OWA 2003 Front-end proxy with Apache 2

Category: software
The HOWTO is now available.
HOWTO: OWA 2K/2K3 Front-end SSL Proxy with Apache 2.0 [http://3cx.org/item/46]

I finally got around to moving the OWA 2003 proxy at work to Apache 2 (from Apache 1.3). It was ridiculous how much easier it was to get working in Apache 2. I should have done this months ago.

Expect a HOWTO coming soon.

Also... I'm currently trying to get Exchange 2003 RPC over HTTP to work through Apache 2. It's ugly. I'm either missing something very obvious or this is going to be quite difficult. A friend suggested we set up an ISA server (as it has an RPC over HTTP proxy built in). I know... I should've strangled him (yeah... you Shawn! ;-) ).

Getting RPC over HTTP working through Apache may require a special plug-in. That could be fun (OR NOT!).


UPDATE: Oooohhhh! I found a nasty bug in my Apache 2 version of the OWA front-end proxy. Apparently, the Apache proxy doesn't handle URIs that contain percent signs (%) correctly. You see... Microsoft thought it would be a good idea to address each email by its subject line (as opposed to... oh... THE TRULY UNIQUE IDENTIFIER every Exchange message has). Because of this, we get all sorts of interesting characters in the URIs (spaces, percent signs and other things that have to be percent-encoded and should never be in a URI in the first place). I made a small kludge that seems to work well. I'll include that in the forthcoming HOWTO.
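The following is an added illustration, not the kludge from the post or anything from the HOWTO, of why a reverse proxy that percent-decodes the request path before forwarding it cannot carry OWA's subject-based URLs. The mailbox name and subject are constructed for the example; the "backend" is a model that rejects a path containing a malformed escape, which is what an origin server does with a bare % followed by non-hex characters.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample: OWA 2003 names a message by its subject, so a subject
# such as this one is percent-encoded into the item's URL path.
SUBJECT = "50% off, really?"
ITEM_PATH = "/exchange/alice/Inbox/" + quote(SUBJECT + ".EML", safe="")

_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def is_valid_percent_encoding(path):
    """True when every '%' in path begins a well-formed %XX escape."""
    i = path.find("%")
    while i != -1:
        if not _ESCAPE.match(path, i):
            return False
        i = path.find("%", i + 3)
    return True


def forward_decoding(path):
    """A proxy that 'canonicalises' by decoding the path and forwards the
    result as-is: any %, space, ? or / that was data now looks like syntax."""
    return unquote(path)


def forward_passthrough(path):
    """A proxy that forwards the request-target byte for byte."""
    return path


def backend_view(forwarded):
    """What the origin server resolves: None stands in for an HTTP 400 on a
    malformed escape, otherwise the decoded path it would look up."""
    if not is_valid_percent_encoding(forwarded):
        return None
    return unquote(forwarded)


def segment_count(path):
    """Number of path segments as a <Location> matcher would see them."""
    return len([s for s in path.split("/") if s])


if __name__ == "__main__":
    for fwd in (forward_passthrough, forward_decoding):
        sent = fwd(ITEM_PATH)
        print(f"{fwd.__name__:20} sends {sent!r} -> backend sees {backend_view(sent)!r}")
```

The same decode-before-forward behaviour also turns an encoded slash (%2F) into a segment separator, so a path that matched one `<Location>` at the proxy can resolve to a different directory on the backend. Whatever the proxy does with the URI, the allow-list it enforces has to be evaluated on the form the backend will see.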

UPDATE (Thu Jun 23 11:10:46 JST 2005): I've put this off for too long. I'll see if I can get this done today.

UPDATE (Thu Jun 23 22:16:11 JST 2005): The HOWTO is posted. You can find it at



posted Sat 23 Apr 00:51:15 UTC 2005 by mikeg

Comments

GW4E1 wrote:

Do you know when you'll have this HOWTO finished? I'm planning setting up an OWA front-end soon and would love to have your HOWTO available.

Thanks mate.

Thu 05 May 17:19:50 UTC 2005

mikeg wrote:

I thought I'd have completed it already, but time was not on my side. I've got a couple of programs to write and beer to drink, but I will try to finish it this weekend. If not, I hope to have it done before the end of next week. Again... there's the time thing so please, do not hold your breath waiting for this.

Setting up an OWA front-end proxy with Apache 2.0 is not that dissimilar from 1.3. There are some significant differences, but none you couldn't figure out. If you do give it a try and hit a snag, feel free to email me.

And google is your friend.

Thu 05 May 21:12:35 UTC 2005

Jesse wrote:

Any word on the Apache 2 HOWTO? I'm attempting this and know enough about Apache to host a site, but nothing about proxying/ssl through Apache... Any help for an Apache newb appreciated!

Thu 23 Jun 07:18:17 UTC 2005

mikeg wrote:

I keep getting a lot of requests for this. It's half complete and not yet presentable (procrastination is a wonderful thing). I'll get off my arse and get this done.

In the meantime, the "HOWTO: OWA 2K and 2K3 Front-end SSL Proxy with Apache 1.3" at http://3cx.org/item/38 should get you started. Feel free to email me if you need help.

Thu 23 Jun 11:09:43 UTC 2005

Simon wrote:

BTW, I have RPC-over-HTTP working reverse proxied by Apache2. Obviously, you have to configure the Exchange box as a single RPC back-end server and make changes to RPCProxy and hard code ports on your GC (using the helpful MS article - Q833401) and proxy the /rpc virtual directory in addition to the OWA dirs.

One issue I've found so far is that if you restart Apache, IIS on the Exchange box gets very confused and stops allowing RPC requests - Outlook just won't log into the server. To fix that, I've found that hitting OWA again jogs it into action for some reason.

Let me know if you'd like me to post my config.

Rgds,

Simon

Sun 03 Jul 08:54:26 UTC 2005

mikeg wrote:

@Simon

If you could post your config (or even more info), I would very much appreciate it. Thanks for the information!

I struggled with implementing this for a few days, but then got overloaded with other work. I've not yet gone back to it. Now that I know there is hope, I'll try attacking this again.

Thanks.

Mike

Sun 03 Jul 09:32:21 UTC 2005

Simon wrote:

OK, so I'm still having a few funny issues with this config, as opposed to opening 80/443 directly to Exchange <shudder>.

BTW, this is very similar to proxying OWA really. A couple of other things involved. Like most people probably checking out this article, I only have a single Win2k3/Exch SP1 back-end server and an Apache reverse-proxy.

1) Check Q-article 833401 (http://support.microsoft.co...) to configure your Exchange server as a backend. Basically, follow these instructions in the doc:
a) Install the RPCProxy using 'Add/Remove Programs'. BTW, do make sure you reapply Win2k3 SP1 after installing this if you get the RTM version. This installs two virtual directories - /rpc and /rpcwithcert.
b) Configure correct permissions on the /rpc virtual directory (don't require SSL, you'll see why in a sec)
c) Hard-code the ports to communicate with the GC with the "ValidPorts" registry value using the Exchange server name
d) Hard-code proxy communications on all GCs by configuring the "NSPI interface protocol sequences" registry key
2) OK, before all of the testing stuff with Outlook, there is an important step they don't mention if you have a proxy. You want the proxy to terminate the SSL and communicate on 80 back to the Exchange server, right? Well, you have to tell RPC to accept port 80 unencrypted traffic. Check the following article to see how that's done; they call it SSL offloading (whateva):

http://www.microsoft.com/te...

3) Now, here's my httpd config to check out. You'll see stuff which I'm sure true Apache gurus will cringe at, but adapt to your own setup accordingly. Put your cert on the Apache box, obviously, and serve on 443. You'll find my OWA proxy settings and a nice redirect from 80 -> 443 in there too:

# Port 80 serves nothing itself; everything is bounced to the HTTPS OWA URL.
<VirtualHost ***IP_that_you're_serving_on***:80>
DocumentRoot "/var/www/proxy_dir"
ServerName ***URL***
Redirect / https://***URL***/exchange
ErrorLog /var/www/proxy_dir/logs/error_log
# emerg suppresses almost all error logging, including proxy failures;
# raise it to warn while troubleshooting.
LogLevel emerg
TransferLog /var/www/proxy_dir/logs/access_log
</VirtualHost>

<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex

<VirtualHost ***IP_that_you're_serving_on***:443>

DocumentRoot "/usr/local/apache/htdocs"
ServerName ***URL***:443
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
# Tells OWA the client side is HTTPS so it emits https:// links even though
# the proxy talks plain HTTP to the backend (SSL offloading).
RequestHeader set Front-End-Https "On"
SSLEngine on
# Apache 2.0's default list: ALL keeps LOW, EXP and SSLv2 suites enabled and
# the '+' entries only reorder. Something like
# HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!SSLv2 is a safer choice.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
# Off = reverse proxy only. On would turn this host into an open forward proxy.
ProxyRequests off
# Pass the public Host header through so OWA builds its links with the
# public name rather than the backend address.
ProxyPreserveHost On
<Location /exchange>
ProxyPass http://***address_of_Exchange_server***/exchange
ProxyPassReverse http://***address_of_Exchange_server***/exchange
SSLRequireSSL
</Location>
<Location /exchweb>
ProxyPass http://***address_of_Exchange_server***/exchweb
ProxyPassReverse http://***address_of_Exchange_server***/exchweb
SSLRequireSSL
</Location>
<Location /public>
ProxyPass http://***address_of_Exchange_server***/public
ProxyPassReverse http://***address_of_Exchange_server***/public
SSLRequireSSL
</Location>
# RPC over HTTP: Outlook talks to /rpc/rpcproxy.dll through here.
<Location /rpc>
ProxyPass http://***address_of_Exchange_server***/rpc
ProxyPassReverse http://***address_of_Exchange_server***/rpc
SSLRequireSSL
</Location>
# Catch-all: every other path, i.e. the whole IIS site on the Exchange box,
# is reachable through the proxy. Drop this block if only OWA and RPC
# should be exposed.
<Location />
ProxyPass http://***address_of_Exchange_server***/
ProxyPassReverse http://***address_of_Exchange_server***/
SSLRequireSSL
</Location>
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
</IfDefine>
</IfModule>

4) Test it out! Run the Outlook /rpcdiag deal to get a nice interface to figure out what might be wrong, and check the Apache SSL logs for any funny errors. Oh, and make sure URLScan, if you have it installed, is not blocking anything it shouldn't.

Again, sometimes you do get some funny pauses happening, especially if you're on a shady connection. If anyone can find any way to make this more stable - I've been looking at the disable-cache thing potentially solving that - let me know.

Rgds,

Simon Blackstein

Tue 26 Jul 12:47:48 UTC 2005
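The script below is an added review aid, not part of Simon's post and not an Apache tool. It parses a vhost of the shape posted above and reports the points a reviewer would raise about it (the catch-all `<Location />`, the permissive cipher list, `LogLevel emerg`, `ProxyRequests`, missing `SSLRequireSSL` or `Front-End-Https`), then shows the same vhost with those points addressed. Both configs are condensed copies constructed for the example with RFC 5737 placeholder addresses; the checks encode general Apache 2.0 and OpenSSL cipher-string semantics, not facts about the poster's site.

```python
import re

# Condensed copy of the posted 443 vhost (RFC 5737 placeholder addresses).
POSTED_VHOST = """
<VirtualHost 203.0.113.10:443>
LogLevel emerg
RequestHeader set Front-End-Https "On"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ProxyRequests off
ProxyPreserveHost On
<Location /exchange>
ProxyPass http://10.0.0.5/exchange
ProxyPassReverse http://10.0.0.5/exchange
SSLRequireSSL
</Location>
<Location />
ProxyPass http://10.0.0.5/
ProxyPassReverse http://10.0.0.5/
SSLRequireSSL
</Location>
</VirtualHost>
"""

# The same vhost with each finding addressed.
HARDENED_VHOST = """
<VirtualHost 203.0.113.10:443>
LogLevel warn
RequestHeader set Front-End-Https "On"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!LOW:!EXP:!SSLv2
ProxyRequests Off
ProxyPreserveHost On
<Location /exchange>
ProxyPass http://10.0.0.5/exchange
ProxyPassReverse http://10.0.0.5/exchange
SSLRequireSSL
</Location>
<Location /rpc>
ProxyPass http://10.0.0.5/rpc
ProxyPassReverse http://10.0.0.5/rpc
SSLRequireSSL
</Location>
</VirtualHost>
"""

# Cipher classes that must be excluded with '!'. '+' only reorders suites
# already enabled, so '+eNULL' does not enable anything, but ALL does leave
# LOW, EXP and SSLv2 suites on. On the OpenSSL releases of the period
# !ADH is equivalent to !aNULL, so either is accepted.
WEAK_CIPHER_CLASSES = ("EXP", "LOW", "SSLv2", "eNULL", "aNULL")
ACCEPTED_EXCLUSIONS = {"aNULL": {"!aNULL", "!ADH"}}


def parse_directives(text):
    """Yield (location, name, args) per directive, tracking <Location> scope."""
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>$", line)
        if m:
            location = m.group(1)
        elif line.lower() == "</location>":
            location = None
        elif not line.startswith("<"):
            name, _, args = line.partition(" ")
            yield location, name.lower(), args.strip()


def audit(text):
    """Return the list of findings for one vhost; empty means nothing flagged."""
    findings = []
    proxied = {}            # proxied path -> has SSLRequireSSL
    proxy_requests_off = False
    front_end_https = False
    for loc, name, args in parse_directives(text):
        if name == "proxyrequests":
            proxy_requests_off = args.lower() == "off"
        elif name == "proxypass":
            path = loc if loc is not None else args.split()[0]
            proxied.setdefault(path, False)
            if path == "/":
                findings.append("ProxyPass for / forwards every backend "
                                "virtual directory; list only the OWA/RPC paths")
        elif name == "sslrequiressl" and loc is not None:
            proxied[loc] = True
        elif name == "loglevel" and args.lower() == "emerg":
            findings.append("LogLevel emerg hides proxy and SSL errors")
        elif name == "requestheader" and "front-end-https" in args.lower():
            front_end_https = True
        elif name == "sslciphersuite":
            tokens = set(args.split(":"))
            for cls in WEAK_CIPHER_CLASSES:
                if not tokens & ACCEPTED_EXCLUSIONS.get(cls, {"!" + cls}):
                    findings.append(f"SSLCipherSuite does not exclude {cls}")
    if not proxy_requests_off:
        findings.append("ProxyRequests is not Off: open forward proxy")
    if not front_end_https:
        findings.append("Front-End-Https header not set: OWA will emit http:// links")
    for path, has_ssl in proxied.items():
        if not has_ssl:
            findings.append(f"proxied path {path} lacks SSLRequireSSL")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_VHOST), ("hardened", HARDENED_VHOST)):
        print(label, audit(cfg) or "no findings")
```

The hardened list is what was reasonable for 2005 tooling; a deployment built today would also disable SSLv3 and early TLS, but that is outside what this thread covers. The parser is deliberately small (one directive per line, `<Location>` blocks only) because that is all the posted config uses.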

mikeg wrote:

Simon,

Thank you for this excellent comment. It appears you've put quite a bit of work into it. I'm going to give this a go soon (and hopefully stave off installing an ISA server... *shudder*).

I really do appreciate your coming back to share this.

Regards,

MikeG

Tue 26 Jul 13:05:46 UTC 2005

Dean wrote:

I need some help.

I have been following this guide and all the help but cannot get it to work. First I thought it was an authentication issue, but then I used Ethereal at the client on the Internet and saw why it doesn't work.

I connect to the proxy (http://xxx.xxx.xxx.xxx/exch...) and get the login pop-up. After entering my username and password, the client tries to connect to the Exchange server directly (192.168.1.10 in this case).

I used a very simple configuration:

# Note: the path and the target differ in their trailing slash (/exchange vs
# /exchange/). Apache expects them to match, e.g. /exchange/ on both sides.
ProxyPass /exchange http://192.168.1.10/exchange/
ProxyPassReverse /exchange http://192.168.1.10/exchange/

Any ideas?

Thu 09 Feb 13:43:22 UTC 2006

mikeg wrote:

You need to ProxyPass all the directories Exchange uses and you need to set the Front-End-Https header.

--

RequestHeader set Front-End-Https "On"

ProxyPass /exchange http://webmail.somedomain.c...
ProxyPassReverse /exchange http://webmail.somedomain.c...
ProxyPass /exchweb http://webmail.somedomain.c...
ProxyPassReverse /exchweb http://webmail.somedomain.c...
ProxyPass /public http://webmail.somedomain.c...
ProxyPassReverse /public http://webmail.somedomain.c...
ProxyPass /iisadmpwd http://webmail.somedomain.c...
ProxyPassReverse /iisadmpwd http://webmail.somedomain.c...

Thu 09 Feb 14:23:06 UTC 2006

dean wrote:

Thank you for the quick response.

I did what you suggested and it still doesn't work. I think I should add more information.

I am using Apache 2.0 on Suse 10.0 as the proxy and Exchange 2000 as the back-end. I am not using https at the moment because I want it to work with the simpler http before I configure my PIX, etc.

I am looking at the packet capture on the Internet client, and one of the HTTP packets received includes the parts WWW-Authenticate: Negotiate, WWW-Authenticate: NTLM, WWW-Authenticate: Basic realm="192.168.201.10"

I assume that is why the client is then trying to get the mailbox folders from 192.168.201.10.

Is it possible it does not work because I use proxypass /exchange http://192.168.1.10/exchange instead of a URI?

I am trying to install mod_proxy_html; maybe that will make it work.

I appreciate any suggestions.

Fri 10 Feb 07:47:04 UTC 2006
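As an added example, not taken from the thread or from Apache's source, the model below shows what `ProxyPassReverse` actually does to a backend response and why a client can still end up contacting the internal address, which is the symptom Dean describes and the reason for mikeg's advice to set `Front-End-Https` (together with `ProxyPreserveHost On` from Simon's config). Apache 2.0's `ProxyPassReverse` rewrites only the `Location`, `Content-Location` and `URI` response headers; the `WWW-Authenticate` realm and the HTML body are passed through unchanged. The hostnames, mailbox path and sample response are constructed for the example, and the way OWA builds its links (scheme from `Front-End-Https`, host from the `Host` header it received) is modelled, not copied from Microsoft code.

```python
from urllib.parse import urlsplit

PUBLIC = "https://webmail.example.com"   # assumed public name of the Apache proxy
BACKEND = "http://192.0.2.10"            # assumed internal Exchange address

# Apache 2.0 mod_proxy: ProxyPassReverse rewrites only these response headers.
REVERSE_HEADERS = ("location", "content-location", "uri")


def proxy_pass_reverse(headers, public=PUBLIC, backend=BACKEND):
    """Model of ProxyPassReverse: rewrite backend URLs in the three headers it
    covers; every other header (and the body) passes through untouched."""
    rewritten = []
    for name, value in headers:
        if name.lower() in REVERSE_HEADERS and value.startswith(backend):
            value = public + value[len(backend):]
        rewritten.append((name, value))
    return rewritten


def owa_frame_src(host_header, front_end_https):
    """Modelled OWA behaviour: absolute links take their scheme from the
    Front-End-Https request header and their host from the Host header."""
    scheme = "https" if front_end_https else "http"
    return f"{scheme}://{host_header}/exchange/alice/Inbox/"


def leaks(headers, body, backend=BACKEND):
    """Names of the response parts that still carry the internal address."""
    internal_host = urlsplit(backend).netloc
    found = [name for name, value in headers if internal_host in value]
    if internal_host in body:
        found.append("body")
    return found


def sample_response(preserve_host, front_end_https):
    """Constructed backend response. With ProxyPreserveHost Off the backend
    saw Host: 192.0.2.10 (the ProxyPass target); with On it saw the public name."""
    host_seen = urlsplit(PUBLIC if preserve_host else BACKEND).netloc
    headers = [
        ("Location", BACKEND + "/exchange/alice/"),
        ("WWW-Authenticate", f'Basic realm="{urlsplit(BACKEND).netloc}"'),
        ("Content-Type", "text/html"),
    ]
    body = f'<frame src="{owa_frame_src(host_seen, front_end_https)}">'
    return headers, body


def client_sees(preserve_host, front_end_https):
    """Run one modelled response through the proxy and report what leaks."""
    headers, body = sample_response(preserve_host, front_end_https)
    return leaks(proxy_pass_reverse(headers), body)


if __name__ == "__main__":
    print("ProxyPreserveHost Off, no Front-End-Https:", client_sees(False, False))
    print("ProxyPreserveHost On,  Front-End-Https On:", client_sees(True, True))
```

The `Location` header is rewritten in both runs; what differs is the body. Without `ProxyPreserveHost` the backend sees the proxy's own `Host` header, so OWA writes the internal address into its frame and link URLs, and no `ProxyPassReverse` rule will touch those. The realm string in `WWW-Authenticate` is informational and is not something the browser connects to, so it is a visible but harmless leak; mod_proxy_html is the heavier alternative that rewrites the body after the fact.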



© 2002-2007 Michael Gauthier