Modern Attachments behind a web proxy

With Exchange 2016, a huge improvement in document collaboration with OneDrive for Business was introduced for environments that have a Hybrid configuration.

You can read more about it here:

When I introduced Exchange 2016, I was more than happy to configure and make this feature available to my end-users. But after I ran through the prerequisites and steps, I wasn’t able to get the option in OWA, and with Outlook I received the following error:

ModernAttProxy01

The same happened when I was using Outlook for Mac. As different clients, protocols and servers were affected, I assumed a general issue and started troubleshooting.

Symptoms

After you have run through all the prerequisites and properly configured Exchange, users using OWA won’t see the option. Outlook for Windows/Mac also reports an error that the recipients couldn’t be given access.

Troubleshooting

First I concentrated on OWA, as this was the protocol with the least impact for end-users. The inspection of the application logs revealed an entry that pointed me in the right direction:

Log Name: Application
Source: MSExchange OWA
Date: 1/9/2017 2:34:48 PM
Event ID: 164
Task Category: Configuration
Level: Error
Keywords: Classic
User: N/A
Computer: FABEX02.fabrikam.local
Description:
There was a failure in finding the SharePoint endpoint. The document library and endpoint location couldn't be retrieved using "https://fab-my.sharepoint.com". System.Net.WebException: Unable to connect to the remote server

The key was the System.Net.WebException:

System.Net.WebException: Unable to connect to the remote server

At that point I have to mention that our servers have no direct access to the internet. A web proxy needs to be used. Therefore I double-checked the InternetWebProxy property set on all of our Exchange servers. But it was correct and working, as F/B lookups with the configured Exchange organization relationships were working properly.

Also configuring proxy settings for WinHTTP didn’t solve my problem.

Resolution

To address this issue, you need to keep in mind that Exchange was completely rewritten and it’s a .NET application. This means you need to configure a proxy differently, as described here:

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/proxy-configuration

This means I needed to modify the web.config file for each protocol I wanted to use (OWA, EWS, MAPI over HTTP). Here is an example:

Original file

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.diagnostics>
    <sources>
      <source name="System.Runtime.Serialization" switchValue="Warning, Error, Critical">
        <listeners>
          <add name="System.Runtime.Serialization" type="System.Diagnostics.EventLogTraceListener" initializeData="System.Runtime.Serialization" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
  <location inheritInChildApplications="false">
    <system.net>
      <defaultProxy>
        <proxy usesystemdefault="true" bypassonlocal="true" />
        <bypasslist>
          <add address=".*" />
        </bypasslist>
      </defaultProxy>
    </system.net>
    <system.webServer>
      <!-- allows the server to data stream immediately from client-->
    </system.webServer>
  </location>
</configuration>

Edited file

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.diagnostics>
    <sources>
      <source name="System.Runtime.Serialization" switchValue="Warning, Error, Critical">
        <listeners>
          <add name="System.Runtime.Serialization" type="System.Diagnostics.EventLogTraceListener" initializeData="System.Runtime.Serialization" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>
  <location inheritInChildApplications="false">
    <system.net>
      <defaultProxy>
        <proxy usesystemdefault="false" bypassonlocal="true" proxyaddress="http://proxy.fabrikam.local:8080/" />
        <bypasslist>
          <add address=".*\.fabrikam\.local" />
        </bypasslist>
      </defaultProxy>
    </system.net>
    <system.webServer>
      <!-- allows the server to data stream immediately from client-->
    </system.webServer>
  </location>
</configuration>

I highlighted the lines above that are important and need to be modified.

You need to configure the following properties:

Property          Description
usesystemdefault  Gets or sets a Boolean value that controls whether the Internet Explorer Web proxy settings are used.
proxyaddress      Gets or sets the URI that identifies the Web proxy server to use.
address           Adds an IP address or DNS name to the proxy bypass list. Note: This value needs to be a regular expression!

Note: OWA and MAPI seem to have similar settings, but EWS doesn’t have the node block at all and it needs to be created!
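The following PowerShell function is an added example, not code from the original post or from Exchange. It audits the defaultProxy block of a web.config and tests sample destinations against the bypass list regular expressions, which shows that the original ".*" entry sends every request, including the one to https://fab-my.sharepoint.com, around the proxy. The function name Get-DefaultProxyAudit and the embedded XML samples are constructed for illustration, and the matching is assumed to mirror System.Net.WebProxy.

```powershell
# Added example: audit <defaultProxy> in a web.config and show which test URIs bypass the proxy.
function Get-DefaultProxyAudit {
    param(
        [Parameter(Mandatory)] [xml]      $Config,
        [Parameter(Mandatory)] [string[]] $TestUri
    )
    $node = $Config.SelectSingleNode('//system.net/defaultProxy')
    if ($null -eq $node) {
        # The EWS case: no proxy block in the file at all
        return [pscustomobject]@{ Status = 'MissingDefaultProxy'; ProxyAddress = $null; Routes = @() }
    }
    $proxy    = $node.SelectSingleNode('proxy')
    $patterns = @($node.SelectNodes('bypasslist/add') | ForEach-Object { $_.GetAttribute('address') })
    $routes = foreach ($u in $TestUri) {
        $uri = [uri]$u
        # Assumption: like System.Net.WebProxy, match each regex (ignoring case) against
        # scheme://host[:port]; bypassonlocal (dotless host names) is not modelled.
        $key = '{0}://{1}' -f $uri.Scheme, $uri.Host
        if (-not $uri.IsDefaultPort) { $key += ':' + $uri.Port }
        $hit = $patterns | Where-Object { [regex]::IsMatch($key, $_, 'IgnoreCase') } | Select-Object -First 1
        [pscustomobject]@{ Uri = $u; Bypassed = [bool]$hit; MatchedPattern = $hit }
    }
    $explicit = $null -ne $proxy -and $proxy.GetAttribute('usesystemdefault') -eq 'false' -and $proxy.GetAttribute('proxyaddress')
    [pscustomobject]@{
        Status       = if ($explicit) { 'ExplicitProxy' } else { 'NoExplicitProxy' }
        ProxyAddress = if ($null -ne $proxy) { $proxy.GetAttribute('proxyaddress') } else { $null }
        Routes       = @($routes)
    }
}

# Constructed samples: the <system.net> parts of the original and edited files shown above.
$original = @'
<configuration><location inheritInChildApplications="false"><system.net><defaultProxy>
  <proxy usesystemdefault="true" bypassonlocal="true" />
  <bypasslist><add address=".*" /></bypasslist>
</defaultProxy></system.net></location></configuration>
'@
$edited = @'
<configuration><location inheritInChildApplications="false"><system.net><defaultProxy>
  <proxy usesystemdefault="false" bypassonlocal="true" proxyaddress="http://proxy.fabrikam.local:8080/" />
  <bypasslist><add address=".*\.fabrikam\.local" /></bypasslist>
</defaultProxy></system.net></location></configuration>
'@
$targets = 'https://fab-my.sharepoint.com', 'https://fabex02.fabrikam.local/owa'

foreach ($case in @{ Name = 'original'; Xml = $original }, @{ Name = 'edited'; Xml = $edited }) {
    $audit = Get-DefaultProxyAudit -Config $case.Xml -TestUri $targets
    '{0}: {1} {2}' -f $case.Name, $audit.Status, $audit.ProxyAddress
    $audit.Routes | Format-Table -AutoSize | Out-String
}
```

To audit a real server, pass the file content instead of the samples, for example -Config (Get-Content -Raw -Path <path to web.config>), and rerun it after each CU.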

These properties need to be set after each CU update, which can be challenging. As we are using Desired State Configuration in our environment, we are in a lucky position. If you’re also using DSC, you can use my DSC Resource xXMLConfigFile. The configuration we have is as follows:

XMLConfigFile ProxyOWA_proxyaddress
{
    ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config'
    Ensure     = 'Present'
    XPath      = '//system.net/defaultProxy/proxy'
    Name       = 'proxyaddress'
    Value      = 'http://proxy.fabrikam.local:8080'
    isAttribute= $true
    DoBackup   = $true
}

XMLConfigFile ProxyOWA_bypasslist
{
    ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config'
    Ensure     = 'Present'
    XPath      = '//system.net/defaultProxy/bypasslist/add'
    Name       = 'address'
    Value      = '.*\.fabrikam\.local'
    isAttribute= $true
    DoBackup   = $true
}

XMLConfigFile ProxyMAPIBE_proxyaddress
{
    ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\mapi\emsmdb\web.config'
    Ensure     = 'Present'
    XPath      = '//system.net/defaultProxy/proxy'
    Name       = 'proxyaddress'
    Value      = 'http://proxy.fabrikam.local:8080'
    isAttribute= $true
    DoBackup   = $true
}

XMLConfigFile ProxyMAPIBE_bypasslist
{
    ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\mapi\emsmdb\web.config'
    Ensure     = 'Present'
    XPath      = '//system.net/defaultProxy/bypasslist/add'
    Name       = 'address'
    Value      = '.*\.fabrikam\.local'
    isAttribute= $true
    DoBackup   = $true
}

XMLConfigFile ProxyEWS_System.Net
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '/*'
    Name               = 'system.net'
    Value              = $null
    isElementTextValue = $true
    DoBackup           = $true
}

XMLConfigFile ProxyEWS_defaultProxy
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net'
    Name               = 'defaultProxy'
    Value              = $null
    isElementTextValue = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_System.Net'
}

XMLConfigFile ProxyEWS_proxy
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net/defaultProxy'
    Name               = 'proxy'
    Value              = $null
    isElementTextValue = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_defaultProxy'
}

XMLConfigFile ProxyEWS_bypasslistElement
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net/defaultProxy'
    Name               = 'bypasslist'
    Value              = $null
    isElementTextValue = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_defaultProxy'
}

XMLConfigFile ProxyEWS_add
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net/defaultProxy/bypasslist'
    Name               = 'add'
    Value              = $null
    isElementTextValue = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_bypasslistElement'
}

XMLConfigFile ProxyEWS_bypassonlocal
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net/defaultProxy/proxy'
    Name               = 'bypassonlocal'
    Value              = 'true'
    isAttribute        = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_add'
}

XMLConfigFile ProxyEWS_bypasslist
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net/defaultProxy/bypasslist/add'
    Name               = 'address'
    Value              = '.*\.fabrikam\.local'
    isAttribute        = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_add'
}

XMLConfigFile ProxyEWS_proxyaddress
{
    ConfigPath         = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\web.config'
    Ensure             = 'Present'
    XPath              = '//system.net/defaultProxy/proxy'
    Name               = 'proxyaddress'
    Value              = 'http://proxy.fabrikam.local:8080'
    isAttribute        = $true
    DoBackup           = $true
    DependsOn          = '[XMLConfigFile]ProxyEWS_add'
}

Conclusion

As of now, we have only run into the issue with Modern Attachments. But we don’t know which new features in a Hybrid scenario will light up and might also suffer from this.

As you have seen there are several components involved and each one might need different treatment. Obviously this increases the complexity and makes it harder to troubleshoot and maintain.

In terms of supportability, we have a case open and Microsoft is currently working on a KB article.
