
Exchange 2013 / 2016 Office 365 hybrid not working

Hi

I've been battling this with UTM 9.4 for a good number of hours now, and I'm pretty much at the end of straws to clutch at.

We have a pretty standard Exchange environment: two multirole servers, currently running Exchange 2016. We have published URLs using a mix of the frankysweb and Sophos guidance. I have also identified that the hybrid triggers the following false positives against Autodiscover and EWS:

970901

960009

981200

981205

However, it still won't work.

It seems that we have to set both Autodiscover and EWS to passthrough (rather than just EWS), but we keep getting 401 errors from the hybrid wizard.

Office 365 hybrid uses OAuth, with the addresses autodiscover.domain.com/autodiscover/autodiscover.svc/WSSecurity and mail.domain.com/EWS/exchange.asmx/WSSecurity.

Both are set to passthrough (no authentication profile). I see no more errors in the firewall log, nothing related in the authentication log, and no errors in the web application firewall log, but the requests don't seem to hit IIS: there is no record in the IIS logs for these requests, while other internal requests for WSSecurity work and show in the IIS logs.

Is the only way to get 365 hybrid to work with UTM to use NAT? That would obviously mean that you can't use a back-end web farm or any availability for that service, and also have no protection from the Web Server Protection element.

Is there anything at all from Sophos on how to get 365 hybrid to work through UTM?



  • Happy days: another customer with UTM (now 9.5) and seemingly the same /EWS/MRSProxy.asmx issues.


    2017:06:27-15:57:40 utm1-1 httpd: id="0299" srcip="40.101.30.189" localip="DMZIP" size="381" user="-" host="40.101.30.189" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="32406" url="/EWS/mrsproxy.svc" server="owa.domain.co.uk" port="443" query="" referer="-" cookie="exchangecookie=486f9ba4140b4951929dbc34c7bf1e46" set-cookie="-" uid="WVJyZMColqAAAH6qkPsAAAAF"

     

    Trying to get hybrid to work properly, including mailbox migration, with a UTM publishing OWA/EWS/Autodiscover, configured according to the (now slightly out of date) instructions for 9.3+ as published by Sophos.

    Is there anyone else actually trying to do hybrid 365 migrations with Sophos in the picture?

    My suspicion is that this is due to WSSecurity, as in, the UTM has no idea what to do with it, so the /EWS/* URL really wants to be configured to bypass authentication and allow Exchange to authenticate it.

    Is that possible, for just the EWS URL?

    I'm sure there used to be an option for no authentication (front end none, back end none), but I might well have been dreaming.
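    As an added example (not from the thread or from Sophos), a PowerShell snippet that parses UTM WAF httpd log lines in the key="value" layout quoted above and lists the requests to the hybrid endpoints that the WAF itself answered with 401. The log lines are constructed samples; IPs, hostnames and uids are placeholders.

```powershell
# Added example, not from the thread: parse Sophos UTM WAF (httpd) log lines in the
# key="value" format quoted above and list requests to the hybrid endpoints that the
# WAF answered with 401 itself. The log lines below are constructed samples; IPs,
# hostnames and uids are placeholders.
$sampleLog = @'
2017:06:27-15:57:40 utm1-1 httpd: id="0299" srcip="203.0.113.10" localip="DMZIP" size="381" user="-" host="203.0.113.10" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="32406" url="/EWS/mrsproxy.svc" server="owa.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="SAMPLE1"
2017:06:27-15:58:02 utm1-1 httpd: id="0299" srcip="203.0.113.10" localip="DMZIP" size="0" user="-" host="203.0.113.10" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="120" url="/autodiscover/autodiscover.svc/WSSecurity" server="autodiscover.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="SAMPLE2"
2017:06:27-15:58:30 utm1-1 httpd: id="0299" srcip="198.51.100.7" localip="DMZIP" size="512" user="-" host="198.51.100.7" method="POST" statuscode="401" reason="-" extra="-" exceptions="-" time="15" url="/EWS/exchange.asmx/WSSecurity" server="mail.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="SAMPLE3"
2017:06:27-15:59:01 utm1-1 httpd: id="0299" srcip="198.51.100.7" localip="DMZIP" size="2048" user="-" host="198.51.100.7" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" time="9" url="/owa/" server="mail.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="SAMPLE4"
'@

# Paths the hybrid wizard and Office 365 talk to (taken from the thread), lower-cased.
$hybridPaths = @('/ews/', '/autodiscover/')

function ConvertFrom-UtmHttpdLine {
    param([string]$Line)
    # Every field after "httpd:" is key="value"; quoted values contain no quotes.
    $fields = [ordered]@{ timestamp = ($Line -split ' ')[0] }
    foreach ($m in [regex]::Matches($Line, '([\w-]+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    [pscustomobject]$fields
}

function Get-HybridWafRejections {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if (-not $line.Trim()) { continue }
        $e = ConvertFrom-UtmHttpdLine $line
        $path = $e.url.ToLower()
        $isHybrid = $hybridPaths | Where-Object { $path.StartsWith($_) }
        # A 401 with user="-" on a hybrid path means the WAF, not IIS, rejected the
        # WS-Security/OAuth request; the matching symptom is nothing in the IIS logs.
        if ($isHybrid -and $e.statuscode -eq '401' -and $e.user -eq '-') { $e }
    }
}

$lines = $sampleLog -split "`r?`n"
Get-HybridWafRejections -Lines $lines |
    Select-Object timestamp, server, url, srcip, exceptions, time |
    Format-Table -AutoSize
```

    Point `$lines` at `Get-Content` of an exported WAF log to run it against real data; the `exceptions` column shows which skip rules were already applied when the WAF still rejected the request.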

  • I've tried just about everything I can think of to get this working properly, but it's definitely not a profile issue, as if you configure the UTM virtual web server with a Firewall Profile of "None" you still get the same issues.

    The only way I've found to be able to get Exchange 2016 reliably connected is to use NAT, which means that the UTM is pretty much useless as a reverse proxy and is not providing the security it should...

    I thought at one point I had cracked it playing with the keep-alive value, but that was just a red herring.

    Nothing seems to work; all we get is constant disconnects from the Outlook clients, and we have to close and re-open them to connect again.

     

    Not ideal...

    Tim Grantham

    Enterprise Architect & Business owner

  • Thanks,

    This is the conclusion I'm coming to, which unfortunately throws UTM/Sophos platforms back towards the 'worthless if you are using hybrid' category.

    Unfortunately, Sophos sales and marketing like to gloss over this when saying it's compatible with Office 365 services.

    Oh well, at least we didn't sell this one and have to deal with the impending fallout :)

  • There are also disconnection issues when using the WebFilter with a pure 100% on-premises Exchange solution.

    I don't blame Sophos; I suspect there have been some security changes with Exchange 2016, and these haven't been communicated down to the security vendors, and they are playing catch-up.

    I also suspect that when Office 365 was launched it was 100% compatible, but things evolve, and at the present time it's not compatible.

    Tim Grantham

    Enterprise Architect & Business owner

  • We have the same problem. We're trying to set up a hybrid Exchange 2016 to Office 365 environment, but are having issues with the Remote Connectivity Analyzer (https://testconnectivity.microsoft.com/).

    We were told by the contractor doing the Office 365 part to turn off pre-authentication; however, as far as I can see, we're not doing pre-authentication.

    Going to try Sophos phone support and see if I have any luck.

  • Does your EWS URL have authentication? That is, do you have forms auth, or any authentication, configured for the domain (e.g. mail.domain.com)? That will break it, as the URL-based exemption for pass-through doesn't work.

    If you are publishing using the WAF rather than a NAT rule, then that is likely the issue.

    You could try using another external IP and another name for EWS, such as EWS.domain.com, and configuring that for NAT.

    This provides no security at the border, rendering the UTM pointless for involvement in the publishing.

  • No forms or authentication on this, and yes, we are using the WAF.

    Thanks for your response.

  • Yeah, the WAF is the problem.

    It breaks OAuth, which has been used since Exchange 2013 for parts of Exchange (released February 2013).

  • It turns out that the connectivity analyzer isn't exactly reliable; however, the problem in our case was that the discovery endpoint was set incorrectly on the Office 365 connector.

    The contractor ended up getting Microsoft on the case and they worked it out.

    From the contractor:

    Glad to hear it's working. The solution was to change the DiscoveryEndpoint value on the O365 connector from

    DiscoveryEndpoint    : webmail.ourdomain.com/.../autodiscover.svc

    To

    DiscoveryEndpoint    : autodiscover.ourdomain.com/.../autodiscover.svc

    This value is set during hybrid configuration, and it's usually not a problem because both names resolve to the same thing. The problem in this scenario was the WAP rejecting webmail.shoalhaven.nsw.gov.au/.../autodiscover.svc; when changing it to the new value, the rule was matching properly.

    The value is changed with the following command (to be run on the O365 tenancy, not on local Exchange):

    Set-IntraOrganizationConnector -DiscoveryEndpoint autodiscover.ourdomain.com/.../autodiscover.svc

    And if you ever run the hybrid assistant as well, the command might need to be re-run to reset this value; these notes will be added to the as-built documentation.
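    The connector check described above, as an added example that is not part of the thread or of Microsoft's documentation: in an Exchange Online PowerShell session it compares the IntraOrganizationConnector's DiscoveryEndpoint host with the Autodiscover name the reverse proxy publishes, shows what both names resolve to, and rewrites the value only when asked. The hostname is a placeholder, and the full Autodiscover path is taken from the first post in the thread.

```powershell
# Added example, not from the thread or from Microsoft: in an Exchange Online
# PowerShell session (Connect-ExchangeOnline first), compare the IntraOrganizationConnector's
# DiscoveryEndpoint with the Autodiscover name the reverse proxy publishes, show what
# both names resolve to, and optionally rewrite it. The hostname is a placeholder.
param(
    [string]$AutodiscoverHost = 'autodiscover.example.com',   # placeholder, not a real value
    [switch]$Fix
)

# Full Autodiscover path quoted earlier in the thread; the contractor's output elides it.
$expected = "https://$AutodiscoverHost/autodiscover/autodiscover.svc"

$connectors = @(Get-IntraOrganizationConnector)
if ($connectors.Count -eq 0) {
    Write-Warning 'No IntraOrganizationConnector found in this tenant; nothing to check.'
    return
}

foreach ($c in $connectors) {
    $current = [string]$c.DiscoveryEndpoint
    $currentHost = ([uri]$current).Host
    if ($currentHost -ieq $AutodiscoverHost) {
        Write-Host "OK   $($c.Identity): DiscoveryEndpoint = $current"
        continue
    }
    Write-Warning "$($c.Identity): DiscoveryEndpoint host is '$currentHost', expected '$AutodiscoverHost'"
    # Both names usually point at the same address (so on-premises tests pass) while
    # only the Autodiscover name matches the proxy's publishing rule.
    foreach ($h in @($currentHost, $AutodiscoverHost)) {
        try   { $ips = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress -join ', ' }
        catch { $ips = 'unresolved' }
        Write-Host "     $h -> $ips"
    }
    if ($Fix) {
        Set-IntraOrganizationConnector -Identity $c.Identity -DiscoveryEndpoint $expected
        Write-Host "Set  $($c.Identity): DiscoveryEndpoint = $expected"
    }
}
# Re-running the Hybrid Configuration Wizard can reset the value, so repeat this check
# afterwards, as the contractor's note above says.
```

    Run it without `-Fix` first to see the mismatch and the DNS answers; `Resolve-DnsName` needs the Windows DnsClient module, so on other platforms replace that line with your resolver of choice.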