
Exchanging Squids

January 25, 2013

Even though my organization has switched to Office 365, I thought it might be good to post a solution I found previously for putting a reverse proxy in front of our Exchange server. It took me quite a while to get this one right, since I was unaware of a disagreement between how Apache and Microsoft handle the HTTP protocol that keeps Apache from proxying RPC over HTTPS (required for Outlook Anywhere). So the only working solution I’ve found for an Exchange reverse proxy that isn’t ISA/Forefront is Squid with some special config options. Here is the config that worked for me:


# squid.conf
visible_hostname webmail.myorg.com
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
# Apache-style combined log; %[ui and %[un are the ident and authenticated user names
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid3/access.log combined
cache_log /var/log/squid3/cache.log
cache_store_log none
cache_mgr nomail_address_given
forwarded_for transparent
# Outlook Anywhere sends Expect: 100-continue on its RPC requests; pass them to the CAS instead of answering here
ignore_expect_100 on
# Tolerate Microsoft clients that close TLS sessions without a close_notify
ssl_unclean_shutdown on

# Public listener: terminates TLS with the publicly trusted webmail certificate and its CA bundle
https_port 443 accel cert=/usr/certs/webmail.myorg.com.crt key=/usr/certs/webmail.myorg.com.pem \
cafile=/usr/certs/gd_bundle.crt defaultsite=webmail.myorg.com

# Origin server: the internal Client Access Server, reached over TLS on 443.
# login=PASS forwards the client's Authorization header unchanged and
# connection-auth=on keeps NTLM's connection-bound authentication pinned to one backend connection.
# sslflags=DONT_VERIFY_PEER skips checking the CAS certificate; if the internal certificate
# chains to a CA you trust, sslcafile= pointing at that CA closes the gap.
cache_peer mailserv.myorg.local \
parent 443 0 \
proxy-only \
no-query \
no-digest \
front-end-https=on \
originserver \
login=PASS \
ssl \
sslflags=DONT_VERIFY_PEER \
connection-auth=on \
name=ExchangeCAS

# Only the Exchange virtual directories are published (case-insensitive, unanchored regex matches)
acl exch_url url_regex -i webmail.myorg.com/owa
acl exch_url url_regex -i webmail.myorg.com/microsoft-server-activesync
acl exch_url url_regex -i webmail.myorg.com/rpc

# Route published URLs to the CAS and refuse everything else; denied requests are redirected to OWA
cache_peer_access ExchangeCAS allow exch_url
cache_peer_access ExchangeCAS deny all
never_direct allow exch_url
http_access allow exch_url
http_access deny all
miss_access allow exch_url
miss_access deny all
deny_info https://webmail.myorg.com/owa all

Make sure to replace webmail.myorg.com with the public URL of your webmail service and mailserv.myorg.local with the internal FQDN of your mail server. If the reverse proxy server is situated in a DMZ separate from your mail server, make sure to add the FQDN of your mail server (with IP address) to your /etc/hosts file and open ports 80 and 443 from the reverse proxy server to the mail server.
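As an added example (not code from the original post), here is a small Python script that parses lines in the combined logformat defined in the config above and reports two things worth watching on this proxy: requests for paths the exch_url ACLs do not publish, and clients accumulating 401s on /rpc (Outlook Anywhere). The sample log lines are constructed, and the 401 threshold is a heuristic rather than anything the post specifies.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Matches the "combined" logformat from the Squid config above:
# %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<squid_status>[^:\s]+):(?P<hierarchy>\S+)$')
# Path prefixes the exch_url ACLs publish; anything else must never reach the CAS.
PUBLISHED_PREFIXES = ("/owa", "/microsoft-server-activesync", "/rpc")
# Constructed sample access.log content (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jan/2013:10:15:32 -0500] "RPC_IN_DATA https://webmail.myorg.com/rpc/rpcproxy.dll HTTP/1.1" 401 0 "-" "MSRPC" TCP_MISS:FIRSTUP_PARENT
203.0.113.5 - - [25/Jan/2013:10:15:33 -0500] "RPC_IN_DATA https://webmail.myorg.com/rpc/rpcproxy.dll HTTP/1.1" 401 0 "-" "MSRPC" TCP_MISS:FIRSTUP_PARENT
203.0.113.5 - - [25/Jan/2013:10:15:34 -0500] "RPC_IN_DATA https://webmail.myorg.com/rpc/rpcproxy.dll HTTP/1.1" 401 0 "-" "MSRPC" TCP_MISS:FIRSTUP_PARENT
198.51.100.7 - jdoe [25/Jan/2013:10:16:01 -0500] "GET https://webmail.myorg.com/owa/ HTTP/1.1" 200 48213 "-" "Mozilla/5.0" TCP_MISS:FIRSTUP_PARENT
198.51.100.7 - - [25/Jan/2013:10:16:05 -0500] "GET https://webmail.myorg.com/ecp/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" TCP_DENIED:NONE
garbage line that does not match the format
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # %ru is the full URL in accel mode; fold the path like the url_regex -i ACLs do.
    rec["path"] = urlparse(rec["url"]).path.lower()
    return rec

def analyse(log_text, auth_fail_threshold=3):
    """Report requests outside the published paths and clients piling up 401s on /rpc.
    A 401 also opens every normal NTLM handshake, so tune the threshold to your baseline."""
    unpublished, rpc_401, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not rec["path"].startswith(PUBLISHED_PREFIXES):
            unpublished.append((rec["client"], rec["path"], rec["status"], rec["squid_status"]))
        if rec["path"].startswith("/rpc") and rec["status"] == 401:
            rpc_401[rec["client"]] += 1
    suspects = sorted(c for c, n in rpc_401.items() if n >= auth_fail_threshold)
    return {"unpublished": unpublished, "rpc_401": dict(rpc_401), "suspects": suspects, "unparsed": unparsed}
```

Run it against /var/log/squid3/access.log to see which clients hit paths outside the published set and where the deny_info redirect (logged as TCP_DENIED) is firing.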

If you haven’t done it before, you might also be wondering how to get the CRT and PEM files. You need to start by exporting the certificate from your existing Exchange server. Make sure that this certificate is a publicly-trusted certificate (from Digicert or another SSL cert vendor) installed on your Exchange server, and that it has the public URL as the primary name and the internal FQDN as a subject alternative name. Also make sure that you export the private key along with the certificate. Once you’ve copied the exported certificate and private key (a PKCS#12 file, .pfx) to the reverse proxy server, use openssl to convert the key to PEM and the certificate to CRT. Use the following commands:


# Private key only; add -nodes to write it unencrypted, otherwise Squid needs the passphrase every time it starts
openssl pkcs12 -in webmail.myorg.com.pfx -out webmail.myorg.com.pem -nocerts
# Certificate only, no private key
openssl pkcs12 -in webmail.myorg.com.pfx -out webmail.myorg.com.crt -nokeys
