Otdfbt

Is there a risk to write an invitation letter for a stranger to obtain a Czech (Schengen) visa?

How can I maintain game balance while allowing my player to craft genuinely useful items?

Why can't I craft scaffolding in Minecraft 1.14?

Right indicator flash-frequency has increased and rear-right bulb is out

Operator currying: how to convert f[a,b][c,d] to a+c,b+d?

Print the new site header

How did Frodo know where the Bree village was?

How can caller ID be faked?

First occurrence in the Sixers sequence

How can I prevent a user from copying files on another hard drive?

How to recover a single blank shot from a film camera

Would a 7805 5v regulator drain a 9v battery?

How useful is the GRE Exam?

What is this airplane that sits in front of Barringer High School in Newark, NJ?

You may find me... puzzling

I have found ports on my Samsung smart tv running a display service. What can I do with it?

In the US, can a former president run again?

Got a new frameset, don't know why I need this split ring collar?

Is swap gate equivalent to just exchanging the wire of the two qubits?

Using roof rails to set up hammock

Can a character with the Polearm Master feat make an opportunity attack against an invisible creature that enters their reach?

What is the context for Napoleon's quote "[the Austrians] did not know the value of five minutes"?

How could I create a situation in which a PC has to make a saving throw or be forced to pet a dog?

Time at 1G acceleration to travel 100 000 light years

Outlook Anywhere not working through proxy with HTTPS inspection

Proper syntax for generating an SSL certificate CSR to protect an Exchange 2007 serverExchange 2003 Outlook Anywhere - Changed certificate, not workingOutlook Anywhere asking for passwordOWA, Outlook Anywhere, RPCPing InconsistenciesClarifying terminology: MAPI vs RPC/HTTPS vs Outlook AnywhereLocal CA for remote web serverOutlook Anywhere remote https connection issueExchange 2010 Outlook Anywhere not working - RPC Proxy, Address Book?Linux HTTPS Header inspectionApache2.4: Forward proxy for client certificate authentication to IIS7

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

2

I'm currently working at a customer's site where they use a web proxy with HTTPS inspection: for each HTTPS connection, the proxy acts as a man-in-the-middle by terminating the HTTPS channel, generating a new certificate using its own internal CA and presenting it to the client; of course, the client complains about the certificate being invalid: in order to avoid this, I've imported the proxy root certificate in my computer's local certificate store. I can succesfully browse HTTPS web sites and I receive no warnings; this includes OWA on my company's Exchange server.

However, Outlook Anywhere (which uses the exact same public name and certificate as OWA) doesn't work. Outlook gives no error messages, it simply doesn't connect at all.

Why? And How can I fix this?

proxy exchange-2010 ssl-certificate https outlook-anywhere

share|improve this question

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  In the Microsoft Exchange Proxy Settings (Outlook Anywhere) in Outlook, have you tried unchecking "Only connect to proxy servers that have this principal name in their certificate"?
  
  – 1.618
  Apr 17 '13 at 13:12
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That was my first guess. But it gets automatically checked again as soon as I launch Outlook.
  
  – Massimo
  Apr 17 '13 at 13:48
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is it being set by Group Policy?
  
  – 1.618
  Apr 17 '13 at 14:35
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  No, there's no GPO configuring that; and anyway, my laptop is not even joined to the domain.
  
  – Massimo
  Apr 17 '13 at 14:44
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Do you get any useful feedback using the downloadable client from www.testexchangeconnectivity.com ? I haven't used it in a while, but I think it supports Outlook Anywhere tests.
  
  – Jeremy Lyons
  Apr 18 '13 at 3:24
  

  
  
  
  

 | 
show 2 more comments

2

I'm currently working at a customer's site where they use a web proxy with HTTPS inspection: for each HTTPS connection, the proxy acts as a man-in-the-middle by terminating the HTTPS channel, generating a new certificate using its own internal CA and presenting it to the client; of course, the client complains about the certificate being invalid: in order to avoid this, I've imported the proxy root certificate in my computer's local certificate store. I can succesfully browse HTTPS web sites and I receive no warnings; this includes OWA on my company's Exchange server.

However, Outlook Anywhere (which uses the exact same public name and certificate as OWA) doesn't work. Outlook gives no error messages, it simply doesn't connect at all.

Why? And How can I fix this?

proxy exchange-2010 ssl-certificate https outlook-anywhere

share|improve this question

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  In the Microsoft Exchange Proxy Settings (Outlook Anywhere) in Outlook, have you tried unchecking "Only connect to proxy servers that have this principal name in their certificate"?
  
  – 1.618
  Apr 17 '13 at 13:12
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  That was my first guess. But it gets automatically checked again as soon as I launch Outlook.
  
  – Massimo
  Apr 17 '13 at 13:48
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Is it being set by Group Policy?
  
  – 1.618
  Apr 17 '13 at 14:35
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  No, there's no GPO configuring that; and anyway, my laptop is not even joined to the domain.
  
  – Massimo
  Apr 17 '13 at 14:44
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Do you get any useful feedback using the downloadable client from www.testexchangeconnectivity.com ? I haven't used it in a while, but I think it supports Outlook Anywhere tests.
  
  – Jeremy Lyons
  Apr 18 '13 at 3:24
  

  
  
  
  

 | 
show 2 more comments

I'm currently working at a customer's site where they use a web proxy with HTTPS inspection: for each HTTPS connection, the proxy acts as a man-in-the-middle by terminating the HTTPS channel, generating a new certificate using its own internal CA and presenting it to the client; of course, the client complains about the certificate being invalid: in order to avoid this, I've imported the proxy root certificate in my computer's local certificate store. I can succesfully browse HTTPS web sites and I receive no warnings; this includes OWA on my company's Exchange server.

However, Outlook Anywhere (which uses the exact same public name and certificate as OWA) doesn't work. Outlook gives no error messages, it simply doesn't connect at all.

Why? And How can I fix this?

proxy exchange-2010 ssl-certificate https outlook-anywhere

share|improve this question

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

share|improve this question

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

share|improve this question

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

asked Apr 17 '13 at 9:36

MassimoMassimo

53.6k45172288

2 Answers
2

active

oldest

votes

0

What is the proxy server they are using? I know with WinGate you can configure some pretty funky policies based on a number of things which may help you?

I would suggest you have a look through the proxy servers log files, it should give you a clue as to why it is failing.

share|improve this answer

answered Jul 12 '13 at 0:28

JaseJase

1116

add a comment | 

0

The Outlook client is behaving exactly as designed--it is effectively protecting your Outlook Anywhere traffic from a 'man-in-the-middle' attack.

The 'Only connect to proxy servers that have this principal name in their certificate' option is likely being re-asserted by the client autodiscover process--again, as designed.

I believe your only options are to (1) work with the deep-packet-inspection-firewall administrator to modify policies within the proxy server to handle your Outlook Anywhere traffic as an exception and eliminate the 'man-in-the-middle' inspection (e.g. convince the admin to 'trust' traffic from your Exchange Client Access Server), (2) see if the client can provide you with access to a 'guest' network which bypasses the deep-packet-inspection MITM proxy server, or (3) resign yourself to using OWA to access your mailbox while on that client's network.

share|improve this answer

answered Oct 8 '13 at 4:30

jnaabjnaab

900611

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f500119%2foutlook-anywhere-not-working-through-proxy-with-https-inspection%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

What is the proxy server they are using? I know with WinGate you can configure some pretty funky policies based on a number of things which may help you?

I would suggest you have a look through the proxy servers log files, it should give you a clue as to why it is failing.

share|improve this answer

answered Jul 12 '13 at 0:28

JaseJase

1116

add a comment | 

0

What is the proxy server they are using? I know with WinGate you can configure some pretty funky policies based on a number of things which may help you?

I would suggest you have a look through the proxy servers log files, it should give you a clue as to why it is failing.

share|improve this answer

answered Jul 12 '13 at 0:28

JaseJase

1116

add a comment | 

What is the proxy server they are using? I know with WinGate you can configure some pretty funky policies based on a number of things which may help you?

I would suggest you have a look through the proxy servers log files, it should give you a clue as to why it is failing.

share|improve this answer

answered Jul 12 '13 at 0:28

JaseJase

1116

share|improve this answer

answered Jul 12 '13 at 0:28

JaseJase

1116

answered Jul 12 '13 at 0:28

JaseJase

1116

answered Jul 12 '13 at 0:28

JaseJase

1116

0

The Outlook client is behaving exactly as designed--it is effectively protecting your Outlook Anywhere traffic from a 'man-in-the-middle' attack.

The 'Only connect to proxy servers that have this principal name in their certificate' option is likely being re-asserted by the client autodiscover process--again, as designed.

I believe your only options are to (1) work with the deep-packet-inspection-firewall administrator to modify policies within the proxy server to handle your Outlook Anywhere traffic as an exception and eliminate the 'man-in-the-middle' inspection (e.g. convince the admin to 'trust' traffic from your Exchange Client Access Server), (2) see if the client can provide you with access to a 'guest' network which bypasses the deep-packet-inspection MITM proxy server, or (3) resign yourself to using OWA to access your mailbox while on that client's network.

share|improve this answer

answered Oct 8 '13 at 4:30

jnaabjnaab

900611

add a comment | 

0

The Outlook client is behaving exactly as designed--it is effectively protecting your Outlook Anywhere traffic from a 'man-in-the-middle' attack.

The 'Only connect to proxy servers that have this principal name in their certificate' option is likely being re-asserted by the client autodiscover process--again, as designed.

I believe your only options are to (1) work with the deep-packet-inspection-firewall administrator to modify policies within the proxy server to handle your Outlook Anywhere traffic as an exception and eliminate the 'man-in-the-middle' inspection (e.g. convince the admin to 'trust' traffic from your Exchange Client Access Server), (2) see if the client can provide you with access to a 'guest' network which bypasses the deep-packet-inspection MITM proxy server, or (3) resign yourself to using OWA to access your mailbox while on that client's network.

share|improve this answer

answered Oct 8 '13 at 4:30

jnaabjnaab

900611

add a comment | 

The Outlook client is behaving exactly as designed--it is effectively protecting your Outlook Anywhere traffic from a 'man-in-the-middle' attack.

The 'Only connect to proxy servers that have this principal name in their certificate' option is likely being re-asserted by the client autodiscover process--again, as designed.

I believe your only options are to (1) work with the deep-packet-inspection-firewall administrator to modify policies within the proxy server to handle your Outlook Anywhere traffic as an exception and eliminate the 'man-in-the-middle' inspection (e.g. convince the admin to 'trust' traffic from your Exchange Client Access Server), (2) see if the client can provide you with access to a 'guest' network which bypasses the deep-packet-inspection MITM proxy server, or (3) resign yourself to using OWA to access your mailbox while on that client's network.

share|improve this answer

answered Oct 8 '13 at 4:30

jnaabjnaab

900611

share|improve this answer

answered Oct 8 '13 at 4:30

jnaabjnaab

900611

answered Oct 8 '13 at 4:30

jnaabjnaab

900611

answered Oct 8 '13 at 4:30

jnaabjnaab

900611