This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi,
I have Exchange 2019 DAG with 4 EX servers. IIS ARR 3.0 server was installed in DMZ zone for filtering purposes. I had to enable SSL offloading feature in order to forward http unencrypted traffic to upstream servers. Exchange 2019 has two CAS: frontend and backend. "SSL required" checkbox was unset on frontend side for all apps in EX servers. I found some articles how to set ARR for Exchange but not for 2019 and not for DAG. However, ARR works and Outlook app works fine through this reverse proxy. Only OWA caused the login page loop problem.
If I open owa web page, enter my credentials, page just redirects me to login page again with filled username. There are no errors in ARR logs:
2021-06-29 16:40:22 10.0.0.6767 POST /owa/auth.owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=cd3c9628-...-5aa42f0bf118&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 13
2021-06-29 16:40:22 10.0.0.6767 GET /owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.83&X-ARR-LOG-ID=b6e2f90d-...-50d96e4ec209&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 6
2021-06-29 16:40:22 10.0.0.6767 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.domain.com%2fowa&reason=0&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.84&X-ARR-LOG-ID=a9cbe07a-...-d53c52885c89&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 14
2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/logon.aspx replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.81&X-ARR-LOG-ID=216288a5-...-a5c2db240935&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.domain.com%2fowa&reason=0 200 0 0 54
2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/15.2.792/themes/resources/segoeui-regular.ttf X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=97e05718-...-84738c26e4eb&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 78
What did I miss?
Thanks!
Hi @HeavenBay
Would you share with us which article did you follow?
Did you follow the guide in this link: Part 1: Reverse Proxy for Exchange Server 2013 using IIS ARR
Thanks in advance for your update.
@HeavenBay I too have been working on this very same problem with Exch 2019 on prem. In addition to those same articles you referenced, I have also followed the instructions at:
configuring-ssl-offloading-in-exchange-2013-exchange-2013-help to enable SSL offloading.
Like you, I have narrowed the problem down to the cookie behavior and have been working through the issues highlighted in
But have not got it working yet.
Hi WCW65-9345,
configuring-ssl-offloading-in-exchange-2013-exchange-2013-help to enable SSL offloading.
Cool article - thanks! However, not work too.
@HeavenBay I got it working. After ensuring you have SSL Offloading setup per the prior link I sent, you then need to ensure samesite cookies through the outbound rules.
I just followed the instructions in this article for samesite cookies and now my login loop is no longer happening. Site is working fine with SSL offload and login.
The article is part of the Url Rewriting series part 6 of 6 by the author. It has been very helpful with ARR issues for me.
Hi KaelYao-MSFT,
Thank you for an answer!
Sure, a lot of them (the mostly are copies of each other). I made a compilation of all of them. Some of them:
Your article says that "Select Routing Rules and uncheck Enable SSL Offloading as it is not supported in Exchange 2013." This is my fail probably. But this is for Exchange 2013 and we have 2019 with last CU. Probably something changed in this technology. I hope that and I also opened case in MS support.
I also made an experiment: if I disable ARR redirection and login to OWA directly, browser gets generated cookie. If then I close this browser, enable ARR redirection and open mail.detmir.ru/owa again I WILL see my mailbox! However, if I delete all cookies, re-open browser and try to login with ARR redirection I find that cookie won’t be generated and I can’t login to OWA.
I guess that something wrong with cookie generation when OWA is using.