Is it possible to put Exchange behind the Cloudflare Tunnel + Access

I’ve configured Zero Trust following the documentation and set up a Tunnel to our network. I’ve configured a self-hosted application for MS Exchange (on-prem). We were hoping to restrict access to it. However, now we are just unable to connect via a mail client, but we ARE able to access it via OWA and ECP through the Access + Tunnel config. Any help is greatly appreciated!


I have the same question. I set up Exchange 2019 behind a Zero Trust tunnel. OWA and ECP work, but Microsoft Remote Connectivity Analyzer gives me an error when I try to test ActiveSync (which also uses standard HTTPS/TLS):

An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
HTTP Response Headers:
Connection: keep-alive
Request-Id: 45928eb1-18ca-4f94-a2eb-ba4a6e81b0fa
X-Feserver: MAIL
X-Owa-Version: 15.2.1118.7
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HHUUbbR0zLU0cRTUuAnDlKbM2HIOH7FpLlR4PNGN8tjWYlzIay5kpR67Kqz7KVeQ%2BoO1%2By3AWgJ%2B1vAsRqG7Y0poF3UdnIVEYjZIX5q4IxU6eZEFlQldx7kC3ol4JQ1fLqE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
CF-RAY: 790372151a81aa91-DFW
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Content-Length: 0
Date: Fri, 27 Jan 2023 18:10:31 GMT
Server: cloudflare
WWW-Authenticate: Basic realm="***********"
X-Powered-By: ASP.NET

Is this request not possible?

I haven’t tested this completely myself yet, but it is probably possible if you enable MAPI over HTTP: https://learn.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http

Because Outlook would normally use some ports for MAPI that Cloudflare would block/filter, if you enable MAPI over HTTP it should switch to using ports that would flow through Cloudflare. Obviously this isn’t a supported configuration from either Microsoft or Cloudflare, but in theory, if Outlook can get the autodiscover record, resolve the hosts correctly, and access Exchange through supported ports, it should work.
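An added example to go with the reply above (it is not code from this thread, from Microsoft or from Cloudflare). Steps 1 and 2 are the Exchange Management Shell commands that turn on MAPI over HTTP and point Autodiscover and the client virtual directories at the hostname published through the Tunnel; step 3 is a probe you run from outside the network to see, per path, whether a request reaches Exchange or is stopped by Cloudflare Access. The server name MAIL is taken from the X-Feserver header in the post above; the hostname mail.example.com is assumed, and the example does not change any Access policy (those live in the Zero Trust dashboard).

```powershell
# Added example, not from the thread. Steps 1-2: run in the Exchange Management Shell on
# the mailbox server. Step 3: run from any machine outside the network (Windows PowerShell
# 5.1 or PowerShell 7). Assumed names: server MAIL, published hostname mail.example.com.
$Server   = 'MAIL'
$External = 'mail.example.com'
$U        = "https://$External"

# 1. MAPI over HTTP makes Outlook talk plain HTTPS on 443, the only thing the Tunnel
#    forwards. Without it Outlook uses RPC over HTTP (Outlook Anywhere) instead.
Set-OrganizationConfig -MapiHttpEnabled $true

# 2. Clients learn every other URL from Autodiscover. If these still carry an internal
#    name, Outlook and ActiveSync never send a request to Cloudflare at all.
Set-MapiVirtualDirectory        -Identity "$Server\mapi (Default Web Site)" -InternalUrl "$U/mapi" -ExternalUrl "$U/mapi"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "$U/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -ExternalUrl "$U/EWS/Exchange.asmx" -Force
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -ExternalUrl "$U/OAB"
Set-ClientAccessService         -Identity $Server -AutoDiscoverServiceInternalUri "$U/Autodiscover/Autodiscover.xml"
Get-MapiVirtualDirectory -Server $Server | Format-List Identity, ExternalUrl, IISAuthenticationMethods

# 3. Exchange serves healthcheck.htm on each protocol directory with 200 and no auth, so
#    what comes back through Cloudflare is either Exchange (200, or a 401/403 that still
#    carries Exchange's X-FEServer header, as in the 401 quoted in this thread) or a
#    Cloudflare Access redirect to the team login page, which no mail client can complete.
function Test-PublishedExchangePath {
    param([string]$HostName, [string[]]$Paths)
    foreach ($p in $Paths) {
        $req = [System.Net.HttpWebRequest]::Create("https://$HostName$p")
        $req.AllowAutoRedirect = $false       # keep the 302 so Location can be inspected
        $resp = $null
        try { $resp = $req.GetResponse() }
        catch {
            # 4xx/5xx throw, but the response (with headers) is still attached to the
            # WebException; PowerShell may wrap it in a MethodInvocationException.
            $e = $_.Exception
            if ($e -isnot [System.Net.WebException] -and $e.InnerException) { $e = $e.InnerException }
            $resp = $e.Response
        }
        if (-not $resp) {
            [pscustomobject]@{ Path = $p; Status = 'none'; Verdict = 'DNS/TLS/tunnel failure'; Auth = '' }
            continue
        }
        $status   = [int]$resp.StatusCode
        $location = $resp.Headers['Location']
        $feServer = $resp.Headers['X-FEServer']
        $auth     = $resp.Headers['WWW-Authenticate']
        $resp.Close()
        $verdict = if ($location -match 'cloudflareaccess\.com') { 'intercepted by Cloudflare Access (browser login required)' }
                   elseif ($status -eq 200 -or $feServer)        { "reached Exchange (X-FEServer: $feServer)" }
                   else                                          { 'unexpected: check tunnel ingress / origin' }
        [pscustomobject]@{ Path = $p; Status = $status; Verdict = $verdict; Auth = $auth }
    }
}

# Probe the paths a mail client needs plus OWA for comparison.
$Paths = '/mapi/healthcheck.htm',
         '/Microsoft-Server-ActiveSync/healthcheck.htm',
         '/Autodiscover/healthcheck.htm',
         '/EWS/healthcheck.htm',
         '/owa/healthcheck.htm'
Test-PublishedExchangePath -HostName $External -Paths $Paths | Format-Table -AutoSize
```

Paths that report "intercepted by Cloudflare Access" are the ones ActiveSync, Autodiscover and MAPI over HTTP clients can never get past: those clients authenticate straight to Exchange with Basic/NTLM/Negotiate and have no way to complete the Access identity-provider login. The usual way out is an Access policy with the Bypass decision (or a service-token policy) for exactly those paths, keeping the identity-based policy on /owa and /ecp. The caveat is that a bypassed path is exposed to the internet exactly as it was before the Tunnel, so the Access gain is limited to the browser endpoints.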