tanti.org.uk

Owen & Felicia’s Website

  • Increase font size
  • Default font size
  • Decrease font size

Reverse Proxy for Exchange 2007

Owen Campbell
Print PDF

Overview

This article describes how to create a linux based reverse proxy for Exchange 2007 with support for Outlook Web Access (OWA), the Outlook client and ActiveSync.

Why?

There are a number of reasons why a reverse proxy might be used (e.g. load balancing, performance), but in my case, it's simple. I don't want my Exchange Server exposed directly to the internet as it's too important and I can't afford the risk of it being compromised.

Instead, I'd like a dedicated machine to respond to connections from the web, forward them to the Exchange Server and then serve the repsonse back to the client: a reverse proxy.

My Options

There are several systems available to provide the proxy service. These are the ones I considered and the logic I used to decide between them:

  1. Microsoft's ISA Server or Forefront Security for Exchange Server

    I'm sure either of these would have done the job admirably, but they involve spending money! If I'd been unable to get any other option working, this would have been my last resort.

  2. The Apache Web Server (http://www.apache.org)

    Apache can do reverse proxying and there are a few articles on the web describing how to use it for OWA and Outlook. However, these are mostly for Exchange Server 2003.

    The main problem is that Microsoft use some non-standard technology in Outlook and Apache doesn't support it. If I only wanted OWA, then Apache would do the job, but I want Outlook to work too.

  3. Pound (http://www.apsis.ch/pound)

    From the website,  Pound is "a reverse proxy, load balancer and HTTPS front-end for Web server(s)." It has support for Microsoft's non-standard URLs and would therefore seem an ideal candidate.

    However, there's a snag!!

    Pound is designed to terminate an SSL connection and forward the decrypted request to the target web server using http. Microsoft call this 'SSL Offloading' and they have a technet article on the subject at http://technet.microsoft.com/en-us/library/bb885060.aspx Part way down the article, there is a note which says "Microsoft Exchange ActiveSync does not support SSL offloading" and that effectively rules out Pound for me.

    If I just wanted OWA and Outlook, then Pound would be fine, but I want ActiveSync too.

  4. Squid (http://www.squid-cache.org)

    From the website, "Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more." It supports Microsoft's non-standard URLs and it can use either http or https to talk to the Exchange Server.

    We're in business!!

Making it Work

I'm not going to describe the detail of setting up a linux server with Squid. There are plenty of tutorials on the web if you're not sure. From here on, I'm assuming that you have a server available with Squid installed and running.

For my part, I'm using Ubuntu as my server's operating system and that causes an extra layer of aggravation: Ubuntu's standard Squid package does not support SSL!! I've written up how to get around the problem here: Squid with SSL on Ubuntu

I'm also going to assume that you already have Exchange up and running and that OWA, Outlook and ActiveSync all work properly if you connect directly to your Exchange server.

OWA

First off, let's get OWA up and running. It's simpler than Outlook and allows us to get the basics working before we delve into anything more complex.

You need to sort out your SSL Certificates before we go any further. We're aiming to get OWA running from a web browser without any certificate warnings. Although OWA will work quite happily if you accept any such warnings in your browser and continue, Outlook will fail and will not give you any such warning. We're using OWA here to ensure that everything is correct before we tackle Outlook.

On your squid server, you will need to install a server certificate and key that matches the URL you want to use to connect to Exchange. E.g. If you own 'mydomain.co.uk' and you want your OWA URL to be 'exchange.mydomain.co.uk/owa', then your certificate's Common Name must be 'exchange.mydomain.co.uk'

You can either buy a certificate from one of the online suppliers or create your own certification authority (CA) and certificate (again, lots of tutorials on the web). Either way, in order to avoid any certificate warnings, the CA certificate must be installed on any machine that wishes to connect to Exchange. Again, this isn't strictly necessary for OWA, but it is for Outlook

You'll also need to sort out your firewall and router. Obviously, I can't tell you how to do that, but you will need incoming https connections routed to your new proxy and https connections allowed from your proxy to your Exchange server.

To configure squid, replace your existing squid.conf file with the following (on Ubuntu this file is /etc/squid/squid.conf):

visible_hostname <hostname for this proxy server>
debug_options ALL,1
https_port 443  cert=<path to your certificate> key=<path to your certificate's private key> \
defaultsite=<certificate's common name>
cache_peer <ip address of your exchange server> parent 443 0 no-query proxy-only originserver \
login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=owaserver
acl all src 0.0.0.0/0.0.0.0
acl owa dstdomain <certificate's common name>
cache_peer_access owaserver allow owa
never_direct allow owa
http_access allow owa
http_access deny all
miss_access allow owa
miss_access deny all

Once squid has been restarted, you should now be able to point your browser at your proxy server and navigate to OWA without any certificate warnings.

Once you have OWA working, you simply need another couple of lines in squid.conf to tell it that you wish to use Microsoft's non-standard technology:

extension_methods RPC_IN_DATA RPC_OUT_DATA

so your squid.conf would now be:

visible_hostname <hostname for this proxy server>
debug_options ALL,1
extension_methods RPC_IN_DATA RPC_OUT_DATA
ttps_port 443  cert=<path to your certificate> key=<path to your certificate's private key> \
defaultsite=<certificate's common name>
cache_peer <ip address of your exchange server> parent 443 0 no-query proxy-only originserver \
login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=owaserver
acl all src 0.0.0.0/0.0.0.0
acl owa dstdomain <certificate's common name>
cache_peer_access owaserver allow owa
never_direct allow owa
http_access allow owa
http_access deny all
miss_access allow owa
miss_access deny all

Restart squid, and you should now be able to set Outlook's http proxy options (again, lots of guidance on the web as to how) to use your new server. You should also find that your mobile devices can use the server to access ActiveSync.

< Prev
 

Add comment


Security code
Refresh

Login

News Feed

feed-image RSS Feed for this page

amazon