophos.com/thread/185299?ContentTypeID=1Sat, 28 Mar 2015 11:37:32 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:083dafe5-661a-4fc9-a0a2-4e5806717da5MrOlrichHi,&nbsp;and&nbsp;thanks,&nbsp;Bob. <br /> <br />Just&nbsp;to&nbsp;clarify:&nbsp;When&nbsp;I&nbsp;said&nbsp;I&nbsp;followed&nbsp;Sophos&#39;&nbsp;&quot;official&nbsp;9.2&nbsp;pdf&nbsp;guide&quot;,&nbsp;I&nbsp;meant&nbsp;the&nbsp;one&nbsp;at&nbsp;<a href="http://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202.pdf">http://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202.pdf</a>. <br /> <br />Anyway,&nbsp;I&nbsp;took&nbsp;your&nbsp;suggestion&nbsp;and&nbsp;got&nbsp;it&nbsp;to&nbsp;work&nbsp;with&nbsp;two&nbsp;virtual&nbsp;servers,&nbsp;one&nbsp;for&nbsp;Autodiscover&nbsp;and&nbsp;one&nbsp;for&nbsp;OWA+OA+AS.&nbsp;(I&nbsp;had&nbsp;a&nbsp;certificate&nbsp;and&nbsp;DNS&nbsp;record&nbsp;for&nbsp;autodiscover.domain.com&nbsp;pointing&nbsp;to&nbsp;the&nbsp;same&nbsp;server,&nbsp;so&nbsp;that&#39;s&nbsp;why&nbsp;I&nbsp;did&nbsp;a&nbsp;two-server&nbsp;solution.)&nbsp;I&nbsp;even&nbsp;got&nbsp;Autodiscover&nbsp;to&nbsp;work,&nbsp;externally&nbsp;tested&nbsp;both&nbsp;Outlook&nbsp;2013&nbsp;and&nbsp;an&nbsp;Android&nbsp;client,&nbsp;and&nbsp;both&nbsp;smacked&nbsp;right&nbsp;in&nbsp;place. <br /> <br />Thank&nbsp;you&nbsp;for&nbsp;your&nbsp;hint,&nbsp;really&nbsp;appreciated.&nbsp;Just&nbsp;wishing&nbsp;Sophos&nbsp;would&nbsp;keep&nbsp;their&nbsp;how-tos&nbsp;up&nbsp;to&nbsp;date&nbsp;with&nbsp;the&nbsp;UTM&nbsp;versions. <br /> <br />If&nbsp;anyone&nbsp;wants,&nbsp;I&nbsp;can&nbsp;post&nbsp;my&nbsp;settings&nbsp;here.&nbsp;Just&nbsp;let&nbsp;me&nbsp;know. <br /> <br />Happy&nbsp;weekend&nbsp;and&nbsp;things. <br />MrOlrich<div style="clear:both;"></div>https://community.sophos.com/thread/185298?ContentTypeID=1Fri, 27 Mar 2015 16:44:10 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:9af54c11-6d4b-445d-a648-82cb6ec3b667BAlfsonIf&nbsp;you&nbsp;have&nbsp;only&nbsp;a&nbsp;single&nbsp;server,&nbsp;you&nbsp;don&#39;t&nbsp;need&nbsp;to&nbsp;add&nbsp;a&nbsp;site-path&nbsp;route.&nbsp;&nbsp;It&nbsp;sounds&nbsp;like&nbsp;all&nbsp;you&nbsp;need&nbsp;is&nbsp;different&nbsp;Exceptions&nbsp;for&nbsp;OWA,&nbsp;Outlook&nbsp;Anywhere&nbsp;and&nbsp;ActiveSync&nbsp;after&nbsp;having&nbsp;configured&nbsp;a&nbsp;single&nbsp;Filter&nbsp;and&nbsp;Virtual&nbsp;Server.&nbsp;&nbsp;Instead&nbsp;of&nbsp;that&nbsp;extract,&nbsp;refer&nbsp;to&nbsp;the&nbsp;complete&nbsp;document&nbsp;on&nbsp;the&nbsp;KnowledgeBase:&nbsp;<a href="https://sophserv.sophos.com/repo_kb/120454/file/Configuring%20UTM%20firewall%20for%20Exchange.pdf">How&nbsp;to&nbsp;configure&nbsp;the&nbsp;UTM&nbsp;firewall&nbsp;for&nbsp;Microsoft&nbsp;Exchange&nbsp;connectivity</a>.&nbsp;&nbsp;Any&nbsp;luck&nbsp;with&nbsp;that?<br /><br />Cheers&nbsp;-&nbsp;Bob<div style="clear:both;"></div>