Koozali.org: home of the SME Server

ProxyPass for Exchange / Outlook Web Access

Offline mmccarn

ProxyPass for Exchange / Outlook Web Access
« on: February 15, 2008, 02:29:38 PM »
I have successfully configured access to Outlook Web Access on my internal Exchange 2003 server as follows (replace "a.b.c.d" with the LAN IP of your exchange server):
Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
echo '# ProxyPass Support for Internal Exchange Server
        ProxyPreserveHost On

        #OWA % character in email subject fix
        RewriteEngine On
        RewriteMap percentsubject int:escape
        RewriteCond $1 ^/exchange/.*\%.*$
        RewriteRule (/exchange/.*) ${percentsubject:$1} [P]

        #OWA
        ProxyPass /exchange https://a.b.c.d/exchange
        ProxyPassReverse /exchange https://a.b.c.d/exchange
        ProxyPass /Exchange https://a.b.c.d/exchange
        ProxyPassReverse /Exchange https://a.b.c.d/exchange
        ProxyPass /exchweb https://a.b.c.d/exchweb
        ProxyPassReverse /exchweb https://a.b.c.d/exchweb
        ProxyPass /public https://a.b.c.d/public
        ProxyPassReverse /public https://a.b.c.d/public
        ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
        ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd

        #OMA
        ProxyPass /oma https://a.b.c.d/oma
        ProxyPassReverse /oma https://a.b.c.d/oma

        #ActiveSync (for WM5+ devices)
        ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
        ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync

        #Force 'RequestHeader' in order to get IE to work
# End of Exchange settings
' > 91ProxyPassOWA
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith

I could now login to OWA at https://any.sme.domainname.com/exchange from Firefox (and presumably Opera or Safari), but I could not login using IE7.

In order to login from Internet Explorer I needed to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:
* start the Internet Information Services (IIS) Manager on the Exchange 2003 server
* Expand Web Sites
* Expand Default Web Site
* right-click on Exchange and select "Properties"
* click on the Directory Security tab
* click on the Edit button for "Authentication and access control"
* remove the check from "Integrated Windows authentication"
* Click OK
* Click OK again

(Note: no restarts were required on the Exchange server - as soon as I made the above changes I could login successfully using Internet Explorer)

References / More information:
The above information is based mostly on this post:
* http://systembash.com/content/outlook-web-access-apache-proxy/
(Note: I found the "RequestHeader" directive discussed here to be unnecessary on my SME 7.2 system)

Here is an expanded entry that includes info on Exchange 2007:
* http://www.utahsysadmin.com/2007/12/20/apache-reverseproxy-for-owa/

And here are the apache docs for mod_proxy and mod_headers:
* http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
* http://httpd.apache.org/docs/2.0/mod/mod_headers.html

Question:
How would I have done this using the existing SME proxypass directives instead of by creating a custom template fragment?  Is it possible, or is the existing SME proxypass functionality tied to virtual domains?


Offline gundar

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #2 on: April 27, 2009, 12:31:37 AM »
Hi

This works well except...

I had to add a line or two to support /owa which is the directory expected for owa to run.

and,

It works with EVERY domain hosted on the SME 7.4 server. Can you advise if there is a way to narrow it down to one publicly resolvable domain?

Many thanks, and please, when you are in the 'hood, allow me to buy you a coffee for this excellent post.

Rgds


Gund

Offline gundar

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #3 on: April 27, 2009, 02:35:06 AM »
Resolved myself with heaps of reading...

I have 7.4 with more than one virtual host that has a publicly accessible fqdn. To achieve this ISP-like setup, I built the SME server and all other servers with a fictitious domain like private.local and set up everything in the network such that it is not routable from outside. In this scenario, only the SME server is publicly accessible (and behind a WAG54GP2 router with ports 80, 443 open). I then went to DYNDNS.ORG and created an account and bought two domains for my own interests:

domainA.com
domainB.co.nz

and used the DynDNS administrator to setup cnames like:

www.domainA.com -> domainA.com
remote.domainA.com -> domainA.com
www.domainB -> domainB.co.nz

etc (you get 5 hosts per domain on a standard account). Also, note, DynDNS does not sell co.nz domains; I had to buy that from domainz.com and point the DNS to DynDNS' DNS servers. In the end, any hosts point to my static IP address the good folks at World Exchange gave me for an extra $20. I know I am not using dynamic dns, but I already had a DynDNS account, which provides redundant DNS, so it seemed easier.

Then, I set up SME server with cool add-ons like Wordpress etc. in each iBay as required such that www.domainA.com and www.domainB.co.nz go to different Wordpress blogs by default (I used the FAQ on contribs.org and the instructions on wordpress.org to set up wordpress in an iBay).

On my LAN and on a 192.168.* address (non-routable) I have an exchange server.

My requirements are to have the OWA component available from outside the LAN and a 'home office' webpage.

So, to be difficult, I want www.domainA.com to go to SME iBay and homeoffice.domainA.com to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.

This is so that I can 'hide' IIS and my Exchange behind Apache, and later, a single certificate (I have not done this yet).

To achieve this, Apache must resolve everything to iBays, as it does, except that one virtual host and its /owa directories.


1. Enable SSLProxy:
 - create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.

2. Using this thread's info as above, except, include a VirtualHosts directive for the remote domain:
 - create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass

which looks like this:


# Forward remote.domainA.com to iis.private.local

<VirtualHost 0.0.0.0:80>
 ServerName remote.domainA.com
 ProxyPass / http://iis.private.local/
 ProxyPassReverse / http://iis.private.local/
</VirtualHost>

<VirtualHost 0.0.0.0:443>
 ServerName remote.domainA.com
 ProxyPass / https://iis.private.local/
 ProxyPassReverse / https://iis.private.local/

# Preserve meta info in the http line as a resolvable request
 ProxyPreserveHost On

#OWA % character in email subject fix
 RewriteEngine On
 RewriteMap percentsubject int:escape
 RewriteCond $1 ^/exchange/.*\%.*$
 RewriteRule (/exchange/.*) ${percentsubject:$1} [P]

#OWA
 ProxyPass /exchange https://iis.private.local/exchange
 ProxyPassReverse /exchange https://iis.private.local/exchange
 ProxyPass /owa https://iis.private.local/owa
 ProxyPassReverse /owa https://iis.private.local/owa
 ProxyPass /Exchange https://iis.private.local/exchange
 ProxyPassReverse /Exchange https://iis.private.local/exchange
 ProxyPass /exchweb https://iis.private.local/exchweb
 ProxyPassReverse /exchweb https://iis.private.local/exchweb
 ProxyPass /public https://iis.private.local/public
 ProxyPassReverse /public https://iis.private.local/public
 ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
 ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd

#OMA
 ProxyPass /oma https://iis.private.local/oma
 ProxyPassReverse /oma https://iis.private.local/oma

#ActiveSync (for WM5+ devices)
 ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
 ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync

# End of Exchange settings

</VirtualHost>



where iis.private.local is the private instance of IIS, and remote.domainA.com is a publicly addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the sme server (add a hostname record with correct internal IP address). Ensure the Integrated Authentication is disabled for OWA (leave basic auth on).

3. Expand template
-  expand-template /etc/httpd/conf/httpd.conf

4. Restart the E-Smith webserver
- sv restart httpd-e-smith


Note: You can use IP addresses, but I find this cumbersome to maintain and open to error. All fqdns must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page for you except to say the site is under construction; you must create a basic webpage with a link to the owa page if you wish to have good WAF (wife acceptance factor).


Testing:

From another computer at your mates place/internet cafe, go to http://www.domainA.com, it should go to the wordpress server as you have setup. http://www.domainB.com should go to that other wordpress server as setup by yourself. If you go to any https site, it should also give you a certificate and open the respective wordpress server as setup.

But. If you go to http://remote.domainA.com or https://remote.domainA.com it should go to the IIS server and on no other address (allowing you to start selling webhosting without fear your customer stumbles onto your IIS). Next step, create a default page on IIS that has useful information for your own home office and includes links to webmail for people who cannot remember long or confusing urls etc.


Resources that matter apart from this excellent thread:

http://bugs.contribs.org/show_bug.cgi?id=1612
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass - does not work for https!
..and the usual apache doco and where would I be without Google?
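
The scoping and transport points raised so far in this thread (the first post's fragment answering on every hosted domain, the SSLProxyEngine step, and the port-80 virtual host in the reply above), shown as an added example that is not part of any poster's configuration: a small Python check that reads an httpd.conf and labels each ProxyPass rule. The function name, the finding labels and the sample config are constructed for illustration, and the check assumes a server-wide "SSLProxyEngine on" is inherited by virtual hosts.

```python
import re

# Constructed sample (not a real server's file): the server-wide fragment from the
# first post plus a cut-down copy of the per-host layout from reply #3.
SAMPLE_CONF = """\
# 91ProxyPassOWA-style fragment, outside any VirtualHost
ProxyPass /exchange https://a.b.c.d/exchange
<VirtualHost 0.0.0.0:80>
 ServerName remote.domainA.com
 ProxyPass / http://iis.private.local/
</VirtualHost>
<VirtualHost 0.0.0.0:443>
 ServerName remote.domainA.com
 ProxyPass /owa https://iis.private.local/owa
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.I)


def audit_proxy_conf(text):
    """Return (line_no, scope, path, finding) tuples for every ProxyPass rule."""
    vhost = None               # None while parsing server-wide scope
    global_ssl_proxy = False   # SSLProxyEngine seen outside any VirtualHost
    rules = []                 # (line_no, vhost dict or None, path, backend)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            vhost = {"addrs": opened.group(1).split(), "name": "?", "ssl_proxy": False}
            continue
        if VHOST_CLOSE.match(line):
            vhost = None
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "servername" and vhost is not None and len(parts) > 1:
            vhost["name"] = parts[1]
        elif key == "sslproxyengine" and len(parts) > 1:
            enabled = parts[1].lower() == "on"
            if vhost is None:
                global_ssl_proxy = enabled
            else:
                vhost["ssl_proxy"] = enabled
        elif key == "proxypass" and len(parts) >= 3:
            rules.append((no, vhost, parts[1], parts[2]))

    findings = []
    for no, vh, path, backend in rules:
        scope = "server-wide" if vh is None else vh["name"]
        if vh is None:
            # Inherited by every virtual host: the "works with EVERY domain" effect.
            findings.append((no, scope, path, "global-scope"))
        elif any(addr.endswith(":80") for addr in vh["addrs"]):
            # Logins with Basic auth would cross the Internet unencrypted.
            findings.append((no, scope, path, "cleartext-frontend"))
        target = backend.lower()
        if target.startswith("http://"):
            findings.append((no, scope, path, "cleartext-backend"))
        elif target.startswith("https://"):
            # Assumption: a server-wide "SSLProxyEngine on" is inherited by vhosts.
            if not (global_ssl_proxy or (vh is not None and vh["ssl_proxy"])):
                findings.append((no, scope, path, "https-backend-no-sslproxyengine"))
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_conf(SAMPLE_CONF):
        print("line %d [%s] %s: %s" % finding)
```

On an SME server the input would be the text of the expanded /etc/httpd/conf/httpd.conf.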

Offline mmccarn

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #4 on: April 28, 2009, 05:58:45 PM »
It sounds like it's almost time to put this into a wiki page!

Here's another interesting tid-bit:  I figured out the info in the original post because I wanted to setup a client with redundant internet connections:

Code:
ISP1    ISP2
 |       |
SME1    SME2
   \    /
  Exchange

With no customization, SME1 and SME2 will both perform spam filtering and deliver emails to the Exchange server.

With proxypass configured, Outlook Web access works from either address.

Offline gundar

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #5 on: April 28, 2009, 11:16:37 PM »
Hi

After reading the Apache docs (well, not all of them), it seems that ProxyPass is designed such that you could have one SME server:

ISP1      ISP2       ISPn
    \         |          /
     SME/ProxyPass
              |
  Exchange/Web etc

I suppose the limit to this idea above is that SME needs to be smart about how to manage multiple gateways or redundant links to maintain sessions etc. My knowledge gets a little thin here, but I assume some magic needs to take place in the SME server to load balance with compensation or awareness of the possible latency differences between links. I may just be overcomplicating this though. I ask this because I have two lines coming into my house and this is a possibility for me...

So the next question is, in this case, how do you balance domain names and traffic between two or more Internet links?

Cheers

Gund

Offline steve288

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #6 on: May 14, 2009, 07:49:57 PM »
Thanks for this info, it is extremely useful. I would like to add a few notes to help others who may be looking at this.

I tried to run it at first after having first put in my ip address for a.b.c.d and got a message about

"Bad Gateway. The proxy server received an invalid response from an upstream server."

After doing some research on this, the error seems to indicate that there is a problem between the protocol of the server and the browser/client. I realized that we don't use https in house to access our OWA Exchange server but rather http. So it was getting to the server but they could not talk.  I then took the code and changed all references from https to http and re-ran it. This time it worked fine.  Hooray!!. However I thought perhaps I should enable https now. In the past it was not an issue because we were not on the web. By the way it is my understanding that https basically encrypts the passwords and mail unlike http which sends it clear text. So potentially a person could sniff out your stream and get that data.

To do this you need to create a certificate on the exchange server. I followed these very good instructions :
www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html?
In particular follow the "Installing the Microsoft Certificate Service" topic.

Once you do this you will need to run the code listed in the first post again but this time if you didn't the first time leave all the uses of https alone just put your ip address in the a.b.c.d .

Once I did this it worked fine. IE7 by the way worked fine for me. If you have problems with IE7, close it and reopen it. Don't just open a new page.

The notes given in the first post about getting IE7 to work are right. I looked at mine and they matched the OP comments, and my IE Worked fine.

Again I hope this helps others.

Offline dws4wdr

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #7 on: May 28, 2009, 05:33:20 PM »
Great info thanks,
What about exchange settings?
1: Do I use SME as my GW?
2: Do I need to tell exchange that SME is a smart host?
3: In this configuration does SME still filter and virus scan all incoming mail?

I know this isn't a MS board but ya'll have got this working already. Thanks
David

Offline gundar

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #8 on: May 28, 2009, 11:10:09 PM »
Hi

Without knowing what your setup is, I will try to answer as best as possible - I am using Exchange 2007 on Windows 2003R2 and SME7.4

1: Do I use SME as my GW?

Technically, no. Since the comms are now between the SME server and Exchange, and not between the client and Exchange, there is no need for routing of packets outside of the network, except from the SME server and the Internet. All the reading I have done on this suggests that the Exchange server now no longer requires a gateway and this was a big security bonus for me. Sadly, it would not work without one and I made the gateway the SME server (which does route and this should be tested). I had no certificate problems reported by other users and I just get a cert warning when I connect to OWA. Exchange is a default install (next, next, next...) except that I had to specify that Exchange must receive email from SME in an unsecured way - Hub Transport - Receiver Rule, find default rule, check authentication, it is TLS/SSL by default, ADD 'anonymous', I recall - Check this first and be sure of the security risks!

2: Do I need to tell exchange that SME is a smart host?

If you wish. This part is not about web access as much as it is about SMTP services and whether or not Exchange can resolve the domain it is sending the email to. With Exchange you can have direct send to Internet with its own DNS resolution mechanism or you can use SME as a smart host; for whichever mechanism you choose, be sure the server of your choice can see the internet on port 25TCP and port 52UDP and TCP for domain resolution and packets can come in on 25TCP.

If you send all mail from Exchange directly, then the server running Exchange needs Internet access, ditto for SME.

I use SME as smart host, remember to enable SMTP proxy from the server-manager and make sure the ports and routing work as described. This way I use the logs on the SME server if things won't work as expected. I further had email problems as I am on a residential plan, so in server-manager, I added the SMTP information for my ISP. So Email from Exchange goes to the SME server, then to the ISP SMTP server then gets delivered (more often than not).

You can use Telnet and Tracert utilities in Windows to test access and functionality, there are similar tools for Linux (SME) that work the same way and give the same feedback.

3: In this configuration does SME still filter and virus scan all incoming mail?

Only if SMTP proxy is being used. Search in the documentation, it is not long and the section that covers this is not extensive.

I know this isn't a MS board but ya'll have got this working already. Thanks

No worries, glad to help.



Gund
« Last Edit: May 28, 2009, 11:11:49 PM by gundar »

Offline mmccarn

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #9 on: May 29, 2009, 03:50:28 PM »
Quote from: dws4wdr
Great info thanks,
What about exchange settings?
1: Do I use SME as my GW?
2: Do I need to tell exchange that SME is a smart host?
3: In this configuration does SME still filter and virus scan all incoming mail?

I know this isn't a MS board but ya'll have got this working already. Thanks

I would reply that this 'ProxyPass' how-to is unrelated to the 3 questions you are asking.

1) You can use your SME as the gateway for your Exchange server, or not. 

Since 'ProxyPass' re-sources each web request at the SME server, it allows access to internal web servers that do NOT use the SME as their default gateway. 

I use this to provide backup webmail access for clients with two internet connections - the primary SME (which is the default gateway for LAN clients) is configured to forward web traffic directly to the Exchange server, the secondary SME (using a different ISP) uses ProxyPass to pass web requests to the Exchange server.

2) You can set the SME as the smarthost for your Exchange server, or not.

I don't; I allow my Exchange server to deliver email directly using MX records, and I don't have the SMTP proxy enabled on the primary SME server.

3) You can configure your MX record settings to pass in-bound email through your SME server, then configure the SME server to filter spam and viruses, or not.

In the above dual-ISP scenario, I have both SME servers configured to forward emails to the Exchange box, with primary and backup MX records configured accordingly.  If either ISP goes down, email still flows...

Nothing in any of the instructions in this discussion affects any of these items...

Quote from: gundar
3: In this configuration does SME still filter and virus scan all incoming mail?

Only if SMTP proxy is being used. Search in the documentation, it is not long and the section that covers this is not extensive.
I would correct this to say:
  • only if your MX record directs email to the SME server
  • and the SME server is configured to direct incoming email to the Exchange server
  • and the SME server is configured to filter spam and viruses

The SME SMTP proxy is used to filter and control outbound SMTP traffic.

Offline raem

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #10 on: January 16, 2012, 08:43:50 PM »
mmccarn, gundar and all

Quote
Wouldn't this (http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass) be the proper place?

Based on various forum posts I have updated
http://wiki.contribs.org/SME_Server:Documentation:FAQ#Proxy_Pass

Can people check the accuracy of what I have done.

There may be some corrections, layout improvements and additional information needed.

I don't use Exchange or OWA so am less familiar with the subject matter covered.
I added the content as best as I saw it was necessary or needed, there is other stuff in this forum thread that may need to be added. Would more knowledgeable people on the use of Exchange with SME please review my FAQ additions and correct or update or add to them as necessary. Thanks.
At least this useful info is in the FAQ now, rather than hiding in forum posts.
...

Offline gundar

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #11 on: January 16, 2012, 08:55:26 PM »
Hi. I posted here over two years ago, so beware the info may not cover later versions of Exchange.

Also, I was unsuccessful in getting permission to post to the Wiki (I sent more than one application with no response at all) and have since moved on. SME is a great product, but I think that more people should be allowed to contribute or it will just die.

Offline raem

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #12 on: January 16, 2012, 09:17:32 PM »
gundar

Quote
I posted here over two years ago, so beware the info may not cover later versions of Exchange.

That's partly why I asked others to review the ProxyPass wiki article changes I made.


Quote
Also, I was unsuccessful in getting permission to post to the Wiki (I sent more than one application with no response at all) and have since moved on. SME is a great product, but I think that more people should be allowed to contribute or it will just die.

I don't know why that is or was, but I see you are currently shown as a member of the Wiki & Docs team, so you DO have access to the wiki to change and edit FAQs and other articles etc.
Maybe at the time the requests went astray and perhaps you did not notice when you were given wiki access status. I think the procedure was changed about 2 years or so ago. We are all volunteers so you have to be tolerant of that fact, none of us is perfect and for most of us our time commitment to SME server work is limited.

AFAIK anybody is free to contribute, it may have simply been an administrative issue that stopped you from getting immediate Wiki edit access. You have it now so please come back and feel free to contribute. I have been involved for nearly 12 years now since SME 3.x and seen many bumps and hurdles along the way with the "organisation", but through all that SME continues on and is still a very good product worth using and being involved with. There is no sign of it dying in my opinion, despite what some less than positive critics have said over the years (I'm not referring to you). Progress may be slow, some may say steady, but that is only because more or enough people do not contribute, whereas they are free to contribute whenever they want.

If at first you don't succeed then try try again.

IIRC your login name and password should be the same as for your Forum access.
« Last Edit: January 16, 2012, 09:19:05 PM by raem »
...

Offline kuludown

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #13 on: February 01, 2012, 02:18:50 AM »
I have gotten this working with Exchange 2010 for those interested... just let me know and I will post my config.

Offline janet

Re: ProxyPass for Exchange / Outlook Web Access
« Reply #14 on: February 01, 2012, 02:27:07 AM »
kuludown

Please request wiki edit status ie to become a member of the Wiki & Docs Team
look in your Forum profile under Group membership

and add your findings to
http://wiki.contribs.org/SME_Server:Documentation:FAQ#ProxyPass_for_Exchange_Outlook_Web_Access

Thanks
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.