WAF Exchange 2016 Load Balancing causes Login problems

Hi,

we have 6 Exchange 2016 Servers and one Sophos UTM (9.409) (Active-Passiv Cluster, 2 Nodes).

Now I want'ed to combine our Exchange server with the WAF to remove our current loadbalancer.

I've configured the WAF with 2 diffrend tutorials
https://networkguy.de/?p=998 and
https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

When setting up Outlook, I am always asked for the password.
If I only use one realserver in a virtual server, insead of 6, Oulook / the Login works.
>1 Server -> no Way


How we configured our virtual directorys  authentication in Exchange:
mapi - windows authenticaton (ntlm, negotiale) - basic authentication
ews - integrated windows authentication
microsoft-server-activesync - basic authentication
owa - use form-based authtication with domain\username and pre set domain

We don't want to use the reverse authentication from sophos / waf.

 

Frank from frankysweb (see link above) wrote, that this is a bug (not a feature :D)
Comment from "19. Januar 2017 um 20:51"
[...]Die UTM kann in diesem Fall nur mit einem Exchange Server umgehen.[...]Das Problem ist schon mehrfach an Sophos gemeldet worden, aber leider immer noch nicht behoben. Bei mehreren Exchange Servern muss in diesem Fall ein externer Loadbalancer eingesetzt werden.

 

Is this realy a bug and do you have a Workaround?

 

Thanks
Logan517

  • I have been working through this, myself, and I have eliminated most of our issues as described here: https://community.sophos.com/products/unified-threat-management/f/web-server-security/118299/http-502-keepalivetimer-how-to-fix-outlook-client-authentication-prompts

     

    We still get credential pop ups occasionally, and I'm trying to find a way to tune them out even more, but the nature of MAPI over HTTP makes it impossible to completely eliminate the credential prompts.

     

    Lately, I've been fighting performance issues that I believe are unrelated to the basic configuration.  Both our Exchange virtual server on the WAF and the other production app we host through the WAF suffer from occasional extreme slowdowns... I'm currently exploring if it's related to connection exhaustion or something like that, but I don't think that has anything to do with the basic site setup.

    I can share screenshots of my config if anyone's interested.