Thread Info
  • State Verified Answer
  • +9 person also asked this people also asked this
  • Locked Locked
  • Replies 105 replies
  • Answers 1 answer
  • Subscribers 23 subscribers
  • Views 16822 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF issues after updating to 9.709-3

FrancWest

Hi,

anyone else noticed that after updating to 9.709-3 Exchange Web Services is not working anymore? We get HTTP Error 500 when connecting to EWS published trhrough WAF. Also, the virtual server changes to orange when this error occurs. Accessing EWS through the browser shows the service page after authentication, but when interacting with EWS by using the Exchange Remote Connectivity Analyzer or EWS Editor generates the HTTP 500 error and the WAF rule turns orange.

When directly connecting to EWS and bypassing UTM works fine and we can interact with EWS.

Before the update everything worked fine.

Franc.



This thread was automatically locked due to age.

Top Replies

  • in reply to Jay Jay +4 verified

    It's related to the handling of the '100 Continue' message in the HTTP protocol. This message is sent by a Server after receiving the headers for a request to indicate that it is ready to receive the body of the request from the client - it allows a server to check the headers and potentially reject the request before the client unecessarily sends all the data. Normally, the client would send an additional "Expect:" header to indicate that it is going to wait for the server to send this message before it sends the request body.

    The recent update to Apache changed how this process is handled by the proxy, in a way that didn't work well with Exchange.

    The old behaviour was that the proxy would itself respond to the client with a '100 Continue' and would not wait for the server to do so. The new behaviour of Apache forwards the "Expect:" header to the server and waits for the server to respond with 100 Continue before passing the "100 Continue" to the client. This change defends against potential issues where a client could send a very large request, which the WAF proxy would have to buffer until the server is ready for it.

    The change should be fine for servers that respond to 'Expect' headers and use 100 Continue strictly according to the HTTP specification, but it seems that Exchange does not.

    Changing the configuration option as specified reverts this behaviour so that the proxy itself responds with a "100 Continue" message instead of waiting for the Server to do so. The risk of this behaviour is that the proxy has to buffer the entire body of the request before the server is ready to receive it. This shouldn't be a problem in most situations because request bodies are usually quite small.

    Jump to answer
Parents
  • 0

    We finally got a response from Sophos support, but not the one we wanted:

    We've received the following feedback from our Dev and PM teams:

    The issue that the customer encountered is related to some custom extensions to the HTTP protocol that Microsoft started using. It seems like these were not always critical, so many customers found that WAF still worked even though we could not support these extensions. However, with the recent necessary changes to Apache on the UTM, it seems like we've run out of leeway there.

    The solution to this would require us to substantially re-write the WAF code to handle these Microsoft-specific protocol extensions, which does not seem to happen in the near future.

    This is a Feature Request as confirmed and you can post an idea on this portal for the requirement: https://ideas.sophos.com/, where, the concerned teams actively look for requirements reported by users and take further decisions based on the volume impacted.
      

    As Technical Support does not follow up on feature requests, your case will be closed.  If you wish to have more information about a feature request, please contact your Reseller or local Sales Engineer. 

  • 0 in reply to FrancWest

    I find this answer unbelievable to be honest. If something worked before (be it intentionally or not) it's strange that now all of a sudden Sophos doesn't support EWS anymore without any warning. It isn't mentioned anywhere that EWS through WAF wasn't supported before. Now when it doesn't work anymore due to changes to Apache, Sophos states bad luck you are on your own. We as customers have to find a different solution now. We already solved it by using our Kemp loadbalancer to do the WAF for EWS, but not every customer has that option.

    They even have a KB article where they show how to configure EWS through WAF.

    Way to go Sophos :-(



    .
    [edited by: FrancWest at 10:39 AM (GMT -7) on 29 Apr 2022]
Reply
  • 0 in reply to FrancWest

    I find this answer unbelievable to be honest. If something worked before (be it intentionally or not) it's strange that now all of a sudden Sophos doesn't support EWS anymore without any warning. It isn't mentioned anywhere that EWS through WAF wasn't supported before. Now when it doesn't work anymore due to changes to Apache, Sophos states bad luck you are on your own. We as customers have to find a different solution now. We already solved it by using our Kemp loadbalancer to do the WAF for EWS, but not every customer has that option.

    They even have a KB article where they show how to configure EWS through WAF.

    Way to go Sophos :-(



    .
    [edited by: FrancWest at 10:39 AM (GMT -7) on 29 Apr 2022]
Children
  • 0 in reply to FrancWest

    Exactly this! This is unacceptable.

    Basically the answer from support means, that they won't fix NUTM-13425 because they would have to rewrite the WAF code, however they converted this issue into a feature request...because...you know...it is UTM...and we listen to your needs and requests....lulz

    Clearly there was no further development since years and therefore implementing this "feature request" will never happen.
    Support playing funny games right here!

    But, I think I did not miss a notice about retiring the UTM until now. So it still is a fully supported device.
    And this device got crippled with an update.
    So you should get your hands dirty rewriting that code.

    EWS functionality is part of UTM as stated in KB support.sophos.com/.../KB-000038003