
WAF Exchange 2016 Load Balancing causes Login problems

Hi,

we have 6 Exchange 2016 servers and one Sophos UTM (9.409) (active-passive cluster, 2 nodes).

Now I wanted to combine our Exchange servers with the WAF to remove our current load balancer.

I've configured the WAF following 2 different tutorials:
https://networkguy.de/?p=998 and
https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/

When setting up Outlook, I am always asked for the password.
If I only use one real server in a virtual server, instead of 6, Outlook / the login works.
>1 server -> no way


How we configured our virtual directories' authentication in Exchange:
mapi - Windows authentication (NTLM, Negotiate) - basic authentication
ews - integrated Windows authentication
microsoft-server-activesync - basic authentication
owa - use form-based authentication with domain\username and pre-set domain

We don't want to use the reverse authentication from sophos / waf.


Frank from frankysweb (see link above) wrote that this is a bug (not a feature :D).
Comment from "19 January 2017 at 20:51":
[...]In this case the UTM can only handle one Exchange server.[...]The problem has already been reported to Sophos several times, but unfortunately it still hasn't been fixed. With multiple Exchange servers an external load balancer has to be used in this case.


Is this really a bug, and do you have a workaround?


Thanks
Logan517



  • Are we really the only ones who have the problem? / More than one Exchange 2016 server?

    Or does nobody have an idea?

  • Hi,

    if you have multiple real webservers, the load is distributed between all webservers. This means you authenticate at webserver A, the next request goes to webserver B, and webserver B asks for your credentials again.

    To prevent this, there is the option 'Enable sticky session cookie' on the advanced tab in the site path route edit form.
    If you enable this option "each (client) session will be bound to one real webserver. If enabled, a cookie is passed to the user's browser, which provokes the UTM to route all requests from this browser to the same real webserver. If the server is not available, the cookie will be updated, and the session will switch to another webserver." (cited from the Sophos UTM Online Help).

    Edit: When sticky session cookie is enabled the load is still balanced between the webservers. But each client sticks to one webserver.

    Best,
    Sabine

  • Hi Sabine,

    Thanks for your reply, but this isn't the fault.

    I've already enabled the "sticky session cookie" in the site path route, and OWA works fine.


    Our Outlook clients on Windows computers are the problem. The users will always be asked for the credentials, even if you select the "remember me" box.

    Only if I remove 3 of our 4 real servers does Outlook work.


    Greetings

  • This just doesn't seem like a configuration issue that's well-known. What if you enable reverse auth so that WAF knows the credentials?

    I wonder if there isn't something that can be configured in Exchange that enables the servers to share credentials in a distributed environment.

    What does Sophos Support say about this?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    No, I haven't tried the reverse auth. We don't want to use this feature. We want to use the WAF for load balancing and virus / hacker / etc. protection.

    Sophos support isn't especially helpful (sorry about that); they say the same thing as Evianne / Sabine: the thing with the sticky session cookie.

    As I said, the sticky session cookie works on OWA / browsers. They are able to save it. But Outlook does not.

    I think this is the problem, and we need another scheduling/balancing method.

    I'm wondering whether we are the only ones with this problem.


    Greetings
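A toy model of what Sabine describes above and of what Logan517 reports about Outlook: each real webserver only knows the clients that authenticated to it, so a request balanced onto another server is prompted again, and a sticky cookie only helps clients that actually return it. This is an added example, not code from the thread or from Sophos; the Backend/Waf classes, the backend names and the round-robin scheduling are constructed assumptions for the simulation.

```python
from itertools import cycle

class Backend:
    """One real webserver (constructed): it only knows clients that authenticated to it."""
    def __init__(self, name):
        self.name = name
        self.authenticated = set()

    def handle(self, client_id):
        """Return True when this request causes a credential prompt."""
        if client_id in self.authenticated:
            return False
        self.authenticated.add(client_id)
        return True

class Waf:
    """Round-robin balancer with an optional sticky session cookie (assumed model of the UTM option)."""
    def __init__(self, backends, sticky):
        self.backends = {b.name: b for b in backends}
        self.rr = cycle(backends)
        self.sticky = sticky

    def request(self, client_id, cookies):
        """Route one request; return (prompted, cookies the WAF sets on the response)."""
        backend = None
        if self.sticky:
            # A returned cookie pins the client to the backend named in it.
            backend = self.backends.get(cookies.get("sticky"))
        if backend is None:
            backend = next(self.rr)
        prompted = backend.handle(client_id)
        set_cookies = {"sticky": backend.name} if self.sticky else {}
        return prompted, set_cookies

def count_prompts(sticky, client_returns_cookies, requests=12):
    """Credential prompts one client sees over `requests` requests against 6 backends."""
    waf = Waf([Backend(f"ex{i}") for i in range(1, 7)], sticky)
    jar = {}  # the client's cookie jar; a client that ignores cookies never fills it
    prompts = 0
    for _ in range(requests):
        prompted, set_cookies = waf.request("user1", jar)
        prompts += prompted
        if client_returns_cookies:
            jar.update(set_cookies)
    return prompts

if __name__ == "__main__":
    print("browser, no sticky cookie:", count_prompts(False, True))  # 6
    print("browser, sticky cookie:   ", count_prompts(True, True))   # 1
    print("client ignoring cookies:  ", count_prompts(True, False))  # 6
```

The last case is the situation described for Outlook: the sticky option is on, but a client that does not send the cookie back is still spread over all backends and prompted once per backend.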
