We have 6 Exchange 2016 servers and one Sophos UTM (9.409) (active-passive cluster, 2 nodes).
Now I wanted to combine our Exchange servers with the WAF to remove our current load balancer.
I've configured the WAF with 2 different tutorials: https://networkguy.de/?p=998 and https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/
When setting up Outlook, I am always asked for the password. If I only use one real server in a virtual server instead of 6, Outlook / the login works. >1 server -> no way.
How we configured our virtual directories' authentication in Exchange:
- mapi - Windows authentication (NTLM, Negotiate) - basic authentication
- ews - integrated Windows authentication
- microsoft-server-activesync - basic authentication
- owa - use form-based authentication with domain\username and preset domain
We don't want to use the reverse authentication from sophos / waf.
Frank from frankysweb (see link above) wrote that this is a bug (not a feature :D). Comment from "19. Januar 2017 um 20:51": [...] In this case the UTM can only handle one Exchange server. [...] The problem has already been reported to Sophos several times, but unfortunately it still has not been fixed. With several Exchange servers, an external load balancer has to be used in this case.
Is this really a bug, and do you have a workaround?
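Before blaming the WAF, it is worth confirming that all six real servers advertise exactly the authentication settings listed above; a single server with a deviating MAPI, EWS, ActiveSync or OWA setting produces the same kind of credential prompts whenever the WAF happens to pick it. The following script is an added example and not part of this thread or of either tutorial; it assumes it is run from the Exchange Management Shell and reads the server list from Get-ExchangeServer, so no names from the poster's environment are used.

```powershell
# Added example: compare the authentication settings of the four virtual
# directories discussed in the post across every Client Access-capable server.
# Assumes the Exchange Management Shell; server names are discovered, not hard-coded.

$servers = Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer } |
    Select-Object -ExpandProperty Name

$report = foreach ($s in $servers) {
    $mapi = Get-MapiVirtualDirectory        -Server $s
    $ews  = Get-WebServicesVirtualDirectory -Server $s
    $eas  = Get-ActiveSyncVirtualDirectory  -Server $s
    $owa  = Get-OwaVirtualDirectory         -Server $s

    # One row per server; multi-valued settings are sorted and joined so that
    # the same set of methods always renders as the same string.
    [pscustomobject]@{
        Server     = $s
        MapiAuth   = ($mapi.IISAuthenticationMethods      | Sort-Object) -join ','
        EwsAuth    = ($ews.InternalAuthenticationMethods  | Sort-Object) -join ','
        EasBasic   = $eas.BasicAuthEnabled
        EasWindows = $eas.WindowsAuthEnabled
        OwaForms   = $owa.FormsAuthentication
        OwaLogon   = "$($owa.LogonFormat)/$($owa.DefaultDomain)"
    }
}

$report | Format-Table -AutoSize

# Warn about every setting whose value is not identical on all servers.
$columns = 'MapiAuth','EwsAuth','EasBasic','EasWindows','OwaForms','OwaLogon'
foreach ($c in $columns) {
    $distinct = @($report | ForEach-Object { $_.$c } | Sort-Object -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "Setting '$c' differs between servers: $($distinct -join ' | ')"
    }
}
```

If the script prints no warnings, the backend servers are consistent and the remaining prompts are a property of how the WAF distributes connections between real servers, which is the point Frank's comment makes; if it does warn, fix the odd server first, because that alone explains intermittent prompts that disappear with a single real server.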
I have been working through this myself, and I have eliminated most of our issues as described here: https://community.sophos.com/products/unified-threat-management/f/web-server-security/118299/http-502-keepalivetimer-how-to-fix-outlook-client-authentication-prompts
We still get credential pop ups occasionally, and I'm trying to find a way to tune them out even more, but the nature of MAPI over HTTP makes it impossible to completely eliminate the credential prompts.
Lately, I've been fighting performance issues that I believe are unrelated to the basic configuration. Both our Exchange virtual server on the WAF and the other production app we host through the WAF suffer from occasional extreme slowdowns... I'm currently exploring whether it's related to connection exhaustion or something like that, but I don't think that has anything to do with the basic site setup.
I can share screenshots of my config if anyone's interested.