Hi Leo,

I have a lab with a slightly different configuration than yours.
In my lab, HAProxy deciphers the traffic, logs everything, then reciphers
the traffic to the server. Like a man in the middle.
I have a round robin algorithm + no session persistence + option
http-server-close.

I ran the same test as yours.

From my lab platform, I can see these URLs requested, each preceded by
the server that was used:
exch1: "POST /ecp/DDI/DDIService.svc/SetObject?schema=PasswordService&msExchEcpCanary=<SOME BLAH BLAH HERE> HTTP/1.1"
exch2: "GET /ecp/PersonalSettings/logoff.aspx?src=exch HTTP/1.1"
exch1: "GET /owa/logoff.owa HTTP/1.1"
exch2: "GET /owa/auth/logon.aspx?url=https%3a%2f%2fmail.2013.haproxylab.net%2fowa%2flogoff.owa&reason=0 HTTP/1.1"

So it sounds normal that I'm logged out after a password update: application design.

That said, your configuration should not produce this effect, since
all your requests are routed to a single server.
Another point: my password has been changed, but now I can't change
it anymore due to a password policy issue (whatever I type in, it says
my password is too weak)...

I'll investigate this on my platform and keep you updated.

Can you tell us exactly how your NetScaler is configured and works
with Exchange 2013?

Baptiste


On Fri, Sep 20, 2013 at 3:56 AM, Leo Raikhman <[email protected]> wrote:
> Hi all,
>
> I have haproxy 1.5dev19 running in TCP mode in front of my Exchange 2013 CAS
> servers. My config is appended.
>
> It seems that haproxy can't handle the outlook web access redirect. When I
> log into OWA 2013, internally, and externally, everything is fine.
>
> When I click on the "Options" or "Change Password" item on the OWA menu the
> URL changes from https://email.company.com/owa to
> https://email.company.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2femail.company.com%2fecp%2f%3frfr%3dowa%26owaparam%3dmodurl%253D0%26p%3daccount
> and drops me into the Exchange 2013 login page again, except I can't login.
>
> This does not happen internally, or when I load balance the CAS servers
> behind a Citrix NetScaler. Is there something I'm missing? Does haproxy have
> a character limit on URLs in TCP mode? Can it not decode the URL encoding of
> those characters?
>
> Please help...
>
> Config:
>
> defaults
>   option  dontlognull
>   option  redispatch
>   option  contstats
>   retries 3
>   timeout connect 5s
>   timeout http-keep-alive 1s
>   timeout http-request 15s
>   timeout queue 30s
>   timeout tarpit 1m
>   backlog 10000
>
>   balance roundrobin
>   mode tcp
>   option tcplog
>   log global
>   timeout client 300s
>   timeout server 300s
>   default-server inter 3s rise 2 fall 3
>
> frontend ft_exchange_tcp
>   bind 10.0.0.9:443 name https
>   maxconn 10000
>   default_backend bk_exchange_tcp
>
> backend bk_exchange_tcp
>   stick-table type ip size 10240k expire 60m
>   stick on src
>   option redispatch
>   option abortonclose
>   balance leastconn
>   server cas1 10.0.0.15:443 maxconn 10000 check
>   server cas2 10.0.0.16:443 maxconn 10000 check
>
> --
> Leo Raikhman
> VMware ESX/Storage Consultant
> Ph: 0404943618
> Email: [email protected]
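
A minimal HAProxy configuration of the kind described in the reply above (TLS terminated at the proxy, every request logged, traffic re-encrypted to the servers, round robin without persistence), written as an added example and not taken from either poster's setup. The addresses, certificate paths and section names are placeholders.

```haproxy
# Added example, not the lab configuration from the thread.
# Addresses (192.0.2.x) and file paths are placeholders.
global
  log 127.0.0.1 local0

defaults
  mode http
  log global
  option httplog            # log method, URL and the server chosen for each request
  option http-server-close  # close the server side after each response,
                            # so every request is load balanced again
  timeout connect 5s
  timeout client 300s
  timeout server 300s

frontend ft_exchange_https
  # TLS ends here, which is what lets HAProxy see and log the HTTP requests
  bind 192.0.2.9:443 name https ssl crt /etc/haproxy/certs/mail.pem
  default_backend bk_exchange_https

backend bk_exchange_https
  balance roundrobin        # no stick-table and no cookie: no session persistence
  # Re-encrypt towards the servers and verify their certificates against a CA
  server exch1 192.0.2.15:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
  server exch2 192.0.2.16:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check
```

In contrast to `mode tcp` with `option tcplog`, which only records connection-level data, the HTTP log in this mode carries the request line and the server name, so consecutive requests of one session can be matched to the server that answered them.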
