WAF Exchange 2016 Load Balancing causes Login problems

Question

Hi, 
 we have 6 Exchange 2016 Servers and one Sophos UTM (9.409) (Active-Passiv Cluster, 2 Nodes). 
 Now I want'ed to combine our Exchange server with the WAF to remove our current loadbalancer. 
 I've configured the WAF with 2 diffrend tutorials https://networkguy.de/?p=998 and https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/ 
 When setting up Outlook, I am always asked for the password. If I only use one realserver in a virtual server, insead of 6, Oulook / the Login works. >1 Server -> no Way 
 How we configured our virtual directorys authentication in Exchange: mapi - windows authenticaton (ntlm, negotiale) - basic authentication ews - integrated windows authentication microsoft-server-activesync - basic authentication owa - use form-based authtication with domain\username and pre set domain 
 We don't want to use the reverse authentication from sophos / waf. 
 
 Frank from frankysweb (see link above) wrote, that this is a bug (not a feature :D) Comment from "19. Januar 2017 um 20:51" [...]Die UTM kann in diesem Fall nur mit einem Exchange Server umgehen.[...]Das Problem ist schon mehrfach an Sophos gemeldet worden, aber leider immer noch nicht behoben. Bei mehreren Exchange Servern muss in diesem Fall ein externer Loadbalancer eingesetzt werden. 
 
 Is this realy a bug and do you have a Workaround? 
 
 Thanks Logan517

taowang · Accepted Answer

In my opinion, cause of problem is load balancer cannot relay HTTP requests from same user to a fixed Exchange server. 
 In the perspective of Load balancer, all requests come from same source IP, which is LAN IP of UTM. 
 Recommended to 
 - remove load balancer 
 - assign multiple Exchange servers to site path 
 - try "Enable sticky session cookie" in site path > advanced settings. However, I have no chance to test "Enable sticky session cookie" for Exchange server. "Enable sticky session cookie" is desinged for HTTP protocol, and it might not work for MAPI, EWS protocols used by Exchange.

Bjorkum · Answer

I have been working through this, myself, and I have eliminated most of our issues as described here: https://community.sophos.com/products/unified-threat-management/f/web-server-security/118299/http-502-keepalivetimer-how-to-fix-outlook-client-authentication-prompts 
 
 We still get credential pop ups occasionally, and I'm trying to find a way to tune them out even more, but the nature of MAPI over HTTP makes it impossible to completely eliminate the credential prompts. 
 
 Lately, I've been fighting performance issues that I believe are unrelated to the basic configuration. Both our Exchange virtual server on the WAF and the other production app we host through the WAF suffer from occasional extreme slowdowns... I'm currently exploring if it's related to connection exhaustion or something like that, but I don't think that has anything to do with the basic site setup. 
 I can share screenshots of my config if anyone's interested.