This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exchange 2013 / 2016 Office 365 hybrid not working

Hi

i've been battling this with UTM 9.4 for a good number of hours now, and i'm pretty much at the end of straws to clutch at.

we have a pretty standard exchange environment, two multirole servers, currently running Exchange 2016, we have published URLs using a mix of the frankysweb and Sophos guidance, i have also identified that the hybrid also triggers the following false positives against autodiscover and ews

970901

960009

981200

981205

however it still wont work

it seems that we have to set both autodiscover and EWS to passthrough (rather than just EWS) but we keep getting 401 errors from the hybrid wizard.

office 365 hybrid uses OAuth, with the address autodiscover.domain.com/autodiscover/autodiscover.svc/WSSecurity and mail.domain.com/EWS/exchange.asmx/WSSecurity

both are set to passthrough, (no authentication profile) i see no more errors in the firewall log, i see nothing related in the authentication log, and no errors in the web application firewall log, but the requests dont seem to hit IIS, no record in the IIS logs for these requests, but other internal requests for wssecurity work and show in the IIS logs.

Is the only way to get 365 hybrid to work with UTM to use NAT? which would obviously mean that you cant use a back end web farm or any availability for that service, and also have no protection from the web server protection element.

is there anything at all from sophos on how to get 365 hybrid to work through UTM?



This thread was automatically locked due to age.
Parents
  • We have the same problem. We're trying to setup a hybrid exchange 2016 to office 365 environment, but having issues with the remote connectivity analyzer (https://testconnectivity.microsoft.com/)

     

    We were told by the contractor doing the office 365 part, to turn off pre-authentication, however as far as I can see, we're not doing pre-authentication.

     

    Going to try Sophos phone support and see if I have any luck

  • does your EWS URL have authentication? such as, do you have forms auth, or any authentication, configured for the domain (e.g. mail.domain.com)? that will break it, as the URL based exemption for pass through doesn't work.

    if you are publishing using the WAF rather than a NAT rule, then that is likely the issue.

    you could try using another external IP and another name for EWS such as EWS.domain.com, and configuring that for NAT

     

    this provides no security at the border, rendering the UTM pointless for involvement in the publishing

Reply
  • does your EWS URL have authentication? such as, do you have forms auth, or any authentication, configured for the domain (e.g. mail.domain.com)? that will break it, as the URL based exemption for pass through doesn't work.

    if you are publishing using the WAF rather than a NAT rule, then that is likely the issue.

    you could try using another external IP and another name for EWS such as EWS.domain.com, and configuring that for NAT

     

    this provides no security at the border, rendering the UTM pointless for involvement in the publishing

Children