os-OPNWAF / Exchange 2019 authentication Popups

Started by humnab, December 05, 2025, 04:44:04 PM

Hello,

we're migrating from a Sophos UTM to opnsense-business and try to replace the Sophos WAF with os-OPNWAF.
Now we have the problem that we get authentication popups in Outlook when we try to connect externally.
After canceling the popups or entering the password 2-3 times, Outlook shows online.
When we do the same with the Caddy plugin we have no popups (but no WAF); with the Sophos UTM WAF we also have no popups.

Any idea what's wrong? The Web Protection is disabled in os-OPNWAF, the Locations are configured as "Exchange Server", the Remote destinations with https://IP of Exchange... Thanks!

The popups should not happen since this apache plugin is compiled in:

https://github.com/opnsense/ports/tree/master/opnsense/mod_proxy_msrpc

Outlook Anywhere should just work the same as in Sophos (fun fact that module was developed by Astaro - which later became Sophos).

When I tested this while writing the manual, it was still working. Is your setup exactly as described? If not, do it like in the manual.

https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
Hardware:
DEC740

Hello,

sure, I did it as described in https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
I set up the mail and the autodiscover virtual server as described and I also played with the authentication settings in the Exchange virtual directories, no change. The same Exchange server works with the Caddy plugin and the Sophos UTM WAF, any ideas?

December 06, 2025, 05:43:00 AM #3 Last Edit: December 06, 2025, 05:44:47 AM by Monviech (Cedrik)
I don't have an idea right now. I also know of customers for whom it works as it is right now when using Outlook.

Caddy works because there is an NTLM plugin compiled in (I maintain the Caddy plugin too). Though as NTLM is deprecated I wonder how long that will still work.

If it works for Sophos UTM please connect to it via SSH and extract the apache config and post it here, maybe we can spot a difference to our apache config.
Hardware:
DEC740

Hello,

here's the UTM configuration; I replaced the domain with example.com

/var/chroot-reverseproxy/usr/apache/conf/httpd.conf

ServerRoot /usr/apache
DefaultRuntimeDir /var/run/apache2
PidFile /var/run/apache2.pid

Include conf/modules.conf
Include conf/mpm.conf
Include conf/modsecurity.conf

HostnameLookups Off
ExtendedStatus On
ServerTokens Prod
ServerSignature Off
Header unset Server

User nobody
Group nogroup

Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 15

UseCanonicalName On
CoreDumpDirectory "/tmp"

SecDataDir /tmp
SecTmpDir /tmp

LogFormat "id=\"0299\" srcip=\"%a\" localip=\"%A\" size=\"%B\" user=\"%u\" host=\"%h\" method=\"%<m\" statuscode=\"%s\" reason=\"%<{block-reason}e\" extra=\"%<{block-reason-extra}e\" exceptions=\"%<{matched-exceptions}n\" time=\"%D\" url=\"%U\" server=\"%{Host}i\" port=\"%p\" query=\"%q\" referer=\"%{Referer}i\" cookie=\"%{Cookie}i\" set-cookie=\"%{Set-Cookie}o\" websocket_scheme=\"%{scheme}w\" websocket_protocol=\"%{protocol}w\" websocket_key=\"%{key}w\" websocket_version=\"%{version}w\" uid=\"%{UNIQUE_ID}e\"" astaro
ErrorLog syslog:local1
CustomLog "|/bin/logger -p local1.info -t httpd" astaro
LogLevel notice

## Uncomment these lines for extended debug logging
#LoadModule firehose_module /usr/apache/modules/mod_firehose.so
#FirehoseProxyConnectionInput /tmp/proxy-input.firehose
#FirehoseProxyConnectionOutput /tmp/proxy-output.firehose
#FirehoseConnectionInput /tmp/input.firehose
#FirehoseConnectionOutput /tmp/output.firehose

## Uncomment these lines for traffic dumping in pcap format
#LoadModule pcap_module /usr/apache/modules/mod_pcap.so
#PcapFileName /tmp/WAF.pcap
#PcapNetworkProtocol ip

SecRule ENV:block-reason "@streq cookie"         "phase:5,id:99001,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq url hardening"  "phase:5,id:99002,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq form hardening" "phase:5,id:99003,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq av"             "phase:5,id:99004,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq dnsrbl"         "phase:5,id:99005,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq geoip"          "phase:5,id:99006,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"

TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-bzip2 .bz2

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gvfs/1" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLHonorCipherOrder On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
# Disable transparent compression of SSL data transfers.
# This mitigates impact of SSL "CRIME" attacks (CVE-2012-4929)
SSLCompression off
SSLSessionTickets off

# Drop the (Request-)Range header if more than 5 ranges (CVE-2011-3192)
SetEnvIf Range (,.*?){5} bad-range=1
RequestHeader unset Range env=bad-range
SetEnvIf Request-Range (,.*?){5} bad-request-range=1
RequestHeader unset Request-Range env=bad-request-range

ProxyWebsocketFallbackToProxyHttp off

# ClamavTmpdir    /tmp/clamav
# ClamavSocket    /var/run/clamav/clamd.ctl
# ClamavMode      daemon
# ClamavPermissions 0644

# <Location /clamav>
#       SetHandler clamav
# </Location>

CookieLimit 1000

Include conf/status.conf

Include conf/reverseproxy.conf


/var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

KeepAlive On
ServerName rzfw01.example.com
ServerAdmin support-hsg@example.com
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AESGCM:RSA+AES:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!DHE
RemoteIPProxyProtocol Off
Listen 93.189.156.39:443 https
Listen 93.189.156.39:80 http
<VirtualHost 93.189.156.39:443>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        SSLProxyEngine On
        SSLEngine On
        SSLCertificateFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.pem
        SSLCACertificatePath /usr/apache/conf/cacerts/
        SSLCertificateKeyFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.key
        RequestHeader set X-Forwarded-Proto https
        DocumentRoot /var/www/REF_RevFroAutodiscov
        SetEnv proxy-initial-not-pooled
        <Proxy balancer://0e9f56dedc1c6a43ee0c263a6d1b336b>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Proxy balancer://756724cd34319588665693abb5819b66>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Location "/">
                SetEnv proxy-aside-c
                ProxyPass "balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/"
                ProxyPassReverse "https://10.10.10.5/"
                SetOutputFilter DEFLATE
                <RequireAll>
                        Require all granted
                </RequireAll>
        </Location>
        <Location "/ecp">
                SetEnv proxy-aside-c
                ProxyPass "balancer://756724cd34319588665693abb5819b66/ecp" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/ecp"
                ProxyPassReverse "https://10.10.10.5/ecp"
                SetOutputFilter DEFLATE
                <RequireAll>
                        <RequireAny>
                                Require ip 10.0.0.0/16
                        </RequireAny>
                </RequireAll>
        </Location>
</VirtualHost>
<VirtualHost 93.189.156.39:80>
        ServerName REF_RevFroAutodiscov_redirect_ssl
        ServerAlias mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        <Location />
                Require all granted
                RedirectSSL permanent / 443
        </Location>
</Virtualhost>


/var/chroot-reverseproxy/usr/apache/conf/status.conf


Listen 127.0.0.1:4080
<VirtualHost 127.0.0.1:4080>
        ServerName localhost
        ProxyStatus On
        RemoteIPProxyProtocol Off
        SecAuditEngine Off
        <Location /status>
                SetHandler server-status
                Require local
        </Location>
        <Location /lb-status>
                SetHandler balancer-status
                Require local
        </Location>
        <Location /session-cleanup>
                SetHandler session-cleanup-handler
                Require local
                SessionServerStorageDir /var/lib/apache2/sessions
                SessionServerStorageMaxFiles 25000
        </Location>
</VirtualHost>

Today at 02:46:17 PM #5 Last Edit: Today at 02:48:00 PM by Monviech (Cedrik)
Hello, thanks for these.

I want to additionally know what's loaded inside this path of the UTM:

# conf/modules.conf

Afterwards, on your OPNsense, please give us the following files:

# cat /usr/local/etc/apache24/Includes/gateway_vhosts.conf (Please PM it to me)
# cat /usr/local/etc/apache24/httpd.conf (Please PM it to me)
Hardware:
DEC740
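The thread's next step is to put the UTM's apache config next to the OPNsense one and look for a directive that is missing on one side, plus to see which modules the UTM's modules.conf loads. The following Python script is an added example for doing that comparison mechanically; it is not code from Sophos, OPNsense or os-OPNWAF. It parses Apache-style config text into (context, directive, args) records, diffs two configs by context and directive name while deliberately ignoring values (IPs, hostnames and balancer ids differ between installations anyway), and lists LoadModule entries. The two vhost snippets and the modules.conf stand-in are constructed, loosely modelled on the reverseproxy.conf posted above, and are not any real OPNsense file.

```python
"""Apache config directive extractor and differ (added example, constructed samples)."""
import re

SECTION_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)\s*>$")

# Sections whose argument is a path and therefore matters for comparison;
# for VirtualHost, Proxy etc. the argument is host-specific and is dropped.
PATH_SECTIONS = {"location", "locationmatch", "directory", "directorymatch",
                 "files", "filesmatch"}


def _logical_lines(text):
    """Yield stripped lines, joining backslash continuations and dropping comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line and not line.startswith("#"):
            yield line


def parse_apache_config(text):
    """Return a list of (context, directive, args).

    context is a tuple of enclosing sections such as ('virtualhost', 'location /').
    Names are lower-cased because Apache treats them case-insensitively, so the
    UTM's '</Virtualhost>' closes a '<VirtualHost ...>' as it does in Apache.
    """
    entries, stack = [], []          # stack holds (name, context_key)
    for line in _logical_lines(text):
        m = SECTION_OPEN.match(line)
        if m:
            name = m.group(1).lower()
            arg = m.group(2).strip().strip('"')
            key = f"{name} {arg}".strip() if name in PATH_SECTIONS else name
            stack.append((name, key))
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if not stack or stack[-1][0] != m.group(1).lower():
                raise ValueError(f"unbalanced section close: {line}")
            stack.pop()
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        entries.append((tuple(k for _, k in stack), parts[0].lower(), args))
    if stack:
        raise ValueError(f"unclosed sections: {[n for n, _ in stack]}")
    return entries


def diff_directives(entries_a, entries_b):
    """Directives (by context and name) present in one config but not the other."""
    keys_a = {(ctx, d) for ctx, d, _ in entries_a}
    keys_b = {(ctx, d) for ctx, d, _ in entries_b}
    return {"only_in_a": sorted(keys_a - keys_b), "only_in_b": sorted(keys_b - keys_a)}


def loaded_modules(entries):
    """Module identifiers from LoadModule lines, e.g. 'proxy_module'."""
    return sorted(a.split()[0] for _, d, a in entries if d == "loadmodule" and a)


# Constructed sample, loosely modelled on the UTM reverseproxy.conf in the thread.
CONFIG_A = """\
KeepAlive On
<VirtualHost 203.0.113.10:443>
        ServerName mail.example.com
        SSLProxyEngine On
        SSLEngine On
        RequestHeader set X-Forwarded-Proto https
        <Location "/">
                ProxyPass "balancer://pool/" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5/"
                SetOutputFilter DEFLATE
        </Location>
</Virtualhost>
"""

# Constructed second config to compare against (not a real OPNsense file).
CONFIG_B = """\
KeepAlive On
<VirtualHost 198.51.100.7:443>
        ServerName mail.example.com
        SSLEngine On
        <Location />
                ProxyPass "https://10.10.10.5/"
                ProxyPassReverse "https://10.10.10.5/"
        </Location>
</VirtualHost>
"""

# Constructed modules.conf stand-in (module names exist in Apache; paths are made up).
MODULES_CONF = """\
LoadModule proxy_module /usr/apache/modules/mod_proxy.so
LoadModule proxy_http_module /usr/apache/modules/mod_proxy_http.so
LoadModule headers_module \\
    /usr/apache/modules/mod_headers.so
"""

if __name__ == "__main__":
    report = diff_directives(parse_apache_config(CONFIG_A), parse_apache_config(CONFIG_B))
    for side, items in report.items():
        print(side)
        for ctx, directive in items:
            print("  ", " > ".join(ctx) or "(global)", directive)
    print("modules:", loaded_modules(parse_apache_config(MODULES_CONF)))
```

Run against the real files (read them instead of the constructed strings), the "only_in_a" list is the set of directives the UTM has that the other config lacks, grouped by vhost and Location, which is the shortlist worth checking first; the "modules" list answers the modules.conf question without pasting the whole file.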