How to configure Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

This article explains how to configure your Sophos UTM 9.2 to allow access to the relevant Microsoft Exchange services through the Web Application Firewall. Configuring your Exchange server is outside the scope of this guide; this article assumes you've already set up your Microsoft Exchange environment for remote connectivity by enabling Basic authentication (as the primary or additional authentication method) for OWA, ECP, Outlook Anywhere, OAB, EWS and Autodiscover, and that you have copies of your public SSL certificates available in PFX format.

Please note: This guide assumes passthrough authentication is going to be used for the Exchange servers. Should you wish to authenticate to the Exchange servers directly, please make sure you disable all authentication methods other than Basic Authentication on the Exchange servers. Failure to do so will result in authentication problems that might cause logged-in users to lose their sessions, authentication to fail, or session management errors.

Known to apply to the following Sophos product(s) and version(s)
Sophos UTM 9.2

Operating systems
Microsoft Windows Server 2003-2012, Microsoft Exchange 2007-2013
What To Do

A. Import the required certificates
1. Go to the Webserver Protection menu in the UTM Web admin console and select Certificate Management
2. Click New Certificate and select Upload in the Method: dropdown box
3. Fill in a name, the required password and a comment (if needed)
4. Click the folder next to the upload field to select the PFX file you wish to import
5. Click Save to upload the PFX and complete the import

B. (Optional) Import the root certificate
In case your PFX file does not include the root certificate, you need to import it manually in order for the UTM to be able to use it.
1. Go to Certificate Management and navigate to the Certificate Authority tab
2. Click the Import CA button and fill in the name, description and type (this should usually be Verification CA)
3. Click the folder next to the upload field to select the certificate to upload (both PFX and CER format are supported)
4. Click Save to upload the certificate and complete the import
C. (Optional) Configure Active Directory and Exchange IIS
Depending on your preference regarding user logon (either using their username and password, their UPN and password, or their email address and password), you might need to configure some additional settings in either AD or the IIS on the Exchange backend(s).

Username + password style
Sophos UTM assumes the default domain name is known to the backend server when using AD integrated authentication. As a result it will delegate just the username and password to the backend systems, whereas Exchange expects a login in the domain\username format. In a single-domain environment, this limitation can be worked around by setting the default domain on IIS, which will then prefix all logins with this domain name.
1. Log in to your Exchange server(s) using Remote Desktop
2. Open the Internet Information Server (IIS) console
3. Navigate to the website that currently hosts your Exchange services and select the first virtual directory used by Exchange (this is normally Autodiscover)
4. Open the Authentication applet in the IIS section
5. Select Basic Authentication from the list and click Edit in the right-hand Actions pane
6. Fill in the desired default domain name in the Default domain: field and click OK to save
7. Repeat the above steps for every Exchange service in IIS and for every Exchange CAS server in your organization.
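The IIS steps above have to be repeated per virtual directory and per CAS server. The following script is an added example (it is not part of the Sophos article and not Sophos or Microsoft code) that applies the same Default domain setting to all Exchange virtual directories on one server with the IIS WebAdministration module, and warns where Basic authentication is not enabled on the backend. The site name "Default Web Site", the domain name CONTOSO and the list of directory names are placeholders to adjust for your environment.

```powershell
# Added example: set the IIS Basic authentication "Default domain" on every
# Exchange virtual directory of this CAS server (steps 1-7 above, scripted).
# Assumptions: elevated PowerShell on the CAS server, IIS 7 or later with the
# WebAdministration module, Exchange published under "Default Web Site",
# CONTOSO is a placeholder NetBIOS domain name.
Import-Module WebAdministration

$site          = 'Default Web Site'
$defaultDomain = 'CONTOSO'   # placeholder: your single-domain NetBIOS name
$filter        = 'system.webServer/security/authentication/basicAuthentication'
$appHost       = 'MACHINE/WEBROOT/APPHOST'
# Virtual directories the article publishes through the WAF (adjust as needed)
$exchangeVdirs = 'Autodiscover', 'owa', 'ecp', 'EWS', 'OAB', 'Rpc', 'Microsoft-Server-ActiveSync'

foreach ($vdir in $exchangeVdirs) {
    $location = "$site/$vdir"

    # Skip directories that do not exist on this server
    if (-not (Test-Path "IIS:\Sites\$site\$vdir")) {
        Write-Warning "$location not found, skipping"
        continue
    }

    # Basic authentication must already be enabled on the backend (see the introduction);
    # the UTM passthrough cannot work on a directory that only offers other methods.
    $enabled = (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
                    -Filter $filter -Name 'enabled').Value
    if (-not $enabled) {
        Write-Warning "Basic authentication is disabled on $location; passthrough will fail here"
    }

    # Equivalent of Edit > Default domain in the IIS Authentication applet
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter $filter -Name 'defaultLogonDomain' -Value $defaultDomain

    # Read the value back so the run leaves an auditable record of what was set
    $now = (Get-WebConfigurationProperty -PSPath $appHost -Location $location `
                -Filter $filter -Name 'defaultLogonDomain').Value
    Write-Host ("{0,-45} defaultLogonDomain = {1}" -f $location, $now)
}
```

Run the script on each CAS server in turn; the read-back line per directory is what you compare between servers to confirm the farm is configured consistently before pointing the WAF at it.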
D. (Optional) Configuring authentication services
Depending on the desired style of authentication, you have to create either at least one Active Directory authentication server (for the username + password style) or one LDAP authentication server (for UPN-based authentication) in UTM.

Active Directory (username + password style)
1. Go to the Users & Definitions menu in the UTM Web admin console and select Authentication Services
2. Navigate to the Servers tab and click the New Authentication Server button
3. Select Active Directory from the Backend dropdown
4. If you have multiple backends of a similar type, use the Position dropdown menu to determine the place in the availability hierarchy (if the server in position 1 is unavailable, UTM will automatically fail over to the server in position 2, and so forth)
5. Next select the backend server by either clicking the folder icon and dragging the relevant server into the Server: field, or by clicking the + icon to define a new host
6. (Optional) Tick the SSL checkbox to enable SSL connectivity to your AD server
7. (Optional) The Port: field will be automatically filled out with the relevant default TCP port, but if needed this can be customized by entering the actual port in the Port: field
8. Enter the name of the (service) account the UTM may use to connect to Active Directory in the Bind DN: field. Both the domain\username and the LDAP object (CN=username,DC=domain,DC=local) formats are supported here, though the latter can reduce the amount of DNS and AD queries in high-load environments
9. Enter the relevant password for the account in the Password: field
10. (Optional) Click the Test button to verify whether UTM can reach the backend server and whether the supplied user and credentials are accepted by AD
11. (Optional) Fill out the Base DN: field to define at which level UTM should start querying AD (for example CN=Users,DC=domain,DC=local). It is recommended to set this value to reduce query length, duration and recursion and so improve lookup times
12. Click Save to store the configured backend server and continue
LDAP (UPN + password style)
1. Go to the Users & Definitions menu in the UTM Web admin console and select Authentication Services
2. Navigate to the Servers tab and click the New Authentication Server button
3. Select LDAP from the Backend dropdown
4. If you have multiple backends of a similar type, use the Position dropdown menu to determine the place in the availability hierarchy (if the server in position 1 is unavailable, UTM will automatically fail over to the server in position 2, and so forth)
5. Next select the backend server by either clicking the folder icon and dragging the relevant server into the Server: field, or by clicking the + icon to define a new host
6. (Optional) Tick the SSL checkbox to enable SSL connectivity to your LDAP server
7. (Optional) The Port: field will be automatically filled out with the relevant default TCP port, but if needed this can be customized by entering the actual port in the Port: field
8. Enter the name of the (service) account the UTM may use to connect to Active Directory in the Bind DN: field. Both the domain\username and the LDAP object (CN=username,DC=domain,DC=local) formats are supported here, though the latter can reduce the amount of DNS and AD queries in high-load environments
9. Enter the relevant password for the account in the Password: field
10. (Optional) Click the Test button to verify whether UTM can reach the backend server and whether the supplied user and credentials are accepted by AD
11. Select > from the User Attribute: dropdown menu to authenticate based on a custom attribute
12. Enter userprincipalname (case sensitive) in the Custom: field to enable UTM to authenticate based on UPN
13. (Optional) Fill out the Base DN: field to define at which level UTM should start querying AD (for example CN=Users,DC=domain,DC=local). It is recommended to set this value to reduce query length, duration and recursion and so improve lookup times
14. Click Save to store the configured backend server and continue
LDAP (email address + password style)
1. Go to the Users & Definitions menu in the UTM Web admin console and select Authentication Services
2. Navigate to the Servers tab and click the New Authentication Server button
3. Select LDAP from the Backend dropdown
4. If you have multiple backends of a similar type, use the Position dropdown menu to determine the place in the availability hierarchy (if the server in position 1 is unavailable, UTM will automatically fail over to the server in position 2, and so forth)
5. Next select the backend server by either clicking the folder icon and dragging the relevant server into the Server: field, or by clicking the + icon to define a new host
6. (Optional) Tick the SSL checkbox to enable SSL connectivity to your LDAP server
7. (Optional) The Port: field will be automatically filled out with the relevant default TCP port, but if needed this can be customized by entering the actual port in the Port: field
8. Enter the name of the (service) account the UTM may use to connect to Active Directory in the Bind DN: field. Both the domain\username and the LDAP object (CN=username,DC=domain,DC=local) formats are supported here, though the latter can reduce the amount of DNS and AD queries in high-load environments
9. Enter the relevant password for the account in the Password: field
10. (Optional) Click the Test button to verify whether UTM can reach the backend server and whether the supplied user and credentials are accepted by AD
11. Select > from the User Attribute: dropdown menu to authenticate based on a custom attribute
12. Enter mail (case sensitive) in the Custom: field to enable UTM to authenticate based on the user's primary email address
13. (Optional) Fill out the Base DN: field to define at which level UTM should start querying AD (for example CN=Users,DC=domain,DC=local). It is recommended to set this value to reduce query length, duration and recursion and so improve lookup times
14. Click Save to store the configured backend server and continue
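The three authentication server variants in section D differ only in which directory attribute the typed logon name is matched against (sAMAccountName, userPrincipalName or mail) and in the Bind DN and Base DN you give the UTM. The script below is an added example (not part of the Sophos article and not Sophos code) that reproduces, from any Windows host with .NET, what the Test button and the custom User Attribute do: it binds with the service account and then looks the sample logon up under the Base DN with the chosen attribute, so a wrong Bind DN, a Base DN that is too narrow, or a user lacking the attribute shows up before the profile is saved. The server dc01.domain.local, the Base DN, and the sample logons are placeholders; the attribute names are used here in an LDAP filter, while the value you type into the UTM Custom: field is the one given in the steps above.

```powershell
# Added example: check Bind DN, Base DN and the user attribute the UTM will
# match on, the same way the UTM "Test" button and User Attribute setting do.
# Assumptions: dc01.domain.local, the Base DN and the sample logons are
# placeholders; System.DirectoryServices is part of .NET on Windows.
Add-Type -AssemblyName System.DirectoryServices

function Test-UtmLdapLogon {
    param(
        [Parameter(Mandatory)] [string] $Server,        # placeholder: dc01.domain.local
        [Parameter(Mandatory)] [string] $BindDn,        # domain\svc-utm or CN=svc-utm,CN=Users,DC=domain,DC=local
        [Parameter(Mandatory)] [string] $BindPassword,
        [Parameter(Mandatory)] [string] $BaseDn,        # e.g. CN=Users,DC=domain,DC=local
        # Attribute the typed logon name is compared against (one per section D style)
        [ValidateSet('sAMAccountName', 'userPrincipalName', 'mail')]
        [string] $UserAttribute = 'sAMAccountName',
        [Parameter(Mandatory)] [string] $Logon,         # what the end user would type
        [switch] $UseSsl                                # mirrors the SSL checkbox (port 636)
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure
    if ($UseSsl) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }

    # Step 1: bind with the service account (what the UTM Test button verifies).
    # Searching starts at the Base DN, so a too-narrow Base DN is caught in step 2.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${Server}:${port}/${BaseDn}", $BindDn, $BindPassword, $auth)
    try { $null = $root.NativeObject }   # forces the bind; throws on bad credentials or DN
    catch { throw "Bind as '$BindDn' against $Server failed: $($_.Exception.Message)" }

    # Step 2: look the logon name up by the chosen attribute. The value comes from
    # the end user, so LDAP filter metacharacters (RFC 4515) are escaped first.
    $escaped = $Logon -replace '\\', '\5c' -replace '\*', '\2a' `
                      -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)($UserAttribute=$escaped))"
    $searcher.SearchScope = 'Subtree'
    [void] $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userPrincipalName', 'mail', 'distinguishedName'))
    $hit = $searcher.FindOne()

    # Read a single-valued attribute safely (mail or UPN may be unset on an account)
    $get = { param($name) if ($hit.Properties[$name].Count -gt 0) { [string] $hit.Properties[$name][0] } else { $null } }

    [pscustomobject]@{
        Logon             = $Logon
        Attribute         = $UserAttribute
        Found             = [bool] $hit
        SamAccountName    = if ($hit) { & $get 'samaccountname' }    else { $null }
        UserPrincipalName = if ($hit) { & $get 'userprincipalname' } else { $null }
        Mail              = if ($hit) { & $get 'mail' }              else { $null }
        DistinguishedName = if ($hit) { & $get 'distinguishedname' } else { $null }
    }
}

# Usage with placeholder values: one call per logon style from section D.
$cred   = Get-Credential -Message 'Bind DN (domain\svc-utm or CN=...) and password'
$common = @{
    Server = 'dc01.domain.local'; BaseDn = 'CN=Users,DC=domain,DC=local'; UseSsl = $true
    BindDn = $cred.UserName; BindPassword = $cred.GetNetworkCredential().Password
}
Test-UtmLdapLogon @common -UserAttribute sAMAccountName    -Logon 'jdoe'                 # AD, username + password
Test-UtmLdapLogon @common -UserAttribute userPrincipalName -Logon 'jdoe@domain.local'    # LDAP, UPN style
Test-UtmLdapLogon @common -UserAttribute mail              -Logon 'john.doe@example.com' # LDAP, email style
```

A result with Found = False for the UPN or mail style, while the sAMAccountName style finds the same account, means the account lacks that attribute or the Base DN excludes it; that is the case in which the UTM profile would reject a user who can still log on to the Exchange server directly.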
E. (Optional) Creating the Reverse Authentication profiles
As mentioned in the introduction, this guide assumes reverse authentication with passthrough is going to be used for all published services. If you do not wish to do so, please skip this section.

Since Exchange uses two distinct modes of authentication (forms-based logon and HTTP 401 authentication messages) for improved user experience (user-facing services such as OWA use a form, application-facing services such as Outlook Anywhere use HTTP 401), we'll need to create two separate Reverse Authentication profiles to match this desired authentication scheme.

Basic authentication with passthrough
This is the profile that will be used to supplant all HTTP 401 authentication interfaces used by Exchange.
1. Go to the Webserver Protection menu in the UTM Web admin console and select Reverse Authentication
2. Click the New Authentication Profile button on the Profiles tab
3. Fill in a Name for the new authentication profile in the Name: field
4. Select Basic from the Frontend mode: dropdown menu and set a relevant name for the HTTP 401 popup box in the Frontend realm: field
5. Set the backend mode to Basic to enable authentication passthrough
6. Click the folder icon in the Users/Groups box to select existing users/groups by dragging and dropping them into the textbox, or click the New User or New Group icon to define new groups allowed to access resources protected by this profile.
Please note: Selecting AD users and groups will enable username/password style logins; selecting LDAP users and groups will enable UPN logins or email logins, depending on your configuration.
Forms-based authentication with passthrough
This is the profile that will be used to protect the user-facing services where having a logon form is preferable to a regular HTTP 401 popup.
1. Go to the Webserver Protection menu in the UTM Web admin console and select Reverse Authentication
2. Click the New Authentication Profile button on the Profiles tab
3. Fill in a Name for the new authentication profile in the Name: field
4. Select Form from the Frontend mode: dropdown menu and set a unique URL value for the location of the login page in the Frontend realm: field
Please note: If the URL used for the form is not unique, backend resources will become unreachable!
5. Select a form template from the Form template: dropdown menu
6. Set the backend mode to Basic to enable authentication passthrough
7. Click the folder icon in the Users/Groups box to select existing users/groups by dragging and dropping them into the textbox, or click the New User or New Group icon to define new groups allowed to access resources protected by this profile.
Please note: Selecting AD users and groups will enable username/password style logins; selecting LDAP users and groups will enable UPN logins or email logins, depending on your configuration.
F. Creating the Real Webserver(s)
The next step in setting up the WAF is configuring the Real Webserver(s), which represent the Exchange CAS backend servers to the WAF setup.
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Real Webservers tab and click the New Real Webserver button
3. Fill in a Name for the new Real Webserver and select either a pre-existing Host object by clicking the folder icon, or create one by clicking the + button
4. Set the Real Webserver connection type by selecting either HTTP or HTTPS from the Type dropdown menu
5. (Optional) After selecting the appropriate connection type the UTM will automatically fill in the associated port; should you however need to use a non-standard port, you can enter it in the Port field
6. Click Save to store the real server and continue

Repeat the above procedure for every Exchange server in your farm. For the rest of this guide we are going to assume a minimum of two servers, but aside from the number of available backend servers, the setup for a single server is similar.

G. Configuring the firewall profiles
Exchange contains several web services (Outlook Anywhere, Outlook Web App (OWA), Exchange ActiveSync, Autodiscover, etc.) which require different levels of protection and different WAF settings to function correctly. As a result, we will configure three separate profiles: one for Outlook Anywhere, one for Autodiscover and one for all other Exchange services. The profile options configured below are based on our recommended settings, and the items marked (Optional) should be treated as our personal suggestions.

Exchange Autodiscover
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Firewall Profiles tab and click the New Firewall Profile button
3. Fill in a Name for the profile and select the appropriate firewall action (Monitor or Reject) from the Mode: dropdown menu
4. Enable the Common Threats Filter and Rigid Filtering
5. Add a Skip Filter rule by clicking the + icon of the textbox
6. Enter 960015 (without quotation marks) and click Apply
7. Enable URL Hardening and enter /autodiscover and /Autodiscover as entry points by clicking the + icon in the top right corner of the textbox
8. Enable Form Hardening
9. (Optional) Enable antivirus scanning, and select the engine mode (Single or Dual engine) and Scan mode (Upload, Download or Upload and Download) from the dropdown menus
10. (Optional) Block suspect hosts by enabling the Block clients with bad reputation feature
11. Expand the Threat Filter Categories by clicking the - icon to the left and untick SQL Injection Attacks
12. Click Save to store the profile and continue
The following screenshot displays our recommended settings:
Outlook Anywhere
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Firewall Profiles tab and click the New Firewall Profile button
3. Fill in a Name for the profile and enable the Pass Outlook Anywhere option
4. Select the appropriate firewall action (Reject or Monitor) from the Mode: dropdown menu
5. Enable URL Hardening and enter /rpc and /RPC as entry points by clicking the + icon in the top right corner of the textbox
6. (Optional) Block suspect hosts by enabling the Block clients with bad reputation feature
7. Click Save to store the profile and continue
The following screenshot displays our recommended settings:
All other Exchange services
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Firewall Profiles tab and click the New Firewall Profile button
3. Fill in a Name for the profile and select the appropriate firewall action (Reject or Monitor) from the Mode: dropdown menu
4. Enable the Common Threats Filter and Rigid Filtering
5. Add the following Skip Filter rules by clicking the + icon on the top of the textbox
6. Add 960015, 981203, 960010, 960018 and 981204 (without quotation marks) and click Apply on each line to confirm
7. Enable URL Hardening and enter /owa, /OWA, /ews, /EWS, /oab, /OAB, /ecp, /ECP and /Microsoft-Server-ActiveSync as entry points by clicking the + icon in the top right corner of the textbox
8. (Optional) Enable antivirus scanning, and select the engine mode (Single or Dual engine) and Scan mode (Upload, Download or Upload and Download) from the dropdown menus
9. (Optional) Block suspect hosts by enabling the Block clients with bad reputation feature
10. Expand the Threat Filter Categories by clicking the - icon to the left and untick SQL Injection Attacks, XSS Attacks and Outbound
11. Click Save to store the profile and continue
The following screenshot displays our recommended settings:
H. Creating the Virtual Webservers
Since we intend to use different firewall profiles for different Exchange services (as previously discussed), we will need to configure a matching number of Virtual Webservers to which these profiles should apply.

Exchange Autodiscover
Please note that, as part of Microsoft's best practices, Sophos recommends running the Autodiscover service on a separate hostname. This hostname should normally be autodiscover.<domain>.<tld>, as demonstrated below.
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Virtual Webservers tab and click the New Virtual Webserver button
3. Fill in a Name for the virtual server
4. Select the interface on which this Virtual Webserver should be created from the Interface dropdown menu, along with the protocol the end users should use to connect to this server from the Type menu. For the intents and purposes of this article (securely enabling remote access to your Exchange environment) we will set this to HTTPS
5. (Optional) The UTM will automatically fill in the standard port associated with the HTTPS protocol, but you can set an alternate port in the Port: field
6. (Optional) Tick the Redirect HTTP to HTTPS checkbox to enable automatic forwarding of HTTP to HTTPS traffic for requests matching the configured hostname
7. Select the applicable certificate from the Certificate: dropdown menu
8. Select either the desired domain name from the Domains: list, or (when using a wildcard certificate) enter your desired hostname by clicking the + button in the top right corner. (Sophos advises you to use a SAN certificate here, as wildcard certificates are incompatible with multi-site High Availability (HA) Exchange setups and require extra configuration on the Exchange server(s))
9. Select the Firewall Profile you've created for Exchange Autodiscover from the Firewall Profile dropdown menu
10. Enable the Pass Host Header option (this is very important, as your Exchange server needs the actual host header to determine the location (inside/outside the organization) of the client, on which many Exchange services rely)
11. Click the Save button to store the configuration and continue
The following screenshot displays our recommended settings:
Outlook Anywhere
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Virtual Webservers tab and click the New Virtual Webserver button
3. Fill in a Name for the virtual server
4. Select the interface on which this Virtual Webserver should be created from the Interface dropdown menu, along with the protocol the end users should use to connect to this server from the Type menu. For the intents and purposes of this article (securely enabling remote access to your Exchange environment) we will set this to HTTPS
5. (Optional) The UTM will automatically fill in the standard port associated with the HTTPS protocol, but you can set an alternate port in the Port: field
6. (Optional) Tick the Redirect HTTP to HTTPS checkbox to enable automatic forwarding of HTTP
7. Select the applicable certificate from the Certificate: dropdown menu
8. Select either the desired domain name from the Domains: list, or (when using a wildcard certificate) enter your desired hostname by clicking the + button in the top right corner
9. Select the Firewall Profile you've created for Outlook Anywhere from the Firewall Profile dropdown menu
10. Enable the Pass Host Header option (failure to set this option will break automatic configuration for all Exchange ActiveSync and Outlook Anywhere clients, as well as automatic failover in HA scenarios)
11. Click the Save button to store the configuration and continue
The following screenshot displays our recommended settings:
All other Exchange services
1. Go to the Webserver Protection menu in the UTM Web admin console and select Web Application Firewall
2. Navigate to the Virtual Webservers tab and click the New Virtual Webserver button
3. Fill in a Name for the virtual server
4. Select the interface on which this Virtual Webserver should be created from the Interface dropdown menu, along with the protocol the end users should use to connect to this server from the Type menu. For the intents and purposes of this article (securely enabling remote access to your Exchange environment) we will set this to HTTPS
5. (Optional) The UTM will automatically fill in the standard port associated with the HTTPS protocol, but you can set an alternate port in the Port: field
6. (Optional) Tick the Redirect HTTP to HTTPS checkbox to enable automatic forwarding of HTTP
7. Select the applicable certificate from the Certificate: dropdown menu
8. Select either the desired domain name from the Domains: list, or (when using a wildcard certificate) enter your desired hostname by clicking the + button in the top right corner
9. Select the Firewall Profile you've created for the other Exchange services from the Firewall Profile dropdown menu
10. Enable the Pass Host Header option (Exchange determines the applicable automatic configuration (received through Autodiscover) based on the host header used to connect to ActiveSync and EWS, for example; this option is therefore very important)
11. Click the Save button to store the configuration and continue
The following screenshot displays our recommended settings:

H. Configuring Exceptions
Since the URL Filtering feature in UTM is very strict, it will currently not allow clients to open any URL other than the ones we've configured. This means that webmail.example.com/owa is allowed, but webmail.example.com/owa/auth/login.aspx or webmail.example.com/owa/directory/anything will be dropped. To enable the clients to access these virtual directories, you need to create an Exception to allow for slightly less stringent filtering.

Exchange Autodiscover
1. Navigate to the Exceptions tab and click the New Exception button
2. Set a Name for the exception and (if needed) write a description in the Comment: field
3. Enable the URL Hardening option in the Skip these checks menu
4. Select your Exchange Autodiscover Virtual Webserver in the Virtual servers checkbox
5. Set the For all requests dropdown menu to Web requests matching this path
6. Click the + button in the top right corner to create a new excepted path and enter /autodiscover/*
7. Repeat the above steps for /Autodiscover/*
8. Open the Advanced settings by clicking the - icon and tick Never change HTML during URL hardening or Form Hardening to enable script content to pass unaltered
9. Click the Save button to store the configuration and continue
The following screenshot displays our recommended settings for the exception:

Outlook Anywhere
1. Navigate to the Exceptions tab and click the New Exception button
2. Set a Name for the exception and (if needed) write a description in the Comment: field
3. Enable the URL Hardening option in the Skip these checks menu
4. Select your Outlook Anywhere Virtual Webserver from the On the virtual server dropdown menu
5. Set the For all requests dropdown menu to Web requests matching this path
6. Click the + button in the top right corner to create a new excepted path and enter /rpc/*
7. Repeat the previous steps for /RPC/*
8. Click the Save button to store the configuration and finish this guide
The following screenshot displays our recommended settings for the exception:
All other Exchange services
For Exchange to work, we need two exceptions: one for URL filtering, and one for AV scanning (this enables Exchange Notifications to work properly).
URL filtering exception
1. Navigate to the Exceptions tab and click the New Exception button
2. Set a Name for the exception and (if needed) write a description in the Comment: field
3. Enable the URL Hardening option in the Skip these checks menu
4. Select your Outlook Anywhere Virtual Webserver from the On the virtual server dropdown menu
5. Set the For all requests dropdown menu to Web requests matching this path
6. Click the + button in the top right corner to create a new excepted path and enter /owa/*
7. Repeat the previous steps for /OWA/*, /ecp/*, /ECP/*, /ews/*, /EWS/*, /oab/*, /OAB/* and /Microsoft-Server-ActiveSync*
Please note: Since Microsoft-Server-ActiveSync is not a virtual directory but a URL, there should be no slash between the name and the asterisk
8. Open the Advanced settings by clicking the - icon and tick Never change HTML during URL hardening or Form Hardening to enable script content to pass unaltered
9. Click the Save button to store the configuration and finish this guide
The following screenshot displays our recommended settings for the exception:
AV exception
1. Navigate to the Exceptions tab and click the New Exception button
2. Set a Name for the exception and (if needed) write a description in the Comment: field
3. Enable the Antivirus option in the Skip these checks menu
4. Select your Outlook Anywhere Virtual Webserver from the On the virtual server dropdown menu
5. Set the For all requests dropdown menu to Web requests matching this path
6. Click the + button in the top right corner to create a new excepted path and enter /owa/ev.owa*
7. Click the Save button to store the configuration and finish this guide
The following screenshot displays our recommended settings for the exception:
I. (Optional) Configuring Site Path Routing
Sophos UTM applies authentication on a per-site-path basis, as this allows flexibility when setting up authentication for a website (for example, you don't want authentication to occur on /public, but you do wish to authenticate those visiting /private). Configuring which paths require (which type of) authentication is therefore performed through the Site Path Routing configuration.

Exchange Autodiscover
1. Navigate to the Site Path Routing tab and click the New Site Path Route button
2. Set a Name for the route and (if needed) write a description in the Comment: field
3. Select your Exchange Autodiscover Virtual Webserver from the Virtual Webserver: dropdown menu
4. Enter /autodiscover/ in the Path: field
5. Select the Basic authentication profile previously created from the Reverse Authentication: dropdown menu
6. Tick the checkboxes on all associated Real Webservers in the Real Webservers menu
7. Click Save to continue and repeat steps 1-6 for /Autodiscover/
The following screenshot displays our recommended settings for this route:
8. (Optional) Remove the default / Site Path Route for the Exchange Autodiscover Virtual Webserver to improve security
Outlook Anywhere
1. Navigate to the Site Path Routing tab and click the New Site Path Route button
2. Set a Name for the route and (if needed) write a description in the Comment: field
3. Select your Outlook Anywhere Virtual Webserver from the Virtual Webserver: dropdown menu
4. Enter /rpc/ in the Path: field
5. Select the Basic authentication profile previously created from the Reverse Authentication: dropdown menu
6. Tick the checkboxes on all associated Real Webservers in the Real Webservers menu
7. Click Save to continue and repeat steps 1-6 for /RPC/
The following screenshot displays our recommended settings for this route:
8. (Optional) Remove the default / Site Path Route for the Outlook Anywhere Virtual Webserver to improve security
OWA and ECP
1. Navigate to the Site Path Routing tab and click the New Site Path Route button
2. Set a Name for the route and (if needed) write a description in the Comment: field
3. Select your Exchange Virtual Webserver from the Virtual Webserver: dropdown menu
4. Enter /owa/ in the Path: field
5. Select the Form authentication profile previously created from the Reverse Authentication: dropdown menu
6. Tick the checkboxes on all associated Real Webservers in the Real Webservers menu
7. Click Save to continue and repeat steps 1-6 for /OWA/, /ecp/ and /ECP/
The following screenshot displays our recommended settings for this route:
All other Exchange services
1. Navigate to the Site Path Routing tab and click the Edit button for the / default site path route of the Exchange Virtual Webserver
2. Select the Basic authentication profile previously created from the Reverse Authentication: dropdown menu
3. Click Save to continue
The following screenshot displays our recommended settings for this route: