Friday, 8 April 2016

Configure NGINX with Exchange 2010, 2013 and 2016 (including RPC / Outlook Anywhere access)

I have seen many threads on the internet with people complaining about RPC and Exchange (getting Outlook Anywhere to work).

I have also seen several configurations, none of which worked correctly for me.

My configuration should work for 2010, 2013 and 2016:

server {
  listen 192.168.0.1:443 ssl;
  server_name owa.myserver.com;
  ssl_certificate /etc/nginx/ssl/cert.pem;
  ssl_certificate_key /etc/nginx/ssl/key.key;
  access_log  /var/log/nginx/mydomain.access.log  combined;
  error_log  /var/log/nginx/mydomain.error.log;
  # allow large request bodies and stream them to Exchange instead of buffering
  client_max_body_size 3G;
  proxy_request_buffering off;
  ssl_session_timeout     5m;
  tcp_nodelay on;
  proxy_http_version      1.1;
  proxy_read_timeout      360;
  proxy_pass_header       Date;
  proxy_pass_header       Server;
  proxy_pass_header       Authorization;
  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
  proxy_pass_request_headers on;
  # more_set_input_headers and more_set_headers require the headers-more module
  more_set_input_headers 'Authorization: $http_authorization';
  proxy_set_header Accept-Encoding "";
  # on 401 responses, replace WWW-Authenticate so that only Basic is offered
  more_set_headers -s 401 'WWW-Authenticate: Basic realm="fqdnofyourexchangeserver"';
  # stream responses to the client instead of buffering them
  proxy_buffering off;
  proxy_set_header Connection "Keep-Alive";
  # anything that is not one of the Exchange paths below goes to OWA
  location / {
    return 301 https://owa.myserver.com/owa;
  }
  location ~* ^/owa { proxy_pass https://fqdnofyourexchangeserver; }
  location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://fqdnofyourexchangeserver; }
  location ~* ^/ecp { proxy_pass https://fqdnofyourexchangeserver; }
  location ~* ^/rpc { proxy_pass https://fqdnofyourexchangeserver; }
}
# redirect all http traffic to https
server {
  listen 80;
  server_name owa.myserver.com;
  return 301 https://$host$request_uri;
}

** Note: Remember to use 'BASIC' authentication within the Outlook Anywhere connection setup, as NGINX does not support NTLM authentication, unless you have the 'Enterprise' edition. **

** Note 2: Also ensure that 'Windows Authentication' is disabled in your IIS application settings for EWS, OWA etc., as NGINX will return an error 401 if 'Basic Authentication' is not enabled. **

2 comments:

  1. Does more_set_input and more_set_headers work on open source version?
    I tried and it didn't work for me.

    1. You will need to install the 'headers more' module for nginx: https://www.nginx.com/resources/wiki/modules/headers_more/.

      This will need to be configured before compilation of the software - so your distro's repo might not have it installed - you should be able to check if it's available with /sbin/nginx -V

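The module check mentioned in the reply above, as an added example that is not part of the original post or its comments. It classifies whether headers-more is compiled in, loaded as a dynamic module, or absent, since more_set_input_headers and more_set_headers fail without it. Assumptions: the function name headers_more_status is hypothetical, the sample outputs are constructed, and a dynamic build is taken to use the usual file name ngx_http_headers_more_filter_module.so.

```shell
#!/bin/sh
# Added example: classify how headers-more is available to an nginx build.
# Inputs are text, so the logic can be tried on saved output:
#   $1 = output of `nginx -V 2>&1` (-V prints to stderr), $2 = output of `nginx -T`

headers_more_status() {
    build=$1
    conf=$2
    # Compiled in statically: module source path in an --add-module= argument.
    if printf '%s\n' "$build" | grep -Eq -- '--add-module=[^ ]*headers-more'; then
        echo static
        return 0
    fi
    # Dynamic module: only usable when an uncommented load_module line loads it.
    if printf '%s\n' "$conf" |
        grep -Eq '^[[:space:]]*load_module[[:space:]]+[^#;]*ngx_http_headers_more_filter_module\.so'; then
        echo dynamic
        return 0
    fi
    # Built as a dynamic module but never loaded: more_set_* directives will fail.
    if printf '%s\n' "$build" | grep -Eq -- '--add-dynamic-module=[^ ]*headers-more'; then
        echo built-not-loaded
        return 1
    fi
    echo missing
    return 1
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_STATIC='nginx version: nginx/X.Y.Z
configure arguments: --with-http_ssl_module --add-module=/usr/src/headers-more-nginx-module'
SAMPLE_PLAIN='nginx version: nginx/X.Y.Z
configure arguments: --with-http_ssl_module --with-http_v2_module'
SAMPLE_CONF_LOADED='load_module modules/ngx_http_headers_more_filter_module.so;
events {}'
SAMPLE_CONF_COMMENTED='# load_module modules/ngx_http_headers_more_filter_module.so;
events {}'

headers_more_status "$SAMPLE_STATIC" "" || true
headers_more_status "$SAMPLE_PLAIN" "$SAMPLE_CONF_LOADED" || true
headers_more_status "$SAMPLE_PLAIN" "$SAMPLE_CONF_COMMENTED" || true

# On a real host:
#   headers_more_status "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"
```

A result of missing or built-not-loaded means the Basic-only WWW-Authenticate rewrite in the configuration above cannot take effect, and nginx will refuse to start with the more_set_* directives present.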