Is there a guide for onboarding OWA on Cloud WAF?
Thanks for posting. I had a chat with some Imperva colleagues and I think the following might be useful...
Generally there are no special requirements for onboarding the OWA/Email application. However, there are a couple of details you need to be aware of:
1. Idle timeout (KeepAliveTime) of Exchange Server.
Idle timeout (KeepAliveTime) is configured on the origin server (Exchange Server). When Outlook or a mobile device opens a connection to Exchange, it is basically saying, "Hey, I am open on this port and I will remain open on this port until something closes it". Exchange will do the same, saying "ok, I will use a port on my side and reserve it for your system to talk to mine". So both of those ports remain open and available to each other until Exchange no longer needs it, or the client disconnects. Exchange expects that connection to remain open until it is done with it. If it sends a process to the client, or if the client sends one to it, depending on the process, it can take some time for a response. If the network appliance times out the connection before the response comes in, it causes all kinds of inconvenient issues such as Outlook authentication prompts, iPhone full resyncs, and delayed responses. Usually the default is set to 2 hours.
Consequently, understand that if there are additional appliances with different timeout settings configured prior to the Exchange server, this may lead to an idle timeout (HTTP timeout). Hence, it is recommended to set the KeepAliveTime to 30 minutes, while the timeouts of any appliances prior to the Exchange server (such as Imperva WAF, load balancers or other firewall appliances) should be set HIGHER than the KeepAliveTime configured on the origin mail server.
2. Client wait time indication - HeartbeatInterval (Ping).
With ActiveSync, OWA/mobile clients MAY send an indication to the server of how long it should wait before sending back a response. This indication is called HeartbeatInterval (Ping). It is sent as a regular XML request.
In Ping command requests, it specifies the length of time, in seconds, that the server SHOULD wait before sending a response if no new items are added to the specified set of folders. The client MUST include a Folders element in the initial Ping command request (in the request body) to specify one or more folders that the server will monitor for additions.
Post data: =\x03\x01j\x00\x00 EH\x03470\x00\x01IJK\x037\x00\x01L\x03Contacts\x00\x01\x01JK\x035\x00\x01L\x03Calendar\x00\x01\x01JK\x0323\x00\x01L\x03Tasks\x00\x01\x01JK\x031\x00\x01L\x03Email\x00\x01\x01JK\x036\x00\x01L\x03Contacts\x00\x01\x01JK\x0322\x00\x01L\x03Tasks\x00\x01\x01\x01\x01
The HeartbeatInterval element is also returned by the server with a status code of 5 and specifies either the minimum or maximum interval that is allowed when the client has requested a heartbeat interval that is outside the acceptable range. Why is HeartbeatInterval relevant?
1. If the HeartbeatInterval is higher than our default HTTP timeout of 360 seconds (6 minutes), it will lead to an HTTP timeout. Hence, you might want to raise the HTTP timeout.
2. Because the client can indicate how long the server can wait before sending back a response, the response time in the Real-Time dashboard can be overwhelming and confusing (showing much higher response times than normal, because the response can be very delayed). Being aware of this will avoid getting alarmed by the data in the dashboard.
Basically, if you set the OWA KeepAliveTime to the recommended 30 minutes, then have us set the HTTP timeout of your site to 35, this will conform to the above recommendations. Let us know if you need us to make these changes.
I hope these details are helpful to you in configuring your OWA behind Imperva Cloud WAF.
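As an added example (not part of the original answer, and not Imperva or Microsoft code), the script below decodes the ActiveSync Ping request quoted in the answer, pulls out the HeartbeatInterval and the monitored folders, and checks the value against the WAF HTTP timeout and the Exchange KeepAliveTime in the way the answer recommends. It implements only the small WBXML subset a Ping request uses (header, SWITCH_PAGE, END, inline strings, and the code page 13 Ping tags from MS-ASWBXML). The sample bytes are constructed from the post data shown above; the SWITCH_PAGE argument (0x0D, code page 13) is an assumption because that byte is not legible in the pasted text.

```python
"""
Decode an ActiveSync Ping request (WBXML) and check its HeartbeatInterval
against the timeouts of the devices in front of Exchange.

Added example: minimal WBXML subset only, enough for the Ping command.
"""

# ActiveSync WBXML code page 13 (Ping) tag tokens, per MS-ASWBXML.
PING_TAGS = {
    0x05: "Ping", 0x06: "AutoDestination", 0x07: "Status",
    0x08: "HeartbeatInterval", 0x09: "Folders", 0x0A: "Folder",
    0x0B: "Id", 0x0C: "Class", 0x0D: "MaxFolders",
}

SWITCH_PAGE, END, STR_I = 0x00, 0x01, 0x03  # WBXML global tokens used here
CONTENT_BIT = 0x40                           # tag has child content

# Constructed from the post data in the answer above. The 0x0D after the
# first 0x00 (SWITCH_PAGE to the Ping code page) is assumed.
SAMPLE_PING_REQUEST = (
    b"\x03\x01\x6a\x00"      # header: WBXML 1.3, public id 1, UTF-8, empty string table
    b"\x00\x0d"              # SWITCH_PAGE -> code page 13 (Ping)
    b"\x45"                  # <Ping>
    b"\x48\x03470\x00\x01"   # <HeartbeatInterval>470</HeartbeatInterval>
    b"\x49"                  # <Folders>
    b"\x4a\x4b\x037\x00\x01\x4c\x03Contacts\x00\x01\x01"
    b"\x4a\x4b\x035\x00\x01\x4c\x03Calendar\x00\x01\x01"
    b"\x4a\x4b\x0323\x00\x01\x4c\x03Tasks\x00\x01\x01"
    b"\x4a\x4b\x031\x00\x01\x4c\x03Email\x00\x01\x01"
    b"\x4a\x4b\x036\x00\x01\x4c\x03Contacts\x00\x01\x01"
    b"\x4a\x4b\x0322\x00\x01\x4c\x03Tasks\x00\x01\x01"
    b"\x01"                  # </Folders>
    b"\x01"                  # </Ping>
)


def parse_ping(data: bytes) -> dict:
    """Return {"HeartbeatInterval": int or None, "Folders": [(id, class), ...]}."""
    if len(data) < 4 or data[0] != 0x03:
        raise ValueError("not a WBXML 1.3 document")
    pos = 4          # header fields are all single-byte in a Ping request (assumed)
    stack = []       # names of currently open elements
    folder = {}      # Id/Class of the <Folder> being read
    result = {"HeartbeatInterval": None, "Folders": []}
    while pos < len(data):
        tok = data[pos]
        pos += 1
        if tok == SWITCH_PAGE:
            page = data[pos]
            pos += 1
            if page != 13:
                raise ValueError(f"unexpected code page {page}, expected 13 (Ping)")
        elif tok == END:
            name = stack.pop()
            if name == "Folder":
                result["Folders"].append((folder.get("Id"), folder.get("Class")))
                folder = {}
        elif tok == STR_I:
            # inline NUL-terminated string belongs to the innermost open element
            terminator = data.index(b"\x00", pos)
            value = data[pos:terminator].decode("utf-8")
            pos = terminator + 1
            if stack[-1] == "HeartbeatInterval":
                result["HeartbeatInterval"] = int(value)
            elif stack[-1] in ("Id", "Class"):
                folder[stack[-1]] = value
        else:
            name = PING_TAGS.get(tok & 0x3F)
            if name is None:
                raise ValueError(f"unknown Ping tag token 0x{tok:02x}")
            if tok & CONTENT_BIT:
                stack.append(name)  # empty elements need no END, so only these are pushed
    return result


def check_timeouts(heartbeat_s, waf_http_timeout_s, keepalive_s):
    """List the misconfigurations the answer warns about (empty list = consistent)."""
    findings = []
    if heartbeat_s is not None and heartbeat_s > waf_http_timeout_s:
        findings.append(f"HeartbeatInterval {heartbeat_s}s exceeds the WAF HTTP timeout "
                        f"of {waf_http_timeout_s}s: Ping responses will be cut off")
    if keepalive_s >= waf_http_timeout_s:
        findings.append(f"Exchange KeepAliveTime {keepalive_s}s is not below the WAF HTTP "
                        f"timeout of {waf_http_timeout_s}s: idle connections time out at the WAF")
    return findings


if __name__ == "__main__":
    ping = parse_ping(SAMPLE_PING_REQUEST)
    print("HeartbeatInterval:", ping["HeartbeatInterval"], "seconds")
    print("Monitored folders:", ping["Folders"])
    # default 360 s WAF timeout vs the answer's recommended 35 min (2100 s) / 30 min (1800 s)
    for waf_timeout in (360, 2100):
        print(f"WAF timeout {waf_timeout}s:", check_timeouts(ping["HeartbeatInterval"], waf_timeout, 1800) or "OK")
```

Run against the sample request, the parser reports a 470 second heartbeat, which is above the 360 second default mentioned in the answer; with the recommended 30 minute KeepAliveTime and a 35 minute WAF timeout both checks pass.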
Thank you very much Samantha, for the detailed answer!