The last article on Sophos XG in conjunction with Exchange is a bit outdated, so here is an updated version. At the moment SFOS 18 is the latest version, I have tested version 18.0.4 MR-4. My small test environment is set up as follows:
Exchange is configured to the hostnames outlook.frankyswebweblab.de for the web services and autodisocver.frankysweblab.de for Autodiscover. The same host names are configured internally and externally. Everything else follows in the article.
Configuration Sophos XG Webserver Protection
An SSL certificate must first be installed so that the web server protection of Sophos XG can be configured later. Unfortunately, XG version 18 still does not support automated Let's Encrypt certificates. The Let's Encrypt feature (as it has long been available on the Sophos UTM) has long been on the wish list of users, perhaps the feature will make it into one of the next versions. At the moment, a corresponding certificate still needs to be obtained. As most connections via web server protection to Exchange come from external clients, this should be a certificate from a public CA so that the certificate is recognized as trustworthy by all clients. The certificate must contain the DNS name for the Exchange web services and for Autodiscover (further information can be found in the Exchange Certificates Whitepaper). In my case, the certificate contains the name outlook.frankysweblab.de and autodiscover.frankysweblab.de.
The certificate can be added under "Certificates":
The certificate can be uploaded in PFX or PEM format:
After the certificate has been uploaded, it is displayed in the overview. Even if it is not displayed in this overview, the certificate contains the DNS names outlook.frankysweblab.de and autodiscover.frankysweblab.de. Both names are important so that no certificate warnings or errors occur later when setting up the Outlook clients:
The Exchange server can now be added as a web server under "Web servers". If there are several Exchange servers in the organization, the virtual server of the load balancer must be specified here. Not all Exchange servers can simply be specified here (this is also the case with Sophos UTM). Either one Exchange server must be created here, or a load balancer must be implemented between XG and Exchange:
The Exchange Server is created here as an IP or FQDN host:
In my case, I have specified the Exchange Server as the IP host:
Finally, the value in the "Type" field must now be changed to "Encrypted (HTTPS)" and the "Time-out" to "1850":
Two new protection policies can now be created for Exchange 2019. The Sophos templates are not suitable for Exchange 2019/2016 as they are completely outdated. A new policy should therefore be created for Exchange 2019 (also works with Exchange 2016):
The policy for Exchange 2019 services such as OWA and EWS, for example, can be called "Exchange Webservices" and initially has the following settings:
Note: The "Pass Outlook Anywhere" setting is no longer required, all clients from Outlook 2010 onwards speak MAPIoverHTTP. On Exchange 2019 Server this is also the preferred protocol, on Exchange 2016/2013 servers, it may still need to be activated. become.
Here is the complete list of entry URLs:
- /ecp
- /ECP
- /ews
- /EWS
- /Microsoft-Server-ActiveSync
- /oab
- /OAB
- /owa
- /OWA
- /
- /mapi
- /MAPI
The following 4 filter rules must be excluded:
- 960010
- 960015
- 981204
- 981176
A further policy is required for Autodiscover, which is configured as follows:
Here are the entry URLs:
- /autodiscover
- /Autodiscover
The following two filter rules must be excluded:
- 960015
- 960911
After the two rules have been created, the overview now looks like this:
Two new firewall rules can now be created for Exchange:
The first rule is for the Exchange web services, the settings can be seen in the screenshots. It is important that the WAN port of the Sophos XG is selected as the "Hosted address":
The Exchange 2019 Server is of course selected as the "Protected Server":
The previously created protection policy is now selected in the "Advanced" area and "Pass host header" is activated ("Pass host header" is particularly important for downstream load balancers):
The second firewall rule is for Autodiscover, the rule is configured almost identically to the first rule. It is important here that the entry "outlook.frankysweblab.de" in the "Domains" field is replaced by "autodiscover.frankysweblab.de":
Note: The previously configured certificate must contain both names, two individual certificates with one host name each do not work here.
The Exchange 2019 server is again selected as the protected server:
The Protection Policy for Autodiscover can now be selected in the Exceptions area and the "Pass host header" setting can be activated:
When saving the firewall rule, a warning is displayed that the certificate would not cover the host name "autodisocver.frankysweblab.de". However, this message is nonsense. The XG only seems to evaluate the CN (Common Name) of the certificate, but not the SAN entries ("Subject Alternate Name"). However, the rule can still be saved and works:
After the two rules have been created, the overview now looks as follows:
Finally, the two DNS entries "outlook.frankysweblab.de" and "autodiscover.frankysweblab.de" must point to the WAN IP of the Sophos XG (in the public DNS).