For Exchange 2010 and Exchange 2013, I had already published articles for Sophos UTM Webserver Protection (WAF) here. However, since Exchange 2016 has now been released and Sophos UTM is also available in a more up-to-date version, there is another update here.
Environment (UTM and Exchange)
Exchange Server 2016 CU1 and Sophos UTM 9.400-9 are the versions used. The Exchange URLs internally and externally are mail.frankysweb.de and split-brain DNS is used.
The first step is to install the certificate. I use a wildcard certificate (*.frankysweb.de). However, it also works if only the external host names are stored on the certificate (for example autodiscover.frankysweb.de and mail.frankysweb.de).
Important: A SAN certificate must be used, i.e. a single certificate that contains at least the two external names; two certificates with one name each cannot be used.
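To make the certificate requirement above checkable before touching the UTM, here is a small helper (added example, not code from the original article or from Sophos). It applies the usual RFC 6125 matching rules to a certificate's Subject Alternative Names: comparison is case-insensitive, and a wildcard is only valid as the whole left-most label and covers exactly one label. The certificate SAN lists below are constructed samples; in practice you would read them from the certificate you are about to import.

```python
"""Check whether one certificate's SAN list covers every public Exchange name.

Added example, not from the original article. It models the rule stated in the
text: the WAF needs a single certificate whose Subject Alternative Names cover
all external host names (wildcard or explicit SAN entries); two single-name
certificates cannot be combined. The SAN lists below are constructed samples.
"""

# The two external names the article says must be covered.
REQUIRED_NAMES = ["mail.frankysweb.de", "autodiscover.frankysweb.de"]


def san_matches(san_entry: str, hostname: str) -> bool:
    """Return True if a single SAN entry matches hostname.

    Comparison is case-insensitive. A wildcard is only allowed as the whole
    left-most label and matches exactly one label, so *.frankysweb.de covers
    mail.frankysweb.de but neither frankysweb.de nor a.b.frankysweb.de.
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]              # ".frankysweb.de"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]   # the label the wildcard has to cover
    return bool(left) and "." not in left


def missing_names(san_list, required=REQUIRED_NAMES):
    """Required names that no entry of this certificate's SAN list matches."""
    return [h for h in required if not any(san_matches(s, h) for s in san_list)]


def pick_usable_certificate(certificates, required=REQUIRED_NAMES):
    """Label of the first certificate that alone covers all required names, or None.

    `certificates` maps a label to that certificate's SAN list. Coverage is
    evaluated per certificate on purpose: names spread over two certificates
    do not count, which is exactly the case the article rules out.
    """
    for label, sans in certificates.items():
        if not missing_names(sans, required):
            return label
    return None


# Constructed sample certificates (assumed SAN lists, not real certificates).
SAMPLE_CERTIFICATES = {
    "wildcard": ["*.frankysweb.de"],
    "san": ["mail.frankysweb.de", "autodiscover.frankysweb.de"],
    "mail-only": ["mail.frankysweb.de"],
    "autodiscover-only": ["autodiscover.frankysweb.de"],
}

if __name__ == "__main__":
    for label, sans in SAMPLE_CERTIFICATES.items():
        gap = missing_names(sans)
        print(f"{label:18s} {'OK' if not gap else 'missing: ' + ', '.join(gap)}")
    print("usable:", pick_usable_certificate(SAMPLE_CERTIFICATES))
```

Running the script shows that both the wildcard certificate and the explicit two-name SAN certificate pass, while the two single-name certificates each report a missing name and are never picked, even though together they would name both hosts.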
After the certificate has been installed, the real web server is created. This is the Exchange server which is called mail.frankysweb.de both internally and externally:
Now the firewall profiles must be created. In this case, two firewall profiles are required, one for Autodiscover and one for the remaining Exchange web services.
Settings for the Autodiscover Firewall Profile
Entry URLs:
/autodiscover /autodiscover
Skip Filter Rules:
- 960015
- 960911
Exchange Webservices Firewall Profile settings
Entry URLs:
/ecp /ECP /ews /EWS /Microsoft-Server-ActiveSync /oab /OAB /owa /OWA /rpc /RPC /mapi /Mapi /
Skip Filter Rules:
- 960015
- 981203
- 960010
- 960018
- 981204
- 960032
- 981176
Virtual web server
The virtual web servers can now be created. Two virtual web servers are also created here, one for Autodiscover and one for the remaining web services:
Here are the settings for the Autodiscover Virtual Webserver:
And here for the remaining Exchange web services:
Exceptions
Exceptions are still required for all services to function correctly.
Autodiscover:
Paths:
/autodiscover/* /autodiscover/*
OWA Antivirus:
Paths:
/owa/ev.owa* /OWA/ev.owa*
Outlook Anywhere (RPCoverHTTP and MAPIoverHTTP):
Paths:
/rpc/* /RPC/* /mapi/* /MAPI/*
Exchange web services:
Paths:
/ecp/* /ECP/* /ews/* /EWS/* /Microsoft-Server-ActiveSync* /oab/* /OAB/* /owa/* /OWA/*
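Because every entry URL and exception path is listed in both upper and lower case, it is easy to miss one variant when typing the lists into the UTM. The helper below (added example, not code from the original article or from Sophos) takes the entry URLs and exception paths exactly as listed above and reports, for a request path, which profile's longest entry URL matches and which exceptions apply. It assumes that entry URLs are matched case-sensitively as path prefixes and that exception paths are case-sensitive shell-style patterns, which is what listing both spellings implies; the sample request paths are constructed.

```python
"""Check which firewall profile entry URL and which exceptions a request path hits.

Added example, not from the original article. Assumptions: entry URLs are
case-sensitive path prefixes (the longest match wins, "/" catches the rest)
and exception paths are case-sensitive shell-style patterns. The sample
request paths in main() are constructed.
"""
from fnmatch import fnmatchcase

# Entry URLs per firewall profile, copied from the article's two profiles.
PROFILES = {
    "autodiscover": ["/autodiscover"],
    "exchange-webservices": [
        "/ecp", "/ECP", "/ews", "/EWS", "/Microsoft-Server-ActiveSync",
        "/oab", "/OAB", "/owa", "/OWA", "/rpc", "/RPC", "/mapi", "/Mapi", "/",
    ],
}

# Exception paths per exception, copied from the article's exception list.
EXCEPTIONS = {
    "Autodiscover": ["/autodiscover/*"],
    "OWA Antivirus": ["/owa/ev.owa*", "/OWA/ev.owa*"],
    "Outlook Anywhere": ["/rpc/*", "/RPC/*", "/mapi/*", "/MAPI/*"],
    "Exchange web services": [
        "/ecp/*", "/ECP/*", "/ews/*", "/EWS/*", "/Microsoft-Server-ActiveSync*",
        "/oab/*", "/OAB/*", "/owa/*", "/OWA/*",
    ],
}


def matching_entry(path):
    """(profile, entry) for the longest entry URL that is a prefix of path, or None.

    "/" matches every path, so a request whose spelling is not listed falls
    through to the web-services profile via the root entry only.
    """
    best = None
    for profile, entries in PROFILES.items():
        for entry in entries:
            hit = entry == "/" or path == entry or path.startswith(entry + "/")
            if hit and (best is None or len(entry) > len(best[1])):
                best = (profile, entry)
    return best


def matching_exceptions(path):
    """Names of every exception whose path pattern matches, case-sensitively."""
    return [name for name, patterns in EXCEPTIONS.items()
            if any(fnmatchcase(path, p) for p in patterns)]


if __name__ == "__main__":
    # Constructed sample request paths, including upper-case spellings.
    samples = [
        "/autodiscover/autodiscover.xml", "/Autodiscover/autodiscover.xml",
        "/owa/ev.owa", "/OWA/auth/logon.aspx", "/mapi/emsmdb", "/MAPI/emsmdb",
        "/Microsoft-Server-ActiveSync", "/ews/exchange.asmx",
    ]
    for p in samples:
        print(f"{p:32s} entry={matching_entry(p)} exceptions={matching_exceptions(p)}")
```

Running it over the sample paths shows, for instance, that /autodiscover/autodiscover.xml lands on the Autodiscover profile and its exception, while the capitalised /Autodiscover/autodiscover.xml only reaches the web-services profile through the root entry URL and hits no exception at all. That is the kind of gap worth checking against your own lists before going live, since a filter rule that is skipped in one spelling will still fire in the other.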
Done.