How to Configure EWS Protection?
The EWS Protector is a component of SphereShield which is located in the Bastion Reverse Proxy as a filter.
The EWS Protector is used to allow only SphereShield registered Skype for Business clients to access the Exchange Web Services.
The EWS Protector also helps prevent DoS (Denial of Service) attacks by keeping a counter of incorrect sign-in attempts to the Exchange Web Services.
Configuring EWS Protection
To configure EWS Protection, we must create a channel in Bastion.xml (note that the default Bastion.xml already contains an EWS channel).
Tags
- Channel Name - Specify the name of the Channel.
- Listener - Specify the listener to be used by this channel (more on configuring listeners)
- External Hosts - Specify the Exchange Autodiscover hostname and the Exchange Web Services hostname.
- Publish - Specify the FQDN or IP of the next hop that reaches the Client Access Server role (from Exchange Server 2016 onward this is a service).
- sslPort - Specify the port to forward the traffic to.
- Filter - Specify the folder and filter DLL to be used (in the example below ews\EWS_protector is used, which is the folder that resides by default in C:\Agat\Bastion\Filters)
After we have a channel for the EWS Protector, we can configure EWS_Protector.xml, located by default in C:\Agat\Bastion\Filters\EWS.
In EWS_Protector.xml we only need to configure the connection to the Access Portal database:
<db connStr="Provider=SQLOLEDB; Data Source=sqlserver\instance,1433; Initial Catalog=<database Name>; User ID=<Database Username>; Password=<Database User Name Password>;" />
Afterwards, save the file.
Configuring EWS Protector settings on Admin Portal
In the Admin Portal, go to Settings → EWS Protector, or use the following URL: /admin/settings?category=settings_ews_protector_settings_category_header
Restrict EWS access to registered devices only - Set whether only SphereShield registered devices can access Exchange Web Services.
External Host Suffix - Used only when the mail domain suffix differs from the SIP domain (e.g., the SIP domain is "Sip.agat.com" and the mail address domain is "mail.sphereshield.com").
Exchange Services Permitted - By default EWS and Autodiscover are enabled. It is possible to add OWA and ActiveSync as well.
User Agents permitted to access Exchange - Which user agents (device types) are allowed to access Exchange. By default only SfB Devices are permitted; "All" can be added as well.
Allow SfB PC and Android clients - Set to Yes by default; allows PC and Android clients in addition to iPhone devices.
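To make the access decision these settings describe concrete, here is an added Python model of the checks a filter like this performs; it is not SphereShield's code. The service paths are the standard Exchange virtual directories, while the client category labels, device ids and the lockout threshold are assumptions.

```python
from dataclasses import dataclass, field
# Exchange virtual directories for the services the Admin Portal can permit.
SERVICE_PATHS = {
    "EWS": "/ews/",
    "Autodiscover": "/autodiscover/",
    "OWA": "/owa",
    "ActiveSync": "/microsoft-server-activesync",
}
@dataclass
class Policy:
    """Mirrors the Admin Portal settings above, with the page's stated defaults."""
    restrict_to_registered: bool = True
    permitted_services: frozenset = frozenset({"EWS", "Autodiscover"})
    permit_all_user_agents: bool = False   # True when "All" is added to permitted user agents
    allow_pc_and_android: bool = True      # otherwise only SfB iPhone clients pass
    max_failed_signins: int = 5            # assumed threshold; the page only says a counter exists

@dataclass
class State:
    registered_devices: set                          # device ids registered with SphereShield
    failed_signins: dict = field(default_factory=dict)  # device id -> failed sign-in count

def service_for(path):
    """Map a request path to one of the Admin Portal service names, or None."""
    low = path.lower()
    for name, prefix in SERVICE_PATHS.items():
        if low.startswith(prefix):
            return name
    return None

def decide(policy, state, device_id, client, path, sign_in_ok):
    """Return (allowed, reason). `client` is a constructed category label:
    'SfB iPhone', 'SfB PC', 'SfB Android' or 'Other'."""
    if state.failed_signins.get(device_id, 0) >= policy.max_failed_signins:
        return False, "locked: too many failed sign-ins"
    if not policy.permit_all_user_agents:
        if not client.startswith("SfB "):
            return False, "user agent not permitted"
        if client != "SfB iPhone" and not policy.allow_pc_and_android:
            return False, "PC/Android clients not allowed"
    if policy.restrict_to_registered and device_id not in state.registered_devices:
        return False, "device not registered"
    if service_for(path) not in policy.permitted_services:
        return False, "service not permitted"
    if not sign_in_ok:
        state.failed_signins[device_id] = state.failed_signins.get(device_id, 0) + 1
        return False, "sign-in failed"
    state.failed_signins.pop(device_id, None)
    return True, "ok"
```

The order of the checks means an unregistered or non-SfB client is rejected before it can consume a sign-in attempt, and a successful sign-in resets the device's failure counter.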