https://community.sophos.com/utm-firewall/f/web-server-security/95012/can-t-publish-owa-web-page---no-signature-found-errorI&#39;m migrating from TMG to Sophos firewall and I have faced a problem - I can&#39;t setup the OWA webpage to work .. All rules set according to Sophos manual ( see : sophserv.sophos.com/.../Exchange WAF Guide - UTM 9.3 - Nov 2015.pdf). ActiveSync serviceen-USTelligent Community 12https://community.sophos.com/thread/344787?ContentTypeID=1Fri, 18 Aug 2017 09:26:36 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:31e6661d-166d-4397-8bd7-5df811188a3bMichael Altynikov<p>Hi Bob,</p> <p>Yes, Form hardening option is unchecked for this WAF profile ... and after adding &quot;/owa*&quot; exception the logging form began to appear. WAF probably does know how to handle form&#39; url that looks like that &quot;/owa_xxxxxxxxxx_form..&quot;&nbsp;</p><div style="clear:both;"></div>https://community.sophos.com/thread/344657?ContentTypeID=1Thu, 17 Aug 2017 12:03:32 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:3e128916-21d0-4b27-9435-e6043f0168c5BAlfson<p>Have you tried to skip form hardening for that Virtual Server?</p> <p>Cheers - Bob</p><div style="clear:both;"></div>https://community.sophos.com/thread/344381?ContentTypeID=1Tue, 15 Aug 2017 13:45:03 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:6f12b384-1108-455b-8610-9827ec476d3aMichael Altynikov<p>Well, all OWA WAF rules have been set exactly according to that manual .. By the way, ActiveSync, that sat in the same WAF rule works fine .. autodiscovery rule - works too ..only OWA web page - does not ... :(</p> <p>Update: After adding additional exclusion like that &quot;/owa*&quot; the sophos default login form is finally start to appear when hitting <a href="https://owa.domain.com/owa">https://owa.domain.com/owa</a>&nbsp;page .. but after entring login credentials popups a new window with login to owa web server ... Probably, there is a reverse auth problem... Still looking :)&nbsp;</p> <p>Update2: After playing with URL hardening exceptions and Reverse Auth profiles here what I have found (Sophos Firmware version is 9.502-4):</p> <p>1. All OWA Sophos manuals define some URL exceptions to set, but in my case I needed to add one more URL exception &quot;/owa*&quot; (all manual says you only need &quot;/owa/*&quot; exclusion to work )</p> <p>2. After solving the problem of utm&#39; frontend form authentication I have faced another problem - the backend auth to exchange server in case of OWA webpage account did not work (but ActiveSync and autodiscovery services work fine at that time). In my case there were 2 Reverse auth profiles (as it was written in OWA Sophos manual) one for form based and another for basic authentication method.</p> <p>In my case in the basic method form I have an Active Direct auth on fronend and basic on Real server backend with Suffix like &quot;domain.com&quot;. In that case the UTM form worked good, but the backend auth did not worked and the CAS server asked for login credential again... Long story in short - I have created another Reverse auth profile with different Domain Suffix like &quot;@domain.com&quot; .. for /owa and /ecp site path routes, and finally OWA webpage start to work properly.&nbsp;</p> <p>So, maybe its a bug of reverse proxy mechanism?</p> <p>Regards,</p> <p>Michael</p><div style="clear:both;"></div>https://community.sophos.com/thread/344351?ContentTypeID=1Tue, 15 Aug 2017 09:15:26 GMT4be5eb7d-caa4-4ff5-8e60-8f9463545a35:4c2885eb-8cd1-4576-a94d-98be91bc731dShaun Raven<p>Hi.</p> <p>I suggest checking your method against the one found here, which works fine.</p> <p>&nbsp;</p> <p><a href="https://networkguy.de/?p=998">https://networkguy.de/?p=998</a></p> <p>&nbsp;</p><div style="clear:both;"></div>