Hi!
I'm using haproxy 1.5dev17 and try to balance traffic destined for MS
Exchange 2010 CAS servers.
OWA and ActiveSync are working without any problems- but Outlook Anywhere
(RPC over HTTP with NTLM auth) produces an error 401 even with Microsofts
Remote Connectivity Analyzer.
HAProxy runs in SSL offload mode. The cert is an officialy signed one.
My haproxy.conf is (partially):
...
defaults
mode http
maxconn 50000
contimeout 4000
clitimeout 50000
srvtimeout 50000
balance roundrobin
log global
option tcplog
option redispatch
option contstats
option dontlognull
timeout connect 5s
timeout http-keep-alive 5s
timeout http-request 15s
timeout queue 30s
timeout client 300s
timeout server 300s
default-server inter 3s rise 2 fall 3
backlog 10000
option http-pretend-keepalive
frontend WebAccess
maxconn 50000
bind 172.17.336.433:666 ssl crt
/usr/local/etc/haproxy-certs/mc.dom.com.pem
mode http
option httplog
log global
no option httpclose
acl ACLRPC path_beg -i /rpc/rpcproxy.dll
use_backend OutlookAnywhere if ACLRPC
...
backend OutlookAnywhere
stick-table type ip size 10240k expire 60m
stick on src
cookie SRV insert nocache
balance roundrobin
option redispatch
server juno 172.17.336.433:80 cookie oasrv1 weight 1 check
...
The one active CAS server used for testing purposes (juno) is configured
for SSL offloading for RPC. All other Exchange directories in IIS are set
to not require SSL on this system.
When running HAProxy in debug mode an Outlook Anywhere session looks like:
00000005:WebAccess.clireq[000d:ffff]: RPC_IN_DATA
/Rpc/RpcProxy.dll?lips.dom.intl:6001 HTTP/1.1
00000005:WebAccess.clihdr[000d:ffff]: Accept: application/rpc
00000005:WebAccess.clihdr[000d:ffff]: User-Agent: MSRPC
00000005:WebAccess.clihdr[000d:ffff]: Authorization: NTLM
TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
00000005:WebAccess.clihdr[000d:ffff]: Host: mc.dom.com
00000005:WebAccess.clihdr[000d:ffff]: Content-Length: 0
00000005:OutlookAnywhere.srvrep[000d:000e]: HTTP/1.1 401 Unauthorized
00000005:OutlookAnywhere.srvhdr[000d:000e]: Content-Type: text/html
00000005:OutlookAnywhere.srvhdr[000d:000e]: Server: Microsoft-IIS/7.5
00000005:OutlookAnywhere.srvhdr[000d:000e]: WWW-Authenticate: NTLM
TlRMTVNTUAACAAAABgAGADgAAAAFgomiDMdfGnUDCJUAAAAAAAAAAGwAbAA+AAAABgGxHQAAAA9OAEsARAACAAYATgBLAEQAAQAIAEoAVQBOAE8ABAAQAG4AawBkAC4AaQBuAHQAbAADABoAagB1AG4AbwAuAG4AawBkAC4AaQBuAHQAbAAFABAAbgBrAGQALgBpAG4AdABsAAcACADUFzdfwP/NAQAAAAA=
00000005:OutlookAnywhere.srvhdr[000d:000e]: WWW-Authenticate: Negotiate
00000005:OutlookAnywhere.srvhdr[000d:000e]: X-Powered-By: ASP.NET
00000005:OutlookAnywhere.srvhdr[000d:000e]: Date: Thu, 31 Jan 2013
14:36:35 GMT
00000005:OutlookAnywhere.srvhdr[000d:000e]: Content-Length: 58
I suspect NTLM to be the culprit.
Even after searching through all possible ressources I cannot find a
solution for this problem. As you can see in the config above I already
tried to implement some kind of keep-alive- with no success at all.
If I bypass HAProxy or change HAProxy config to "mode tcp" everything is
fine.
Have anyone had this kind of problem already? Or maybe some similar?
Best regards,
Roland