Exchange 2016 MAPI over HTTP with NTLM

Hi all,

we are currently in the process of enabling the new MAPI over HTTP protocol on our Exchange Servers.

Therefore we added the /mapi/* and /MAPI/* subdirectories as exclusions in our WAF rule for Exchange as we had it before with the /RPC/* Directory.

It all works well, with one caveat: NTLM passthrough does not seem to be possible. There is always a fallback to Basic authentication, which leads to a password prompt each time the user opens Outlook from external.

Any idea how to fix this or, if it is not possible in the current release (we are using the latest SFOS 16.05), in which release this will be supported?



  • Heiko,

    NTLM over WAF module is not yet supported. Switch to basic authentication.

    Hope that in Sophos they will add NTLM support soon. It is one of the missing features for those coming from ISA Server.

    Here is the feature request to vote for:

    http://ideas.sophos.com/forums/330219-sophos-xg-firewall/suggestions/10793424-waf-more-authentication-type

    Regards

  • Hi Luk,

    thanks for your reply. However, it does not directly fit my question. I know that NTLM as pre-authentication is not supported at the moment with XG. However, my problem is another one.
    We are not using any pre-authentication in front of the published Exchange Server.

    But the Exchange Server itself uses MAPI over HTTP (new protocol introduced with Exchange 2013 as a replacement for the known RPC over HTTP).
    And there it looks like Sophos doesn't support this 100% (the same as with the "new" RPC over HTTP with the Remote Desktop Gateway if you use Windows versions newer than 2008 R2).
    It works, but it always wants to have a separate authentication instead of just using the NTLM credentials.
