os-OPNWAF / Exchange 2019 authentication Popups

Started by humnab, December 05, 2025, 04:44:04 PM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions
December 11, 2025, 11:09:10 AM #15
Thanks for testing.

The Sophos config has these two settings, can you add them to the location?

Code Select
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c

If that didn't change anything remove http/2 and force http/1.1

Replace:
Code Select
Protocols h2 http/1.1With:
Code Select
Protocols http/1.1
Please try these one by one so we can figure out which one did the trick. I imagine the http/1.1 might do something, since Caddy does the same when enabling the NTML module in it.
Hardware:
DEC740
December 11, 2025, 04:51:40 PM #16
Hello,

no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:

Code Select
ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<LocatioN />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
December 11, 2025, 04:57:49 PM #17 Last Edit: December 12, 2025, 08:29:13 AM by Monviech (Cedrik)
Sorry to be really specific but in the first virtual host you have

"LocatioN"

and in the second virtual host you dont have any location. Can you put the same location in there?

Could you fix that and retry just to be 100% sure?

------

A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).

------

EDIT: I will test this again with my own exchange server so I can iterate faster over possible solutions and come back here if I find something.
Hardware:
DEC740
December 12, 2025, 08:37:50 AM #18
Hello,

sorry, I'm not good with vi...


Code Select
ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>
<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>

Now Outlook asks permanently for the password, no Email Body will we displayed even after entering the password.
December 12, 2025, 09:19:07 AM #19 Last Edit: December 12, 2025, 05:21:33 PM by Monviech (Cedrik)
Thank you so far I am in the process of creating a new AD/Exchange VM and test it myself. I'll post here when I found out what it is.

EDIT:

I used Exchange 2019 CU 15 for testing.
- There seem to be new features that make using a proxy harder: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection#ssl-bridging-scenarios
- NTLM was hardened too: https://www.heise.de/en/news/Microsoft-takes-measures-against-NTLM-relay-attacks-10194340.html
- NTML is also deprecated, and Kerberos cannot work through a reverse proxy: https://learn.microsoft.com/de-de/windows/whats-new/deprecated-features (check for NTLM)
- The mod_proxy_msrpc only tries to fix "Outlook Anywhere" which is the RPC/http endpoint, not the MAPI/http endpoint. But even that does not seem to work reliably anymore.
- Outlook Classic shows that Microsoft aims to use the web app more prominently

I couldn't even get Outlook Classic it to work with Caddy anymore, also authentication popups.

I have a strong feeling there is no magic solution, and the way Exchange is still sometimes able to be reverse proxied is not actively pursued by any developer anymore since everyone uses the cloud anyway.

If somebody has an idea please let me know.
Hardware:
DEC740
December 15, 2025, 08:52:34 AM #20
Hello,

Caddy works in my Environment with Exchange 2016 CU22 (Windows Server 2016), in the same Environment the UTM also works but the OPNWAF does not.
Extended Security requires the same certificate on the Exchange IIS and the reverse Proxy, we have that in those three configurations.
I will try OPNWAF wit a Exchange 2019 and report the results.
December 15, 2025, 11:59:30 AM #21
Hello everyone,
we have the same problem and the same entries in the log file. We use Exchange 2019 CU 14.
We haven't found a solution yet.
In addition, uploading file attachments in OWA takes forever since we started using OPNsense. We also used Sophos UTM before.
Best regards,
Thomas
Print
Go Up Pages 1 2
User actions