Hi, I have a problem configuring a WAF rule for Outlook Anywhere. ActiveSync and OWA are working fine, but Outlook Anywhere is not working. The following are the rules I created for that:
Combined WAF rule for ActiveSync, OWA and Outlook Anywhere:
All three services point to a single domain name, i.e. abc.domain.com
Exemption for OWA and ActiveSync:
/owa/*,/OWA/*,/ews/*,/EWS/*,/ecp/*,/ECP/*,/oab/*,/OAB/*,/oma/*,/OMA/*,/Microsoft-Server-ActiveSync?*,/
/owa/ev.owa
Exemption for Outlook Anywhere:
/RPC/*,/rpc/*
Separate WAF rule for auto discovery,
for the domain, i.e. autodiscover.domain.com
Exemption for autodiscover:
/autodiscover/*,/Autodiscover/*
The following are the logs of the reverseproxy service in this regard:
[Tue Mar 19 20:12:11.994435 2019] [proxy_http:error] [pid 14057:tid 140601819342592] (104)Connection reset by peer: [client 1.1.1.1:49945] AH01095: prefetch request body failed to 192.168.0.6:443 (192.168.0.6) from 1.1.1.1 ()
[Tue Mar 19 20:12:11.937255 2019] timestamp="1553008331" srcip="1.1.1.1" localip="2.2.2.2" user="-" host="1.1.1.1" method="RPC_IN_DATA" statuscode="400" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" duration="57241" url="/rpc/rpcproxy.dll" server="abc.domain.com" referer="-" cookie="OutlookSession=\"{6E04B45E-5621-4D48-AC88-99A9A5874F95} Outlook=15.0.4420.1017 OS=10.0.16299\"; ClientId=GTOJYBRN0WHIHLKKIHZAQ" set-cookie="-" recvbytes="1198" sentbytes="0" protocol="HTTP/1.1" ctype="text/html" uagent="MSRPC" querystring="?abc.domain.com:6004" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="37"
[Tue Mar 19 20:11:32.837071 2019] timestamp="1553008292" srcip="1.1.1.1" localip="2.2.2.2" user="-" host="1.1.1.1" method="RPC_OUT_DATA" statuscode="401" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipURLHardening, SkipFormHardening, SkipCookieSigning, SkipThreatsFilter" duration="18025" url="/rpc/rpcproxy.dll" server="abc.domain.com" referer="-" cookie="OutlookSession=\"{EA2598A6-7230-445C-85E8-F7FD4ACF0AC3} Outlook=12.0.6665.5000 OS=6.2.9200\"" set-cookie="ClientId=UGPRJL0KSVNNWYWRW; expires=Wed, 18-Mar-2020 15:13:39 GMT; path=/; HttpOnly" recvbytes="806" sentbytes="5348" protocol="HTTP/1.1" ctype="-" uagent="MSRPC" querystring="?09d91851-14a9-4c59-b9a2-2dbf9da3340e@domain.com:6001" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="37"
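
An added example, not part of the original post: a small Python triage script for reverseproxy log lines in the format shown above. It handles the backslash-escaped quotes in the cookie field and counts failed requests to the RPC proxy path by method and status. The sample lines are constructed (abridged from the post's log lines) and the function names are hypothetical.

```python
import re
from collections import Counter

# key="value" pairs; values may hold backslash-escaped quotes (see cookie=).
PAIR = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

# Constructed sample, abridged from the log lines in the post.
SAMPLE = [
    '[Tue Mar 19 20:12:11.994435 2019] [proxy_http:error] [pid 14057:tid 140601819342592] '
    '(104)Connection reset by peer: [client 1.1.1.1:49945] AH01095: prefetch request body failed',
    r'[Tue Mar 19 20:12:11.937255 2019] srcip="1.1.1.1" method="RPC_IN_DATA" statuscode="400" '
    r'exceptions="SkipAntiVirus, SkipURLHardening" url="/rpc/rpcproxy.dll" '
    r'cookie="OutlookSession=\"{6E04B45E} Outlook=15.0.4420.1017\"; ClientId=X" ruleid="37"',
    r'[Tue Mar 19 20:11:32.837071 2019] srcip="1.1.1.1" method="RPC_OUT_DATA" statuscode="401" '
    r'exceptions="SkipAntiVirus, SkipURLHardening" url="/rpc/rpcproxy.dll" '
    r'cookie="OutlookSession=\"{EA2598A6} Outlook=12.0.6665.5000\"" ruleid="37"',
]


def parse_line(line):
    """Return the key="value" fields of one log line as a dict.

    Error-log lines without such fields yield only an empty exceptions list.
    """
    fields = {k: v.replace('\\"', '"') for k, v in PAIR.findall(line)}
    raw = fields.get("exceptions", "")
    fields["exceptions"] = [e.strip() for e in raw.split(",") if e.strip()]
    return fields


def rpc_failures(lines):
    """Count (method, statuscode) for 4xx/5xx requests under /rpc/."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if not f.get("url", "").lower().startswith("/rpc/"):
            continue  # not an RPC proxy request (or not an access-log line)
        if f.get("statuscode", "").startswith(("4", "5")):
            counts[(f.get("method", "-"), f["statuscode"])] += 1
    return counts


if __name__ == "__main__":
    for (method, status), n in rpc_failures(SAMPLE).items():
        print(method, status, n)
```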