This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exchange 2013 / 2016 Office 365 hybrid not working

Hi

i've been battling this with UTM 9.4 for a good number of hours now, and i'm pretty much at the end of straws to clutch at.

we have a pretty standard exchange environment, two multirole servers, currently running Exchange 2016, we have published URLs using a mix of the frankysweb and Sophos guidance, i have also identified that the hybrid also triggers the following false positives against autodiscover and ews

970901

960009

981200

981205

however it still wont work

it seems that we have to set both autodiscover and EWS to passthrough (rather than just EWS) but we keep getting 401 errors from the hybrid wizard.

office 365 hybrid uses OAuth, with the address autodiscover.domain.com/autodiscover/autodiscover.svc/WSSecurity and mail.domain.com/EWS/exchange.asmx/WSSecurity

both are set to passthrough, (no authentication profile) i see no more errors in the firewall log, i see nothing related in the authentication log, and no errors in the web application firewall log, but the requests dont seem to hit IIS, no record in the IIS logs for these requests, but other internal requests for wssecurity work and show in the IIS logs.

Is the only way to get 365 hybrid to work with UTM to use NAT? which would obviously mean that you cant use a back end web farm or any availability for that service, and also have no protection from the web server protection element.

is there anything at all from sophos on how to get 365 hybrid to work through UTM?



This thread was automatically locked due to age.
Parents
  • We have the same problem. We're trying to setup a hybrid exchange 2016 to office 365 environment, but having issues with the remote connectivity analyzer (https://testconnectivity.microsoft.com/)

     

    We were told by the contractor doing the office 365 part, to turn off pre-authentication, however as far as I can see, we're not doing pre-authentication.

     

    Going to try Sophos phone support and see if I have any luck

  • does your EWS URL have authentication? such as, do you have forms auth, or any authentication, configured for the domain (e.g. mail.domain.com)? that will break it, as the URL based exemption for pass through doesn't work.

    if you are publishing using the WAF rather than a NAT rule, then that is likely the issue.

    you could try using another external IP and another name for EWS such as EWS.domain.com, and configuring that for NAT

     

    this provides no security at the border, rendering the UTM pointless for involvement in the publishing

  • no forms or authentication on this and yes, we are using the WAF

     

    thanks for your response

  • yeah the WAF is the problem.

    it breaks OAuth, which have been used since Exchange 2013 for parts of Exchange (released February 2013)

  • it turns out that the connectivity analyzer isn't exactly reliable, however the problem in our case was that the discovery endpoint was set incorrectly on the office 365 connector.

     

    the contractor ended up getting microsoft on the case and they worked it out.

     

    from the contractor:

    Glad to hear it’s working. The solution was to change DiscoveryEndpoint value on the O365 connector from

    DiscoveryEndpoint    : webmail.ourdomain.com/.../autodiscover.svc

    To

    DiscoveryEndpoint    : autodiscover.ourdomain.com/.../autodiscover.svc

    This value is set during hybrid configuration and its usually not a problem because both names resolve to the same thing, the problem on this scenario was the WAP rejecting webmail.shoalhaven.nsw.gov.au/.../autodiscover.svc , when changing it to the new value the rule was matching properly.

    The value is changed with the following command (to be run on the O365 tenancy, not on local exchange)

    Set-IntraOrganizationConnector -DiscoveryEndpoint autodiscover.ourdomain.com/.../autodiscover.svc

    And if you ever run hybrid assistant as well, the command might need to be re-run to reset this value, this notes will be added to the as built documentation.

Reply
  • it turns out that the connectivity analyzer isn't exactly reliable, however the problem in our case was that the discovery endpoint was set incorrectly on the office 365 connector.

     

    the contractor ended up getting microsoft on the case and they worked it out.

     

    from the contractor:

    Glad to hear it’s working. The solution was to change DiscoveryEndpoint value on the O365 connector from

    DiscoveryEndpoint    : webmail.ourdomain.com/.../autodiscover.svc

    To

    DiscoveryEndpoint    : autodiscover.ourdomain.com/.../autodiscover.svc

    This value is set during hybrid configuration and its usually not a problem because both names resolve to the same thing, the problem on this scenario was the WAP rejecting webmail.shoalhaven.nsw.gov.au/.../autodiscover.svc , when changing it to the new value the rule was matching properly.

    The value is changed with the following command (to be run on the O365 tenancy, not on local exchange)

    Set-IntraOrganizationConnector -DiscoveryEndpoint autodiscover.ourdomain.com/.../autodiscover.svc

    And if you ever run hybrid assistant as well, the command might need to be re-run to reset this value, this notes will be added to the as built documentation.

Children
No Data