os-OPNWAF / Exchange 2019 authentication Popups

[Monviech (Cedrik)]

Thanks for testing.

The Sophos config has these two settings, can you add them to the location?

Code Select Expand

SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c

If that didn't change anything remove http/2 and force http/1.1

Replace:

Code Select Expand

Protocols h2 http/1.1With:

Code Select Expand

Protocols http/1.1
Please try these one by one so we can figure out which one did the trick. I imagine the http/1.1 might do something, since Caddy does the same when enabling the NTML module in it.

[humnab]

Hello,

no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:

Code Select Expand

ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<LocatioN />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>


[Monviech (Cedrik)]

Sorry to be really specific but in the first virtual host you have

"LocatioN"

and in the second virtual host you dont have any location. Can you put the same location in there?

Could you fix that and retry just to be 100% sure?

------

A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).

------

EDIT: I will test this again with my own exchange server so I can iterate faster over possible solutions and come back here if I find something.

[humnab]

Hello,

sorry, I'm not good with vi...

Code Select Expand

ServerName mail.example.com
Listen 443




<VirtualHost *:443>
    ServerName mail.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
    SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>

<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>





    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>



<VirtualHost *:443>
    ServerName autodiscover.example.com
    Options -FollowSymLinks
    Options -Indexes
    Options -ExecCGI
    LogLevel warn
    ProxyRequests Off
    RequestHeader set X-Forwarded-Proto "https"
    SSLProxyEngine On
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On


    SSLEngine on
    Protocols http/1.1
    SSLCertificateFile    /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
    SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key



    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # TLS Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     off
    SSLCompression          off
    SSLSessionTickets       off
    SSLOptions              +StrictRequire
    SSLUseStapling          On

    # Start ExchangeHttps
    OutlookAnywherePassthrough On
    Header always set X-Frame-Options SAMEORIGIN
    Header set Server Apache
    Header unset X-AspNet-Version
    Header unset X-OWA-Version
    Header unset X-Powered-By
    RequestHeader unset Expect early
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early
    RequestHeader unset Accept-Encoding
    TimeOut 1800

    # Change Character set to allow umlaute
    AddDefaultCharset ISO-8859-1

    # Redirect to owa (Outlook Web Access)
#    Redirect / /owa/

    # Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
    <Directory /Microsoft-Server-ActiveSync>
        SSLRenegBufferSize 31457280
    </Directory>
<Location />
    SetEnv proxy-initial-not-pooled
    SetEnv proxy-aside-c
    ProxyPass https://10.10.10.5/ connectiontimeout=900
    ProxyPassReverse https://10.10.10.5/
</Location>



    # End ExchangeHttps

    <Location "/__waf_errors__">
        ProxyPass "!"
        <RequireAny>
            # error pages are allowed for all.
            Require all granted
        </RequireAny>
    </Location>

    Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
    ErrorDocument 400 /__waf_errors__/400.html
    ErrorDocument 401 /__waf_errors__/401.html
    ErrorDocument 403 /__waf_errors__/403.html
    ErrorDocument 404 /__waf_errors__/404.html
    ErrorDocument 408 /__waf_errors__/408.html
    ErrorDocument 500 /__waf_errors__/500.html
    ErrorDocument 502 /__waf_errors__/502.html
    ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>

Now Outlook asks permanently for the password, no Email Body will we displayed even after entering the password.

[Monviech (Cedrik)]

Thank you so far I am in the process of creating a new AD/Exchange VM and test it myself. I'll post here when I found out what it is.

EDIT:

I used Exchange 2019 CU 15 for testing.
- There seem to be new features that make using a proxy harder: https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-extended-protection#ssl-bridging-scenarios
- NTLM was hardened too: https://www.heise.de/en/news/Microsoft-takes-measures-against-NTLM-relay-attacks-10194340.html
- NTML is also deprecated, and Kerberos cannot work through a reverse proxy: https://learn.microsoft.com/de-de/windows/whats-new/deprecated-features (check for NTLM)
- The mod_proxy_msrpc only tries to fix "Outlook Anywhere" which is the RPC/http endpoint, not the MAPI/http endpoint. But even that does not seem to work reliably anymore.
- Outlook Classic shows that Microsoft aims to use the web app more prominently

I couldn't even get Outlook Classic it to work with Caddy anymore, also authentication popups.

I have a strong feeling there is no magic solution, and the way Exchange is still sometimes able to be reverse proxied is not actively pursued by any developer anymore since everyone uses the cloud anyway.

If somebody has an idea please let me know.

[humnab]

Hello,

Caddy works in my Environment with Exchange 2016 CU22 (Windows Server 2016), in the same Environment the UTM also works but the OPNWAF does not.
Extended Security requires the same certificate on the Exchange IIS and the reverse Proxy, we have that in those three configurations.
I will try OPNWAF wit a Exchange 2019 and report the results.

[VG Gerolstein]

Hello everyone,
we have the same problem and the same entries in the log file. We use Exchange 2019 CU 14.
We haven't found a solution yet.
In addition, uploading file attachments in OWA takes forever since we started using OPNsense. We also used Sophos UTM before.
Best regards,
Thomas

[humnab]

Hello,

I configured a Apache Reverse Proxy on Ubuntu 24 LTS:

Code Select Expand

# Tipp von Bernd Krumböck wegen Sicherheitsproblemen mit dem MPM Modul und NTLM Authentifizierung
# Clients welche EWS verwenden (z.B. AquaMail) bekommen E-Mails anderer Sitzungen synchronisiert
# ServerLimit und MaxRequestWorkers ggf. an die Anzahl der vorhandenen Clients anpassen
#ServerLimit 300
#MaxRequestWorkers 300
MaxConnectionsPerChild 1

<VirtualHost 192.168.80.221:80>
        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        RequestHeader unset Expect early
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        ProxyRequests Off
        RewriteEngine On
        RewriteCond %{HTTPS} !=on
        RewriteRule ^/owa(.*) https://mail.example.com/owa$1 [R,L]
        RewriteRule ^/ecp(.*) https://mail.example.com/ecp$1 [R,L]
        RewriteRule ^/Microsoft-Server-ActiveSync(.*) https://mail.example.com/Microsoft-Server-ActiveSync$1 [R,L]

        DocumentRoot /var/www/mail.example.com/web

        <Directory />
            Order deny,allow
            Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
            DirectoryIndex index.php index.html
            Options -Indexes +FollowSymLinks
            Order allow,deny
            Allow from all
        </Directory>

        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
</VirtualHost>

<VirtualHost 192.168.80.221:443>
        DocumentRoot /var/www/mail.example.com/web

        ServerName mail.example.com
        ServerAlias autodiscover.example.com
        ServerAdmin webmaster@znil.org

        ErrorLog /var/log/apache2/error.log
        # Nachfolgende Zeile loggt jeden Zugriff, alternativ den Zeile darunter verwenden, dann werden die Logs verworfen
        CustomLog /var/log/apache2/access.log combined
        #CustomLog /dev/null common

        Header always set X-Frame-Options SAMEORIGIN
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By

        RequestHeader unset Expect early

        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # 10.12.2020: Nachfolgende Zeilen würden eine Standardauthentifizierung erzwingen, ist nun nicht mehr Notwendig
        # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
        # Header unset WWW-Authenticate
        # Header add WWW-Authenticate "Basic realm=mail.example.com"
        ProxyRequests Off
        ProxyPreserveHost On

        #abgeschaut von https://github.com/phr0gz/Apache-reverse-proxy-for-Exchange-2010-2013-2016/blob/master/webmail.conf
        ProxyVia Full
        RequestHeader edit Transfer-Encoding Chunked chunked early
        RequestHeader unset Accept-Encoding
        TimeOut 1800
        # Ende abgeschaut

        SSLProxyEngine On
        # Problemen mit Kommunikation zwischen Apache-Proxy und Exchange-Server aus dem Wege gehen
        # Alle SSL Prüfungen werden damit ausgeschaltet. So kann z.B. auch intern ein Selbstsigniertes Zertifikat verwendet werden
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        #Nachfolgende Zeile bewirkt das ein Aufruf von nur https://sub.name.suffix auf https://sub.name.suffix/owa weiter geleitet wird.
        Redirect / /owa/

        # owa
        ProxyPass /owa https://192.168.80.112/owa
        ProxyPassReverse /owa https://192.168.80.112/owa
        ProxyPass /OWA https://192.168.80.112/OWA
        ProxyPassReverse /OWA https://192.168.80.112/OWA
        ProxyPass /Owa https://192.168.80.112/Owa
        ProxyPassReverse /Owa https://192.168.80.112/Owa

        # ecp = Adminoberfläche - falls Zugriff nicht gewünscht einfach auskommentieren!
        ProxyPass /ecp https://192.168.80.112/ecp
        ProxyPassReverse /ecp https://192.168.80.112/ecp
        ProxyPass /ECP https://192.168.80.112/ECP
        ProxyPassReverse /ECP https://192.168.80.112/ECP
        ProxyPass /Ecp https://192.168.80.112/Ecp
        ProxyPassReverse /Ecp https://192.168.80.112/Ecp

        # mapi
        ProxyPass /mapi https://192.168.80.112/mapi
        ProxyPassReverse /mapi https://192.168.80.112/mapi

        # ews -> Exchange Web Services
        ProxyPass /ews https://192.168.80.112/ews
        ProxyPassReverse /ews https://192.168.80.112/ews
        ProxyPass /EWS https://192.168.80.112/EWS
        ProxyPassReverse /EWS https://192.168.80.112/EWS
        ProxyPass /Ews https://192.168.80.112/Ews
        ProxyPassReverse /Ews https://192.168.80.112/Ews
        ProxyPass /exchange https://192.168.80.112/exchange
        ProxyPassReverse /exchange https://192.168.80.112/exchange
        ProxyPass /Exchange https://192.168.80.112/Exchange
        ProxyPassReverse /Exchange https://192.168.80.112/Exchange
        ProxyPass /exchweb https://192.168.80.112/exchweb
        ProxyPassReverse /exchweb https://192.168.80.112/exchweb
        ProxyPass /public https://192.168.80.112/public
        ProxyPassReverse /public https://192.168.80.112/public

        # oab (Offline Address Book)
        ProxyPass /oab https://192.168.80.112/oab
        ProxyPassReverse /oab https://192.168.80.112/oab
        ProxyPass /OAB https://192.168.80.112/OAB
        ProxyPassReverse /OAB https://192.168.80.112/OAB

        # RPC over http(s) / Outlook Anywhere
        #OutlookAnywherePassthrough On
        ProxyPass /rpc https://192.168.80.112/rpc
        ProxyPassReverse /rpc https://192.168.80.112/rpc
        ProxyPass /Rpc https://192.168.80.112/Rpc
        ProxyPassReverse /Rpc https://192.168.80.112/Rpc

        # Microsoft-Server-ActiveSync
        ProxyPass /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync connectiontimeout=900
        ProxyPassReverse /Microsoft-Server-ActiveSync https://192.168.80.112/Microsoft-Server-ActiveSync

        # Problem mit dem Versenden von Dateianhängen > 128KByte per ActiceSync umgehen (neuer Wert 30MByte)
        <Directory /Microsoft-Server-ActiveSync>
                SSLRenegBufferSize 31457280
        </Directory>

        # AutoDiscover  -> Autodiscover for non-AD integrated Clients (Mac, eg.)
        ProxyPass /autodiscover https://192.168.80.112/autodiscover
        ProxyPassReverse /autodiscover https://192.168.80.112/autodiscover
        ProxyPass /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPassReverse /Autodiscover https://192.168.80.112/Autodiscover
        ProxyPass /AutoDiscover https://192.168.80.112/AutoDiscover
        ProxyPassReverse /AutoDiscover https://192.168.80.112/AutoDiscover

        # Zeichensatz spezifieren fuer Umlaute
        AddDefaultCharset ISO-8859-1

        <Directory />
                Order deny,allow
                Deny from all
        </Directory>

        <Directory /var/www/mail.example.com/web>
                DirectoryIndex index.php index.html
                 Options -Indexes +FollowSymLinks
                Order allow,deny
                Allow from all
        </Directory>

        <Proxy *>
                # 10.12.2020: Nachfolgende 2 Zeilen sind nicht mehr Notwendig
                # Tipp von Marco Maus, Fragen an marco.maus@mit-system.eu
                # SetEnv proxy-nokeepalive 1
                # SetEnv force-proxy-request-1.0 1
                Order deny,allow
                Allow from all
        </Proxy>

        # Nach extern ein Lets Encrypt Zertifikat nutzen:
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder     on
        SSLCertificateFile /etc/ssl/certs/wsmail03.pem
        SSLCertificateKeyFile /etc/ssl/private/wsmail03.key
        SSLCertificateChainFile /etc/ssl/certs/r13.pem

        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

No Popups, Outlook and ActiveSync works.

Environment:

Exchange 2019 CU15 on Windows Server 2022
I enabled Extended Protection with: ExchangeExtendedProtectionManagement.ps1
The certificate on Exchange IIS and the Apache2 is the same.

Installation:

apt-get install apache2
a2enmod headers
a2enmod rewrite
a2enmod proxy_http
a2enmod ssl
a2dismod mpm_event
a2enmod mpm_prefork

I followed this Guide:

https://znil.net/index.php?title=Apache2_als_Reverse_Proxy_f%C3%BCr_Exchange_2010_2013_2016_2019_inklusive_Outlook_Anywhere_RPC_over_http

[Monviech (Cedrik)]

We use almost the exact same template.

Only major difference is that mpm-event is used, and not mpm-prefork.

Yet in early tests it did not make a difference, it really did work like a year ago.

Since in my tests now, caddy has also issues, it paints an interesting picture.

Maybe the issue is found outside of apache. Since it always works on linux (ubuntu, sophos UTM), yet not on freebsd (opnsense) anymore, it could be an interaction with pf, or the TCP network stack.