Probl\u00e8me fr\u00e9quent : Dans cet article, nous d\u00e9taillons :<\/p>\n\n\n\n Microsoft Exchange repose sur :<\/p>\n\n\n\n Lorsque le reverse proxy termine le SSL (mode L7 classique), il peut :<\/p>\n\n\n\n \ud83d\udc49 Typiquement, les utilisateurs voient Outlook redemander leurs identifiants en permanence.<\/p>\n\n\n\n Au lieu de terminer le SSL en frontal, nous utilisons :<\/p>\n\n\n\n Cela permet :<\/p>\n\n\n\n \u2714 Compatibilit\u00e9 totale NTLM SSL est termin\u00e9 par Exchange directement.<\/p>\n\n\n\n Nginx continue de g\u00e9rer :<\/p>\n\n\n\n Cette architecture est recommand\u00e9e si :<\/p>\n\n\n\n \u2714 S\u00e9paration claire des r\u00f4les Pour s\u00e9curiser davantage cette architecture :<\/p>\n\n\n\n H\u00e9berger Microsoft Exchange derri\u00e8re une seule IP publique est parfaitement possible, \u00e0 condition d\u2019utiliser la bonne approche.<\/p>\n\n\n\n La combinaison :<\/p>\n\n\n\n HAProxy en Layer 4 + Nginx en Layer 7<\/p>\n<\/blockquote>\n\n\n\n offre un \u00e9quilibre optimal entre compatibilit\u00e9, s\u00e9curit\u00e9 et flexibilit\u00e9.<\/p>\n\n\n\n Chez DYB, nous mettons en place ce type d\u2019architecture pour garantir :<\/p>\n\n\n\n Comment h\u00e9berger Microsoft Exchange derri\u00e8re une seule IP publique sans casser NTLM ou ActiveSync ? D\u00e9couvrez une architecture hybride avec HAProxy en Layer 4 et Nginx en Layer 7 pour garantir stabilit\u00e9, performance et compatibilit\u00e9 Outlook.<\/p>\n","protected":false},"author":1,"featured_media":100490,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,22,24],"tags":[21,50,23,28],"class_list":["post-100488","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-adminsys","category-cybersecurite","category-reseaux","tag-cybersecurite","tag-network","tag-pfsense","tag-windows"],"_links":{"self":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/comments?post=100488"}],"version-history":[{"count":2,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100488\/revisions"}],"predecessor-version":[{"id":100491,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/posts\/100488\/revisions\/100491"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media\/100490"}],"wp:attachment":[{"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/media?parent=100488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/categories?post=100488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dyb.eu\/blog\/wp-json\/wp\/v2\/tags?post=100488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Exchange utilise NTLM, ActiveSync, MAPI et des connexions persistantes<\/strong> qui ne supportent pas toujours correctement la terminaison SSL en Layer 7.<\/p>\n\n\n\n\n
\n\n\n\nPourquoi Exchange ne supporte pas toujours un reverse proxy L7 ?<\/h1>\n\n\n\n
\n
\n
\n\n\n\nSolution retenue : HAProxy en Layer 4 (TCP Passthrough)<\/h1>\n\n\n\n
\n
\u2714 Sessions ActiveSync stables
\u2714 Une seule IP publique
\u2714 Conservation de Nginx pour les autres applications<\/p>\n\n\n\n
\n\n\n\nSch\u00e9ma d\u2019architecture<\/h1>\n\n\n
![\"\"](\"https:\/\/dyb.eu\/blog\/wp-content\/uploads\/2026\/02\/haproxy-exchange.png\")
<\/figure>\n\n\n INTERNET\n |\n IP Publique\n |\n HAProxy (L4)\n TCP passthrough + SNI\n |\n ---------------------------------------\n | |\nMicrosoft Exchange Nginx Proxy Manager\n192.168.10.2 192.168.20.2\n<\/code><\/pre>\n\n\n\n
\n\n\n\nFlux d\u00e9taill\u00e9<\/h1>\n\n\n\n
Pour exchange.dyb.test<\/h3>\n\n\n\n
Client Outlook\n |\nTLS 443\n |\nHAProxy (lecture SNI)\n |\nTCP passthrough\n |\nExchange 192.168.10.2\n<\/code><\/pre>\n\n\n\n
\n\n\n\nPour les autres services web<\/h3>\n\n\n\n
Navigateur Web\n |\nTLS 443\n |\nHAProxy\n |\nNginx Proxy Manager\n |\nApplications internes\n<\/code><\/pre>\n\n\n\n\n
\n\n\n\nConfiguration HAProxy compl\u00e8te<\/h1>\n\n\n\n
global\n log \/dev\/log local0\n log \/dev\/log local1 notice\n chroot \/var\/lib\/haproxy\n stats socket \/run\/haproxy\/admin.sock mode 660 level admin\n user haproxy\n group haproxy\n daemon\n maxconn 50000\n\n ca-base \/etc\/ssl\/certs\n crt-base \/etc\/ssl\/private\n ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets\n\ndefaults\n log global\n mode tcp\n option tcplog\n option dontlognull\n timeout connect 10s\n timeout client 3600s\n timeout server 3600s\n timeout tunnel 3600s\n\nfrontend https_in\n bind *:443\n mode tcp\n\n tcp-request inspect-delay 5s\n tcp-request content accept if { req_ssl_hello_type 1 }\n\n use_backend exchange_back if { req_ssl_sni -i exchange.dyb.test }\n use_backend exchange_back if { req_ssl_sni -i autodiscover.dyb.test }\n\n default_backend npm_https_back\n\nfrontend http_in\n bind *:80\n mode tcp\n default_backend npm_http_back\n\nbackend exchange_back\n mode tcp\n\n stick-table type ip size 50k expire 30m\n stick on src\n\n server exchange01 192.168.10.2:443 check\n\nbackend npm_https_back\n mode tcp\n server npm01 192.168.20.2:443 check\n\nbackend npm_http_back\n mode tcp\n server npm01 192.168.20.2:80 check\n\nfrontend stats\n bind *:8404\n mode http\n stats enable\n stats uri \/stats\n stats refresh 10s\n stats auth admin:changeme\n<\/code><\/pre>\n\n\n\nComparatif Reverse Proxy Layer 4 vs Layer 7<\/h1>\n\n\n\n
Crit\u00e8re<\/th> Layer 4 (TCP)<\/th> Layer 7 (HTTP)<\/th><\/tr><\/thead> Niveau OSI<\/td> Transport<\/td> Application<\/td><\/tr> Terminaison SSL<\/td> Non obligatoire<\/td> Oui<\/td><\/tr> Lecture HTTP headers<\/td> Non<\/td> Oui<\/td><\/tr> Compatible NTLM<\/td> Oui<\/td> Parfois instable<\/td><\/tr> Compatible ActiveSync<\/td> Oui<\/td> Peut poser probl\u00e8me<\/td><\/tr> WAF possible<\/td> Non<\/td> Oui<\/td><\/tr> Performance<\/td> Tr\u00e8s \u00e9lev\u00e9e<\/td> \u00c9lev\u00e9e<\/td><\/tr> Id\u00e9al pour Exchange<\/td> \u2714<\/td> \u26a0\ufe0f<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\nQuand choisir cette architecture ?<\/h1>\n\n\n\n
\n
\n\n\n\nAvantages de l\u2019architecture hybride<\/h1>\n\n\n\n
\u2714 Haute compatibilit\u00e9 Exchange
\u2714 Scalabilit\u00e9
\u2714 Performance \u00e9lev\u00e9e
\u2714 Architecture maintenable<\/p>\n\n\n\n
\n\n\n\nS\u00e9curit\u00e9 : bonnes pratiques compl\u00e9mentaires<\/h1>\n\n\n\n
\n
\n\n\n\nConclusion<\/h1>\n\n\n\n
\n
\n