Hi,
has anyone succesfully secured a Microsoft Exchenge OWA/ECP behind the OPNWAF included in Business edition with web protection enabled?
As i can see there is only a small specific ruleset for exclusions which do not cover MS Exchange.
So far it did only work without web protection for me...
Web application rules and exchange server are a very annoying combination.
I suggest you enable the web application firewall (Firewall: Web Application: Settings) and run it as "detection only" (this setting can be configured in a Virtual Server - Security - Web Protection).
Then you look at the web application logs "Firewall: Log Files: Web Security. Write down the rule IDs that trigger and you think are false positives.
Then you go to Virtual Server - Security - Web Protection and disable these rules with "Disable Security Rules by ID".
Afterwards you can put the Web Protection to "on" and see if everything still works.
------
Though from a security perspective, patching the Exchange Server regularly and limiting paths like /ecp should be enough as security hardening.