This discussion has been locked.

o365 hybrid, X-MS-Exchange-Organization-AuthAs: Anonymous - office 365 and working with sophos XG firewall

Ok so here we go. I am currently working on moving our organization to office365. We are currently running on prem exchange 2016 and office365 in the cloud. Sophos XG firewall is configured for transparent filtering between the two mailservers.


The problem I have is that there is a header in the emails when they come from office 365. This header is "X-MS-Exchange-Organization-AuthAs: Anonymous". It should be "X-MS-Exchange-Organization-AuthAs: Internal" when everything is working properly. I went through all the office365 receive connector and transport rules and everything. Couldn't find the problem. I saw many references that you can't have mail appliances in the way, so I made a rule so that the traffic would bypass the SMTP and SMTPS checks. Lo and behold everything works. So 100% sophos XG is the problem.

I find it interesting that I can't find many other people with the same problem here. I found this post ( community.sophos.com/.../office365-deployment-best-practice ) that basically says we should run a long ass script that periodically updates the sophos XG with the correct IP address ranges for whitelisting. I don't really find this to be the most elegant solution, if I can even get it working.

So I am posting here. I had some ideas that I am going to try today, like making a parallel route from office365 to a different public IP address that then redirects to the mailserver for inbound messages and bypasses all the checks.

So this post is to document my progress towards a solution, and see if anyone else has this problem as well. Since we all now have to move to o365 as MS sunsets on prem exchange, I think it's timely to have a good solution from the sophos side, as this will keep coming up again and again for people. I would go so far as to ask sophos to fix this problem on their end so we don't have to come up with crazy hacks. Office365 mail is going to become a bigger and bigger contender over the next few years till it is most likely the de facto standard like exchange was. Sophos should be able to deal with it in transparent mode by default.



  • Hi  

    The configuration of the Hybrid Exchange is indeed a bit complicated. The main reason is the different sets of user accounts, some being on-prem while others are on O365. For the Hybrid exchange to function properly, what you need is an unscanned connection between on-prem and O365. The idea of configuring a parallel route outside of XG to your on-prem is good but then again you will need to restrict that connection for your O365 account only.

    I might be doing an oversimplification for the setup but the Firewall rule for communication between on-prem and O365 should be higher than the default SMTP scanning rule configured by XG. But I guess that's the main issue, to create a rule to allow the connection between on-prem and O365. The list of IPs and URLs provided by Microsoft is a big admin task to do that.


    Please post your progress here. I'll post any developments from XG to make this process easier.

    THANKS.

  • This issue has raised its head again. I have mail rules in place. These mail rules trigger when a mail is "outside of the organization". Due to us using teams more during the pandemic, we are emailing teams groups more and more, making this problem pop up again.

    As above, if I turn off smtps and smtp scanning, the mail is marked as internal. Otherwise, the mail is given the header X-MS-Exchange-Organization-AuthAs: Anonymous

    I think I will create a sophos case now to see if there is a method or workaround. Surprised more people don't have this issue with the XG in hybrid configuration with o365, as there is no response on this in the last year.

  • Did you ever get this working?

    I am at the stage of trying to get the O365 and Exchange On-Premise Hybrid connector to work to allow O365 to talk with Exchange On-Premise, ready for migration.

    What did you configure on Firewall rule(s) to get the two talking?

    Many thanks

  • They talk fine with no real firewall rules specifically for this. The issue is that the messages are marked as anonymous, not internal, when smtps scanning is enabled.

    I mean from the sophos side of it, I didn't have to do anything. But it's also currently not working properly as I said above. I am talking to sophos support daily about it.

    Their latest idea is to whitelist all the office365 IP netblocks. But then all office365 mail would bypass the scanners including spam, so I don't really like that approach. When I have time I will try it though. I had a similar idea last year but thought that because they have so many IP addresses, that likely change, that it was unworkable.

    Anyways, my point is that hybrid mail flow does work right now for the most part and that had nothing to do with sophos. I forget the tutorial that I had watched to get it working as now it was several years ago. It's just not flagging the mails as internal.
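
A header check for the symptom discussed in this thread, as an added example that is not part of the original posts and not Sophos or Microsoft code: it reads a message's raw headers, reports the `X-MS-Exchange-Organization-AuthAs` value together with the relay hops from `Received`, and flags mail from your own domain that did not arrive as `Internal`. The domain `example.com`, the host names and the sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AUTHAS = "X-MS-Exchange-Organization-AuthAs"
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.I)

def classify(raw, internal_domains):
    """Report AuthAs, sender domain, relay hops and a verdict for one message."""
    msg = message_from_string(raw)
    auth_as = (msg.get(AUTHAS) or "").strip()
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = []
    for received in msg.get_all("Received", []):
        m = HOP.search(" ".join(received.split()))  # unfold continuation lines
        if m:
            hops.append((m.group(1), m.group(2)))
    if not auth_as:
        verdict = "no-authas-header"
    elif auth_as.lower() == "internal":
        verdict = "internal"
    elif domain in internal_domains:
        # From: is sender-controlled, so this also matches spoofed mail;
        # use the hops to confirm the message really came via the hybrid path.
        verdict = "own-domain-not-internal"
    else:
        verdict = "external"
    return {"auth_as": auth_as, "domain": domain, "hops": hops, "verdict": verdict}

# Constructed samples (placeholder hosts and documentation IP ranges).
SCANNED = """\
Received: from mail-relay.example.net (192.0.2.10) by
 EXCH01.corp.example.com (10.0.0.5) with Microsoft SMTP Server
From: Alice <alice@example.com>
X-MS-Exchange-Organization-AuthAs: Anonymous

test
"""
BYPASSED = SCANNED.replace("AuthAs: Anonymous", "AuthAs: Internal")
OUTSIDE = SCANNED.replace("alice@example.com", "bob@example.org")

if __name__ == "__main__":
    for name, raw in [("scanned", SCANNED), ("bypassed", BYPASSED), ("outside", OUTSIDE)]:
        result = classify(raw, {"example.com"})
        print(name, result["verdict"], result["hops"])
```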