@KenynMacCormik wrote:
Greetings,
I'm using an Exchange 2016 DAG with two servers. Recently I've installed pfSense with the HAProxy module to provide a web reverse proxy.
My issue is the following: macOS Outlook clients constantly ask for a password when connecting, and RPC over HTTP is not working in my configuration. If I just forward port 443 to the Exchange DAG, RPC over HTTP works fine. If I replace HAProxy with IIS + ARR, the macOS clients stop asking for passwords. Has anyone ever faced this issue or something similar?
P.S. Windows Outlook clients work fine in any configuration.
The haproxy.cfg file is as follows:
```
# Automaticaly generated, dont edit manually.
# Generated on: 2019-01-31 16:22
global
    maxconn            10000
    log                syslog1.<my domain>    local0    debug
    stats socket /tmp/haproxy.socket level admin  uid 80 gid 80
    nbproc             1
    hard-stop-after    15m
    chroot             /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param    4096
    log-send-hostname  pfsense
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend http-https-frontend
    bind               <public ip>:443 name <public ip>:443 ssl crt-list /var/etc/haproxy/http-https-frontend.crt_list
    bind               <public ip>:80 name <public ip>:80
    mode               http
    log                global
    option             socket-stats
    option             log-separate-errors
    option             httplog
    option             http-keep-alive
    option             forwardfor
    acl https ssl_fc
    http-request set-header        X-Forwarded-Proto http if !https
    http-request set-header        X-Forwarded-Proto https if https
    maxconn            10000
    timeout client     30000
    capture request header Host len 32
    capture request header User-Agent len 64
    capture response header Content-Length len 10
    #option httplog
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
    option contstats # Enable continuous traffic statistics updates
    timeout http-keep-alive 30s # 15 second max for the client to post next request
    timeout http-request 30s # 15 seconds max for the client to send a request
    acl                is_ecp          var(txn.txnpath) -m sub -i /ecp/
    acl                not_https       ssl_fc,not
    acl                is_portal       var(txn.txnhost) -m str -i portal.<public domain>
    acl                is_healthcheck  var(txn.txnpath) -m reg -i healthcheck.htm$
    acl                is_autodiscover var(txn.txnhost) -m str -i autodiscover.<public domain>
    acl                is_rpc          var(txn.txnpath) -m sub -i /rpc/
    acl                is_owa          var(txn.txnpath) -m sub -i /OWA/
    acl                is_ews          var(txn.txnpath) -m sub -i /EWS/
    acl                is_oab          var(txn.txnpath) -m sub -i /OAB/
    acl                is_eas          var(txn.txnpath) -m sub -i /EAS/
    acl                is_mapi         var(txn.txnpath) -m sub -i /mapi/
    http-request set-var(txn.txnpath) path
    http-request set-var(txn.txnhost) hdr(host)
    http-response deny if is_ecp
    http-response deny if is_healthcheck
    http-request redirect scheme https code 301 if not_https
    use_backend portal-backend_ipvANY if is_portal
    use_backend ex-Autodiscover-backend_ipvANY if is_autodiscover
    use_backend ex-RPC-backend_ipvANY if is_rpc
    use_backend ex-OWA-backend_ipvANY if is_owa
    use_backend ex-EWS-backend_ipvANY if is_ews
    use_backend ex-OAB-backend_ipvANY if is_oab
    use_backend ex-EAS-backend_ipvANY if is_eas
    use_backend ex-MAPI-backend_ipvANY if is_mapi
    default_backend ex-OWA-backend_ipvANY

frontend smtp-frontend
    bind               <public ip>:25 name <public ip>:25
    mode               tcp
    log                global
    option             socket-stats
    option             dontlognull
    option             dontlog-normal
    maxconn            10000
    timeout client     300000
    option             tcplog
    option contstats
    default_backend ex-smtp-backend_ipvANY

frontend smtptls-frontend
    bind               <public ip>:587 name <public ip>:587
    mode               tcp
    log                global
    option             dontlognull
    option             dontlog-normal
    maxconn            10000
    timeout client     300000
    option             tcplog
    option contstats
    default_backend ex-smtptls-backend_ipvANY

frontend smtpssl-frontend
    bind               <public ip>:465 name <public ip>:465
    mode               tcp
    log                global
    option             dontlognull
    option             dontlog-normal
    maxconn            10000
    timeout client     300000
    option             tcplog
    option contstats
    default_backend ex-smtpssl-backend_ipvANY

frontend imap-frontend
    bind               <public ip>:143 name <public ip>:143
    mode               tcp
    log                global
    option             dontlognull
    option             dontlog-normal
    maxconn            10000
    timeout client     300000
    option             tcplog
    option contstats
    default_backend ex-imap-backend_ipvANY

frontend imaps-frontend
    bind               <public ip>:993 name <public ip>:993
    mode               tcp
    log                global
    option             dontlognull
    option             dontlog-normal
    timeout client     300000
    option contstats
    default_backend ex-imaps-backend_ipvANY

frontend pop-frontend
    bind               <public ip>:110 name <public ip>:110
    mode               tcp
    log                global
    option             dontlognull
    option             dontlog-normal
    maxconn            10000
    timeout client     300000
    option             tcplog
    option contstats
    default_backend ex-pop-backend_ipvANY

frontend pops-frontend
    bind               <public ip>:995 name <public ip>:995
    mode               tcp
    log                global
    option             dontlognull
    option             dontlog-normal
    maxconn            10000
    timeout client     300000
    option             tcplog
    option contstats
    default_backend ex-pops-backend_ipvANY

backend portal-backend_ipvANY
    mode               http
    id                 103
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    timeout connect    30000
    timeout server     30000
    retries            3
    server             portal.<my domain> <my local subnet>.11:443 id 104 ssl check inter 1000 verify none

backend ex-Autodiscover-backend_ipvANY
    mode               http
    id                 105
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /autodiscover/healthcheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    server             ex1 <my local subnet>.3:443 id 101 ssl check inter 3000 verify none
    server             ex2 <my local subnet>.4:443 id 102 ssl check inter 3000 verify none

backend ex-RPC-backend_ipvANY
    mode               http
    id                 106
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /RPC/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server             ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server             ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-OWA-backend_ipvANY
    mode               http
    id                 100
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /OWA/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    server             ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server             ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-EWS-backend_ipvANY
    mode               http
    id                 107
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /EWS/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server             ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server             ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-OAB-backend_ipvANY
    mode               http
    id                 108
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /OAB/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server             ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server             ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-EAS-backend_ipvANY
    mode               http
    id                 109
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server             ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server             ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-MAPI-backend_ipvANY
    mode               http
    id                 116
    log                global
    stats enable
    stats uri /haproxy?stats
    stats realm .
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option httpchk GET /mapi/HealthCheck.htm
    http-check expect status 200
    option redispatch # Try another server in case of connection failure
    #timeout queue 30s # 30 seconds max queued on load balancer
    server             ex1.<my domain> <my local subnet>.3:443 id 101 ssl check inter 1000 verify none
    server             ex2.<my domain> <my local subnet>.4:443 id 102 ssl check inter 1000 verify none

backend ex-smtp-backend_ipvANY
    mode               tcp
    id                 110
    log                global
    balance            leastconn
    timeout connect    5000
    timeout server     30000
    retries            3
    option redispatch
    option             tcp-check
    tcp-check expect string 220
    default-server rise 2 fall 3
    server             ex1.<my domain> <my local subnet>.3:25 id 111 check inter 3000
    server             ex2.<my domain> <my local subnet>.4:25 id 112 check inter 3000

backend ex-smtptls-backend_ipvANY
    mode               tcp
    id                 115
    log                global
    balance            leastconn
    timeout connect    5000
    timeout server     30000
    retries            3
    default-server rise 2 fall 3
    option redispatch
    option             tcp-check
    tcp-check expect string 220
    server             ex1.<my domain> <my local subnet>.3:587 id 111 check inter 3000
    server             ex2.<my domain> <my local subnet>.4:587 id 112 check inter 3000

backend ex-smtpssl-backend_ipvANY
    mode               tcp
    id                 121
    log                global
    balance            leastconn
    timeout connect    5000
    timeout server     30000
    retries            3
    option redispatch
    option             tcp-check
    tcp-check expect string 220 ssl
    default-server rise 2 fall 3
    server             ex1.<my domain> <my local subnet>.3:465 id 111 check inter 3000 verify none
    server             ex2.<my domain> <my local subnet>.4:465 id 112 check inter 3000 verify none

backend ex-imap-backend_ipvANY
    mode               tcp
    id                 114
    log                global
    option             log-health-checks
    balance            leastconn
    timeout connect    30000
    timeout server     30000
    retries            3
    option             tcp-check
    tcp-check connect
    tcp-check expect string * OK
    server             ex1.<my domain> <my local subnet>.3:143 id 111 check inter 1000
    server             ex2.<my domain> <my local subnet>.4:143 id 112 check inter 1000

backend ex-imaps-backend_ipvANY
    mode               tcp
    id                 117
    log                global
    balance            leastconn
    timeout connect    5000
    timeout server     30000
    retries            3
    option redispatch
    option             tcp-check
    tcp-check connect port 993 ssl
    tcp-check expect string * OK
    server             ex1.<my domain> <my local subnet>.3:993 id 118 check inter 3000 verify none
    server             ex2.<my domain> <my local subnet>.4:993 id 119 check inter 3000 verify none

backend ex-pop-backend_ipvANY
    mode               tcp
    id                 120
    log                global
    option             log-health-checks
    balance            leastconn
    timeout connect    5000
    timeout server     30000
    retries            3
    option             tcp-check
    tcp-check connect port 110
    tcp-check expect string +OK
    default-server rise 2 fall 3
    server             ex1.<my domain> <my local subnet>.3:110 id 111 check inter 5000
    server             ex2.<my domain> <my local subnet>.4:110 id 112 check inter 5000

backend ex-pops-backend_ipvANY
    mode               tcp
    id                 113
    log                global
    option             log-health-checks
    balance            leastconn
    timeout connect    5000
    timeout server     30000
    retries            3
    option             tcp-check
    tcp-check connect port 995 ssl
    tcp-check expect string +OK
    default-server rise 2 fall 3
    server             ex1.<my domain> <my local subnet>.3:995 id 111 check inter 5000 verify none
    server             ex2.<my domain> <my local subnet>.4:995 id 112 check inter 5000 verify none
```
When I run the “Outlook Connectivity” test from the Microsoft Test Connectivity site I get the following:
Here are some more details on the RPC over HTTP error:
Here is an excerpt from the haproxy logs:
```
Jan 31 16:29:07 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:07.405] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 478/0/0/2/480 401 262 - - ---- 766/756/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll HTTP/1.1
Jan 31 16:29:08 pfsense haproxy[65367]: 13.67.59.89:17277 [31/Jan/2019:16:28:55.995] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 12115/0/1/1/12117 401 262 - - ---- 768/758/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6002 HTTP/1.1
Jan 31 16:29:08 pfsense haproxy[65367]: 13.67.59.89:17277 [31/Jan/2019:16:29:08.112] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 227/0/0/1/228 401 262 - - ---- 767/757/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17281 [31/Jan/2019:16:29:11.818] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 240/0/1/1/242 401 507 - - ---- 756/746/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17281 [31/Jan/2019:16:29:12.059] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 234/0/0/20/254 200 377 - - ---- 756/746/0/1/0 0/0 {mail.<public domain>|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:07.885] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 4667/0/0/1/4668 401 507 - - ---- 755/745/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:12 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:12.552] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 239/0/0/11/250 200 377 - - ---- 754/744/0/1/0 0/0 {mail.<public domain>|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:16 pfsense haproxy[65367]: 13.67.59.89:17302 [31/Jan/2019:16:29:15.616] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 471/0/1/1/473 401 507 - - ---- 753/743/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:46 pfsense haproxy[65367]: 13.67.59.89:17280 [31/Jan/2019:16:29:12.803] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 2577/0/1/6/33517 401 262 - - sD-- 753/741/1/0/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 16:29:46 pfsense haproxy[65367]: 13.67.59.89:17302 [31/Jan/2019:16:29:16.089] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 230/0/0/13/30243 200 346 - - sD-- 752/740/0/0/0 0/0 {mail.<public domain>|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.<public domain>/-} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@<public domain>:6001 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13159 [31/Jan/2019:22:09:46.265] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 91/0/1/1/93 401 507 - - ---- 236/232/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/#0357ٞ▒} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13944 [31/Jan/2019:22:09:46.443] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 78/0/0/1/80 401 507 - - ---- 237/233/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/o▒rY;$▒cҘ▒P#002▒ԩP*#016o▒▒b▒▒f'▒*E▒[} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13944 [31/Jan/2019:22:09:46.523] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 20/0/0/2/22 401 262 - - ---- 237/233/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/o▒rY;$▒cҘ▒P#002▒ԩP*#016o▒▒b▒▒f'▒*E▒[} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Jan 31 22:09:46 pfsense haproxy[65367]: 46.0.224.14:13159 [31/Jan/2019:22:09:46.359] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 64/0/0/2/205 401 262 - - CD-- 236/232/0/0/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/#0357ٞ▒} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb 1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7409 [01/Feb/2019:22:09:57.881] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 415/0/1/2/418 401 507 - - ---- 159/153/0/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/:E▒X▒▒:#024$▒▒▒,#023▒▒▒▒Q▒H▒Q}#022▒Ip▒▒Bp} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb 1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7462 [01/Feb/2019:22:09:58.359] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 89/0/1/1/91 401 507 - - ---- 160/154/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/▒h$▒,#031p▒#025▒뉬▒#025Şl#012M_▒e▒Xe#020#0159#007̑} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb 1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7462 [01/Feb/2019:22:09:58.450] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.<local domain> 19/0/0/2/21 401 262 - - ---- 160/154/1/1/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/▒h$▒,#031p▒#025▒뉬▒#025Şl#012M_▒e▒Xe#020#0159#007̑} RPC_OUT_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
Feb 1 22:09:58 pfsense haproxy[65367]: 46.0.128.3:7409 [01/Feb/2019:22:09:58.298] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.<local domain> 31/0/0/2/194 401 262 - - CD-- 159/153/0/0/0 0/0 {mail.<public domain>|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.<public domain>/:E▒X▒▒:#024$▒▒▒,#023▒▒▒▒Q▒H▒Q}#022▒Ip▒▒Bp} RPC_IN_DATA mail.<public domain>/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@<public domain>:6002 HTTP/1.1
```
Posts: 1
Participants: 1
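As an added example (not code from the post, pfSense or HAProxy), here is a small Python parser for the exact log-format defined in the frontend above, run over a constructed sample adapted from the excerpt: it groups entries by RPC-over-HTTP virtual connection (the GUID in the URI) and channel, and reports server-side timeouts (termination state starting with s, compared with the backend's timeout server of 30000 ms), client aborts (C) and channels that never got past 401. The corp.example / mail.example.com names and 203.0.113.x client addresses are placeholders substituted for the post's redacted values; the raw session-id bytes in the TLSv1 lines are kept to show the parser tolerating them.

```python
import re
from collections import defaultdict

# Field order follows the frontend's log-format line: syslog prefix, %ci:%cp,
# [%t], %ft, %b/%s, %Tq/%Tw/%Tc/%Tr/%Tt, %ST, %B, %CC %CS, %tsc, %ac/%fc/%bc/%sc/%rc,
# %sq/%bq, {%hr}, {%hs}, {%sslv/%sslc/sni/session_id}, "method uri HTTP/1.1".
# ssl_fc_session_id is logged as raw bytes, so the ssl block may contain braces:
# it is matched lazily and the request line is anchored on method + HTTP/1.1.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ haproxy\[\d+\]: "
    r"(?P<cip>[^ :]+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] (?P<fe>\S+) "
    r"(?P<be>[^/ ]+)/(?P<srv>\S+) (?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/"
    r"(?P<Tr>-?\d+)/(?P<Tt>\+?\d+) (?P<status>-?\d+) (?P<bytes>\+?\d+) "
    r"\S+ \S+ (?P<tsc>[\w-]{4}) (?:\d+/){4}\d+ \d+/\d+ "
    r"\{(?P<hr>[^}]*)\} \{(?P<hs>[^}]*)\} \{(?P<ssl>.*?)\} "
    r"(?P<method>[A-Z_]+) (?P<uri>\S+) HTTP/1\.1$")
TIMEOUT_SERVER_MS = 30000  # "timeout server 30000" in ex-RPC-backend_ipvANY

def parse_line(line):
    """Return the fields of one entry as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    for k in ("Tt", "status", "bytes", "cport"):
        r[k] = int(r[k].lstrip("+"))
    r["tls_version"], r["cipher"], r["sni"], r["session_id"] = r["ssl"].split("/", 3)
    g = re.search(r"\?([0-9a-f-]{36})@", r["uri"], re.I)  # GUID = RPC virtual connection
    r["rpc_session"] = g.group(1).lower() if g else None
    return r

def summarise(lines):
    """Per (RPC session, channel): status sequence plus findings from the termination
    state (%tsc: 's' server-side timeout, 'C' client abort, 'D' = data phase) and a missing 200."""
    out = defaultdict(lambda: {"statuses": [], "findings": []})
    for ln in lines:
        r = parse_line(ln)
        if not r or not r["rpc_session"]:
            continue
        s = out[(r["rpc_session"], r["method"])]
        s["statuses"].append(r["status"])
        if r["tsc"][0] == "s":
            s["findings"].append("server timeout %s at %d ms (timeout server %d ms)" % (r["tsc"], r["Tt"], TIMEOUT_SERVER_MS))
        elif r["tsc"][0] == "C":
            s["findings"].append("client abort %s at %d ms" % (r["tsc"], r["Tt"]))
    for s in out.values():
        if 200 not in s["statuses"]:
            s["findings"].append("never reached 200 after %d x 401" % s["statuses"].count(401))
    return dict(out)

# Constructed sample: seven entries adapted from the excerpt above, with the redacted
# domains replaced by example names and client addresses by documentation addresses.
SAMPLE = [
    "Jan 31 16:29:12 pfsense haproxy[65367]: 203.0.113.10:17281 [31/Jan/2019:16:29:11.818] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 240/0/1/1/242 401 507 - - ---- 756/746/0/1/0 0/0 {mail.example.com|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.com/-} RPC_IN_DATA mail.example.com/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@example.com:6001 HTTP/1.1",
    "Jan 31 16:29:12 pfsense haproxy[65367]: 203.0.113.10:17281 [31/Jan/2019:16:29:12.059] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 234/0/0/20/254 200 377 - - ---- 756/746/0/1/0 0/0 {mail.example.com|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.com/-} RPC_IN_DATA mail.example.com/Rpc/RpcProxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@example.com:6001 HTTP/1.1",
    "Jan 31 16:29:16 pfsense haproxy[65367]: 203.0.113.10:17302 [31/Jan/2019:16:29:15.616] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 471/0/1/1/473 401 507 - - ---- 753/743/1/1/0 0/0 {mail.example.com|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.com/-} RPC_OUT_DATA mail.example.com/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@example.com:6001 HTTP/1.1",
    "Jan 31 16:29:46 pfsense haproxy[65367]: 203.0.113.10:17280 [31/Jan/2019:16:29:12.803] http-https-frontend~ ex-RPC-backend_ipvANY/ex2.corp.example 2577/0/1/6/33517 401 262 - - sD-- 753/741/1/0/0 0/0 {mail.example.com|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.com/-} RPC_IN_DATA mail.example.com/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@example.com:6001 HTTP/1.1",
    "Jan 31 16:29:46 pfsense haproxy[65367]: 203.0.113.10:17302 [31/Jan/2019:16:29:16.089] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 230/0/0/13/30243 200 346 - - sD-- 752/740/0/0/0 0/0 {mail.example.com|MSRPC} {} {TLSv1.2/ECDHE-RSA-AES256-GCM-SHA384/mail.example.com/-} RPC_OUT_DATA mail.example.com/rpc/rpcproxy.dll?dd0e139f-324e-408a-8b4a-6574977303cd@example.com:6001 HTTP/1.1",
    "Feb 1 22:09:58 pfsense haproxy[65367]: 203.0.113.20:7409 [01/Feb/2019:22:09:57.881] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 415/0/1/2/418 401 507 - - ---- 159/153/0/1/0 0/0 {mail.example.com|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.example.com/:E▒X▒▒:#024$▒▒▒,#023▒▒▒▒Q▒H▒Q}#022▒Ip▒▒Bp} RPC_IN_DATA mail.example.com/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@example.com:6002 HTTP/1.1",
    "Feb 1 22:09:58 pfsense haproxy[65367]: 203.0.113.20:7409 [01/Feb/2019:22:09:58.298] http-https-frontend~ ex-RPC-backend_ipvANY/ex1.corp.example 31/0/0/2/194 401 262 - - CD-- 159/153/0/0/0 0/0 {mail.example.com|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/mail.example.com/:E▒X▒▒:#024$▒▒▒,#023▒▒▒▒Q▒H▒Q}#022▒Ip▒▒Bp} RPC_IN_DATA mail.example.com/rpc/rpcproxy.dll?6627f89e-fa58-4bb4-bbc4-3afb47028417@example.com:6002 HTTP/1.1",
]
```

Calling `summarise(SAMPLE)` on the sample returns one entry per (session GUID, RPC_IN_DATA/RPC_OUT_DATA) with its status sequence and findings; feed it real lines from the pfSense log to see the same breakdown per client.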