Sorry for top posting, but, can anyone share some knowledge regarding this?
Thanks,
Hugo Monteiro.
On 12/29/2010 12:19 PM, Hugo Monteiro wrote:
Hello list,
I've have a windows server 2008 with Exchange 2007, in a dmz, to which
i would like to access using a reverse proxy from the outside. I have
set squid as per example in
http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
Squid is version 3.1.3 from debian backports and the configuration
follows:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
cache_peer mail.example.org parent 443 0 no-query proxy-only
originserver login=PASS ssl
sslflags=DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN
connection-auth=on
acl EXCH dstdomain .webmail.example.org
cache_peer_access mail.example.org allow EXCH
cache_peer_access mail.example.org deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 80
https_port 123.123.123.123:443
cert=/etc/ssl/certs/mail.example.org.pem
key=/etc/ssl/private/mail.example.org.key
cafile=/etc/ssl/certs/cabundle.pem defaultsite=webmail.example.org
connection-auth=on
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern . 0 20% 4320
mail.example.org is the exchange server and webmail.example.org is the
squid proxy server.
squid was compiled with
--datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
--with-cppunit-basedir=/usr \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-underscores \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth="basic,digest,ntlm,negotiate" \
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM"
\
--enable-ntlm-auth-helpers="smb_lm," \
--enable-digest-auth-helpers="ldap,password" \
--enable-negotiate-auth-helpers="squid_kerb_auth" \
--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group"
\
--enable-arp-acl \
--enable-esi \
--enable-ipv6 \
--enable-ssl \
--disable-translation \
--with-logdir=/var/log/squid3 \
--with-pidfile=/var/run/squid3.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy
Access to OWA works just fine, but i'm not being able to access it
through Outlook client. The autodiscover process is working properly
and i get the first requests on the squid proxy, but then the client
isn't able to complete the account setup process. I get a recurring
auth popup in the email account setup wizard and i get the following
in squid logs:
==> /var/log/squid3/access.log <==
1293624558.829 2 231.231.231.231 TCP_MISS/401 775 POST
https://webmail.example.org/autodiscover/autodiscover.xml -
FIRST_UP_PARENT/mail.example.org text/html
1293624558.890 2 231.231.231.231 TCP_MISS/401 442 POST
https://webmail.example.org/autodiscover/autodiscover.xml -
FIRST_UP_PARENT/mail.example.org text/html
==> /var/log/squid3/cache.log <==
2010/12/29 12:09:18| statusIfComplete: Request not yet fully sent
"POST https://webmail.example/autodiscover/autodiscover.xml"
If i understood correctly TCP_MISS/401 means there was an auth
problem. I have enabled basic auth in exchange and i have tested it
using a web browser. It starts by trying to use NTLM (which has to be
enabled also) and then fallsback to basic auth and it does work.
Any help is much appreciated. Also, if someone knows of documentation
regarding this type of setup, i would be glad to check it out.
Best Regards,
Hugo Monteiro.
--
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email : hugo.monteiro@xxxxxxxxxx
Telefone : +351 212948300 Ext.15307
Web : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da
Universidade Nova de Lisboa
Quinta da Torre 2829-516 Caparica Portugal
Telefone: +351 212948596 Fax: +351 212948548
www.fct.unl.pt apoio@xxxxxxxxxx
fct.unl.pt:~# _