Marcde_J
New Member
July 13, 2023
Question

Virtual Server - Outlook > Exchange

  • July 13, 2023
  • 7 replies
  • 10602 views

Please can someone urgently assist.

 

I have upgraded to OS 7.4 on my 200E.

 

Created virtual servers for my internal setups.

 

The Virtual Server for Microsoft Exchange / Email connectivity (HTTPS) works perfectly on mobile (iOS, Android) but refuses to work on Outlook?

No errors in logs etc. Any ideas?

    7 replies

    abarushka
    Staff
    July 13, 2023

    Hello,

     

    I assume that MS Outlook is configured to use a protocol other than HTTPS. Therefore, you may need to configure another virtual server for a different protocol.

    Marcde_J
    Author
    New Member
    July 14, 2023

    The only protocol is HTTPS, and MAPI over HTTPS.

    In my same setup with a Virtual IP the firewall policy with only service enabled being HTTPS works just fine?

    abarushka
    Staff
    July 17, 2023

    Hello,

     

    You may consider sniffing traffic on the FortiGate (Microsoft Exchange facing interface) and trying to reproduce the issue. It will give you a hint whether the TCP/TLS session was established successfully.

    Marcde_J
    Author
    New Member
    September 20, 2023

    I see on the 7.4.1 CLI there is:
    set outlook-web-access enable|disable

    I upgraded, however I still cannot set it on the CLI?
    Command parse error. I assume the above would fix my issue?

    abarushka
    Staff
    September 20, 2023

    Hello,

     

    I can see such setting in case of https virtual server:

     

    config firewall vip
        edit "abc"
            set type server-load-balance
            set server-type https
            set extip a.b.c.d
            set extintf "any"
            set extport abc
            config realservers
                edit 1
                    set ip a.b.c.d
                    set port abc
                next
            end
        next
    end

     

     # set outlook-web-access
    disable Disable Outlook Web Access support.
    enable Enable Outlook Web Access support.

    Marcde_J
    Author
    New Member
    September 20, 2023

    Hello. Yes. My issue is that I get the following error when trying to configure:

    set outlook-web-access

    command parse error before 'outlook-web-access'
    Command fail. Return code -61

    Marcde_J
    Author
    New Member
    January 25, 2024

    Hi All. We are revisiting this issue with our new 200F firewalls.

    We have observed the same behaviour when changing from VIP to Virtual Server - and can see the connection gets reset on POST from Outlook trying to get the Autodiscover XML file.

    Not sure if this provides any further clarity or help in trying to get this solution to work?

     

    BK_Bianko
    New Member
    March 27, 2024

    Hi @Marcde_J ,

    I am facing a very similar issue with MAPI over HTTP, reported also on several other communities, also with other firewall equipment. In my case I have a FortiGate 100E.

     

    Can you please elaborate a bit further on how you managed to:


    @Marcde_J wrote:

     

    We have observed the same behaviour when changing from VIP to Virtual Server - and can see the connection gets reset on POST from outlook trying to get the Autodiscover XML file.

     

    I tried both from Exchange with "netsh trace" and from the FortiGate with the packet capture, but all I can see is encrypted traffic. Did you manage to see traffic in clear? Have you solved it?

     

    Thank you,

    Francesco


     

     
     

     

     

    smaruvala
    Staff
    March 28, 2024

    Hi,

     

    - What was the previous version in which it was working?
    - I am suspecting the issue is seen with the MAPI communication.

    - Can you test with disabling the HTTP/2 version support on the virtual server?

    set h2-support disable

    https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Virtual-server-stops-working-after-upgrading/ta-p/246189

     

    Regards,

    Shiva

    BK_Bianko
    New Member
    March 28, 2024

    Hi @smaruvala ,

     

    nope, Outlook does use HTTP/1.1. Here below the Fiddler capture while starting Outlook:

    [Image: fiddler.jpg]

    smaruvala
    Staff
    April 2, 2024

    Hi, 

     

    - Is there any communication towards the server which uses HTTP/2?

    - Are you using Fiddler Classic? If I am not wrong, Fiddler Classic does not support the h2 protocol.

    - I would suggest testing with HTTP/2 disabled in the virtual server and verifying it. I have seen a couple of issues related to Exchange servers which were related to the HTTP/2 version.

     

    Regards,

    Shiva

    Marcde_J
    Author
    New Member
    April 2, 2024

    Hi All

    To date no solution whatsoever.

    smaruvala
    Staff
    April 2, 2024

    Hi,

     

    Can you try to disable the support for http2 in the virtual server and test if it works correctly?

    config firewall vip
        edit <virtual_server_name>
            set h2-support disable
        next
    end

     

    Regards,

    Shiva

    MikeLa
    New Member
    April 4, 2024

    I faced the same issue.
    We got this working on FortiOS 7.4.0
    using set http-supported-max-version http1 instead of set h2-support disable
    and enabling full SSL inspection.
    Here is a working config sample:

    config firewall vip
        edit "_reverse proxy"
            set type server-load-balance
            set extip X.X.X.119
            set extintf "any"
            set server-type https
            set ldb-method http-host
            set persistence http-cookie
            set extport 443
            config realservers
                edit 1
                    set ip X.X.X.55
                    set port 443
                    set http-host "abc.xyz.eu"
                next
                edit 2
                    set ip X.X.X.80
                    set port 443
                    set http-host "mail.xyz.eu"
                next
                edit 3
                    set ip X.X.X.80
                    set port 443
                    set http-host "autodiscover.xyz.eu"
                next
            end
            set http-supported-max-version http1
            set ssl-mode full
            set ssl-certificate "STAR.xyz.23-23.pfx"
        next
    end


    Regards,
    Mike

    fortimaxusa
    New Member
    December 13, 2024

    Thinking outside the box here. I am just curious if you must use virtual server-type HTTPS (L7 balancer). Exchange 2016/2019 CAS/Mailbox role does not require session persistence because all sessions are stateless. There is no affinity requirement. Do not use NAT in the firewall policy to retain the source IP in the server logs. Finally, virtual servers support up to 5 health-check monitors of any type including the desirable HTTPS independently of the virtual server-type. You probably already configured them for the Exchange virtual directories... looking for "200 OK" response from healthcheck.htm. Why can you not use virtual server-type TCP (L4 balancer) instead and reduce proxy concerns at the FortiGate?
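
A sketch of the L4 alternative described in the last reply, added here as an example and not taken from any poster's configuration. The object names, the X.X.X.* addresses, the `/owa/healthcheck.htm` path and the monitor timings are assumptions to adapt.

```fortios
# Added example: L4 (TCP) virtual server with an independent HTTPS health check.
# All names and addresses below are placeholders.
config firewall ldb-monitor
    edit "exch-owa-https"
        set type https
        set port 443
        # Assumed path: the OWA virtual directory's healthcheck.htm
        set http-get "/owa/healthcheck.htm"
        set http-match "200 OK"
        set interval 10
        set timeout 2
        set retry 3
    next
end

config firewall vip
    edit "exchange-l4"
        set type server-load-balance
        # TCP server type: the FortiGate forwards the TLS stream and does not
        # proxy HTTP, so the HTTP version and certificate settings of the
        # https server type do not apply.
        set server-type tcp
        set extip X.X.X.119
        set extintf "any"
        set extport 443
        set ldb-method round-robin
        set monitor "exch-owa-https"
        config realservers
            edit 1
                set ip X.X.X.80
                set port 443
            next
            edit 2
                set ip X.X.X.81
                set port 443
            next
        end
    next
end
```

With `server-type tcp` the FortiGate cannot read the Host header, so the `ldb-method http-host` routing from the earlier sample is not available; every real server behind this VIP has to answer for all published hostnames with its own certificate.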