Add rule for Exchange general
(only available for IPv4 policy) This page describes how to configure a rule for Exchange general.
- Go to Firewall and select IPv4 using the filter switch.
- Click +Add firewall rule and Business application rule.
- Specify the general policy details.
- Application template
- Select Exchange general to configure a rule for Exchange general.
- Description
- Enter a description for the rule.
- Rule position
- Specify the position of the rule.
- Available options:
- Top
- Bottom
- Rule group
- Specify the rule group to add the firewall rule to. You can also create a new rule group by using Create new from the list.
- If you select Automatic, the firewall rule will be added to an existing group based on first match with rule type and source-destination zones.
- Rule name
- Specify a name for the rule.
- Specify Hosted server details.
- Hosted address
- Specify the address of the hosted server to which the rule applies. It is the public IP address through which internet users access an internal server/host.
- Note: When a client establishes a connection and accesses the web server, the web server does not obtain the client’s real IP address. The server obtains the address of the interface used by the web application firewall (WAF) because the connection is made through the WAF. The client’s real IP address is available in the HTTP header
- Listening port
- Enter a port number on which the hosted web server can be reached externally over the internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).
- HTTPS
- Select to enable or disable HTTPS traffic.
- HTTPS certificate (only available if HTTPS is selected)
- Select the HTTPS certificate to be used.
- Redirect HTTP (only available if HTTPS is selected)
- Select to redirect HTTP requests.
- Domains
- Use FQDN when you enter the domains the web server is responsible for, for example, shop.example.com.
- Specify Protected server(s) details.
- Path-specific routing
- You can enable path-specific routing to define, by path, which web servers incoming requests are forwarded to.
- You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. Alternatively, you can allow more than one web server for a specific request and add rules for how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also send all requests to one web server and use the others only as a backup.
- For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route, which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request (in case the default route was deleted), the request will be denied.
- Add new path (only available if Path-specific routing is selected)
- Click Add new path to define a new path.
- Note: Add new path will only be active after at least one web server and one hosted web server have been created.
- Default: /owa, /OWA, /ecp, /ECP, /oab, /OAB, /ews, /EWS, /oma, /OMA, /Microsoft-Server-ActiveSync
- Web servers (not available if Path-specific routing is selected)
- Web servers are the application servers that are to be protected. Select a web server from the list of web servers or click Add new item to add a web server.
- A new web server can be created directly from this page or from the Web server > Web servers page.
- Specify Access permission details (not available if Path-specific routing is selected).
- Allowed client networks
- Select the allowed host(s)/network(s).
- Blocked client networks
- Select the blocked host(s)/network(s).
- Authentication
- Select the web application authentication profile from the list of available profiles. You can also create a new authentication profile on this page or on the Web server > Authentication policies page.
- Add path Exceptions for the web servers. Click Add new exception to specify a new exception.
- Default: /owa/*, /OWA/*, /ews/*, /EWS/*, /ecp/*, /ECP/*, /oab/*, /OAB/*, /oma/*, /OMA/*, /Microsoft-Server-ActiveSync?*, /owa/ev.owa*
- Specify policies for business applications in the Advanced section.
- Protection
- Select an application protection policy for the server or create a new one.
- Intrusion prevention
- Select an intrusion prevention policy for the rule or create a new one.
- Traffic shaping
- The traffic shaping policy allocates and limits the maximum bandwidth usage of the user.
- Click Save.
- Note: As soon as a new HTTP-based rule configuration has been created and saved, or an existing HTTP-based rule configuration has been altered and saved, all HTTP-based business rules will be restarted. Any underlying client connection using an HTTP-based business rule will be lost and has to be re-established.
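
The site path route selection described under Path-specific routing (longest path first, default route / last, deny when nothing matches) can be checked offline before saving a rule. The sketch below is an added example, not code from the product; it assumes a route matches when the request path starts with the site path, compared case-sensitively, and the web server names are hypothetical.

```python
from typing import Dict, Iterable, Optional

# Default site paths listed on this page for the Exchange general template.
DEFAULT_PATHS = ["/owa", "/OWA", "/ecp", "/ECP", "/oab", "/OAB", "/ews", "/EWS",
                 "/oma", "/OMA", "/Microsoft-Server-ActiveSync"]


def build_routes(paths: Iterable[str], server: str,
                 include_default: bool = True) -> Dict[str, str]:
    """Map each site path to a web server; '/' is the automatic default route."""
    routes = {p: server for p in paths}
    if include_default:
        routes["/"] = server
    return routes


def resolve(routes: Dict[str, str], request_path: str) -> Optional[str]:
    """Return the web server chosen for request_path, or None if it is denied.

    Routes are tried longest path first, so the order of the list is irrelevant.
    Assumption: prefix match on the path, case-sensitive, query string ignored.
    """
    path = request_path.split("?", 1)[0]
    for site_path in sorted(routes, key=len, reverse=True):
        if path.startswith(site_path):
            return routes[site_path]
    return None  # no route matched, e.g. the default route was deleted


def audit(routes: Dict[str, str], request_paths: Iterable[str]) -> Dict[str, str]:
    """Report the routing decision for each sample request path."""
    return {p: resolve(routes, p) or "DENIED" for p in request_paths}


if __name__ == "__main__":
    # Constructed sample: hypothetical servers and request paths.
    routes = build_routes(DEFAULT_PATHS, "exchange01", include_default=False)
    routes["/ecp"] = "exchange-admin"
    samples = ["/owa/auth/logon.aspx", "/ecp/default.aspx",
               "/Microsoft-Server-ActiveSync?Cmd=Sync", "/unlisted/page"]
    for path, decision in audit(routes, samples).items():
        print(f"{path:45} -> {decision}")
```

With the default route removed, any request outside the listed paths is reported as DENIED, which is the behaviour the page describes for a deleted default route.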