Check to see if your ports are set correctly.

@JonathanLee Thats really great news, sorry was not following this since long (I switched from IT to Development). So to clean things up I will be closing PR and Redmine issue. Best Maharsh.

@viragomann Yes, the host is reachable and the exchange server has the correct certificate. If I use normal portforwarding without a HAProxy at ports 80+443 from pfsense to the exchange server everything works properly.

@viragomann Thanks so much for your help. I finally got it working with WAN and LAN

Some sites you need to splice it is complex software to configure. Don't give up you got your splice list keep going...

@viragomann Got it working! I wasn't able to reboot pfSense before because it's on production. Last night I scheduled a window and voilá... it works now. Thanks!

@maverick_slo not always the case.. While sure its good idea to keep your software updated, but if there are no bug fixes to address an issue your seeing, or security fixes that are of concern, or new features you want. There is nothing pushing to running a newer version when your current version is working fine. Ever hear the term if its not broke, don't fix it ;) Normally when a new version of pfsense comes out, the packages normally get an update along with that. But they don't always push updates to packages unless the package maintainer updates it, or there is some sort of security issue, etc.

@jacklynjohnson start page like this and it will work. HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close Content-Type: text/html <!DOCTYPE html>.........

@planetinse If someone reads this the problem was related to HTTP/2 and http/1.1 and known issues post Haproxy 2.4 Enforcing traffic in frontend with alpn http/1.1 - solved the issue in my scenario. btw. the certificates was a blind-track, it was never related. https://github.com/haproxy/haproxy/issues/162

I'm wondering, I changed my mode from "custom" mode to "splice all" mode and added these codes as you can see in the photo, the system and many blocked programs and applications started to work. What exactly is the logic behind this? @JonathanLee @stephenw10 Custom Options (SSL/MITM) = acl splice_it ssl::server_name .microsoft.com acl splice_it ssl::server_name .windowsupdate.com acl splice_it ssl::server_name .akamaitechnologies.com acl splice_it ssl::server_name .akadns.net acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump splice splice_it ssl_bump bump all ssl_bump peek step1 ssl_bump splice all My custom refresh_options on the Local Cache tab refresh_pattern -i windowsupdate.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i microsoft.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i windows.com/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i microsoft.com.akadns.net/..(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims refresh_pattern -i deploy.akamaitechnologies.com/.*.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims If you want to restrict (bypass) ip addresses of your local Network :- acl splice_it ssl::server_name .microsoft.com acl splice_it ssl::server_name .windowsupdate.com acl splice_it ssl::server_name .akamaitechnologies.com acl splice_it ssl::server_name .akadns.net acl localnet src 10.0.0.0/8 #local network acl localnet src 192.168.0.0/16 #local network acl localnet src 172.16.0.0/12 #local network acl localnet src 2.2.2.2/32 #just for example acl step1 at_step SslBump1 ssl_bump peek step1 ssl_bump splice splice_it ssl_bump splice localnet # splice one more time ssl_bump bump all