On Thu, Aug 3, 2017 at 9:01 AM, Philipp Zeitschel <[email protected]> wrote:
> Hi,
>
> I have haproxy 1.7.8 @Ubuntu 16.04 up and running.
>
> Outlook Webaccess and the Administration Panel are working fine but I can’t
> get Outlook to work, it repeatedly asks for credentials (it is working if I
> try it directly without the loadbalancer).
>
> Microsoft's Connectivity Analyzer tells:
>
> Testing HTTP Authentication Methods for URL
> https://xxx/rpc/rpcproxy.dll?xxx:6002.
>
> The HTTP authentication methods are correct.
>
> Additional Details
>
> The Microsoft Connectivity Analyzer found all expected authentication
> methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
>
> HTTP Response Headers:
>
> request-id: b57cf3ce-4d29-4a15-9246-7527db63bea1
> Server: Microsoft-IIS/8.5
> WWW-Authenticate: Negotiate,NTLM,Basic realm="xxx"
> Date: Thu, 03 Aug 2017 07:57:54 GMT
> Content-Length: 0
>
> Elapsed Time: 1502 ms.
>
> Attempting to ping RPC proxy xxx.
>
> RPC Proxy can't be pinged.
>
> Additional Details
>
> An unexpected network-level exception was encountered.
>
> This is the log output of haproxy:
>
> Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14546 [03/Aug/2017:09:50:50.774] ft_exch~ oa/exch02 377/0/9/4/390 401 269 - - ---- 1/1/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-SHA384/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll HTTP/1.1
> Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.519] ft_exch~ oa/exch02 176/0/7/5/188 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll?xxx:6002 HTTP/1.1
> Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.708] ft_exch~ oa/exch02 175/0/0/4/180 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
> Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.239] ft_exch~ oa/exch02 182/0/7/4/193 401 582 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
> Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.433] ft_exch~ oa/exch02 177/0/0/169/346 404 282 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
>
> Firewall is deactivated
>
> And this is my configuration:
>
> global
>     log 127.0.0.1 local0 debug
>     log /var/lib/haproxy/dev/log local0 debug
>     log /var/lib/haproxy/dev/log local1 notice
>
>     chroot /var/lib/haproxy
>     stats socket /run/haproxy/admin.sock mode 660 level admin
>     stats timeout 30s
>     user haproxy
>     group haproxy
>     daemon
>     ssl-server-verify none
>     # Default SSL material locations
>     #ca-base /etc/ssl/certs
>     #crt-base /etc/ssl/private
>     crt-base /etc/ssl/ca/certs
>     ca-base /etc/ssl/ca/intermediate/certs
>
>     # Default ciphers to use on SSL-enabled listening sockets.
>     # For more information, see ciphers(1SSL). This list is from:
>     # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
>     ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
>     ssl-default-bind-options no-sslv3
>     tune.ssl.default-dh-param 2048
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     option http-keep-alive
>     option prefer-last-server
>     option forwardfor
>     option http-server-close
>     no option httpclose
>     no option forceclose
>     no option http-tunnel
>     balance leastconn
>     default-server inter 3s rise 2 fall 3
>     timeout client 600s
>     timeout http-request 10s
>     timeout connect 4s
>     timeout server 60s
>     errorfile 400 /etc/haproxy/errors/400.http
>     errorfile 403 /etc/haproxy/errors/403.http
>     errorfile 408 /etc/haproxy/errors/408.http
>     errorfile 500 /etc/haproxy/errors/500.http
>     errorfile 502 /etc/haproxy/errors/502.http
>     errorfile 503 /etc/haproxy/errors/503.http
>     errorfile 504 /etc/haproxy/errors/504.http
>
> frontend ft_exch
>     bind 0.0.0.0:443 name https ssl crt /etc/ssl/z/bundle.pem no-sslv3
>     capture request header Host len 32
>     capture request header User-Agent len 64
>     capture response header Content-Length len 10
>     log /var/lib/haproxy/dev/log local4 debug
>     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
>     option http-keep-alive
>     option socket-stats
>     stats uri /haproxy?stats
>     stats realm Strictly\ Private
>     stats auth admin:xxx
>
>     maxconn 1000
>     acl ssl_connection ssl_fc
>     acl host_mail hdr(Host) -i xxx
>     acl path_slash path /
>     acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
>     acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
>     acl path_ews path_beg -i /ews/
>     acl path_owa path_beg -i /owa/
>     acl path_oa path_beg -i /rpc/rpcproxy.dll
>     acl path_ecp path_beg -i /ecp/
>     acl path_oab path_beg -i /oab/
>     acl path_mapi path_beg -i /mapi/
>     acl path_check path_end -i HealthCheck.htm
>     http-request deny if path_check
>     http-request redirect scheme https code 302 unless ssl_connection
>     http-request redirect location /owa/ code 302 if path_slash host_mail
>     use_backend autodiscover if path_autodiscover
>     use_backend activesync if path_activesync
>     use_backend ews if path_ews
>     use_backend owa if path_owa
>     use_backend oa if path_oa
>     use_backend ecp if path_ecp
>     use_backend oab if path_oab
>     use_backend mapi if path_mapi
>     default_backend default
>
> backend activesync
>     option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
>     http-check expect string 200\ OK
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend autodiscover
>     option httpchk GET /Autodiscover/HealthCheck.htm
>     http-check expect string 200\ OK
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend ecp
>     option httpchk GET /ECP/HealthCheck.htm
>     http-check expect string 200\ OK
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend ews
>     option httpchk GET /EWS/HealthCheck.htm
>     http-check expect string 200\ OK
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend mapi
>     balance source
>     option httpchk GET /mapi/HealthCheck.htm
>     http-check expect string 200\ OK
>     option http-keep-alive
>     option prefer-last-server
>     timeout server 600s
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend oab
>     option httpchk GET /OAB/HealthCheck.htm
>     http-check expect string 200\ OK
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend oa
>     balance source
>     option httpchk GET /RPC/HealthCheck.htm
>     http-check expect string 200\ OK
>     option http-keep-alive
>     option prefer-last-server
>     timeout server 600s
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend owa
>     option httpchk GET /owa/HealthCheck.htm
>     http-check expect string 200\ OK
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> backend default
>     timeout server 60s
>     server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
>     server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
>
> Hope someone can help. I’m googling and experimenting for weeks now but it
> seems like everybody is using Exchange 2013 and that people that are telling
> they have a working configuration won’t post it.

As a basic troubleshooting step, I would suggest trying a simplified config with just a default section single backend with either different weights for the two servers, or just a single backend.

Cheers
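
One way to write the simplified configuration suggested in the reply, as an added example that is not part of the original thread: the posted setup reduced to one frontend and one backend, so that path-based routing and the per-path health checks drop out as variables. The backend name `exch_all`, the weight values and the 600s server timeout (taken from the posted `oa` backend) are assumptions; the connection-mode options are kept as posted, and server addresses stay redacted as `xxx`.

```haproxy
# Added example, reduced from the configuration posted above.
global
    log /var/lib/haproxy/dev/log local0 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    # Connection-mode options kept exactly as posted, so that only the
    # routing differs from the original configuration.
    option http-keep-alive
    option prefer-last-server
    option forwardfor
    option http-server-close
    timeout client 600s
    timeout http-request 10s
    timeout connect 4s
    timeout server 600s   # assumption: value from the posted "oa" backend

frontend ft_exch
    bind 0.0.0.0:443 name https ssl crt /etc/ssl/z/bundle.pem no-sslv3
    capture request header Host len 32
    capture request header User-Agent len 64
    # No ACLs and no use_backend rules: every request, including
    # /rpc/rpcproxy.dll, goes to the same backend.
    default_backend exch_all

backend exch_all
    # Hypothetical backend name. Weights are illustrative: they differ so
    # that most traffic lands on one server, as the reply proposes.
    # "verify none" is carried over from the post; it turns off
    # certificate verification towards the Exchange servers.
    server exch01 xxx:443 ssl verify none weight 10 check
    server exch02 xxx:443 ssl verify none weight 1 check
    # Variant with one server only (one reading of the reply's last
    # clause): comment out the exch02 line above.
```

The file can be syntax-checked with `haproxy -c -f <file>` before reloading. With the default HTTP log format in place, the server name and status code of each `RPC_IN_DATA` request remain visible for comparison with the log lines in the original post.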

