@Andreas @asimkon Ahh, I was not aware this question had been cross posted either. I scan through the Lucee discourse topics, but I didn’t even realize from the title that CommandBox was involved so I hadn’t even read that other thread.
I see you have a possible Tuckey rewrite, but I’ll post my solution here since I think it’s cleaner 
I used the Server Rules because they’re cool, generally less boilerplate, and can be specified right in your server.json (or an env var) without needing an additional XML file.
Now to the Farcry rules-- their documentation is a little confusing. They have at least 3 versions of their rule with different regex and I’m not sure which one is really necessary but I took the simplest example and created this rule which seems to work in my basic tests.
Put this in your server.json file and restart your server. No other custom configuration or files are needed:
{
"web":{
"rules":[
"not regex('(^/farcry|^/webtop|^/flex2gateway|^/flashservices|^/cfide)($|/)') and regex('^([^\\.]+)$') -> { rewrite('/index.cfm'); set(attribute='%{QUERY_STRING}', value='furl=$1&%{BARE_QUERY_STRING}') }"
]
}
}
Sorry it’s a little long with the two conditions. Technically this is similar to break it into two rules:
{
"web":{
"rules":[
"regex('(^/farcry|^/webtop|^/flex2gateway|^/flashservices|^/cfide)($|/)') -> done",
"regex('^([^\\.]+)$') -> { rewrite('/index.cfm'); set(attribute='%{QUERY_STRING}', value='furl=$1&%{BARE_QUERY_STRING}') }"
]
}
}
but I don’t care for that solution since the done directive skips ALL REMAINING RULES including the “internal” rules CommandBox adds to secure sensitive files and block administrator access. So I generally don’t ever use done unless I’m specifically overriding a core rule, but I figured I’d show both approaches. done is the equivalent to last in mod rewrite.
And just for funsies-- when this ticket is fixed in Undertow (I’ve sent a pull) the rule above will be even simpler since I can finally set the query string as part of the rewrite.