This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Can't publish OWA web page - No signature found error

I'm migrating from TMG to Sophos firewall and  I have faced a problem - I can't setup the OWA webpage to work .. All rules set according to Sophos manual ( see : sophserv.sophos.com/.../Exchange WAF Guide - UTM 9.3 - Nov 2015.pdf).

ActiveSync service is working, but OWA webpage does not. WAF rule was set with form based authentication in frontend (with default sophos form) and basic authentication on backend to CAS server. When trying to access the OWA webpage from outside (https://owa.xxxxx.xxxx.xx/owa) the firewall presents the following error:

Request blocked: The web application firewall has blocked access to /owa_uxtlcrcuw_form for the following reason: No signature found

I have checked the firewall profile for OWA and it does contains /owa and /OWA urls.. Also there are Exceptions for static URL hardening with /owa/* and /etc/* ...

Without checking Static URL hardening in the WAF profile the loging form is displaying, but after entering the login credentials popups window with windows login box again..

On CAS exchange server checked both Integrated Windows Authentication and Basic Authentification for OWA and ECP sites.. 

The question is - where I need to look for problem to fix OWA application? Please help!

Regards,

Michael



This thread was automatically locked due to age.
Parents Reply Children
  • Well, all OWA WAF rules have been set exactly according to that manual .. By the way, ActiveSync, that sat in the same WAF rule works fine .. autodiscovery rule - works too ..only OWA web page - does not ... :(

    Update: After adding additional exclusion like that "/owa*" the sophos default login form is finally start to appear when hitting https://owa.domain.com/owa page .. but after entring login credentials popups a new window with login to owa web server ... Probably, there is a reverse auth problem... Still looking :) 

    Update2: After playing with URL hardening exceptions and Reverse Auth profiles here what I have found (Sophos Firmware version is 9.502-4):

    1. All OWA Sophos manuals define some URL exceptions to set, but in my case I needed to add one more URL exception "/owa*" (all manual says you only need "/owa/*" exclusion to work )

    2. After solving the problem of utm' frontend form authentication I have faced another problem - the backend auth to exchange server in case of OWA webpage account did not work (but ActiveSync and autodiscovery services work fine at that time). In my case there were 2 Reverse auth profiles (as it was written in OWA Sophos manual) one for form based and another for basic authentication method.

    In my case in the basic method form I have an Active Direct auth on fronend and basic on Real server backend with Suffix like "domain.com". In that case the UTM form worked good, but the backend auth did not worked and the CAS server asked for login credential again... Long story in short - I have created another Reverse auth profile with different Domain Suffix like "@domain.com" .. for /owa and /ecp site path routes, and finally OWA webpage start to work properly. 

    So, maybe its a bug of reverse proxy mechanism?

    Regards,

    Michael

  • Have you tried to skip form hardening for that Virtual Server?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Yes, Form hardening option is unchecked for this WAF profile ... and after adding "/owa*" exception the logging form began to appear. WAF probably does know how to handle form' url that looks like that "/owa_xxxxxxxxxx_form.."