This article describes common WAF configurations for securing Exchange applications such as OWA, ActiveSync and Outlook Anywhere. It focuses in particular on the configuration needed to support Outlook Anywhere.
TIP: Test the Exchange Server settings with https://testconnectivity.microsoft.com/ before deploying or switching DNS, to make sure all Exchange settings are correct.
While OWA and ActiveSync require no additional setup, Outlook Anywhere for Exchange 2010 needs RPC over HTTP, which was not supported by WAF 2.2.0.0-12waf and earlier.
The following table shows the supported protocol for each combination of Exchange version and Outlook version (the data is taken from the Microsoft TechNet site):
Product | Exchange 2016 RTM | Exchange 2013 SP1 | Exchange 2013 RTM | Exchange 2010 SP3 |
Outlook 2016 RTM | | | Outlook Anywhere | |
Outlook 2013 SP1 | | | Outlook Anywhere | |
Outlook 2013 RTM | Outlook Anywhere | Outlook Anywhere | Outlook Anywhere | |
Outlook 2010 SP2 and updates KB2956191 and KB2965295 (April 14, 2015) | | | Outlook Anywhere | |
Outlook 2010 SP2 and earlier | Outlook Anywhere | Outlook Anywhere | Outlook Anywhere | |
Outlook 2007 | Outlook Anywhere | Outlook Anywhere | Outlook Anywhere | |
Moreover, we can check the value of Protocol in Outlook Connection Status to check current*
NOTE: Exchange 2010 specifically requires an upgrade to WAF 2.2.0.1-16waf, because Outlook Anywhere on Exchange 2010 needs RPC over HTTP protocol support. The WAF does not need any special support for other Exchange versions.
Configuration on WAF:
4. Click NEXT. The Security screen appears. Select the "Enable Web Security" checkbox to enable the core security features of the Web Application Firewall.
5. Click NEXT. The final screen appears with a message. Click FINISH. You can now edit the Web App to make advanced configuration changes as described below:
Authentication Controls and Anonymous Session tracking are disabled by default for Exchange portals.
Exchange Server configuration:
External Hostname: should be the same as the Web App Name configured in the WAF.
Client authentication method: Basic authentication
It is recommended to enable SSL offloading and to set the authentication method to Basic authentication.
NOTE: NTLM is an insecure authentication protocol and is not supported by SonicWall WAF.
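The Exchange-side settings listed above can be checked from the Exchange Management Shell. The script below is an added example, not part of the original article or of SonicWall's documentation; the host name in $WebAppName is a placeholder for the Web App Name configured on the WAF.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
# $WebAppName is a placeholder; set it to the Web App Name configured on the WAF.
$WebAppName = 'mail.example.com'

Get-OutlookAnywhere | ForEach-Object {
    $oa = $_

    # Exchange 2010 exposes ClientAuthenticationMethod; Exchange 2013 and later
    # expose ExternalClientAuthenticationMethod instead.
    if ($oa.PSObject.Properties['ExternalClientAuthenticationMethod']) {
        $clientAuth = "$($oa.ExternalClientAuthenticationMethod)"
    } else {
        $clientAuth = "$($oa.ClientAuthenticationMethod)"
    }

    # Methods enabled on the /rpc virtual directory in IIS, shown for review.
    $iisAuth = @($oa.IISAuthenticationMethods | ForEach-Object { "$_" })

    $issues = @()
    if ("$($oa.ExternalHostname)" -ne $WebAppName) {
        $issues += "ExternalHostname '$($oa.ExternalHostname)' differs from Web App Name '$WebAppName'"
    }
    if ($clientAuth -ne 'Basic') {
        $issues += "Client authentication method is '$clientAuth', expected Basic"
    }
    if (-not $oa.SSLOffloading) {
        $issues += 'SSL offloading is disabled (the article recommends enabling it)'
    }
    if ($issues.Count -eq 0) { $result = 'OK' } else { $result = $issues -join '; ' }

    # New-Object is used instead of [pscustomobject] so the check also runs on
    # the PowerShell 2.0 shell that ships with Exchange 2010.
    New-Object PSObject -Property @{
        Server           = "$($oa.ServerName)"
        ExternalHostname = "$($oa.ExternalHostname)"
        ClientAuth       = $clientAuth
        IISAuthMethods   = $iisAuth -join ','
        SSLOffloading    = $oa.SSLOffloading
        Result           = $result
    }
} | Select-Object Server, ExternalHostname, ClientAuth, IISAuthMethods, SSLOffloading, Result |
    Format-List
```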
IIS configuration:
Outlook Anywhere configuration:
If autodiscover is configured correctly, it will set up the Outlook settings automatically. If not, the user will need to configure them manually.
Use this URL to connect to my proxy server for Exchange: should be the same as the Web App Name and the name configured on the Exchange Server.