Hi,
I have haproxy 1.7.8 on Ubuntu 16.04 up and running.
Outlook Web Access and the Administration Panel are working fine, but I can't get Outlook to work; it repeatedly asks for credentials (it works if I try it directly without the load balancer).
Microsoft's Connectivity Analyzer reports:
Testing HTTP Authentication Methods for URL https://xxx/rpc/rpcproxy.dll?xxx:6002.
The HTTP authentication methods are correct.
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
HTTP Response Headers:
request-id: b57cf3ce-4d29-4a15-9246-7527db63bea1
Server: Microsoft-IIS/8.5
WWW-Authenticate: Negotiate,NTLM,Basic realm="xxx"
Date: Thu, 03 Aug 2017 07:57:54 GMT
Content-Length: 0
Elapsed Time: 1502 ms.
Attempting to ping RPC proxy xxx.
RPC Proxy can't be pinged.
Additional Details
An unexpected network-level exception was encountered.
This is the log output of haproxy:
Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14546 [03/Aug/2017:09:50:50.774] ft_exch~ oa/exch02 377/0/9/4/390 401 269 - - ---- 1/1/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-SHA384/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll HTTP/1.1
Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.519] ft_exch~ oa/exch02 176/0/7/5/188 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll?xxx:6002 HTTP/1.1
Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.708] ft_exch~ oa/exch02 175/0/0/4/180 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.239] ft_exch~ oa/exch02 182/0/7/4/193 401 582 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.433] ft_exch~ oa/exch02 177/0/0/169/346 404 282 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
The firewall is deactivated.
And this is my configuration:
global
log 127.0.0.1 local0 debug
log /var/lib/haproxy/dev/log local0 debug
log /var/lib/haproxy/dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
ssl-server-verify none
# Default SSL material locations
#ca-base /etc/ssl/certs
#crt-base /etc/ssl/private
crt-base /etc/ssl/ca/certs
ca-base /etc/ssl/ca/intermediate/certs
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
option http-keep-alive
option prefer-last-server
option forwardfor
option http-server-close
no option httpclose
no option forceclose
no option http-tunnel
balance leastconn
default-server inter 3s rise 2 fall 3
timeout client 600s
timeout http-request 10s
timeout connect 4s
timeout server 60s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend ft_exch
bind 0.0.0.0:443 name https ssl crt /etc/ssl/z/bundle.pem no-sslv3
capture request header Host len 32
capture request header User-Agent len 64
capture response header Content-Length len 10
log /var/lib/haproxy/dev/log local4 debug
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ HTTP/1.1"
option http-keep-alive
option socket-stats
stats uri /haproxy?stats
stats realm Strictly\ Private
stats auth admin:xxx
maxconn 1000
acl ssl_connection ssl_fc
acl host_mail hdr(Host) -i xxx
acl path_slash path /
acl path_autodiscover path_beg -i /Autodiscover/Autodiscover.xml
acl path_activesync path_beg -i /Microsoft-Server-ActiveSync
acl path_ews path_beg -i /ews/
acl path_owa path_beg -i /owa/
acl path_oa path_beg -i /rpc/rpcproxy.dll
acl path_ecp path_beg -i /ecp/
acl path_oab path_beg -i /oab/
acl path_mapi path_beg -i /mapi/
acl path_check path_end -i HealthCheck.htm
http-request deny if path_check
http-request redirect scheme https code 302 unless ssl_connection
http-request redirect location /owa/ code 302 if path_slash host_mail
use_backend autodiscover if path_autodiscover
use_backend activesync if path_activesync
use_backend ews if path_ews
use_backend owa if path_owa
use_backend oa if path_oa
use_backend ecp if path_ecp
use_backend oab if path_oab
use_backend mapi if path_mapi
default_backend default
backend activesync
option httpchk GET /Microsoft-Server-ActiveSync/HealthCheck.htm
http-check expect string 200\ OK
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend autodiscover
option httpchk GET /Autodiscover/HealthCheck.htm
http-check expect string 200\ OK
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend ecp
option httpchk GET /ECP/HealthCheck.htm
http-check expect string 200\ OK
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend ews
option httpchk GET /EWS/HealthCheck.htm
http-check expect string 200\ OK
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend mapi
balance source
option httpchk GET /mapi/HealthCheck.htm
http-check expect string 200\ OK
option http-keep-alive
option prefer-last-server
timeout server 600s
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend oab
option httpchk GET /OAB/HealthCheck.htm
http-check expect string 200\ OK
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend oa
balance source
option httpchk GET /RPC/HealthCheck.htm
http-check expect string 200\ OK
option http-keep-alive
option prefer-last-server
timeout server 600s
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend owa
option httpchk GET /owa/HealthCheck.htm
http-check expect string 200\ OK
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
backend default
timeout server 60s
server exch01 xxx:443 ssl verify none maxconn 1000 weight 10 check
server exch02 xxx:443 ssl verify none maxconn 1000 weight 10 check
I hope someone can help. I've been googling and experimenting for weeks now, but it seems like everybody is using Exchange 2013, and the people who say they have a working configuration won't post it.
Thanks in advance
Regards
Philipp
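As an added diagnostic (not code from the post), this parser reads the custom log-format above, groups requests by client ip:port, i.e. by client-side TCP connection, and reports connections on which every request was answered 401 (the NTLM/Negotiate handshake never completed), connections whose requests were sent to more than one backend server, and remaining non-401 errors such as the 404 on the RPC ping. It assumes the lines follow the posted log-format exactly and treats the quotes around the request line as optional, because the pasted lines lack them.

```python
import re
from collections import defaultdict

# Regex for the custom log-format in the post (quotes around the request line
# are optional because the pasted lines lack them).
LOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<cip>[\d.]+):(?P<cport>\d+) \[(?P<accept>[^\]]+)\] "
    r"(?P<fe>\S+) (?P<be>\S+)/(?P<srv>\S+) (?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<status>-?\d+) (?P<bytes>\d+) \S+ \S+ (?P<tsc>\S{4}) \S+ \S+ "
    r"\{(?P<reqhdr>[^}]*)\} \{(?P<resphdr>[^}]*)\} \{(?P<tls>[^}]*)\} "
    r'"?(?P<method>\S+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)"?$'
)

# The five log lines from the post above, used as sample input.
SAMPLE_LOG = """\
Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14546 [03/Aug/2017:09:50:50.774] ft_exch~ oa/exch02 377/0/9/4/390 401 269 - - ---- 1/1/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1.2/ECDHE-RSA-AES256-SHA384/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll HTTP/1.1
Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.519] ft_exch~ oa/exch02 176/0/7/5/188 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/rpc/rpcproxy.dll?xxx:6002 HTTP/1.1
Aug 3 09:50:51 localhost haproxy[1880]: 13.67.59.89:14547 [03/Aug/2017:09:50:51.708] ft_exch~ oa/exch02 175/0/0/4/180 401 269 - - ---- 2/2/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.239] ft_exch~ oa/exch02 182/0/7/4/193 401 582 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
Aug 3 09:50:52 localhost haproxy[1880]: 13.67.59.89:14549 [03/Aug/2017:09:50:52.433] ft_exch~ oa/exch02 177/0/0/169/346 404 282 - - ---- 3/3/0/1/0 0/0 {xxx|MSRPC} {0} {TLSv1/ECDHE-RSA-AES256-SHA/xxx/-} RPC_IN_DATA xxx/Rpc/RpcProxy.dll?xxx:6001 HTTP/1.1
"""

def parse_line(line):
    """Return one request as a dict, or None if the line is not in this format."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("cport", "tq", "tw", "tc", "tr", "tt", "status", "bytes"):
        rec[k] = int(rec[k])
    rec["host"], _, rec["user_agent"] = rec["reqhdr"].partition("|")  # Host|User-Agent
    return rec

def analyze(text):
    """Group requests by client ip:port, i.e. by client-side TCP connection."""
    conns = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            conns[(rec["cip"], rec["cport"])].append(rec)
    return {
        # 2+ requests on one connection that all got 401: the handshake never completed
        "auth_loops": sorted(p for (_, p), rs in conns.items()
                             if len(rs) >= 2 and all(r["status"] == 401 for r in rs)),
        "server_switches": sorted(p for (_, p), rs in conns.items()
                                  if len({r["srv"] for r in rs}) > 1),
        "other_errors": [(r["cport"], r["status"], r["uri"]) for rs in conns.values()
                         for r in rs if r["status"] >= 400 and r["status"] != 401],
    }
```

On the five lines from the post it flags client port 14547 as an authentication loop (two requests, both 401, on one connection) and the 404 on port 14549, while every request stayed on exch02.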