Secure Exchange Webservices with Sophos UTM WAF

current status of this guide: 18th July 2016 (Exchange 2016 compatible)

There are many tutorials about securing Exchange webservices with the Webserver Protection from Sophos UTM but some are outdated or are not working any more. So I will show you a working configuration and will keep this tutorial up2date. Login to your Sophos UTM WebAdmin, deactivate the DNAT and configure your Exchange server under “Real Webservers”:

waf-realserver

upload your SSL certificate to the Sophos UTM store to publish the site via the virtual webservers:

waf-certificate

there are three Exchange webservices: ActiveSync for pushmail with mobile devices, Outlook Anywhere (RPC) for secure sync with Outlook clients and the Outlook Web App for accessing your mails via browser. I combined all services in a single profile and built a second profile for autodiscover.

waf-firewall-autodiscover

Skip Filter rules:

960015
960911

Static URL Hardening:

/autodiscover
/Autodiscover

Firewall-Profile for OWA:

waf-firewall-owa

Skip Filter rules:

960015
981203
960010
960018
981204
960032
981176

Static URL Hardening:

/ecp
/ECP
/ews
/EWS
/Microsoft-Server-ActiveSync
/oab
/OAB
/owa
/OWA
/rpc
/RPC
/mapi
/MAPI
/

after this you need to configure both virtual webservers for the URLs autodiscover.company.com and owa.company.com:

waf-virtual-autodiscover

 

waf-virtual-owa

at the end you need to configure exceptions to make everything work. We will configure four exceptions for specific URLs:

Title: AV exception for OWA
Skip: Antivirus
Virtual Webserver: “Exchange OWA”
for paths:
/owa/ev.owa*
/OWA/ev.owa*

Title: exception for autodiscover
Skip: Static URL Hardening
Virtual Webserver: “Exchange Autodiscover”
for paths:
/autodiscover/*
/Autodiscover/*
Advanced: Never change HTML during Static URL Hardening or Form Hardening

Title: exception for OWA
Skip: Static URL Hardening
Virtual Webserver: “Exchange OWA”
for paths:
/ecp/*
/ECP/*
/ews/*
/EWS/*
/Microsoft-Server-ActiveSync*
/oab/*
/OAB/*
/owa/*
/OWA/*

Advanced: Never change HTML during Static URL Hardening or Form Hardening

Title: exception for Outlook Anywhere
Skip: (everything:) Antivirus, Static URL Hardening, Form Hardening, Cookie Signing, Bad Reputation, Outbound HTTP Policy, Protocol Anomalies, Protocol Violations, Bad Robots, Request Limits, SQL Injection Attacks, Generic Attacks, Trojans, Tight Security, XSS Attacks
Virtual Webserver: “Exchange OWA”
for paths:
/rpc/*
/RPC/*
/mapi/*
/MAPI/*

Feel free to discuss this in the comments. I saw some “ModSecurity” messages at one of my customer and skipped additionally the rules 981176, 960009, 900000, 960911, 960904, 960035 and Outlook Anywhere stops working! I don’t know why skipping some rules is breaking the RPC service… just keep that info in mind. I’m using the above configuration at all of my customers.

 

 

32 thoughts on “Secure Exchange Webservices with Sophos UTM WAF

  1. Pingback: Anonymous
  2. Hi, do you have this working 100%? – I have it setup on my mobile and it makes errors:
    method=”POST” statuscode=”403″ reason=”url hardening” extra=”No signature found”
    on this one: url=”/Microsoft-Server-ActiveSync”

    Thanks for a great guide though 🙂

    Br. martin

    • Yeah I corrected the tutorial. The exception for this folder is your virtual “Exchange OWA” server, not “Exchange Autodiscover”, sorry 🙂

  3. Hi michel

    I have problem with my exchage 2010 and utm 9.3
    I didi configure my sopho with thier officle doc but when try to open owa or outlook anywhere get loging prompt repedetly
    I didnot confihure anything for autodiscover could it this be the reson?
    If this is the root of the issue
    My cert has 4 names and non is autodiscover can i use for example remote.mydomain.com to configutr my auto discover or it must called autodiscover?

    Thanks

    • Hi Shahin,

      Outlook is looking automatically for “autodiscover.yourcompany.com” :-/ you need to point this DNS name to the same address as “owa.” or your “remote.”

  4. Hi Michel,

    I really appreciate to take the time an answer my question,

    We hosting many domains in our Exchange org the domain called internally .local and external domains belong to different customers so I dont think the Autodiscover is really an issue here.

    Just one question:

    You didn’t configure any Authentication profile so your configuration dont need any right? should I still configure the Exchange virtual directory with basic Authentication?

    Thanks

  5. This is realy streang that Sophos dont talk about this in thier article:
    https://sophserv.sophos.com/repo_kb/120454/file/Exchange%20WAF%20How%20to%209%202.pdf

    So if we dont want to use OTP there is no need to configure the Reverse Authentication and no need to add our DC to the servers onder the Authentication services right?

    with your config does the end user see the Exchange form Base Authentication page or Basic Authentication?
    or this depend on which authentication is setup at IIS level?

    Thanks

    • This article is not working 🙂

      If you don’t use OTP you don’t need to configure authenticatoin on the Sophos UTM. I often configure form-based authentication as the user likes it more 🙂

  6. Hi Michel,

    Thanks again for reply,

    I am realy new to UTM and always worked with TMG, so thank you for being patient and answering my questions.

    If I understood you correctly your configuration should work for OWA and outlook anywhere and also for smartphones right?

    On the exchange level how should we configure the authentication for the exchange virtual directory? right now all of the directories have Windows and Basic authentication enabled.
    should we change the OWA and ECP to form based authentication and leve the rest as they are with basic auth?

    • I’m always patient 😉

      yes it will work for the three ways to access your mailbox (Outlook Web Access “/owa” within a browser, Outlook Anywhere “/rpc” and Pushmail “/Microsoft-ActiveSync”). You don’t need to change anything at the directories. You can change form based in the Exchange Management Console in serverconfiguration / client-access / Outlook Web App.

      Keep asking questions 🙂

  7. Very kind of you,

    I decided to go ahead with your config.

    Just with one difference that I dont have the autodiscover.mydomain.com in my cert so I hoop this one is not going to create a problem.

  8. Hi Michel

    Unfortunatly with above config the outlookanywhere dont work( didnt test the phons yet)
    I can login to the owa only in the internet explorer if i try in other browser get an error
    I did check the logs and see the ids that michel in his last part of his config talked abut I did add them to exception with The rest of the ids but still no change.
    when try to access the OA i get the loging screen repedetly.
    Any ideas guys

  9. Guys my exchane OA and activesync and owa is finally working
    We decided not to use the reverse authentiaction as i think still is not really working good and sophos has his issues with it and no need for the reverse authantication let the backend server do the authentication
    I did use the Michel and the offical doc of sophos and get it to work

    Thank you Michel

  10. Hi Michel, do you know the OWA App for iOS / Android? Some of our customer are using this app but it doesn´t work, although it should because it is using the same infrastructure as native OWA. Do you know where the problem could be?

  11. Thanks so much for this great writeup. For now we are running without firewall profiles for simplicity – more interested in being able to control access to the various virtual directories by network location (under site path routing).

    One thing I noticed was that when we had HTTPS & Redirection on the virtual servers, users would get an Outlook popup regarding allowing autodiscover to configure settings etc. We switched both VSes to just HTTPS and that seems to have gone away.

    WAF is definitely a little quirky/touchy!

    Curious what version of UTM you are on. We had been happy with 9.321 for a loooong time but it seemed to me that WAF wasn’t working right with Exchange on it. Moved to 9.355-1 for now and it seems to function properly.

  12. Eh, spoke too soon. It’s just not stable. Outlook randomly disconnecting (while still fine for others) on people and refusing to reconnect. Had to switch back to DNAT for now.

    Having a DNAT just for SMTP to the same ip shouldn’t affect WAF on that ip, correct?

    • A DNAT for SMTP is ok, WAF is only working on http and https. Can you update to the latest 9.4 version? I use this tutorial always at new installations and I haven’t problem yet.

  13. It absolutely amazing: skipping some Rule IDs really breaks WAF as you wrote above. My logs were full of warnings after I excluded 900000, 960911, 960904, 960035 and outlook Anywhere could not connect over RPC/HTTP
    The warnings were like:

    ModSecurity: Warning. Match of “rx ^(?i:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+)?)?/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$” against “REQUEST_LINE” required. [file “/usr/apache/conf/waf/modsecurity_crs_protocol_violations.conf”] [line “52”] [id “960911”] [rev “2”] [msg “Invalid HTTP Request Line”] [data “RPC_OUT_DATA /rpc/rpcproxy.dll?cas.mydomain.lan:6002 HTTP/1.1”] [severity “WARNING”] [ver “OWASP_CRS/2.2.7”] [maturity “9”] [accuracy “9”] [tag “OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ”] [tag “CAPEC-272”] [hostname “mail.mydomain.de”] [uri “/rpc/rpcproxy.dll”]

    ModSecurity: Warning. String match within “.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/” at TX:extension. [file “/usr/apache/conf/waf/modsecurity_crs_http_policy.conf”] [line “88”] [id “960035”] [rev “2”] [msg “URL file extension is restricted by policy”] [data “.dll”] [severity “CRITICAL”] [ver “OWASP_CRS/2.2.7”] [maturity “9”] [accuracy “9”] [tag “OWASP_CRS/POLICY/EXT_RESTRICTED”] [tag “WASCTC/WASC-15”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “mail.mydomain.de”] [uri “/rpc/rpcproxy.dll”]

    My exclusions are now for and Webservices:
    960015
    960010
    960018
    981204
    960032
    981176
    981203

    Btw: still got this nasty one left. Note: it allows access but warns.
    ModSecurity: Access allowed (phase 1). Operator GT matched 0 at ENV. [file “/usr/apache/conf/waf/base.conf”] [line “14”] [id “900000”] [hostname “mail.mydomain.de”] [uri “/rpc/rpcproxy.dll”]

  14. Followup:
    when using “rigid filtering” in the firewall profile, Rule 960009 must be skipped for /Microsoft-Server-ActiveSync.

    [security2:error] ModSecurity: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [file “/usr/apache/conf/waf/modsecurity_crs_protocol_anomalies.conf”] [line “66”] [id “960009”] [rev “1”] [msg “Request Missing a User Agent Header”] [severity “NOTICE”] [ver “OWASP_CRS/2.2.7”] [maturity “9”] [accuracy “9”] [tag “OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA”] [tag “WASCTC/WASC-21”] [tag “OWASP_TOP_10/A7”] [tag “PCI/6.5.10”] [hostname “mail.mydomain.de”] [uri “/Microsoft-Server-ActiveSync”]

    Btw. for WAF ActiveSync testing during Sophos SG migrations without hacking/rooting mobile phones, you can use the Windows 10 mail app and select Advanced Setup -> MS Active Sync when creating a mailbox profile. Then you can comfortably change windows hosts file.

Leave a Comment