Windows Extended Protection and Exchange 2016

rniesen · December 29, 2022, 1:40pm

Hello,

A security update on Exchange 2016 (2019) will break the possible use of a loadbalancer like haproxy.
I using at this moment haproxy, but when I enable this security, outlook remote will not work anymore.
A login screen apaers and the login fail.
Sync on mibile devices is also broken.

In the docs of microsoft
https://microsoft.github.io/CSS-Exchange/Security/Extended-Protection/

SSL Offloading scenarios are not supported

Extended Protection is not supported in environments that use SSL offloading. SSL termination during SSL offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers.

SSL Bridging supported scenarios

Extended Protection is supported in environments that use SSL Bridging under certain conditions. To enable Extended Protection in your Exchange environment using SSL Bridging, you must use the same SSL certificate on Exchange and your Load Balancers. If not this will cause Extended Protection to fail.

Because I have limit expierence with hwproxy, I don’t know if thre could be a solution?
I found this on kemp.

I exported the cert en private key from the exchange server but I’m lost what to do next.

Does someone have a solution for me?

Thanks.

jasejk · January 2, 2023, 4:05pm

openssl pkcs12 -in yourcertwprivatekey.pfx -nocerts -out exchange_private_key_passwordprotected.pem

openssl rsa -in exchange_private_key_passwordprotected.pem -out exchange_private_key_nopassword.pem

openssl pkcs12 -in yourcertwprivatekey.pfx -clcerts -nokeys -out exchange_certificate.pem

cat exchange_certificate.pem exchange_private_key_nopassword.pem > exchange_certificate_and_key_nopassword.pem

cat exchange_certificate_and_key_nopassword.pem YourCARootCert.crt > final.pem


mv /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem /etc/ssl/certs/exchange_certificate_and_key_nopassword2.pem
cp /root/certificates/final.pem /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem

So basically you export your ca cert with private key from Exchange, copy that to haproxy,
you then extract the private key w password, then remove the password.
Then you get the cert without keys, then combine the thus extracted cert with private key with no password.

Then you add to the cert your CAs root cert.

Then copy the file to the proper place in haproxy, I’m using Debian hence the path.

There could be a way to input the cert password in a script but I haven’t found a way to do it, hence stripping the password.

rniesen · January 6, 2023, 10:42am

Hello,

I’m very new to HA Proxy.
Is there any working example for exchange with SSL briding?

I think this example is using SSL-offloading?
HAProxy configuration for Windows Exchange Server 2016/2019 - bidhankhatri.com.np

jasejk · January 7, 2023, 8:03pm

Topic		Replies	Views
Outlook clients constantly prompted for password [Exchange Help!	2	1067	February 4, 2023
Exchange 2010 RPC over HTTPS Help!	6	3886	February 2, 2019
SMTP Load Balancing With Exchange 2013 Help!	6	9241	April 1, 2020
HAproxy and Outlook 2010 on Exchange 2016 Help!	22	5649	April 18, 2021
Exchange 2016 + HAproxy + MacOS Outlook issues Help!	7	7076	August 9, 2019

Windows Extended Protection and Exchange 2016

SSL Offloading scenarios are not supported

SSL Bridging supported scenarios

Related topics