Extended Protection in combination with Azure AD app proxy

Stephan van den Heuvel 36 Reputation points
2024-02-26T15:45:04.9266667+00:00

Hello, We have deployed Azure AD application proxy connectors to access on-premises Exchange webmail. As soon as we enable Extended Protection on OWA, webmail is not working. No matter if it's set on 'Allow' or 'Require', it has to be set to 'Off'. Can someone tell me if either AAD app Proxy Connector or AAD app Proxy Service is acting as an SSL offloader? I've read that SSL offloading is not supported. If so, will there be support to enable ExtProt in such situation? Thank you. Regards,
Stephan

Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,131 questions
0 comments No comments
{count} vote

Accepted answer
  1. Andy David - MVP 149.1K Reputation points MVP
    2024-02-26T16:02:44.8366667+00:00
    2 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Samuel Stoica 0 Reputation points Microsoft Agency Temporary
    2024-04-22T11:04:59.2666667+00:00

    Please be so kind as to test the following:

    1. For each Exchange Server, remove the "Require SSL" flag under IIS Manager > Default Website > OWA > SSL Settings.
    2. For Modern Hybrid, the Extended Protection Token Checking for the EWS virtual directory should be set to NONE:

    Set-WebServicesVirtualDirectory -Identity 'ServerName\EWS (Default Web Site)' -ExtendedProtectionTokenChecking 'None'

    1. Similarly, set the Extended Protection Token Checking to NONE for the PowerShell virtual directory:

    Set-PowerShellVirtualDirectory -Identity 'ServerName\PowerShell (Default Web Site)' -ExtendedProtectionTokenChecking 'None'

    1. If you're using a Reverse Proxy, ADFS, or something similar, please switch from Preauthentication to Passthrough authentication.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.