Hi,
We have 6 Exchange 2016 servers and one Sophos UTM (9.409) (Active-Passive cluster, 2 nodes).
Now I wanted to combine our Exchange servers with the WAF to remove our current load balancer.
I've configured the WAF following 2 different tutorials: https://networkguy.de/?p=998 and https://www.frankysweb.de/sophos-utm-9-4-waf-und-exchange-2016/
When setting up Outlook, I am always asked for the password. If I only use one real server in a virtual server, instead of 6, Outlook / the login works. >1 server -> no way.
How we configured our virtual directories' authentication in Exchange:
- mapi: Windows authentication (NTLM, Negotiate), Basic authentication
- ews: Integrated Windows authentication
- microsoft-server-activesync: Basic authentication
- owa: form-based authentication with domain\username and a preset domain
We don't want to use the reverse authentication from sophos / waf.
Frank from frankysweb (see link above) wrote that this is a bug (not a feature :D). Comment from "19 January 2017 at 20:51":
[...] In this case the UTM can only handle one Exchange server. [...] The problem has already been reported to Sophos several times, but unfortunately still hasn't been fixed. With multiple Exchange servers, an external load balancer must be used in this case.
Is this really a bug and do you have a workaround?
Thanks
Logan517
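Since a WAF that spreads one client's requests over several real servers only works when every node answers with the same authentication methods, the following is an added example (not the poster's or Sophos' code) that audits the virtual directory settings listed above across all Exchange 2016 mailbox servers and flags any node that differs. It assumes the Exchange Management Shell; the server filter on the Mailbox role is an assumption you may narrow.

```powershell
# Added example: compare client-access virtual directory authentication
# settings across all Exchange 2016 Mailbox servers behind the WAF.
# Assumes the Exchange Management Shell; the Mailbox-role filter is an assumption.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*Mailbox*' } |
           Select-Object -ExpandProperty Name

function Get-VdirAuthProfile {
    param([string]$Server)

    $mapi = Get-MapiVirtualDirectory -Server $Server
    $ews  = Get-WebServicesVirtualDirectory -Server $Server
    $eas  = Get-ActiveSyncVirtualDirectory -Server $Server
    $owa  = Get-OwaVirtualDirectory -Server $Server

    # One flat, comparable record per server
    [pscustomobject]@{
        Server        = $Server
        MapiIISAuth   = ($mapi.IISAuthenticationMethods | Sort-Object) -join ','
        EwsWindows    = $ews.WindowsAuthentication
        EwsBasic      = $ews.BasicAuthentication
        EasBasic      = $eas.BasicAuthEnabled
        EasWindows    = $eas.WindowsAuthEnabled
        OwaForms      = $owa.FormsAuthentication
        OwaLogonFmt   = $owa.LogonFormat
        OwaDefaultDom = $owa.DefaultDomain
    }
}

$profiles = foreach ($s in $servers) { Get-VdirAuthProfile -Server $s }

# Everything except the server name must match across the farm; a node that
# offers a different method set produces credential prompts as soon as the
# WAF sends a client's follow-up requests to it.
$compareProps = 'MapiIISAuth','EwsWindows','EwsBasic','EasBasic','EasWindows',
                'OwaForms','OwaLogonFmt','OwaDefaultDom'
$reference = $profiles[0]
foreach ($p in $profiles) {
    $diff = $compareProps | Where-Object { "$($p.$_)" -ne "$($reference.$_)" }
    if ($diff) {
        Write-Warning ("{0} differs from {1} in: {2}" -f $p.Server, $reference.Server, ($diff -join ', '))
    }
}
$profiles | Format-Table -AutoSize
```

A clean result (no warnings) rules out inconsistent backend settings as the cause of the prompts, leaving the missing session persistence on the WAF as the remaining explanation.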
Hello,
What does Sophos Support say about this issue now?
Cheers - Bob
Is there no way to set session cookies on the SGS/XGS?
Nothing really helpful. Answer: Exchange 2016 is not completely supported!... but advertising it as a Forefront replacement? Bad.
Perhaps this helps:
docs.microsoft.com/.../kerberos-auth-for-load-balanced-client-access
Actually, with "persistent Session Cookie" enabled it seems to work. I will look at this in the next days.
I have been working through this, myself, and I have eliminated most of our issues as described here: https://community.sophos.com/products/unified-threat-management/f/web-server-security/118299/http-502-keepalivetimer-how-to-fix-outlook-client-authentication-prompts
We still get credential pop ups occasionally, and I'm trying to find a way to tune them out even more, but the nature of MAPI over HTTP makes it impossible to completely eliminate the credential prompts.
Lately, I've been fighting performance issues that I believe are unrelated to the basic configuration. Both our Exchange virtual server on the WAF and the other production app we host through the WAF suffer from occasional extreme slowdowns... I'm currently exploring if it's related to connection exhaustion or something like that, but I don't think that has anything to do with the basic site setup.
I can share screenshots of my config if anyone's interested.
In my opinion, the cause of the problem is that the load balancer cannot relay HTTP requests from the same user to a fixed Exchange server.
From the perspective of the load balancer, all requests come from the same source IP, which is the LAN IP of the UTM.
Recommended to:
- remove the load balancer
- assign multiple Exchange servers to the site path
- try "Enable sticky session cookie" in site path > advanced settings. However, I have had no chance to test "Enable sticky session cookie" for Exchange servers. "Enable sticky session cookie" is designed for the HTTP protocol, and it might not work for the MAPI and EWS protocols used by Exchange.