ADFS WAF Policy and Rule

Migrating from Windows Reverse Proxy to Sophos XG WAF.

See tutorial below.

Assumes you know how to add Real webservers to XG, have a functioning ADFS server, and Federated domain.

  • SFOS 18.0.1 MR-1-Build396 Update!!!

    The 18.x firmware requires additional checks to be bypassed. I will update this post for the complete protection policy and firewall rule as the screens are a little different.

    ADFS WAF Policy and Rule.
    Configure Protection Policy

    First we need to set up the Microsoft ADFS STS 2012R2 Protection policy.

    ADFS STS Protection Policy Configuration

      1. Navigate to Web Server > Protection Policies and click Add.
      2. Fill in the fields as shown below.

      • Name: Microsoft ADFS STS 2012R2
      • Pass Outlook Anywhere: Disabled
      • Mode: Reject
      • Cookie Signing: Disabled
      • Static URL Hardening: Disabled
      • Form Hardening: Disabled
      • Antivirus: Disabled
      • Block clients with bad reputation: On (Must create rule for Microsoft IP blocks and clients that may be on a block list)
      • Skip remote lookups for clients with bad reputation: Disabled
      • Common Threat Filter: Enable
        • Filter strength: Level 1
        • Skip Filter Rules:
          • 920420
          • 931130
          • 949110
          • 949190
          • 980130
        • (Check All Except)
          • SQL Injection Attacks: Disable
      3. Click on Save.

    Configure Firewall rule

    ADFS - STS Access Rule

    1. Navigate to Rules and policies.
    2. Click Add Firewall Rule and select Protect with web server protection from the Action drop-down menu.
    3. Select None in the Preconfigured template drop-down menu.
    4. Configure your Hosted server and protected server and any Access permission options desired.
    5. Fill in the required details:
      • Rule Name
      • Hosted Address
      • Listening Port
      • HTTPS
      • Certificate
      • Domains
      • Protected Server
    6. Check Path-Specific Routing
      Add new Path

      • Create Paths with the following options for: /adfs/ls, /adfs/portal, /adfs/services, /federationmetadata/, /FederationMetadata/
      • Web Server: Select Real Web Server
      • Authentication: None
      • Allowed Client Networks: Select desired Networks to be allowed access
      • Block Client Networks: Select desired Networks to be denied access
      • Sticky session cookie: Disabled
      • Hot standby mode: Disabled
      • WebSocket passthrough: Disabled
      • Click Save
    7. Create Exception
      1. Path: /adfs/services*
      2. Sources (Enter your desired criteria for the exception)
      3. All unchecked (except)
        1. Protocol enforcement
        2. Data leakage
      4. Save
    8. Create Exception

      1. Path: Leave empty
      2. Sources (Enter your desired criteria for the exception Microsoft IP Blocks and any client on a block list)
      3. All unchecked (except)
        1. Block clients with bad reputation
        2. Protocol enforcement
        3. Data leakage
      4. Save
    9. Go to the Advanced section at the bottom of the Firewall rule and click the drop-down box beneath Protection.
    10. Now select Microsoft ADFS STS 2012R2
    11. Additional Options
      • Check Pass Host Header
    12. Save
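As an added illustration (not part of the post above and not Sophos code), the following offline model replays the path-specific routes from step 6 and the two exceptions from steps 7 and 8 against sample requests, so the intended effect of the configuration can be checked before traffic is cut over. It assumes routes are matched as case-sensitive path prefixes (which is why the post lists both /federationmetadata/ and /FederationMetadata/), and the check names and source networks are constructed.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Checks the protection policy in the post leaves enabled (names are ours, not Sophos's).
ALL_CHECKS = frozenset({"bad_reputation", "common_threat_filter",
                        "protocol_enforcement", "data_leakage"})

# Step 6: path-specific routes. Assumed to be matched as case-sensitive prefixes,
# which is why both spellings of /federationmetadata/ appear in the post.
ROUTED_PREFIXES = ("/adfs/ls", "/adfs/portal", "/adfs/services",
                   "/federationmetadata/", "/FederationMetadata/")

# Constructed stand-in (RFC 5737 documentation range) for the "Microsoft IP blocks
# and block-listed clients" source criteria of step 8.
TRUSTED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Steps 7 and 8 as (path glob or None for "leave empty", source networks or None
# for any source, checks the exception skips). Step 7's sources are left open here.
EXCEPTIONS = [
    ("/adfs/services*", None,
     frozenset({"protocol_enforcement", "data_leakage"})),
    (None, TRUSTED_SOURCES,
     frozenset({"bad_reputation", "protocol_enforcement", "data_leakage"})),
]


def evaluate(url_path: str, client_ip: str):
    """Return (routed, checks_applied) for one request under the model above."""
    path = urlsplit(url_path).path  # exceptions and routes match the path only
    if not any(path.startswith(p) for p in ROUTED_PREFIXES):
        return False, frozenset()  # no route: request never reaches ADFS
    ip = ipaddress.ip_address(client_ip)
    applied = set(ALL_CHECKS)
    for glob, sources, skipped in EXCEPTIONS:
        path_ok = glob is None or fnmatchcase(path, glob)
        src_ok = sources is None or any(ip in net for net in sources)
        if path_ok and src_ok:
            applied -= skipped
    return True, frozenset(applied)


if __name__ == "__main__":
    for req in [("/adfs/ls/?wa=wsignin1.0", "203.0.113.10"),
                ("/adfs/services/trust/13/usernamemixed", "203.0.113.10"),
                ("/adfs/ls/", "198.51.100.7"),
                ("/FEDERATIONMETADATA/x", "203.0.113.10")]:
        print(req, "->", evaluate(*req))
```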