This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exchange 2016 MAPI over HTTP with NTLM

Hi all,

we are currently in the process of enabling the new MAPI over HTTP protocol on our Exchange Servers.

Therefore we added the /mapi/* and /MAPI/* subdirectories as exclusions in our WAF rule for Exchange as we had it before with the /RPC/* Directory.

Works all well with one caveeat - NTLM passthrough seems not to be possible, there is always a fallback to Basic authentication which leads to a Password prompt each time the user opens Outlook from external.

Any idea who to fix this or if it not possible in the current release (we are using the latest SFOS 16.05), in which release this will be supported?

This thread was automatically locked due to age.

0 lferrara over 8 years ago

Heiko,

NTLM over WAF module is not yet supported. Switch to basic authentication.

Hope that in Sophos they will add NTLM support soon. It is one of the missing feature from who is coming from ISA Server.

Here the feature request to vote:

http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10793424-waf-more-authentication-type

Regards
Cancel
Vote Up 0 Vote Down

Cancel
0 HeikoSchuler over 8 years ago in reply to lferrara

Hi Luk,

thanks for your reply. However, it does not fit directly to my question. I know that NTLM as pre-authentication is not supported at the moment with XG. However, my problem is another one.
We are not using any pre-authentication upfront of the published Exchange Server.

But the Exchange Server itself uses MAPI over HTTP (new Protocol introduced with Exchange 2013 as a replacement for the know RPCoverHTTP).
And there it looks like Sophos doesn't support this to 100% (same like the "new" RPC over HTTP with the Remote Desktop Gateway if you use Windows versions newer than 2008 R2).
It works but it always want's to have a separete authentication instead of just using the NTML credentials.
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 8 years ago in reply to HeikoSchuler

Heiko,

did you have a look at this documentation:

https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

WAF on XG is the same one as UTM9.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 Steven Schmitt over 8 years ago

Hi Heiko,

did you find a solution for that problem?

I also recently switched to Mapi over HTTP - and have the same problem that NTLM does not work via WAF.

Thanks in advance,

Best

Steven
Cancel
Vote Up 0 Vote Down

Cancel
0 HeikoSchuler over 8 years ago in reply to Steven Schmitt

Hi Steven,

unfortunately no solution so far.

But havent't tested it with the latest release yet

Best,
Heiko
Cancel
Vote Up 0 Vote Down

Cancel
0 lior me over 8 years ago in reply to HeikoSchuler

Hi Steven

we are facing the same problem of password prompts (i think it's only happening with outlook 2016 but i'm not sure)

so what are you doing to "live" with the problem? are you simply re-opening outlook or reinserting a password? or do you have some sort of a workaround for now?

thank you
Cancel
Vote Up 0 Vote Down

Cancel