Exchange 2019 and WAF configuration - how to get ActiveSync working ?

Dear Sophos support team,

there have been several requests about this topic, but digging through them didn't provide a proper solution.
In the past Sophos provided a guideline for the UTM how to publish an Exchange server with WAF.

I did not find an equivalent for the XG.

So can you please provide a guideline how to publish Exchange over XG WAF with ActiveSync working and keeping WAF as secure as possible ?
Any help is appreciated.

Best Regards
ranX



This thread was automatically locked due to age.
  • Nothing ? Really ?
    Again "lost in space" with XG ?

  • There are German external Posts about how to integrate this: https://www.frankysweb.de/sophos-xg-18-webserver-protection-und-exchange-2019/

    Simply use MAPI and the predefined Policies, should work. 

    Contact your Sophos Partner to get assistance for the configuration. 

    On the other hand, maybe it's time to look at O365 / Exchange Online for certain reasons. See the vulnerabilities coming up in Exchange on Prem.

  • I cannot comment on this matter with more information than the classic information hierarchy, which has been the same since I have worked for Sophos (7 years). Partners have a direct touch to Sophos or can refer to the Distribution to get configuration assistance.

    This particular case in the community - I cannot comment on this either, as I don't know what the resolution was. What I do know: the UTM template should work like the SFOS template for Exchange.

  • I have used the UTM for 10 years, since it was still Astaro.
    At that time support requests got resolved pretty quickly.
    At present our partner's request took about two weeks until it was answered.

    The UTM template should work ...
    The "should" is the important word, as it doesn't,
    which I can confirm by personal experience.
    I repeat:
    Nothing in our environment changed; only the UTM was migrated to XG.
    On the UTM the template worked perfectly "out of the box", on the XG it didn't.

    If that were the case, mine and the previous posters' requests wouldn't have been necessary ...

  • Ah, and by the way: the settings proposed in the new KB article still don't work, when I follow them exactly.
    As already mentioned I have to disable the option "Block clients with bad reputation" in the Webservices policy.
    Otherwise mobile clients which come with IPs from the German Telekom network will be blocked from logging in to ActiveSync.

  • "Block clients with bad reputation" is an old option from UTM, which in fact uses the same database as UTM did. So this database of blocking clients should be the same, but the IP you are trying to use seems to be blacklisted.

    You see this kind of information in both online helps:

    UTM:

    SFOS: 

  • I think most mobile Devices will have a bad IP reputation,
    this is normal and should not be used.

    Where can I reach these Sophos Professional Partners?

    If these are the Sophos Platin Partners, I see no hope. I asked one Platin Partner for IPv6 support
    and he said that he had zero to no knowledge about this.

  • Hi Juergen,

    thanks for sharing this experience regarding bad reputation of mobile clients.
    If it is like this, then why does Sophos propose to activate this setting in their KB?

    As already mentioned a few posts above, it's pretty hard to find someone with profound knowledge about the XG.
    Convergent suggests to skip rule 920420 but doesn't know what this rule actually does.
    Support simply adds this to the KB without any clarification about this rule.
    ...

    Since Sophos took Astaro, the overall customer experience has become a growing pain.

  • Sophos support is for fixing bugs, not for updating documentation. 🙈

    I had a call from Sophos today.
    There is no direct Sophos Professional Services (from Sophos).
    The burden is at the Sophos Partner.

    He also suggested to call Microsoft for help.

    Sophos upgraded the documentation:
    Sophos Firewall: Web Application Firewall for Exchange 2016

  • Why are you fighting and arguing with someone who is looking for help?
    You Sir, shouldn't be allowed to post anything in here, since all you do is play smart boy, who knows everything better.
    The GDPR/DSGVO is preventing some companies to use any cloud service at all, as long as the server is not in Europe and the data will not stay in Europe! So no backups or replication from German Servers to American Servers, where my data can be accessed by calling the patriot act, for example.

  • Thanks for your feedback. 

    I was simply asking questions, as I am not an Exchange expert nor IT lawyer, but I could not resist asking why everybody is still using O365, if this is not allowed. Looking at most customers, they all use Microsoft services in most ways. And it seems odd to me that even government customers use those services, which they are not allowed to use.

  • Hi Lucar Toni,

    IMHO there is no need to defend yourself. We know your intention is to help and you helped many of us in the past.

    You are right that many EU institutions and governments are also using cloud services based in the US. It is still an ongoing process and some of it is not law as stated by some here but also self regulation and therefore unclear. Maybe the investigations will make it clearer in the future.

    https://edps.europa.eu/press-publications/press-news/press-releases/2021/edps-opens-two-investigations-following-schrems_en
