yesterday I tried to publish my Exchange Server via WAF and already worked around all the known pitfalls but was not successful at first attempt.
I always got an error "502 bad gateway" if surfing to any path of the Exchange server. Log files were not really helpful, they delivered something like:
2014:02:07-18:28:29 utm reverseproxy: [Fri Feb 07 18:28:29.496010 2014] [proxy_http:error] [pid 4381:tid 3954834288] (103)Software caused connection abort: [client 80.152.***.***:37824] AH01102: error reading status line from remote server 192.168.11.4:443
2014:02:07-18:28:29 utm reverseproxy: [Fri Feb 07 18:28:29.496104 2014] [proxy:error] [pid 4381:tid 3954834288] [client 80.152.***.***:37824] AH00898: Error reading from remote server returned by /owa/auth/logon.aspx
2014:02:07-18:28:29 utm reverseproxy: srcip="80.152.***.***" localip="92.50.***.***" size="417" user="-" host="80.152.***.***" method="GET" statuscode="502" reason="-" extra="-" time="231045" url="/owa/auth/logon.aspx" server="mail.************x.de" referer="-" cookie="cookieTest=1" set-cookie="-"
Finally I figured out, what went wrong: I created an internal CA for my network and rolled out computer certificates to all my servers, including the Exchange server.
However, as recommended by NIST and BSI I created a SHA2 CA with SHA512 and subsequent also the computer certificates are SHA512.
The publishing certificate for my Exchange, which I placed on the UTM was only SHA1 (signed by GeoTrust).
As I changed the internal Exchange certificate to SHA1 as well everything worked as expected.
Is there any chance to fix this behaviour?
Best regards,
Markus
