It has been a while since the last article on Sophos UTM Webserver Protection and Exchange, so I have decided to update the howto. The last article still referred to UTM 9.4 and is now almost 3 years old. This new article therefore covers the UTM in the current version 9.6 in conjunction with Exchange 2016. A Let's Encrypt certificate is used as well, which can be conveniently requested and renewed via the UTM.
The settings described below have been working perfectly in my environment for a long time now. Currently, all internal connections in my environment are also routed through the UTM web server protection; the Exchange server is no longer accessible from the internal LAN.
However, this article is about publishing Exchange via web server protection on the Internet.
Environment (UTM and Exchange)
The environment is almost unchanged from the article linked above, here is a brief overview:
The versions used are Exchange Server 2016 CU12 and Sophos UTM 9.601-5. The Exchange URL is mail.frankysweb.de both internally and externally; split-brain DNS is used.
Let's Encrypt certificate for the UTM
The Let's Encrypt certificate can be requested via the certificate management.
Since I use the DNS name mail.frankysweb.de for all web services and the DNS name autodiscover.frankysweb.de for Autodiscover, I only need to configure these domains for the certificate:
Additional domains for other services can of course be configured here.
Note: The UTM does not support ACMEv2 and therefore cannot request wildcard certificates. The configured domains must be externally resolvable, internal domains (.local / .intern) cannot be used.
Real Server
You can do little wrong with the real servers (real web servers). Only the internal Exchange server is specified here. This can be done either by IP or DNS name.
Here are my settings:
When specifying the Exchange server using the DNS name, the UTM must of course be able to resolve the name of the Exchange server.
Incidentally, it is still not possible to specify multiple Exchange servers here, so if you operate more than one Exchange server, you can specify the VIP of the internal load balancer here.
Firewall profiles
I have created two firewall profiles for the Exchange Server, one for Autodiscover and one for the other web services. First of all, here are the settings for the Autodiscover firewall profile (2 screenshots):
Entry URLs:
/autodiscover
/autodiscover
Override filter rules:
960015
960911
Here is the second firewall profile for the remaining Exchange web services (2 screenshots):
Entry URLs:
/ecp
/ECP
/ews
/EWS
/Microsoft-Server-ActiveSync
/oab
/OAB
/owa
/OWA
/
/mapi
/MAPI
/api
/API
Override filter rules:
960010
960015
981204
981176
Please make sure that the remaining checkboxes are set accordingly.
Virtual Server
Once the firewall profiles have been created, the virtual web servers can be created. Here too, there are two virtual web servers, one for Autodiscover and one for the rest. Here is the virtual web server for Autodiscover:
Here is the second web server for the remaining Exchange web services:
Note: The previously created Let's Encrypt certificate is selected as the certificate for both virtual web servers.
Exceptions
To ensure that all Exchange features work properly, a few exceptions are required. I have again created 2 lists with exceptions.
The first exception applies to both Exchange web services and Exchange Autodiscover:
Paths:
/ecp/*
/ECP/*
/ews/*
/EWS/*
/Microsoft-Server-ActiveSync*
/oab/*
/OAB/*
/owa/*
/OWA/*
/api/*
/API/*
/MAPI/*
/mapi/*
/autodiscover/*
/autodiscover/*
The second exception is only necessary for Exchange web services:
Paths:
/owa/ev.owa*
/OWA/ev.owa*
These were all the necessary settings.
Optional but recommended settings
On the "Advanced" tab, the TLS version should be set to TLS 1.2:
If Windows 7 is still being used, TLS 1.2 must be activated on the client in this case. See here:
There are further settings to improve the SSL Labs rating, so if you like you can only use strong ciphers and activate HSTS:
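As an added check for the path lists above and for the TLS settings on this tab (my own script, not part of the article or of Sophos UTM), the following Python compares the entry URLs of a firewall profile against the exception paths, flags directories listed in only one spelling, and performs a live connection through the published name to report the negotiated TLS version and whether HSTS is sent. The sample lists are typed from the article; the hostname mail.frankysweb.de and port 443 are assumed for the live check.

```python
"""Added sanity checks for the Sophos UTM WAF path lists and the published endpoint."""
import http.client
import ssl


def missing_vdirs(entry_urls, required_vdirs):
    """Virtual directories with no entry URL at all, compared case-insensitively."""
    present = {u.strip("/").lower() for u in entry_urls}
    return [v for v in required_vdirs if v.lower() not in present]


def single_case_entries(entry_urls):
    """Entry URLs present in only one spelling. The howto lists each directory in lower
    and upper case (e.g. /owa and /OWA) because clients send either; report the rest."""
    by_name = {}
    for u in entry_urls:
        if u.lower() == u.upper():      # no letters (e.g. "/"), nothing to compare
            continue
        by_name.setdefault(u.lower(), set()).add(u)
    return sorted(u for spellings in by_name.values() if len(spellings) == 1 for u in spellings)


def entries_without_exception(entry_urls, exception_paths):
    """Entry URLs lacking a matching '<path>/*' or '<path>*' exception, compared as written."""
    ex = set(exception_paths)
    return [u for u in entry_urls if u != "/" and u + "/*" not in ex and u + "*" not in ex]


def check_endpoint(host, path="/owa/", timeout=10):
    """Live check through the virtual web server (needs network access to the published name):
    returns (negotiated TLS version, HTTP status, Strict-Transport-Security header or None)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything older than TLS 1.2
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return conn.sock.version(), resp.status, resp.getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample input: the web services profile and first exception list from the article.
WEB_ENTRIES = ["/ecp", "/ECP", "/ews", "/EWS", "/Microsoft-Server-ActiveSync", "/oab", "/OAB",
               "/owa", "/OWA", "/", "/mapi", "/MAPI", "/api", "/API"]
EXCEPTIONS = ["/ecp/*", "/ECP/*", "/ews/*", "/EWS/*", "/Microsoft-Server-ActiveSync*", "/oab/*",
              "/OAB/*", "/owa/*", "/OWA/*", "/api/*", "/API/*", "/MAPI/*", "/mapi/*", "/autodiscover/*"]

if __name__ == "__main__":
    print("single spelling:", single_case_entries(WEB_ENTRIES))
    print("no exception:", entries_without_exception(WEB_ENTRIES, EXCEPTIONS))
    print("live:", check_endpoint("mail.frankysweb.de"))   # assumed published hostname
```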
Note
This HowTo no longer contains a configuration for RPCoverHTTP. Since even Outlook 2010 supports the new MAPIoverHTTP protocol with corresponding updates, the old RPCoverHTTP protocol is no longer required.