WAF: Common configurations for securing OWA, ActiveSync and Outlook Anywhere to access Exchange mailbox
03/26/2020
Description
This article describes common WAF configurations for effectively securing Exchange applications such as OWA, ActiveSync and Outlook Anywhere, with a particular focus on the configuration needed to support Outlook Anywhere.
TIP: Test the Exchange Server settings with https://testconnectivity.microsoft.com/ before deploying or switching DNS, to make sure all Exchange settings are correct.
Cause
While OWA and ActiveSync require no additional setup, Outlook Anywhere for Exchange 2010 needs RPC over HTTP, which was not supported by WAF 2.2.0.0-12waf and earlier.
Resolution
The table below shows which connection protocol each Outlook version uses with each Exchange version (data taken from the Microsoft TechNet site):
| Product | Exchange 2016 RTM | Exchange 2013 SP1 | Exchange 2013 RTM | Exchange 2010 SP3 |
|---|---|---|---|---|
| Outlook 2016 RTM | MAPI over HTTP, Outlook Anywhere | MAPI over HTTP, Outlook Anywhere | Outlook Anywhere | |
| Outlook 2013 SP1 | MAPI over HTTP, Outlook Anywhere | MAPI over HTTP, Outlook Anywhere | Outlook Anywhere | |
| Outlook 2013 RTM | Outlook Anywhere | Outlook Anywhere | Outlook Anywhere | |
| Outlook 2010 SP2 with updates KB2956191 and KB2965295 (April 14, 2015) | MAPI over HTTP, Outlook Anywhere | MAPI over HTTP, Outlook Anywhere | Outlook Anywhere | |
| Outlook 2010 SP2 and earlier | Outlook Anywhere | Outlook Anywhere | Outlook Anywhere | |
| Outlook 2007 | Outlook Anywhere | Outlook Anywhere | Outlook Anywhere | |
Moreover, the Protocol column in the Outlook Connection Status window shows which protocol the client is currently using.
NOTE: Exchange 2010 specifically needs an upgrade to WAF 2.2.0.1-16waf, because Outlook Anywhere on that version requires RPC over HTTP support. The WAF needs no special support for other Exchange versions.
Configuration on WAF:
1. Navigate to Application Delivery and click Offload Web App.
2. A wizard opens. Select Single or Multiple (choose Multiple if you have several Exchange servers and want the WAF to load balance them), and enable "This is an Exchange Application which will be accessed by OWA, ActiveSync or Outlook Anywhere". Click NEXT.
3. Configure as follows:
   - Backend Server to protect: [IP / name of your backend Exchange server]
   - DNS to publish for Web App: the domain name users will use to reach Exchange (OWA / ActiveSync / Outlook Anywhere).
   - Virtual IP for Web App: optional. If not configured, the Web App listens on the X0 IP of the WAF. To use a specific IP, configure it here.
   - SSL certificate: Select the applicable certificate. A valid signed certificate is recommended.
   - Web App Name: Type the application name.
4. Click NEXT. The Security screen appears. Select the "Enable Web Security" checkbox to enable the core security features of the Web Application Firewall.
5. Click NEXT. The final screen appears with a message; click FINISH. You can now edit the Web App to make the advanced configuration changes described below.
Authentication Controls and Anonymous Session Tracking are disabled by default for Exchange portals.
Exchange Server configuration:
External Hostname: must be the same as the Web App Name configured on the WAF.
Client authentication method: Basic authentication
It is recommended to enable SSL offloading and to set the authentication method to Basic authentication.
NOTE: NTLM is an insecure authentication protocol and is not supported by SonicWall WAF.
Refer: https://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010.aspx
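As an added example (not from this article or from SonicWall), the Exchange Management Shell commands that set the Outlook Anywhere values the WAF expects and then verify that the external hostname matches, SSL offloading is on and NTLM is not in use. It uses Exchange 2010 parameter names; the hostname mail.example.com and the server name EXCH01 are placeholders.

```powershell
# Added example, not part of the SonicWall article. Placeholders: adjust both values.
$PublishedHost = "mail.example.com"   # must equal the WAF Web App Name
$Server        = "EXCH01"             # Exchange 2010 Client Access server

# Exchange 2010 parameter names. Exchange 2013 and later use
# -ExternalClientAuthenticationMethod / -InternalClientAuthenticationMethod
# instead of -ClientAuthenticationMethod.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -ExternalHostname $PublishedHost `
    -ClientAuthenticationMethod Basic `
    -SSLOffloading $true

# Verify the resulting configuration against what the WAF requires.
$oa = Get-OutlookAnywhere -Server $Server

if ("$($oa.ExternalHostname)" -ne $PublishedHost) {
    Write-Warning "ExternalHostname '$($oa.ExternalHostname)' does not match the WAF Web App Name '$PublishedHost'"
}
# The WAF does not support NTLM (see the note above), so flag it wherever it appears.
if ($oa.ClientAuthenticationMethod -eq "Ntlm" -or ($oa.IISAuthenticationMethods -contains "Ntlm")) {
    Write-Warning "NTLM is configured for Outlook Anywhere; switch to Basic"
}
if (-not $oa.SSLOffloading) {
    Write-Warning "SSL offloading is disabled; enable it when the WAF terminates TLS"
}
```

Run the check again after any Exchange update, since cumulative updates can reset Outlook Anywhere settings.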
IIS configuration:
Outlook Anywhere configuration:
If Autodiscover is configured correctly, the Outlook settings are populated by Autodiscover; otherwise the user must configure them manually.
"Use this URL to connect to my proxy server for Exchange": must be the same as the Web App Name and the External Hostname configured on the Exchange server.