Hi,
I have an Exchange 2019 DAG with 4 EX servers. An IIS ARR 3.0 server was installed in the DMZ zone for filtering purposes. I had to enable the SSL offloading feature in order to forward unencrypted HTTP traffic to the upstream servers. Exchange 2019 has two CAS: frontend and backend. The "SSL required" checkbox was unset on the frontend side for all apps on the EX servers. I found some articles on how to set up ARR for Exchange, but not for 2019 and not for a DAG. However, ARR works and the Outlook app works fine through this reverse proxy. Only OWA has the login page loop problem.
If I open the OWA web page and enter my credentials, the page just redirects me to the login page again with the username filled in. There are no errors in the ARR logs:
2021-06-29 16:40:22 10.0.0.6767 POST /owa/auth.owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=cd3c9628-...-5aa42f0bf118&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 13
2021-06-29 16:40:22 10.0.0.6767 GET /owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.83&X-ARR-LOG-ID=b6e2f90d-...-50d96e4ec209&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 302 0 0 6
2021-06-29 16:40:22 10.0.0.6767 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.domain.com%2fowa&reason=0&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.84&X-ARR-LOG-ID=a9cbe07a-...-d53c52885c89&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 14
2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/logon.aspx replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.81&X-ARR-LOG-ID=216288a5-...-a5c2db240935&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?url=https%3a%2f%2fmail.domain.com%2fowa&reason=0 200 0 0 54
2021-06-29 16:40:24 10.0.0.6767 GET /owa/auth/15.2.792/themes/resources/segoeui-regular.ttf X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=97e05718-...-84738c26e4eb&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/91.0.4472.124+Safari/537.36 https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.domain.com%2fowa 200 0 0 78
What did I miss?
Thanks!
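An added example, not part of the original post: a small Python parser for the ARR log lines above that extracts the backend (`SERVER-ROUTED`) and status for each request and flags the loop signature visible in them (POST `/owa/auth.owa` answered with 302, GET `/owa` answered with 302, then the logon form again). The field order is assumed from the posted lines, and the sample is a shortened, constructed copy of the first three.

```python
from urllib.parse import parse_qs

# Constructed sample: the first three log lines from the post, with the user
# agent, referer and X-ARR-LOG-ID shortened. Field order is assumed from them.
SAMPLE = """\
2021-06-29 16:40:22 10.0.0.6767 POST /owa/auth.owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.82&X-ARR-LOG-ID=id1&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0 https://mail.domain.com/owa/auth/logon.aspx 302 0 0 13
2021-06-29 16:40:22 10.0.0.6767 GET /owa X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.83&X-ARR-LOG-ID=id2&SERVER-STATUS=302 443 - 192.168.1.66 Mozilla/5.0 https://mail.domain.com/owa/auth/logon.aspx 302 0 0 6
2021-06-29 16:40:22 10.0.0.6767 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.domain.com%2fowa&reason=0&X-ARR-CACHE-HIT=0&SERVER-ROUTED=172.16.1.84&X-ARR-LOG-ID=id3&SERVER-STATUS=200 443 - 192.168.1.66 Mozilla/5.0 https://mail.domain.com/owa/auth/logon.aspx 200 0 0 14
"""

# (method, path, status) of the loop seen in the post: credentials are posted,
# the redirect to /owa is followed, and /owa redirects back to the logon form.
LOOP = [("POST", "/owa/auth.owa", 302), ("GET", "/owa", 302),
        ("GET", "/owa/auth/logon.aspx", 200)]
AUTH_PATHS = {step[1] for step in LOOP}


def parse_line(line):
    """Parse one ARR/IIS log line; return None for headers or short lines."""
    f = line.split()
    if line.startswith("#") or len(f) != 15:
        return None
    q = parse_qs(f[5])  # ARR appends SERVER-ROUTED / SERVER-STATUS to the query
    return {"time": f"{f[0]} {f[1]}", "client": f[8], "method": f[3],
            "path": f[4].lower().rstrip("/"), "status": int(f[11]),
            "backend": q.get("SERVER-ROUTED", [None])[0],
            "backend_status": q.get("SERVER-STATUS", [None])[0]}


def find_login_loops(lines):
    """Return one record per client sequence matching LOOP, ignoring
    interleaved requests for static resources."""
    history, loops = {}, []
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] not in AUTH_PATHS:
            continue
        seq = history.setdefault(rec["client"], [])
        seq.append(rec)
        last = seq[-3:]
        if [(r["method"], r["path"], r["status"]) for r in last] == LOOP:
            loops.append({"client": rec["client"], "time": last[0]["time"],
                          "backends": [r["backend"] for r in last]})
    return loops


if __name__ == "__main__":
    for loop in find_login_loops(SAMPLE.splitlines()):
        print(loop)
```

On the sample it reports one loop for client 192.168.1.66, with the three steps served by 172.16.1.82, 172.16.1.83 and 172.16.1.84 in turn.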


Hi KaelYao-MSFT,
Thank you for the answer!
Sure, a lot of them (they are mostly copies of each other). I made a compilation of all of them. Some of them:
Your article says: "Select Routing Rules and uncheck Enable SSL Offloading as it is not supported in Exchange 2013." This is probably my mistake. But this is for Exchange 2013 and we have 2019 with the latest CU. Probably something has changed in this technology. I hope so, and I have also opened a case with MS support.
I also did an experiment: if I disable ARR redirection and log in to OWA directly, the browser gets a generated cookie. If I then close the browser, enable ARR redirection and open mail.detmir.ru/owa again, I WILL see my mailbox! However, if I delete all cookies, re-open the browser and try to log in with ARR redirection, I find that the cookie won't be generated and I can't log in to OWA.
I guess that something is wrong with cookie generation when OWA is used.