Exchange 2010 RPC over HTTPS

Hi,

I’m trying to get Exchange 2010 working with Outlook Anywhere, which uses RPC over HTTPS. I followed https://www.haproxy.com/documentation/haproxy/deployment-guides/exchange-2010/ssl-offload/ but the RPC part is not working. The RPC part gives HTTP 401 errors.

When I use another config that only uses ‘mode tcp’, Outlook Anywhere works fine, but then I am not able to use ACLs, right? I need to proxy several websites to different backends based on host headers/paths.

Is there a way to combine http and tcp modes in one configuration?

Hi,

That guide with Exchange 2010 will have some more pre-reqs at the real servers unless you use ssl bridging as described at the very end… Without bridging you’d need to set a registry key on the real servers “SSLOffload=1” or something… Let me check…

Can I ask if you are re-encrypting to the real servers (SSL bridging)?

I’d also wonder if we need to add “option accept-invalid-http-request” because Microsoft have a habit of breaking standards.

Not quite… it’s SSLOffloaded=1…

Check this article: https://social.technet.microsoft.com/wiki/contents/articles/1267.how-to-configure-ssl-offloading-in-exchange-2010.aspx

Although I’d be tempted to use SSL bridging myself.

Thanks for your reply. I have already set the SSL offloading to be allowed on the Exchange server and tried several settings regarding the authentication (Basic/NTLM).

My current setup is SSL termination (how is that different exactly from SSL bridging?) and I have set the backend to ‘ssl verify none’.

While typing I tried the option accept-invalid-http-request and that seems to do the trick!! I am now able to connect via Outlook Anywhere.
My log still shows some errors like " https~ bk_rpc/ex01 20/0/1/-1/9526 -1 0 - - CD-- 8/8/1/1/0 0/0" however. Will investigate…

Thanks a lot!

By SSL Bridging I only mean re-encrypting on the trip to the real servers so adding ‘ssl verify none’ will make it SSL Bridging.

I’m glad ‘option accept-invalid-http-request’ fixed your problem. HAProxy follows RFCs and drops non-standard HTTP traffic by default unless you tell it not to. You could have verified this was happening by using the stats page and a socat command to see errors:

echo "show errors" | socat unix-connect:/var/run/haproxy.stat stdio

More info here: https://makandracards.com/makandra/36727-get-haproxy-stats-informations-via-socat

In my experience, longer timeouts can be needed also, so you may wish to experiment with the ‘timeout client / server’ settings as well as other timeouts.

I’m not sure why you are getting sudden client disconnects either, it could be these are simply unused connections because in my experience the number of connections used per client fluctuates…
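For anyone reading the `CD--` log entry quoted earlier in the thread, the sketch below decodes that fragment using the field order and termination-state letters from HAProxy's HTTP log format documentation. It is an added example, not code from any poster here; the names `decode`, `ENDED_BY`, `PHASE` and `FRAGMENT` are assumptions, and only a subset of the state letters is listed.

```python
import re

# Termination-state letters from HAProxy's logging documentation (subset).
ENDED_BY = {
    "C": "client aborted the TCP session",
    "S": "server aborted or refused the TCP session",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
    "-": "normal completion",
}
PHASE = {
    "R": "waiting for a complete REQUEST from the client",
    "C": "waiting for the CONNECTION to the server",
    "H": "waiting for response HEADERS from the server",
    "D": "DATA phase",
    "-": "normal completion",
}

# Field order of the HTTP log format, starting at the frontend name:
# frontend backend/server T/T/T/Tr/Ttotal status bytes cookie cookie state conns queues
FRAGMENT = re.compile(
    r"(?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S+) "
    r"(?P<timers>\+?-?\d+(?:/\+?-?\d+){4}) (?P<status>-?\d+) \+?\d+ "
    r"\S+ \S+ (?P<state>\S{4}) \d+(?:/\d+){4} \d+/\d+"
)

# The fragment quoted in the thread (its leading fields are not on the page).
SAMPLE = " https~ bk_rpc/ex01 20/0/1/-1/9526 -1 0 - - CD-- 8/8/1/1/0 0/0"

def decode(line):
    """Return a dict describing how the session ended, or None if no match."""
    m = FRAGMENT.search(line)
    if m is None:
        return None
    timers = [int(t) for t in m["timers"].split("/")]
    state = m["state"]
    return {
        "frontend": m["fe"].rstrip("~"),
        "client_tls": m["fe"].endswith("~"),      # '~' marks a TLS client side
        "server": f'{m["be"]}/{m["srv"]}',
        "response_headers_seen": timers[3] >= 0,  # -1: headers never completed
        "total_ms": timers[4],
        "status": int(m["status"]),
        "ended_by": ENDED_BY.get(state[0], "other: " + state[0]),
        "phase": PHASE.get(state[1], "other: " + state[1]),
    }

if __name__ == "__main__":
    print(decode(SAMPLE))
```

For the quoted line this reports a client-side abort during the data phase after about 9.5 seconds, with no complete response headers seen from `bk_rpc/ex01`.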

I’ve got “mode tcp” and “acl XXXXX req.ssl_sni -i xxx.yyyyyyy.zzz” combined in one frontend. I hope it’s working, had no complaints.

I had a similar problem. I attached my proxy config in the following link:

Which works for 2010, 2013 and 2016.