At the end of last year I already wrote an article on RPCoverHTTP, better known as Outlook Anywhere:
Exchange 2016: Is RPCoverHTTP still needed?
I therefore switched off Outlook Anywhere in my environment in December 2016. I have not encountered any problems so far. Outlook 2016 works perfectly with MAPIoverHTTP.
Now that more than two months have passed, I'm taking this opportunity to publish my current configuration of Sophos UTM Webserver Protection in conjunction with Exchange 2016. The environment is still the same. There is a domain controller and an Exchange 2016 with the current CU 4:
Since I don't want to keep reinventing the wheel, this article builds on the original configuration: the UTM configuration that still included RPCoverHTTP is adapted so that only MAPIoverHTTP is supported for Outlook remote access. ActiveSync and EWS are unaffected and continue to work:
Sophos UTM 9.4 WAF and Exchange 2016
The UTM Web Application Firewall is configured as follows:
Real web server
First of all, the settings for the "real web server", in this case Exchange:
Here I have only adjusted the HTTP keep-alive setting to the default of Exchange 2016.
Autodiscover Firewall Profile
I have left the Autodiscover firewall profile unchanged:
Entry URLs:
- /autodiscover
- /autodiscover
Skip filter rules:
- 960015
- 960911
Web services firewall profile
In the firewall profile for the web services I deactivated the option "Let Outlook Anywhere pass". I also extended the entry URLs so that the future REST API (/api) is covered as well:
- /ecp
- /ECP
- /ews
- /EWS
- /Microsoft-Server-ActiveSync
- /oab
- /OAB
- /owa
- /OWA
- /mapi
- /MAPI
- /api
- /API
The list of skipped filter rules has also been reduced considerably:
- 960010
- 960015
- 981204
- 981176
Web services exceptions
The exceptions have changed somewhat: there is now only one exception for the web services, and one exception that covers Autodiscover together with the web services. It applies to the following paths:
- /ecp/*
- /ECP/*
- /ews/*
- /EWS/*
- /Microsoft-Server-ActiveSync*
- /oab/*
- /OAB/*
- /owa/*
- /OWA/*
- /api/*
- /API/*
- /MAPI/*
- /mapi/*
- /autodiscover/*
- /autodiscover/*
Outlook Web Access Exceptions
Another exception is needed for OWA. It applies to the following URLs:
- /owa/ev.owa*
- /OWA/ev.owa*
Autodiscover virtual web server
The virtual web server for Autodiscover remains unchanged; it only needs to be assigned the new firewall profile:
Web services Virtual web server
The virtual web server for the Exchange web services also remains unchanged; it only needs to be assigned the new firewall profile:
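Once the entry URLs, exceptions and profiles are in place, it is worth checking from outside the network that every published path still reaches Exchange and that the RPC path is no longer let through. The following PowerShell script is an added example and not part of the original article or of the Sophos or Exchange products: the hostname mail.example.com and the expected status codes are assumptions for this example (401 means the request reached Exchange and IIS asked for credentials, 200 is the OWA logon page, and 403 is what I expect the UTM to answer for /rpc now that it is not an entry URL and "Let Outlook Anywhere pass" is off). It is written for Windows PowerShell 5.1 and assumes the certificate on the virtual web server is trusted by the client.

```powershell
# Added example (not from the original article): probe the paths published through the
# Sophos UTM WAF after switching Outlook Anywhere off. Hostname and expected status codes
# are assumptions; adjust them to your environment. Windows PowerShell 5.1.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$ExchangeHost = 'mail.example.com'   # assumption: public name of the web services virtual server

# Path -> HTTP status expected for an unauthenticated GET (assumptions, see lead-in).
$Checks = [ordered]@{
    '/autodiscover/autodiscover.xml' = 401   # Autodiscover reached, IIS asks for credentials
    '/mapi/emsmdb'                   = 401   # MAPIoverHTTP endpoint reached
    '/ews/exchange.asmx'             = 401   # EWS reached
    '/Microsoft-Server-ActiveSync'   = 401   # ActiveSync reached
    '/owa/'                          = 200   # redirected to the OWA logon page
    '/rpc/rpcproxy.dll'              = 403   # should now be rejected by the WAF, not by Exchange
}

function Get-HttpStatus {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Get -UseBasicParsing -TimeoutSec 15
        return [int]$r.StatusCode
    } catch [System.Net.WebException] {
        # Invoke-WebRequest throws on 4xx/5xx; the status code sits on the response object.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1   # no HTTP response at all (DNS, TCP or TLS failure)
    }
}

function Test-PublishedPaths {
    param([string]$HostName, [System.Collections.IDictionary]$Expected)
    $results = foreach ($path in $Expected.Keys) {
        $status = Get-HttpStatus -Url ("https://{0}{1}" -f $HostName, $path)
        [pscustomobject]@{
            Path     = $path
            Expected = $Expected[$path]
            Actual   = $status
            Ok       = ($status -eq $Expected[$path])
        }
    }
    return $results
}

Test-PublishedPaths -HostName $ExchangeHost -Expected $Checks | Format-Table -AutoSize
```

A row with Actual -1 means the request never got an HTTP answer, which usually points at DNS, the WAF listener or the certificate rather than at the firewall profile. If /rpc/rpcproxy.dll still returns 401, the request is reaching Exchange and the Outlook Anywhere pass-through or an old exception is still active.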
Avoid MAPIoverHTTP authentication problems
To avoid authentication problems with MAPIoverHTTP, make sure the logon credentials are passed through to Exchange. This is configured in the Internet Options on the client: for the "Local intranet" zone, the logon option "Automatic logon only in Intranet zone" is selected (if it is not set already):
It may also be necessary to add the Exchange URL to the Local intranet zone:
For reference, here are the authentication methods configured on the MAPI virtual directory:
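The two client-side settings above (zone logon option and the zone membership of the Exchange URL) can be applied without clicking through the Internet Options dialog, which is handy when more than one client is affected. The following PowerShell script is an added example and not part of the original article: it writes the per-user registry values behind those dialog options, and in a separate function (to be run in the Exchange Management Shell) lists the authentication methods of the MAPI virtual directory that the screenshot above shows. The hostname mail.example.com is an assumption; the zone ID, value name and logon constants are the documented Windows values for the Internet Options zones.

```powershell
# Added example (not from the original article): apply the client-side Internet Options
# settings for MAPIoverHTTP and show the server-side MAPI virtual directory settings.
# The Exchange hostname is an assumption for this example.

$ExchangeHost = 'mail.example.com'   # assumption

# Internet Options zone IDs and the "Logon" setting (value name 1A00) as stored by Windows:
#   0x00000 = Automatic logon with current user name and password
#   0x10000 = Prompt for user name and password
#   0x20000 = Automatic logon only in Intranet zone
#   0x30000 = Anonymous logon
$IntranetZoneId        = 1
$LogonSettingName      = '1A00'
$AutoLogonIntranetOnly = 0x20000
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Set-IntranetAutoLogon {
    # Selects "Automatic logon only in Intranet zone" for the Local intranet zone of the current user.
    $key = Join-Path $ZonesKey $IntranetZoneId
    Set-ItemProperty -Path $key -Name $LogonSettingName -Value $AutoLogonIntranetOnly -Type DWord
}

function Get-IntranetLogonSetting {
    $key = Join-Path $ZonesKey $IntranetZoneId
    return (Get-ItemProperty -Path $key -Name $LogonSettingName).$LogonSettingName
}

function Add-IntranetZoneSite {
    param([string]$HostName)
    # Puts https://<HostName> into the Local intranet zone, the same effect as
    # Sites > Advanced > Add in the dialog. The ZoneMap stores entries as
    # Domains\<registrable domain>\<host label> with a value named after the scheme.
    $labels    = $HostName.Split('.')
    $domain    = ($labels[-2..-1]) -join '.'
    $hostLabel = if ($labels.Count -gt 2) { ($labels[0..($labels.Count - 3)]) -join '.' } else { $null }
    $key = Join-Path $ZoneMapKey $domain
    if ($hostLabel) { $key = Join-Path $key $hostLabel }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value $IntranetZoneId -Type DWord
    return $key
}

function Show-MapiAuthentication {
    # Server side, run in the Exchange Management Shell: is MAPIoverHTTP enabled for the
    # organization, and which IIS authentication methods are set on the MAPI virtual directory?
    Get-OrganizationConfig | Select-Object MapiHttpEnabled
    Get-MapiVirtualDirectory | Format-List Server, InternalUrl, ExternalUrl, IISAuthenticationMethods
}

# Client side:
Set-IntranetAutoLogon
$zoneKey = Add-IntranetZoneSite -HostName $ExchangeHost
'Logon setting for Local intranet zone: 0x{0:X}' -f (Get-IntranetLogonSetting)
'Zone map entry written to: {0}' -f $zoneKey
```

The registry values are per user (HKCU); if the zones are managed by Group Policy the same keys live under HKLM and the policy wins, so check the effective setting in the dialog afterwards. Run Show-MapiAuthentication on the Exchange server to compare the IISAuthenticationMethods with the screenshot above.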