MacOS clients and Exchange 2010 - OWA and Outlook

Hello!

Got a question for the forums here. I'm just getting started with Sophos firewalls, have some basic setups in place, and am starting to delve into more advanced configurations. I have a remote site with an XG125 as the head-end. PCs on that network can connect to Exchange (2010) with no issues. However, I have one user at this location with a MBP (mid 2014, running El Capitan) who can't access OWA via Safari (it just hangs), nor can said user use Outlook for Mac 2016. It continually says "connecting to domain".

I've been able to replicate the issue exactly with a Mac mini, so I know it's not the device.

XG125 is running SFOS 16.01.2

Any help would be appreciated.

Thanks in advance!



This thread was automatically locked due to age.
  • Hi Josh,

    Check #1 in the guide here. What do you see in the drop logs? Also, check in the log-viewer if you see any denial for this connection.

    Thanks

  • Ok, so we've been able to do some troubleshooting and we've dressed down this issue a little bit more. As I mentioned before, Apple devices (macOS or iOS) can't access OWA (https://mail.ourdomain.com/owa) on our Exchange server that is located on the other side of the VPN. Client -> Sophos -> IPsec VPN -> SonicWALL (NSA240) -> Exchange server. However, in our research what we've found is that any client behind the Sophos mentioned above (Windows or Apple) cannot access websites that are hosted behind that NSA 240 that have an SSL cert. For example, we have a self-hosted CRM software solution behind the SonicWALL. This has a GoDaddy SSL cert attached to it. If a Windows (or Apple) machine behind the Sophos device tries to access that, it fails.

    So, trying to access any self-hosted, SSL signed website behind the SonicWALL, and using our internal DNS (also behind the SonicWALL), fails. If I manually set the device's DNS to an external DNS (say Google), magically, everything works. So it appears to be an issue specifically over the VPN related to resolving self-hosted, SSL signed websites.

    Thanks for any insight you can provide!

  • John,

    On the firewall rule where you are allowing HTTP traffic from LAN to VPN side, can you select "none" as web filtering?

    The other option is to disable pharming protection under Web > Advanced.

    Let us know.

    Regards

  • Luk,

    Thanks for the quick response! I just got off the phone with Sophos Support and we figured out what it was. (In direct answer to your question... web filtering was already set to "none", so that wasn't the issue.)

    The issue was being caused by what was called a "possible bug" by the tech in microapp discovery. As soon as we turned that off in the console (SSH, option 4) with the command:

     system application_classification microapp-discovery off

    it fixed all my issues.

    Thanks again for your help!

  • Josh,

    Thanks for sharing it. Micro-app scanning is causing a lot of issues. Sophos has to find a way to get it to work properly.

    Hope that Sachin will take a note of it and share a Jira about it asap.

    Thanks again. Your answer will help a lot of users.