Exchange OWA IM integration with S4B with HAProxy in between not working

  • Question

  • Hello,

    We recently added an HAProxy load-balancer for our Exchange server, and everything runs fine through it.

    Then, we decided to change the internal records (autodiscover, ews, mail) to also point to those HAProxy instances (because we have some services using EWS that can gain from having the connectivity to the Exchange servers load balanced). Before that, the internal DNS records were pointing directly at the Exchange servers.

    Sadly, after doing so, the Instant Messaging on OWA stopped working, and the logs were showing SignIn Timeout. We made sure the S4B servers are allowed to contact the HAProxy; we saw EWS and Autodiscover flow without issues, but it still wouldn't work.

    So to summarize:

    S4B Servers -->  (resolve DNS)  --> Exchange Servers: OWA IM Working

    S4B Servers -->  HAProxy(s) Virtual IP  --> Exchange Servers:  OWA IM not Working

    As soon as we changed the Hosts file on the S4B front end servers to point back to the Exchange Servers directly, it worked again.

    Does anyone have any experience with this? Is this scenario not supported?

    Thank you


    Wednesday, November 20, 2019 8:42 AM

Answers

  • Damn, after spending 3 days reading 50 internet blogs and posts, the final thing that did the trick was to make sure the certificate assigned for UM was the IIS certificate.

    This must be the worst documentation ever: on Exchange 2013, having a wildcard for IIS and a specific SAN one assigned to UM works wonders. I don't even know why MS is letting us specify SettingsOverride with a custom certificate Thumbprint, if in the end we are forced to use the IIS one.

    We ended up creating an internal IIS non-wildcard certificate with all the SANs needed, and it worked like a charm.

    Also: the port created by the CsTrustedApplicationPool? Completely useless, never listens on any computer.

    Friday, November 22, 2019 3:46 PM
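The accepted answer comes down to one check: the certificate bound to IIS must be the same one assigned to UM, and its SANs must cover the name the Skype for Business trusted-application pool resolves to. The script below is an added example, not code from the thread; it assumes the Exchange Management Shell on one Exchange server, and the pool FQDN `owa.domain.com` is a placeholder taken from the thread.

```powershell
# Added example (not from the thread): in the Exchange Management Shell, confirm
# that the certificate bound to IIS is also the one assigned to UM, and that its
# SANs cover the name used by the Skype for Business trusted-application pool.
# $PoolFqdn is an assumed placeholder; replace it with your pool FQDN.
param([string]$PoolFqdn = 'owa.domain.com')

function Test-NameCovered {
    param([string[]]$Domains, [string]$Name)
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.domain.com matches owa.domain.com
        # but not a.b.domain.com, hence the label-count comparison.
        if ($d.StartsWith('*.') -and ($Name -like $d) -and
            ($Name.Split('.').Count -eq $d.Split('.').Count)) { return $true }
    }
    return $false
}

$certs = Get-ExchangeCertificate -Server $env:COMPUTERNAME
# Services is a flags value; \bUM\b matches "UM" but not "UMCallRouter".
$iis = $certs | Where-Object { $_.Services.ToString() -match '\bIIS\b' } | Select-Object -First 1
$um  = $certs | Where-Object { $_.Services.ToString() -match '\bUM\b' }  | Select-Object -First 1

if (-not $iis) { Write-Warning 'No certificate is bound to IIS on this server.'; return }
if (-not $um)  { Write-Warning 'No certificate is assigned to the UM service.'; return }

if ($iis.Thumbprint -ne $um.Thumbprint) {
    Write-Warning ("IIS uses {0} but UM uses {1}; the thread's fix was to assign the IIS certificate to UM." -f `
        $iis.Thumbprint, $um.Thumbprint)
} else {
    Write-Host "IIS and UM share certificate $($iis.Thumbprint)"
}

# CertificateDomains holds the SAN entries; normalise them to plain strings.
$sans = @($iis.CertificateDomains | ForEach-Object { $_.ToString() })
if (-not (Test-NameCovered -Domains $sans -Name $PoolFqdn)) {
    Write-Warning "$PoolFqdn is not covered by the IIS certificate SANs: $($sans -join ', ')"
}
if ($iis.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "IIS certificate expires on $($iis.NotAfter)"
}
```

Run it on each Exchange server behind the load balancer, since a mismatch on a single node only shows up when HAProxy happens to route the S4B connection to that node.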

All replies

  • Port 5199 is used when you create CSTrustedApplication to setup the integration. Does your HAProxy allow this?

    I have a guide here for the setup: https://gallery.technet.microsoft.com/Installing-Skype-for-78703118?redir=0

    Check the part IM in OWA in the documentation.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Off2work

    Wednesday, November 20, 2019 11:31 AM
  • Hello,

    Indeed we set up the Trusted Application Pool with a port, but I was not sure in which way it is used and what the final connection flow between Exchange and S4B will be.

    So, having declared it, what does it try to do?

    Exchange Server(s) -->  request on port 5199 (Skype Pool Address) --> S4B Servers ?

    Or

    S4B Server(s) -->  request on port 5199 (HAProxy) --> Exchange Server(s) ?

    Or something else?

    Also note that on our Exchange 2013 installation (we are deploying 2016, that's when we realized the issue), we used to have zero CsTrustedApplicationPool (so no Port) declared, and everything was working fine.

    Thanks for your reply.


    Wednesday, November 20, 2019 11:52 AM
  • Hi, it is Skype that will connect to Exchange using that port. If you haven't configured it before, then it is just by chance that this feature is working. If those DNS records (EWS, Autodiscover, Mail) are pointing to Exchange 2016 servers, then I recommend you set up the integration using the guide. There are other steps that have to be done to get this to work as well.

    Wednesday, November 20, 2019 1:47 PM
  • Hello,

    I checked your PDF, and I see that you only use one Trusted Application for Exchange.

    In our case, we have 6 servers in total. How should we proceed? Would those steps be correct?:

    1. Create a certificate with e.g. owa.domain.com, and assign for IM on all Exchange servers
    2. Create a Trusted Application / Pool with owa.domain.com and port 5199
    3. Point the DNS record of owa.domain.com to HAProxy (and allow S4B Servers to contact them on port 5199)
    4. Open port 5199 on Exchange servers

    Thanks

    Wednesday, November 20, 2019 2:05 PM
  • If possible, you can assign the service to an existing certificate for easier management. Otherwise it is fine to create a new certificate for this purpose.

    Have you tested by editing the hosts file on the SFB servers to point to the Ex2016 server to see if it works? I guess in your HAProxy it only points traffic to the new Exchange 2016 servers? I guess it should be fine to set up CsTrustedApplication to point to HAProxy if it supports it. Is it used for both internal and external traffic? What about the other way, from Exchange to SFB servers? That should be a part of my documentation too.


    Thursday, November 21, 2019 7:18 AM
  • Pointing directly to the Exchange servers seems to work fine, but it's true those ports were not allowed by HAProxy (as I didn't know the flow with those ports would be from S4B Servers to Exchange).

    We will make more tests with the steps I indicated to see if it works, will let you know.

    For the certificate, we only have wildcard certificates next to server FQDN certificates, and I guess we cannot use them for OWA IM certificate. We will just create a new internal one, won't be a problem.

    The HAProxies are used for both external and internal traffic.

    Thursday, November 21, 2019 7:25 AM
  • Also, how does Exchange know it now has to listen on port 5199?

    Because if that is the case, I suppose in much of the documentation we should see this port being allowed on the Exchange servers' firewall. Also, a netstat -a doesn't show Exchange listening on this port after declaring the CsTrustedApplication.
    Thursday, November 21, 2019 8:46 AM
  • Have you done the steps in my guide? There are steps you need to do on the Exchange server side as well and not only the SFB side.

    Thursday, November 21, 2019 9:58 AM
  • We followed the steps, and also found online that because we have multiple servers, we had to create an Application Pool with multiple computers on S4B.

    The thing now:

    • On Exchange 2013 OWA: we can sign in to IM, we can send IM messages, and if someone replies from the S4B client, it works.
    • On Exchange 2016 OWA: we can sign in to IM, we can send IM messages, BUT if someone replies from the S4B client, it doesn't work, with the message "The action couldn't be completed. Please try again later."

    At this point neither the Exchange nor the Skype servers seem to show errors that could lead us to the source of why messages cannot go back to Exchange 2016.

    Thursday, November 21, 2019 11:11 AM