This article describes how to secure Microsoft Outlook Web App (OWA) 2013 applications using Citrix Application Firewall.
Microsoft OWA 2013 is a web-based email client that enables users to access email and contacts and to share a web calendar. It is supported by all major browsers. To secure OWA, the Citrix NetScaler application firewall offers an easy-to-configure solution based on the hybrid model: a set of built-in signatures, with auto-update support, protects against known WEB-IIS vulnerabilities, while the deep protections (the Buffer Overflow, SQL Injection and Cross-Site Scripting security checks) catch attempts to exploit application-level flaws that no signature describes. Each request is inspected for malicious content, and the configured action is taken: the request is blocked, or the offending content is rendered harmless by transforming it.
Use the following procedure to configure security protections:
Create a service that represents the back-end OWA server.
Create load balancing virtual server.
Create signatures for the application firewall and enable the built-in rules in the web-iis category.
Create an application-firewall profile.
Configure the profile’s security checks to enable Buffer Overflow, XSS and SQL Injection protections.
Configure the profile’s settings to bind signatures and exclude file uploads from inspection, to prevent false positives.
Create an application firewall policy with an expression that identifies the traffic flowing to and from the application, and an action that applies the configured profile’s protections to the traffic.
Bind the policy to the load balancing virtual server.
Monitor logs and tweak the configuration. Deploy relaxation rules to avoid false positives if needed.
To secure Microsoft OWA 2013 applications by using the configuration utility:
Add a service of type SSL on port 443 that points to the OWA server.
Add a load balancing (lb) virtual server (vserver). The protocol must be SSL and the port must be 443. Bind the service to the lb vserver. Also bind the SSL certificate-key pair that clients will see to the lb vserver; the application firewall inspects the decrypted request on the vserver, so the TLS session must terminate here.
Make a copy of the application firewall default signatures, and then double-click the newly added copy to edit it. Use the Show/Hide button to select web-iis, which isolates all the rules in that category. By default the signature rules in the copy are disabled. Click the down-arrow on the Action button and select Enable all searched rules to enable every rule currently shown by the filter; check the filter before doing so, because the action applies to the whole filtered set.
Add a basic application firewall profile for the OWA application. Use a meaningful name to keep track of the purpose of the profile.
The following example shows owa_profile as the profile name.
Configure the security checks of the newly added profile. Enable the Block, Log, Learn, and Stats actions for the SQL Injection and Cross-Site Scripting checks. Enable the Block, Log and Stats actions for the Buffer Overflow check. Disable all actions for the rest of the security checks.
Configure the profile's settings. Bind the signatures to the profile and select the check box for Exclude Uploaded Files From Security Checks. This prevents binary attachment content from tripping the SQL Injection and Cross-Site Scripting checks; the trade-off is that the bodies of uploaded files are no longer inspected by those checks, so keep the signatures bound to cover them.
Create an application firewall policy for the OWA profile and bind the policy to the lb vserver.
The following example uses the expression HTTP.REQ.HOSTNAME.EQ("www.mail.com") to select the target traffic. Note that EQ is a case-sensitive string comparison and that HTTP.REQ.HOSTNAME is the value of the Host header, so a request whose Host header differs (for example, one sent to the vserver IP address directly) is not selected by this policy and falls through to the application firewall's default profile, which is the bypass profile unless you have changed it. If the vserver serves only OWA, a broader expression such as true avoids that gap.
Select the newly added policy and click Policy Manager. From the Bind Point options, select Load Balancing Virtual Server. The Virtual Server field now becomes visible. From this field's drop-down list, select the OWA lb vserver that you added earlier. Click Continue to display the Bind Point pane.
In the Select Policy field, click the arrow to display the policy options. Select the OWA policy and click Select. Click Bind.
In the Bind Point pane, click Done.
In the Application Firewall Policies pane, refresh the page. A green check mark appears in the Active column to indicate that the policy is now active.
The Microsoft OWA application is now protected by the application firewall. Monitor /var/log/ns.log (for example, filter it for the string APPFW from the NetScaler shell) to verify whether any violations are triggered, and fine-tune the security check configuration by adding relaxation rules where a blocked request turns out to be legitimate OWA traffic.
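The monitoring step above (and the "monitor logs and tweak the configuration" step of the procedure) is where most of the tuning work happens, so here is an added example of what that triage can look like. It is not code from the original article or from Citrix: it parses application firewall violation entries from ns.log, counts violations per check and action, and flags field/URL pairs that several clients hit repeatedly as candidates for a relaxation rule. The log lines embedded in the block are constructed to approximate the native (non-CEF) ns.log entry layout; the exact layout varies between builds, so the regular expression, the profile name owa_profile and the hostname www.mail.com are assumptions to adapt to your deployment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries approximating the native appfw format in
# /var/log/ns.log: after "APPFW <check> <msgid> 0 :" come the client IP,
# session ID, a log prefix ("-"), the profile name, the URL, free-text
# detail, and the action in angle brackets. Adjust APPFW_RE for your build.
SAMPLE_NS_LOG = """\
Mar 10 12:00:01 <local0.info> 192.0.2.10 03/10/2015:12:00:01 GMT ns 0-PPE-0 : default APPFW APPFW_SQL 1204 0 :  198.51.100.7 4321-PPE0 - owa_profile https://www.mail.com/owa/auth.owa Field Name: username Value: SQL Keyword check failed for field username="select" <blocked>
Mar 10 12:00:05 <local0.info> 192.0.2.10 03/10/2015:12:00:05 GMT ns 0-PPE-0 : default APPFW APPFW_XSS 1205 0 :  198.51.100.7 4321-PPE0 - owa_profile https://www.mail.com/owa/ev.owa Field Name: body Value: Cross-site script check failed for field body="<b>" <blocked>
Mar 10 12:00:09 <local0.info> 192.0.2.10 03/10/2015:12:00:09 GMT ns 0-PPE-0 : default APPFW APPFW_SQL 1206 0 :  203.0.113.5 4322-PPE0 - owa_profile https://www.mail.com/owa/auth.owa Field Name: username Value: SQL Keyword check failed for field username="union" <blocked>
Mar 10 12:00:12 <local0.info> 192.0.2.10 03/10/2015:12:00:12 GMT ns 0-PPE-0 : default APPFW APPFW_SIGNATURE_MATCH 1207 0 :  203.0.113.5 4322-PPE0 - owa_profile https://www.mail.com/owa/ Signature violation: web-iis rule matched <blocked>
Mar 10 12:00:15 <local0.info> 192.0.2.10 03/10/2015:12:00:15 GMT ns 0-PPE-0 : default APPFW APPFW_BUFFEROVERFLOW 1208 0 :  198.51.100.8 4323-PPE0 - owa_profile https://www.mail.com/owa/ev.owa URL length exceeded <blocked>
Mar 10 12:00:20 <local0.info> 192.0.2.10 03/10/2015:12:00:20 GMT ns 0-PPE-0 : default APPFW APPFW_XSS 1209 0 :  198.51.100.7 4321-PPE0 - owa_profile https://www.mail.com/owa/ev.owa Field Name: body Value: Cross-site script check failed for field body="<i>" <not blocked>
"""

# Matches the violation part of a line; non-appfw lines (kernel, ssh, ...) do not match.
APPFW_RE = re.compile(
    r"APPFW (?P<check>APPFW_[A-Z_]+) (?P<msgid>\d+) \d+ :\s+"
    r"(?P<client>\S+) (?P<session>\S+) (?P<prefix>\S+) (?P<profile>\S+) (?P<url>\S+) "
    r"(?P<detail>.*?) <(?P<action>blocked|not blocked|transformed)>\s*$"
)
# SQL Injection and Cross-Site Scripting entries name the offending form field.
FIELD_RE = re.compile(r"Field Name: (?P<field>\S+)")


def parse_appfw_line(line):
    """Return a dict describing one violation, or None for a non-appfw line."""
    m = APPFW_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    fm = FIELD_RE.search(event["detail"])
    event["field"] = fm.group("field") if fm else None
    return event


def parse_ns_log(text):
    """Parse every line of an ns.log excerpt, keeping only appfw violations."""
    return [ev for ev in (parse_appfw_line(ln) for ln in text.splitlines()) if ev]


def violation_summary(events):
    """Count violations per (check, action): which checks fire and whether they block."""
    return Counter((ev["check"], ev["action"]) for ev in events)


def relaxation_candidates(events, min_hits=2, min_clients=2):
    """Field/URL pairs that the SQL or XSS check hit repeatedly from several
    distinct clients. One client hammering one field looks like an attack;
    many clients tripping the same field on the same page is the usual shape
    of a false positive and deserves a human look before a relaxation is added."""
    hits = Counter()
    clients = defaultdict(set)
    for ev in events:
        if ev["check"] in ("APPFW_SQL", "APPFW_XSS") and ev["field"]:
            key = (ev["check"], ev["url"], ev["field"])
            hits[key] += 1
            clients[key].add(ev["client"])
    return sorted(
        key for key, n in hits.items()
        if n >= min_hits and len(clients[key]) >= min_clients
    )


if __name__ == "__main__":
    evs = parse_ns_log(SAMPLE_NS_LOG)
    for (check, action), n in sorted(violation_summary(evs).items()):
        print(f"{check:28s} {action:12s} {n}")
    for check, url, field in relaxation_candidates(evs):
        # Relaxations are keyed by field name and a URL regex; escape the URL so
        # it is taken literally when you enter it in the profile.
        print(f"review: {check} field={field} url={re.escape(url)}")
```

The thresholds are deliberately conservative; the point of the exercise is to shortlist entries for review, not to relax the profile automatically, because a relaxation permanently exempts that field on that URL from the check.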
To protect Microsoft OWA applications, use the easy-to-configure application firewall security checks together with the built-in signatures.
Keep the signatures current by using the auto-update feature.