
Exchange 2013: Sophos UTM 9.3 WAF as reverse proxy for Outlook Anywhere, OWA, ActiveSync and Autodiscover

I didn't really warm to the Sophos UTM 9.2 WAF in conjunction with Exchange 2013. In my opinion, there were too many things that didn't work as I expected. But Sophos UTM 9.3 is now available, so it's time for a new test. The environment is almost unchanged:

This is my standard test environment: 2 Exchange 2013 CU7 (CAS + MBX) servers, 1 domain controller and Sophos UTM 9.3 (9.303-2).

Exchange and Domain Controller are installed on Server 2012 R2. All systems are installed as VMs. The Sophos UTM serves as the standard gateway for the VMs and is a member of the Active Directory. For this test, there is also a Windows 8.1 client with Outlook 2013, which is not a member of the Active Directory and wants to use Outlook Anywhere.

I want to use the DNS name "outlook.frankysweb.de" as the access point for Outlook Anywhere, so this name is configured as the internal and external host name:

Note: I have decided to use only 2 host names: autodiscover.frankysweb.de for Autodiscover and outlook.frankysweb.de for Outlook Anywhere, OWA and ActiveSync. There are a few how-tos that separate every service with its own host name and a corresponding rule. However, if purchased certificates are used, many host names quickly become expensive, or external IPs become scarce. So I want to be able to use all Exchange services with 2 host names and 1 external IP.

With Exchange 2013, it is best practice to use the same host name for internal and external access points. With Exchange 2010, the recommendation was still to separate this. I therefore use the DNS name "outlook.frankysweb.de" both internally and externally.
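The screenshots of the Exchange configuration are not reproduced here, so the following Exchange Management Shell commands are an added example (not from the original article) that sets the single namespace outlook.frankysweb.de on all client access URLs and points the Autodiscover SCP at autodiscover.frankysweb.de. The choice of NTLM for both Outlook Anywhere authentication methods is an assumption based on the NTLM result described later in the article; adjust it if your environment needs Negotiate or Basic.

```powershell
# Added example, not the author's own configuration.
# Run in the Exchange Management Shell on an Exchange 2013 server.
# Sets the same host name for internal and external access on every
# client access virtual directory, as the article recommends.

$Namespace    = 'outlook.frankysweb.de'        # single namespace for OA, OWA, EAS, EWS, OAB
$Autodiscover = 'autodiscover.frankysweb.de'   # second host name, Autodiscover only

# Autodiscover SCP for domain-joined clients (external clients use DNS for $Autodiscover)
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$Autodiscover/Autodiscover/Autodiscover.xml"

# Outlook Anywhere: identical internal/external host name, SSL required.
# Exchange 2013 requires the RequireSsl and authentication parameters to be
# set together with the host name. NTLM here is an assumption (see lead-in).
Get-OutlookAnywhere | Set-OutlookAnywhere `
    -InternalHostname $Namespace -InternalClientsRequireSsl $true `
    -ExternalHostname $Namespace -ExternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm `
    -ExternalClientAuthenticationMethod Ntlm

# Web virtual directories: same URL inside and outside
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory `
    -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$Namespace/EWS/Exchange.asmx" `
    -ExternalUrl "https://$Namespace/EWS/Exchange.asmx"
Get-OabVirtualDirectory | Set-OabVirtualDirectory `
    -InternalUrl "https://$Namespace/OAB" -ExternalUrl "https://$Namespace/OAB"

# Check: every URL should now carry the namespace and nothing else
Get-OutlookAnywhere | Format-Table Server, InternalHostname, ExternalHostname -AutoSize
Get-OwaVirtualDirectory, Get-EcpVirtualDirectory, Get-ActiveSyncVirtualDirectory,
    Get-WebServicesVirtualDirectory, Get-OabVirtualDirectory |
    ForEach-Object { & $_ } |
    Select-Object Server, InternalUrl, ExternalUrl |
    Format-Table -AutoSize
```

The host names set here must all be present in the certificate that is later uploaded to the UTM, otherwise Outlook and ActiveSync clients will get a name mismatch even though the WAF rule itself is correct.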

My Exchange servers have IPs from the network 172.16.100.X. Since this is a test environment, I have attached a computer with Windows 8.1, which is not a member of the domain, to the external interface of the UTM. The computer has an external IP from the network 172.16.200.X. The next screenshot makes it a little clearer:

The DNS entries for autodiscover.frankysweb.de and outlook.frankysweb.de each point to the external IP of the UTM. In my case, this is 172.16.200.1.

But now to the configuration of the UTM WAF. First import the corresponding certificate:

The certificate can be uploaded here

After the upload it should look like this:

The certificate I use comes from an internal CA; of course any purchased certificate can also be used, as long as it contains the correct host names, in my case "outlook.frankysweb.de" and "autodiscover.frankysweb.de". Here is my certificate for illustration:
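Since the certificate shown in the screenshot is not visible here, the following PowerShell script is an added example (not from the original article) that connects to the published host name through the UTM and checks that the certificate the WAF presents really contains both names and is trusted by the client. It is meant to be run from the external test client; the host names are the ones used in this article, and the check logic is an assumption, not something the article describes.

```powershell
# Added example, not the author's own code. Run from the external
# Windows 8.1 client (or any Windows machine that resolves the names
# to the UTM's external IP). Requires no Exchange modules.

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 2.5.29.17 is the Subject Alternative Name extension
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($false) renders e.g. "DNS Name=a, DNS Name=b"; the label is
    # localised on non-English Windows ("DNS-Name="), so match both forms.
    $text = $san.Format($false)
    return @([regex]::Matches($text, 'DNS[- ]Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
}

function Get-PublishedCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any certificate in the callback so we can inspect it ourselves;
        # chain trust is evaluated separately with Verify() below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # Sends $HostName as SNI, so a WAF with several virtual servers
        # returns the certificate bound to this one.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            HostName        = $HostName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            Protocol        = $ssl.SslProtocol
            TrustedByClient = $cert.Verify()   # false if the internal CA is not in the client's store
            DnsNames        = Get-SanDnsNames $cert
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Test-ExchangeNamespaceCertificate {
    param(
        [Parameter(Mandatory)][string]$PublishedHost,
        [Parameter(Mandatory)][string[]]$RequiredNames
    )
    $info    = Get-PublishedCertificate -HostName $PublishedHost
    $missing = @($RequiredNames | Where-Object { $info.DnsNames -notcontains $_ })
    [pscustomobject]@{
        HostName        = $info.HostName
        Issuer          = $info.Issuer
        Expires         = $info.NotAfter
        Protocol        = $info.Protocol
        TrustedByClient = $info.TrustedByClient
        PresentedNames  = $info.DnsNames -join ', '
        MissingNames    = $missing -join ', '
        Ok              = ($missing.Count -eq 0) -and $info.TrustedByClient -and ($info.NotAfter -gt (Get-Date))
    }
}

# Both names from the article must appear in the certificate the UTM presents.
Test-ExchangeNamespaceCertificate -PublishedHost 'outlook.frankysweb.de' `
    -RequiredNames 'outlook.frankysweb.de', 'autodiscover.frankysweb.de' | Format-List
```

If MissingNames is not empty, the UTM is serving a certificate that does not cover one of the two names; if TrustedByClient is false with an internal CA, the issuing CA still has to be imported on the non-domain client, otherwise Outlook Anywhere and Autodiscover will fail with a certificate warning regardless of the WAF configuration.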

As soon as the certificate is uploaded, we can create a firewall profile:

I named my profile "Exchange" and enabled the following settings:

The settings shown above worked perfectly in my test environment. I have therefore left them as they are for the time being and will refine them further if necessary. Now the "Real Servers" can be created:

The "Host" is simply the IP of the Exchange server.

I have created both Exchange servers as real servers:

And finally, the virtual server is created:

The settings for the virtual server are as follows:

That was all...

...and the best thing is that it even works. The problems I had with UTM 9.2 no longer occur. Autodiscover works perfectly: a new Outlook account can be set up without the client ever having been in the domain. Even NTLM works:

Great, that's how I imagined it. No more workarounds on Exchange and Active Directory, it just works. Finally, the initial Outlook setup when the client is not in AD:

The credential prompt is expected: Outlook first tries the e-mail address administrator@frankysweb.de as the user name, but my AD user is called frankysweb\administrator. This will be the case in most environments.

I will refine this article a little more. But I'm pleased that UTM 9.3 finally works the way I want it to. That almost makes me forget the small TLS bug...
