
ADFS WAF Policy and Rule

Migrating from Windows Reverse Proxy to Sophos XG WAF.

See tutorial below.

Assumes you know how to add Real web servers to XG, have a functioning ADFS server, and a Federated domain.

  • Hi AADD,

    Let us know what you wish to configure in WAF,

    Configuration as per KB article.

    https://community.sophos.com/kb/en-us/126470

  • ADFS WAF Policy and Rule.

    Caveat: Microsoft Edge Browser will not display the images on the page, however it will still work for authentication.
    Solution edited to correct Edge needing access to other paths for style sheet and imagery. See follow-up post.

    Solution edited to correct Outlook needing access to other paths and exceptions. See follow-up post.

    SFOS 18.x Solution below in a different post.

    Configure Protection Policy

    First we need to set up the combined Microsoft ADFS STS 2012R2 Protection policy.

    ADFS STS Protection Policy Configuration

      1. Navigate to Web Server > Protection Policies and click Add.
      2. Fill in the fields as shown below.

      • Name: Microsoft ADFS STS 2012R2
      • Pass Outlook Anywhere: Disabled
      • Mode: Reject
      • Cookie Signing: Disabled
      • Static URL Hardening: Disabled
      • Form Hardening: Disabled
      • Antivirus: Disabled
      • Block clients with bad reputation: Disabled (edited 2018-7-31 for Bad Microsoft IPs)
      • Skip remote lookups for clients with bad reputation: Disabled
      • Common Threat Filter: Enabled (All Selected Except)
        • SQL Injection Attacks: Disabled
      • Rigid Filtering: Disabled
      • Skip Filter Rules:
        • 950120
        • 981176 (edited 2018-6-8 for Outlook)
        • 981204 (edited 2018-6-8 for Outlook)
      3. Click on Save.

    Configure Firewall rule

    ADFS - STS Access Rule

    1. Navigate to Firewall.
    2. Click Add Firewall Rule and select Business Application Rule from the drop down menu.
    3. Select the WAF Server Protection template
    4. Fill in the required details:
      • Rule Name
      • Hosted Address
      • Listening Port
      • HTTPS
      • Certificate
      • Domains
      • Protected Server
    5. Check Path-Specific Routing
      Add new Path

      • Path: /adfs/ls/
      • Web Server: Select Real Web Server
      • Authentication: None
      • Allowed Client Networks: Select desired Networks to be allowed access
      • Block Client Networks: Select desired Networks to be denied access
      • Sticky session cookie: Disabled
      • Hot standby mode: Disabled
      • WebSocket passthrough: Disabled
      • Click Save
    6. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath Protection.
    7. Now select Microsoft ADFS STS 2012R2.
    8. Additional Options
      • Check Pass Host Header
    9. Save
  • Edge requires an additional Path-specific routing entry.

    Add new Path

    • Path: /adfs/portal/
    • Web Server: Select Real Web Server
    • Authentication: None
    • Allowed Client Networks: Select desired Networks to be allowed access
    • Block Client Networks: Select desired Networks to be denied access
    • Sticky session cookie: Disabled
    • Hot standby mode: Disabled
    • WebSocket passthrough: Disabled
    • Click Save
  • Hi AADD,

    I just wanted to thank you for going through this and posting potential fixes.

    I will be trying these against 2016 as that has been the issue. I'm crossing my fingers these all work on 2016 and I can go back to using WAF for these scenarios.

    Thanks,

    John

  • Outlook also requires special exemptions.

    See the Policy creation post and note the policy changes marked (edited 2018-6-8 for Outlook).

    Make the following additions to the WAF Business Rule:

    Add new Path

    • Path: /adfs/services/
    • Web Server: Select Real Web Server
    • Authentication: None
    • Allowed Client Networks: Select desired Networks to be allowed access
    • Block Client Networks: Select desired Networks to be denied access
    • Sticky session cookie: Disabled
    • Hot standby mode: Disabled
    • WebSocket passthrough: Disabled
    • Click Save

    Add new Exception

    • Paths: /adfs/services/*
    • Set Sources
    • Check Protocol Anomalies
    • Click Save
  • Update!

    Some of Microsoft's IPs used for Federation authentication tokens for Autodiscover are listed on the public black lists used for Block clients with bad reputation: Enabled. This can prevent some or all users from authenticating to Outlook MAPI and ActiveSync protocols.

    At this point, unless we can add specific IP blocks to a whitelist somewhere that overrides Block clients with bad reputation, it must be disabled.

    See the Policy creation post and note the policy changes marked (edited 2018-7-31 for Bad Microsoft IPs).
  • Axsom1,

    Have you had a chance to test the settings for Windows 2016?

    If so, what were the results for you? Please note: there have been some updates to my WAF policy post.

  • SFOS 18.0.1 MR-1-Build396 Update!!!

    The 18.x firmware requires additional checks to be bypassed. I will update this post for the complete protection policy and firewall rule as the screens are a little different.

    ADFS WAF Policy and Rule.

    Configure Protection Policy

    First we need to set up the Microsoft ADFS STS 2012R2 Protection policy.

    ADFS STS Protection Policy Configuration

      1. Navigate to Web Server > Protection Policies and click Add.
      2. Fill in the fields as shown below.

      • Name: Microsoft ADFS STS 2012R2
      • Pass Outlook Anywhere: Disabled
      • Mode: Reject
      • Cookie Signing: Disabled
      • Static URL Hardening: Disabled
      • Form Hardening: Disabled
      • Antivirus: Disabled
      • Block clients with bad reputation: On (Must create rule for Microsoft IP blocks and clients that may be on a block list)
      • Skip remote lookups for clients with bad reputation: Disabled
      • Common Threat Filter: Enabled
        • Filter strength: Level 1
        • Skip Filter Rules:
          • 920420
          • 931130
          • 949110
          • 949190
          • 980130
        • (Check All Except)
          • SQL Injection Attacks: Disabled
      3. Click on Save.

    Configure Firewall rule

    ADFS - STS Access Rule

    1. Navigate to Rules and policies.
    2. Click Add Firewall Rule and select Protect with web server protection from the Action drop down menu.
    3. Select None in the Preconfigured template drop down menu.
    4. Configure your Hosted server and protected server and any Access permission options desired.
    5. Fill in the required details:
      • Rule Name
      • Hosted Address
      • Listening Port
      • HTTPS
      • Certificate
      • Domains
      • Protected Server
    6. Check Path-Specific Routing
      Add new Path

      • Create Paths with the following options for: /adfs/ls, /adfs/portal, /adfs/services, /federationmetadata/, /FederationMetadata/
      • Web Server: Select Real Web Server
      • Authentication: None
      • Allowed Client Networks: Select desired Networks to be allowed access
      • Block Client Networks: Select desired Networks to be denied access
      • Sticky session cookie: Disabled
      • Hot standby mode: Disabled
      • WebSocket passthrough: Disabled
      • Click Save
    7. Create Exception

      1. Path: /adfs/services*
      2. Sources (Enter your desired criteria for the exception)
      3. All unchecked (except)
        1. Protocol enforcement
        2. Data leakage
      4. Save
    8. Create Exception

      1. Path: Leave empty
      2. Sources (Enter your desired criteria for the exception Microsoft IP Blocks and any client on a block list)
      3. All unchecked (except)
        1. Block clients with bad reputation
        2. Protocol enforcement
        3. Data leakage
      4. Save
    9. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath Protection.
    10. Now select Microsoft ADFS STS 2012R2.
    11. Additional Options
      • Check Pass Host Header
    12. Save
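The two exception steps above, together with the earlier Outlook post's /adfs/services/ exception, interact with path-specific routing in a way that is easy to get wrong in the GUI (which checks are skipped for which client on which path). The following model is an added example written for this thread, not Sophos code and not the poster's configuration; it evaluates constructed requests against the 18.x rule as described. Its assumptions are labelled in the code: path routing is a case-sensitive prefix match (which is why the thread lists both /federationmetadata/ and /FederationMetadata/), an exception path is a shell-style glob, an empty exception path matches every request, an exception with no sources applies to every client, and the "Microsoft IP blocks" source is a placeholder documentation range rather than Microsoft's published list. The check names and the web server name are labels invented for the model.

```python
"""Model of how the SFOS 18.x WAF rule described in this thread treats a request.

Added illustration for this page; not Sophos code and not connected to a firewall.
Assumptions (constructed for the model, not taken from Sophos documentation):
  * Path-specific routing matches the request path as a case-sensitive prefix.
  * An exception path is a glob (e.g. /adfs/services*); "" matches every path.
  * An exception with no sources applies to every client.
  * The checks listed on an exception are the ones it skips.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Checks the "Microsoft ADFS STS 2012R2" policy leaves enabled in the 18.x post
# (cookie signing, URL/form hardening and antivirus are all disabled there).
POLICY_CHECKS = frozenset({
    "common threat filter",
    "protocol enforcement",
    "data leakage",
    "block clients with bad reputation",
})


@dataclass(frozen=True)
class Route:
    path: str          # case-sensitive prefix (assumption)
    web_server: str


@dataclass(frozen=True)
class WafException:
    path: str                            # glob; "" = all paths (assumption)
    sources: Tuple = ()                  # ip_network objects; () = any client
    skips: FrozenSet[str] = frozenset()  # checks skipped when the exception matches

    def matches(self, path: str, client) -> bool:
        if self.path and not fnmatchcase(path, self.path):
            return False
        return not self.sources or any(client in net for net in self.sources)


@dataclass(frozen=True)
class WafRule:
    routes: Tuple[Route, ...]
    exceptions: Tuple[WafException, ...]
    policy_checks: FrozenSet[str]

    def route_for(self, path: str) -> Optional[Route]:
        # Longest matching prefix wins; None means no path-specific route applies.
        hits = [r for r in self.routes if path.startswith(r.path)]
        return max(hits, key=lambda r: len(r.path), default=None)

    def evaluate(self, path: str, client_ip: str) -> dict:
        client = ip_address(client_ip)
        route = self.route_for(path)
        if route is None:
            return {"routed": False, "web_server": None,
                    "checks": frozenset(), "skipped": frozenset()}
        # Every matching exception contributes its skipped checks.
        skipped = frozenset().union(*(ex.skips for ex in self.exceptions
                                      if ex.matches(path, client)))
        return {"routed": True, "web_server": route.web_server,
                "checks": self.policy_checks - skipped,
                "skipped": skipped & self.policy_checks}


# Placeholder for the "Microsoft IP blocks" exception source: RFC 5737 documentation
# space, constructed for this example. Use Microsoft's published ranges for real use.
MS_FEDERATION_SOURCES = (ip_network("203.0.113.0/24"),)

ADFS_RULE = WafRule(
    routes=tuple(Route(p, "adfs-real-webserver") for p in (
        "/adfs/ls", "/adfs/portal", "/adfs/services",
        "/federationmetadata/", "/FederationMetadata/")),
    exceptions=(
        # Step 7: /adfs/services* from any client skips protocol enforcement and data leakage.
        WafException("/adfs/services*", (),
                     frozenset({"protocol enforcement", "data leakage"})),
        # Step 8: empty path, Microsoft sources only, additionally skips the reputation block.
        WafException("", MS_FEDERATION_SOURCES,
                     frozenset({"block clients with bad reputation",
                                "protocol enforcement", "data leakage"})),
    ),
    policy_checks=POLICY_CHECKS,
)


def summarize(path: str, client_ip: str) -> str:
    """One-line summary of what the rule does with a request."""
    r = ADFS_RULE.evaluate(path, client_ip)
    if not r["routed"]:
        return f"{path} from {client_ip}: no path-specific route (case-sensitive prefix miss)"
    return (f"{path} from {client_ip}: -> {r['web_server']}, "
            f"checks={sorted(r['checks'])}, skipped={sorted(r['skipped'])}")


if __name__ == "__main__":
    # Constructed requests: browser sign-on, Outlook's WS-Trust endpoint from an ordinary
    # client and from the placeholder Microsoft range, a metadata fetch, and a wrong-case path.
    for path, ip in [
        ("/adfs/ls/IdpInitiatedSignon.aspx", "198.51.100.7"),
        ("/adfs/services/trust/13/usernamemixed", "198.51.100.7"),
        ("/adfs/services/trust/13/usernamemixed", "203.0.113.10"),
        ("/FederationMetadata/2007-06/FederationMetadata.xml", "203.0.113.10"),
        ("/adfs/Ls/", "198.51.100.7"),
    ]:
        print(summarize(path, ip))
```

The last request shows why the thread's route list carries both spellings of the metadata path: a prefix miss on case means the request gets no route at all, not a relaxed one. The third request shows the layering the 18.x post relies on: the reputation block stays on for everyone except clients inside the step 8 sources, which is what the 17.x post could only achieve by turning the check off globally.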