ADFS WAF Policy and Rule

Question

Migrating from Windows Reverse Proxy to Sophos XG WAF. 
 See tutorial below. 
 Assumes you know how to add Real webservers to XG, have a functioning ADFS server, and Federated domain.

AADD · Accepted Answer

ADFS WAF Policy and Rule. 
 Caveat: Microsoft Edge Browser will not display the images on the page, however will still work for authentication. Solution Edited to correct Edge needing access to other paths for Style Sheet and imagery. See follow up post. 
 Solution Edited to correct Outlook needing access to other paths and exceptions. See follow up post. 
 SFOS 18.x Solution below in a different post. 
 
 Configure Protection Policy 
 First we need to set up the combined Microsoft ADFS STS 2012R2 Protection policy. 
 ADFS STS Protection Policy Configuration

Navigate to Web Server > Protection Policies and click Add . 
 Fill in the fields as shown below.

Name: Microsoft ADFS STS 2012R2 
 Pass Outlook Anywhere: Disabled 
 Mode: Reject 
 Cookie Signing: Disabled 
 Static URL Hardening: Disabled 
 Form Hardening: Disabled 
 Antivirus: Disabled 
 Block clients with bad reputation: Disabled (edited 2018-7-31 for Bad Microsoft IPs) 
 Skip remote lookups for clients with bad reputation: Disabled 
 Common Threat Filter: Enabled (All Selected Except)
 
 SQL Injection Attacks: Disable

Rigid Filtering: Disabled 
 Skip Filter Rules: 
 
 950120 
 981176 (edited 2018-6-8 for Outlook) 
 981204 (edited 2018-6-8 for Outlook)

Click on Save . 
 
 Configure Firewall rule 
 ADFS - STS Access Rule 
 
 Navigate to Firewall. 
 Click Add Firewall Rule and select Business Application Rule from the drop down menu. 
 Select the WAF Server Protection template 
 Fill in the required details:
 
 Rule Name 
 Hosted Address 
 Listening Port 
 HTTPS 
 Certificate 
 Domains 
 Protected Server

Check Path-Specific Routing Add new Path 
 
 Path: /adfs/ls/ 
 Web Server: Select Real Web Server 
 Authentication: None 
 Allowed Client Networks: Select desired Networks to be allowed access 
 Block Client Networks: Select desired Networks to be denied access 
 Sticky session cookie: Disabled 
 Hot standby mode: Disabled 
 WebSocket passthrough: Disabled 
 Click Save

Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath to Protection. 
 Now select Microsoft ADFS STS 2012R2 
 Additional Options 
 
 Check Pass Host Header

Save

AADD · Answer

Edge requires an additional Path-specific routing entry.

Add new Path 
 
 Path: /adfs/portal/ 
 Web Server: Select Real Web Server 
 Authentication: None 
 Allowed Client Networks: Select desired Networks to be allowed access 
 Block Client Networks: Select desired Networks to be denied access 
 Sticky session cookie: Disabled 
 Hot standby mode: Disabled 
 WebSocket passthrough: Disabled 
 Click Save

AADD · Answer

Outlook also requires special exemptions. 
 See the Policy creation post and note the policy changes marked (edited 2018-6-8 for Outlook) 
 Make the following additions to the WAF Business Rule

Add new Path 
 
 Path: /adfs/services/ 
 Web Server: Select Real Web Server 
 Authentication: None 
 Allowed Client Networks: Select desired Networks to be allowed access 
 Block Client Networks: Select desired Networks to be denied access 
 Sticky session cookie: Disabled 
 Hot standby mode: Disabled 
 WebSocket passthrough: Disabled 
 Click Save 
 
 Add new Exception

Paths: /adfs/services/* 
 Set Sources 
 Check Protocol Anomalies 
 Click Save

AADD · Answer

Update! 
 Some of Microsoft's IPs used for Federation authentication tokens for Autodiscover are listed on the public black lists used for Block clients with bad reputation: enabled. This can affect some or all users from authenticating to Outlook MAPI and ActiveSync protocols. 
 At this point, unless we can add specific IP blocks to a whitelist somewhere that over-rides Block clients with bad reputation: , it must be disabled. 
 See the Policy creation post and note the policy changes marked (edited 2018-7-31 for Bad Microsoft IPs)

AADD · Answer

SFOS 18.0.1 MR-1-Build396 Update!!! 
 The 18.x firmware requires additional checks to be bypassed. I will update this post for the complete protection policy and firewall rule as the screens are a little different. 
 ADFS WAF Policy and Rule.

Configure Protection Policy 
 First we need to set up the Microsoft ADFS STS 2012R2 Protection policy. 
 ADFS STS Protection Policy Configuration

Navigate to Web Server > Protection Policies and click Add . 
 Fill in the fields as shown below.

Name: Microsoft ADFS STS 2012R2 
 Pass Outlook Anywhere: Disabled 
 Mode: Reject 
 Cookie Signing: Disabled 
 Static URL Hardening: Disabled 
 Form Hardening: Disabled 
 Antivirus: Disabled 
 Block clients with bad reputation: On (Must create rule for Microsoft IP blocks and clients that may be on a block list) 
 Skip remote lookups for clients with bad reputation: Disabled 
 Common Threat Filter: Enable
 
 Filter strength: Level 1 
 Skip Filter Rules: 
 
 920420 
 931130 
 949110 
 949190 
 980130

(Check All Except)
 
 SQL Injection Attacks: Disable

Click on Save . 
 
 Configure Firewall rule 
 ADFS - STS Access Rule 
 
 Navigate to Rules and policies. 
 Click Add Firewall Rule and select Protect with web server protection from the Action drop down menu. 
 Select None in the Preconfigured template drop down menu. 
 Configure your Hosted server and protected server and any Access permission options desired. 
 Fill in the required details:
 
 Rule Name 
 Hosted Address 
 Listening Port 
 HTTPS 
 Certificate 
 Domains 
 Protected Server

Check Path-Specific Routing Add new Path 
 
 Create Paths with the following options for: /adfs/ls, /adfs/portal, /adfs/services, /federationmetadata/, /FederationMetadata/ 
 Web Server: Select Real Web Server 
 Authentication: None 
 Allowed Client Networks: Select desired Networks to be allowed access 
 Block Client Networks: Select desired Networks to be denied access 
 Sticky session cookie: Disabled 
 Hot standby mode: Disabled 
 WebSocket passthrough: Disabled 
 Click Save

Create Exception 
 
 Path: /adfs/services* 
 Sources (Enter your desired criteria for the exception) 
 All unchecked (except)
 
 Protocol enforcement 
 Data leakage

Save

Create Exception 
 
 Path: Leave empty 
 Sources (Enter your desired criteria for the exception Microsoft IP Blocks and any client on a block list) 
 All unchecked (except)
 
 Block clients with bad reputation 
 Protocol enforcement 
 Data leakage

Save

Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath to Protection. 
 Now select Microsoft ADFS STS 2012R2 
 Additional Options 
 
 Check Pass Host Header

Save