Topic: Running Exchange 2003 behind SME Server

[subby]

This is a big problem. We are running an Exchange Server within our network and everything works find with that. The problem we are having is getting the Outlook Web Access feature of Exchange 2003 to work properly. The problem is of course we need to use ProxyPass for this to work.
Here is the setup I am trying to run
http://www.website.com/mail ProxyPass -> http://192.168.x.xxx/exchange

The problem is, I have read that ProxyPreservePost On needs to be enabled, but the version of Apache with our SME server does not support this and I have no idea how to re-compile Apache without doing damage.

Without the ProxyPreserveHost, when the OWA loads, the browser tries to resolve the 192.168.x.xxx which is fine if I'm on the Intranet, but outside, this is useless.

I am willing to have something like
http://mail.website.com ProxyPass -> http://mail.website.com

work, but again, I have no idea on how to get this to work. I have modified the hosts file to include mail as an entry which points to the Exchange server, but any outside access doesn't see the http://mail.website.com

Any help would be greatly appreciated,

Thanks
Mathew

[ryan]

subby,

I run SME and IPCop as firewalls/routers with AD2003 and Exchange 2003 on the LAN.  Due to SME providing service on ports 80 and 443, OWA traffic can't simply be forwarded by SME.  Also, the SSL cert for SME is not the one you will have installed on IIS (assuming your using only https for OWA) adding another "issue" to your problem.

I use IPCOP to forward both 80 & 443 for OWA and RPC over HTTP.  IPCop is strictly a router, it can pass 80/443.  My ISP connection allows 12 useable IP addresses, so SME and IPCop have their own IP addresses.  If you have only a single internet IP address, SME can be configured to use the DMZ orange network from IPCop as it's internet connection...of course this means some port forwarding will be needed from IPCOP Red to SME orange, but it allows for both to function together.  Your LAN would then have 2 gateways, as both IPCop and SME would have a LAN nic.  Use policy to configure clients to use the correct proxy/gateway.

hope that helps

ryan

[bluepolo]

can't see why you would have Exchange behind SME. Presumably SMTP mail inbound fails as well? So Exchange gets no external email, or I guess you can just use SME as a relay. as the other poster says IPcop would do that job much better.

I guess you could move SME HTTPS from 443 to somewhere else and port forward 443

[subby]

Exchange works to receive mail since all you have to do is Port Forward port 25 to the Exchange server. Problem is using the OWA feature Exchange has, but I will look into the above possibility posted by ryan.

[ryan]

bluepolo,

SME is used to filter all inbound email on port 25.  ClamAV scans for viruses and RBL DNS blacklists block spam.  Surviving messages are then forwarded to Exchange 2003.  This setup is duplicated on another SME providing backup MX/mail.  If you have exchange on the internet, how do you avoid the spam that will go straight to your backup MX record?  A second exchange server?  Using SME is effective, reliable, and affordable.  SME also is pptp server, ftp server, and proxy server with squidguard and sarg.  

I do not have a single Microsoft box on the internet and plan to keep it that way unless I have no other choice..but then I would likely use the IPCop DMZ rather than the internet.

Exchange is used as my users are in AD and are addicted to the public folders and global address book.  

ryan

[bluepolo]

ryan, your answer shows a more complex setup than I envisaged from the OP message!

I guess you are using SME as a front end server (for email), so you could just change the https port on SME and thus leave 443 to port forward?

Or you could change IIS / SSL from 443 to something else? This would mean users having to type server:port/exchange, or you could create a custom front page for your https SME site that did the a red-direction for you?

I think!

[bluepolo]

just checked on my w2k3/exchange box, and you can easily change the SSL port, so if 443 is available on your SME, then create a web page which has a redirect to a new port and the correct virtual directory, then port forwrd this new SSL port.

BP

[ryan]

I use native 80/443 for OWA and RPC over HTTP requests, SME is not involved with these incoming port requests.  80/443 are port forwarded from the IPCop to exchange 2003.  For the users ease of use, they connect to OWA by entering "advsmail.azdvs.gov"  which is the default site on exchnage 2k3 IIS.  I have a meta header redirect in the default iisstart.htm file that redirects to:  https://advsmail.azdvs.gov/exchange which forces a ssl connection without having to put the 's' on http and the /exchange on the address.

So when a user connects, they actually connect through IPCop twice.  

Note:  this address will not work on the LAN if SME is the proxy since SME thinks it is azdvs.gov and has no record of 'advsmail'.  My AD DNS uses the ISP DNS for a forwarder, not SME.

My users know to accept the untrusted ssl cert warning they see when using OWA.  I created the certificate for exchange on SME rather than purchasing one from a trusted root ssl vendor.  The only reason https is needed is to protect clear text passwords, which is my requirement, not the end user.

The SME server only deals with incoming mail as it is the primary MX for the domain.  This is unrelated to  OWA pass thru access provided by IPCop.  

make sense?  I'm not sure after reading it..but submitting now anyway....

ryan

[KelvinLee]

I have no trouble port forwarding HTTPS to Exchange for OWA (have done so for many sites). As the SME servers don't have anything on them requiring HTTPS, I simply port forward 443 to the Exchange Server for OWA.

Kelvin

[bluepolo]

I have no trouble port forwarding HTTPS to Exchange for OWA (have done so for many sites). As the SME servers don't have anything on them requiring HTTPS, I simply port forward 443 to the Exchange Server for OWA.

Kelvin

Hoe do you connect to server manager? Does it not require SSL?

--Note to self: check 6.5RC1--

[KelvinLee]

Hoe do you connect to server manager?

http://smeservername/server-manager

For remote sites, VPN in first then same as above.

Kelvin