
Exchange 2013 / 2016 Office 365 hybrid not working

Hi

I've been battling this with UTM 9.4 for a good number of hours now, and I'm pretty much at the end of straws to clutch at.

We have a pretty standard Exchange environment: two multi-role servers, currently running Exchange 2016. We have published the URLs using a mix of the frankysweb and Sophos guidance. I have also identified that the hybrid triggers the following false positives against Autodiscover and EWS:

970901

960009

981200

981205

However, it still won't work.

It seems that we have to set both Autodiscover and EWS to passthrough (rather than just EWS), but we keep getting 401 errors from the hybrid wizard.

Office 365 hybrid uses OAuth, with the addresses autodiscover.domain.com/autodiscover/autodiscover.svc/WSSecurity and mail.domain.com/EWS/exchange.asmx/WSSecurity.

Both are set to passthrough (no authentication profile). I see no more errors in the firewall log, nothing related in the authentication log, and no errors in the web application firewall log, but the requests don't seem to hit IIS: there is no record in the IIS logs for these requests, while other internal requests for WSSecurity work and show in the IIS logs.

Is the only way to get 365 hybrid to work with UTM to use NAT? That would obviously mean that you can't use a back-end web farm or any availability for that service, and would also have no protection from the web server protection element.

Is there anything at all from Sophos on how to get 365 hybrid to work through UTM?

  • Happy days, another customer with UTM (now 9.5) and seemingly the same /EWS/MRSProxy.asmx issues:

    2017:06:27-15:57:40 utm1-1 httpd: id="0299" srcip="40.101.30.189" localip="DMZIP" size="381" user="-" host="40.101.30.189" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="32406" url="/EWS/mrsproxy.svc" server="owa.domain.co.uk" port="443" query="" referer="-" cookie="exchangecookie=486f9ba4140b4951929dbc34c7bf1e46" set-cookie="-" uid="WVJyZMColqAAAH6qkPsAAAAF"

    Trying to get hybrid to work properly, including mailbox migration, with a UTM publishing OWA/EWS/Autodiscover, configured according to the (now slightly out of date) instructions for 9.3+ as published by Sophos.

    Is there anyone else actually trying to do hybrid 365 migrations with Sophos in the picture?

    My suspicion is that this is due to WSSecurity; as in, the UTM has no idea what to do with it, so the /EWS/* URL really wants to be configured to bypass authentication and allow Exchange to authenticate it.

    Is that possible, for just the EWS URL?

    I'm sure there used to be an option for no authentication (front end none - back end none), but I might well have been dreaming.
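A small log triage script, added here as an example and not part of the thread or of any Sophos tooling: it parses UTM httpd (WAF) log lines in the key="value" format quoted above, flags 401 responses on the hybrid endpoints named in the thread (/EWS/mrsproxy.svc and the /WSSecurity paths) and summarises them by server, URL and WAF exception. The field names are those of the quoted log line; the sample lines are constructed (documentation IP ranges, placeholder uids).

```python
import re
from collections import Counter

# Constructed sample UTM httpd log lines, modelled on the line quoted in the
# thread. IPs are from documentation ranges and uids are placeholders.
SAMPLE_LOG = """\
2017:06:27-15:57:40 utm1-1 httpd: id="0299" srcip="203.0.113.20" localip="DMZIP" size="381" user="-" host="203.0.113.20" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="32406" url="/EWS/mrsproxy.svc" server="owa.domain.co.uk" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="UID-PLACEHOLDER-1"
2017:06:27-15:57:41 utm1-1 httpd: id="0299" srcip="203.0.113.20" localip="DMZIP" size="381" user="-" host="203.0.113.20" method="POST" statuscode="401" reason="-" extra="-" exceptions="SkipURLHardening" time="30112" url="/autodiscover/autodiscover.svc/WSSecurity" server="autodiscover.domain.co.uk" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="UID-PLACEHOLDER-2"
2017:06:27-15:57:42 utm1-1 httpd: id="0299" srcip="198.51.100.7" localip="DMZIP" size="1200" user="-" host="198.51.100.7" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="120" url="/EWS/exchange.asmx/WSSecurity" server="owa.domain.co.uk" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="UID-PLACEHOLDER-3"
2017:06:27-15:57:43 utm1-1 httpd: id="0299" srcip="198.51.100.7" localip="DMZIP" size="5000" user="-" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="50" url="/owa/" server="owa.domain.co.uk" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="UID-PLACEHOLDER-4"
"""

# key="value" pairs; keys may contain a hyphen (set-cookie).
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Endpoints the hybrid wizard and mailbox migration use, per the thread.
HYBRID_PATH_RE = re.compile(r'(/ews/mrsproxy\.svc|/wssecurity)$', re.IGNORECASE)

def parse_utm_httpd_line(line):
    """Return the log fields as a dict (plus 'timestamp'), or None if not a UTM httpd record."""
    prefix, sep, rest = line.partition(" httpd: ")
    if not sep:
        return None
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = prefix.split(" ", 1)[0]
    return fields

def is_hybrid_endpoint(url):
    return bool(HYBRID_PATH_RE.search(url))

def find_hybrid_401s(log_text):
    """Records where the UTM returned 401 for a hybrid endpoint. With the endpoint on
    passthrough there should be none; per the thread these never reached IIS."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_utm_httpd_line(line)
        if fields is None:
            continue
        if fields.get("statuscode") == "401" and is_hybrid_endpoint(fields.get("url", "")):
            hits.append(fields)
    return hits

def summarise(hits):
    """Count hits by (server, url, WAF exception) to see which publishing rule answered."""
    return Counter((h["server"], h["url"], h.get("exceptions", "-")) for h in hits)

if __name__ == "__main__":
    for key, n in summarise(find_hybrid_401s(SAMPLE_LOG)).items():
        print(n, *key)
```

A 401 flagged here that has no matching IIS log entry for the same timestamp and path confirms the symptom the thread describes: the UTM answered the request rather than forwarding it to Exchange.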

  • I've tried just about everything I can think of to get this working properly, but it's definitely not a profile issue, as if you configure the UTM virtual web server with a Firewall Profile of "None" then you still get the same issues.

    The only way I've found to be able to get Exchange 2016 reliably connected is to use NAT, which means that the UTM is pretty much useless as a reverse proxy and is not providing the security it should...

    I thought at one point I had cracked it playing with the keep-alive value, but that was just a red herring.

    Nothing seems to work; all we get is constant disconnects from the Outlook client, and we have to close and re-open it to connect again.

    Not ideal...

    Tim Grantham

    Enterprise Architect & Business owner

  • Thanks,

    This is the conclusion I'm coming to, which unfortunately throws UTM/Sophos platforms back towards the 'worthless if you are using hybrid' category.

    Unfortunately, Sophos sales and marketing like to gloss over this when saying it's compatible with Office 365 services.

    Oh well, at least we didn't sell this one and have to deal with the impending fallout :)

  • There are also issues with disconnection when using the WebFilter with a pure 100% on-premises Exchange solution.

    I don't blame Sophos. I suspect there have been some security changes with Exchange 2016, and this hasn't been communicated down to the security vendors, and they are playing catch-up.

    I suspect also that when Office 365 was launched it was 100% compatible, but things evolve, and at the present time it's not compatible.

    Tim Grantham

    Enterprise Architect & Business owner
