Sophos UTM 9.4 WAF and Exchange 2016 (without RPCoverHTTP)

At the end of last year, I had already written an article on the subject of RPCoverHTTP, better known as Outlook Anywhere:

Exchange 2016: Is RPCoverHTTP still needed?

I therefore switched off Outlook Anywhere in my environment in December 2016. I have not encountered any problems so far. Outlook 2016 works perfectly with MAPIoverHTTP.

Now that more than two months have passed, I'm taking this opportunity to publish my current configuration of Sophos UTM Webserver Protection in conjunction with Exchange 2016. The environment is still the same. There is a domain controller and an Exchange 2016 with the current CU 4:

RPCoverHTTP

Since I don't want to constantly reinvent the wheel, this article builds on the original configuration: the UTM configuration including RPCoverHTTP is adapted so that only MAPIoverHTTP is supported for Outlook remote access. ActiveSync and EWS remain unaffected and continue to function:

Sophos UTM 9.4 WAF and Exchange 2016

The UTM Web Application Firewall is configured as follows:

Real web server

First of all, the settings for the "real web server", in this case Exchange:

WAF

Here I have only adjusted the HTTP keep-alive to the default setting of Exchange 2016.

Autodiscover Firewall Profile

I have left the Autodiscover Firewall profile unchanged:

Entry URLs:

/autodiscover
/autodiscover

Skip Filter Rules:

  • 960015
  • 960911


Web services firewall profile

I deactivated the option "Let Outlook Anywhere pass" in the firewall profile for the web services. I also adapted the entry URLs to support the future REST API:

/ecp
/ECP
/ews
/EWS
/Microsoft-Server-ActiveSync
/oab
/OAB
/owa
/OWA
/
/mapi
/MAPI
/api
/API


The filter rules have also been significantly reduced:

  • 960010
  • 960015
  • 981204
  • 981176


Web services exceptions

There have been some changes to the exceptions. There is now only one exception for the web services and one exception covering Autodiscover and the web services; it applies to the following paths:

/ecp/*
/ECP/*
/ews/*
/EWS/*
/Microsoft-Server-ActiveSync*
/oab/*
/OAB/*
/owa/*
/OWA/*
/api/*
/API/*
/MAPI/*
/mapi/*
/autodiscover/*
/autodiscover/*


Outlook Web Access Exceptions

Another exception is necessary for OWA:


The exception applies to the following URLs:

/owa/ev.owa*
/OWA/ev.owa*
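As an added example (not from the original article and not Sophos code), here is a small Python model of the routing decisions these settings imply. It assumes case-sensitive prefix matching for entry URLs (which is why both case variants are listed), shell-style globs for the exception paths, and that RPC_IN_DATA/RPC_OUT_DATA, the HTTP methods Outlook Anywhere uses, are what "Let Outlook Anywhere pass" controls:

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class VirtualServer:
    """Assumed simplification of a UTM virtual web server with its firewall profile."""
    entry_urls: list          # case-sensitive path prefixes that the WAF forwards
    exceptions: list          # glob patterns whose matches skip the filter rules
    pass_outlook_anywhere: bool


# Values taken from the configuration described in this article.
WEB_SERVICES = VirtualServer(
    entry_urls=["/ecp", "/ECP", "/ews", "/EWS", "/Microsoft-Server-ActiveSync",
                "/oab", "/OAB", "/owa", "/OWA", "/", "/mapi", "/MAPI", "/api", "/API"],
    exceptions=["/ecp/*", "/ECP/*", "/ews/*", "/EWS/*", "/Microsoft-Server-ActiveSync*",
                "/oab/*", "/OAB/*", "/owa/*", "/OWA/*", "/api/*", "/API/*",
                "/MAPI/*", "/mapi/*", "/autodiscover/*",
                "/owa/ev.owa*", "/OWA/ev.owa*"],
    pass_outlook_anywhere=False,
)
AUTODISCOVER = VirtualServer(["/autodiscover"], ["/autodiscover/*"], False)
# Same web services server with the option switched back on, for comparison.
WEB_SERVICES_WITH_OA = VirtualServer(WEB_SERVICES.entry_urls, WEB_SERVICES.exceptions, True)


def decide(server: VirtualServer, method: str, request_target: str) -> str:
    """Return 'rejected', 'passed' (filter rules skipped) or 'filtered' for one request."""
    path = request_target.split("?", 1)[0]        # entry URLs and exceptions match the path only
    if method in ("RPC_IN_DATA", "RPC_OUT_DATA") and not server.pass_outlook_anywhere:
        return "rejected"                          # Outlook Anywhere traffic is no longer let through
    if not any(path.startswith(prefix) for prefix in server.entry_urls):
        return "rejected"                          # no entry URL matches, so the WAF does not forward it
    if any(fnmatch.fnmatchcase(path, pattern) for pattern in server.exceptions):
        return "passed"
    return "filtered"


if __name__ == "__main__":
    # Constructed sample requests, one per decision branch.
    for srv, method, target in [(WEB_SERVICES, "POST", "/mapi/emsmdb/?MailboxId=abc"),
                                (WEB_SERVICES, "RPC_IN_DATA", "/rpc/rpcproxy.dll"),
                                (AUTODISCOVER, "GET", "/owa/"),
                                (WEB_SERVICES, "GET", "/Owa/auth/logon.aspx")]:
        print(method, target, "->", decide(srv, method, target))
```

Note that because "/" is itself an entry URL on the web services server, every path is forwarded there and only the exception globs decide whether the filter rules run; the mixed-case "/Owa/..." request shows that a path in a third case variant is still filtered.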


Autodiscover virtual web server

The virtual web server for Autodiscover remains unchanged and is only assigned the new firewall profile:


Web services Virtual web server

The virtual web server for the Exchange web services also remains unchanged and is only assigned the new firewall profile:


Avoid MAPIoverHTTP authentication problems

To avoid authentication problems with MAPIoverHTTP, make sure the client passes the login credentials through. This is configured in the Internet options on the client: for the "Local intranet" zone, activate the option "Automatic login only in the intranet zone" (if not already done).

It may also be necessary to add the corresponding URL to the intranet zone:


Here are the authentication methods for the MAPI virtual directory.

5 thoughts on “Sophos UTM 9.4 WAF and Exchange 2016 (without RPCoverHTTP)”

  1. Hello Frank,
    everything is set up so far. I can also reach the OWA login screen via https://outlook….. When I enter the e-mail address and the password, I get the message that the username or password is wrong.

    Where could the error be?

    Regards
    Christoph

  2. Hi,

    what about if you have a DAG cluster with 2 Exchange servers in the environment?
    Can you then simply enter both in the WAF on the Sophos?

  3. Hi Franky,

    This concerns an Exchange 2013, but maybe you have an idea here.
    I have published EWS and configured the UTM as in your older post.
    Unfortunately, login via Basic Authentication is not possible; I always get an HTTP 401.1.
    I have tried pretty much everything I found, but nothing changes. According to tracing, it looks like I am running into Windows integrated authentication, which of course fails. Internally, login works without problems.

  4. Hello, a question: you switched off Outlook Anywhere on Exchange 2016, meaning external access is via MAPI over HTTP?

    I currently have Exchange 2016, MAPI is enabled, Outlook Anywhere is enabled, but from outside it still shows RPC/HTTP. Internally it shows HTTP.

    So simply switch off Outlook Anywhere and that's it?

    Regards
