Sophos UTM Web Application Firewall For: Microsoft Exchange Services


How to configure: Sophos UTM Web Application Firewall for Microsoft Exchange Services

This guide explains how to configure your Sophos UTM 9.3+ to allow access to the relevant Microsoft Exchange services through the Web Application Firewall.

Included services:
- Outlook Web Access (OWA)
- Outlook Anywhere
- Exchange Autodiscover
- Exchange ActiveSync
- Exchange Control Panel (ECP)
- Offline Address Book (OAB)

Configuring your Exchange server is outside the scope of this guide. It assumes you've already set up your Microsoft Exchange environment for remote connectivity by enabling Basic authentication (as the primary or additional authentication method) for OWA, ECP, Outlook Anywhere, OAB, EWS and Autodiscover, and that you have copies of your public SSL certificates available in PFX (PKCS12) format.

Please note: This guide assumes reverse passthrough authentication (i.e. the WAF authenticates the user and then passes the credentials to the backend server) is going to be used for the Exchange servers. Should you wish to authenticate to the Exchange servers directly, please make sure you disable all authentication methods other than Basic Authentication on the Exchange servers. Failure to do so will result in authentication problems that might cause logged-in users to lose their sessions, authentication to fail, or session management errors.

Known to apply to the following Sophos product(s) and version(s): Sophos UTM 9.3+
Operating systems: Microsoft Windows Server 2003 to 2012
Exchange versions: Microsoft Exchange 2007 to 2013
Document version: 2.0 (Nov 2015)
Page 1

Table of Contents
A. Import the required certificates ... 3
   Import the intermediate & root certificates ... 3
B. Optional: Configure Active Directory and Exchange IIS ... 4
C. Optional: Configuring authentication services ... 5
   Active Directory (Username + Password style) ... 5
   LDAP (UPN + password style) ... 6
   LDAP (Email address + password style) ... 7
E. Optional: Creating the Reverse Authentication profiles ... 8
   Basic authentication with passthrough ... 8
   Forms-based authentication with passthrough ... 9
F. Creating the Real Webserver(s) ... 11
G. Configuring the Firewall Profiles ... 11
   Exchange Autodiscover ... 12
   Outlook Anywhere ... 13
   OWA, ECP, & Exchange ActiveSync ... 14
H. Creating the Virtual Webservers ... 15
   Exchange Autodiscover ... 15
   Outlook Anywhere ... 17
   OWA & Exchange ActiveSync ... 19
I. Configuring Exceptions ... 21
   Exchange Autodiscover ... 21
   Outlook Anywhere ... 22
   OWA & Exchange ActiveSync ... 23
   OWA Notifications ... 24
J. Optional: Configuring Site Path Routing ... 25
   Exchange Autodiscover ... 25
   Outlook Anywhere ... 26
   OWA & ECP ... 27
   Exchange ActiveSync & Other ... 28
L. Optional: Next Steps ... 28
Page 2

A. Import the required certificates

First you'll need to import your Exchange server's SSL certificate. The certificate must be in PKCS12 (.pfx) format, otherwise it cannot be used by the WAF (because the WAF requires the private key).

1. In the UTM WebAdmin, browse to Webserver Protection > Certificate Management.
2. Click New Certificate.
3. Enter a name, such as Exchange SSL Certificate.
4. Under Method, select Upload.
5. Ensure File type is set to PKCS#12 (Cert+CA).
6. Click the folder icon next to the upload field to select the certificate file you wish to import.
7. Enter the required certificate password.
8. Click Save to upload the certificate and complete the import.

Note: please see the following KB article for instructions on generating publicly signed certificates and converting them into PKCS12 format: https://community.sophos.com/kb/en-us/118084

Import the intermediate & root certificates

If your certificate file does not include the intermediate and root certificates, you'll need to import them manually in order for the UTM to be able to use it.

1. Browse to Webserver Protection > Certificate Management > Certificate Authority.
2. Click New CA.
3. Enter a name, such as Exchange Root Certificate.
4. Under Type, select Verification CA (PEM).
5. Click the folder icon next to the CA certificate field to select the certificate file to import.
6. Click Save to upload the certificate and complete the import.
Page 3

B. Optional: Configure Active Directory and Exchange IIS

Depending on your preference regarding user logon (either using their username and password, their User Principal Name and password, or their email address and password) you might need to configure some additional settings in either AD or the IIS on the Exchange backend(s).

This section may be required when using the username + password style. It is not required if you are using domain prefixing or suffixing in your Reverse Authentication profile (described later in this guide on page 8).

Sophos UTM assumes the default domain name is known to the backend server when using AD integrated authentication. As a result, it will delegate just the username and password to the backend systems, whereas Exchange expects a login in domain\username format. In a single-domain environment, this limitation can be worked around by setting the default domain on IIS, which will then prefix all logins with this domain name.

1. Log in to your Exchange server(s) using Remote Desktop.
2. Open the Internet Information Server (IIS) console.
3. Navigate to the website that currently hosts your Exchange services and select the first virtual directory used by Exchange (this is normally Autodiscover).
4. Open the Authentication applet in the IIS section.
5. Select Basic Authentication from the list and click Edit in the right-hand Actions pane.
6. Fill in the desired default domain name in the Default domain: field, and click OK to save.
7. Repeat steps 1-6 above for every Exchange service in IIS and for every Exchange CAS server in your environment.
Page 4

C. Optional: Configuring authentication services

Depending on the desired style of authentication, you have to create either at least one Active Directory authentication server (for the username + password style) or one LDAP authentication server (for UPN based authentication) in UTM.

Active Directory (Username + Password style)

1. In the UTM WebAdmin, browse to Definitions & Users > Authentication Services > Servers.
2. Click New Authentication Server.
3. Under Backend, select Active Directory.
4. If you have multiple backend servers of a similar type, use the Position dropdown to determine the order in which servers are contacted.
5. Select the backend server by clicking the folder icon and dragging the relevant host object into the Server: field, or by clicking the + icon to define a new host.
6. Optional: Click the SSL checkbox to enable SSL connectivity to your AD server.
7. Optional: If needed, enter a custom port number into the Port field.
8. Enter the name of the user account the UTM will use to connect to Active Directory into the Bind DN field. Both the domain\username form and the LDAP string form (CN=user,DC=domain,DC=local) are supported; using the LDAP string is recommended, as doing so can reduce backend load.
9. Enter the relevant password for the account into the Password field.
10. Optional: Click the Test button to verify whether the UTM can reach the backend server and whether the supplied user credentials are accepted by AD.
11. Optional: Fill out the Base DN field to define at which level the UTM should start querying AD (for example: CN=Users,DC=domain,DC=local).
12. Click Save to store the configured backend server and continue.
Page 5

LDAP (UPN + password style)

This method is recommended when using Basic Authentication (configured later, on page 8).

1. Browse to Definitions & Users > Authentication Services > Servers.
2. Click New Authentication Server.
3. Under Backend, select LDAP.
4. If you have multiple backend servers of a similar type, use the Position dropdown to determine the order in which servers are contacted.
5. Select the backend server by clicking the folder icon and dragging the relevant host object into the Server: field, or by clicking the + icon to define a new host.
6. Optional: Click the SSL checkbox to enable SSL connectivity to your AD server.
7. Optional: If needed, enter a custom port number into the Port field.
8. Enter the name of the user account the UTM will use to connect to Active Directory into the Bind DN field. Both the domain\username form and the LDAP string form (CN=user,DC=domain,DC=local) are supported; using the LDAP string is recommended, as doing so can reduce backend load.
9. Enter the relevant password for the account into the Password field.
10. Optional: Click the Test button to verify whether the UTM can reach the backend server and whether the supplied user credentials are accepted by AD.
11. Select << Custom >> from the User Attribute dropdown menu.
12. Enter userprincipalname (case sensitive) in the Custom field to enable the UTM to authenticate based on UPN.
13. Optional: Fill out the Base DN field to define at which level the UTM should start querying AD (for example: CN=Users,DC=domain,DC=local).
14. Click Save to store the configured backend server and continue.
Page 6

LDAP (Email address + password style)

1. Browse to Definitions & Users > Authentication Services > Servers.
2. Click New Authentication Server.
3. Under Backend, select LDAP.
4. If you have multiple backend servers of a similar type, use the Position dropdown to determine the order in which servers are contacted.
5. Select the backend server by clicking the folder icon and dragging the relevant host object into the Server: field, or by clicking the + icon to define a new host.
6. Optional: Click the SSL checkbox to enable SSL connectivity to your AD server.
7. Optional: If needed, enter a custom port number into the Port field.
8. Enter the name of the user account the UTM will use to connect to Active Directory into the Bind DN field. Both the domain\username form and the LDAP string form (CN=user,DC=domain,DC=local) are supported; using the LDAP string is recommended, as doing so can reduce backend load.
9. Enter the relevant password for the account into the Password field.
10. Optional: Click the Test button to verify whether the UTM can reach the backend server and whether the supplied user credentials are accepted by AD.
11. Select << Custom >> from the User Attribute dropdown menu.
12. Enter mail (case sensitive) in the Custom field to enable the UTM to authenticate based on the user's email address.
13. Optional: Fill out the Base DN field to define at which level the UTM should start querying AD (for example: CN=Users,DC=domain,DC=local).
14. Click Save to store the configured backend server and continue.
Page 7

E. Optional: Creating the Reverse Authentication profiles

As mentioned in the introduction, this guide assumes reverse authentication with passthrough will be used for all published services. If you do not wish to do so, please skip this section.

Exchange uses two distinct modes of authentication for improved user experience: forms-based logon and HTTP 401 authentication messages. User-facing services such as OWA use a form, while application-facing services such as Outlook Anywhere use HTTP 401. You'll therefore need to create two separate Reverse Authentication profiles to match this authentication scheme.

Basic authentication with passthrough

This is the profile that will be used to supplant all HTTP 401 authentication interfaces used by Exchange.

1. In the UTM WebAdmin, browse to Webserver Protection > Reverse Authentication.
2. Click New Authentication Profile.
3. Enter a name such as Basic Authentication into the Name field.
4. Under Virtual Webserver, choose Basic in the Mode box.
5. Add a relevant name for the HTTP 401 popup box into the Basic Prompt field.
6. Click the folder icon in the Users/Groups box to select existing users or groups by dragging and dropping them into the textbox, or click the New User or New Group icons to define new users or groups allowed to access resources protected by this profile. Important: Selecting local or AD users and groups will enable username/password style logins; selecting LDAP users and groups will enable UPN or email logins, depending on your configuration.
7. Under Real Webserver, choose Basic in the Mode box.
8. Optional: Depending on the security requirements of your environment you can modify the default User Session timeout settings, or disable session lifetime/timeout.
9. Click Save to store the configured reverse authentication profile.

A screenshot showing the configuration of this section can be found later (on page 10).

Important: Due to the way usernames are processed by Reverse Authentication, entering the \ character as part of a username will cause it to be sent twice when using passthrough authentication, which will cause the request to fail. For example, if a user enters domain\user as their username, the UTM will send domain\\user to the backend server, which will be rejected because it isn't a valid username & domain combination.

Important: Because Exchange ActiveSync configuration on some mobile devices requires a domain prefix, or a UPN / email domain suffix, we recommend not using the Username affix feature on the WAF when configuring the Basic Authentication profile, and using UPN + password based authentication instead of username + password. This will allow mobile devices to authenticate, as well as allow Microsoft's Remote Connectivity Analyzer tool to connect properly. Usage of the Username affix feature is explained on the next page.
Page 8

Forms-based authentication with passthrough

This is the profile that will be used to protect the user-facing services where having a login form is preferable to a regular HTTP 401 popup (such as Outlook Web Access).

1. In the UTM WebAdmin, browse to Webserver Protection > Reverse Authentication.
2. Click New Authentication Profile.
3. Enter a name such as Form Authentication into the Name field.
4. Under Virtual Webserver, choose Form in the Mode box.
5. Select a form template in the Form template box. Note: You can edit and upload templates by clicking on the Form Templates tab.
6. Click the folder icon in the Users/Groups box to select existing users or groups by dragging and dropping them into the textbox, or click the New User or New Group icons to define new users or groups allowed to access resources protected by this profile. Important: Selecting local or AD users and groups will enable username/password style logins; selecting LDAP users and groups will enable UPN or email logins, depending on your configuration. If you are using UPN for login, be sure to add LDAP user groups such as LDAP Users, otherwise Autodiscover authentication will fail.
7. Under Real Webserver, choose Basic in the Mode box.
8. Optional: If you didn't configure a default domain on your IIS server in section B of this guide, you can configure the UTM to automatically send the domain using the Username affix feature:
   - If using username + password authentication, select Prefix under Username Affix and enter your domain name followed by \ into the Prefix field (e.g. domain\).
   - If using email address + password authentication, select Suffix under Username Affix and enter @ followed by your domain name (e.g. @domain.com) into the Suffix field.
9. Optional: Depending on the security requirements of your environment you can modify the default User Session timeout settings, or disable session lifetime/timeout.
10. Click Save to store the configured reverse authentication profile.

A screenshot showing this configuration can be found on the next page.

Important: As described on the previous page, authentication issues will occur if users enter their usernames in the format domain\username when using Reverse Authentication. For this reason it's important to use domain prefixing as described in the instructions above, or to enter a default domain into the IIS configuration as described earlier in this guide (on page 4). We recommend using username prefixing for the Forms-based Authentication profile, and having users log in with their username only, e.g. by entering just username instead of domain\username.
Page 9

The following screenshots show examples of the configured Basic and Forms authentication profiles.
Page 10

F. Creating the Real Webserver(s)

The next step in setting up the WAF is configuring the Real Webserver(s), which represent the Exchange CAS backend servers to the WAF setup.

1. Browse to Webserver Protection > Web Application Firewall > Real Webservers.
2. Click New Real Webserver.
3. Enter a name such as Exchange Server into the Name field.
4. Select the backend server by clicking the folder icon and dragging the relevant host object into the Server field, or by clicking the + icon to define a new host.
5. Set the Real Webserver connection type by selecting either HTTP or HTTPS in the Type box.
6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field.
7. Click Save to store the real webserver and continue.

Repeat the above procedure for every Exchange server in your farm that users should connect to via the Web Application Firewall.

G. Configuring the Firewall Profiles

Exchange services such as Outlook Anywhere, Outlook Web Access (OWA), Exchange ActiveSync, Autodiscover, etc. require different levels of protection and different WAF settings to function correctly. Because of this we will configure three separate profiles: one for Outlook Anywhere, one for Autodiscover, and one for the remaining services (OWA, ECP, and Exchange ActiveSync).

Note: It's important to configure non-optional items exactly as specified, otherwise the UTM might block legitimate requests. Optional items can be treated as suggestions which can help to increase security.
Page 11

Exchange Autodiscover

1. Browse to Webserver Protection > Web Application Firewall > Firewall Profiles.
2. Click New Firewall Profile.
3. Enter a name such as Exchange Autodiscover into the Name field.
4. Under Mode, select Reject.
5. Enable Common threats filter and Rigid Filtering.
6. Add a Skip Filter rule by clicking the + icon next to the Skip Filter Rules box.
7. Enter 960015 (without quotes) and then click Apply.
8. Enable Static URL hardening and enter /autodiscover and /Autodiscover (without quotes) as entry points by clicking the + icon in the top right.
9. Enable Form Hardening.
10. Optional: Enable Antivirus scanning, then select the Mode (Single or Dual Scan) and Direction (Uploads only, Downloads only, or Uploads and Downloads).
11. Optional: Block suspicious clients by enabling Block clients with bad reputation.
12. Expand Threat Filter Categories by clicking the + icon and uncheck SQL Injection Attacks.
13. Click Save to store the Firewall Profile and continue.

The recommended settings are shown in the following screenshots:
Page 12

Outlook Anywhere

1. Browse to Webserver Protection > Web Application Firewall > Firewall Profiles.
2. Click New Firewall Profile.
3. Enter a name such as Outlook Anywhere into the Name field.
4. Check Pass Outlook Anywhere.
5. Under Mode, select Reject.
6. Enable Static URL hardening and enter /rpc and /RPC (without quotes) as entry points by clicking the + icon in the top right.
7. Optional: Block suspicious clients by enabling Block clients with bad reputation.
8. Click Save to store the Firewall Profile and continue.

The recommended settings are shown in the following screenshot:
Page 13

OWA, ECP, & Exchange ActiveSync

1. Browse to Webserver Protection > Web Application Firewall > Firewall Profiles.
2. Click New Firewall Profile.
3. Enter a name such as OWA & Exchange ActiveSync into the Name field.
4. Under Mode, select Reject.
5. Enable Common threats filter and Rigid Filtering.
6. Add the following Skip Filter rules by clicking the + icon next to the Skip Filter Rules box.
7. Add 960015, 981203, 960010, 960018, and 981204 (without quotes) and click Apply after each to confirm.
8. Enable Static URL hardening and enter /owa, /OWA, /ews, /EWS, /oab, /OAB, /ecp, /ECP, /Microsoft-Server-ActiveSync, and / (without quotes) by clicking the + icon in the top right. URLs are case sensitive.
9. Optional: Enable Antivirus scanning, then select the Mode (Single or Dual Scan) and Direction (Uploads only, Downloads only, or Uploads and Downloads).
10. Optional: Block suspicious clients by enabling Block clients with bad reputation.
11. Expand Threat Filter Categories by clicking the + icon and uncheck SQL Injection Attacks, XSS Attacks, and Outbound.
12. Click Save to store the Firewall Profile and continue.
Page 14

H. Creating the Virtual Webservers

Since we intend to use different firewall profiles for different Exchange services (as previously discussed), we will need to configure a matching set of Virtual Webservers to which these profiles should apply.

Exchange Autodiscover

Please note that, in line with Microsoft's best practices, Sophos recommends running the Autodiscover service on a separate hostname. This hostname should normally be autodiscover.<domain>.<tld>, as demonstrated below.

1. Browse to Webserver Protection > Web Application Firewall > Virtual Webservers.
2. Click New Virtual Webserver.
3. Enter a name such as Exchange Autodiscover into the Name field.
4. Select the interface this Virtual Webserver should be created on from the Interface menu. Note: this is normally the UTM's external (WAN) interface.
5. Select the protocol to be used from the Type menu. Using Encrypted (HTTPS) is recommended. Note: you can also select Encrypted (HTTPS) & redirect to automatically redirect clients to HTTPS if they connect using HTTP.
6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field.
7. Select the applicable certificate from the Certificate menu. This was configured on page 3 (Section A) of this guide.
8. Select the desired domain name from the Domains list, or, if using a wildcard certificate, enter your desired hostname by clicking the + icon in the top right corner. Note: Wildcard certificates are incompatible with multi-site High Availability Exchange setups and require extra configuration on the Exchange server(s). Sophos recommends using Multiple Hostname (SAN) certificates if this is the case in your environment.
9. Select the Firewall Profile created previously for Exchange Autodiscover in the Firewall Profile menu.
10. Expand Advanced and check Pass host header. Important: Exchange requires the original host header to determine the location (inside or outside the organization) of the client, on which many Exchange services rely.
11. Click Save to store the new Virtual Webserver and continue.
Page 15

The following screenshot shows the recommended configuration when using a wildcard certificate.
Page 16

Outlook Anywhere

1. Browse to Webserver Protection > Web Application Firewall > Virtual Webservers.
2. Click New Virtual Webserver.
3. Enter a name such as Outlook Anywhere into the Name field.
4. Select the interface this Virtual Webserver should be created on from the Interface menu. Note: this is normally the UTM's external (WAN) interface.
5. Select the protocol to be used from the Type menu. Using Encrypted (HTTPS) is recommended. Note: you can also select Encrypted (HTTPS) & redirect to automatically redirect clients to HTTPS if they connect using HTTP.
6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field.
7. Select the applicable certificate from the Certificate menu. This was configured on page 3 (Section A) of this guide.
8. Select the desired domain name from the Domains list, or, if using a wildcard certificate, enter your desired hostname by clicking the + icon in the top right corner.
9. Select the Firewall Profile created previously for Outlook Anywhere in the Firewall Profile menu.
10. Expand Advanced and check Pass host header. Important: failure to set this option will break automatic configuration for all Exchange ActiveSync and Outlook Anywhere clients, as well as automatic failover in HA scenarios.
11. Click Save to store the new Virtual Webserver and continue.
Page 17

The following screenshot shows the recommended configuration when using a wildcard certificate.
Page 18

OWA & Exchange ActiveSync

This Virtual Webserver will also cover other Exchange services such as Exchange Control Panel (ECP), Offline Address Book (OAB), etc.

1. Browse to Webserver Protection > Web Application Firewall > Virtual Webservers.
2. Click New Virtual Webserver.
3. Enter a name such as OWA & Exchange ActiveSync into the Name field.
4. Select the interface this Virtual Webserver should be created on from the Interface menu. Note: this is normally the UTM's external (WAN) interface.
5. Select the protocol to be used from the Type menu. Using Encrypted (HTTPS) is recommended. Note: you can also select Encrypted (HTTPS) & redirect to automatically redirect clients to HTTPS if they connect using HTTP.
6. Optional: After selecting the connection type, the UTM will automatically fill in the associated port number. If you need to use a non-standard port you can enter it into the Port field.
7. Select the applicable certificate from the Certificate menu. This was configured on page 3 (Section A) of this guide.
8. Select the desired domain name(s) from the Domains list, or, if using a wildcard certificate, enter your desired hostname by clicking the + icon in the top right corner. Note: you can add multiple domains if, for example, you want to separate different services by domain, such as owa.domain.com, eas.domain.com, etc.
9. Select the Firewall Profile created previously for OWA & Exchange ActiveSync in the Firewall Profile menu.
10. Expand Advanced and check Pass host header. Important: Exchange determines the applicable automatic configuration (received via Autodiscover) based on the host header used to connect to ActiveSync / EWS. Because of this, selecting this option is extremely important.
11. Click Save to store the new Virtual Webserver and continue.
Page 19

The following screenshot shows the recommended configuration when using a Wildcard certificate:

I. Configuring Exceptions
Since the Static URL Hardening feature on the Web Application Firewall is very strict, it will not allow clients to open any URL other than the ones explicitly configured. This means that requests such as webmail.example.com/owa are allowed, but requests to individual pages or subdirectories such as webmail.example.com/owa/auth/login.aspx or webmail.example.com/owa/directory/ will be dropped. To enable the clients to access these locations, you'll need to create Exceptions to allow for less stringent filtering.

Exchange Autodiscover
1. Browse to Webserver Protection > Web Application Firewall > Exceptions.
2. Click New Exception List.
3. Enter a name such as Exchange Autodiscover into the Name field.
4. Under Skip these checks, check Static URL hardening.
5. Under Virtual Webservers, select your Virtual Webserver for Exchange Autodiscover.
6. Set the For all requests dropdown to Web requests matching this path.
7. Under Paths, click the + icon and enter /autodiscover/* and /Autodiscover/* (no quotes).
8. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening.
9. Click Save to store the exception and continue.

Outlook Anywhere
1. Browse to Webserver Protection > Web Application Firewall > Exceptions.
2. Click New Exception List.
3. Enter a name such as Outlook Anywhere into the Name field.
4. Under Skip these checks, check Static URL hardening.
5. Under Virtual Webservers, select your Virtual Webserver for Outlook Anywhere.
6. Set the For all requests dropdown to Web requests matching this path.
7. Under Paths, click the + icon and enter /rpc/* and /RPC/* (no quotes).
8. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening.
9. Click Save to store the exception and continue.

OWA & Exchange ActiveSync
1. Browse to Webserver Protection > Web Application Firewall > Exceptions.
2. Click New Exception List.
3. Enter a name such as OWA & Exchange ActiveSync into the Name field.
4. Under Skip these checks, check Static URL hardening.
5. Under Virtual Webservers, select your Virtual Webserver for Outlook Anywhere.
6. Set the For all requests dropdown to Web requests matching this path.
7. Under Paths, click the + icon and enter /owa/*, /OWA/*, /ecp/*, /ECP/*, /ews/*, /EWS/*, /oab/*, /OAB/*, /Microsoft-Server-ActiveSync*, and /favicon.ico (no quotes). Important: Since Microsoft-Server-ActiveSync is not a virtual directory but a URL, there should be no slash between the name and the asterisk. All paths are case sensitive.
8. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening.
9. Click Save to store the exception and continue.

OWA Notifications
A special exception needs to be added to ensure notifications for OWA are not blocked by the WAF.
1. Browse to Webserver Protection > Web Application Firewall > Exceptions.
2. Click New Exception List.
3. Enter a name such as OWA Notifications into the Name field.
4. Under Skip these checks, check Antivirus.
5. Under Skip these categories, check all categories.
6. Under Virtual Webservers, select your Virtual Webserver for OWA & Exchange ActiveSync.
7. Set the For all requests dropdown to Web requests matching this path.
8. Under Paths, click the + icon and enter /owa/ev.owa* (no quotes).
9. Expand Advanced by clicking on the + icon, and then check Never change HTML during static URL hardening or form hardening.
10. Click Save to store the exception and continue.
When finished, you should have 4 exceptions in total related to Exchange Services.
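To make the path rules in Section I concrete, the following added example (not Sophos code) models the four exception lists above and reports which checks are skipped for a given request. It assumes, as the guide states, that paths are case sensitive and a trailing asterisk matches any remainder, and additionally assumes the pattern is compared against the request path including any query string.

```python
"""Model of the four WAF exception lists from this guide (added example,
not Sophos UTM code). Constructed request paths are used as sample input."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExceptionList:
    name: str
    paths: tuple          # patterns entered under Paths, exactly as typed
    skip_checks: frozenset  # checks skipped when one of the patterns matches


EXCEPTIONS = (
    ExceptionList("Exchange Autodiscover", ("/autodiscover/*", "/Autodiscover/*"),
                  frozenset({"Static URL hardening"})),
    ExceptionList("Outlook Anywhere", ("/rpc/*", "/RPC/*"),
                  frozenset({"Static URL hardening"})),
    ExceptionList("OWA & Exchange ActiveSync",
                  ("/owa/*", "/OWA/*", "/ecp/*", "/ECP/*", "/ews/*", "/EWS/*",
                   "/oab/*", "/OAB/*", "/Microsoft-Server-ActiveSync*", "/favicon.ico"),
                  frozenset({"Static URL hardening"})),
    ExceptionList("OWA Notifications", ("/owa/ev.owa*",),
                  frozenset({"Antivirus", "all categories"})),
)


def path_matches(pattern: str, request_target: str) -> bool:
    """Case-sensitive match. A trailing '*' matches any remainder (assumed: the
    remainder may include the query string, which is why the ActiveSync
    pattern is '/Microsoft-Server-ActiveSync*' with no slash before '*')."""
    if pattern.endswith("*"):
        return request_target.startswith(pattern[:-1])
    return request_target == pattern


def skipped_checks(request_target: str) -> set:
    """Union of checks skipped by every exception list whose paths match.
    Exceptions stack: /owa/ev.owa?... skips both URL hardening and Antivirus."""
    skipped = set()
    for exc in EXCEPTIONS:
        if any(path_matches(p, request_target) for p in exc.paths):
            skipped |= exc.skip_checks
    return skipped


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for target in ("/owa/auth/logon.aspx", "/Owa/auth/logon.aspx",
                   "/Microsoft-Server-ActiveSync?Cmd=Sync&DeviceId=ABC",
                   "/owa/ev.owa?ns=PendingRequest", "/favicon.ico/x"):
        print(f"{target:50} skips {sorted(skipped_checks(target)) or 'nothing'}")
```

A path that reaches the "skips nothing" line is still subject to Static URL hardening and will be dropped unless it was explicitly configured, which is why both letter cases of each virtual directory appear in the list.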

J. Optional: Configuring Site Path Routing
The Web Application Firewall applies authentication on a per-site-path basis, because doing so allows flexibility when setting up authentication for a website (for example, if you don't want authentication to occur on /public, but you do want to authenticate those users visiting /private). Choosing which paths require authentication, and which type of authentication to use, is performed via the Site Path Routing configuration.

Exchange Autodiscover
1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing.
2. Click New Site Path Route.
3. Enter a name such as /autodiscover into the Name field.
4. Select the Virtual Webserver created previously for Exchange Autodiscover in the Virtual webserver dropdown box.
5. Enter /autodiscover (no quotes) into the Path field.
6. Under Reverse Authentication, select the Basic Authentication profile created previously (instructions on page 8 of this guide).
7. Under Real Webservers, check all associated Exchange servers.
8. Click Save to store the Site Path Route and continue.
9. Click Clone on the created Site Path Route and create a new route for path /Autodiscover using the same settings above.
10. Optional: Remove the default / Site Path Route for Exchange Autodiscover to improve security.

Outlook Anywhere
1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing.
2. Click New Site Path Route.
3. Enter a name such as /rpc into the Name field.
4. Select the Virtual Webserver created previously for Outlook Anywhere in the Virtual webserver dropdown box.
5. Enter /rpc (no quotes) into the Path field.
6. Under Reverse Authentication, select the Basic Authentication profile created previously (instructions on page 8 of this guide).
7. Under Real Webservers, check all associated Exchange servers.
8. Click Save to store the Site Path Route and continue.
9. Click Clone on the created Site Path Route and create a new route for path /RPC using the same settings above.
10. Optional: Remove the default / Site Path Route for Outlook Anywhere to improve security.

OWA & ECP
1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing.
2. Click New Site Path Route.
3. Enter a name such as /owa into the Name field.
4. Select the Virtual Webserver created previously for OWA & Exchange ActiveSync in the Virtual webserver dropdown box.
5. Enter /owa (no quotes) into the Path field.
6. Under Reverse Authentication, select the Form Authentication profile created previously (instructions on page 8 of this guide).
7. Under Real Webservers, check all associated Exchange servers.
8. Click Save to store the Site Path Route and continue.
9. Click Clone on the created Site Path Route and create new routes for the paths /OWA, /ecp, and /ECP using the same settings above.

Exchange ActiveSync & Other
1. Browse to Webserver Protection > Web Application Firewall > Site Path Routing.
2. Click Edit on the default / site path route belonging to the OWA & Exchange ActiveSync Virtual Webserver.
3. Under Reverse Authentication, select the Basic Authentication profile created previously (instructions on page 8 of this guide).
4. Click Save to continue.
When finished, you should have 9 Site Path Routes in total related to Exchange Services.

L. Optional: Next Steps
You can test to ensure that your Autodiscover & Exchange ActiveSync configuration is working correctly by using Microsoft's Remote Connectivity Analyzer tool, located here: https://testconnectivity.microsoft.com
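The following added example (not Sophos code) models the nine Site Path Routes that Section J ends with, including the removed default routes, and resolves which reverse-authentication profile a request would hit. It assumes, since the guide does not state the matching rule, that the most specific route wins, that routes match on whole path segments, and that / is the catch-all default.

```python
"""Model of the Site Path Routes from Section J (added example, not
Sophos UTM code). Route tables and sample requests are constructed."""

# Virtual Webserver -> {route path: reverse authentication profile}.
# The default "/" routes for Autodiscover and Outlook Anywhere are absent
# because optional step 10 removed them; OWA & EAS keeps "/" with Basic auth.
ROUTES = {
    "Exchange Autodiscover": {"/autodiscover": "Basic", "/Autodiscover": "Basic"},
    "Outlook Anywhere": {"/rpc": "Basic", "/RPC": "Basic"},
    "OWA & Exchange ActiveSync": {"/owa": "Form", "/OWA": "Form",
                                  "/ecp": "Form", "/ECP": "Form",
                                  "/": "Basic"},
}


def _segment_prefix(route: str, path: str) -> bool:
    """Assumed semantics: '/' matches everything; any other route matches the
    path itself or a sub-path, but not '/owatest' for route '/owa'."""
    return route == "/" or path == route or path.startswith(route + "/")


def route_for(webserver: str, request_target: str):
    """Return (route_path, auth_profile) for the most specific matching route,
    or None when nothing matches (no default route left to fall back on)."""
    path = request_target.split("?", 1)[0]   # query string plays no part here
    best = None
    for route in ROUTES[webserver]:
        if _segment_prefix(route, path) and (best is None or len(route) > len(best)):
            best = route
    return None if best is None else (best, ROUTES[webserver][best])


def total_routes() -> int:
    """Count of routes across all three Virtual Webservers (the guide says 9)."""
    return sum(len(table) for table in ROUTES.values())


if __name__ == "__main__":
    samples = (  # constructed requests, not captured traffic
        ("OWA & Exchange ActiveSync", "/owa/auth/logon.aspx"),
        ("OWA & Exchange ActiveSync", "/Microsoft-Server-ActiveSync?Cmd=Ping"),
        ("Exchange Autodiscover", "/Autodiscover/Autodiscover.xml"),
        ("Exchange Autodiscover", "/"),
        ("Outlook Anywhere", "/Rpc/rpcproxy.dll"),
    )
    print(f"{total_routes()} routes configured")
    for ws, target in samples:
        print(f"{ws:26} {target:40} -> {route_for(ws, target) or 'no route'}")
```

Requests that resolve to "no route" show the effect of removing the default / route: anything outside the listed paths on those two Virtual Webservers is no longer forwarded to Exchange at all.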