os-OPNWAF / Exchange 2019 authentication Popups

Started by humnab, December 05, 2025, 04:44:04 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
December 11, 2025, 11:09:10 AM #15
Thanks for testing.

The Sophos config has these two settings, can you add them to the location?

Code Select
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c

If that didn't change anything remove http/2 and force http/1.1

Replace:
Code Select
Protocols h2 http/1.1With:
Code Select
Protocols http/1.1
Please try these one by one so we can figure out which one did the trick. I imagine the http/1.1 might do something, since Caddy does the same when enabling the NTML module in it.
Hardware:
DEC740
December 11, 2025, 04:51:40 PM #16
Hello,

no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:

Code Select
ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<LocatioN />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
December 11, 2025, 04:57:49 PM #17
Sorry to be really specific but in the first virtual host you have

"LocatioN"

and in the second virtual host you dont have any location. Can you put the same location in there?

Could you fix that and retry just to be 100% sure?

------

A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).
Hardware:
DEC740
Print
Go Up Pages 1 2
User actions