This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 31%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESV%3C/text%3E%3C/svg%3E)
Hello,
We have deployed Azure AD application proxy connectors to access on-premises Exchange webmail.
As soon as we enable Extended Protection on OWA, webmail is not working. No matter if it's set on 'Allow' or 'Require', it has to be set to 'Off'.
Can someone tell me if either AAD app Proxy Connector or AAD app Proxy Service is acting as an SSL offloader? I've read that SSL offloading is not supported.
If so, will there be support to enable ExtProt in such situation?
Thank you.
Regards,
Stephan
Using Entra Proxy is not supported with on-prem Exchange and OWA/ECP:
https://learn.microsoft.com/en-us/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide
Hello Andy,
Thanks for pointing out.
I can't see the date, but I don't believe that note has always been there.
AFAIK it was supported before and we are succesfully running on-prem OWA behind AAD app proxy for more than two years.
I guess we just leave extended protection for what it is.
Regards,
Stephan
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 47%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
@Stephan van den Heuvel I agree this is news to me and we are in the same boat as you. That "note" also is refer to a hybrid modern authentication...hybrid environments which we are not.
Yea that unsupported note has been there for years actually in different forms. Not sure why they buried it in that particular doc.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 92%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Please be so kind as to test the following:
Set-WebServicesVirtualDirectory -Identity 'ServerName\EWS (Default Web Site)' -ExtendedProtectionTokenChecking 'None'
Set-PowerShellVirtualDirectory -Identity 'ServerName\PowerShell (Default Web Site)' -ExtendedProtectionTokenChecking 'None'