Using Entra Proxy is not supported with on-prem Exchange and OWA/ECP: https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide
Extended Protection in combination with Azure AD app proxy
Hello,
We have deployed Azure AD application proxy connectors to access on-premises Exchange webmail.
As soon as we enable Extended Protection on OWA, webmail is not working. No matter whether it's set to 'Allow' or 'Require', it has to be set to 'Off'.
Can someone tell me if either the AAD App Proxy Connector or the AAD App Proxy Service is acting as an SSL offloader? I've read that SSL offloading is not supported.
If so, will there be support to enable ExtProt in such a situation?
Thank you.
Regards,
Stephan
Samuel Stoica, Microsoft Agency Temporary, Apr 22, 2024, 11:04 AM
Please be so kind as to test the following:
- For each Exchange Server, remove the "Require SSL" flag under IIS Manager > Default Website > OWA > SSL Settings.
- For Modern Hybrid, the Extended Protection Token Checking for the EWS virtual directory should be set to NONE:
Set-WebServicesVirtualDirectory -Identity 'ServerName\EWS (Default Web Site)' -ExtendedProtectionTokenChecking 'None'
- Similarly, set the Extended Protection Token Checking to NONE for the PowerShell virtual directory:
Set-PowerShellVirtualDirectory -Identity 'ServerName\PowerShell (Default Web Site)' -ExtendedProtectionTokenChecking 'None'
- If you're using a Reverse Proxy, ADFS, or something similar, please switch from Preauthentication to Passthrough authentication.
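Because the steps above relax Extended Protection token checking on the EWS and PowerShell virtual directories, it is worth being able to see the current state across every server afterwards. The script below is an added example, not part of the thread or a Microsoft tool: it assumes it runs in the Exchange Management Shell and only uses the Get-*VirtualDirectory cmdlets and the ExtendedProtectionTokenChecking / ExtendedProtectionFlags properties they return.

```powershell
# Added example (not from the original thread): audit Extended Protection token
# checking on the virtual directories discussed above (OWA, ECP, EWS, PowerShell)
# across all Exchange servers, and flag any left at 'None'.
# Assumes the Exchange Management Shell; the cmdlets read the IIS-side value
# remotely, so it can take a while with many servers.

$report = @()

# One getter per virtual directory type; each returns one object per server instance.
$getters = [ordered]@{
    'OWA'        = { Get-OwaVirtualDirectory }
    'ECP'        = { Get-EcpVirtualDirectory }
    'EWS'        = { Get-WebServicesVirtualDirectory }
    'PowerShell' = { Get-PowerShellVirtualDirectory }
}

foreach ($type in $getters.Keys) {
    foreach ($vdir in (& $getters[$type])) {
        $report += [pscustomobject]@{
            Server        = $vdir.Server
            VirtualDir    = $type
            TokenChecking = $vdir.ExtendedProtectionTokenChecking
            Flags         = ($vdir.ExtendedProtectionFlags -join ',')
            # 'None' is the state the answer asks for on EWS/PowerShell while testing;
            # mark it so it does not silently stay that way once testing is over.
            Weakened      = ($vdir.ExtendedProtectionTokenChecking -eq 'None')
        }
    }
}

$report | Sort-Object Server, VirtualDir | Format-Table -AutoSize

$weak = @($report | Where-Object { $_.Weakened })
if ($weak.Count -gt 0) {
    Write-Warning ("{0} virtual director(ies) have ExtendedProtectionTokenChecking = None" -f $weak.Count)
    $weak | ForEach-Object { Write-Warning ("  {0}\{1}" -f $_.Server, $_.VirtualDir) }
}
```

Run it before and after the change so the EWS/PowerShell entries can be reverted to 'Allow' or 'Require' once the App Proxy test is finished.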