Exchange 2016 Autodiscover
-
Greetings,
I'm using HAproxy to proxy my exchange DAG.
pfsense
Version 2.4.4-RELEASE-p2 (amd64)
built on Wed Dec 12 07:40:18 EST 2018
FreeBSD 11.2-RELEASE-p6
Here is the HAProxy config from /var/etc/haproxy.cfg:
# Automaticaly generated, dont edit manually.
# Generated on: 2019-01-28 14:54
global
    maxconn 10000
    stats socket /tmp/haproxy.socket level admin uid 80 gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 4096
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend http-https-frontend
    bind <public ip>:443 name <public ip>:443 ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
    bind <public ip>:80 name <public ip>:80
    mode http
    log global
    option socket-stats
    option http-keep-alive
    maxconn 10000
    timeout client 30000
    acl is_ecp var(txn.txnpath) -m sub -i /ecp/
    acl not_https ssl_fc,not
    acl is_portal var(txn.txnhost) -m str -i <web_portal>
    acl is_healthcheck var(txn.txnpath) -m reg -i healthcheck.htm$
    acl is_autodiscover var(txn.txnpath) -m sub -i /Autodiscover/
    acl is_rpc var(txn.txnpath) -m sub -i /rpc/
    acl is_owa var(txn.txnpath) -m sub -i /OWA/
    acl is_ews var(txn.txnpath) -m sub -i /EWS/
    acl is_oab var(txn.txnpath) -m sub -i /OAB/
    acl is_eas var(txn.txnpath) -m sub -i /EAS/
    acl is_mapi var(txn.txnpath) -m sub -i /mapi/
    acl aclcrt_http-https-frontend var(txn.txnhost) -m reg -i ^([^\.]*)\.<company>\.ru(:([0-9]){1,5})?$
    acl aclcrt_http-https-frontend var(txn.txnhost) -m reg -i ^<company>\.ru(:([0-9]){1,5})?$
    http-request set-var(txn.txnpath) path
    http-request set-var(txn.txnhost) hdr(host)
    http-response deny if is_ecp aclcrt_http-https-frontend
    http-response deny if is_healthcheck aclcrt_http-https-frontend
    http-request redirect scheme https code 301 if not_https aclcrt_http-https-frontend
    use_backend portal-backend_ipvANY if is_portal aclcrt_http-https-frontend
    use_backend ex-Autodiscover-backend_ipvANY if is_autodiscover aclcrt_http-https-frontend
    use_backend ex-RPC-backend_ipvANY if is_rpc aclcrt_http-https-frontend
    use_backend ex-OWA-backend_ipvANY if is_owa aclcrt_http-https-frontend
    use_backend ex-EWS-backend_ipvANY if is_ews aclcrt_http-https-frontend
    use_backend ex-OAB-backend_ipvANY if is_oab aclcrt_http-https-frontend
    use_backend ex-EAS-backend_ipvANY if is_eas aclcrt_http-https-frontend
    use_backend ex-MAPI-backend_ipvANY if is_mapi aclcrt_http-https-frontend
    use_backend ex-OWA-backend_ipvANY if aclcrt_http-https-frontend

frontend smtp-frontend
    bind <public ip>:25 name <public ip>:25
    bind <public ip>:110 name <public ip>:110
    bind <public ip>:143 name <public ip>:143
    bind <public ip>:465 name <public ip>:465
    bind <public ip>:993 name <public ip>:993
    bind <public ip>:995 name <public ip>:995
    bind <public ip>:587 name <public ip>:587
    mode tcp
    log global
    option socket-stats
    option log-separate-errors
    option tcplog
    maxconn 10000
    timeout client 30000
    acl is_smtp_insecure dst_port 25
    acl is_pop3_insecure dst_port 110
    acl is_imap_insecure dst_port 143
    acl is_smtp_secure dst_port 465
    acl is_pop3_secure dst_port 995
    acl is_imap_secure dst_port 993
    acl is_starttls dst_port 587
    use_backend ex-smtp-backend_ipvANY if is_smtp_insecure
    use_backend ex-pop3-backend_ipvANY if is_pop3_insecure
    use_backend ex-imap-backend_ipvANY if is_imap_insecure
    use_backend ex-pop3-backend_ipvANY if is_pop3_secure
    use_backend ex-smtp-backend_ipvANY if is_smtp_secure
    use_backend ex-imap-backend_ipvANY if is_imap_secure
    use_backend ex-starttls-backend_ipvANY if is_starttls
    default_backend ex-smtp-backend_ipvANY

backend portal-backend_ipvANY
    mode http
    id 103
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    timeout connect 30000
    timeout server 30000
    retries 3
    server portal.<company>.local <internal_subnet>.11:443 id 104 ssl check inter 1000 verify none

backend ex-Autodiscover-backend_ipvANY
    mode http
    id 105
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /autodiscover/healthcheck.htm
    http-check expect status 200
    server ex1 <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2 <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-RPC-backend_ipvANY
    mode http
    id 106
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect status 200
    server ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-OWA-backend_ipvANY
    mode http
    id 100
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /OWA/HealthCheck.htm
    http-check expect status 200
    server ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-EWS-backend_ipvANY
    mode http
    id 107
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /EWS/HealthCheck.htm
    http-check expect status 200
    server ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-OAB-backend_ipvANY
    mode http
    id 108
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /OAB/HealthCheck.htm
    http-check expect status 200
    server ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-EAS-backend_ipvANY
    mode http
    id 109
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
    http-check expect status 200
    server ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-MAPI-backend_ipvANY
    mode http
    id 116
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /mapi/HealthCheck.htm
    http-check expect status 200
    server ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-smtp-backend_ipvANY
    mode tcp
    id 110
    log global
    option log-health-checks
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option smtpchk EHLO mail.<company>.ru
    server ex1.<company>.local <internal_subnet>.3:25 id 111 check inter 1000
    server ex2.<company>.local <internal_subnet>.4:25 id 112 check inter 1000

backend ex-pop3-backend_ipvANY
    mode tcp
    id 113
    log global
    option log-health-checks
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option tcp-check
    tcp-check connect
    tcp-check expect string +OK
    server ex1.<company>.local <internal_subnet>.3:110 id 111 check inter 1000
    server ex2.<company>.local <internal_subnet>.4:110 id 112 check inter 1000

backend ex-imap-backend_ipvANY
    mode tcp
    id 114
    log global
    option log-health-checks
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option tcp-check
    tcp-check connect
    tcp-check expect string * OK
    server ex1.<company>.local <internal_subnet>.3:143 id 111 check inter 1000
    server ex2.<company>.local <internal_subnet>.4:143 id 112 check inter 1000

backend ex-starttls-backend_ipvANY
    mode tcp
    id 115
    log global
    option log-health-checks
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    server ex1.<company>.local <internal_subnet>.3:587 id 111 check inter 1000
    server ex2.<company>.local <internal_subnet>.4:587 id 112 check inter 1000
ECP and OWA are working fine, but the Microsoft Remote Connectivity Analyzer returns
Has anybody faced that before?
-
Little update with more info
I'm using an Exchange 2016 DAG with two servers. Recently I've installed pfSense with the HAproxy module to act as a web reverse proxy.
My issue is the following: macOS Outlook clients are constantly asking for a password to connect, and RPC over HTTP is not working in my configuration. If I just forward port 443 to the Exchange DAG, RPC over HTTP works fine. If I replace HAproxy with IIS + ARR, the macOS clients stop asking for passwords. Has anyone ever faced this issue or something similar?
P.S. Windows Outlook clients are working fine in any configuration.
The haproxy.cfg file is as follows:
# Automaticaly generated, dont edit manually.
# Generated on: 2019-01-31 16:22
global
    maxconn 10000
    log syslog1.<my domain> local0 debug
    stats socket /tmp/haproxy.socket level admin uid 80 gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 4096
    log-send-hostname pfsense
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend http-https-frontend
    bind <public ip>:443 name <public ip>:443 ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
    bind <public ip>:80 name <public ip>:80
    mode http
    log global
    option socket-stats
    option log-separate-errors
    option httplog
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    maxconn 10000
    timeout client 30000
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    #option httplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
    option contstats # Enable continuous traffic statistics updates
    timeout http-keep-alive 30s # 15 second max for the client to post next request
    timeout http-request 30s # 15 seconds max for the client to send a request
    acl is_ecp var(txn.txnpath) -m sub -i /ecp/
    acl not_https ssl_fc,not
    acl is_portal var(txn.txnhost) -m str -i portal.<public domain>
    acl is_healthcheck var(txn.txnpath) -m reg -i healthcheck.htm$
    acl is_autodiscover var(txn.txnhost) -m str -i autodiscover.<public domain>
    acl is_rpc var(txn.txnpath) -m sub -i /rpc/
    acl is_owa var(txn.txnpath) -m sub -i /OWA/
    acl is_ews var(txn.txnpath) -m sub -i /EWS/
    acl is_oab var(txn.txnpath) -m sub -i /OAB/
    acl is_eas var(txn.txnpath) -m sub -i /EAS/
    acl is_mapi var(txn.txnpath) -m sub -i /mapi/
    http-request set-var(txn.txnpath) path
    http-request set-var(txn.txnhost) hdr(host)
    http-response deny if is_ecp
    http-response deny if is_healthcheck
    http-request redirect scheme https code 301 if not_https
    use_backend portal-backend_ipvANY if is_portal
    use_backend ex-Autodiscover-backend_ipvANY if is_autodiscover
    use_backend ex-RPC-backend_ipvANY if is_rpc
    use_backend ex-OWA-backend_ipvANY if is_owa
    use_backend ex-EWS-backend_ipvANY if is_ews
    use_backend ex-OAB-backend_ipvANY if is_oab
    use_backend ex-EAS-backend_ipvANY if is_eas
    use_backend ex-MAPI-backend_ipvANY if is_mapi
    default_backend ex-OWA-backend_ipvANY

frontend smtp-frontend
    bind <public ip>:25 name <public ip>:25
    mode tcp
    log global
    option socket-stats
    option dontlognull
    option dontlog-normal
    maxconn 10000
    timeout client 300000
    option tcplog
    option contstats
    default_backend ex-smtp-backend_ipvANY

frontend smtptls-frontend
    bind <public ip>:587 name <public ip>:587
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    maxconn 10000
    timeout client 300000
    option tcplog
    option contstats
    default_backend ex-smtptls-backend_ipvANY

frontend smtpssl-frontend
    bind <public ip>:465 name <public ip>:465
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    maxconn 10000
    timeout client 300000
    option tcplog
    option contstats
    default_backend ex-smtpssl-backend_ipvANY

frontend imap-frontend
    bind <public ip>:143 name <public ip>:143
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    maxconn 10000
    timeout client 300000
    option tcplog
    option contstats
    default_backend ex-imap-backend_ipvANY

frontend imaps-frontend
    bind <public ip>:993 name <public ip>:993
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    timeout client 300000
    option contstats
    default_backend ex-imaps-backend_ipvANY

frontend pop-frontend
    bind <public ip>:110 name <public ip>:110
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    maxconn 10000
    timeout client 300000
    option tcplog
    option contstats
    default_backend ex-pop-backend_ipvANY

frontend pops-frontend
    bind <public ip>:995 name <public ip>:995
    mode tcp
    log global
    option dontlognull
    option dontlog-normal
    maxconn 10000
    timeout client 300000
    option tcplog
    option contstats
    default_backend ex-pops-backend_ipvANY

backend portal-backend_ipvANY
    mode http
    id 103
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    timeout connect 30000
    timeout server 30000
    retries 3
    server portal.<my domain> <my local subnet>.11:443 id 104 ssl check inter 1000 verify none

backend ex-Autodiscover-backend_ipvANY
    mode http
    id 105
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /autodiscover/healthcheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    server ex1 <my local subnet>.3:443 id 101 ssl check inter 3000 verify none
    server ex2 <my local subnet>.4:443 id 102 ssl check inter 3000 verify none

backend ex-RPC-backend_ipvANY
    mode http
    id 106
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-OWA-backend_ipvANY
    mode http
    id 100
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /OWA/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    server ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-EWS-backend_ipvANY
    mode http
    id 107
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /EWS/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-OAB-backend_ipvANY
    mode http
    id 108
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /OAB/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-EAS-backend_ipvANY
    mode http
    id 109
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-MAPI-backend_ipvANY
    mode http
    id 116
    log global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk GET /mapi/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-smtp-backend_ipvANY
    mode tcp
    id 110
    log global
    balance leastconn
    timeout connect 5000
    timeout server 30000
    retries 3
    option redispatch
    option tcp-check
    tcp-check expect string 220
    default-server rise 2 fall 3
    server ex1.<my domain> <my local subnet>.3:25 id 111 check inter 3000
    server ex2.<my domain> <my local subnet>.4:25 id 112 check inter 3000

backend ex-smtptls-backend_ipvANY
    mode tcp
    id 115
    log global
    balance leastconn
    timeout connect 5000
    timeout server 30000
    retries 3
    default-server rise 2 fall 3
    option redispatch
    option tcp-check
    tcp-check expect string 220
    server ex1.<my domain> <my local subnet>.3:587 id 111 check inter 3000
    server ex2.<my domain> <my local subnet>.4:587 id 112 check inter 3000

backend ex-smtpssl-backend_ipvANY
    mode tcp
    id 121
    log global
    balance leastconn
    timeout connect 5000
    timeout server 30000
    retries 3
    option redispatch
    option tcp-check
    tcp-check expect string 220 ssl
    default-server rise 2 fall 3
    server ex1.<my domain> <my local subnet>.3:465 id 111 check inter 3000 verify none
    server ex2.<my domain> <my local subnet>.4:465 id 112 check inter 3000 verify none

backend ex-imap-backend_ipvANY
    mode tcp
    id 114
    log global
    option log-health-checks
    balance leastconn
    timeout connect 30000
    timeout server 30000
    retries 3
    option tcp-check
    tcp-check connect
    tcp-check expect string * OK
    server ex1.<my domain> <my local subnet>.3:143 id 111 check inter 1000
    server ex2.<my domain> <my local subnet>.4:143 id 112 check inter 1000

backend ex-imaps-backend_ipvANY
    mode tcp
    id 117
    log global
    balance leastconn
    timeout connect 5000
    timeout server 30000
    retries 3
    option redispatch
    option tcp-check
    tcp-check connect port 993 ssl
    tcp-check expect string * OK
    server ex1.<my domain> <my local subnet>.3:993 id 118 check inter 3000 verify none
    server ex2.<my domain> <my local subnet>.4:993 id 119 check inter 3000 verify none

backend ex-pop-backend_ipvANY
    mode tcp
    id 120
    log global
    option log-health-checks
    balance leastconn
    timeout connect 5000
    timeout server 30000
    retries 3
    option tcp-check
    tcp-check connect port 110
    tcp-check expect string +OK
    default-server rise 2 fall 3
    server ex1.<my domain> <my local subnet>.3:110 id 111 check inter 5000
    server ex2.<my domain> <my local subnet>.4:110 id 112 check inter 5000

backend ex-pops-backend_ipvANY
    mode tcp
    id 113
    log global
    option log-health-checks
    balance leastconn
    timeout connect 5000
    timeout server 30000
    retries 3
    option tcp-check
    tcp-check connect port 995 ssl
    tcp-check expect string +OK
    default-server rise 2 fall 3
    server ex1.<my domain> <my local subnet>.3:995 id 111 check inter 5000 verify none
    server ex2.<my domain> <my local subnet>.4:995 id 112 check inter 5000 verify none
When I run "Outlook Connectivity" test from the Microsoft Test Connectivity site I get the following
Here are some more details on the RPC over HTTP error
Here is an excerpt from the haproxy logs
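Editor's note, as an added example that is not part of the thread and not the pfSense-generated config posted above: the two configs share three points a security reviewer would raise, and the fragment below shows the corrected form of each, reusing the poster's ACL and backend names. First, the ECP and HealthCheck.htm blocks use http-response deny, which is evaluated on the reply from Exchange, so the request has already been forwarded and processed and only the response is discarded; http-request deny refuses it before it leaves the proxy. Second, every server line uses verify none, so HAProxy accepts any certificate from the backend and anything that can interpose itself on the internal segment can terminate TLS in place of Exchange and read the credentials the proxy forwards; verify required with a CA file closes that. Third, the /rpc backend (Outlook Anywhere) has 30 second server timeouts, while its RPC_IN_DATA/RPC_OUT_DATA requests are held open for long periods, so it gets longer timeouts, and option prefer-last-server keeps a client's follow-up requests on the server connection it has already authenticated to, which matters for connection-bound NTLM; that is a preference HAProxy applies where it can, not a guarantee, and it is not presented here as the cause of the Mac password prompts. The addresses, hostnames and the CA file path are assumptions, and the frontend and backend are shown only with the directives that change.

```haproxy
# Added example, not the pfSense-generated haproxy.cfg from the thread.
# 203.0.113.10, 192.0.2.3/4, mail.example.com and the ca-file path are
# assumptions; ACL and backend names follow the posted config.

frontend http-https-frontend
    bind 203.0.113.10:443 ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
    bind 203.0.113.10:80
    mode http
    option http-keep-alive

    acl not_https       ssl_fc,not
    acl is_ecp          path_beg -i /ecp
    acl is_healthcheck  path_end -i /healthcheck.htm
    acl is_autodiscover hdr(host) -i autodiscover.example.com
    acl is_rpc          path_beg -i /rpc
    # ... the remaining is_* ACLs stay as in the posted frontend

    # Refuse at request time. With "http-response deny" the request has
    # already been forwarded to Exchange; only the reply is thrown away.
    http-request deny if is_ecp
    http-request deny if is_healthcheck
    http-request redirect scheme https code 301 if not_https

    use_backend ex-Autodiscover-backend_ipvANY if is_autodiscover
    use_backend ex-RPC-backend_ipvANY          if is_rpc
    # ... the remaining use_backend rules stay as in the posted frontend
    default_backend ex-OWA-backend_ipvANY

backend ex-RPC-backend_ipvANY
    mode http
    balance leastconn
    option redispatch
    # Outlook Anywhere keeps RPC_IN_DATA/RPC_OUT_DATA requests open for a
    # long time; the posted 30000 ms server timeout cuts them off.
    timeout connect 5s
    timeout server  300s
    timeout tunnel  3600s
    # NTLM authenticates the connection, not each request: prefer the
    # server connection this client already used when one is available.
    option prefer-last-server
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect status 200
    # Verify the Exchange certificate instead of "verify none". The
    # Exchange certificate is assumed to contain mail.example.com, and
    # internal-ca.pem is assumed to hold the CA that issued it.
    server ex1 192.0.2.3:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem sni str(mail.example.com) verifyhost mail.example.com check inter 3s
    server ex2 192.0.2.4:443 ssl verify required ca-file /usr/local/etc/ssl/internal-ca.pem sni str(mail.example.com) verifyhost mail.example.com check inter 3s
```

The health checks inherit ssl and the verification settings from the server line, so a backend whose certificate stops validating is marked down rather than silently accepted, which is the behaviour you want from a proxy that is forwarding credentials. The same server-line change applies to the other Exchange backends and to the portal backend; only /rpc needs the longer timeouts.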
-
Did you solve this?
I don't have the same issue, but found your posting while looking for a working setup for proxying MS Exchange.
Would be great if you could share your latest and greatest setup ;-)