Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 1909 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF Exchange 2010 issues

Seikai
I have two questions in relation to the Web Application Firewall

#1 Why is the internal IP showing up in the URL for OWA?

Example:
mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2f192.x.x.10%2fowa%2f

Output from WAF LiveLog:
" 2013:08:16-18:55:22 mail-1 reverseproxy: srcip="108.x.x.58" localip="63.x.x.161" size="9303" user="-" host="108.x.x.58" method="GET" statuscode="200" reason="-" extra="-" time="278570" url="/owa/14.1.438.0/themes/resources/lgnbotl.gif" server="mail.domain.com" referer="mail.domain.com/.../logon.aspx

#2 Is there no way to export the local x509 cert so I can change that to what the exchange server uses for https?  I ask because if I attempt to add a phone to the exchange server I clearly see the cert it's using is the UTM's cert which is not currently the https cert used by exchange.  Now if my only option is to purchase a cert from a recognized CA then so be it, but I was curious if there is a way around this issue?


This thread was automatically locked due to age.
  • 0
    Issue number one was resolved by me creating a request routing entry for the internal domain's DNS and using a DNS host instead of a Host network definition.  But my issue with provisioning new phones with WAF in place is still an issue due to the UTM using a different SSL cert than Exchange.  Existing phones are still able to receive/send mail because they've already been provisioned with the correct SSL cert.
  • 0
    you will have to install the waf cert onto the phones...since WAF is effectively a MITM you have to use the WAF cert due to that is what external clients see.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0
    Hi ,

    If you have a real cert like verysign gidaddy or so that you are using on the exchange for autodiscover and other services that you are using on the exchange , you can install it on the UTM and then use it on the WAF and it will work without any need to install any certs on the phones.

    All my best.
    Gilipeled

    Gil Peled.

    CEO- Expert2IT LTD.

    SOPHOS Platinum Partner.

    Gil@expert2it.co.Il.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?