Is it possible to put Exchange behind the Cloudflare Tunnel + Access

I’ve configured Zero Trust following the documentation and set up a Tunnel to our network. I’ve configured a self-hosted application for MS Exchange (on-prem). We were hoping to restrict access to it. However, now we are just unable to connect via a mail client, but we ARE able to access it via OWA and ECP through the Access + Tunnel config. Any help is greatly appreciated!


I have the same question. I set up Exchange 2019 behind a Zero Trust tunnel. OWA and ECP work, but Microsoft Remote Connectivity Analyzer gives me an error when I try to test ActiveSync (which also uses standard HTTPS/TLS):

An HTTP 401 Unauthorized response was received from the server. This may be the result of invalid credentials or a configuration problem on the Exchange Server.
HTTP Response Headers:
Connection: keep-alive
Request-Id: 45928eb1-18ca-4f94-a2eb-ba4a6e81b0fa
X-Feserver: MAIL
X-Owa-Version: 15.2.1118.7
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HHUUbbR0zLU0cRTUuAnDlKbM2HIOH7FpLlR4PNGN8tjWYlzIay5kpR67Kqz7KVeQ%2BoO1%2By3AWgJ%2B1vAsRqG7Y0poF3UdnIVEYjZIX5q4IxU6eZEFlQldx7kC3ol4JQ1fLqE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
CF-RAY: 790372151a81aa91-DFW
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Content-Length: 0
Date: Fri, 27 Jan 2023 18:10:31 GMT
Server: cloudflare
WWW-Authenticate: Basic realm="***********"
X-Powered-By: ASP.NET

Is this request not possible?
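A small triage script, added here and not written by anyone in this thread, that reads a pasted header block like the one above and reports whether the request stopped at the Access login redirect, at the Cloudflare edge, or reached Exchange itself (the quoted 401 carries X-Feserver and an Exchange Basic challenge, so it did reach the origin). The team name and hostname in the redirect sample are made up.

```python
from dataclasses import dataclass

# Headers only the Exchange front end / IIS emits: if any survive, the request passed Access.
ORIGIN_MARKERS = ("x-feserver", "x-owa-version", "x-powered-by")

@dataclass
class Verdict:
    stage: str    # "access", "origin", "edge" or "unknown"
    reason: str

def parse_headers(raw: str) -> dict:
    """Turn a pasted 'Name: value' block into {lower-case name: value}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(status: int, headers: dict) -> Verdict:
    """Decide where a mail-client request stopped: Access, edge, or Exchange."""
    location = headers.get("location", "")
    if status in (301, 302, 303, 307) and "cloudflareaccess.com" in location:
        return Verdict("access", "redirected to the Access login page; a mail "
                       "client cannot complete that browser flow")
    reached_origin = any(h in headers for h in ORIGIN_MARKERS)
    if status == 401 and reached_origin:
        scheme = headers.get("www-authenticate", "").split(" ")[0] or "none"
        return Verdict("origin", f"Exchange itself answered 401 ({scheme} challenge); "
                       "Tunnel and Access passed the request, so check Exchange "
                       "authentication settings for that virtual directory")
    if headers.get("server", "").lower() == "cloudflare" and not reached_origin:
        return Verdict("edge", f"HTTP {status} produced at the Cloudflare edge "
                       "with no origin headers present")
    return Verdict("unknown", f"HTTP {status}; inspect manually")

# Constructed sample, cut down from the ActiveSync response quoted above.
ACTIVESYNC_401 = """\
X-Feserver: MAIL
Server: cloudflare
WWW-Authenticate: Basic realm="***********"
X-Powered-By: ASP.NET
"""

# Constructed sample of an Access challenge (hypothetical team name and host).
ACCESS_REDIRECT = """\
Location: https://example-team.cloudflareaccess.com/cdn-cgi/access/login/mail.example.com
Server: cloudflare
"""
```

Paste the status code and header block from the Connectivity Analyzer into `classify(status, parse_headers(block))` to get the verdict for your own response.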

I haven’t tested this completely myself yet, but it is probably possible if you enable MAPI over HTTP: https://learn.microsoft.com/en-us/exchange/clients/mapi-over-http/mapi-over-http

Because Outlook would normally use some ports for MAPI that Cloudflare would block/filter, if you enable MAPI over HTTP it should switch to using ports that would flow through Cloudflare. Obviously this isn’t a supported configuration from either Microsoft or Cloudflare, but in theory, if Outlook can get the autodiscover record, resolve the hosts correctly, and access Exchange through supported ports, it should work.

Unfortunately it doesn’t work smoothly and at times not at all. I’m assuming there are tunnel settings that may need to be manipulated, but unfortunately, MAPI over HTTP doesn’t seem to work properly through Cloudflare Tunnels.