Exchange Autodiscover

(Only available for IPv4 policy) This page describes how to configure a rule for Exchange Autodiscover.

  1. Go to Device Configuration > Protect > Firewall and select IPv4. using the filter switch.
  2. Click +Add Firewall Rule and Business Application Rule.
  3. Specify the general rule details.
    Application Template
    Select Exchange Autodiscover to configure a policy for an Exchange Autodiscover environment.
    Specify a description for the rule.
    Rule Position
    Specify the position of the rule.
    Available Options:
    • Top
    • Bottom
    Rule Name
    Specify a name for the rule.
    Figure: About This Rule
  4. Specify Hosted Server details.
    Hosted Address
    Specify the address of the hosted server to which the rule applies. It is the public IP address through which Internet users access an internal server/host.
    Note When a connection is established by a client device and the client accesses the web server, the web server does not obtain the real client IP address. Reason is that the connection is made through the Web Application Firewall, so the address of the interface the WAF uses for the connection is delivered. To receive the real client IP address, the administrator has to read out the contents of the HTTP header "X-Forwarded-For".
    Listening Port
    Enter a port number on which the hosted web server can be reached externally over the Internet. Default is port 80 for plaintext communication (HTTP) and port 443 for encrypted communication (HTTPS).
    Select to enable or disable scanning of HTTPS traffic.
    HTTPS Certificate (only available if HTTPS is selected)
    Select the HTTPS certificate to be used.
    Redirect HTTP (only available if HTTPS is selected)
    Select to redirect HTTP requests.
    Enter the domains the web server is responsible for as FQDN, e.g.
    Figure: Hosted Server
  5. Specify Protected Server(s) details.
    Path-specific routing
    You can enable path-specific routing to define (the path) to which web servers incoming requests are forwarded.
    You can define that all URLs with a specific path, for example, /products/, are sent to a specific web server. On the other hand you can allow more than one web server for a specific request but add rules how to distribute the requests among the servers. Additionally, you can define that each session is bound to one web server throughout its lifetime (sticky session). This may be necessary if you host an online shop and want to make sure that a user sticks to one server during the shopping session. You can also configure to send all requests to one web server and use the others only as a backup.
    For each hosted web server, one default site path route (with path /) is created automatically. The device automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, (in case the default route was deleted), the request will be denied.
    Default: Enabled
    Add New Path (only available if Path-specific routing is selected)
    Click Add New Path to define a new path.
    Add Path
    Note Add New Path will only be active only after at least one web server and one hosted web server have been created.
    Default: /autodiscover, /Autodiscover, /AutoDiscover
    Web Server (not available if Path-specific routing is selected)
    Web servers are the application servers to be protected. Select a web server from the list of web servers or enter a web server and click Create to add a web server.
    A new web server can be created directly from this page or from the Device Configuration > Protect > Web Server > Web Servers page.
    Figure: Protected Server(s)
  6. Specify Access Permission details (not available if Path-specific routing is selected).
    Allowed Client Networks
    Select the allowed host(s)/network(s).
    Blocked Client Networks
    Select the blocked host(s)/network(s).
    Select the web application authentication profile from the list of available profiles.
    You can also create a new authentication profile on this page or on the Device Configuration > Protect > Web Server > Authentication Policies page.
    Figure: Access Permission
  7. Add path Exceptions for the web servers.

    Click Add New Exception to specify new exception.

    Add Exception

    Default: /autodiscover/*,/Autodiscover/*

    Figure: Exceptions
  8. Configure advanced settings.
    1. Specify Profiles for Business Applications.
      Intrusion Prevention
      Select an IPS policy for the rule.
      A new IPS policy can be created directly from this page or from the Device Configuration > Protect > Intrusion Prevention > IPS Policies page.
      Traffic Shaping
      Select a traffic shaping policy for the rule.
      A traffic shaping policy allocates & limits the maximum bandwidth usage of the user.
      A new traffic shaping policy can be created directly from this page or from the Device Configuration > System > Profiles > Traffic Shapping page.
      Application Protection
      Select an application protection policy for the server.
      A new application protection policy can be created directly from this page or from the Device Configuration > Protect > Web Server > Protection Policies page.
      Default: ExchangeAutoDiscover
      Figure: Policies for Business Applications
    2. Specify Advanced settings for the added server.
      Disable Compression Support
      By default, this checkbox is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, in case of websites being displayed incorrectly or when users experience content-encoding errors accessing your web servers, it can be necessary to disable compression support. When the checkbox is enabled, the WAF will request uncompressed data from the web servers of this hosted web server and will send it on uncompressed to the client, independent of the HTTP request's encoding parameter.
      Default: Disabled
      Rewrite HTML
      Select this option to have the device rewrite links of the returned webpages in order for the links to stay valid. Example: One of your web server instances has the hostname yourcompany.local but the hosted web server's hostname on the device is Thus, absolute links like [a href="http://yourcompany.local/"] will be broken if the link is not rewritten to [a href=""] before delivery to the client. However, you do not need to enable this option if either is configured on your web server or if internal links on your webpages are always realized as relative links. It is recommended that you use the option with Microsoft's Outlook web access and/or SharePoint portal server.
      Note HTML rewriting affects all files with a HTTP content type of text/* or *xml*, where * is a wild card. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting feature.
      Default: Disabled
      Rewrite cookies (only available if Rewrite HTML is selected)
      Select this option to have the device rewrite cookies of the returned web pages.
      Note If Rewrite HTML is disabled the Rewrite cookies option will also be disabled.
      Pass Host Header
      When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the web server. Whether passing the host header is necessary in your environment however depends on the configuration of your web server.
      Default: Enabled
      Figure: Advanced
  9. Click Save.
    Note As soon as a new HTTP based policy configuration has been created and saved or an existing HTTP based rule configuration has been altered and saved, all HTTP based business rules will be restarted. Any underlying client connection using a HTTP based business rule will get lost and has to be re-established.
The firewall rule for Microsoft Remote Desktop Gateway 2008 and R2 has been created and appears on the Firewall page when the IPv4 filter is set.