mirotrex
commented
1 year ago Are there any Updates on this issue? @jc21
Open azaloum90 opened 2 years ago
mirotrex
commented
1 year ago Are there any Updates on this issue? @jc21
azaloum90
commented
1 year ago Are there any Updates on this issue? @jc21
I got nothing back from anyone... Nobody seems to know how to implement it. I gave up and went back to Microsoft Web Application Proxy
ichilver
commented
1 year ago I tried adding the below in the NPM advanced tab, and also for each of the locations you mentioned above.
/
/owa
/ecp
/rpc
/Microsoft-Server-ActiveSync
/mapiclient_max_body_size 3G;
tcp_nodelay on;
proxy_request_buffering off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_read_timeout 3600;
proxy_pass_request_headers on;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Accept-Encoding "";
more_set_input_headers 'Authorization: $http_authorization';
more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange-server.mydomain.com"';However when I go to https://exchange-server.mydomain.com/owa I get an error 'HTTP Error 400. The request has an invalid header name.'
I connected to the container and went to the logs in /data/logs but I can't see which header its complaining about.
However if you took out the line proxy_set_header Host $host; it works
Well!!! Works to a point.
What I can't get working is outlook from outside on the Internet when the Exchange IIS server only has "Windows Auth" enabled. If I enable "Basic Auth" it gets a bit further but still doesn't works.
I can see it does the autodiscover stuff ok and then redirects to https://exchange-server.mydomain.com/mapi and asks for a username and password.
I tried domain\username and username@mydomain.com and neither work.
I tried setting the Realm to exchange-server.mydomain.com and exchange-server.msad.mydomain.com
I am missing something for passing the correct type of authentication, but what??? I need to support the "Windows Auth" on the IIS server, but how do I that from NPM?
Any ideas?
Has anyone got MS Exchange working behind a NPM for OWA, ActiveSync and Outlook?
azaloum90
commented
1 year ago I tried adding the below in the NPM advanced tab, and also for each of the locations you mentioned above.
/ /owa /ecp /rpc /Microsoft-Server-ActiveSync /mapiclient_max_body_size 3G; tcp_nodelay on; proxy_request_buffering off; proxy_buffering off; proxy_http_version 1.1; proxy_read_timeout 3600; proxy_pass_request_headers on; proxy_pass_header Date; proxy_pass_header Server; proxy_pass_header Authorization; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Connection "Keep-Alive"; proxy_set_header Accept-Encoding ""; more_set_input_headers 'Authorization: $http_authorization'; more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange-server.mydomain.com"';However when I go to https://exchange-server.mydomain.com/owa I get an error 'HTTP Error 400. The request has an invalid header name.'
I connected to the container and went to the logs in /data/logs but I can't see which header its complaining about.
However if you took out the line
proxy_set_header Host $host;it worksWell!!! Works to a point.
- I have OWA webaccess working.
- I have ECP working, although I soon redirected that as I don't want the ECP publicly accessible
- I even seem to have ActiveSync working as I am running Nine from Android App store and that connects too.
What I can't get working is outlook from outside on the Internet when the Exchange IIS server only has "Windows Auth" enabled. If I enable "Basic Auth" it gets a bit further but still doesn't works.
I can see it does the autodiscover stuff ok and then redirects to https://exchange-server.mydomain.com/mapi and asks for a username and password.
I tried domain\username and username@mydomain.com and neither work. I tried setting the Realm to
exchange-server.mydomain.comandexchange-server.msad.mydomain.comI am missing something for passing the correct type of authentication, but what??? I need to support the "Windows Auth" on the IIS server, but how do I that from NPM?
Any ideas?
Has anyone got MS Exchange working behind a NPM for OWA, ActiveSync and Outlook?
You for so much further than I ever did! I'm intrigued as to what else gets in the way of allowing this. I believe the mechanism that needs to function is "Forms Authentication", but not sure what that needs from an http reverse proxy perspective.
Wish MS had more info, I don't think they'll ever consider this a "supported" configuration so I can't ask.
Only other thing I can think of is running Wireshark from my existing Web Application Proxy and doing some pakcey captures
ichilver
commented
1 year ago @azaloum90 I think I got all the stuff working for HTTP GET requests and stuff requiring Basic Auth.
What I can't get working is the NTLM auth on /autodiscover and /mapi
I am either missing something in the NPM settings or its just not possible to proxy NTLM auth. Something in the back of my mind is thinking this isn't possible because technically NPM is acting as "a man in the middle". IDK.
azaloum90
commented
1 year ago @azaloum90 I think I got all the stuff working for HTTP GET requests and stuff requiring Basic Auth.
What I can't get working is the NTLM auth on /autodiscover and /mapi
I am either missing something in the NPM settings or its just not possible to proxy NTLM auth. Something in the back of my mind is thinking this isn't possible because technically NPM is acting as "a man in the middle". IDK.
It's definitely possible because MAPI authentication works fine with Microsoft Web Application Proxy (that's actually a Microsoft-supported configuration, though you are supposed to pass it through ADFS for authentication which I do not). Brings me back to "what's missing in the packets", so I think I'd have to look at the packets traversing:
From Microsoft Web App Proxy To Exchange
And then compare that with packets traversing:
From NPM To Exchange
Unfortunately my NPM setup has been turned off for over a year now, but I suppose I could grab some packet captures from my Web App Proxy to Exchange servers and then compare with yours?
ilya-maltsev
commented
1 year ago Hi,
try to check that basic authentication enabled for MAPI on Exchange:
https://learn.microsoft.com/en-us/exchange/clients/mapi-over-http/configure-mapi-over-http?view=exchserver-2019
After exec that command:
Set-MapiVirtualDirectory -Identity "<exchange_host>\mapi (Default Web Site)" -ExternalURL https://<mail.domain.com>/mapi -IISAuthenticationMethods NTLM, OAuth , Basic
in our case, all works fine
azaloum90
commented
10 months ago Hi, try to check that basic authentication enabled for MAPI on Exchange: https://learn.microsoft.com/en-us/exchange/clients/mapi-over-http/configure-mapi-over-http?view=exchserver-2019 After exec that command:
Set-MapiVirtualDirectory -Identity "<exchange_host>\mapi (Default Web Site)" -ExternalURL https://<mail.domain.com>/mapi -IISAuthenticationMethods NTLM, OAuth , Basicin our case, all works fine
Hey, could you by chance show me some screenshots of how you have the configuration entered into NPM? The entry points are rather confusing and I am curious as to what your configuration is.
ilya-maltsev
commented
9 months ago @azaloum90 that command must be directly executed on Windows Server with installed Exchange via Powershell
azaloum90
commented
9 months ago @azaloum90 that command must be directly executed on Windows Server with installed Exchange via Powershell
Hey,
I'm aware of that piece, I'm just curious how you have the rest of the configuration entered into NPM?
ilya-maltsev
commented
9 months ago @azaloum90 Look at magic lines
http {
map $status $forceBasicOutlook{ #magic_line
401 'Basic realm=$host'; #magic_line
} #magic_line
}
server {
...
keepalive_timeout 3h;
proxy_read_timeout 3h;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;
proxy_hide_header WWW-Authenticate; #magic_line
add_header WWW-Authenticate $forceBasicOutlook always; #magic_line
proxy_buffering off;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header Connection "Keep-Alive";
...
}@azaloum90 Look at magic lines
http { map $status $forceBasicOutlook{ #magic_line 401 'Basic realm=$host'; #magic_line } #magic_line } server { ... keepalive_timeout 3h; proxy_read_timeout 3h; proxy_pass_header Date; proxy_pass_header Server; proxy_pass_header Authorization; proxy_hide_header WWW-Authenticate; #magic_line add_header WWW-Authenticate $forceBasicOutlook always; #magic_line proxy_buffering off; proxy_http_version 1.1; proxy_request_buffering off; proxy_set_header Connection "Keep-Alive"; ... }
Thanks for this. How many entries for your mail server? just a mail.domain.com entry?
vtornik
commented
9 months ago @azaloum90 Look at magic lines
http { map $status $forceBasicOutlook{ #magic_line 401 'Basic realm=$host'; #magic_line } #magic_line } server { ... keepalive_timeout 3h; proxy_read_timeout 3h; proxy_pass_header Date; proxy_pass_header Server; proxy_pass_header Authorization; proxy_hide_header WWW-Authenticate; #magic_line add_header WWW-Authenticate $forceBasicOutlook always; #magic_line proxy_buffering off; proxy_http_version 1.1; proxy_request_buffering off; proxy_set_header Connection "Keep-Alive"; ... }Thanks for this. Could you tell me how to perform this configuration in the Nginx proxy manager interface? How and in which tab should this be specified?
azaloum90
commented
9 months ago @azaloum90 Look at magic lines
http { map $status $forceBasicOutlook{ #magic_line 401 'Basic realm=$host'; #magic_line } #magic_line } server { ... keepalive_timeout 3h; proxy_read_timeout 3h; proxy_pass_header Date; proxy_pass_header Server; proxy_pass_header Authorization; proxy_hide_header WWW-Authenticate; #magic_line add_header WWW-Authenticate $forceBasicOutlook always; #magic_line proxy_buffering off; proxy_http_version 1.1; proxy_request_buffering off; proxy_set_header Connection "Keep-Alive"; ... }Thanks for this. Could you tell me how to perform this configuration in the Nginx proxy manager interface? How and in which tab should this be specified?
I am wondering the same... @ilya-maltsev if you know please let us know.
ilya-maltsev
commented
9 months ago azaloum90
commented
9 months ago https://develop.nginxproxymanager.com/advanced-config/#custom-nginx-configurations
Given this info, is it safe to assume that the info should go into this screenshot?
vtornik
commented
9 months ago https://develop.nginxproxymanager.com/advanced-config/#custom-nginx-configurations
Thank you. Do I understand correctly that I have to create a /data/nginx/custom/http_top.conf file with this content:
map $status $forceBasicOutlook{ #magic_line 401 'Basic realm=$host'; #magic_line } #magic_line
and the /data/nginx/custom/server_proxy.conf file with the contents:
keepalive_timeout 3h;
proxy_read_timeout 3h;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;
proxy_hide_header WWW-Authenticate; #magic_line
add_header WWW-Authenticate $forceBasicOutlook always; #magic_line
proxy_buffering off;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header Connection "Keep-Alive";@azaloum90 Look at magic lines
http { map $status $forceBasicOutlook{ #magic_line 401 'Basic realm=$host'; #magic_line } #magic_line } server { ... keepalive_timeout 3h; proxy_read_timeout 3h; proxy_pass_header Date; proxy_pass_header Server; proxy_pass_header Authorization; proxy_hide_header WWW-Authenticate; #magic_line add_header WWW-Authenticate $forceBasicOutlook always; #magic_line proxy_buffering off; proxy_http_version 1.1; proxy_request_buffering off; proxy_set_header Connection "Keep-Alive"; ... }
@ilya-maltsev ,
Would you be able to post your entire configuration, as well as perhaps with screenshots as to where these configurations are entered (obviously with domain names redacted)? Though your info was helpful, I am unable to make this work with a variety of configurations -- NPM is reporting that my host is offline, likely due to the configuration being mis-scripted.
Any help is greatly appreciated!
Adam
ilya-maltsev
commented
7 months ago @azaloum90 Did you look at https://develop.nginxproxymanager.com/advanced-config/#custom-nginx-configurations ? Advanced configuration must be did through config files of nginx, not through web-ui of NPM...
If you are a more advanced user, you might be itching for extra Nginx customizability.
NPM has the ability to include different custom configuration snippets in different places.
You can add your custom configuration snippet files at /data/nginx/custom as follow:Unfortunately I can't show my config files of nginx...
tarocjsu
commented
6 months ago Useless discussion....
I have some settings that will supposedly work, but I am unsure how to enter these into NPM. Any ideas?
http://blog.manton.im/2016/04/configure-nginx-with-exchange-2010-2013.html