
Add an Exchange general rule

You can control HTTP traffic flowing to and from a web application by creating an Exchange general rule that uses the IPv4 protocol.

  1. Go to Rules and policies > Firewall, select IPv4 and click Add firewall rule.
  2. Rules are turned on by default. You can turn off a rule if you don’t want to apply its matching criteria.
  3. Enter the general details.

    Rule name
      Enter a name.

    Rule position
      Specify the position of the rule.

      Available options:

      • Top
      • Bottom

    Rule group
      Specify the rule group to which you want to add the firewall rule. You can also create a new rule group by using Create new from the list.

      If you select Automatic, the firewall rule is added to an existing group based on the first match with rule type and source-destination zones.

    Action
      Select Protect with web server protection.

    Preconfigured template
      Select a template to apply:

      • None: Specify the web server protection details.
      • Exchange Autodiscover
      • Exchange Outlook Anywhere
      • Exchange General
      • Microsoft Lync
      • Microsoft RDG
      • Microsoft RD Web
  4. Enter Hosted server details.

    Hosted address
      Select the public IP address assigned to an interface through which users access the internal server or host. The WAF rule is bound to the IP address assigned to the interface.

      You can use the public IP address assigned to the interface or use an alias to bind the required public IP address.

      When a client establishes a connection and accesses the web server, the web server sees the interface address configured in the WAF rule as the source of the connection. The HTTP header X-Forwarded-For carries the client's IP address.

    Listening port
      Enter the port number on which to reach the hosted web server. The defaults are port 80 for HTTP and port 443 for HTTPS.

      Make sure the WAF rule differs from the VPN portal and SSL VPN in at least one of the following attributes: WAN IP address, port, protocol. See Port sharing among services.

      You can't use some ports because the firewall reserves them for system services. For details, see Reserved ports.

    HTTPS
      If you turn this on, the hosted server is accessible through HTTPS and not through HTTP.

    HTTPS certificate
      If you selected HTTPS, select the certificate.

      Sophos Firewall supports SNI (Server Name Indication), allowing you to create more than one virtual web server that's accessible over the same IP address and port. You can assign a different certificate to each server. Servers are presented to clients based on the requested hostname.

      To create or upload a certificate, go to Certificates > Certificates.

    Redirect HTTP
      Select to redirect port 80 traffic to port 443.

    Domains
      Enter the FQDN configured for the web server, for example, shop.example.com.

      If you've turned on HTTPS, the domain names of the selected HTTPS certificate show in the list. You can edit or delete these or add new domain names.

      You can use the wildcard *. only at the start of a domain name.

      Example: *.company.com

      A single WAF policy supports multiple wildcard domains. A virtual web server with a wildcard domain is matched only when no virtual web server with a matching specific domain is configured.

      Example: A client request for test.company.com matches test.company.com first, then *.company.com, and only then *.com.
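
The domain precedence described above, as an added worked example that is not part of the Sophos documentation or product code: a small matcher that picks the virtual web server for a requested hostname, preferring a specific domain over any wildcard and a longer wildcard suffix over a shorter one. The VirtualWebServer class, the SAMPLE_SERVERS list and the rule that *. must stand for at least one label are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass
class VirtualWebServer:
    """Hypothetical model of one WAF virtual web server: a name and its domain list."""
    name: str
    domains: list[str]


# Constructed sample configuration: one specific domain and two wildcard domains.
SAMPLE_SERVERS = [
    VirtualWebServer("owa-test", ["test.company.com"]),
    VirtualWebServer("company-wildcard", ["*.company.com"]),
    VirtualWebServer("com-wildcard", ["*.com"]),
]


def _normalize_host(host_header: str) -> str:
    """Lower-case the requested hostname and drop a trailing dot and any :port."""
    host = host_header.strip().lower().rstrip(".")
    if ":" in host and not host.startswith("["):   # leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host


def domain_matches(pattern: str, hostname: str) -> bool:
    """A pattern is an exact FQDN or '*.' followed by a suffix; the wildcard is
    only allowed at the start. Assumption: the wildcard must stand for at least
    one label, so *.company.com matches mail.company.com but not company.com."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".company.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern


def select_virtual_server(servers, host_header):
    """Return the server whose domain best matches the Host header, or None.

    Ranking follows the page: a specific domain beats any wildcard, and among
    wildcards the longest suffix wins, so for test.company.com the order is
    test.company.com, then *.company.com, then *.com.
    """
    hostname = _normalize_host(host_header)
    best, best_rank = None, None
    for server in servers:
        for pattern in server.domains:
            if not domain_matches(pattern, hostname):
                continue
            # (1, ...) for a specific domain outranks (0, ...) for any wildcard;
            # the pattern length breaks ties between wildcards.
            rank = (0 if pattern.startswith("*.") else 1, len(pattern))
            if best_rank is None or rank > best_rank:
                best, best_rank = server, rank
    return best
```

Running select_virtual_server(SAMPLE_SERVERS, "test.company.com") returns the owa-test server; mail.company.com falls through to the *.company.com server and shop.example.com to the *.com server. A hostname that matches no configured domain returns None, which is the case a WAF treats as "no virtual web server for this request".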

  5. Specify the details of the Protected servers. You can specify the web servers, authentication method, and allowed and blocked client networks. If you select path-specific routing, in addition to these settings, you can bind sessions to servers, specify the primary and backup servers, and use the WebSocket protocol.

    Note

    If you select multiple web servers, requests are balanced between the web servers.

    If you don't want to configure path-specific routing, specify the Web servers and Access permissions.

    Web server
      Select the web servers from the Web server list. Alternatively, you can create new ones. You can see the selected web servers under Selected web servers.

    Allowed client networks
      Specify the IP addresses and networks that can connect to the hosted web server.

      The default value is Any IPv4. Keep the default value if you don't want to specify any IP addresses or networks. If you leave this setting blank, your WAF rule won't work, and the browser will show a "400 Bad Request" error.

    Blocked client networks
      Specify the IP addresses and networks to block from connecting to the hosted web server.

    Authentication
      Specify an authentication profile for web applications.

    Blocked countries
      Specify the countries or country groups you want to block from connecting to the hosted web server.

    Block IP addresses of unknown country-origin
      Turn on to block IP addresses whose country of origin is unknown.

      Use caution when turning this on because you might get blocked from this resource if you're connecting from an IP address of unknown country-origin. You can check whether your IP address has a country of origin. See GeoIP2 Databases Demo.

  6. Select Add new exception to specify the security checks to skip.

    Select the paths, sources, categories, and security checks to skip. For more information about categories, see the Common threat filter settings in Add a protection policy.

    You can specify more than one exception in a WAF rule.

    Paths
      Specify the paths for which you want to create an exception. You can use wildcards in the paths. Example: /products/*/images/*

    Operation
      Select the Boolean operation for paths and source networks.

    Sources
      Specify the IP addresses, range, list, or networks from which the traffic originates.

    Cookie signing
      Skips the check for cookie tampering. Cookie signing mitigates attempts to obtain private session data and engage in fraudulent activity by tampering with cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built from the name and value of the primary cookie and a secret that is known only to Sophos Firewall. If a request can't provide the correct cookie pair, the cookie is dropped.

    Static URL hardening
      Allows rewritten links for the specified paths and source networks.

      Static URL hardening prevents users from manually constructing deep links that lead to unauthorized access. When a client requests a website, all static URLs of the website are signed using a procedure similar to cookie signing. In addition, the response from the web server is analyzed to determine which links can be validly requested next.

      When you turn on static URL hardening, the entries for URL paths become case-sensitive. For example, if you add the path /rule.html and users enter /Rule.html, Sophos Firewall reports that the signature can't be found.

    Form hardening
      Skips checks for web form rewriting. To prevent tampering with forms, Sophos Firewall saves the original structure of a web form and signs it. If the structure has changed when the form is submitted, Sophos Firewall rejects the request.

    Antivirus
      Skips anti-virus scanning for requests from the specified source networks and to the paths that you specify.

    Block clients with bad reputation
      Skips checks for clients that have a bad reputation according to real-time blackhole lists (RBLs) and GeoIP information.

    Never change HTML during static URL hardening or form hardening
      If you select this exception, the firewall doesn't perform an HTML rewrite during static URL hardening or form hardening. For example, it doesn't update the links inside an HTML page and retains the full link returned by the web server. You may have to skip static URL hardening or form hardening to allow access to these links. This way, if a web application needs anything in the HTML page to function, the HTML rewrite doesn't drop it.

    Accept unhardened form data
      Even if you select the Form hardening exception, the firewall doesn't accept form data if the form hardening signature is missing. With this option, the firewall accepts unhardened form data.
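
The cookie-signing and static-URL-hardening mechanisms described in the Cookie signing and Static URL hardening rows above, as an added example that is not Sophos code: an HMAC-based emulation of the outbound signing and the inbound check for both, including the case-sensitive path comparison that makes /Rule.html fail the signature issued for /rule.html. The secret value, the `_sig` companion-cookie suffix and the `sig` query parameter are assumptions made for this example; the firewall's real secret and naming are internal to the product.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed demo secret. On the firewall the secret is known only to the appliance.
SECRET = b"constructed-demo-secret-do-not-reuse"
SIG_SUFFIX = "_sig"   # assumed name suffix of the companion cookie
SIG_PARAM = "sig"     # assumed name of the URL signature query parameter


def _mac(*parts: str) -> str:
    """HMAC-SHA256 over the parts, NUL-separated so ('ab','c') != ('a','bc')."""
    return hmac.new(SECRET, "\x00".join(parts).encode(), hashlib.sha256).hexdigest()


def sign_cookies(response_cookies: dict) -> dict:
    """Outbound direction: for every cookie the web server sets, add a companion
    cookie whose value is a MAC over the primary cookie's name and value."""
    signed = dict(response_cookies)
    for name, value in response_cookies.items():
        signed[name + SIG_SUFFIX] = _mac(name, value)
    return signed


def filter_cookies(request_cookies: dict) -> dict:
    """Inbound direction: keep a cookie only if the client presented the matching
    companion. A tampered value or a missing companion means the cookie is dropped."""
    kept = {}
    for name, value in request_cookies.items():
        if name.endswith(SIG_SUFFIX):
            continue
        presented = request_cookies.get(name + SIG_SUFFIX, "")
        if hmac.compare_digest(presented, _mac(name, value)):
            kept[name] = value
    return kept


def harden_url(link: str) -> str:
    """Rewrite a link in the server's response so it carries a signature over its
    exact path; this is what the client is allowed to request next."""
    parts = urlsplit(link)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((SIG_PARAM, _mac(parts.path)))
    return urlunsplit(parts._replace(query=urlencode(query)))


def verify_hardened_url(url: str) -> bool:
    """Accept a request only if its path carries a valid signature. The path is
    compared byte for byte, so /Rule.html cannot reuse the signature issued for
    /rule.html, which is the case-sensitivity behaviour the page describes."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.pop(SIG_PARAM, "")
    return hmac.compare_digest(presented, _mac(parts.path))


# Constructed sample: what the web server set, and what a client sends back.
SERVER_SET_COOKIES = {"session": "abc123", "theme": "dark"}
```

With these helpers, filter_cookies(sign_cookies(SERVER_SET_COOKIES)) returns both cookies unchanged, while a request in which the session value was edited, or which omits the companion cookie entirely, comes back with that cookie dropped. The same secret signs links, and verify_hardened_url rejects both an unsigned deep link and a signed link whose path case has been changed.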
  7. Specify the advanced protection policies.

    Protection
      Specify a protection policy for the servers.

    Intrusion prevention
      Specify an intrusion prevention policy.

      The communication protocol between the firewall and the web server must be HTTP to use intrusion prevention with WAF.

    Traffic shaping
      Specify a traffic shaping policy to allocate bandwidth.
  8. Specify the Advanced settings.

    Disable compression support
      When clients request compressed data, Sophos Firewall sends data in compressed form.

      Select this setting to turn off compression if web pages appear incorrectly or if users experience content-encoding errors. Sophos Firewall then requests uncompressed data from web servers and sends it to the client irrespective of the request's encoding parameter.

    Rewrite HTML
      Select to rewrite the links of returned web pages to retain link validity.

      Example: If a web server's hostname is yourcompany.local, but the hosted web server's hostname is yourcompany.com, absolute links like [a href="http://yourcompany.local/"] are broken unless the link is rewritten to [a href="http://yourcompany.com/"] before delivery to the client.

      You don't need to select this option if yourcompany.com is configured on your web server or if internal links on your web pages are always realized as relative links.

      We recommend that you use this option with Microsoft Outlook Web Access or SharePoint Portal Server.

      HTML rewriting affects all files with the HTTP content type text/* or *xml*, where * is a wildcard. To prevent corruption during HTML rewriting, make sure that other file types (for example, binary files) have the correct HTTP content type.

    Rewrite cookies
      Select to rewrite the cookies of returned web pages.

    Pass host header
      Select to forward the host header requested by the client to the web server.

      You can use this to match the requested hostname with the web server when you've hosted more than one website on a server.
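
The content-type rule and link rewriting described under Rewrite HTML, as an added example that is not Sophos code: it applies the text/* and *xml* wildcards to a response's Content-Type and rewrites absolute links from the internal hostname to the public one only for matching responses, which also shows why a binary mislabelled as text/* would be altered. The hostnames, the sample HTML and the sample binary body are constructed for this example.

```python
import fnmatch
import re

# Content types the page says HTML rewriting applies to; '*' is a wildcard.
REWRITE_CONTENT_TYPES = ("text/*", "*xml*")

# Constructed sample: the internal hostname and the one clients use.
INTERNAL_HOST = "yourcompany.local"
PUBLIC_HOST = "yourcompany.com"

# Constructed response bodies. The "PNG" is fake and happens to contain the hostname.
SAMPLE_HTML = (
    b'<a href="http://yourcompany.local/owa/">Mail</a> '
    b'<a href="/logo.png">Logo</a> '
    b'<a href="https://yourcompany.local">Home</a>'
)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"http://yourcompany.local/" + b"\x00\x01"


def needs_rewrite(content_type: str) -> bool:
    """True when the response's media type matches one of the rewrite patterns.
    Parameters such as '; charset=utf-8' are ignored for the comparison."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return any(fnmatch.fnmatchcase(media_type, p) for p in REWRITE_CONTENT_TYPES)


def rewrite_links(body: bytes, content_type: str, internal_host: str, public_host: str) -> bytes:
    """Rewrite absolute links pointing at the internal hostname so they point at
    the hostname clients use. Relative links need no change. Bodies whose content
    type does not match are returned untouched, which is why a binary served with
    a text/* content type would be corrupted by this same substitution."""
    if not needs_rewrite(content_type):
        return body
    # Match the host only when it is a complete hostname (followed by '/', ':',
    # a quote, whitespace, '>' or end of data), not a prefix of a longer name.
    pattern = re.compile(
        rb"(https?://)" + re.escape(internal_host.encode()) + rb"(?=[/:\"'\s>]|$)",
        re.IGNORECASE,
    )
    return pattern.sub(lambda m: m.group(1) + public_host.encode(), body)
```

rewrite_links(SAMPLE_HTML, "text/html; charset=utf-8", INTERNAL_HOST, PUBLIC_HOST) returns the page with both absolute links pointing at yourcompany.com and the relative /logo.png link untouched. The same function leaves SAMPLE_PNG alone when it is served as image/png, but changes its bytes if the server mislabels it as text/plain, which is the corruption the page warns about.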

  9. Click Save. When you save a WAF rule, the firewall restarts all web server protection rules. Live connections using any of these rules will be lost and need to be re-established.
