
Exchange Server with Nginx Proxy Manager #2037

Open
azaloum90 opened this issue May 4, 2022 · 20 comments

Comments

@azaloum90 commented May 4, 2022

I have some settings that will supposedly work, but I am unsure how to enter these into NPM. Any ideas?

http://blog.manton.im/2016/04/configure-nginx-with-exchange-2010-2013.html

server {
  listen 192.168.0.1:443 ssl;
  server_name owa.myserver.com;
  ssl_certificate     /etc/nginx/ssl/cert.pem;
  ssl_certificate_key /etc/nginx/ssl/key.key;
  access_log /var/log/nginx/mydomain.access.log combined;
  error_log  /var/log/nginx/mydomain.error.log;
  ssl_session_timeout 5m;
  tcp_nodelay on;

  # large attachments and long-lived Outlook/ActiveSync requests
  client_max_body_size    3G;
  proxy_request_buffering off;
  proxy_buffering         off;
  proxy_http_version      1.1;
  proxy_read_timeout      360;
  proxy_set_header        Connection "Keep-Alive";

  proxy_pass_header       Date;
  proxy_pass_header       Server;
  proxy_pass_header       Authorization;
  proxy_pass_request_headers on;
  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        Accept-Encoding "";

  # the more_set_* directives come from the ngx_headers_more module
  more_set_input_headers 'Authorization: $http_authorization';
  more_set_headers -s 401 'WWW-Authenticate: Basic realm="fqdnofyourexchangeserver"';

  location / {
    return 301 https://owa.myserver.com/owa;
  }
  location ~* ^/owa                         { proxy_pass https://fqdnofyourexchangeserver; }
  location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://fqdnofyourexchangeserver; }
  location ~* ^/ecp                         { proxy_pass https://fqdnofyourexchangeserver; }
  location ~* ^/rpc                         { proxy_pass https://fqdnofyourexchangeserver; }
}

# redirect all http traffic to https
server {
  listen 80;
  server_name owa.myserver.com;
  return 301 https://$host$request_uri;
}
@mirotrex

Are there any updates on this issue? @jc21

@azaloum90 (author)

> Are there any updates on this issue? @jc21

I got nothing back from anyone... Nobody seems to know how to implement it. I gave up and went back to Microsoft Web Application Proxy.

@ichilver commented Jun 9, 2023

I tried adding the below in the NPM advanced tab, and also for each of the locations you mentioned above:

  • /
  • /owa
  • /ecp
  • /rpc
  • /Microsoft-Server-ActiveSync
  • /mapi

client_max_body_size 3G;
tcp_nodelay          on;

proxy_request_buffering off;
proxy_buffering         off;

proxy_http_version 1.1;
proxy_read_timeout 3600;

proxy_pass_request_headers on;
proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Connection "Keep-Alive";
proxy_set_header Accept-Encoding "";

# the more_set_* directives come from the ngx_headers_more module
more_set_input_headers 'Authorization: $http_authorization';
more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange-server.mydomain.com"';

However when I go to https://exchange-server.mydomain.com/owa I get an error 'HTTP Error 400. The request has an invalid header name.'

I connected to the container and went to the logs in /data/logs but I can't see which header it's complaining about.

However, if you take out the line proxy_set_header Host $host; it works.

Well!!! Works to a point.

  • I have OWA web access working.
  • I have ECP working, although I soon redirected that as I don't want the ECP publicly accessible.
  • I even seem to have ActiveSync working, as I am running Nine from the Android app store and that connects too.

What I can't get working is Outlook from outside on the Internet when the Exchange IIS server only has "Windows Auth" enabled. If I enable "Basic Auth" it gets a bit further but still doesn't work.

I can see it does the autodiscover stuff ok and then redirects to https://exchange-server.mydomain.com/mapi and asks for a username and password.

I tried domain\username and username@mydomain.com and neither work.
I tried setting the Realm to exchange-server.mydomain.com and exchange-server.msad.mydomain.com.

I am missing something for passing the correct type of authentication, but what???
I need to support "Windows Auth" on the IIS server, but how do I do that from NPM?

Any ideas?

Has anyone got MS Exchange working behind NPM for OWA, ActiveSync and Outlook?
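The question of which authentication schemes each Exchange virtual directory offers, and whether the proxy changes that set, is the one that decides whether Outlook can ever log in through nginx: Negotiate and NTLM authenticate a TCP connection and cannot be relayed request-by-request by a reverse proxy, Basic can. The script below is an added example, not part of this thread or of Nginx Proxy Manager. It parses raw HTTP response headers, so it runs offline against constructed samples (illustrative, not captures), and the `probe` helper wraps curl for real hosts; the hostnames and IP in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from NPM): list the WWW-Authenticate
# schemes an Exchange virtual directory offers. Run it once through NPM and once
# against Exchange directly and compare the two lists.

# auth_schemes: read raw HTTP response headers on stdin and print
# "status <code>" followed by one "scheme <name>" line per distinct challenge.
auth_schemes() {
    tr -d '\r' | awk '
        NR == 1 { print "status " $2; next }
        tolower($1) == "www-authenticate:" {
            sub(/^[^:]*:[ \t]*/, "")            # drop the header name
            n = split($0, part, /,[ \t]*/)       # one header may carry several challenges
            for (i = 1; i <= n; i++) {
                split(part[i], tok, /[ \t]+/)
                # first token is the scheme unless it is a parameter (contains "=")
                if (tok[1] != "" && index(tok[1], "=") == 0 && !seen[tok[1]]++)
                    print "scheme " tok[1]
            }
        }'
}

# relayable: succeed if at least one challenge is Basic, i.e. a stateless proxy
# can forward the credentials on every request; fail if only NTLM/Negotiate.
relayable() {
    auth_schemes | grep -q '^scheme Basic$'
}

# probe URL [ip]: fetch headers only, anonymously. The optional ip makes curl
# connect to Exchange directly under the external name (--resolve), bypassing NPM.
# -k is for lab use; drop it once the certificate chain validates.
probe() {
    url=$1
    host=${url#https://}; host=${host%%/*}
    if [ -n "${2:-}" ]; then
        curl -sk -o /dev/null -D - --resolve "$host:443:$2" "$url" | auth_schemes
    else
        curl -sk -o /dev/null -D - "$url" | auth_schemes
    fi
}

# Constructed samples (illustrative, not captures): a 401 from a /mapi vdir with
# NTLM and Basic enabled, and one from a vdir with only Windows auth enabled.
SAMPLE_MAPI_BASIC='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="mail.example.com"
Content-Length: 0

'
SAMPLE_MAPI_NTLM_ONLY='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Content-Length: 0

'

# Stand-alone run over the samples. Against real hosts (placeholders):
#   probe https://mail.example.com/mapi/emsmdb            # through NPM
#   probe https://mail.example.com/mapi/emsmdb 10.0.0.5   # Exchange direct
printf '%s' "$SAMPLE_MAPI_BASIC" | auth_schemes
printf '%s' "$SAMPLE_MAPI_NTLM_ONLY" | relayable ||
    echo "NTLM/Negotiate only: Outlook cannot authenticate through a stateless proxy"
```

If the direct probe lists Basic but the proxied one does not, the proxy is dropping or rewriting the challenge; if neither lists Basic, enable it on the virtual directory first. The 400 "invalid header name" page does not name the offending header; to see exactly what nginx sends, point a throwaway proxy host at a plain `nc -l` listener and read the request it receives.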

@azaloum90 (author)

> Has anyone got MS Exchange working behind NPM for OWA, ActiveSync and Outlook?

You got so much further than I ever did! I'm intrigued as to what else gets in the way of allowing this. I believe the mechanism that needs to function is "Forms Authentication", but not sure what that needs from an http reverse proxy perspective.

Wish MS had more info, I don't think they'll ever consider this a "supported" configuration so I can't ask.

Only other thing I can think of is running Wireshark from my existing Web Application Proxy and doing some packet captures.

@ichilver commented Jun 9, 2023

@azaloum90 I think I got all the stuff working for HTTP GET requests and stuff requiring Basic Auth.

What I can't get working is the NTLM auth on /autodiscover and /mapi.

I am either missing something in the NPM settings or it's just not possible to proxy NTLM auth. Something in the back of my mind is thinking this isn't possible because technically NPM is acting as "a man in the middle". IDK.

@azaloum90 (author)

> What I can't get working is the NTLM auth on /autodiscover and /mapi.

It's definitely possible because MAPI authentication works fine with Microsoft Web Application Proxy (that's actually a Microsoft-supported configuration, though you are supposed to pass it through ADFS for authentication which I do not). Brings me back to "what's missing in the packets", so I think I'd have to look at the packets traversing:

From Microsoft Web App Proxy
To Exchange

And then compare that with packets traversing:

From NPM
To Exchange

Unfortunately my NPM setup has been turned off for over a year now, but I suppose I could grab some packet captures from my Web App Proxy to Exchange servers and then compare with yours?

@ilya-maltsev

Hi,
try to check that basic authentication is enabled for MAPI on Exchange:
https://learn.microsoft.com/en-us/exchange/clients/mapi-over-http/configure-mapi-over-http?view=exchserver-2019
After executing this command:

Set-MapiVirtualDirectory -Identity "<exchange_host>\mapi (Default Web Site)" -ExternalURL https://<mail.domain.com>/mapi -IISAuthenticationMethods NTLM, OAuth, Basic

in our case, all works fine.

@azaloum90 (author)

> try to check that basic authentication is enabled for MAPI on Exchange [...] in our case, all works fine.

Hey, could you by chance show me some screenshots of how you have the configuration entered into NPM? The entry points are rather confusing and I am curious as to what your configuration is.

@ilya-maltsev

@azaloum90
that command must be executed directly on the Windows Server with Exchange installed, via PowerShell

@azaloum90 (author)

> that command must be executed directly on the Windows Server with Exchange installed, via PowerShell

Hey,

I'm aware of that piece, I'm just curious how you have the rest of the configuration entered into NPM?

@ilya-maltsev

@azaloum90 Look at magic lines

http {

    # a 401 from Exchange becomes a Basic challenge; any other status yields an empty value
    map $status $forceBasicOutlook {        #magic_line
        401    'Basic realm=$host';         #magic_line
    }                                       #magic_line

    server {
    ...
        keepalive_timeout 3h;
        proxy_read_timeout 3h;

        proxy_pass_header       Date;
        proxy_pass_header       Server;
        proxy_pass_header       Authorization;

        # strip Exchange's own Negotiate/NTLM challenges and offer Basic instead
        proxy_hide_header WWW-Authenticate;                      #magic_line
        add_header WWW-Authenticate $forceBasicOutlook always;   #magic_line

        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_set_header Connection "Keep-Alive";
    ...
    }
}

@azaloum90 (author)

> @azaloum90 Look at magic lines [...]

Thanks for this. How many entries for your mail server? just a mail.domain.com entry?

@vtornik commented Feb 6, 2024

> @azaloum90 Look at magic lines [...]

Thanks for this. Could you tell me how to perform this configuration in the Nginx proxy manager interface? How and in which tab should this be specified?

(screenshots: 1-npm-details, 2-npm-custom location, 3-npm-Advanced)

@azaloum90 (author)

> Could you tell me how to perform this configuration in the Nginx proxy manager interface? How and in which tab should this be specified?

I am wondering the same... @ilya-maltsev if you know please let us know.

@azaloum90 (author)

https://develop.nginxproxymanager.com/advanced-config/#custom-nginx-configurations

Given this info, is it safe to assume that the info should go into this screenshot?

(screenshot: 3-npm-Advanced)

@vtornik commented Feb 6, 2024

> https://develop.nginxproxymanager.com/advanced-config/#custom-nginx-configurations

Thank you. Do I understand correctly that I have to create
a /data/nginx/custom/http_top.conf file
with this content:

map $status $forceBasicOutlook {        #magic_line
    401    'Basic realm=$host';         #magic_line
}                                       #magic_line

and
the /data/nginx/custom/server_proxy.conf file
with the contents:

keepalive_timeout 3h;
proxy_read_timeout 3h;

proxy_pass_header       Date;
proxy_pass_header       Server;
proxy_pass_header       Authorization;

proxy_hide_header WWW-Authenticate;                      #magic_line
add_header WWW-Authenticate $forceBasicOutlook always;   #magic_line

proxy_buffering off;
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_set_header Connection "Keep-Alive";
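Putting the two files described above together, as an added example that is mine, not code from this thread or from the Nginx Proxy Manager project: a script that writes http_top.conf and server_proxy.conf with ilya-maltsev's map and relay directives, plus an internal-only rule for /ecp and /powershell (the thread already notes ECP should not be public, and OWA's Options page still needs /ecp from inside). It assumes NPM's data volume is at /data on the Docker host (override with NPM_DATA), that 192.168.0.0/16 is your internal range (override with INTERNAL_NET), and that the generated proxy host server{} defines `$forward_scheme`, `$server` and `$port` as NPM's templates do; check /data/nginx/proxy_host/*.conf before relying on that. The realm is written as a quoted string here because RFC 7235 defines realm as quoted-string; the map from the thread omits the quotes. Why the map is needed at all: NTLM and Negotiate authenticate the TCP connection rather than each request, and open-source nginx does not pin a client to a single upstream connection (the upstream `ntlm` directive that does so is only in NGINX Plus), so the proxy hides those challenges and offers Basic, which Outlook then sends on every request over TLS.

```shell
#!/bin/sh
# Added example (not NPM's own code): generate the two custom snippet files that
# Nginx Proxy Manager includes from /data/nginx/custom, carrying the forced-Basic
# challenge from this thread plus an internal-only rule for the admin endpoints.
# Assumptions: NPM data volume at $NPM_DATA on the host; internal range below.

NPM_DATA=${NPM_DATA:-/data}
INTERNAL_NET=${INTERNAL_NET:-192.168.0.0/16}   # assumption: your LAN/VPN range

# write_snippets DIR: write http_top.conf and server_proxy.conf into DIR.
write_snippets() {
    dir=$1
    mkdir -p "$dir"

    # http_top.conf is included inside http{}, the only level where map{} is
    # allowed. A 401 from Exchange becomes a Basic challenge; any other status
    # yields an empty string, and add_header skips headers with an empty value.
    cat > "$dir/http_top.conf" <<'EOF'
map $status $forceBasicOutlook {
    default "";
    401     'Basic realm="$host"';
}
EOF

    # server_proxy.conf is included at the end of every proxy host's server{},
    # so everything here applies to all proxy hosts on this NPM instance.
    # Unquoted heredoc: $INTERNAL_NET is expanded by the shell, \$ stays for nginx.
    cat > "$dir/server_proxy.conf" <<EOF
# MAPI/HTTP and ActiveSync keep requests open for a long time
keepalive_timeout 3h;
proxy_read_timeout 3h;
proxy_http_version 1.1;
proxy_set_header Connection "Keep-Alive";
proxy_buffering off;
proxy_request_buffering off;
client_max_body_size 3G;

proxy_pass_header Date;
proxy_pass_header Server;
proxy_pass_header Authorization;

# Hide Negotiate/NTLM (connection-bound, not relayable) and offer Basic instead.
# Basic must be enabled on the Exchange /mapi and /autodiscover virtual directories.
proxy_hide_header WWW-Authenticate;
add_header WWW-Authenticate \$forceBasicOutlook always;

# Admin center and remote PowerShell stay internal. OWA's Options page uses /ecp,
# so allow it from inside rather than blocking it outright. \$forward_scheme,
# \$server and \$port are assumed to be set by NPM's generated server{} (verify).
location ~* ^/(ecp|powershell)(/|\$) {
    allow $INTERNAL_NET;
    deny all;
    proxy_pass \$forward_scheme://\$server:\$port\$request_uri;
}
EOF
}

# check_snippets DIR: sanity checks worth running before reloading nginx.
check_snippets() {
    dir=$1
    grep -Fq 'map $status $forceBasicOutlook' "$dir/http_top.conf" &&
    grep -Fq 'proxy_hide_header WWW-Authenticate;' "$dir/server_proxy.conf" &&
    grep -Fq 'add_header WWW-Authenticate $forceBasicOutlook always;' "$dir/server_proxy.conf"
}

# Usage: NPM_DATA=/srv/npm/data sh exchange-snippets.sh --write
# then:  docker exec <npm-container> nginx -t && docker exec <npm-container> nginx -s reload
if [ "${1:-}" = "--write" ]; then
    write_snippets "$NPM_DATA/nginx/custom"
    check_snippets "$NPM_DATA/nginx/custom" && echo "snippets written to $NPM_DATA/nginx/custom"
fi
```

One nginx inheritance caveat: `add_header` directives are inherited from the server level only into locations that have no `add_header` of their own. If the generated location / in a proxy host's config carries one (for instance when HSTS is enabled on that host), the server-level challenge will not apply there, and the two `proxy_hide_header`/`add_header` lines belong in that host's Advanced tab inside a location block instead. Always run `nginx -t` in the container after writing the files; a syntax error in server_proxy.conf takes every proxy host down, which is what "host is offline" in NPM usually means.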

@azaloum90 commented Apr 22, 2024

> @azaloum90 Look at magic lines [...]

@ilya-maltsev ,

Would you be able to post your entire configuration, as well as perhaps with screenshots as to where these configurations are entered (obviously with domain names redacted)? Though your info was helpful, I am unable to make this work with a variety of configurations -- NPM is reporting that my host is offline, likely due to the configuration being mis-scripted.

Any help is greatly appreciated!

Adam

@ilya-maltsev

@azaloum90
Did you look at https://develop.nginxproxymanager.com/advanced-config/#custom-nginx-configurations ?
Advanced configuration must be done through the nginx config files, not through the NPM web UI...

> If you are a more advanced user, you might be itching for extra Nginx customizability.
>
> NPM has the ability to include different custom configuration snippets in different places.
>
> You can add your custom configuration snippet files at /data/nginx/custom as follow:

Unfortunately I can't show my nginx config files...

@tarocjsu commented May 6, 2024

Useless discussion....


6 participants