Sophos UTM Web Application Firewall For: Microsoft Exchange Services

Transcription

1 How to configure: Sophos UTM Web Application Firewall For: Microsoft Exchange Services This guide explains how to configure your Sophos UTM 9.3+ to allow access to the relevant Microsoft Exchange services through the Web Application Firewall. Included services: Outlook Web Access (OWA) Outlook Anywhere Exchange Autodiscover Exchange ActiveSync Exchange Control Panel (ECP) Offline Address Book (OAB) Configuring your Exchange server is outside the scope of this guide. It assumes you ve already setup your Microsoft Exchange environment for remote connectivity by enabling Basic authentication (as the primary or additional authentication method) for OWA, ECP, Outlook Anywhere, OAB, EWS and Autodiscover, and that you have copies of your public SSL certificates available in PFX (PKCS12) format. Please note: This guide assumes reverse passthrough authentication (eg. the WAF will authenticate the user and then pass the credentials to the backend server) is going to be used for the Exchange servers. Should you wish to authenticate to the Exchange servers directly, please make sure you disable all authentication methods other than Basic Authentication on the Exchange servers. Failure to do so will result in authentication problems that might cause logged in users to lose their sessions, authentication to fail, or session management errors. Known to apply to the following Sophos product(s) and version(s): Sophos UTM 9.3+ Operating systems: Microsoft Windows Server Exchange Versions: Microsoft Exchange Document version: 2.0 (Nov 2015) Page 1

2 Table of Contents A. Import the required certificates... 3 Import the intermediate & root certificates... 3 B. Optional: Configure Active Directory and Exchange IIS... 4 C. Optional: Configuring authentication services... 5 Active Directory (Username + Password style)... 5 LDAP (UPN + password style)... 6 LDAP ( address + password style)... 7 E. Optional: Creating the Reverse Authentication profiles... 8 Basic authentication with passthrough... 8 Forms-based authentication with passthrough... 9 F. Creating the Real Webserver(s) G. Configuring the Firewall Profiles Exchange Autodiscover Outlook Anywhere OWA, ECP, & Exchange ActiveSync H. Creating the Virtual Webservers Exchange Autodiscover Outlook Anywhere OWA & Exchange ActiveSync I. Configuring Exceptions Exchange Autodiscover Outlook Anywhere OWA & Exchange ActiveSync OWA Notifications J. Optional: Configuring Site Path Routing Exchange Autodiscover Outlook Anywhere OWA & ECP Exchange ActiveSync & Other L. Optional: Next Steps Page 2

3 A. Import the required certificates First you ll need to import your Exchange server s SSL certificate. The certificate must be in PKCS12 (.pfx) format, otherwise it cannot be used by the WAF (because it requires the private key). 1. In the UTM WebAdmin, browse to Webserver Protection > Certificate Management. 2. Click New Certificate 3. Enter a name, such as Exchange SSL Certificate. 4. Under Method, select Upload. 5. Ensure File type is set to PKCS#12 (Cert+CA). 6. Click the Folder icon ( ) next to the upload field to select the certificate file you wish to import. 7. Enter the required certificate password. 8. Click Save to upload the certificate and complete the import. Note: please see the following KB article for instructions on generating publically signed certificates and converting them into PKCS12 format: Import the intermediate & root certificates If your certificate file does not include the intermediate and root certificates, you ll need to manually import them in order for the UTM to be able to use it. 1. Browse to Webserver Protection > Certificate Management > Certificate Authority. 2. Click New CA 3. Enter a name, such as Exchange Root Certificate. 4. Under Type, select Verification CA (PEM). 5. Click the folder icon ( ) next to the CA certificate field to select the certificate file to import. 6. Click Save to upload the certificate and complete the import. Page 3

4 B. Optional: Configure Active Directory and Exchange IIS Depending on your preference regarding user logon (either using their username and password, their User Principal Name and password, or their address and password) you might need to configure some additional settings in either AD or the IIS on the Exchange backend(s). This section may be required when using username + password style. It is not required if you are using domain prefixing or suffixing in your Reverse Authentication profile (described later in this guide on page 8). Sophos UTM assumes the default domain name is known to the backend server when using AD integrated authentication. As a result, it will delegate just the username and password to the backend systems, whereas Exchange expects a login to contain a domain\username format. In a single-domain environment, this limitation can be worked around by setting the default domain on IIS, which will then prefix all logins with this domain name. 1. Login to your Exchange server(s) using Remote Desktop. 2. Open the Internet Information Server (IIS) console. 3. Navigate to the website that currently hosts your Exchange services and select the first virtual directory used by Exchange (this is normally Autodiscover ). 4. Open the Authentication applet in the IIS section. 5. Select Basic Authentication from the list and click Edit in the right-hand Actions pane. 6. Fill in the desired default domain name in the Default domain: field, and click OK to save. 7. Repeat steps 1-6 above for every Exchange service in IIS and for every Exchange CAS server in your environment. Page 4

5 C. Optional: Configuring authentication services Depending on the desired style of authentication, one has to either create at least one Active Directory authentication server (for the username + password style) or one LDAP authentication server (for UPN based authentication) in UTM. Active Directory (Username + Password style) 1. In the UTM WebAdmin, browse to Definitions & Users > Authentication Services > Servers. 2. Click New Authentication Server 3. Under Backend, select Active Directory. 4. If you have multiple backend servers of a similar type, use the Position dropdown to determine the order in which servers are contacted. 5. Select the backend server by clicking the folder icon ( ) and clicking and dragging the relevant host object into the Server: field, or by clicking the + icon ( ) to define a new host. 6. Optional: Click the SSL checkbox to enable SSL connectivity to your AD server. 7. Optional: If needed, enter a custom port number into the Port field. 8. Enter the name of the user account the UTM will use to connect to Active Directory into the Bind DN field. Both the domain\username and the LDAP string (CN=user,DC=domain,DC=local) are supported; using the LDAP string is recommended as doing so can reduce backend load. 9. Enter the relevant password for the account into the Password field. 10. Optional: Click the Test button to verify whether the UTM can reach the backend server and if the supplied user credentials are accepted by AD. 11. Optional: Fill out the Base DN field to define at which level the UTM should start querying AD (for example: CN=Users,DC=domain,DC=local). 12. Click Save to store the configured backend server and continue. Page 5

6 LDAP (UPN + password style) This method is recommended when using Basic Authentication (configured later, on page 8). 1. Browse to Definitions & Users > Authentication Services > Servers. 2. Click New Authentication Server 3. Under Backend, select LDAP. 4. If you have multiple backend servers of a similar type, use the Position dropdown to determine the order in which servers are contacted. 5. Select the backend server by clicking the folder icon ( ) and clicking and dragging the relevant host object into the Server: field, or by clicking the + icon ( ) to define a new host. 6. Optional: Click the SSL checkbox to enable SSL connectivity to your AD server. 7. Optional: If needed, enter a custom port number into the Port field. 8. Enter the name of the user account the UTM will use to connect to Active Directory into the Bind DN field. Both the domain\username and the LDAP string (CN=user,DC=domain,DC=local) are supported; using the LDAP string is recommended as doing so can reduce backend load. 9. Enter the relevant password for the account into the Password field. 10. Optional: Click the Test button to verify whether the UTM can reach the backend server and if the supplied user credentials are accepted by AD. 11. Select > from the User Attribute dropdown menu. 12. Enter userprincipalname (case sensitive) in the Custom field to enable the UTM to authenticate based on UPN. 13. Optional: Fill out the Base DN field to define at which level the UTM should start querying AD (for example: CN=Users,DC=domain,DC=local). 14. Click Save to store the configured backend server and continue. Page 6

7 LDAP ( address + password style) 1. Browse to Definitions & Users > Authentication Services > Servers. 2. Click New Authentication Server 3. Under Backend, select LDAP. 4. If you have multiple backend servers of a similar type, use the Position dropdown to determine the order in which servers are contacted. 5. Select the backend server by clicking the folder icon ( ) and clicking and dragging the relevant host object into the Server: field, or by clicking the + icon ( ) to define a new host. 6. Optional: Click the SSL checkbox to enable SSL connectivity to your AD server. 7. Optional: If needed, enter a custom port number into the Port field. 8. Enter the name of the user account the UTM will use to connect to Active Directory into the Bind DN field. Both the domain\username and the LDAP string (CN=user,DC=domain,DC=local) are supported; using the LDAP string is recommended as doing so can reduce backend load. 9. Enter the relevant password for the account into the Password field. 10. Optional: Click the Test button to verify whether the UTM can reach the backend server and if the supplied user credentials are accepted by AD. 11. Select > from the User Attribute dropdown menu. 12. Enter mail (case sensitive) in the Custom field to enable the UTM to authenticate based on the user s address. 13. Optional: Fill out the Base DN field to define at which level the UTM should start querying AD (for example: CN=Users,DC=domain,DC=local). 14. Click Save to store the configured backend server and continue. Page 7

8 E. Optional: Creating the Reverse Authentication profiles As mentioned in the introduction, this guide assumes reverse authentication with passthrough will be used for all published services. If you should not wish to do so, please skip this section. Since Exchange uses two distinct modes of authentication (Forms-based logon and HTTP 401 authentication messages) for improved user experience (user-facing services such as OWA use a form, application-facing services such as Outlook Anywhere use HTTP 401) you ll need to create two separate Reverse Authentication profiles to match this desired authentication scheme. Basic authentication with passthrough This is the profile that will be used to supplant all HTTP 401 authentication interfaces used by Exchange. 1. In the UTM WebAdmin, browse to Webserver Protection > Reverse Authentication. 2. Click New Authentication Profile 3. Enter a name such as Basic Authentication into the Name field. 4. Under Virtual Webserver, choose Basic in the Mode box. 5. Add a relevant name for the HTTP 401 popup box into the Basic Prompt field. 6. Click the folder icon ( ) in the Users/Groups box to select existing users or groups by dragging and dropping them into the textbox, or click the New User ( ) or New Group ( ) icons to define new users or groups allowed to access resources protected by this profile. Important: Selecting local or AD users and groups will enable username/password style logins, selecting LDAP users and groups will enable UPN or logins depending on your configuration. 7. Under Real Webserver, choose Basic in the Mode box. 8. Optional: Depending on the security requirements of your environment you can modify the default User Session timeout settings, or disable session lifetime/timeout. 9. Click Save to store the configured reverse authentication profile. A screenshot showing configuration of this section can be found later (on page 10). Important: Due to the way usernames are processed by Reverse Authentication, entering the \ character as part of a username will cause it to be sent twice when using passthrough authentication, which will cause the request to fail. For example, if a user enters domain\user as their username, the UTM will send domain\\user to the backend server which will be rejected because it isn t a valid username & domain combination. Important: Because Exchange ActiveSync configuration on some mobiles devices requires a domain prefix, or UPN / domain suffix, we recommend not using the Username affix feature on the WAF when configuring the Basic Authentication profile, and using UPN + password based authentication instead of username + password. This will allow mobile devices to authenticate as well as allow Microsoft s Remote Connectivity Analyzer tool to connect properly. Usage of the Username affix feature is explained on the next page. Page 8

9 Forms-based authentication with passthrough This is the profile that will be used to protect the user-facing services where having a login form is desirable over a regular HTTP 401 popup (such as Outlook Web Access). 1. In the UTM WebAdmin, browse to Webserver Protection > Reverse Authentication. 2. Click New Authentication Profile 3. Enter a name such as Form Authentication into the Name field. 4. Under Virtual Webserver, choose Form in the Mode box. 5. Select a Form template in the Form template box. Note: You can edit and upload templates by clicking on the Form Templates tab. 6. Click the folder icon ( ) in the Users/Groups box to select existing users or groups by dragging and dropping them into the textbox, or click the New User ( ) or New Group ( ) icons to define new users or groups allowed to access resources protected by this profile. Important: Selecting local or AD users and groups will enable username/password style logins, selecting LDAP users and groups will enable UPN or logins depending on your configuration. If you are using UPN for login be sure to add LDAP user groups such as LDAP Users, otherwise Autodiscover authentication will fail. 7. Under Real Webserver, choose Basic in the Mode box. 8. Optional: If you didn t configure a default domain on your IIS server in section B of this guide, you can configure the UTM to automatically send the domain using the username affix feature: If using username + password authentication, select Prefix under Username Affix and enter your domain name followed by \ into the Prefix field (eg. domain\ ) If using address + password authentication, select Suffix under Username Affix and and then your domain name into the Suffix field. 9. Optional: Depending on the security requirements of your environment you can modify the default User Session timeout settings, or disable session lifetime/timeout. 10. Click Save to store the configured reverse authentication profile. A screenshot showing this configuration can be found on the next page. Important: As described on the previous page, authentication issues will occur if users enter their usernames in format domain\username when using Reverse Authentication. For this reason it s important to use domain prefixing as described in the instructions above, or enter a default domain into the IIS configuration as described earlier in this guide (on page 4). We recommend using username prefixing for the Forms-based Authentication profile, and having users login with their username only, eg. by entering just username instead of domain\username. Page 9

10 The following screenshots show examples of the configured Basic and Forms authentication profiles: Page 10

11 F. Creating the Real Webserver(s) The next step in setting up the WAF is configuring the Real Webserver(s) which represent the Exchange CAS backend servers to the WAF setup. 1. Browse to Webserver Protection > Web Application Firewall > Real Webservers. 2. Click New Real Webserver 3. Enter a name such as Exchange Server into the Name field. 4. Select the backend server by clicking the folder icon ( ) and clicking and dragging the relevant host object into the Server field, or by clicking the + icon ( ) to define a new host. 5. Set the Real Webserver connection type by selecting either HTTP or HTTPS in the Type box. 6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field. 7. Click Save to store the real webserver and continue. Repeat the above procedure for every Exchange server in your farm that users should connect to via the Web Application Firewall. G. Configuring the Firewall Profiles Exchange services such as Outlook Anywhere, Outlook Web Access (OWA), Exchange ActiveSync, Autodiscover, etc. require different levels of protection and different WAF settings to function correctly. Because of this we will configure three separate profiles; one for Outlook Anywhere, one for Autodiscover, and one for the remaining services (OWA, ECP, and Exchange ActiveSync). Note: It s important to configure non-optional items exactly as specified otherwise the UTM might block legitimate requests. Optional items can be treated as suggestions which can help to increase security. Page 11

12 Exchange Autodiscover 1. Browse to Webserver Protection > Web Application Firewall > Firewall Profiles. 2. Click New Firewall Profile 3. Enter a name such as Exchange Autodiscover into the Name field. 4. Under Mode, select Reject. 5. Enable Common threats filter and Rigid Filtering. 6. Add a Skip Filter rule by clicking the + icon ( ) next to the Skip Filter Rules box. 7. Enter (without quotes) and then click Apply. 8. Enable Static URL hardening and enter /autodiscover and /Autodiscover (without quotes) as entry points by clicking the + icon ( ) in the top right. 9. Enable Form Hardening. 10. Optional: Enable Antivirus scanning, then select the Mode (Single or Dual Scan), and Direction (Uploads only, Downloads only, or Uploads and Downloads). 11. Optional: Block suspicious clients by enabling Block clients with bad reputation. 12. Expand Threat Filter Categories by clicking the + icon and uncheck SQL Injection Attacks. 13. Click Save to store the Firewall Profile and continue. The recommended settings are shown in the following screenshots: Page 12

13 Outlook Anywhere 1. Browse to Webserver Protection > Web Application Firewall > Firewall Profiles. 2. Click New Firewall Profile 3. Enter a name such as Outlook Anywhere into the Name field. 4. Check Pass Outlook Anywhere. 5. Under Mode, select Reject. 6. Enable Static URL hardening and enter /rpc and /RPC (without quotes) as entry points by clicking the + icon ( ) in the top right. 7. Optional: Block suspicious clients by enabling Block clients with bad reputation. 8. Click Save to store the Firewall Profile and continue. The recommended settings are shown in the following screenshot: Page 13

14 OWA, ECP, & Exchange ActiveSync 1. Browse to Webserver Protection > Web Application Firewall > Firewall Profiles. 2. Click New Firewall Profile 3. Enter a name such as OWA & Exchange ActiveSync into the Name field. 4. Under Mode, select Reject. 5. Enable Common threats filter and Rigid Filtering. 6. Add the following Skip Filter rules by clicking the + icon ( ) next to the Skip Filter Rules box. 7. Add , , , , and (without quotes) and click Apply after each to confirm. 8. Enable Static URL hardening and enter /owa, /OWA, /ews, /EWS, /oab, /OAB, /ecp, /ECP, /Microsoft-Server-ActiveSync, and / (without quotes) by clicking the + icon ( ) in the top right. URLs are case sensitive. 9. Optional: Enable Antivirus scanning, then select the Mode (Single or Dual Scan), and Direction (Uploads only, Downloads only, or Uploads and Downloads). 10. Optional: Block suspicious clients by enabling Block clients with bad reputation. 11. Expand Threat Filter Categories by clicking the + icon and uncheck SQL Injection Attacks, XSS Attacks, and Outbound. 12. Click Save to store the Firewall Profile and continue. Page 14

15 H. Creating the Virtual Webservers Since we intend to use different firewall profiles for different Exchange services (as previously discussed) we will need to configure a matching set of Virtual Webservers to which these profiles should apply. Exchange Autodiscover Please note that, as part of Microsoft s best practices, Sophos recommends running the Autodiscover service on a separate hostname. This hostname should normally be autodiscover.<domain>.<tld>, as demonstrated below. 1. Browse to Webserver Protection > Web Application Firewall > Virtual Webservers. 2. Click New Virtual Webserver 3. Enter a name such as Exchange Autodiscover into the Name field. 4. Select the interface this Virtual Webserver should be created on from the Interface menu. Note: this is normally the UTM s external (WAN) interface. 5. Select the protocol to be used from the Type menu. Using Encrypted (HTTPS) is recommended. Note: you can also select Encrypted (HTTPS) & redirect to automatically redirect clients to HTTPS if they connect using HTTP. 6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field. 7. Select the applicable certificate from the Certificate menu. This was configured on page 3 (Section A) of this guide. 8. Select either the desired domain name for the Domains list, or if using a wildcard certificate, enter your desired hostname by clicking the + icon ( ) in the top right corner. Note: Wildcard certificates are incompatible with multi-site High Availability Exchange setups and require extra configuration on the Exchange server(s). Sophos recommends using Multiple Hostname (SAN) certificates if this is the case in your environment. 9. Select the Firewall Profile created previously for Exchange Autodiscover in the Firewall Profile menu. 10. Expand Advanced and check Pass host header. Important: Exchange requires the original host header to determine the location (inside or outside the organization) of the client, on which many Exchanges services rely. 11. Click Save to store the new Virtual Webserver and continue. Page 15

16 The following screenshot shows the recommended configuration when using a Wildcard certificate: Page 16

17 Outlook Anywhere 1. Browse to Webserver Protection > Web Application Firewall > Virtual Webservers. 2. Click New Virtual Webserver 3. Enter a name such as Outlook Anywhere into the Name field. 4. Select the interface this Virtual Webserver should be created on from the Interface menu. Note: this is normally the UTM s external (WAN) interface. 5. Select the protocol to be used from the Type menu. Using Encrypted (HTTPS) is recommended. Note: you can also select Encrypted (HTTPS) & redirect to automatically redirect clients to HTTPS if they connect using HTTP. 6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field. 7. Select the applicable certificate from the Certificate menu. This was configured on page 3 (Section A) of this guide. 8. Select either the desired domain name for the Domains list, or if using a wildcard certificate, enter your desired hostname by clicking the + icon ( ) in the top right corner. 9. Select the Firewall Profile created previously for Outlook Anywhere in the Firewall Profile menu. 10. Expand Advanced and check Pass host header. Important: failure to set this option will break automatic configuration for all Exchange ActiveSync and Outlook Anywhere clients, as well as automatic failover in HA scenarios. 11. Click Save to store the new Virtual Webserver and continue. Page 17

18 The following screenshot shows the recommended configuration when using a Wildcard certificate: Page 18

19 OWA & Exchange ActiveSync This Virtual Webserver will also cover other Exchange services such as Exchange Control Panel (ECP), Offline Address Book (OAB), etc. 1. Browse to Webserver Protection > Web Application Firewall > Virtual Webservers. 2. Click New Virtual Webserver 3. Enter a name such as OWA & Exchange ActiveSync into the Name field. 4. Select the interface this Virtual Webserver should be created on from the Interface menu. Note: this is normally the UTM s external (WAN) interface. 5. Select the protocol to be used from the Type menu. Using Encrypted (HTTPS) is recommended. Note: you can also select Encrypted (HTTPS) & redirect to automatically redirect clients to HTTPS if they connect using HTTP. 6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field. 7. Select the applicable certificate from the Certificate menu. This was configured on page 3 (Section A) of this guide. 8. Select either the desired domain name(s) for the Domains list, or if using a wildcard certificate, enter your desired hostname by clicking the + icon ( ) in the top right corner. Note: you can add multiple domains if for example you want to separate different services by domain, such as owa.domain.com, eas.domain.com, etc. 9. Select the Firewall Profile created previously for OWA & Exchange ActiveSync in the Firewall Profile menu. 10. Expand Advanced and check Pass host header. Important: Exchange determines the applicable automatic configuration (received via Autodiscover) based on the host header used to connect to ActiveSync / EWS. Because of this, selecting this option is extremely important. 11. Click Save to store the new Virtual Webserver and continue. Page 19

20 The following screenshot shows the recommended configuration when using a Wildcard certificate: Page 20

21 I. Configuring Exceptions Since the Static URL Hardening feature on the Web Application Firewall is very strict, it will not allow clients to open any URL other than the ones explicitly configured. This means that requests such as webmail.example.com/owa are allowed, but requests to individual pages or subdirectories such as webmail.example.com/owa/auth/login.aspx or webmail.example.com/owa/directory/ will be dropped. To enable the clients to access these locations, you ll need to create Exceptions to allow for less stringent filtering. Exchange Autodiscover 1. Browse to Webserver Protection > Web Application Firewall > Exceptions. 2. Click New Exception List 3. Enter a name such as Exchange Autodiscover into the Name field. 4. Under Skip these checks, check Static URL hardening. 5. Under Virtual Webservers, select your Virtual Webserver for Exchange Autodiscover. 6. Set the For all requests dropdown to Web requests matching this path. 7. Under Paths, click the + icon ( ) and enter /autodiscover/* and /Autodiscover/* (no quotes). 8. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening. 9. Click Save to store the exception and continue. Page 21

22 Outlook Anywhere 1. Browse to Webserver Protection > Web Application Firewall > Exceptions. 2. Click New Exception List 3. Enter a name such as Outlook Anywhere into the Name field. 4. Under Skip these checks, check Static URL hardening. 5. Under Virtual Webservers, select your Virtual Webserver for Outlook Anywhere. 6. Set the For all requests dropdown to Web requests matching this path. 7. Under Paths, click the + icon ( ) and enter /rpc/* and /RPC/* (no quotes). 8. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening. 9. Click Save to store the exception and continue. Page 22

23 OWA & Exchange ActiveSync 1. Browse to Webserver Protection > Web Application Firewall > Exceptions. 2. Click New Exception List 3. Enter a name such as OWA & Exchange ActiveSync into the Name field. 4. Under Skip these checks, check Static URL hardening. 5. Under Virtual Webservers, select your Virtual Webserver for Outlook Anywhere. 6. Set the For all requests dropdown to Web requests matching this path. 7. Under Paths, click the + icon ( ) and enter /owa/*, /OWA/*, /ecp/*, /ECP/*, /ews/*, /EWS/*, /oab/*, /OAB/*, /Microsoft-Server-ActiveSync*, and /favicon.ico (no quotes). Important: Since Microsoft-Server-ActiveSync is not a virtual directory but a URL, there should be no slash between the name and the asterisk. All paths are case sensitive. 8. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening. 9. Click Save to store the exception and continue. Page 23

24 OWA Notifications A special exception needs to be added to ensure notifications for OWA are not blocked by the WAF. 1. Browse to Webserver Protection > Web Application Firewall > Exceptions. 2. Click New Exception List 3. Enter a name such as OWA Notifications into the Name field. 4. Under Skip these checks, check Antivirus. 5. Under Skip these categories, check all categories. 6. Under Virtual Webservers, select your Virtual Webserver for OWA & Exchange ActiveSync. 7. Set the For all requests dropdown to Web requests matching this path. 8. Under Paths, click the + icon ( ) and enter /owa/ev.owa* (no quotes). 9. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening. 10. Click Save to store the exception and continue. When finished, you should have 4 exceptions in total related to Exchange Services. Page 24

25 J. Optional: Configuring Site Path Routing The Web Application Firewall applies authentication on a per-site-path basis, because doing so allows flexibility when setting up authentication for a website (for example, if you don t want authentication to occur on /public, but you do want to authenticate those users visiting /private ). Choosing which paths require authentication, and which type of authentication to use, is performed via the Site Path Routing configuration. Exchange Autodiscover 1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing. 2. Click New Site Path Route 3. Enter a name such as /autodiscover into the Name field. 4. Select the Virtual Webserver created previously for Exchange Autodiscover in the Virtual webserver dropdown box. 5. Enter /autodiscover (no quotes) into the Path field. 6. Under Reverse Authentication, select the Basic Authentication profile created previously (instructions on page 8 of this guide). 7. Under Real Webservers, check all associated Exchange servers. 8. Click Save to store the Site Path Route and continue. 9. Click Clone on the created Site Path Route and create a new route for path /Autodiscover using the same settings above. 10. Optional: Remove the default / Site Path Route for Exchange Autodiscover to improve security. Page 25

26 Outlook Anywhere 1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing. 2. Click New Site Path Route 3. Enter a name such as /rpc into the Name field. 4. Select the Virtual Webserver created previously for Outlook Anywhere in the Virtual webserver dropdown box. 5. Enter /rpc (no quotes) into the Path field. 6. Under Reverse Authentication, select the Basic Authentication profile created previously (instructions on page 8 of this guide). 7. Under Real Webservers, check all associated Exchange servers. 8. Click Save to store the Site Path Route and continue. 9. Click Clone on the created Site Path Route and create a new route for path /RPC using the same settings above. 10. Optional: Remove the default / Site Path Route for Outlook Anywhere to improve security. Page 26

27 OWA & ECP 1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing. 2. Click New Site Path Route 3. Enter a name such as /owa into the Name field. 4. Select the Virtual Webserver created previously for OWA & Exchange ActiveSync in the Virtual webserver dropdown box. 5. Enter /owa (no quotes) into the Path field. 6. Under Reverse Authentication, select the Form Authentication profile created previously (instructions on page 8 of this guide). 7. Under Real Webservers, check all associated Exchange servers. 8. Click Save to store the Site Path Route and continue. 9. Click Clone on the created Site Path Route and create a new route for path /OWA, /ecp, & /ECP using the same settings above. Page 27

28 Exchange ActiveSync & Other 1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing. 2. Click Edit for the / default site path route for the OWA & Exchange ActiveSync site path route. 3. Under Reverse Authentication, select the Basic Authentication profile created previously (instructions on page 8 of this guide). 4. Click Save to continue. When finished, you should have 9 Site Path Routes in total related to Exchange Services. L. Optional: Next Steps You can test to ensure that your Autodiscover & Exchange ActiveSync configuration is working correctly by using Microsoft s Remote Connectivity Analyzer tool, located here: Page 28