Can't access exchange services. TCP-DENIED/403 for OWA

  • Hi,

    I've already posted that in the french forum, but since I had no response and despite my poor english, I have to try here...

    I hope english speaking peopple will not be angry with me and my english :-)


    I can not run my owa, nor outlook through my pf sense with squid and the publication exchange through the reverse proxy.

    Context: pro environment, pro system administrator, but layman pfsense, age of the firewall solution: new test for replacement solution TMG out of age ...

    Need: The goal is to publish exchange using the reverse proxy squid

    Scheme test platform ::
    exchange production server <-> pfsense <-> test's PC

    On exchange static route to pc test through pfsense
    On PC test static route to exchange through pfsense
    On IP test PC IP resolution fixed by hosts file to the used names (exch2013, autodiscover, owa)
    On DNS squid set to internal DNS resolving these names in IP

    WAN (modem / router / box): 1 network. 1 public IP on pf sense (

    LAN: 1 ( the tmg being in .1) dhcp not concerned, dns local (used by pf sense)

    NAT rules: nothing relevant to mail access for owa, autodiscover, rcp / https nor activesync (443 and 80)

    Firewall rules:
    the rules to be taken into account are those defined by the pages et
    Basically, rules allowing the 443 and 80 from the wan to pf sense (here to everything to facilitate the setting) and rules of publication reverse proxy squid

    Added Packages: squid and its reverse proxy

    Other functions assigned to pfSense: nothing... for the moment

    (And here I leave french forum's requested formalism)

    Question: not possible to run owa, autodiscover, client already configured outlook, client exchange on mobile phone ...
    for the OWA which is the one on which I dug the most, The client does not connect with "access forbidden" or if the box "If checked, the reverse proxy will reset the TCP connection if the request is unauthorized" is checked then "The connection to the server has been reset".
    In the squid logs error TCP_DENIED / 403
    In firewall logs I have permissions for frames on port 443

    Tracks imagined: many research on the net with no success (I searched a lot before choosing to post here)

    I tried to speak directly to the exchange server address. It works but does not go through the squid.

    I tried to change Compatibility mode from modern to intermediaite (and I have the impression that sometimes it worked for a few seconds I am at this change although I did not see it again during my last tests)

    I wonder if the problem comes:

    • certificate that I have not registered properly. I use on my exchange a multi-host certificate (which principal host name is provided by globalsign. It was provided with an intermediate certificate. I had to fight to convert my certificate as a pfx to the desired format ... But my last attempt (I did it several times) is what is on the procedure http: // www. via Digicert's tool.
      As for the intermediate certificate, I tried to put it at the ACs level (System / Certificate Manager or Intermediate CA Certificate (If Needed)) or PackageReverse Proxy Server/GeneralGeneral without more success.

    • since I do not know how to tell the reverse proxy exchange must rely on the name "exch2013" and not on "mail" as I saw on most topics that I could find on this problem.

    • A setting of my exchange not in conformity with what pf sense wants that would be different from what TMG wants

    And in the log. I wonder if this TCP_DENIED / 403 me well indicates that it is squid himself who has refused (with wireshark I do not see besides frames 443 arrive on my exchange during my attempts against, from time to time, I see arriving frames coming from the pfsense but not synchronized with my requests ... Squid would establish the contact with the server regardless of requests that we done ... or maybe I misinterpreted some frames)

    Here, I am lost.
    What do you think?
    I hope someone will give me an answer ... I have my boss who turns me on because it's been several months since I have to put this in place ...

    Thank you... for reading me already!
    And sorry for this poor mix beetween my poor english and an automative traduction system.


  • Hi,
    Finnaly I've got it.
    Squid/pfsense takes the "External FQDN" for exchange URL publication!!!

  • Hello.
    I have the same problem.
    Tell me, how did you solve it?

  • Hi,
    It's quite simple.
    your external fqdn linked to your certificate must be filled in the External FQDN field.

  • Unfortunately I did not understand you.

    I have parameters in Package\Reverse Proxy Server: General next Squid Reverse Proxy General Settings
    External FQDN:

    Squid Reverse HTTPS Settings
    Reverse SSL Certificate: * ( I have an external certificate for *

    In Intermediate CA Certificate - COMODO RSA Domain Validation Secure Server CA


    what am i doing wrong ?

  • Ouch... Really sorry!
    I think I've made a mistake...

    I don't have Pfsense server anymore but i think that It was not External FQDN but reverse https default site witch cares...

    And I'm wondering if you don't have to use an host name and not a domains one, something like and not only a
    But My certificate wasn't a wildcard. So it could be wrong.

    To be complete there's some points I have to add here:

    • to get through this issue, I used the console to look at the squids configurations files. it's not so difficult and there can be found the ssl adresses usable to connect
    • I ve never been able to have everything working as it should with PFsense with squid on it. One colleague of mine tried again with a fresh install of Pfsense to be sure theyre's no artefact of what I did. But for me, as I read it so many times, pfsense does not work fine with squid (we forgot Squid and changed to a commercial solution)

Log in to reply