Sophos has been offering the successor to the UTM, called Sophos XG, for some time now. Sophos's advertising slogan:
The next thing in next-gen: ultimate firewall performance, security and control
So far, I've avoided Sophos XG because a lot of things didn't really work properly during my last test. However, my last test was quite a while ago, so I downloaded the Home Edition of XG and gave it another try. You can download the Home Edition here:
Sophos XG Firewall Home Edition
After installation and initial configuration, the first thing I want to test is the web server protection of Sophos XG, so here is a short how-to for publishing Exchange 2016 through it.
The test environment looks like this:
In principle, this is the same environment in which I also test with the Sophos UTM. Therefore, the functionality can be compared quite well. There is a domain controller and an Exchange 2016 server, both of which are connected to the Sophos XG.
So much for the environment; let's get started.
Installing a certificate on the Sophos XG
First of all, an SSL/TLS certificate is needed for web server protection, because the XG terminates the TLS connections from the clients. I use an existing SAN certificate that contains the names autodiscover.frankysweb.de and mail.frankysweb.de. It is available in PKCS#12 (PFX) format including the private key and can therefore be imported onto the XG:
When importing, only a name, the PFX file and the corresponding password need to be entered:
After the certificate has been imported, it appears in the GUI:
Note: For the sake of simplicity, I am using an existing valid certificate here; free SAN certificates are available from Let's Encrypt. These can be requested on a Windows server, for example, exported as a PFX and then imported on the XG as described above. Keep in mind that Let's Encrypt certificates are only valid for 90 days, so the export and import have to be repeated after every renewal. Further information about Let's Encrypt can be found here:
Exchange 2016: Free certificates from Let's Encrypt
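The export step mentioned above, as an added example that is not part of the original article: the script picks the SAN certificate covering both names from the local machine store of the Windows server, exports it as a password-protected PFX (PKCS#12) and verifies the file before it is uploaded to the XG. The host names and the output path are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article): find the SAN certificate in the
# local machine store of the Windows/Exchange server and export it as a
# password-protected PFX (PKCS#12) for import on the Sophos XG.
# The host names and the output path are assumptions; adjust them to your setup.

$Names   = @('mail.frankysweb.de', 'autodiscover.frankysweb.de')
$PfxPath = 'C:\Temp\frankysweb-san.pfx'

# Ask for the PFX password instead of hard-coding it; the XG asks for the same
# password in its import dialog.
$PfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString

# Candidate certificates: private key present, not expired, and every required
# name listed in the SAN extension (DnsNameList is filled by the Cert: provider).
# Take the one that expires last, i.e. the most recently issued one.
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $c = $_
        $c.HasPrivateKey -and
        $c.NotAfter -gt (Get-Date) -and
        @($Names | Where-Object { $c.DnsNameList.Unicode -notcontains $_ }).Count -eq 0
    } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1

if (-not $Cert) {
    throw "No valid certificate with private key covering $($Names -join ', ') found in Cert:\LocalMachine\My."
}

'Exporting {0} (thumbprint {1}, valid until {2:d})' -f $Cert.Subject, $Cert.Thumbprint, $Cert.NotAfter

# Export the leaf certificate together with its private key. BuildChain also packs
# the issuing intermediate certificate(s) so the XG can present a complete chain;
# the private key must have been marked exportable when the certificate was requested.
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

# Sanity check: load the PFX again and compare thumbprints before uploading it.
$Check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword)
if ($Check.Thumbprint -ne $Cert.Thumbprint) {
    throw "Exported PFX ($PfxPath) does not match the selected certificate."
}
"PFX written to $PfxPath; import it on the XG and delete the file afterwards."
```

Run this in an elevated PowerShell on the server that holds the certificate. The PFX contains the private key, so treat the file like a password: copy it to the XG over the admin GUI only and delete it from disk once the import has succeeded.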
Create web server
After importing the certificate, the Exchange Server is made known to the XG as a web server:
A name must again be specified for the web server; a new host object with the IP address of the Exchange server is created as the host. It is also possible to specify the DNS name, in which case it must be ensured that the XG can resolve that name. Encrypted (HTTPS) is selected as the type, so the XG re-encrypts the traffic towards the Exchange server, whose virtual directories require SSL by default. The default timeout is 1850 seconds.
Once the web server has been created, the corresponding entry appears:
Configure firewall (web services)
The XG already comes with a template for Exchange Server, but this template is not quite up to date: MAPI over HTTP, for example, is not yet taken into account, and the redirection from "/" to "/owa" does not work out of the box. The template is still a good basis if you adapt it a little, so I use it and then adjust it to my needs:
In the dialog for the new "Business application rule", the "Exchange General" application template is selected and the rule is given a name. The WAN port is selected in the "Hosted address" field and the two checkboxes "HTTPS" and "Redirect HTTP" are enabled. In the "HTTPS certificate" field the previously imported certificate is selected, and in the list of domain names all entries are deleted except the one via which all Exchange protocols apart from Autodiscover are to be reached. In my case this is mail.frankysweb.de for OWA, EWS, ActiveSync etc.
Further down in the dialog you will find the "protected servers"; here some manual work is needed. A web server must be specified for each path (red box), and the paths "/oma" and "/OMA" (Outlook Mobile Access, which no longer exists in current Exchange versions) are obsolete and can be deleted (orange box). If form-based authentication is used internally for Exchange, authentication on the XG must be switched off (blue box), otherwise the XG would put its own login in front of the Exchange one:
Here is an example of the settings for "/owa". The previously created web server is selected as the web server and authentication is switched off:
These settings are now made for all paths so that the overview now looks as follows:
The remaining settings in the dialog can be left as they are for the time being:
Once the rule has been saved, it is displayed in the overview:
We continue with Autodiscover.
Configure firewall (Autodiscover)
A second business application rule is required for Autodiscover:
This time the "Exchange Autodiscover" template is used and the rule is given a corresponding name. The WAN port is again entered in the "Hosted address" field and the two checkboxes "HTTPS" and "Redirect HTTP" are selected. The already imported certificate is selected again, and all domains are deleted except "autodiscover.frankysweb.de".
In the further course of the dialog, a few settings must be changed again. The Exchange Server is again specified as the web server and authentication is switched off. Switching off the authentication means that the Exchange Server performs the authentication of users and not the XG. Here is an example for the path "/autodiscover":
After all paths have been adjusted, it looks like this:
The remaining settings in this dialog can be left as they are:
Once the rule has been saved, two business application rules are created:
The basic configuration of the XG is now complete.
The next steps
Further steps are necessary before the configuration is complete. OWA, EWS, ActiveSync and Autodiscover would already work once the corresponding public DNS entries point to the WAN address of the XG. For Outlook Anywhere and MAPI over HTTP, however, the configuration still needs to be adjusted. The redirection from HTTP to HTTPS also works, but not yet the redirection of the root folder (https://mail.frankysweb.de) to "/owa" (https://mail.frankysweb.de/owa), which makes things as easy as possible for users. There will be a second part for these adjustments, which is already in progress and will be published in the next few days.
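A check of what should already work at this point, as an added example that is not part of the original article: the script requests each published path from an external client without following redirects, and then inspects the certificate the XG presents for each host name. The host names, paths and expected status codes are assumptions derived from the rules configured above (HTTP is redirected by the XG; because authentication on the XG is switched off, Exchange itself answers unauthenticated requests with 401 on EWS, ActiveSync and Autodiscover, and OWA shows or redirects to its logon form).

```powershell
# Added example (not from the original article): probe the Exchange endpoints
# published through the XG from an external client. Host names, paths and
# expected status codes are assumptions based on the rules described above.

$Checks = @(
    @{ Url = 'http://mail.frankysweb.de/owa';                                   Expect = 301, 302, 307 }  # XG "Redirect HTTP"
    @{ Url = 'https://mail.frankysweb.de/owa';                                  Expect = 200, 302 }       # OWA logon form or redirect to it
    @{ Url = 'https://mail.frankysweb.de/ews/exchange.asmx';                    Expect = 401 }            # Exchange asks for credentials
    @{ Url = 'https://mail.frankysweb.de/Microsoft-Server-ActiveSync';          Expect = 401 }
    @{ Url = 'https://autodiscover.frankysweb.de/autodiscover/autodiscover.xml'; Expect = 401 }
)

function Get-HttpStatus {
    # One GET without following redirects, so the XG's HTTP-to-HTTPS redirect stays visible.
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as WebException; the response object is still attached.
        if (-not $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    try {
        [pscustomobject]@{ Status = [int]$resp.StatusCode; Location = $resp.Headers['Location'] }
    } finally {
        $resp.Close()
    }
}

function Get-ServerCertificate {
    # Opens a TLS connection with SNI and returns the certificate the XG presents for
    # that host name. Validation is bypassed on purpose: we only want to look at it.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $trustAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# 1. Status code of each published path
$Results = foreach ($c in $Checks) {
    $r = Get-HttpStatus -Url $c.Url
    [pscustomobject]@{
        Url        = $c.Url
        Status     = $r.Status
        Location   = $r.Location
        AsExpected = ($c.Expect -contains $r.Status)
    }
}
$Results | Format-Table -AutoSize

# 2. Certificate presented for each name: the SAN extension (OID 2.5.29.17)
#    must list the host name that was used to connect.
foreach ($h in 'mail.frankysweb.de', 'autodiscover.frankysweb.de') {
    $cert  = Get-ServerCertificate -HostName $h
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($san) {
        # Format() output is localized ("DNS Name=" vs. "DNS-Name="), hence the loose pattern.
        $names = [regex]::Matches($san.Format($false), 'DNS[^=]*=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    '{0}: {1}, valid until {2:d}, SAN covers host: {3}' -f $h, $cert.Subject, $cert.NotAfter, ($names -contains $h)
}
```

Run it from a client outside the network (a mobile hotspot will do) after the public DNS records point to the WAN address of the XG; from the inside, split DNS or the internal Exchange address would be tested instead. A 403 on a path means the XG blocked the request itself, so look at the web server protection log rather than at Exchange.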
Update
The second part is also finished: Sophos XG: Exchange 2016 and SFOS 16.05 Webserver Protection (Part 2)
In this article I forgot to delete two exceptions that are no longer needed (see note in part 2, section MAPIoverHTTP).