Hi, i have haproxy 1.7.8 @Ubuntu 16.04 up and running. Outlook Webaccess and the Administration Panel are working fine but I can't get Outlook to work, it repeatly asks for credentials (it is working if I try it directly without the loadbalancer). Microsofts Connectivity Analyzer tells: Testing HTTP Authentication Methods for URL https://xxx/rpc/rpcproxy.dll?xxx:6002. The HTTP authentication methods are correct.
Additional Details The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM HTTP Response Headers: request-id: b57cf3ce-4d29-4a15-9246-7527db63bea1 Server: Microsoft-IIS/8.5 WWW-Authenticate: Negotiate,NTLM,Basic realm="xxx" Date: Thu, 03 Aug 2017 07:57:54 GMT Content-Length: 0 Elapsed Time: 1502 ms. Attempting to ping RPC proxy xxx. RPC Proxy can't be pinged. Additional Details An unexpected network-level exception was encountered. This is the log output of haproxy: Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14546 [03/Aug/2017:09:50:50.774] ft_exch~ oa/exch02 377/0/9/4/390 401 269 - - ---- 1/1/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-SHA384/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll HTTP/1.1 Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.519] ft_exch~ oa/exch02 176/0/7/5/188 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll?xxx:6002 HTTP/1.1 Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.708] ft_exch~ oa/exch02 175/0/0/4/180 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1 Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.239] ft_exch~ oa/exch02 182/0/7/4/193 401 582 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1 Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.433] ft_exch~ oa/exch02 177/0/0/169/346 404 282 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1 Firewall is deaktivated And this is my configuration: global log 127.0.0.1 local0 debug log /var/lib/haproxy/dev/log local0 debug log /var/lib/haproxy/dev/log local1 notice chroot /var/lib/haproxy stats socket /run/haproxy/admin.sock mode 660 level admin stats timeout 30s user haproxy group haproxy daemon ssl-server-verify none # Default SSL material locations #ca-base /etc/ssl/certs #crt-base /etc/ssl/private crt-base /etc/ssl/ca/certs ca-base /etc/ssl/ca/intermediate/certs # Default ciphers to use on SSL-enabled listening sockets. # For more information, see ciphers(1SSL). This list is from: # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS ssl-default-bind-options no-sslv3 tune.ssl.default-dh-param 2048 defaults log global mode http option httplog option dontlognull option http-keep-alive option prefer-last-server option forwardfor option http-server-close no option httpclose no option forceclose no option http-tunnel balance leastconn default-server inter 3s rise 2 fall 3 timeout client 600s timeout http-request 10s timeout connect 4s timeout server 60s errorfile 400 /etc/haproxy/errors/400.http errorfile 403 /etc/haproxy/errors/403.http errorfile 408 /etc/haproxy/errors/408.http errorfile 500 /etc/haproxy/errors/500.http errorfile 502 /etc/haproxy/errors/502.http errorfile 503 /etc/haproxy/errors/503.http errorfile 504 /etc/haproxy/errors/504.http frontend ft_exch bind 0.0.0.0:443 name https ssl crt /etc/ssl/z/bundle.pem no-sslv3 capture request header Host len 32 capture request header User-Agent len 64 capture response header Content-Length len 10 log /var/lib/haproxy/dev/log local4 debug log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ss l_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1" option http-keep-alive option socket-stats stats uri /haproxy?stats stats realm Strictly\ Private stats auth admin:xxx maxconn 1000 acl ssl_connection ssl_fc acl host_mail hdr(Host) -i xxx acl path_slash path / acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml acl path_activesync path_beg -i /Microsoft-Server-ActiveSync acl path_ews path_beg -i /ews/ acl path_owa path_beg -i /owa/ acl path_oa path_beg -i /rpc/rpcproxy.dll acl path_ecp path_beg -i /ecp/ acl path_oab path_beg -i /oab/ acl path_mapi path_beg -i /mapi/ acl path_check path_end -i HealthCheck.htm http-request deny if path_check http-request redirect scheme https code 302 unless ssl_connection http-request redirect location /owa/ code 302 if path_slash host_mail use_backend autodiscover if path_autodiscover use_backend activesync if path_activesync use_backend ews if path_ews use_backend owa if path_owa use_backend oa if path_oa use_backend ecp if path_ecp use_backend oab if path_oab use_backend mapi if path_mapi default_backend default backend activesync option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm http-check expect string 200\ OK server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend autodiscover option httpchk GET /Autodiscover/HealthCheck.htm http-check expect string 200\ OK server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend ecp option httpchk GET /ECP/HealthCheck.htm http-check expect string 200\ OK server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend ews option httpchk GET /EWS/HealthCheck.htm http-check expect string 200\ OK server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend mapi balance source option httpchk GET /mapi/HealthCheck.htm http-check expect string 200\ OK option http-keep-alive option prefer-last-server timeout server 600s server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend oab option httpchk GET /OAB/HealthCheck.htm http-check expect string 200\ OK server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend oa balance source option httpchk GET /RPC/HealthCheck.htm http-check expect string 200\ OK option http-keep-alive option prefer-last-server timeout server 600s server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend owa option httpchk GET /owa/HealthCheck.htm http-check expect string 200\ OK server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check backend default timeout server 60s server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check hope someone can help I'm googling and experimenting for weeks now but it seems like everybody is using Exchange 2013 and that people that are telling they have a working configuration won't post it. Thanks in advance Regards Philipp