Windows Extended Protection and Exchange 2016


A security update on Exchange 2016 (2019) will break the possible use of a loadbalancer like haproxy.
I using at this moment haproxy, but when I enable this security, outlook remote will not work anymore.
A login screen apaers and the login fail.
Sync on mibile devices is also broken.

In the docs of microsoft

SSL Offloading scenarios are not supported

Extended Protection is not supported in environments that use SSL offloading. SSL termination during SSL offloading causes Extended Protection to fail. To enable Extended Protection in your Exchange environment, you must not be using SSL offloading with your Load Balancers.

SSL Bridging supported scenarios

Extended Protection is supported in environments that use SSL Bridging under certain conditions. To enable Extended Protection in your Exchange environment using SSL Bridging, you must use the same SSL certificate on Exchange and your Load Balancers. If not this will cause Extended Protection to fail.

Because I have limit expierence with hwproxy, I don’t know if thre could be a solution?
I found this on kemp.

I exported the cert en private key from the exchange server but I’m lost what to do next.

Does someone have a solution for me?


openssl pkcs12 -in yourcertwprivatekey.pfx -nocerts -out exchange_private_key_passwordprotected.pem

openssl rsa -in exchange_private_key_passwordprotected.pem -out exchange_private_key_nopassword.pem

openssl pkcs12 -in yourcertwprivatekey.pfx -clcerts -nokeys -out exchange_certificate.pem

cat exchange_certificate.pem exchange_private_key_nopassword.pem > exchange_certificate_and_key_nopassword.pem

cat exchange_certificate_and_key_nopassword.pem YourCARootCert.crt > final.pem

mv /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem /etc/ssl/certs/exchange_certificate_and_key_nopassword2.pem
cp /root/certificates/final.pem /etc/ssl/certs/exchange_certificate_and_key_nopassword.pem

So basically you export your ca cert with private key from Exchange, copy that to haproxy,
you then extract the private key w password, then remove the password.
Then you get the cert without keys, then combine the thus extracted cert with private key with no password.

Then you add to the cert your CAs root cert.

Then copy the file to the proper place in haproxy, I’m using Debian hence the path.

There could be a way to input the cert password in a script but I haven’t found a way to do it, hence stripping the password.


I’m very new to HA Proxy.
Is there any working example for exchange with SSL briding?

I think this example is using SSL-offloading?
HAProxy configuration for Windows Exchange Server 2016/2019 -