Exchange 2016 Autodiscover



  • Greetings,

    I'm using HAProxy to proxy my Exchange DAG.

    pfsense

    Version 2.4.4-RELEASE-p2 (amd64)
    built on Wed Dec 12 07:40:18 EST 2018
    FreeBSD 11.2-RELEASE-p6

    Here is the HAProxy config from /var/etc/haproxy.cfg

    # Automaticaly generated, dont edit manually.
    # Generated on: 2019-01-28 14:54
    # Process-wide settings: connection ceiling, runtime socket, privilege drop, chroot.
    # NOTE(review): this section defines no `log` target, so the `log global` lines in
    # the proxies below have nothing to inherit and this configuration emits no logs.
    # NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are set here;
    # unless the crt-list sets them per certificate, protocol versions and ciphers on
    # the 443 bind are the build defaults -- confirm.
    global
            maxconn                 10000
            # Runtime API socket with full admin rights: whoever can open this path can
            # disable servers or change their state. No `mode`/`user` restriction is
            # given on the line -- TODO confirm the socket's file permissions.
            stats socket /tmp/haproxy.socket level admin
            # Switch the process to uid/gid 80 after startup.
            uid                     80
            gid                     80
            nbproc                  1
            hard-stop-after         15m
            # Confine the process to this directory after startup.
            chroot                          /tmp/haproxy_chroot
            daemon
            # DH parameter size used for DHE key exchange on TLS binds.
            tune.ssl.default-dh-param       4096
            server-state-file /tmp/haproxy_server_state
    
    # Local statistics page, bound to loopback only (127.0.0.1:2200).
    listen HAProxyLocalStats
            bind 127.0.0.1:2200 name localstats
            mode http
            stats enable
            stats refresh 10
            # Admin actions (enable/disable servers) are allowed unconditionally and no
            # `stats auth` is set; the loopback bind is the only restriction visible here.
            stats admin if TRUE
            stats show-legends
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            # Timeouts are in milliseconds (5 s each).
            timeout client 5000
            timeout connect 5000
            timeout server 5000
    
    # Public HTTP/HTTPS entry point: terminates TLS on 443, redirects port 80 to HTTPS
    # and picks an Exchange backend from the request path and Host header.
    # Every rule also requires the Host header to match the company domain
    # (aclcrt_http-https-frontend); there is no default_backend, so requests with any
    # other Host are not forwarded to a server.
    frontend http-https-frontend
            bind                    <public ip>:443 name <public ip>:443   ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
            bind                    <public ip>:80 name <public ip>:80
            mode                    http
            log                     global
            option                  socket-stats
            option                  http-keep-alive
            maxconn                 10000
            # Milliseconds (30 s).
            timeout client          30000
            # Path ACLs are case-insensitive substring matches (-m sub -i) against the
            # txn.txnpath variable, which the set-var rules further down fill from the
            # request path; the match can occur anywhere in the path.
            acl                     is_ecp  var(txn.txnpath) -m sub -i /ecp/
            acl                     not_https       ssl_fc,not
            acl                     is_portal       var(txn.txnhost) -m str -i <web_portal>
            # The '.' in this regex is unescaped and therefore matches any character.
            acl                     is_healthcheck  var(txn.txnpath) -m reg -i healthcheck.htm$
            acl                     is_autodiscover var(txn.txnpath) -m sub -i /Autodiscover/
            acl                     is_rpc  var(txn.txnpath) -m sub -i /rpc/
            acl                     is_owa  var(txn.txnpath) -m sub -i /OWA/
            acl                     is_ews  var(txn.txnpath) -m sub -i /EWS/
            acl                     is_oab  var(txn.txnpath) -m sub -i /OAB/
            # NOTE(review): this matches /EAS/, while the EAS backend's own health check
            # requests /Microsoft-Server-ActiveSync/...; ActiveSync requests therefore
            # look likely to fall through to the final OWA rule -- confirm.
            acl                     is_eas  var(txn.txnpath) -m sub -i /EAS/
            acl                     is_mapi var(txn.txnpath) -m sub -i /mapi/
            # Host must be <company>.ru or a single-label subdomain of it, with an
            # optional port.
            acl                     aclcrt_http-https-frontend      var(txn.txnhost) -m reg -i ^([^\.]*)\.<company>\.ru(:([0-9]){1,5})?$
            acl                     aclcrt_http-https-frontend      var(txn.txnhost) -m reg -i ^<company>\.ru(:([0-9]){1,5})?$
            http-request set-var(txn.txnpath) path
            http-request set-var(txn.txnhost) hdr(host)
            # These are response rules: a request for /ecp/ or healthcheck.htm is still
            # sent to the backend selected below and only the reply is withheld from the
            # client. NOTE(review): `http-request deny` would stop the request before it
            # reaches Exchange.
            http-response deny  if  is_ecp aclcrt_http-https-frontend
            http-response deny  if  is_healthcheck aclcrt_http-https-frontend
            # Plain-HTTP requests are permanently redirected to HTTPS.
            http-request redirect scheme https code 301  if  not_https aclcrt_http-https-frontend
            use_backend portal-backend_ipvANY  if  is_portal aclcrt_http-https-frontend
            use_backend ex-Autodiscover-backend_ipvANY  if  is_autodiscover aclcrt_http-https-frontend
            use_backend ex-RPC-backend_ipvANY  if  is_rpc aclcrt_http-https-frontend
            use_backend ex-OWA-backend_ipvANY  if  is_owa aclcrt_http-https-frontend
            use_backend ex-EWS-backend_ipvANY  if  is_ews aclcrt_http-https-frontend
            use_backend ex-OAB-backend_ipvANY  if  is_oab aclcrt_http-https-frontend
            use_backend ex-EAS-backend_ipvANY  if  is_eas aclcrt_http-https-frontend
            use_backend ex-MAPI-backend_ipvANY  if  is_mapi aclcrt_http-https-frontend
            # Catch-all: any other path on a matching Host goes to the OWA pool.
            use_backend ex-OWA-backend_ipvANY  if   aclcrt_http-https-frontend
    
    # Single TCP-mode frontend for all mail ports (SMTP, POP3, IMAP and their TLS
    # variants); the backend is chosen by destination port only.
    frontend smtp-frontend
            bind                    <public ip>:25 name <public ip>:25
            # 110 and 143 are published on the public address. NOTE(review): unless
            # Exchange requires STARTTLS before login on these ports, mailbox credentials
            # can cross the Internet in clear text -- confirm.
            bind                    <public ip>:110 name <public ip>:110
            bind                    <public ip>:143 name <public ip>:143
            bind                    <public ip>:465 name <public ip>:465
            bind                    <public ip>:993 name <public ip>:993
            bind                    <public ip>:995 name <public ip>:995
            bind                    <public ip>:587 name <public ip>:587
            mode                    tcp
            log                     global
            option                  socket-stats
            option                  log-separate-errors
            option                  tcplog
            maxconn                 10000
            timeout client          30000
            acl                     is_smtp_insecure        dst_port 25
            acl                     is_pop3_insecure        dst_port 110
            acl                     is_imap_insecure        dst_port 143
            acl                     is_smtp_secure  dst_port 465
            acl                     is_pop3_secure  dst_port 995
            acl                     is_imap_secure  dst_port 993
            acl                     is_starttls     dst_port 587
            use_backend ex-smtp-backend_ipvANY  if  is_smtp_insecure
            use_backend ex-pop3-backend_ipvANY  if  is_pop3_insecure
            use_backend ex-imap-backend_ipvANY  if  is_imap_insecure
            # NOTE(review): 995, 465 and 993 are sent to the same backends as 110, 25 and
            # 143, and those backends' servers are defined on the plain-text ports. A
            # client that opens an implicit-TLS handshake on these ports would be talking
            # to a plain-text listener -- confirm this mapping is intended.
            use_backend ex-pop3-backend_ipvANY  if  is_pop3_secure
            use_backend ex-smtp-backend_ipvANY  if  is_smtp_secure
            use_backend ex-imap-backend_ipvANY  if  is_imap_secure
            use_backend ex-starttls-backend_ipvANY  if  is_starttls
            default_backend ex-smtp-backend_ipvANY
    
    # Web portal pool: a single server reached over TLS, health-checked every second.
    backend portal-backend_ipvANY
            mode                    http
            id                      103
            log                     global
            # `stats enable` with no `stats auth`: a request for /haproxy?stats that is
            # routed to this backend would be answered with the stats page without a
            # password. NOTE(review): confirm it is not reachable through the public bind.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            timeout connect         30000
            timeout server          30000
            retries                 3
            # `verify none`: the connection to the portal is encrypted, but the server
            # certificate is not checked, so the server's identity is not authenticated.
            server                  portal.<company>.local <internal_subnet>.11:443 id 104 ssl check inter 1000  verify none
    
    # Autodiscover pool: two Exchange servers, least-connections balancing, kept in
    # rotation only while GET /autodiscover/healthcheck.htm returns 200.
    backend ex-Autodiscover-backend_ipvANY
            mode                    http
            id                      105
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /autodiscover/healthcheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1 <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2 <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # RPC over HTTP (Outlook Anywhere) pool: two Exchange servers, least-connections,
    # health-checked with GET /RPC/HealthCheck.htm expecting 200.
    backend ex-RPC-backend_ipvANY
            mode                    http
            id                      106
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            # NOTE(review): RPC over HTTP holds requests open for a long time; a 30 s
            # server timeout may cut those sessions -- confirm against the client errors.
            timeout server          30000
            retries                 3
            option                  httpchk GET /RPC/HealthCheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # OWA pool, also the frontend's catch-all target: two Exchange servers,
    # least-connections, health-checked with GET /OWA/HealthCheck.htm expecting 200.
    backend ex-OWA-backend_ipvANY
            mode                    http
            id                      100
            log                     global
            # This backend receives every request that matches no other path rule, which
            # includes /haproxy?stats. With `stats enable` and no `stats auth`, that page
            # would be served without a password and lists proxy and server details.
            # NOTE(review): confirm from outside and add `stats auth` or drop these lines.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /OWA/HealthCheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # Exchange Web Services pool: two servers, least-connections, health-checked with
    # GET /EWS/HealthCheck.htm expecting 200.
    backend ex-EWS-backend_ipvANY
            mode                    http
            id                      107
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /EWS/HealthCheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # Offline Address Book pool: two servers, least-connections, health-checked with
    # GET /OAB/HealthCheck.htm expecting 200.
    backend ex-OAB-backend_ipvANY
            mode                    http
            id                      108
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /OAB/HealthCheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # ActiveSync pool: two servers, least-connections, health-checked with
    # GET /Microsoft-Server-ActiveSync/HealthCheck.htm expecting 200.
    # NOTE(review): the frontend selects this backend on the substring /EAS/, not on
    # /Microsoft-Server-ActiveSync/, so it may never receive client traffic -- confirm.
    backend ex-EAS-backend_ipvANY
            mode                    http
            id                      109
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # MAPI over HTTP pool: two servers, least-connections, health-checked with
    # GET /mapi/HealthCheck.htm expecting 200.
    backend ex-MAPI-backend_ipvANY
            mode                    http
            id                      116
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /mapi/HealthCheck.htm
            http-check expect status 200
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<company>.local <internal_subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<company>.local <internal_subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # SMTP pool on port 25: two Exchange servers, least-connections, health-checked
    # with an SMTP EHLO every second.
    # NOTE(review): in TCP mode with no `send-proxy`, Exchange sees the firewall's
    # address as the client of every connection. Check that the receive connector
    # matching that address does not permit anonymous relay, and that IP-based
    # filtering or logging on Exchange is not being relied on for the real sender IP.
    backend ex-smtp-backend_ipvANY
            mode                    tcp
            id                      110
            log                     global
            option                  log-health-checks
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  smtpchk EHLO mail.<company>.ru
            server                  ex1.<company>.local <internal_subnet>.3:25 id 111 check inter 1000
            server                  ex2.<company>.local <internal_subnet>.4:25 id 112 check inter 1000
    
    # POP3 pool on port 110 (plain text): two servers, least-connections. The health
    # check connects and expects the "+OK" greeting.
    # The frontend also sends port 995 traffic here; both server lines point at 110.
    backend ex-pop3-backend_ipvANY
            mode                    tcp
            id                      113
            log                     global
            option                  log-health-checks
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option tcp-check
            tcp-check connect
            tcp-check expect string +OK
            server                  ex1.<company>.local <internal_subnet>.3:110 id 111 check inter 1000
            server                  ex2.<company>.local <internal_subnet>.4:110 id 112 check inter 1000
    
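    # IMAP pool on port 143 (plain text): two servers, least-connections. The health
    # check connects and expects the "* OK" greeting.
    # The frontend also sends port 993 traffic here; both server lines point at 143.
    backend ex-imap-backend_ipvANY
            mode                    tcp
            id                      114
            log                     global
            option                  log-health-checks
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            # Forum attachment link that had been pasted onto the end of the `retries`
            # line; it is not part of the configuration:
            # ![0_1548677179783_0a6e22da-f2d8-4a6f-8091-3a53f7e0b934-image.png](/assets/uploads/files/1548677180069-0a6e22da-f2d8-4a6f-8091-3a53f7e0b934-image-resized.png)
            option tcp-check
            tcp-check connect
            tcp-check expect string * OK
            server                  ex1.<company>.local <internal_subnet>.3:143 id 111 check inter 1000
            server                  ex2.<company>.local <internal_subnet>.4:143 id 112 check inter 1000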
    
    # Submission pool on port 587: two servers, least-connections. `check` with no
    # check type configured is a plain TCP connect test.
    # NOTE(review): in TCP mode with no `send-proxy`, Exchange sees the firewall's
    # address as the client; confirm the connector for that address requires
    # authentication before accepting mail.
    backend ex-starttls-backend_ipvANY
            mode                    tcp
            id                      115
            log                     global
            option                  log-health-checks
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            server                  ex1.<company>.local <internal_subnet>.3:587 id 111 check inter 1000
            server                  ex2.<company>.local <internal_subnet>.4:587 id 112 check inter 1000
    

    ECP and OWA are working fine, but Microsoft Remote Connectivity Analyzer returns

    0_1548677194037_4fb3374d-c5df-48a5-8d37-b7198ec20d46-image.png

    Has anybody faced this before?



  • Little update with more info

    I'm using an Exchange 2016 DAG with two servers. I recently installed pfSense with the HAProxy module to provide a web reverse proxy.

    My issue is the following: macOS Outlook clients constantly ask for a password when connecting, and RPC over HTTP does not work in my configuration. If I just forward port 443 to the Exchange DAG, RPC over HTTP works fine. If I replace HAProxy with IIS + ARR, the macOS clients stop asking for passwords. Has anyone faced this issue or something similar?

    P.S. Windows Outlook clients work fine in any configuration.

    The haproxy.cfg file is as follows:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2019-01-31 16:22
    # Process-wide settings: connection ceiling, remote syslog target, runtime socket,
    # privilege drop and chroot.
    # NOTE(review): no ssl-default-bind-options / ssl-default-bind-ciphers are set here;
    # unless the crt-list sets them per certificate, protocol versions and ciphers on
    # the 443 bind are the build defaults -- confirm.
    global
            maxconn                 10000
            # Logs go to a remote syslog host at debug level. NOTE(review): these records
            # carry client addresses and request URIs; confirm the path to the syslog
            # host is a trusted network segment.
            log                     syslog1.<my domain>      local0  debug
            # Runtime API socket with full admin rights: whoever can open this path can
            # disable servers or change their state. No `mode`/`user` restriction is
            # given on the line -- TODO confirm the socket's file permissions.
            stats socket /tmp/haproxy.socket level admin
            # Switch the process to uid/gid 80 after startup.
            uid                     80
            gid                     80
            nbproc                  1
            hard-stop-after         15m
            # Confine the process to this directory after startup.
            chroot                          /tmp/haproxy_chroot
            daemon
            # DH parameter size used for DHE key exchange on TLS binds.
            tune.ssl.default-dh-param       4096
            log-send-hostname               pfsense
            server-state-file /tmp/haproxy_server_state
    
    # Local statistics page, bound to loopback only (127.0.0.1:2200).
    listen HAProxyLocalStats
            bind 127.0.0.1:2200 name localstats
            mode http
            stats enable
            stats refresh 10
            # Admin actions (enable/disable servers) are allowed unconditionally and no
            # `stats auth` is set; the loopback bind is the only restriction visible here.
            stats admin if TRUE
            stats show-legends
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            # Timeouts are in milliseconds (5 s each).
            timeout client 5000
            timeout connect 5000
            timeout server 5000
    
    # Public HTTP/HTTPS entry point: terminates TLS on 443, redirects port 80 to HTTPS
    # and picks a backend from the Host header (portal, autodiscover) or request path.
    # No Host restriction is applied to the path rules and default_backend is the OWA
    # pool, so a request with any Host header value is forwarded to Exchange.
    frontend http-https-frontend
            bind                    <public ip>:443 name <public ip>:443   ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
            bind                    <public ip>:80 name <public ip>:80
            mode                    http
            log                     global
            option                  socket-stats
            option                  log-separate-errors
            option                  httplog
            option                  http-keep-alive
            # Appends the client address in X-Forwarded-For. Any X-Forwarded-For value the
            # client sent itself is passed along too, so the backend should trust only
            # the entry added here.
            option                  forwardfor
            acl https ssl_fc
            # set-header replaces any client-supplied X-Forwarded-Proto.
            http-request set-header         X-Forwarded-Proto http if !https
            http-request set-header         X-Forwarded-Proto https if https
            maxconn                 10000
            # Milliseconds (30 s).
            timeout client          30000
            # Captured values are truncated to the given lengths in the log.
            capture request header Host len 32
            capture request header User-Agent len 64
            capture response header Content-Length len 10
            #option httplog
            # Custom format, used instead of the httplog default: client address, timers,
            # status, captured headers, TLS version/cipher/SNI/session id, request line.
            # NOTE(review): ssl_fc_session_id is a binary sample; confirm how it renders
            # in the syslog output.
            log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
            option  contstats               # Enable continuous traffic statistics updates
            timeout http-keep-alive 30s     # 30 seconds max for the client to send its next request
            timeout http-request 30s        # 30 seconds max for the client to send a complete request
            # Path ACLs are case-insensitive substring matches (-m sub -i) against the
            # txn.txnpath variable, which the set-var rules further down fill from the
            # request path; the match can occur anywhere in the path.
            acl                     is_ecp  var(txn.txnpath) -m sub -i /ecp/
            acl                     not_https       ssl_fc,not
            acl                     is_portal       var(txn.txnhost) -m str -i portal.<public domain>
            # The '.' in this regex is unescaped and therefore matches any character.
            acl                     is_healthcheck  var(txn.txnpath) -m reg -i healthcheck.htm$
            # Autodiscover is selected by Host name here, not by path.
            acl                     is_autodiscover var(txn.txnhost) -m str -i autodiscover.<public domain>
            acl                     is_rpc  var(txn.txnpath) -m sub -i /rpc/
            acl                     is_owa  var(txn.txnpath) -m sub -i /OWA/
            acl                     is_ews  var(txn.txnpath) -m sub -i /EWS/
            acl                     is_oab  var(txn.txnpath) -m sub -i /OAB/
            # NOTE(review): this matches /EAS/, while the EAS backend's own health check
            # requests /Microsoft-Server-ActiveSync/...; ActiveSync requests therefore
            # look likely to fall through to default_backend -- confirm.
            acl                     is_eas  var(txn.txnpath) -m sub -i /EAS/
            acl                     is_mapi var(txn.txnpath) -m sub -i /mapi/
            http-request set-var(txn.txnpath) path
            http-request set-var(txn.txnhost) hdr(host)
            # These are response rules: a request for /ecp/ or healthcheck.htm is still
            # sent to the backend selected below and only the reply is withheld from the
            # client. NOTE(review): `http-request deny` would stop the request before it
            # reaches Exchange.
            http-response deny  if  is_ecp
            http-response deny  if  is_healthcheck
            # Plain-HTTP requests are permanently redirected to HTTPS.
            http-request redirect scheme https code 301  if  not_https
            use_backend portal-backend_ipvANY  if  is_portal
            use_backend ex-Autodiscover-backend_ipvANY  if  is_autodiscover
            use_backend ex-RPC-backend_ipvANY  if  is_rpc
            use_backend ex-OWA-backend_ipvANY  if  is_owa
            use_backend ex-EWS-backend_ipvANY  if  is_ews
            use_backend ex-OAB-backend_ipvANY  if  is_oab
            use_backend ex-EAS-backend_ipvANY  if  is_eas
            use_backend ex-MAPI-backend_ipvANY  if  is_mapi
            # Everything that matched no rule above goes to the OWA pool.
            default_backend ex-OWA-backend_ipvANY
    
    # Public SMTP listener on port 25, passed through in TCP mode to the SMTP pool.
    frontend smtp-frontend
            bind                    <public ip>:25 name <public ip>:25
            mode                    tcp
            log                     global
            option                  socket-stats
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally, so
            # successful sessions leave no HAProxy record; keep that in mind when
            # relay abuse or spam runs have to be reconstructed from these logs.
            option                  dontlog-normal
            maxconn                 10000
            # Milliseconds (300 s).
            timeout client          300000
            option tcplog
            option contstats
            default_backend ex-smtp-backend_ipvANY
    
    # Public submission listener on port 587, passed through in TCP mode.
    frontend smtptls-frontend
            bind                    <public ip>:587 name <public ip>:587
            mode                    tcp
            log                     global
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally, so
            # successful client sessions on this port leave no HAProxy record.
            option                  dontlog-normal
            maxconn                 10000
            # Milliseconds (300 s).
            timeout client          300000
            option tcplog
            option contstats
            default_backend ex-smtptls-backend_ipvANY
    
    # Public listener on port 465, passed through in TCP mode (HAProxy does not
    # terminate TLS on this bind; there is no `ssl` keyword on it).
    frontend smtpssl-frontend
            bind                    <public ip>:465 name <public ip>:465
            mode                    tcp
            log                     global
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally, so
            # successful client sessions on this port leave no HAProxy record.
            option                  dontlog-normal
            maxconn                 10000
            # Milliseconds (300 s).
            timeout client          300000
            option tcplog
            option contstats
            default_backend ex-smtpssl-backend_ipvANY
    
    # Public IMAP listener on port 143 (plain-text port), passed through in TCP mode.
    # NOTE(review): unless Exchange requires STARTTLS before login on this port,
    # mailbox credentials can cross the Internet in clear text -- confirm.
    frontend imap-frontend
            bind                    <public ip>:143 name <public ip>:143
            mode                    tcp
            log                     global
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally, so
            # successful logins through this port leave no HAProxy record.
            option                  dontlog-normal
            maxconn                 10000
            # Milliseconds (300 s).
            timeout client          300000
            option tcplog
            option contstats
            default_backend ex-imap-backend_ipvANY
    
    # Public IMAPS listener on port 993, passed through in TCP mode.
    # Unlike the other mail frontends in this file, this one sets neither `maxconn`
    # nor `option tcplog` -- NOTE(review): confirm that is intentional.
    frontend imaps-frontend
            bind                    <public ip>:993 name <public ip>:993
            mode                    tcp
            log                     global
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally.
            option                  dontlog-normal
            # Milliseconds (300 s).
            timeout client          300000
            option contstats
            default_backend ex-imaps-backend_ipvANY
    
    # Public POP3 listener on port 110 (plain-text port), passed through in TCP mode.
    # NOTE(review): unless Exchange requires STARTTLS before login on this port,
    # mailbox credentials can cross the Internet in clear text -- confirm.
    frontend pop-frontend
            bind                    <public ip>:110 name <public ip>:110
            mode                    tcp
            log                     global
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally, so
            # successful logins through this port leave no HAProxy record.
            option                  dontlog-normal
            maxconn                 10000
            # Milliseconds (300 s).
            timeout client          300000
            option tcplog
            option contstats
            default_backend ex-pop-backend_ipvANY
    
    # Public POP3S listener on port 995, passed through in TCP mode.
    frontend pops-frontend
            bind                    <public ip>:995 name <public ip>:995
            mode                    tcp
            log                     global
            option                  dontlognull
            # dontlog-normal drops log lines for connections that end normally, so
            # successful logins through this port leave no HAProxy record.
            option                  dontlog-normal
            maxconn                 10000
            # Milliseconds (300 s).
            timeout client          300000
            option tcplog
            option contstats
            default_backend ex-pops-backend_ipvANY
    
    # Web portal pool: a single server reached over TLS, health-checked every second.
    backend portal-backend_ipvANY
            mode                    http
            id                      103
            log                     global
            # `stats enable` with no `stats auth`: a request for /haproxy?stats that is
            # routed to this backend would be answered with the stats page without a
            # password. NOTE(review): confirm it is not reachable through the public bind.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            timeout connect         30000
            timeout server          30000
            retries                 3
            # `verify none`: the connection to the portal is encrypted, but the server
            # certificate is not checked, so the server's identity is not authenticated.
            server                  portal.<my domain> <my local subnet>.11:443 id 104 ssl check inter 1000  verify none
    
    # Autodiscover pool: two Exchange servers, least-connections balancing, kept in
    # rotation only while GET /autodiscover/healthcheck.htm returns 200 (3 s interval).
    backend ex-Autodiscover-backend_ipvANY
            mode                    http
            id                      105
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /autodiscover/healthcheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1 <my local subnet>.3:443 id 101 ssl check inter 3000  verify none
            server                  ex2 <my local subnet>.4:443 id 102 ssl check inter 3000  verify none
    
    # RPC over HTTP (Outlook Anywhere) pool: two Exchange servers, least-connections,
    # health-checked with GET /RPC/HealthCheck.htm expecting 200.
    backend ex-RPC-backend_ipvANY
            mode                    http
            id                      106
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            # NOTE(review): RPC over HTTP holds requests open for a long time; a 30 s
            # server timeout may cut those sessions -- confirm against the client errors.
            timeout server          30000
            retries                 3
            option                  httpchk GET /RPC/HealthCheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            #timeout queue 30s               # 30 seconds max queued on load balancer
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # OWA pool, also the frontend's default_backend: two Exchange servers,
    # least-connections, health-checked with GET /OWA/HealthCheck.htm expecting 200.
    backend ex-OWA-backend_ipvANY
            mode                    http
            id                      100
            log                     global
            # As default_backend this pool receives every request that matches no other
            # rule, which includes /haproxy?stats. With `stats enable` and no `stats auth`,
            # that page would be served without a password and lists proxy and server
            # details. NOTE(review): confirm from outside and add `stats auth` or drop
            # these lines.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /OWA/HealthCheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # Exchange Web Services pool: two servers, least-connections, health-checked with
    # GET /EWS/HealthCheck.htm expecting 200.
    backend ex-EWS-backend_ipvANY
            mode                    http
            id                      107
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /EWS/HealthCheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            #timeout queue 30s               # 30 seconds max queued on load balancer
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # Offline Address Book pool: two servers, least-connections, health-checked with
    # GET /OAB/HealthCheck.htm expecting 200.
    backend ex-OAB-backend_ipvANY
            mode                    http
            id                      108
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /OAB/HealthCheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            #timeout queue 30s               # 30 seconds max queued on load balancer
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # ActiveSync pool: two servers, least-connections, health-checked with
    # GET /Microsoft-Server-ActiveSync/HealthCheck.htm expecting 200.
    # NOTE(review): the frontend selects this backend on the substring /EAS/, not on
    # /Microsoft-Server-ActiveSync/, so it may never receive client traffic -- confirm.
    backend ex-EAS-backend_ipvANY
            mode                    http
            id                      109
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            #timeout queue 30s               # 30 seconds max queued on load balancer
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # MAPI over HTTP pool: two servers, least-connections, health-checked with
    # GET /mapi/HealthCheck.htm expecting 200.
    backend ex-MAPI-backend_ipvANY
            mode                    http
            id                      116
            log                     global
            # No `stats auth` accompanies `stats enable`, so /haproxy?stats served through
            # this backend would not ask for a password -- NOTE(review): confirm exposure.
            stats                   enable
            stats                   uri /haproxy?stats
            stats                   realm .
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk GET /mapi/HealthCheck.htm
            http-check expect status 200
            option  redispatch              # Try another server in case of connection failure
            #timeout queue 30s               # 30 seconds max queued on load balancer
            # TLS to Exchange without certificate verification (`verify none`):
            # encrypted, but the backend's identity is not authenticated.
            server                  ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000  verify none
            server                  ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000  verify none
    
    # SMTP pool on port 25: two Exchange servers, least-connections. The health check
    # expects "220" in the server greeting; 2 passes bring a server up, 3 failures
    # take it down, probed every 3 s.
    # NOTE(review): in TCP mode with no `send-proxy`, Exchange sees the firewall's
    # address as the client of every connection. Check that the receive connector
    # matching that address does not permit anonymous relay, and that IP-based
    # filtering or logging on Exchange is not being relied on for the real sender IP.
    backend ex-smtp-backend_ipvANY
            mode                    tcp
            id                      110
            log                     global
            balance                 leastconn
            timeout connect         5000
            timeout server          30000
            retries                 3
            option redispatch
            option tcp-check
            tcp-check expect string 220
            default-server rise 2 fall 3
            server                  ex1.<my domain> <my local subnet>.3:25 id 111 check inter 3000
            server                  ex2.<my domain> <my local subnet>.4:25 id 112 check inter 3000
    
    # Submission pool on port 587: two Exchange servers, least-connections. The health
    # check expects "220" in the server greeting; 2 passes bring a server up, 3
    # failures take it down, probed every 3 s.
    # NOTE(review): in TCP mode with no `send-proxy`, Exchange sees the firewall's
    # address as the client; confirm the connector for that address requires
    # authentication before accepting mail.
    backend ex-smtptls-backend_ipvANY
            mode                    tcp
            id                      115
            log                     global
            balance                 leastconn
            timeout connect         5000
            timeout server          30000
            retries                 3
            default-server rise 2 fall 3
            option redispatch
            option tcp-check
            tcp-check expect string 220
            server                  ex1.<my domain> <my local subnet>.3:587 id 111 check inter 3000
            server                  ex2.<my domain> <my local subnet>.4:587 id 112 check inter 3000
    
    # SMTP on port 465: raw TCP relay to ex1/ex2, balanced with leastconn.
    # The server lines carry no `ssl` keyword, so HAProxy does not originate TLS
    # for client traffic; bytes are passed through unchanged.
    backend ex-smtpssl-backend_ipvANY
            mode                    tcp
            id                      121
            log                     global
            balance                 leastconn
            timeout connect         5000
            timeout server          30000
            retries                 3
            # Try another server when the connection to the chosen one fails.
            option redispatch
            option tcp-check
            # NOTE(review): `ssl` is an option of `tcp-check connect` (as used in the
            # imaps/pops backends of this file), not of `tcp-check expect`. There is
            # no `tcp-check connect ... ssl` rule here, so this check presumably runs
            # in cleartext - confirm how this HAProxy version treats the trailing token.
            tcp-check expect string 220 ssl
            # Marked up after 2 passing checks, down after 3 failing ones.
            default-server rise 2 fall 3
            # `verify none` turns off certificate validation for any TLS session
            # HAProxy itself opens to these servers; a spoofed server on the local
            # subnet would not be detected by such a session.
            server                  ex1.<my domain> <my local subnet>.3:465 id 111 check inter 3000  verify none
            server                  ex2.<my domain> <my local subnet>.4:465 id 112 check inter 3000  verify none
    
    # IMAP on port 143: raw TCP relay to ex1/ex2, balanced with leastconn.
    # Unlike the SMTP backends in this file, no `option redispatch` is set here.
    # NOTE(review): port 143 is cleartext unless the client upgrades with
    # STARTTLS; HAProxy in tcp mode cannot enforce that, so confirm Exchange
    # refuses plaintext logins on this port.
    backend ex-imap-backend_ipvANY
            mode                    tcp
            id                      114
            log                     global
            # Write health-check state changes to the log.
            option                  log-health-checks
            balance                 leastconn
            timeout connect         30000
            timeout server          30000
            retries                 3
            # Health check: connect to the server's configured port and require
            # "* OK" in the greeting.
            option tcp-check
            tcp-check connect
            tcp-check expect string * OK
            # Both servers are checked every 1000 ms.
            server                  ex1.<my domain> <my local subnet>.3:143 id 111 check inter 1000
            server                  ex2.<my domain> <my local subnet>.4:143 id 112 check inter 1000
    
    # IMAPS on port 993: raw TCP relay to ex1/ex2, balanced with leastconn.
    # The server lines carry no `ssl` keyword, so client TLS is presumably passed
    # through to Exchange unless the frontend (not shown here) terminates it.
    backend ex-imaps-backend_ipvANY
            mode                    tcp
            id                      117
            log                     global
            balance                 leastconn
            timeout connect         5000
            timeout server          30000
            retries                 3
            # Try another server when the connection to the chosen one fails.
            option redispatch
            # Health check: TLS connection to port 993, then require "* OK" in the
            # greeting.
            option tcp-check
            tcp-check connect port 993 ssl
            tcp-check expect string * OK
            # `verify none`: the TLS health check accepts any certificate, so it
            # confirms only that something answers as IMAP on 993, not that it is
            # the intended Exchange server.
            server                  ex1.<my domain> <my local subnet>.3:993 id 118 check inter 3000  verify none
            server                  ex2.<my domain> <my local subnet>.4:993 id 119 check inter 3000  verify none
    
    # POP3 on port 110: raw TCP relay to ex1/ex2, balanced with leastconn.
    # No `option redispatch` is set in this backend.
    # NOTE(review): port 110 is cleartext unless the client upgrades the session;
    # HAProxy in tcp mode cannot enforce that, so confirm Exchange refuses
    # plaintext logins on this port.
    backend ex-pop-backend_ipvANY
            mode                    tcp
            id                      120
            log                     global
            # Write health-check state changes to the log.
            option                  log-health-checks
            balance                 leastconn
            timeout connect         5000
            timeout server          30000
            retries                 3
            # Health check: connect to port 110 and require "+OK" in the greeting.
            option tcp-check
            tcp-check connect port 110
            tcp-check expect string +OK
            # Marked up after 2 passing checks, down after 3 failing ones.
            default-server rise 2 fall 3
            # Both servers are checked every 5000 ms.
            server                  ex1.<my domain> <my local subnet>.3:110 id 111 check inter 5000
            server                  ex2.<my domain> <my local subnet>.4:110 id 112 check inter 5000
    
    # POP3S on port 995: raw TCP relay to ex1/ex2, balanced with leastconn.
    # The server lines carry no `ssl` keyword, so client TLS is presumably passed
    # through to Exchange unless the frontend (not shown here) terminates it.
    backend ex-pops-backend_ipvANY
            mode                    tcp
            id                      113
            log                     global
            # Write health-check state changes to the log.
            option                  log-health-checks
            balance                 leastconn
            timeout connect         5000
            timeout server          30000
            retries                 3
            # Health check: TLS connection to port 995, then require "+OK" in the
            # greeting.
            option tcp-check
            tcp-check connect port 995 ssl
            tcp-check expect string +OK
            # Marked up after 2 passing checks, down after 3 failing ones.
            default-server rise 2 fall 3
            # `verify none`: the TLS health check accepts any certificate, so it
            # confirms only that something answers as POP3 on 995, not that it is
            # the intended Exchange server.
            server                  ex1.<my domain> <my local subnet>.3:995 id 111 check inter 5000  verify none
            server                  ex2.<my domain> <my local subnet>.4:995 id 112 check inter 5000  verify none
    

    When I run the "Outlook Connectivity" test from the Microsoft Test Connectivity site, I get the following:

    0_1549287202942_1.png

    Here are some more details on the RPC over HTTP error:

    0_1549287207044_2.png

    Here is an excerpt from the haproxy logs:

    0_1549287376634_logs.txt