Re: Exchange reverse proxy

Sorry for top posting, but can anyone share some knowledge regarding this?

Thanks,

Hugo Monteiro.


On 12/29/2010 12:19 PM, Hugo Monteiro wrote:
Hello list,

I have a Windows Server 2008 with Exchange 2007 in a DMZ, which I would like to access from the outside using a reverse proxy. I have set up squid as per the example in

http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

Squid is version 3.1.3 from Debian backports and the configuration follows:

# Cache-manager and loopback ACLs
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
# Exchange origin server, reached over TLS. login=PASS forwards the client's
# own credentials unchanged; connection-auth=on lets NTLM/Negotiate (connection
# based) auth be passed through to this peer. Note that DONT_VERIFY_PEER and
# DONT_VERIFY_DOMAIN disable verification of the Exchange server's certificate.
cache_peer mail.example.org parent 443 0 no-query proxy-only originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN connection-auth=on
# Only requests for the published name are routed to the Exchange peer
acl EXCH dstdomain .webmail.example.org
cache_peer_access mail.example.org allow EXCH
cache_peer_access mail.example.org deny all
never_direct allow EXCH
# http_access is first-match. EXCH requests are allowed here and everything
# else hits the "deny all" directly below, so none of the http_access lines
# further down (manager, Safe_ports, CONNECT, localhost) is ever reached.
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
# Listeners: plain port 80, and the public TLS listener that presents the
# webmail.example.org certificate and accepts connection-based auth
http_port 80
https_port 123.123.123.123:443 cert=/etc/ssl/certs/mail.example.org.pem key=/etc/ssl/private/mail.example.org.key cafile=/etc/ssl/certs/cabundle.pem defaultsite=webmail.example.org connection-auth=on
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern .               0       20%     4320


mail.example.org is the Exchange server and webmail.example.org is the squid proxy server.

Squid was compiled with:

--datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
--with-cppunit-basedir=/usr \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-underscores \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth="basic,digest,ntlm,negotiate" \
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM" \
--enable-ntlm-auth-helpers="smb_lm," \
--enable-digest-auth-helpers="ldap,password" \
--enable-negotiate-auth-helpers="squid_kerb_auth" \
--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
--enable-arp-acl \
--enable-esi \
--enable-ipv6 \
--enable-ssl \
--disable-translation \
--with-logdir=/var/log/squid3 \
--with-pidfile=/var/run/squid3.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy


Access to OWA works just fine, but I'm not able to access it through the Outlook client. The autodiscover process is working properly and I get the first requests on the squid proxy, but then the client isn't able to complete the account setup process. I get a recurring auth popup in the email account setup wizard, and I get the following in the squid logs:

==> /var/log/squid3/access.log <==
1293624558.829      2 231.231.231.231 TCP_MISS/401 775 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624558.890      2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html

==> /var/log/squid3/cache.log <==
2010/12/29 12:09:18| statusIfComplete: Request not yet fully sent "POST https://webmail.example/autodiscover/autodiscover.xml";

If I understood correctly, TCP_MISS/401 means there was an auth problem. I have enabled basic auth in Exchange and I have tested it using a web browser. It starts by trying to use NTLM (which has to be enabled also) and then falls back to basic auth, and it does work.


Any help is much appreciated. Also, if someone knows of documentation regarding this type of setup, I would be glad to check it out.

Best Regards,

Hugo Monteiro.



--
fct.unl.pt:~# cat .signature

Hugo Monteiro
Email	 : hugo.monteiro@xxxxxxxxxx
Phone    : +351 212948300 Ext.15307
Web      : http://hmonteiro.net

Divisão de Informática
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Phone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio@xxxxxxxxxx

fct.unl.pt:~# _
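
The symptom in the post (the same client POSTing autodiscover.xml and getting 401 after 401 while the wizard re-prompts) is easy to pick out of Squid's native access.log once you parse it. The following is an added example from the editor, not code from the post or from the Squid project: it parses the native log format, tracks runs of consecutive 401s per (client, URL) pair, and reports pairs that never got past the challenge. The first two sample lines are the ones quoted in the post; the remaining lines, the client IP 198.51.100.7, the user name and the threshold of two 401s in a row are all constructed assumptions.

```python
"""Detect auth loops (repeated 401s with no success) in Squid native access.log.

Squid's default log format, one request per line:
  timestamp elapsed client code/status bytes method URL user hierarchy/peer type
"""
from collections import defaultdict
from dataclasses import dataclass

# The first two lines are the ones quoted in the post (obfuscated IPs and
# hostnames as posted). The last three are constructed: a third 401 for the
# same client, then a normal Basic challenge-then-success against OWA from
# another (made-up) client 198.51.100.7.
SAMPLE_LOG = """\
1293624558.829      2 231.231.231.231 TCP_MISS/401 775 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624558.890      2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624559.012      3 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624560.100      5 198.51.100.7 TCP_MISS/401 775 GET https://webmail.example.org/owa/ - FIRST_UP_PARENT/mail.example.org text/html
1293624560.350     40 198.51.100.7 TCP_MISS/200 8123 GET https://webmail.example.org/owa/ user1 FIRST_UP_PARENT/mail.example.org text/html
"""


@dataclass
class Entry:
    ts: float
    client: str
    status: int
    method: str
    url: str


def parse_line(line):
    """Parse one native-format line; return None for anything malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts, _elapsed, client, code_status, _bytes, method, url = fields[:7]
    try:
        status = int(code_status.rsplit("/", 1)[1])
        return Entry(float(ts), client, status, method, url)
    except (IndexError, ValueError):
        return None


def find_auth_loops(log_text, min_401=2):
    """Return {(client, url): n} for pairs whose latest run of consecutive
    401 responses is at least min_401 long, i.e. the client kept being
    challenged and never produced an accepted credential."""
    runs = defaultdict(int)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        key = (e.client, e.url)
        if e.status == 401:
            runs[key] += 1
        elif 200 <= e.status < 400:
            runs[key] = 0  # challenge was answered; the run is over
    return {k: n for k, n in runs.items() if n >= min_401}


if __name__ == "__main__":
    for (client, url), n in find_auth_loops(SAMPLE_LOG).items():
        print(f"{client} stuck on {url}: {n} consecutive 401s")
```

Run it against a real access.log with `find_auth_loops(open("/var/log/squid3/access.log").read())`; the OWA client in the sample is not reported because its 401 was followed by a 200, which is what a working NTLM-to-Basic fallback looks like in the log. The constructed third 401 only raises the count for the Outlook client; the two lines from the post alone already exceed the threshold.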


