WAF Exchange 2016 Load Balancing causes Login problems

Hi,

We have 6 Exchange 2016 servers and one Sophos UTM (9.409) (active-passive cluster, 2 nodes).

Now I wanted to combine our Exchange servers with the WAF to remove our current load balancer.

I've configured the WAF following 2 different tutorials:
https://networkguy.de/?p=998 and
https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

When setting up Outlook, I am always asked for the password.
If I only use one real server in a virtual server, instead of 6, Outlook / the login works.
> 1 server -> no way


How we configured our virtual directories' authentication in Exchange:
mapi - Windows authentication (NTLM, Negotiate) - basic authentication
ews - integrated Windows authentication
microsoft-server-activesync - basic authentication
owa - use forms-based authentication with domain\username and preset domain

We don't want to use the reverse authentication from Sophos / WAF.

Frank from frankysweb (see link above) wrote that this is a bug (not a feature :D)
Comment from "19 January 2017 at 20:51":
[...] In this case the UTM can only handle one Exchange server. [...] The problem has already been reported to Sophos several times, but unfortunately it still hasn't been fixed. With multiple Exchange servers an external load balancer has to be used in this case.

 

Is this really a bug and do you have a workaround?

Thanks
Logan517

  • Are we really the only ones who have this problem? / More than one Exchange 2016 server?

    Or does nobody have an idea?

  • In reply to logan517:

    Hi,

    if you have multiple real webservers, the load is distributed between all webservers. This means you authenticate at webserver A and the next request goes to webserver B, and webserver B asks for your credentials again.

    To prevent this, there is the option 'Enable sticky session cookie' on the advanced tab in the site path route edit form.
    If you enable this option "each (client) session will be bound to one real webserver. If enabled, a cookie is passed to the user's browser, which provokes the UTM to route all requests from this browser to the same real webserver. If the server is not available, the cookie will be updated, and the session will switch to another webserver." (cited from the Sophos UTM Online Help).

    Edit: When sticky session cookie is enabled the load is still balanced between the webservers. But each client sticks to one webserver.

    Best,
    Sabine
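
Added example, not from any post in this thread and not Sophos UTM code: a small Python model of the mechanism Sabine describes (requests spread over several real webservers that each hold their own authentication state, and how a sticky session cookie changes that), extended with the behaviour logan517 reports for a client that does not keep the WAF's cookie and with the failover case quoted from the online help. The backend names, the cookie name `waf_sticky`, the session token format and the request counts are constructed for the example.

```python
"""Toy model of a WAF spreading requests over several real webservers.

Constructed example: backend names, the cookie name and the request counts
are made up; this is not Sophos UTM code.  Each backend keeps its own
authentication state (as a server-local session does), so a session set up
on one server is unknown to the others.
"""
import itertools
from dataclasses import dataclass, field

STICKY_COOKIE = "waf_sticky"   # hypothetical name for the WAF's routing cookie


@dataclass
class Backend:
    name: str
    up: bool = True
    issued: set = field(default_factory=set)   # session tokens this server issued

    def handle(self, session, credentials):
        """Return (status, session). 401 means the client must prompt the user."""
        if session in self.issued:
            return 200, session
        if credentials is not None:
            token = f"{self.name}-sess{len(self.issued) + 1}"
            self.issued.add(token)
            return 200, token
        return 401, None


class Waf:
    """Round-robin over the backends that are up; optionally pins a client
    to one backend via STICKY_COOKIE and re-pins if that backend is down."""

    def __init__(self, backends, sticky):
        self.backends = {b.name: b for b in backends}
        self.sticky = sticky
        self._rr = itertools.cycle(backends)

    def _next_up(self):
        for _ in range(len(self.backends)):
            b = next(self._rr)
            if b.up:
                return b
        raise RuntimeError("no real webserver available")

    def route(self, cookies, session, credentials):
        target = None
        if self.sticky:
            target = self.backends.get(cookies.get(STICKY_COOKIE))
            if target is not None and not target.up:
                target = None        # stale cookie: fail over, cookie gets updated below
        if target is None:
            target = self._next_up()
        status, session = target.handle(session, credentials)
        set_cookie = {STICKY_COOKIE: target.name} if self.sticky else {}
        return status, session, target.name, set_cookie


def simulate(sticky, keeps_waf_cookie, requests=4, n_backends=2, outage=None):
    """Run one client against fresh backends.

    keeps_waf_cookie models whether the client returns the WAF's cookie
    (a browser does; the thread reports Outlook behaving as if it does not).
    outage=(request_index, backend_name) takes a backend down mid-session.
    Returns (number of credential prompts, backend that served each request).
    """
    backends = [Backend(n) for n in "ABCDEF"[:n_backends]]
    waf = Waf(backends, sticky)
    cookies, session, prompts, path = {}, None, 0, []
    for i in range(requests):
        if outage is not None and i == outage[0]:
            waf.backends[outage[1]].up = False
        status, new_session, server, set_cookie = waf.route(cookies, session, None)
        if keeps_waf_cookie:
            cookies.update(set_cookie)
        if status == 401:
            prompts += 1      # the user sees a credential prompt and answers it
            status, new_session, server, set_cookie = waf.route(cookies, None, "user:secret")
            if keeps_waf_cookie:
                cookies.update(set_cookie)
        session = new_session
        path.append(server)
    return prompts, path


if __name__ == "__main__":
    for label, kwargs in [
        ("one backend, no sticky cookie", dict(sticky=False, keeps_waf_cookie=True, n_backends=1)),
        ("two backends, no sticky cookie", dict(sticky=False, keeps_waf_cookie=True)),
        ("two backends, sticky cookie, client keeps it", dict(sticky=True, keeps_waf_cookie=True)),
        ("two backends, sticky cookie, client drops it", dict(sticky=True, keeps_waf_cookie=False)),
        ("sticky cookie, backend A fails at request 2", dict(sticky=True, keeps_waf_cookie=True, outage=(2, "A"))),
    ]:
        prompts, path = simulate(**kwargs)
        print(f"{label}: {prompts} prompt(s), served by {path}")
```

Run it and the five scenarios line up with the thread: one backend or a cookie-keeping client behind the sticky route gives a single prompt, plain round robin over two backends prompts on every request, and a client that drops the WAF cookie is prompted just as often even with the sticky route enabled. The outage case shows the help text's behaviour: the cookie is re-issued for the surviving backend, which costs exactly one extra prompt because the new backend has no session for that client.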

  • In reply to Evianne:

    Hi Sabine,

    Thanks for your reply, but this isn't the problem.

    I've already enabled the "sticky session cookie" in the site path route and OWA works fine.

    Our Outlook clients on Windows computers are the problem. The users will always be asked for the credentials, even if they select the "remember me" box.

    Only if I remove 3 of our 4 real servers does Outlook work.

    Greetings

  • In reply to logan517:

    This just doesn't seem like a configuration issue that's well known. What if you enable reverse auth so that the WAF knows the credentials?

    I wonder if there isn't something that can be configured in Exchange that enables the servers to share credentials in a distributed environment.

    What does Sophos Support say about this?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    No, I haven't tried the reverse auth. We don't want to use this feature. We want to use the WAF for load balancing and virus / hacker / etc. protection.

    The Sophos support isn't especially helpful (sorry about that); they say the same thing as Evianne / Sabine, the thing with the sticky session cookie.

    As I said, the sticky session cookie works for OWA / browsers. They are able to save it. But Outlook does not.

    I think this is the problem and we need another scheduling/balancing method.

    I'm wondering whether we are the only ones with this problem.

    Greetings

  • In reply to logan517:

    Hello Logan,

    you are not alone! :D

    I have exactly the same issue with two Exchange 2016 mailbox servers behind the Sophos WAF. Outlook prompts for credentials indefinitely.

    When we use the WAF with one Exchange 2016 mailbox server, Outlook Anywhere works again.

    Have you found a solution to this issue?

    I'm going to continue searching on my side.

    Have a good day!

  • In reply to YvainBARON:

    Hey,

    I'm sorry, but we haven't found a solution to get this working over the WAF.

    Sophos support wasn't able to name a date when this will work, so we're using the server load balancing function in the UTM (Network Protection -> Server Load Balancing). It's not what we wanted, but it works.

    Regards

  • In reply to logan517:

    Hi everybody,

    did you find a solution or another workaround to use the WAF with several Exchange 2016 real webservers?

    Thanks for your help!

  • In reply to YvainBARON:

    Hi YvainBARON,

    No, sorry. I haven't found another solution to use the WAF with more than one Exchange 2016 server.

    At the moment we still use the simple server load balancing function.

    I read the changelog of each Up2Date release, but I honestly don't have much hope anymore.
    The UTM development seems to be dead; too bad for an actually really good product.

    Exchange 2019 will be released by the end of 2018; maybe it'll work again with that version.

  • In reply to logan517:

    Same for me with UTM 9.603-1. Any news on this?

    Load balancing should be possible with the WAF enabled.

  • In reply to flyinghuman:

    Hello,

    What does Sophos Support say about this issue now?

    Cheers - Bob

  • Is there no way to set session cookies on the SGS/XGS?

  • In reply to BAlfson:

    Nothing really helpful. Answer: Exchange 2016 is not completely supported!

    ... but advertised as a Forefront replacement? Bad.

  • In reply to piddae:

    Actually, with "persistent session cookie" enabled it seems to work. I will look at this in the next few days.