
Cannot Get Exchange WAF Rules to Work for Outlook Anywhere or Outlook Web Access (OWA). Outlook Mobile Access and Autodiscover work.

I'll start by saying I attempted to replace my aging Forefront TMG 2010 server this past weekend with an XG310 running firmware 16.05, and after 6 hours of fighting with the Exchange rules I gave up and reverted to the TMG.

 

I have already gone through every post I could find on the subject on the forums (https://community.sophos.com/products/xg-firewall/f/email-protection/74660/publish-exchange-server-through-xg-firewall, https://community.sophos.com/products/xg-firewall/f/network-and-routing/40733/exchange-2013-waf-publishing, https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/80910/does-anybody-have-waf-rules-that-work-to-allow-owa-on-exchange-2010, https://community.sophos.com/products/xg-firewall/f/web-protection/75282/sophos-xg-breaks-ssl-when-connecting-to-outlook-anywhere) and also the most referred-to post outside the forums (https://networkguy.de/?p=998). Some have helped, but none got my system up and running. It also seems other people are having the same issue with no resolution (https://community.sophos.com/products/xg-firewall/f/firewall-and-policies/87745/exchange-outlook-anywhere-waf-not-working).

 

After multiple hours I was able to get Autodiscover working (with its own rule) and Exchange Mobile Sync (again with its own rule). But the "Exchange General" rule will not work, which I need for Outlook Anywhere and Outlook Web Access. The biggest issue is that Outlook will prompt for a username and password, which you shouldn't need. Also, no combination of user/password works. Same with OWA: we get the forms-based authentication, but nothing works. Also I can't seem to get it to redirect to /oma, which TMG does without issue.

 

I've verified under Protect -> Web Server -> Authentication Policies that a user group is selected for both Basic and Forms Based authentication. I also know this works, since I set up a different web server using the forms-based authentication and that works fine. Also, under Protect -> Web Server -> Web Servers my Exchange server is listed as "Encrypted (HTTPS)", which it is.

 

I'm at a loss as to what to try next. Any suggestions? Is there a more up-to-date guide than one based on the UTM? All my other firewall rules (30+) and web server publishing rules (8) work fine; just the Exchange ones do not. I tried a simple web server publishing rule, not using the Exchange template, and I had limited success with that, but it was hit or miss, so that's not the answer either.

 

-Allan



  • So things went better today. Looking at your settings I realized that you appeared to be using the built-in Exchange forms-based authentication. Since I was coming from TMG I was using basic and had the form on the TMG. This tripped me up a lot, mainly because I cannot get the Sophos forms-based authentication to work even with a standard website I'm trying to protect. Login simply fails each time and I can't figure out why. But that's another issue (at least now it is).

     

    First, I used two external IPs from your three. However, I used 4 rules in total.

    Rule 1 - Exchange Autodiscover - IP Address #1 - autodiscover.mydomain.com

    Rule 2 - Exchange Outlook Anywhere - IP Address #1 - email.mydomain.com

    Rule 3 - Exchange General - IP Address #1 - owa.mydomain.com

    Rule 4 - Exchange ActiveSync - IP Address #2 - oma.mydomain.com

    Looking at it, I could probably put everything on a single IP address since I am using unique names for everything (move mobile to the same IP as the other three), but it works, so I'm leaving it alone.

     

    Second, since I was no longer using basic passthrough or forms passthrough, I reset the Exchange virtual directories to their defaults (removing basic authentication from a couple) using the settings here: https://technet.microsoft.com/en-us/library/gg247612(v=exchg.150).aspx

     

    Third, of course, I had to change to forms-based authentication for the OWA and ECP directories through Exchange.

     

    Fourth, in Rule 3 (Exchange General) I added /* to the Static URL Hardening exception list. I did that because I have a redirect to /owa on the Exchange box (using the first set of these instructions: https://support.microsoft.com/en-us/help/975341/how-to-configure-exchange-to-redirect-owa-http-requests-to-https-requests-in-iis-7). That, combined with the Redirect HTTP checkbox on the Sophos rule, lets my users just type owa.mydomain.com in a browser; then Sophos redirects to the secure site at https://owa.mydomain.com/, Exchange redirects to the subdirectory at https://owa.mydomain.com/owa, and everything works. I can't see this being a security issue with the redirect; maybe someone else can weigh in. It does make it a lot easier for the users.

     

    Lastly, since Outlook Anywhere needs EWS for MailTips and Out Of Office (OOF), I added "/EWS/Exchange.asmx" to the exception in Rule 2 above and also in the "Exchange Outlook Anywhere" protection policy. That fixed that issue, an issue I had before on TMG but never could fix.

     

     

    All in all, things are working well. Still some other things to work out, but they are not Exchange related.

     

    -Allan

     
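The Exchange-side part of the procedure above (steps 2 to 5: default virtual-directory authentication, forms-based authentication on OWA and ECP, the IIS root-to-/owa redirect, and EWS published on the Outlook Anywhere hostname) expressed as Exchange Management Shell commands. This is an added example, not code from the thread or from Sophos. The hostnames are the ones from Allan's four rules; the server name, the IIS site name "Default Web Site", and the external authentication values are assumptions that should be checked against the TechNet defaults table linked in the post.

```powershell
# Added example (not from the thread): Exchange Management Shell commands that mirror
# steps 2-5 of the post above. Run on the Exchange 2013 server in an elevated EMS.
# Hostnames come from the post; $Server and the IIS site name are assumptions.
Import-Module WebAdministration

$Server = $env:COMPUTERNAME          # assumption: single Exchange server, run locally
$Site   = "Default Web Site"         # assumption: Exchange lives on the default site

# Step 3: forms-based authentication on OWA and ECP, because the XG WAF no longer
# supplies a login form. FBA cannot coexist with Integrated Windows or Digest auth
# on the same vdir, so those are switched off explicitly.
Set-OwaVirtualDirectory -Identity "$Server\owa ($Site)" `
    -FormsAuthentication $true -WindowsAuthentication $false -DigestAuthentication $false `
    -ExternalUrl "https://owa.mydomain.com/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp ($Site)" `
    -FormsAuthentication $true -WindowsAuthentication $false `
    -ExternalUrl "https://owa.mydomain.com/ecp"

# Step 5 / Rule 2: Outlook Anywhere and EWS are published on email.mydomain.com, so
# the EWS external URL must name that host; otherwise Outlook sends its MailTips and
# OOF calls to a hostname that no WAF rule serves, and /EWS/Exchange.asmx must be
# excepted in the Outlook Anywhere rule as the post describes.
Set-OutlookAnywhere -Identity "$Server\Rpc ($Site)" `
    -ExternalHostname "email.mydomain.com" -ExternalClientsRequireSsl $true
Set-WebServicesVirtualDirectory -Identity "$Server\EWS ($Site)" `
    -ExternalUrl "https://email.mydomain.com/EWS/Exchange.asmx"

# Rule 4: ActiveSync keeps its own hostname on the second public IP.
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync ($Site)" `
    -ExternalUrl "https://oma.mydomain.com/Microsoft-Server-ActiveSync"

# Step 4: IIS redirect of "/" to "/owa" (method 1 of the KB article linked in the post;
# requires the IIS "HTTP Redirection" feature). IIS inherits the site-level redirect
# into every child application, so it is removed again from /owa, /ecp, /EWS, etc.
$Filter = "system.webServer/httpRedirect"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $Filter -Name enabled     -Value $true
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $Filter -Name destination -Value "/owa"
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter $Filter -Name childOnly   -Value $false
foreach ($app in Get-WebApplication -Site $Site) {
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$Site$($app.Path)" -Filter $Filter -Name enabled -Value $false
}

# Step 2 check: list the resulting authentication settings so they can be compared
# against the TechNet defaults table before the WAF rules are put in front of them.
Get-OwaVirtualDirectory          -Server $Server | Format-Table Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication -AutoSize
Get-EcpVirtualDirectory          -Server $Server | Format-Table Identity, BasicAuthentication, FormsAuthentication, WindowsAuthentication -AutoSize
Get-WebServicesVirtualDirectory  -Server $Server | Format-Table Identity, BasicAuthentication, WindowsAuthentication, ExternalUrl -AutoSize
Get-ActiveSyncVirtualDirectory   -Server $Server | Format-Table Identity, BasicAuthEnabled, WindowsAuthEnabled, ExternalUrl -AutoSize
Get-AutodiscoverVirtualDirectory -Server $Server | Format-Table Identity, BasicAuthentication, WindowsAuthentication, WSSecurityAuthentication -AutoSize
Get-OutlookAnywhere              -Server $Server | Format-Table Identity, ExternalHostname, ExternalClientAuthenticationMethod, IISAuthenticationMethods -AutoSize
```

Two caveats worth noting. The `/*` static URL hardening exception on the "Exchange General" rule effectively disables that one protection for every path on owa.mydomain.com, not just the redirect from `/`; an exception limited to `/` (and `/owa`) covers the redirect described above while keeping hardening on the rest of the rule. And whichever virtual directories keep Basic authentication enabled after the reset are accepting credentials directly from the Internet once WAF authentication is switched off, so the TechNet defaults are the minimum, not a target, and a lockout policy on the accounts behind them is the usual compensating control.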

  • Allan,

    thank you for sharing your experience.

    This is the meaning of the Community!

    Thanks again.
