I have installed Exchange 2013 with Mailbox and Client Access Server Role.

For reverse proxy, I have configured Windows 2012 IIS ARR 2.5.

Although I am able to connect Outlook Web App using ARR, none of the other Exchange Web Services work (Autodiscover, OAB, OOF and Outlook Anywhere)

I have configured separate URL's for each of the services as per the TechNet blog article http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx

If I point my DNS to Exchange 2013 server directly, then everything works.

If I try to open the Autodiscover URL from ARR server https://fqdnofexchange/autodiscover/autodiscover.xml , I get HTTP Error 502.3 - Bad gateway

If I try to open the Autodiscover URL from ARR server https://fqdnofARR/autodiscover/autodiscover.xml , I get page cannot be displayed error.

I have cross checked the URL rewrite rules and they are configured exactly as per the document.

I have installed Exchange 2013 with Mailbox and Client Access Server Role.

For reverse proxy, I have configured Windows 2012 IIS ARR 2.5.

Although I am able to connect Outlook Web App using ARR, none of the other Exchange Web Services work (Autodiscover, OAB, OOF and Outlook Anywhere)

I have configured separate URL's for each of the services as per the TechNet blog article http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx

If I point my DNS to Exchange 2013 server directly, then everything works.

If I try to open the Autodiscover URL from ARR server https://fqdnofexchange/autodiscover/autodiscover.xml , I get HTTP Error 502.3 - Bad gateway

If I try to open the Autodiscover URL from ARR server https://fqdnofARR/autodiscover/autodiscover.xml , I get page cannot be displayed error.

I have cross checked the URL rewrite rules and they are configured exactly as per the document.

• Moved by Yan Li_Microsoft community contributor Monday, October 14, 2013 6:19 AM move to the right forum
• Merged by Simon_WuMicrosoft contingent staff, Moderator Monday, October 14, 2013 6:28 AM duplicate

Hi,

1. Whats the type of the certificate you use, is it a third-party or Enterprise CA?

If it is an Enterprise CA certificate, please make sure the root CA certificate is also installed in the ARR servers trust root cert store.

2. Try temporary disabling the AV programs or firewall and see whether the issue persists.

Thanks,

Simon

Hi,

We are using internal Microsoft CA. The root certificate has been installed on the ARR server.

Currently there is no antivirus software installed on the server.

Kindly find below the snapshots of configuration.

Let me know if you require any further information.

Hi

I get the same problem, ie autodiscover not working with ARR+Exchange 2013 for external users. I went through the log files and I think the problem comes from the way ARR process the first response 401 returned by the cas.

When you run an autodiscover from an external user, as the cas as 'Windows integrated' & 'basic authentication' enabled, the first request in basic is always failed with a 401 (information coming from a MS guy, but I am not an expert in authent challenge/response and IIS so I don't know the reason). BUT, it seems as if this is the normal behavior in IIS.

When the client gets this first 401, it sends a new request with the correct credentials encoded for a basic authent and then it's OK.

With ARR, the problem comes from the fact that ARR "maps" this error in a 502 - Bad Gateway error and sends it back to the client.

And this 502 stops autodiscover process as it considers that it's a permanent error :-(.

Just a test : temporarely disable 'Windows integrated' on autodiscover vdir on your cas and I think it will be ok.

It's just a test as if you do that, all internal users will be prompted to enter credentials for autodiscover.

Then, the problem is : how we configure ARR to just pass proxy errors as it without doing any mapping 401 -> 502 ?

One again, I am not en expert and perhaps you're facing another problem. But, if you can configure ARR to do that, I think we'll save together our problem.

• Marked as answer by Simon_WuMicrosoft contingent staff, Moderator Monday, October 21, 2013 5:19 PM

Hi,

Thanks for sharing the details. I will check on Monday and revert back.

Regards,

Joel D'Souza

Hi Jean,

This is exactly what is happening, disabling the Windows Authentication allowed the system to work perfectly, albeit with the extra requirements for internal users. I am currently trying to get ARR to stopping giving these errors ona 401 Challenge, will let you know if I have any luck.

Regards,

Ryan

Hi,

have you tried the following hotfix: http://www.microsoft.com/en-us/download/details.aspx?id=30333

Details: "This hotfix addresses a problem in Application Request Routing Version 2.5. When ARR is installed on Windows Server 2012, it fails to proxy Windows authentication."

Regards,

Patrik

• Proposed as answer by Jean-Christophe C.1 Tuesday, November 05, 2013 3:45 PM

Hi Patrik,

Yep, just installed the fix and ... it runs :-)

Thank you very much Patrik.

Just an info: I didn't need to restart the server after installing the fix, just did an  iisreset

Regards,

Jean

We met same problem for ARR 3.0 on windows server 2012 R2.

Will there be a similar fix?

Hi!

Did you find any solution for ARR3 on WS2012R2?

Got the same issue.

Regards, Alexey

Would like to see a patch for ARR3.0 on Windows Server 2012.

Thomas