On 08/07/11 01:25, Sidnei Moreira wrote:
Hi,
I have searched the archive for a case like mine and could not find
any help, so I would like to post my actual issue.
I have an Exchange 2010 server, configured to respond with a
self-signed certificate to internal computers on our LAN.
I have a public certificate from a trusted CA which does not include
my internal domain, and for a couple of reasons I can't add this local
internal domain to that public certificate.
So whenever an internal Outlook client tries to connect internally,
Exchange keeps saying that the certificates are not the same.
On the external side, I can't connect to the OWA site without the
'site is not trusted' message popping up in the browser.
I read about the Squid reverse proxy feature, which receives connections
from the outside world using a public trusted certificate and passes them
on to the Exchange server.
I guess this could solve my problem, as I would not need to add the
public certificate to the Exchange server, but only to the Squid
server.
It solves your problem in much the same way that turning certificate
validation OFF would: with a great reduction in security.
I think you want to make Exchange accept your self-signing CA used to
sign the internal domains, so that it trusts clients contacting it
with internal certificates.
From the wiki page I copied the following configuration into my
squid.conf file and adapted it. I am using Squid version 3.0.STABLE1.
Please don't. 3.0.STABLE1 has an enormously long list of bugs and
security vulnerabilities. If you must use 3.0 at all, please be sure it
is the final release of that series.
Also be aware that recent releases of MS software are starting to
require HTTP/1.1 features more.
########################## START OF REVERSE PROXY CONFIG
SOURCE: http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
##########
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port <my-squid-server-internal-ip>:443 cert=/var/crt/my-public-domain-trusted-certificate.p7s defaultsite=my-public-domain.com
cache_peer <my-exchange-server-internal-ip> parent 443 0 no-query originserver login=PASS ssl sslcert=/var/crt/my-self-signed-exchange-certificate.pfx name=exchangeServer
acl EXCH dstdomain .rpc_domain_name
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
########################## END OF REVERSE PROXY CONFIG
But I am getting this error when restarting Squid:
2011/07/07 08:39:18| parseConfigFile: 'squid.conf' line 90 unrecognized: 'https_port <my-squid-server-internal-ip>:443 cert=/var/crt/my-public-domain-trusted-certificate.p7s defaultsite=my-public-domain.com'
2011/07/07 08:39:18| parse_peer: token='ssl'
FATAL: Bungled squid.conf line 91: cache_peer <my-exchange-server-internal-ip> parent 443 0 no-query originserver login=PASS ssl sslcert=/var/crt/my-self-signed-exchange-certificate.pfx name=exchangeServer
Squid Cache (Version 3.0.STABLE1): Terminated abnormally.
3.0.STABLE1 is too old to support the 'ssl' parameter.
Squid also does not support the proprietary PFX format. Convert it to
the PEM format instead.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.14
Beta testers wanted for 3.2.0.9
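As an added example, not part of this thread or of the Squid wiki page quoted in it, here is the same reverse-proxy fragment once both certificates are in PEM form and the proxy actually validates the Exchange server's certificate instead of accepting whatever answers on that address. The syntax follows the Squid 3.1 series Amos points to in his signature; the file names, the internal CA bundle and the angle-bracket placeholders are assumptions.

```conf
# Added example, not from the original post or the Squid wiki.
# Assumptions: Squid 3.1 syntax, certificates already converted to PEM
# (see the openssl commands below), <...> are placeholders to fill in.

extension_methods RPC_IN_DATA RPC_OUT_DATA

# Public side: the CA-issued certificate and its private key, both PEM.
# 'accel' marks reverse-proxy (accelerator) mode explicitly.
https_port <my-squid-server-internal-ip>:443 accel cert=/var/crt/my-public-domain-trusted-certificate.pem key=/var/crt/my-public-domain-trusted-certificate.key defaultsite=my-public-domain.com

# Internal side, WEAK variant (what many copied examples use): the peer
# certificate is never checked, so anything that can answer on
# <my-exchange-server-internal-ip>:443 receives the users' credentials.
#cache_peer <my-exchange-server-internal-ip> parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer

# Internal side, corrected: verify the Exchange certificate against the
# internal (self-signed) CA that issued it, and require the name in that
# certificate to match the name Squid expects.
cache_peer <my-exchange-server-internal-ip> parent 443 0 no-query originserver login=PASS ssl sslcafile=/var/crt/internal-ca.pem ssldomain=<exchange-fqdn-as-in-its-certificate> name=exchangeServer

acl EXCH dstdomain .rpc_domain_name
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
```

Squid reads cert=, key=, sslcafile= and sslcert= with OpenSSL's PEM loaders, so neither a .pfx nor a .p7s file will do as they are. A PKCS#12 file holds both halves and is split with `openssl pkcs12 -in exchange.pfx -nokeys -out exchange.pem` and `openssl pkcs12 -in exchange.pfx -nocerts -nodes -out exchange.key`; a .p7s (PKCS#7) bundle holds certificates only, extracted with `openssl pkcs7 -print_certs -in public.p7s -out public.pem` (add `-inform DER` if the file is binary), and the matching private key has to come from wherever the CSR was generated. Note that the original post's sslcert= on cache_peer presents Squid's own client certificate to Exchange; it does nothing to check Exchange's certificate, which is what sslcafile= and ssldomain= are for and what Amos's objection to "just put it on the Squid box" is about.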