Jump to navigation
HOWTO: OWA 2K/2K3 Front-end SSL Proxy with Apache 2.0
Last update: Thurs Jul 21, 2005
NOTE: I simply cannot respond to the amount of email I am receiving regarding this. Please do not take it personally if I ignore you. Thanks. For assistance, I suggest hitting the
newsgroups or the comments following this HOWTO.
This HOWTO was adapted from an earlier version that covered Apache 1.3. If you're looking for that, it can be found
here [
http://3cx.org/item/38].
Keywords: outlook web access, OWA, front-end-https, proxy, libproxy.so, protect OWA, front-end-proxy, header, SSL, front, end, mod_proxy, apache, 2000, 2003, NT, windows
[I have successfully implemented this solution with SSL-aware Apache 2.0.46 on Debian Sarge and Redhat Enterprise Linux 3.1. This "HOWTO" does not cover setting up an OWA or SSL-aware Apache server. That's up to you. Sorry.]
Outlook Web Access 2000 and 2003 (OWA) runs on Microsoft's Internet Information Service (IIS). IIS is considered by many to be the swiss cheese of web servers (and I agree with this... sort of). I would never consider putting an IIS box on a publicly accessible network simply because it's just too much work to secure.
The point of having an OWA server is moot if one is not willing to allow access to it from the world. So, we need to somehow make the OWA service publicly accessible while not actually making the box itself publicly accessible (hopefully that makes sense. ;-). The answer? Proxy incoming requests with something a little more secure - namely Apache. Apache comes with a nice proxy module called mod_proxy. It does everything we need.
INTERNET +--------------+
| | APACHE PROXY |
| +--------------+
+----------+ |
| FIREWALL |------------------
+----------+ Service net
|
|
+------------+
Int Net -----| OWA SERVER |
+------------+
Remote users want to access OWA. They type https://webmail.somedomain.com into their browser. Their workstation/laptop then asks their DNS for the IP address of webmail.somedomain.com. The DNS replies with the IP address of the APACHE PROXY. The browser then connects to the proxy and sends its request. The APACHE PROXY then connects to the the internal OWA SERVER and requests the objects on behalf of the remote user. Simple enough.
Be aware that in this example, the Apache "proxy" is on a locked down service network. Nothing gets in or out of this net unless it is required. For the Apache "proxy", connection requests destined for port 443 (https) are allowed through the firewall from the world. Connection requests from the Apache "proxy" are allowed through to destination port 443 on the internal OWA server. That's it. If the Apache "proxy" generates any traffic other than that, alarms go off (i.e. WARNING! WARNING! You may be 0wn3d!). I highly recommend this configuration for all pubicly accessible services.
Now, to make this bit of magic work, we need to do several things.
- Configure Apache to use the mod_proxy modules.
- Add a RequestHeader and several ProxyPass configuration directives to the Apache config file.
- Add an entry to the Apache server's /etc/hosts file.
1. Configure Apache to use the mod_proxy modules.
Ensure Apache's configuration file (httpd.conf) includes the following lines.
LoadModule proxy_module <path to modules dir>/mod_proxy.so
LoadModule proxy_http_module <path to modules dir>/mod_proxy_http.so
LoadModule proxy_connect_module <path to modules dir>/mod_proxy_connect.so
NOTE: If mod_proxy is not part of your distribution's Apache package or you did not compile Apache with the mod_proxy option turned on, httpd may not start (it'll probably only complain).
2. Add a RequestHeader and these ProxyPass configuration directives to your Apache config file. You may place them in the main section of the config or in a VirtualHost section. It all depends how you have your server configured. I've done it in both and either will work.
RequestHeader set Front-End-Https "On"
ProxyPass /exchange http://webmail.somedomain.com/exchange/
ProxyPassReverse /exchange http://webmail.somedomain.com/exchange/
ProxyPass /exchweb http://webmail.somedomain.com/exchweb/
ProxyPassReverse /exchweb http://webmail.somedomain.com/exchweb/
ProxyPass /public http://webmail.somedomain.com/public/
ProxyPassReverse /public http://webmail.somedomain.com/public/
ProxyPass /iisadmpwd http://webmail.somedomain.com/iisadmpwd/
ProxyPassReverse /iisadmpwd http://webmail.somedomain.com/iisadmpwd/
CacheDisable *
3. And finally add an entry to the Apache server's /etc/hosts file.
You may notice the ProxyPass directives redirect several directories to webmail.somedomain.com. But how can we redirect to webmail.somedomain.com if the Apache server is webmail.somedomain.com? We need to add an entry to the /etc/hosts file pointing webmail.somedomain.com to the internal OWA IP address.
192.168.0.100 webmail.somedomain.com
Be sure your server is configured to look in your hosts file before consulting the DNS. Check your /etc/host.conf file to make sure. It should read like this.
order hosts, bind
multi on
Now start Apache. Watch your logs for any errors. Make sure the appropriate access is configured through your firewall (world --> proxy dst tcp 443 and proxy --> internal OWA server dst tcp 443). Also remember to watch the logs on your internal OWA server.
Some things to watch include
- Browser warnings about secure and insecure items on the same page - this could be a sign that the Front-End-Header isn't working properly
- Apache complaining about bad directives in its config file - could be a misspeled directive or a configuration conflict with your distro's version of Apache
- Apache warning it could not find a certain object or could not find the OWA server - make sure you've added the right IP address to your /etc/hosts and that you've redirected all the required directories in your Apache config file (ProxyPass and ProxyReverse directives).
If you try implementing this and have problems or (sorry -- I'm bombarded with questions) have something you think I should add (or modify) to these instructions, feel free to contact me at mikeg@3cx.org.
|
When I implemented this, I ran into a nasty bug. Exchange, for some strange reason, looks up each email using the subject line (as opposed to say... THE FRIGGIN UNIQUE IDENTIFIER!). That means the email subject is part of the URL. If a percent symbol (%) is in the subject line of the requested email, Apache will complain that it cannot find the URL. This has to do with the way mod_proxy does encoding/decoding of URI escape sequences.
By using the following mod_rewrite rules and a simple bash script, one can easily work around this problem.
Insert this right before your "front-end" Proxy* directives in httpd.conf.
# Using mod_rewrite to fix a problem when percent symbols are in
# the subject line of the OWA email (the email subject is used
# in the web query - WTF?). The entire URI is passed to a small
# bash script I wrote that replaces all occurrences of the % symbol
# with the URI escape sequence (%25). That seems to make everything
# happy.
RewriteEngine On
RewriteMap damnpercent prg:/usr/local/bin/percent_rewrite
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
The simple bash script uses sed to work its magic. You'll notice I am also sending the original and changed URL to a log file in /tmp. This helps with troubleshooting and can be shut off when you're confidant everything is working. (This could easily be rewritten in any language.)
#!/bin/bash
LOGFILE=/tmp/percent_rewrite.log
cat /dev/null > $LOGFILE
while read URL
do
NEWURL=$(echo "$URL" | sed -e "s/%/%25/g")
echo "Changing $URL to $NEWURL" >> $LOGFILE
echo $NEWURL
done
Keep in mind that this script only works if you implemented my solution exactly as I have. A man from Germany tried a modified solution, but could never get the percent rewrite to function properly. He used the ProxyPreserveHost directive, which I do not. By using this directive, you can dispense with the /etc/hosts hack and use the real OWA hostname in the ProxyPass directives (but not the ProxyPassReverse directives). I tried this and it works wonderfully... except for the percent symbol problem. I never could get the rewrite to work with the ProxyPreserveHost setup. I suspect this is due to my lack of understanding of the inner workings of both Apache's proxy subsystem and mod_rewrite.
|
|
Outlook RPC over HTTP with Apache 2.0
Simon Blackstein returned and added an excellent comment about Outlook RPC over HTTP via Apache 2.0 proxying to this post (http://3cx.org/item/35). He says he still has a few minor issues, but I believe he'll work them out. Hopefully he'll report back here with any "fixes".
Here is his comment in full (with a few minor changes only to assist my HTMLization).
Simon wrote:
OK, so I'm still having a few funny issues with this config, as opposed to opening 80/443 directly to Exchange *shudder*.
BTW, this is very similar to proxying OWA really. A couple of other things involved. Like most people probably checking out this article, I only have a single Win2k3/Exch SP1 back-end server and an Apache reverse-proxy.
- Check Q-article 833401 (http://support.microsoft.co...) to configure your Exchange server as a backend. Basically follow these instructions in the doc:-
- Install the RPCProxy using 'Add/Remove Programs'. BTW, do make sure you reapply Win2k3 SP1 after installing this if you get the RTM version. This installs two virtual directories - /rpc and /rpcwithcert.
- Configure correct permissions on the /rpc virtual directory (don't require SSL, you'll see why in a sec)
- Hard-code the ports to communicate with the GC with the "ValidPorts" registry value using the Exchange server name
- Hard-code proxy communications on all GCs by configuring the "NSPI interface protocol sequences" registry key
- OK, before all of the testing stuff with Outlook, there is an important step they don't mention if you have a proxy. You want the proxy to terminate the SSL and communicate 80 back to the Exchange server, right? Well, you have to tell RPC to accept port 80 unencrypted traffic. Check the following article to see how that's done, they call it SSL offloading (whateva):
http://www.microsoft.com/te...
- Now, here's my httpd config to check out. You'll see stuff which I'm sure true Apache gurus will cringe at, but adapt to your own setup accordingly. Put your cert on the Apache box, obviously, and serve on 443. You'll find my OWA proxy settings and a nice redirect from 80 -> 443 in there too:
<VirtualHost ***IP_that_you're_serving_on***:80>
DocumentRoot "/var/www/proxy_dir"
ServerName ***URL***
Redirect / https://***URL***/exchange
ErrorLog /var/www/proxy_dir/logs/error_log
LogLevel emerg
TransferLog /var/www/proxy_dir/logs/access_log
</VirtualHost>
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
<VirtualHost ***IP_that_you're_serving_on***:443>
DocumentRoot "/usr/local/apache/htdocs"
ServerName ***URL***:443
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
RequestHeader set Front-End-Https "On"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
ProxyRequests off
ProxyPreserveHost On
<Location /exchange>
ProxyPass http://***address_of_Exchange_server***/exchange
ProxyPassReverse http://***address_of_Exchange_server***/exchange
SSLRequireSSL
</Location>
<Location /exchweb>
ProxyPass http://***address_of_Exchange_server***/exchweb
ProxyPassReverse http://***address_of_Exchange_server***/exchweb
SSLRequireSSL
</Location>
<Location /public>
ProxyPass http://***address_of_Exchange_server***/public
ProxyPassReverse http://***address_of_Exchange_server***/public
SSLRequireSSL
</Location>
<Location /rpc>
ProxyPass http://***address_of_Exchange_server***/rpc
ProxyPassReverse http://***address_of_Exchange_server***/rpc
SSLRequireSSL
</Location>
<Location />
ProxyPass http://***address_of_Exchange_server***/
ProxyPassReverse http://***address_of_Exchange_server***/
SSLRequireSSL
</Location>
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /usr/local/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>
</IfModule>
- Test it out! Run the Outlook /rpcdiag deal to get a nice interface to figure out what might be wrong, and check the Apache SSL logs for any funny errors. Oh, and make sure URLScan, if you have it installed, is not blocking anything it shouldn't.
Again, sometimes you do get some funny pauses happening, especially if you're on a shady connection. If anyone can find any way to make this more stable - I've been looking at the disable-cache thing potentially solving that - let me know.
Rgds,
Simon Blackstein
|
Comments
Mikeg,
This rocks. I got this working in just under 30 minutes. I'm struggling with the percent issue though. I want to figure that part out on my own. If I cannot, I'll give in and beg you for the fix. :)
Thanks.
I updated this with the percent problem fix. If you're still trying to figure it out on your own, don't look SniperAce!
This solution really rocks. Anyway, I have a question. Is there a way of say, make apache connect to some outbound server using it's certificate? I mean, what if the Server in the internal net needs to contact some server on the internet and I want that external server to see the certificate of the apache and NOT of the internal server? With a simple forward proxy this would not be possible, as the certificate is transparently routed through. Can you guys imagine a solution to this?
Thanks, Chris
Oh Yes, this works ABSOLUTLEY awesomely! My setup: Whitebox Linux
Stock RPM's for httpd, mod_ssl and openssl.
Windows2K3 SP1 Exchange 2K3 SP1
A couple small snags I had that maybe will help you:
make sure you include the following in the virtual directory statement: SSLProxyEngine on
ProxyPreserveHost on
added these statements just before the RewriteEngine statment.
I am about to go thru this whole mess but I need the mod_headers for apache2 for solaris can anyone tell me where I can find it,
Thanks, Francois
i've tried this a few days ago and found out that the connection sometimes fails or get reset. while sniffing with ssldump i can see that the rpc_in_data/rpc_out_data "http" (header) requests are send in one tcp packet from the client to apache/mod_proxy but the outgoing traffic (from apache to rpc proxy) often is split into more smaller packets (one tcp packet per line). since the rpc traffic is binary data encapsulated in the http body i guess this is a problem!? i have not protocol design knowledge so maybe i am wrong. but there is a mod_proxy extension to get another binary protocol work with mod_proxy.
http://httpd.apache.org/doc...
so maybe i am not wrong!?
btw. with squid in accel mode it works without this problems and sniffing with ssldump shows that squid does not change the packet size.
btw2. does anybody know if outlook 2003 is able to send a client certificate to authenicate to apache/squid/rpc-proxy whatever? and does anybody know if outlook is able to use a proxy with basic auth to connect to a rpc-proxy? this are 2 important features to make it a more secure and usefull solution. but hey, its M$ ;)
regards
the2nd
I've had this running for about two months now with a frontend server and two backends. Seems to work ok, however, HTTP+RPC seems to take awhile to connect initially and is intermittent. I can't seem to get OMA working. Has anyone gotten OMA working (I added the Proxypass, ProxyReverse statements for OMA)?
Thanks,
marly
I've tried this and it works quite well, except that I cannot attach files to an email with OWA. The list of attachements desperatly remains empty. Has anybody encountered the same problem?
Sorry for my awful english :)
I have encountered stephane problem. It seems that apache doesn't convert files path spaces into somewhat OWA understand.
If you try to replace c:\test test\file.pdf by c:\test%\file.pdf, it will work... I have no solutions for the moment...
...great howto, works (almost) fine for out apache 2.0.51 reverse proxy to outlook 2003 web access!
We have the following problem: When pressing "reply" button we get a 404 error:
The requested URL /exchangedro/Entwürfe/AW: Schulungen-3.EML was not found on this server.
Please note the /exchangedro/ ....this should be /exchange/dro/!! 'dro' is my login name. The proxy seems to eat the imoportant slash, without proxy reply is working normal.
Has anybody solved this yet? Any help is appreciated. Many thanks.
Dirk
..thanks to Niels Jäckels help there is a solution to the problem above:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule exchange([^/].*) /exchange/$1 [R,QSA,L]
RewriteRule exchweb([^/].*) /exchweb/$1 [R,QSA,L]
</IfModule>
Put this before your proxy rules in httpd.conf and the problem disappears.
Dirk
I can't get this to run properly. It seems that authentication on the proxy don't get to the OWA server. Any ideas ?
Here my httpd.conf:
<VirtualHost *:40000>
# ServerAdmin webmaster@dummy-host.example.com
# DocumentRoot /www/docs/dummy-host.example.com
ServerName <proxy host>
ErrorLog logs/<proxy host>.com-error.log
CustomLog logs/<proxy host>.com-access.log common
RewriteEngine On
RewriteLog logs/rewrite.log
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /OrgChart http://<OrgChart host>:40000/OrgChart
ProxyPassReverse /OrgChart http://<OrgChart host>:40000/OrgChart
<Location /OWA>
ProxyPass http://<OWA host>/exchange
ProxyPassReverse http://<OWA host>/exchange
AuthName "Outlook BERNMOBIL"
AuthType SSPI
SSPIAuth On
SSPIAuthoritative On
SSPIOfferBasic On
SSPIBasicPreferred On
require valid-user
</Location>
ProxyPass /exchange http://<OWA host>/exchange
ProxyPassReverse /exchange http://<OWA host>/exchange
ProxyPass /exchweb http://<OWA host>/exchweb
ProxyPassReverse /exchweb http://<OWA host>/exchweb
ProxyPass /public http://<OWA host>/public
ProxyPassReverse /public http://<OWA host>/public
ProxyPass /iisadmpwd http://<OWA host>/iisadmpwd
ProxyPassReverse /iisadmpwd http://<OWA host>/iisadmpwd
</VirtualHost>
Thank you.
I have unselected the Integrated Authentication and kept only the Basic AUT H mode enabled on the IIS pages (exchange, exchweb, public).
Best wishes,
Andras
I'm having a similar problem to what is mentioned above with attachments.
Sometimes the attachment works and sometimes the screen just refreshes and nothing is attached.
I thought that it might have been the problem with apache not encoding the correct URL with spaces - But I can't seem to replicate it.
Is there a way to troubleshoot this problem?
Thanks,
Clark
Has anyone noticed problems connecting with HTTP+RPC with more than 5 clients? It seems once I have more than 5 clients it doesn’t want to allow anymore connections.
Any ideas?
Thanks,
marly
Hello,
I have followed the instructions and I needed to make a couple of slight changes to get this to work properly.
I implemented this in a virtual host section. I am running Exchange 2000 with Apache 2 as the reverse proxy.
After I have implemented the solution above, I don't see how the connection from the proxy server to the OWA server is running over ssl. The proxy requests are using regular http, and I had to disable require SSL access on teh OWA site in order to get this to work.
I feel that the connection from the public internet to the proxy is secure, but not the internal connection, is this a problem?
I had to add these directives:
SSLEngine on
SSLCertificateFile .....
SSLCertificateKeyFile .....
I get these errors in the apache log:
[Sat Feb 11 09:08:02 2006] [error] SSL Proxy requested for webmail.xxxxxxx.com:443 but not enabled [Hint: SSLProxyE
ngine]
[Sat Feb 11 09:08:02 2006] [error] proxy: failed to enable ssl support for 192.168.10.2:443 (webmail.xxxxxxxxxx.com
)
Hi
I have implemented your OWA config script and it works great. Thanks for the information.
I am now looking to get activesync proxpassing through apache, as we now have some PDAs with this functionality.
I have tried to follow the same method as the OWA
ProxyPass /microsoft-server-activesync
http://fosters.wgsn.com/mic...
ProxyPassReverse /microsoft-server-activesync
http://fosters.wgsn.com/mic...
But it doesnt seem to work with the PDA, the logs show a 404 error when trying to proxpass pass to our front end exchange 2003 server
Can any one help with this?
I have the ActiveSync feature working with Apache 1.x simply with these directives:
ProxyPass /Microsoft-Server-ActiveSync/
http://server/Microsoft-Ser...
ProxyPass /Microsoft-Server-ActiveSync
http://server/Microsoft-Ser...
Remember that apache is case sensitive, and the PDA will send the request with the above capitalization.
I should point out one more thing. It works with Apache 2 in the exact same way, but beware of using Forms Based Authentication when trying to get ActiveSync working. If you want to use FBA with activesync, you'll need to separate your OWA and ActiveSync virtual servers on your IIS machine. Personally, I have this configuration set up:
Default: FBA turned off, used for internal OWA and external ActiveSync and HTTP-RPC. Has no particular host header assigned to it.
OWA External: FBA turned on, used only for external OWA. Exchange and Public virtual directories defined via System Manager. Host header set to external FQDN.
Apache configuration is simply:
RequestHeader set Front-End-HTTPS "on"
RewriteEngine on
RewriteRule ^/exchange$
https://external.fqdn/excha... [R]
ProxyPass /exchange/
http://external.fqdn/exchange/
ProxyPass /public/
http://external.fqdn/public/
ProxyPass /exchweb/
http://external.fqdn/exchweb/
ProxyPass /Microsoft-Server-ActiveSync
http://internal.fqdn/Micros...
ProxyPass /rpc/
http://internal.fqdn/rpc/
I don't have any ProxyPassReverse's because I haven't found them to be required (and omitting it seems to speed up load times slightly).
We've been having a hell of a time with our Apache/OWA configuration that is very similar to this. Specifically, since we enabled NTLM authentication to the external OWA users (needed to support Mobile IIS devices) we started to get sporadic 'page cannot be displayed' for elements within the OWA session as well as the 'secure/insecure' warnings (which turned out to be refering to the 'page cannot...' error page itself).
This turned out to be related to NTLMs expectation for persistent channels, a-la:
http://groups.google.ca/gro...
It ultimately appears that editing apache2.conf and changing the value of KeepAliveTimeout to match IIS (120 seconds) and editing ssl.conf to disable the 'ssl protocol adjustment' related to keep-alives has resolved the issue.
... and now you know.
I have found that accessing OWA with IE6 does not work at all, but Firefox works fine.
This is apparently due to IE6 attempting NTLM authentication, which dies via the proxy.
One option is to turn of "Integrated Windows Authentication" on the IIS box.
Another option I have found is to use the following config to strip out the headers going back to the client advertising NTLM.
There may be a better to do this, but it works for me:
Header unset WWW-Authenticate
Header set WWW-Authenticate "Basic realm=\"webmail.hostname\""
This removes all WWW-Authenbticate headers, then puts back the header advertising Basic authentication.
I have a problem with adding attachments through a message using OWA.
Clicking "Attach" after selecting the file just refreshes the page and no attachment appears in the attachment list.
This does work WITHOUT SSL with the only difference between the virtualhosts beeing the RequestHeader attribute (and the additional SSL attributes of course).
RequestHeader set Front-End-Https "On"
The rest is just ProxyPass and ProxyPassReverse attributes.
Any clues?
i have it all setup. however when i try and use /exchange for owa all i get is page cannot be displayed.
it works fine for OMA but not for OWA. Any ideas ?
I'm having the same problems with attachments not showing up in the list. (although very small ones <8K work without problem !!!) The % is the pathname of attachements doesn't work, my setup is apache 2.0.55+mod_ssl+mod_proxy. The rest works perfectly, subject with a percentage is no problem. I don't (have to) rewrite anything !! turn SSL session caching off and on doesn't help. Has someone found a solution yet ?
As a response to myself and my SSL+attachment problem (see above).
I found a solution to this, add
SetEnv proxy-sendchunked 1
to your SSL virtual host.
I haven't really worked out exactly why this works, but it probably sets som headers IIS wants.
Or maybe I was wrong..turned out that the file I tried with was smaller than 8K...fuck.
Same problem as the previous poster, same apache-version too.
Ok, this time I've nailed it.
The problem is with mod_proxy in apache 2.0.55.
If you can, upgrade/downgrade to some other version OR apply the patch avaiable at
http://issues.apache.org/bu...
Hello everybody.
I'm running apache 2.2.2 on OWA2003sp2
I'm getting this error on the apache box:
proxy: error reading status line from remote server 3.3.3.33, referer:
https://mail.XXX.YY/exchang...
proxy: Error reading from remote server returned by /exchange/rcalderoli/, referer:
https://mail.XXX.YY/exchang...
Doing a refresh on the browser 'resolves' the problem.
Hints?
Hi all,
Anyone successfully got OWA (2003) working through apache 2.2.0 (the version that comes with FC5)?
I've encountered a problem where the WWW-Authenticate header is being dropped by the reverse proxy after a user has enters their username / password. I think it may be a bug, but there's no updates available through yum (and I hesitate to try any of the testing / development versions on a production system).
I'm yet to find a workaround that doesn't involve rolling back to Apache 2.0. Any ideas / feedback are welcome.
Hi,
I'm trying to configure RPC over https for outlook. I configured ssl offloading. However I can't seem to get this working
Do you configure this with basic authentication? In your explanation on RPC over http you speak of GC with the "ValidPorts" register and NSPI interface protocol sequences". I can't seem to find info on this in the provided link. Can anyone help me
kind regards
Pieter
PS What is the abbreviation GC?
I seem to be getting alot of the following errors. Everything works fine execept when sending attachments the message appears to hang. If you close the message window, the message will be in the drafts folder. You then can send it from the drafts folder without an issue.
Here are the errors I am receiving:
[error] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : proxy: prefetch request body failed to frontend from xxx.xxx.xxx.xxx ()
and
[warn] (OS 121)The semaphore timeout period has expired. : winnt_accept: Asynchronous AcceptEx failed.
[warn] (OS 64)The specified network name is no longer available. : winnt_accept: Asynchronous AcceptEx failed.
I am runnning this on a Windows 2000 box with Apache/2.0.58 (Win32) mod_ssl/2.0.52 OpenSSL/0.9.7e
Any Ideas?
Hi,
I am trying to get the active-sync running.
I have only one exchange server (No Front End Server) so have configured an additional virtual directory in iis in line with microsoft document:
http://support.microsoft.co...
I want to secure the active-sync communications with ssl. (Well I think I do anyways..??)
Do I need to install a 'Public' (Verisign/THWATE/etc) cert on the apache box? Or can I use the same one I created for OWA?? (WM v5.0, ActiveSync v4.2).
If i choose just to use http for active-sync, how can I alter the http headers as suggested by Chad Kitchling (above) given that the virtual directory resides in the 'Default Web Site' of IIS?
Hope this makes sense?? Cheers.
Hi,
I solved all my SSL problems etc. Took a while and alot of reading - but hey..
My full solution is located on tek-tips website:
http://www.tek-tips.com/vie...
HOPE THIS HELPS SOMEONE!!
Great resource, thanks !
I've just done this with Apache 2.2.2 on Cygwin (for testing, should work an any platform).
I had to use the "header unset"/"header add" method mentioned above to manually trigger basic authentication, and for some reason I don't seem to have the "percent problem" - I tested several subject lines with multiple % signs, and each came up properly without the RewriteRule statement (in fact, with the RewriteRule, it kept re-writing things unnecessarily, and I kept getting 500 internal server errors).
I'm proxying to OWA on Exchange 2000 SP3, for reference. All IE6 clients.
Just a follow-up - I also had to add "SetEnv proxy-nokeepalive 1" to my httpd-ssl.conf file - otherwise it seemed connect users to previous HTTP sessions (eg, previous users' OWA mailboxes) - not good :)
Anyone got Remote Web Workplace working with mod_proxy?
The site loads fine, but i can not take over a computer, im trying this internally
OWA works perfect btw
as Andrew Heberle, I needed to insert headers below:
Header unset WWW-Authenticate
Header set WWW-Authenticate "Basic realm=\"webmail.hostname\""
to support external access from IE (no problem with Firefox!) and mobile devices with ActiveSync.
Mixing of Windows Authentication and Basic Authentication is really dangerous!!! Doubly check your settings on IIS.
Hi,
very nice collection of tipps and tricks!
Has anybody given thought on how to secure, i.e. authenticate on the Apache reverse proxy? As some people may have found out, doing both basic auth on r.-proxy and basic auth in IIS/OWA simultaneously does not work!
So what are the alternatives? FBA in OWA, RSA Securid on Apache ... any other ideas?
tavla oyun
I have the problem
on my linux box RHEL4+ apache 2.0.52
When I open the
http://Http://labmail.domai... it redirects to htts://labmail.domain.com/exchange and then I see index of exchange directory
What it wrong ?
I think alot of people have run across this issue. You did a good job providing advice.
Fantastico
with the addition of the turning of NTLM for IE clients (we have integrated auth turned on for LAN clients) we have it working nicely :D
Using Gentoo Linux and Apache2 to redirect exchange 2003.
Great article, I'm just running into one problem, and I cannot solve with this.
I have to enter my auth info into Apache/OWA twice. I'm not sure why this is.
Taking a wild guess, I know that the link for OWA loads up a frame bar, and I'm wondering if/why I'm authenticating twice to OWA.
However, once I am inside the firewall (not proxy'ing through Apache), I can auth to OWA just once
Hi,
OWA is working fine , but iam facing problem with RPC over HTTPS .
Here is the log iam getting and taking long time for connecting and finally prompt exchange not available.
10.41.0.11 - - [24/Jun/2007:17:06:45 -0400] "RPC_IN_DATA /rpc/rpcproxy.dll?myexch:6002 HTTP/1.1" 302 349 "-
" "MSRPC"
10.41.0.11 - - [24/Jun/2007:17:06:45 -0400] "RPC_OUT_DATA /rpc/rpcproxy.dll?myexch:593 HTTP/1.1" 302 348 "-
" "MSRPC"
10.41.0.11 - - [24/Jun/2007:17:06:45 -0400] "RPC_IN_DATA /rpc/rpcproxy.dll?myexch:593 HTTP/1.1" 302 348 "-"
"MSRPC"
Hi Reddy,
I just rebuilt my web/reverse proxy server from scratch and am having the problems you are facing.
Seems as though M$ have broken the HTTP standard and apache have fixed a security hole which now breaks rpc/https.
'Oliver' has posted this above, but a few more links of interest might be:
http://issues.apache.org/bu...
http://cve.mitre.org/cgi-bi...
http://permalink.gmane.org/...
If anyone finds out how to 'fix'/workaround this please post!
Cheers - Chris.
here is an updated set of rules to make the percent rewrite work in all cases.
RewriteEngine On
RewriteMap percent int:escape
RewriteCond $1 \%
RewriteRule (^/exchange/.*) https://<SERVER>/${percent:$1} [proxy]
obviously replace <SERVER> with the internal server name.
This info was very helpful,thanks
thanks for the info- this is good to know
I am having the same issue as Mike..
I released a general mod_perl authentication front end (AppSamurai) that can block all unauthenticated access, allow ActiveSync to authenticate using SecurID or other tokens, or do all sorts of other things. I use it, with mod_proxy, as part of a production OWA/ActiveSync reverse proxy system. (It can do other things, but that was the impetus to create it.)
I only mention it here because it can be easily combined with the mod_proxy rules and setup above and may be useful to some of you. A canned OWA proxy Apache config is included. It is under same license as Perl (GPL/Artistic), so hopefully my shameless plug is semi-excusable. If you are interested, see:
http://appsamurai.sourcefor...
Apache 2.0, based linux need root access to manipulate the server. After changes make sure to restart server.
We have a problem with ours:
We get the OWA login screen (looks like a BASIC authentication), when we enter the credentials, it comes right back to that screen. It never logs in, or it never get's to the second step.
Help!
Thanks for help, Keep up the good work.
Just a quick post to say thanks for the excellent guide - worked perfectly with our setup (Apache 2.2.8 SSL frontend connecting to a backend SSL OWA Win2K3 Exchange 2003 box).
The following two links are also handy:
http://www.msexchange.org/t...
http://www.securityfocus.co...
Finally, in case it is useful to anyone, this is our webmail virtual host config:
<IfModule ssl_module>
<VirtualHost 1.2.3.4:80>
ServerAdmin webmaster@domain.com
DocumentRoot /usr/local/apache/htdocs/webmail.domain.com
ServerName webmail.domain.com
ErrorLog /var/log/apache/webmail.domain.com/errors.log
CustomLog /var/log/apache/webmail.domain.com/access.log combined
# Redirect to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerAdmin webmaster@domain.com
DocumentRoot /usr/local/apache/htdocs/webmail.domain.com
ServerName webmail.domain.com
ErrorLog /var/log/apache/webmail.domain.com/errors.log
CustomLog /var/log/apache/webmail.domain.com/access.log combined
# Turn on SSL support
SSLEngine on
SSLProxyEngine on
# MSIE SSL tweaks
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
# Fix eating of slash problem
RewriteEngine On
RewriteRule exchange([^/].*) /exchange/$1 [R,QSA,L]
RewriteRule exchweb([^/].*) /exchweb/$1 [R,QSA,L]
# Handle % character in email subject lines
RewriteMap damnpercent prg:/usr/local/bin/percent_rewrite
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
# Setup proxy to MS Exchange (OWA)
RequestHeader set Front-End-Https "On"
ProxyPass /exchange
https://webmail.domain.com/...
ProxyPassReverse /exchange
https://webmail.domain.com/...
ProxyPass /exchweb
https://webmail.domain.com/...
ProxyPassReverse /exchweb
https://webmail.domain.com/...
ProxyPass /public
https://webmail.domain.com/...
ProxyPassReverse /public
https://webmail.domain.com/...
ProxyPass /iisadmpwd
https://webmail.domain.com/...
ProxyPassReverse /iisadmpwd
https://webmail.domain.com/...
CacheDisable *
# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
<Directory />
SSLRequireSSL
</Directory>
</VirtualHost>
</IfModule>
I'm struggling with the percent issue though. Can someone help me with a fix please?
Thanks.
Hi to all
has anyone fixed the problem regarding RPC over https using an apache versione older than 2.0.53 ?
Thanks
Keep up the good work.
For Outlook using RPC over HTTP, does anyone know how to verify that Outlook is actually using an SSL connection to the apache proxy?
I'm wary of disabling SSL between Apache and Exchange, but I can't get RPCoHTTP working without it. So I want to ensure that our Outlook clients out on the Internet are still using SSL even though it's not forced.
I've a lot of problem with rpc, apache version 2.052.38 on a centos 4
Everything ele is ok no error on the log. I've disabled the SSL restriction on IIS and configured outlook without "msstd" parameter.
Any Idea? an apache upgrade is needed?
Regards
L.
how to work for exchange 2007?
Someone has RPC working?
Could you past your config and apache version?
thank's
L.
I'm curious how people are creating/converting their SSL certificates. In this tutorial the certificates are listed as:
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
I have an SSL cert purchased from RapidSSL and exporting it from my Exchange server only allows me to save it in a PEM format. I'm seeing errors in my logfile about "no client certs found for SSL proxy".
Can anyone shed some light on this?
Anyone have this working with Exchange 2007 ?
I think some one should come up with a new howto for getting this to work. It appears that the solutions are all over the place.
I at present have Centos with Apache 2.X doing proxy to the SBS 2003 exchange server and it is not working at all. followed a lot of notes but nothing is working. I get 500 errors. I can connect from the linux server with Firefox to the SBS2003 exchange via the browser with out issue. Just no proxy working.
With respect to Jeff's question about exporting certs:
Forgive me if this isn't concise or exhaustive (I don't have the cert services snap-in infront of me), but in order to export it as a .crt, have to view the certificate (in certificate services)and then right click the dialog window where you're viewing the actual contents of the cert, and it will give you an option to copy/export it, and if you do it will basically save it in .crt format.
I first discovered this when I created my own SSL certificate using certificate services in order to set up secure imap for someone's iphone to get exchange mail (reads, "too cheap to buy a cert"). I almost pulled my hair out trying to figure out how to get the damn cert in .crt format. I was about to give up when I stumbled onto the answer. It's ridiculous that this is how you go about it.
If you can't figure it out from the preceding description, let me know and I'll go to work and walk back through exactly how I did it and then post it.
Good luck!
Looking for a solution for Exchange 2007. According to this guy it wont work because Apache doesnt support RPC_IN_DATA and RPC_OUT_DATA commands
http://projectdream.org/wor...
Addendum To John:
I may be mistaken on this, but I'm not sure the certificate would be valid if you tried to transfer it to another machine. I thought that was part of the point of certificates and part of the reason they subject you to some level of scrutiny when you purchase a cert from a trusted CA.
I'm not saying this with so much conviction that you should allow my comment to overrider your certainty...
I basically just fumbled my way through it so I wouldn't have to allow unsecure IMAP.
Erm, I meant the previous to be "Addendum to Jeff" no John
I've ruined everything!
Anyone has found a fix for RPC issue on Exchange 2003??
thanks
L.
I have SBS 2003 for e-mail and Windows Home Server for client backup. I run a FreeBSD VM on SBS with Apache and using the guide above I now have OWA working. What I'd also like to do is get the WHS web server proxied too, so that files can be accessed outside the local net. I'm not having any lukc with this and in fact I had the same problem when I first tried to set up the SBS proxying on my own. In both cases the VDIR that is causing problems is /Remote (/home works to get to the main page on WHS, and /Exchange etc work for OWA). When I try accessing anything in this vdir I get a 500 internal server error response. I see nothing untoward in the Apache logs; it appears to be forwarding the request, and I see nothing in the IIS logs.
Has anyone tried this with either SBS or WHS and if so, is there a solution?
Ah, got my setup working. Turned out I had two problems compounding the issue - the forwarding must be on port 443 (turning off SSL required in the IIS setup is not good enough), and any asp handlers in Apache must be disabled (I had mod_mono loaded).
Anyone had the problem of funny characters appearing at the foot of the email after sending?
I seem to have a whole line of funny characters. When viewed in IE they don't show up but when viewed in Thunderbird they appear?
Everything else is working superb! Thanks for all the help posted by everyone on this page.
I think some one should come up with a new howto for getting this to work. It appears that the solutions are all over the place.
Someone has RPC working?
Could you past your config and apache version?
thank's
Add Comments
![[QUIT SLASHDOT TODAY]](/misc/quit-slashdot.gif){kind=small}