NGINX as a reverse proxy for Exchange 2010/2013/2016

I used Ubuntu 16.04.02 LTS as the Linux distribution.
Let's Encrypt was the certificate provider.

The external domain is: mail.external.eval
The internal Exchange server is: exchange.mhdom.eval

Installing NGINX and the required components

nginx-extras is needed because it ships the headers-more module; the more_set_headers and more_set_input_headers directives in the configuration below do not exist in the plain nginx package.

# apt install nginx nginx-extras

Installing the Let's Encrypt components, issuing the certificate and binding it

# add-apt-repository ppa:certbot/certbot
# apt-get update
# apt-get install certbot

Issuing the certificate

# service nginx stop
# certbot certonly --standalone -d mail.external.eval
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mail.external.eval
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/mail.external.eval/fullchain.pem. Your cert
   will expire on ####-##-##. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Note on renewal: the tls-sni-01 challenge shown above has since been retired by Let's Encrypt (as has the acme-v01 endpoint), and current certbot versions use the http-01 challenge on port 80 for --standalone. That is why nginx has to be stopped while certbot runs, and it is also why a plain "certbot renew" from cron fails while the proxy is listening on port 80: give it a --pre-hook that stops nginx and a --post-hook that starts it again, or switch to the webroot or nginx plugin so the proxy can stay up. nginx reads the certificate only at start-up, so it has to be reloaded after every renewal or it keeps serving the old one until it expires.

Editing the NGINX configuration

# vi /etc/nginx/conf.d/exchange.conf
# Plain HTTP: send everything to HTTPS.
server {
    listen 80;
    server_name mail.external.eval;
    return 301 https://$host$request_uri;
}

server {
    tcp_nodelay on;
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/mail.external.eval/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.external.eval/privkey.pem;

    ssl_session_timeout 5m;
    server_name mail.external.eval;

    # Anyone who opens the bare host name lands in OWA.
    location / {
            return 301 https://mail.external.eval/owa;
    }

    # Outlook Anywhere and ActiveSync keep connections open for a long time.
    proxy_http_version      1.1;
    proxy_read_timeout      360;
    proxy_pass_header       Date;
    proxy_pass_header       Server;
    # Authorization is forwarded by default; this and the
    # more_set_input_headers line below only make that explicit.
    proxy_pass_header       Authorization;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;
    more_set_input_headers 'Authorization: $http_authorization';
    # Ask Exchange for uncompressed responses.
    proxy_set_header Accept-Encoding "";
    # Rewrite every 401 challenge to Basic: open-source nginx cannot keep the
    # per-connection state that NTLM needs, so clients are steered to Basic
    # auth, which must then be enabled on the IIS virtual directories (see the
    # update at the end). Basic sends the password with every request, so this
    # only makes sense behind TLS.
    more_set_headers -s 401 'WWW-Authenticate: Basic realm="exchange.mhdom.eval"';
    proxy_buffering off;
    proxy_set_header Connection "Keep-Alive";

    # All Exchange virtual directories go to the same internal server. nginx
    # does not verify the back-end certificate unless proxy_ssl_verify is set.
    location ~* ^/owa { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://exchange.mhdom.eval; }
    # /ecp is the Exchange admin centre; consider restricting it to internal
    # addresses instead of publishing it to the Internet.
    location ~* ^/ecp { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/rpc { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/mapi { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/ews { proxy_pass https://exchange.mhdom.eval; }
    location ~* ^/autodiscover { proxy_pass https://exchange.mhdom.eval; }

    error_log /var/log/nginx/owa-ssl-error.log;
    access_log /var/log/nginx/owa-ssl-access.log;
}
# vi /etc/nginx/nginx.conf
    ...
    http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        # The default is 1m; larger attachments and Outlook Anywhere/RPC
        # uploads would otherwise be rejected with 413 Request Entity Too Large.
        client_max_body_size 2000M;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
    ....

Check the configuration first (nginx -t), which reports the offending line if a path or a bracket is wrong, then start NGINX (service nginx start) or, better still, reboot the whole server (reboot).
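Before starting nginx it also pays to lint the site file for the slips that are easy to make in a configuration like the one above. The following script is an added example written for this article, not part of the original post. It takes the path of the site file as its only argument (the file name exchange-proxy-lint.sh is assumed) and reports a deprecated "ssl on;", proxy_pass lines that point at more than one back end, Exchange virtual directories without a location block, a missing ssl_protocols directive, and an /ecp location that is published without any allow/deny list.

```shell
#!/bin/sh
# Added example for this article, not part of the original post.
# Lints an nginx site file for an Exchange reverse proxy.
# Assumed file name: exchange-proxy-lint.sh
# Usage: sh exchange-proxy-lint.sh /etc/nginx/conf.d/exchange.conf

# Exchange virtual directories the proxy is expected to publish.
REQUIRED_PATHS="owa ecp ews mapi rpc autodiscover Microsoft-Server-ActiveSync"

# Prints one finding per line. Returns 0 when the file is clean, 1 otherwise.
lint_exchange_proxy() {
    cfg="$1"
    findings=0

    # 1. "ssl on;" is deprecated; "listen 443 ssl;" is the supported form.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$cfg"; then
        echo "deprecated 'ssl on;' found: use 'listen 443 ssl;' instead"
        findings=$((findings + 1))
    fi

    # 2. Every proxy_pass should name the same internal Exchange host; a
    #    second host name is usually a copy-and-paste leftover.
    backends=$(sed -n 's/.*proxy_pass[[:space:]]*https\{0,1\}:\/\/\([^/;[:space:]]*\).*/\1/p' "$cfg" | sort -u)
    n=$(printf '%s\n' "$backends" | grep -c . || true)
    if [ "$n" -gt 1 ]; then
        echo "proxy_pass points at $n different backends: $(printf '%s' "$backends" | tr '\n' ' ')"
        findings=$((findings + 1))
    fi

    # 3. Each virtual directory needs its own location block (regex or prefix).
    for p in $REQUIRED_PATHS; do
        if ! grep -Eiq "location[[:space:]]+(~\*?[[:space:]]+)?\^?/$p" "$cfg"; then
            echo "no location block for /$p"
            findings=$((findings + 1))
        fi
    done

    # 4. Without ssl_protocols, the nginx shipped with Ubuntu 16.04 still
    #    offers TLS 1.0 and 1.1 to clients.
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$cfg"; then
        echo "no ssl_protocols directive: add 'ssl_protocols TLSv1.2;'"
        findings=$((findings + 1))
    fi

    # 5. /ecp is the Exchange admin centre. Publishing it without any
    #    allow/deny list puts the admin UI on the Internet (coarse check:
    #    any allow/deny directive anywhere in the file counts).
    if grep -Eiq 'location[[:space:]]+(~\*?[[:space:]]+)?\^?/ecp' "$cfg" \
       && ! grep -Eq '(^|[[:space:]{;])(allow|deny)[[:space:]]+' "$cfg"; then
        echo "/ecp is published without any allow/deny restriction"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

if [ "$#" -ge 1 ]; then
    lint_exchange_proxy "$1"
fi
```

Run it against the site file before nginx -t: nginx only tells you whether the file parses, while this tells you whether the proxy will actually publish all Exchange directories to the right server. The checks are deliberately plain grep and sed so the script runs on a bare Ubuntu box.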

Update 24.07.2018
If logging in from outside does not work, Basic authentication has to be enabled in IIS on the Exchange server for the "EWS" and "MAPI" virtual directories (the proxy rewrites every 401 into a Basic challenge, so the back end has to accept Basic; since Basic carries the password in every request, make sure these directories are only reachable through the TLS proxy):
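Once Basic authentication is accepted on those virtual directories, every request that reaches the proxy carries a password that can be guessed from anywhere on the Internet, so the proxy's access log becomes the place to watch. The script below is an added example written for this article, not part of the original post. It reads the access log defined in the configuration above (nginx's default combined format) and lists clients that have had many credential-carrying requests rejected with 401, together with how many different user names they tried; many user names from one address is the signature of password spraying. The script name, the threshold and the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example for this article, not part of the original post.
# Finds clients that repeatedly fail Basic auth through the proxy, using the
# access log configured above (/var/log/nginx/owa-ssl-access.log, nginx
# "combined" format). Assumed file name: owa-spray-check.sh
# Usage: sh owa-spray-check.sh /var/log/nginx/owa-ssl-access.log [THRESHOLD]

# Paths that end up behind the rewritten Basic challenge.
AUTH_PATHS='^/(owa|ecp|ews|mapi|rpc|autodiscover|Microsoft-Server-ActiveSync)'

# Prints "failures ip distinct_users" for every client with at least
# THRESHOLD (default 20) rejected logins, busiest client first.
spray_suspects() {
    logfile="$1"
    threshold="${2:-20}"
    awk -v paths="$AUTH_PATHS" -v min="$threshold" '
        # combined format: ip - user [time] "METHOD path HTTP/x" status bytes ...
        # $3 is $remote_user, which nginx takes from the Basic Authorization
        # header: "-" is the first, unauthenticated request (a normal
        # challenge); a user name means credentials were sent and rejected.
        $9 == 401 && $3 != "-" && $7 ~ paths {
            fails[$1]++
            if (!seen[$1, $3]++) users[$1]++
        }
        END {
            for (ip in fails)
                if (fails[ip] >= min)
                    printf "%d %s %d\n", fails[ip], ip, users[ip]
        }' "$logfile" | sort -rn
}

# Constructed sample log (not real traffic): one client cycling through
# four accounts, one legitimate user with a single typo.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
203.0.113.5 - - [24/Jul/2018:10:00:00 +0200] "GET /ews/exchange.asmx HTTP/1.1" 401 0 "-" "Microsoft Office/16.0"
203.0.113.5 - alice [24/Jul/2018:10:00:01 +0200] "GET /ews/exchange.asmx HTTP/1.1" 401 0 "-" "Microsoft Office/16.0"
203.0.113.5 - bob [24/Jul/2018:10:00:02 +0200] "GET /ews/exchange.asmx HTTP/1.1" 401 0 "-" "Microsoft Office/16.0"
203.0.113.5 - carol [24/Jul/2018:10:00:03 +0200] "POST /Microsoft-Server-ActiveSync?Cmd=Ping HTTP/1.1" 401 0 "-" "Apple-iPhone"
203.0.113.5 - dave [24/Jul/2018:10:00:04 +0200] "GET /owa/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
198.51.100.7 - alice [24/Jul/2018:10:00:05 +0200] "GET /ews/exchange.asmx HTTP/1.1" 401 0 "-" "Microsoft Office/16.0"
198.51.100.7 - alice [24/Jul/2018:10:00:06 +0200] "GET /owa/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
EOF
    spray_suspects "$tmp" 3
    rm -f "$tmp"
}

if [ "$#" -ge 1 ]; then
    spray_suspects "$@"
else
    demo
fi
```

On the sample data the one line printed is "4 203.0.113.5 4": four rejected logins, four different accounts, from one address, while the legitimate user's single failure stays below the threshold. Addresses that show up here are candidates for a deny rule in the server block or a fail2ban jail on the same log; the unauthenticated first 401 is deliberately ignored because every NTLM-to-Basic handshake produces one.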