HAProxy doesn't work for smartphone ActiveSync

Hello everyone,

I currently have a KEMP server used for an Exchange 2016 Reverse Proxy that I want to replace with HAProxy. I configured everything to make it work and only one point does not work: Smartphones with ActiveSync.

If I use the Microsoft Outlook application on Android, it doesn’t work.
But with Gmail application, the same settings work.

This is the log with Gmail App :

2024-08-09T09:22:08.603356+02:00 S35 haproxy[58500]: 87.88.147.213:8224 [09/Aug/2024:09:22:08.563] ft_ex2019~ bk_ex2019_eas/exchange1 0/0/6/33/39 200 714 - - ---- 14/14/0/0/0 0/0 “POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=domain.intra%5Cuser&DeviceId=androidc672123383&DeviceType=Android HTTP/1.1”
2024-08-09T09:22:08.735679+02:00 S35 haproxy[58500]: 87.88.147.213:8224 [09/Aug/2024:09:22:08.702] ft_ex2019~ bk_ex2019_eas/exchange1 0/0/0/32/32 200 714 - - ---- 14/14/0/0/0 0/0 “POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=domain.intra%5Cuser&DeviceId=androidc672123383&DeviceType=Android HTTP/1.1”
2024-08-09T09:22:21.102618+02:00 S35 haproxy[58500]: 87.88.147.213:8224 [09/Aug/2024:09:22:21.086] ft_ex2019~ bk_ex2019_eas/exchange1 0/0/0/16/16 200 989 - - ---- 14/14/0/0/0 0/0 “POST /Microsoft-Server-ActiveSync?Cmd=Settings&User=domain.intra%5Cuser&DeviceId=androidc672123383&DeviceType=Android HTTP/1.1”

This is the log with the Outlook app:

2024-08-09T10:09:19.907924+02:00 S35 haproxy[58500]: 52.97.187.109:54379 [09/Aug/2024:10:09:19.903] ft_ex2019~ bk_ex2019_eas/exchange1 0/0/1/3/4 401 259 - - ---- 13/13/0/0/0 0/0 “OPTIONS /Microsoft-Server-ActiveSync?Cmd=Options&User=domain.intra%5Cuser&DeviceId=OPCC286B2E6E33A3AAC152A4DE796B59&DeviceType=Outlook HTTP/1.1”
2024-08-09T10:09:19.928580+02:00 S35 haproxy[58500]: 52.97.187.109:54379 [09/Aug/2024:10:09:19.918] ft_ex2019~ bk_ex2019_eas/exchange1 0/0/0/9/9 200 1042 - - ---- 13/13/0/0/0 0/0 “OPTIONS /Microsoft-Server-ActiveSync?Cmd=Options&User=domain.intra%5Cuser&DeviceId=OPCC286B2E6E33A3AAC152A4DE796B59&DeviceType=Outlook HTTP/1.1”

If I run a test with the Microsoft Remote Connectivity Analyzer, all checks are green for ActiveSync.

Does anyone have a solution? I’m completely stuck, and it’s not possible for users to use anything other than the Outlook mobile application for their work address.

HAProxy version : 2.6.12 on Debian 12

global
    # Process-wide settings: privilege drop, chroot, logging, the runtime
    # socket and the TLS defaults inherited by every bind/server line.

    # --- process identity and isolation ---
    daemon
    user        haproxy
    group       haproxy
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid

    # --- logging ---
    log         127.0.0.1:514 local0 debug

    # --- HTTP/1 header casing ---
    # Header names listed here are emitted with this exact casing towards
    # peers that have a matching "option h1-case-adjust-bogus-*" enabled.
    h1-case-adjust www-authenticate WWW-Authenticate
    h1-case-adjust persistent-auth Persistent-Auth

    # --- runtime (stats) unix socket ---
    # No "mode", "user", "group" or "level" is given, so access control on
    # the socket rests on the process umask and HAProxy's defaults.
    # NOTE(review): confirm who can open this socket on the host.
    stats socket /var/run/haproxy.stat

    #--------------------------
    # SSL tuning / hardening
    #--------------------------
    # "no-sslv3" only excludes SSLv3; the effective minimum TLS version is
    # otherwise left to HAProxy/OpenSSL defaults.
    # NOTE(review): stating the floor explicitly with "ssl-min-ver" would make
    # the policy auditable - confirm what the running build negotiates.
    ssl-default-bind-options no-sslv3
    ssl-default-server-options no-sslv3

    # TLS <= 1.2 cipher lists (client side and server side are identical).
    # NOTE(review): "DH+AES256" is broader than the two AESGCM terms and
    # presumably admits non-GCM DHE suites - verify with "openssl ciphers".
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:DH+AES256:!aNULL:!MD5:!DSS
    ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:DH+AES256:!aNULL:!MD5:!DSS

    # TLS 1.3 suites offered on bind lines.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

    # Size of the DH parameters used for DHE key exchange.
    tune.ssl.default-dh-param 2048

defaults
    # Settings inherited by every frontend and backend declared below.
    mode http
    maxconn                 100

    # --- logging ---
    log global
    option httplog
    # Connections that close without sending data are not logged.
    # NOTE(review): on an Internet-facing listener this also hides bare
    # connection probes from the logs - confirm that is acceptable.
    option dontlognull
    option contstats

    # --- client identity ---
    # Adds X-Forwarded-For towards the servers, except for clients on loopback.
    # NOTE(review): the servers' own logs will show the proxy as the client
    # unless they are set up to record this header - verify on the Exchange side.
    option forwardfor except 127.0.0.0/8

    # --- connection handling ---
    # Keep-alive stays on for both sides: the two close modes are disabled.
    no option httpclose
    no option http-server-close
    # Apply the h1-case-adjust map from the global section to clients
    # identified as needing it.
    option h1-case-adjust-bogus-client

    # --- retry policy ---
    retries                 3
    option redispatch

    # --- timeouts ---
    timeout connect         15s
    timeout check           15s
    timeout queue           1m
    timeout http-request    15s
    timeout http-keep-alive 15s
    timeout client          15m # this value should be rather high with Exchange
    timeout server          15m # this value should be rather high with Exchange

#---------------------------------------------------------------------
# Main front-end which proxies to the back-ends
#---------------------------------------------------------------------

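frontend ft_ex2019
    # Public HTTPS entry point for Exchange: terminates TLS, blocks the
    # admin panel (/ecp), adds response security headers and routes each
    # Exchange virtual directory to its own backend.
    mode http
    log /dev/log local0 info
    option http-use-proxy-header

    # h2 is offered alongside HTTP/1.1 on the public listener.
    # NOTE(review): Exchange authentication schemes such as NTLM/Negotiate are
    # bound to an HTTP/1.1 connection; if a client misbehaves only through this
    # proxy, testing with "alpn http/1.1" alone is a cheap way to rule h2 out.
    bind *:443 ssl crt /etc/haproxy/ssl alpn h2,http/1.1
    # NOTE(review): 1936 is conventionally a stats port, but no stats
    # directives exist in this frontend, so this bind serves the same Exchange
    # routing on the internal address - confirm that is intended.
    bind 10.10.10.35:1936 ssl crt /etc/haproxy/ssl

    # Routing ACLs.
    # Match on the path, case-insensitively, instead of "url_beg":
    #  - the web server behind this proxy does not distinguish /ecp from /ECP,
    #    so a case-sensitive ACL leaves other spellings unmatched;
    #  - "url" is the request target as the client presented it, which may be
    #    an absolute URL (scheme and host first) and then never begins with "/".
    # A request that matches no ACL falls through to default_backend, so a
    # missed match here silently skips the deny rule below.
    acl autodiscover path_beg -i /autodiscover
    acl mapi         path_beg -i /mapi
    acl rpc          path_beg -i /rpc
    acl owa          path_beg -i /owa
    acl eas          path_beg -i /Microsoft-Server-ActiveSync
    acl ecp          path_beg -i /ecp
    acl ews          path_beg -i /ews
    acl oab          path_beg -i /oab

    # The Exchange admin panel is not published through this proxy.
    http-request deny if ecp

    # Both binds above are TLS, so ssl_fc is always true and this rule cannot
    # fire as written; a real 80 -> 443 redirect needs a plain-HTTP bind.
    redirect scheme https code 301 if !{ ssl_fc } # redirect 80 → 443 (for owa)

    # Response hardening headers.
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options SAMEORIGIN
    http-response set-header X-Content-Type-Options nosniff

    use_backend bk_ex2019_autodiscover if autodiscover
    use_backend bk_ex2019_mapi if mapi
    use_backend bk_ex2019_rpc if rpc
    use_backend bk_ex2019_owa if owa
    use_backend bk_ex2019_eas if eas
    # Kept disabled: /ecp is denied above and the bk_ex2019_ecp backend is
    # commented out, so an active rule here would reference a missing backend.
    # use_backend bk_ex2019_ecp if ecp
    use_backend bk_ex2019_ews if ews
    use_backend bk_ex2019_oab if oab
    default_backend bk_ex2019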

#------------------------------
# Back-end section
#------------------------------

backend bk_ex2019_autodiscover
    # Autodiscover traffic. The server is considered up while its
    # healthcheck.htm page answers 200.
    mode http
    balance roundrobin

    option log-health-checks
    option httpchk GET /autodiscover/healthcheck.htm
    http-check expect status 200

    # "verify none": traffic to the server is encrypted but its certificate is
    # not checked, so the proxy cannot tell the real server from an impostor on
    # the internal network. "verify required" with a "ca-file" closes that gap.
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

backend bk_ex2019_mapi
    # MAPI over HTTP traffic. The server is considered up while its
    # healthcheck.htm page answers 200.
    mode http
    balance roundrobin

    option log-health-checks
    option httpchk GET /mapi/healthcheck.htm
    http-check expect status 200

    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

backend bk_ex2019_rpc
    # RPC over HTTP traffic. The server is considered up while its
    # healthcheck.htm page answers 200.
    mode http
    balance roundrobin

    option log-health-checks
    option httpchk GET /rpc/healthcheck.htm
    http-check expect status 200

    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

backend bk_ex2019_owa
    # Outlook on the web traffic. The server is considered up while its
    # healthcheck.htm page answers 200.
    mode http
    balance roundrobin

    option log-health-checks
    option httpchk GET /owa/healthcheck.htm
    http-check expect status 200

    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

backend bk_ex2019_eas
    # Exchange ActiveSync traffic (mobile clients). The server is considered
    # up while its healthcheck.htm page answers 200.
    mode http

    # Three log targets on the same address and facility, differing by level.
    # NOTE(review): the levels overlap ("info" already covers warning and
    # err), so higher-severity messages are presumably sent more than once -
    # confirm, and keep a single line if so.
    log 127.0.0.1 local0 info
    log 127.0.0.1 local0 warning
    log 127.0.0.1 local0 err

    option log-health-checks
    option httpchk GET /microsoft-server-activesync/healthcheck.htm
    http-check expect status 200

    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

#backend bk_ex2019_ecp
# mode http
# balance roundrobin
# option httpchk GET /ecp/healthcheck.htm
# option log-health-checks
# http-check expect status 200
# server exchange1 SRV_Intern:443 check ssl inter 15s verify none

backend bk_ex2019_ews
    # Exchange Web Services traffic. The server is considered up while its
    # healthcheck.htm page answers 200; checks run every 30s here.
    mode http

    # Three log targets on the same address and facility, differing by level.
    # NOTE(review): the levels overlap ("info" already covers warning and
    # err), so higher-severity messages are presumably sent more than once -
    # confirm, and keep a single line if so.
    log 127.0.0.1 local0 info
    log 127.0.0.1 local0 warning
    log 127.0.0.1 local0 err

    option log-health-checks
    option httpchk GET /ews/healthcheck.htm
    http-check expect status 200

    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 30s verify none

backend bk_ex2019_oab
    # Offline Address Book downloads. The server is considered up while its
    # healthcheck.htm page answers 200.
    mode http

    option log-health-checks
    option httpchk GET /oab/healthcheck.htm
    http-check expect status 200

    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

backend bk_ex2019
    # Catch-all: every request that no frontend ACL matched is forwarded to
    # Exchange unchanged. Any path-based block in the frontend is therefore
    # only as good as its ACL - it must match every spelling of the path
    # that the server itself accepts.
    mode http

    # No "option httpchk" here, so "check" is not an HTTP request against a
    # healthcheck.htm page as in the other backends.
    # "verify none" skips validation of the server certificate; the link is
    # encrypted but not authenticated. Consider "verify required" + "ca-file".
    server exchange1 SRV_Intern:443 check ssl inter 15s verify none

Thank you.