os-OPNWAF / Exchange 2019 authentication Popups

Started by humnab, December 05, 2025, 04:44:04 PM

Hello,

we're migrating from a Sophos UTM to opnsense-business and try to replace the Sophos WAF with os-OPNWAF.
Now we have the problem that we get authentication popups in Outlook when we try to connect externally.
After canceling the popups or entering the password 2-3 times Outlook shows online.
When we do the same with the caddy plugin we have no popups (but no WAF), with the Sophos UTM WAF we also have no popups.

Any idea what's wrong? The Web Protection is disabled in os-OPNWAF, the Locations are configured as "Exchange Server", the Remote destinations with https://IP of Exchange...Thanks!

The popups should not happen since this apache plugin is compiled in:

https://github.com/opnsense/ports/tree/master/opnsense/mod_proxy_msrpc

Outlook Anywhere should just work the same as in Sophos (fun fact that module was developed by Astaro - which later became Sophos).

When I tested this while writing the manual, it was still working. Is your setup exactly as described? If not, do it like in the manual.

https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
Hardware:
DEC740

Hello,

sure, I did it as described in https://docs.opnsense.org/vendor/deciso/opnwaf.html#exchange-server
I set up the mail and the autodiscover virtual server as described and I also played with the authentication settings in the Exchange virtual directories, no change. The same Exchange server works with the Caddy plugin and the Sophos UTM WAF, any ideas?

December 06, 2025, 05:43:00 AM #3 Last Edit: December 06, 2025, 05:44:47 AM by Monviech (Cedrik)
I don't have an idea right now. I also know of customers for whom it works as it is right now when using Outlook.

Caddy works because there is an NTLM plugin compiled in (I maintain the Caddy plugin too). Though as NTLM is deprecated I wonder how long that will still work.

If it works for Sophos UTM please connect to it via SSH and extract the apache config and post it here, maybe we can spot a difference to our apache config.
Hardware:
DEC740

Hello,

here's the UTM configuration, I replaced the domain with example.com

/var/chroot-reverseproxy/usr/apache/conf/httpd.conf

ServerRoot /usr/apache
DefaultRuntimeDir /var/run/apache2
PidFile /var/run/apache2.pid

Include conf/modules.conf
Include conf/mpm.conf
Include conf/modsecurity.conf

HostnameLookups Off
ExtendedStatus On
ServerTokens Prod
ServerSignature Off
Header unset Server

User nobody
Group nogroup

Timeout 300
MaxKeepAliveRequests 100
KeepAliveTimeout 15

UseCanonicalName On
CoreDumpDirectory "/tmp"

SecDataDir /tmp
SecTmpDir /tmp

LogFormat "id=\"0299\" srcip=\"%a\" localip=\"%A\" size=\"%B\" user=\"%u\" host=\"%h\" method=\"%<m\" statuscode=\"%s\" reason=\"%<{block-reason}e\" extra=\"%<{block-reason-extra}e\" exceptions=\"%<{matched-exceptions}n\" time=\"%D\" url=\"%U\" server=\"%{Host}i\" port=\"%p\" query=\"%q\" referer=\"%{Referer}i\" cookie=\"%{Cookie}i\" set-cookie=\"%{Set-Cookie}o\" websocket_scheme=\"%{scheme}w\" websocket_protocol=\"%{protocol}w\" websocket_key=\"%{key}w\" websocket_version=\"%{version}w\" uid=\"%{UNIQUE_ID}e\"" astaro
ErrorLog syslog:local1
CustomLog "|/bin/logger -p local1.info -t httpd" astaro
LogLevel notice

## Uncomment these lines for extended debug logging
#LoadModule firehose_module /usr/apache/modules/mod_firehose.so
#FirehoseProxyConnectionInput /tmp/proxy-input.firehose
#FirehoseProxyConnectionOutput /tmp/proxy-output.firehose
#FirehoseConnectionInput /tmp/input.firehose
#FirehoseConnectionOutput /tmp/output.firehose

## Uncomment these lines for traffic dumping in pcap format
#LoadModule pcap_module /usr/apache/modules/mod_pcap.so
#PcapFileName /tmp/WAF.pcap
#PcapNetworkProtocol ip

SecRule ENV:block-reason "@streq cookie"         "phase:5,id:99001,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq url hardening"  "phase:5,id:99002,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq form hardening" "phase:5,id:99003,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq av"             "phase:5,id:99004,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq dnsrbl"         "phase:5,id:99005,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"
SecRule ENV:block-reason "@streq geoip"          "phase:5,id:99006,t:none,nolog,auditlog,msg:'%{ENV.block-reason-extra}'"

TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-bzip2 .bz2

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gvfs/1" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLHonorCipherOrder On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyCheckPeerName off
# Disable transparent compression of SSL data transfers.
# This mitigates impact of SSL "CRIME" attacks (CVE-2012-4929)
SSLCompression off
SSLSessionTickets off

# Drop the (Request-)Range header if more than 5 ranges (CVE-2011-3192)
SetEnvIf Range (,.*?){5} bad-range=1
RequestHeader unset Range env=bad-range
SetEnvIf Request-Range (,.*?){5} bad-request-range=1
RequestHeader unset Request-Range env=bad-request-range

ProxyWebsocketFallbackToProxyHttp off

# ClamavTmpdir    /tmp/clamav
# ClamavSocket    /var/run/clamav/clamd.ctl
# ClamavMode      daemon
# ClamavPermissions 0644

# <Location /clamav>
#       SetHandler clamav
# </Location>

CookieLimit 1000

Include conf/status.conf

Include conf/reverseproxy.conf


/var/chroot-reverseproxy/usr/apache/conf/reverseproxy.conf

KeepAlive On
ServerName rzfw01.example.com
ServerAdmin support-hsg@example.com
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AESGCM:RSA+AES:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!DHE
RemoteIPProxyProtocol Off
Listen 93.189.156.39:443 https
Listen 93.189.156.39:80 http
<VirtualHost 93.189.156.39:443>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        SSLProxyEngine On
        SSLEngine On
        SSLCertificateFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.pem
        SSLCACertificatePath /usr/apache/conf/cacerts/
        SSLCertificateKeyFile /usr/apache/conf/ssl/REF_wyZfriWfxEsZ.key
        RequestHeader set X-Forwarded-Proto https
        DocumentRoot /var/www/REF_RevFroAutodiscov
        SetEnv proxy-initial-not-pooled
        <Proxy balancer://0e9f56dedc1c6a43ee0c263a6d1b336b>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Proxy balancer://756724cd34319588665693abb5819b66>
                BalancerMember https://10.10.10.5 status=-SE timeout=300
        </Proxy>
        <Location "/">
                SetEnv proxy-aside-c
                ProxyPass "balancer://0e9f56dedc1c6a43ee0c263a6d1b336b/" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/"
                ProxyPassReverse "https://10.10.10.5/"
                SetOutputFilter DEFLATE
                <RequireAll>
                        Require all granted
                </RequireAll>
        </Location>
        <Location "/ecp">
                SetEnv proxy-aside-c
                ProxyPass "balancer://756724cd34319588665693abb5819b66/ecp" lbmethod=bybusyness
                ProxyPassReverse "https://10.10.10.5:443/ecp"
                ProxyPassReverse "https://10.10.10.5/ecp"
                SetOutputFilter DEFLATE
                <RequireAll>
                        <RequireAny>
                                Require ip 10.0.0.0/16
                        </RequireAny>
                </RequireAll>
        </Location>
</VirtualHost>
<VirtualHost 93.189.156.39:80>
        ServerName REF_RevFroAutodiscov_redirect_ssl
        ServerAlias mail.example.com
        ServerAlias autodiscover.example.com
        ServerAlias ex03.example.com
        <Location />
                Require all granted
                RedirectSSL permanent / 443
        </Location>
</Virtualhost>


/var/chroot-reverseproxy/usr/apache/conf/status.conf


Listen 127.0.0.1:4080
<VirtualHost 127.0.0.1:4080>
        ServerName localhost
        ProxyStatus On
        RemoteIPProxyProtocol Off
        SecAuditEngine Off
        <Location /status>
                SetHandler server-status
                Require local
        </Location>
        <Location /lb-status>
                SetHandler balancer-status
                Require local
        </Location>
        <Location /session-cleanup>
                SetHandler session-cleanup-handler
                Require local
                SessionServerStorageDir /var/lib/apache2/sessions
                SessionServerStorageMaxFiles 25000
        </Location>
</VirtualHost>

December 08, 2025, 02:46:17 PM #5 Last Edit: December 08, 2025, 02:48:00 PM by Monviech (Cedrik)
Hello, thanks for these.

I want to additionally know what's loaded inside this path of the UTM:

# conf/modules.conf

Afterwards, on your OPNsense, please give us the following files:

# cat /usr/local/etc/apache24/Includes/gateway_vhosts.conf (Please PM it to me)
# cat /usr/local/etc/apache24/httpd.conf (Please PM it to me)
Hardware:
DEC740

Hello,

that's the content of ls -lla /var/chroot-reverseproxy/usr/apache/modules/

Thanks!

-rw-r--r-- 1 root root  17381 Jun 16  2023 httpd.exp
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_access_compat.so
-rwxr-xr-x 1 root root  18080 Jun 16  2023 mod_alias.so
-rwxr-xr-x 1 root root   5704 Jun 16  2023 mod_allowmethods.so
-rwxr-xr-x 1 root root  13956 Jun 16  2023 mod_auth_basic.so
-rwxr-xr-x 1 root root  34636 Jun 16  2023 mod_auth_digest.so
-rwxr-xr-x 1 root root  26308 Jun 16  2023 mod_auth_form.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_authn_core.so
-rwxr-xr-x 1 root root   9828 Jun 16  2023 mod_authn_file.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_authn_socache.so
-rw-r--r-- 1 root root  30436 Jun 16  2023 mod_authnz_aua.so
-rwxr-xr-x 1 root root  18092 Jun 16  2023 mod_authz_blacklist.so
-rwxr-xr-x 1 root root  22212 Jun 16  2023 mod_authz_core.so
-rwxr-xr-x 1 root root  13956 Jun 16  2023 mod_authz_dbd.so
-rwxr-xr-x 1 root root   9868 Jun 16  2023 mod_authz_groupfile.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_authz_host.so
-rwxr-xr-x 1 root root   5700 Jun 16  2023 mod_authz_user.so
-rwxr-xr-x 1 root root  79776 Jun 16  2023 mod_avscan.so
-rw-r--r-- 1 root root  18120 Jun 16  2023 mod_backtrace.so
-rwxr-xr-x 1 root root  13920 Jun 16  2023 mod_buffer.so
-rwxr-xr-x 1 root root  34532 Jun 16  2023 mod_cache_disk.so
-rwxr-xr-x 1 root root  71696 Jun 16  2023 mod_cache.so
-rwxr-xr-x 1 root root  34572 Jun 16  2023 mod_cache_socache.so
-rwxr-xr-x 1 root root  18112 Jun 16  2023 mod_cookie.so
-rw-r--r-- 1 root root   9804 Jun 16  2023 mod_custom_blockpage.so
-rwxr-xr-x 1 root root  34532 Jun 16  2023 mod_deflate.so
-rw-r--r-- 1 root root   7460 Jun 24  2010 mod_envbyip.so
-rwxr-xr-x 1 root root   9824 Jun 16  2023 mod_env.so
-rwxr-xr-x 1 root root  13960 Jun 16  2023 mod_expires.so
-rwxr-xr-x 1 root root  22308 Jun 16  2023 mod_ext_filter.so
-rwxr-xr-x 1 root root   9892 Jun 16  2023 mod_file_cache.so
-rwxr-xr-x 1 root root  18080 Jun 16  2023 mod_filter.so
-rw-r--r-- 1 root root  13988 Jun 16  2023 mod_firehose.so
-rwxr-xr-x 1 root root  59280 Oct 27  2023 mod_form_hardening.so
-rwxr-xr-x 1 root root  18180 Jun 16  2023 mod_headers.so
-rwxr-xr-x 1 root root  51044 Jun 16  2023 mod_include.so
-rwxr-xr-x 1 root root  26276 Jun 16  2023 mod_info.so
-rwxr-xr-x 1 root root   5712 Jun 16  2023 mod_lbmethod_bybusyness.so
-rwxr-xr-x 1 root root   5712 Jun 16  2023 mod_lbmethod_byrequests.so
-rwxr-xr-x 1 root root   5712 Jun 16  2023 mod_lbmethod_bytraffic.so
-rwxr-xr-x 1 root root  14032 Jun 16  2023 mod_lbmethod_heartbeat.so
-rwxr-xr-x 1 root root  30544 Jun 16  2023 mod_log_config.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_log_debug.so
-rwxr-xr-x 1 root root  18080 Jun 16  2023 mod_macro.so
-rwxr-xr-x 1 root root  18112 Jun 16  2023 mod_mime.so
-rwxr-xr-x 1 root root  30632 Jun 16  2023 mod_mpm_prefork.so
-rwxr-xr-x 1 root root  43012 Jun 16  2023 mod_mpm_worker.so
-rwxr-xr-x 1 root root  30536 Jun 16  2023 mod_negotiation.so
-rw-r--r-- 1 root root  22148 Jun 16  2023 mod_pcap.so
-rwxr-xr-x 1 root root  59340 Jun 16  2023 mod_proxy_balancer.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_proxy_connect.so
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_proxy_express.so
-rwxr-xr-x 1 root root  30564 Jun 16  2023 mod_proxy_fcgi.so
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_proxy_fdpass.so
-rwxr-xr-x 1 root root  30568 Jun 16  2023 mod_proxy_hcheck.so
-rwxr-xr-x 1 root root  38732 Jun 16  2023 mod_proxy_html.so
-rwxr-xr-x 1 root root  38820 Jun 16  2023 mod_proxy_http.so
-rwxr-xr-x 1 root root  67496 Jun 16  2023 mod_proxy_msrpc.so
-rwxr-xr-x 1 root root  18180 Jun 16  2023 mod_proxy_scgi.so
-rwxr-xr-x 1 root root 154504 Jun 16  2023 mod_proxy.so
-rwxr-xr-x 1 root root  14036 Jun 16  2023 mod_proxy_uwsgi.so
-rwxr-xr-x 1 root root  22216 Jun 16  2023 mod_proxy_wstunnel.so
-rwxr-xr-x 1 root root   9828 Jun 16  2023 mod_ratelimit.so
-rwxr-xr-x 1 root root  26340 Jun 16  2023 mod_remoteip.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_reqtimeout.so
-rwxr-xr-x 1 root root   9860 Jun 16  2023 mod_request.so
-rw-r--r-- 1 root root  13928 Jun 16  2023 mod_reverse_auth.so
-rwxr-xr-x 1 root root  71748 Jun 16  2023 mod_rewrite.so
-rw-r--r-- 1 root root 617532 Jun 16  2023 mod_security2_beta.so
-rw-r--r-- 1 root root 650424 Jun 16  2023 mod_security2.so
-rwxr-xr-x 1 root root  34496 Jun 16  2023 mod_sed.so
-rwxr-xr-x 1 root root   9832 Jun 16  2023 mod_session_cookie.so
-rwxr-xr-x 1 root root  22248 Jun 16  2023 mod_session_crypto.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_session_dbd.so
-rw-r--r-- 1 root root  51084 Jun 16  2023 mod_session_server.so
-rwxr-xr-x 1 root root  18116 Jun 16  2023 mod_session.so
-rwxr-xr-x 1 root root  13956 Jun 16  2023 mod_setenvif.so
-rwxr-xr-x 1 root root  18088 Jun 16  2023 mod_slotmem_shm.so
-rwxr-xr-x 1 root root  13992 Jun 16  2023 mod_socache_dbm.so
-rwxr-xr-x 1 root root  13968 Jun 16  2023 mod_socache_memcache.so
-rwxr-xr-x 1 root root  13964 Jun 16  2023 mod_socache_redis.so
-rwxr-xr-x 1 root root  22156 Jun 16  2023 mod_socache_shmcb.so
-rwxr-xr-x 1 root root 237392 Jun 16  2023 mod_ssl.so
-rwxr-xr-x 1 root root  22212 Jun 16  2023 mod_status.so
-rwxr-xr-x 1 root root  18084 Jun 16  2023 mod_substitute.so
-rwxr-xr-x 1 root root   9748 Jun 16  2023 mod_unique_id.so
-rwxr-xr-x 1 root root  13952 Jun 16  2023 mod_unixd.so
-rwxr-xr-x 1 root root  30472 Jun 16  2023 mod_url_hardening.so
-rwxr-xr-x 1 root root   9828 Jun 16  2023 mod_version.so
-rw-r--r-- 1 root root  14088 Jun 16  2023 mod_waf_exceptions.so
-rwxr-xr-x 1 root root  18152 Jun 16  2023 mod_watchdog.so
-rw-r--r-- 1 root root  18204 Jun 16  2023 mod_whatkilledus.so
-rwxr-xr-x 1 root root  26340 Jun 16  2023 mod_xml2enc.so

Okay thanks, this one is the interesting one

-rwxr-xr-x 1 root root  67496 Jun 16  2023 mod_proxy_msrpc.so

We use exactly the same (as stated in my first response)

So it must be something else, maybe we find something obvious when comparing configurations.
Hardware:
DEC740

December 09, 2025, 02:36:46 PM #8 Last Edit: December 09, 2025, 02:38:26 PM by Monviech (Cedrik)
I have a hunch.

Could you go to:

/usr/local/etc/apache24/Includes/gateway_vhosts.conf
In there find the lines that say:

Redirect / /owa/
Delete these lines or comment them out.

Then afterwards do

service apache24 restart
This restarts apache without regenerating the configuration file. Don't press Apply in the GUI now, otherwise the configuration file will revert.

Then test if the authentication popup got better or no change.

If the above did the trick, I wonder if RedirectMatch solves it:

RedirectMatch ^/$ /owa/
Hardware:
DEC740
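To make the difference behind the hunch above concrete, this added example (not code from the thread or from os-OPNWAF) models the matching rules of the two Apache mod_alias directives, Redirect (URL-path prefix, remainder appended to the target) and RedirectMatch (regex), and applies them to the Exchange virtual directories Outlook and other clients request through the proxy; the path list is a constructed sample.

```python
import re

# Apache mod_alias semantics modelled here (added example, not the plugin's code):
#   Redirect <url-path> <target>  : prefix match on the request path; whatever
#                                   follows the matched prefix is appended to <target>.
#   RedirectMatch <regex> <target>: only paths matching <regex> are redirected.
# Constructed sample of well-known Exchange virtual directories.
EXCHANGE_PATHS = [
    "/",
    "/rpc/rpcproxy.dll",               # Outlook Anywhere (RPC over HTTP)
    "/mapi/emsmdb",                    # MAPI over HTTP
    "/autodiscover/autodiscover.xml",
    "/ews/exchange.asmx",
    "/Microsoft-Server-ActiveSync",
    "/oab/",
]


def redirect_prefix(path, url_path="/", target="/owa/"):
    """Model 'Redirect <url_path> <target>'. Returns the Location or None."""
    base = url_path.rstrip("/")
    # mod_alias matches on path-segment boundaries: "/owa" matches "/owa/x" but not "/owax"
    if path != url_path and not path.startswith(base + "/"):
        return None
    remainder = path[len(base) + 1:]          # text after the matched prefix
    return target.rstrip("/") + "/" + remainder


def redirect_match(path, regex=r"^/$", target="/owa/"):
    """Model 'RedirectMatch <regex> <target>' (no back-references used here)."""
    return target if re.search(regex, path) else None


def compare(paths=EXCHANGE_PATHS):
    """Map each path to (Redirect / /owa/ result, RedirectMatch ^/$ /owa/ result)."""
    return {p: (redirect_prefix(p), redirect_match(p)) for p in paths}


def broken_endpoints(paths=EXCHANGE_PATHS):
    """Non-root endpoints that 'Redirect / /owa/' would send to a different path."""
    return [p for p in paths if p != "/" and redirect_prefix(p) is not None]


if __name__ == "__main__":
    for path, (prefix, match) in compare().items():
        print(f"{path:34} Redirect -> {str(prefix):36} RedirectMatch -> {match}")
```

Every path begins with "/", so the prefix form rewrites the RPC, MAPI and Autodiscover endpoints as well as the root, while the anchored regex leaves them untouched.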