os-OPNWAF: Issue with Exchange Server Publishing via Web Application Firewall on OPNsense
Hi,
I attempted to publish an Exchange Server using the Web Application Firewall (WAF) to take advantage of web filtering. While Caddy and HAProxy work, they lack built-in web filtering. Currently, I'm using the nginx plugin, but as you know, the free version on OPNsense does not support NTLM authentication.
Describe the bug
Issue Description: Outlook Web Access (OWA) works without any issues.
ActiveSync accounts can be added manually in the Outlook Android app.
Autodiscover fails for both ActiveSync and Outlook 2016/2019.
When trying to add an account in Outlook, continuous authentication prompts appear.
Relevant log files
POST /autodiscover/autodiscover.xml HTTP/1.1" 401
mod_proxy_msrpc.c(1276): [client "IP-Address":34778] declining due to bad method: POST
Environment: OPNsense Version: 24.10.2_6
Has anyone successfully configured the Web Application Firewall for Exchange, specifically for Autodiscover and NTLM-based authentication? Any insights or recommendations would be greatly appreciated.
Thanks!
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
I can only offer this doc page which explains how to set it up correctly in the scope of community support. Last time I tested this (last year) it worked just fine. Though special care must be taken to really set everything up correctly.
https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
Using the Web Protection component itself is an uphill battle against an Exchange Server and can even be considered a waste of time if the server is always on the latest patch level and some of the more spicy paths like ECP are filtered out.
Sorry, I forgot to mention that I followed the documentation carefully during setup. However, I noticed a potential inconsistency:
VirtualServer: mail.example.com (create another location for autodiscover.example.com)
If the Type is set to Exchange, it seems that only one location can be defined. That said, I don't believe this is the root cause of the issue, as Autodiscover also works via mail.example.com/autodiscover, making autodiscover.example.com unnecessary in this case.
We are planning to replace our Sophos UTM with OPNsense, so it would be great if this feature worked as expected.
Oh yeah it should say
"Add another virtual server for autodiscover.example.com with the same location as mail.example.com".
But yeah, there are multiple autodiscover fallbacks, so one of them should work, though adding the additional domain does not hurt either, as the autodiscover link will be set to a domain in the "ClientAccessService".
It might be the cause of your issue.
Otherwise, troubleshooting setup issues through community support is not feasible since we cannot see what's wrong with your setup or infrastructure. This is more the scope of our business support.
I made it more explicit in the documentation, thanks for the feedback.
https://github.com/opnsense/docs/pull/684
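Two things from this thread that an operator checking their own Exchange publishing would want spelled out: the Autodiscover fallback order the maintainer refers to, and what a 401 on the autodiscover POST (as in the log excerpt above) means when it arrives through a reverse proxy. This is an added example, not code from the OPNsense plugin or its documentation; the example.com hostnames are the thread's own placeholders.

```python
"""Added example (not from the OPNsense thread or docs): enumerate the
Autodiscover URLs an Outlook client falls back through and classify a
captured response to the autodiscover POST seen in the WAF log."""


def autodiscover_candidates(email: str) -> list[str]:
    """Autodiscover lookup order after the AD SCP step (which external,
    non-domain-joined clients skip): root domain, autodiscover host,
    unauthenticated HTTP redirect probe, then the DNS SRV record."""
    domain = email.rsplit("@", 1)[1].lower()
    return [
        f"https://{domain}/autodiscover/autodiscover.xml",
        f"https://autodiscover.{domain}/autodiscover/autodiscover.xml",
        f"http://autodiscover.{domain}/autodiscover/autodiscover.xml",  # expects 302
        f"_autodiscover._tcp.{domain}",  # SRV record naming the real host
    ]


def classify_response(status: int, headers: dict[str, str]) -> str:
    """Decide whether a 401 from the autodiscover POST is a normal first-leg
    challenge or the symptom behind endless credential prompts.

    NTLM (and Negotiate when it falls back to NTLM) authenticates the TCP
    connection, not each request. A reverse proxy that opens or reuses an
    upstream connection per request breaks the multi-leg handshake, so the
    server answers 401 to every POST and the client keeps prompting."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "ok"
    if status in (301, 302):
        return f"redirect to {hdrs.get('location', '?')}"
    if status != 401:
        return f"unexpected status {status}"
    # Merged WWW-Authenticate values are comma-separated; keep the scheme names.
    schemes = {s.strip().split(" ")[0]
               for s in hdrs.get("www-authenticate", "").split(",") if s.strip()}
    if not schemes:
        return "broken: 401 without WWW-Authenticate (challenge stripped by proxy)"
    if schemes <= {"NTLM", "Negotiate"}:
        return ("challenge: connection-oriented only (" + ", ".join(sorted(schemes))
                + "); upstream connection must stay pinned per client")
    return "challenge: " + ", ".join(sorted(schemes))


if __name__ == "__main__":
    # Constructed headers standing in for the 401 in the thread's log excerpt.
    for url in autodiscover_candidates("user@example.com"):
        print(url)
    print(classify_response(401, {"WWW-Authenticate": "Negotiate, NTLM"}))
```

Feed `classify_response` the status and headers captured with a client that does not follow redirects or complete authentication, so the first-leg challenge is what gets inspected.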
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.