
Re: Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

On 19/01/2012 10:13 p.m., Isenberg, Holger wrote:
Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC over https) and Active Sync for an Exchange 2010?

Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https for Outlook Anywhere and Active Sync for Outlook mobile devices like Android and iPhone, I had some success, but problems with some Active Sync clients are still a show stopper.

RPC over https works fine with that squid version.

The problem is the very first http OPTIONS request for Active Sync which is using http Basic Authentication from an Android with TouchDown as client app. The cache.log shows the following request and response:

Mobile sending:
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com

Squid sending to IIS (Basic dGV... is the same as above):
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
Cache-Control: max-age=259200
Connection: keep-alive

IIS responding:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="webmail.domain.com"
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2012 14:38:32 GMT
Content-Length: 1344

There the connection is closed by the client. Maybe the headers added by squid are not accepted by IIS? Is there any parameter to disable adding Surrogate-Capability, Cache-Control and Connection to the forwarded request?

401 status means the header not being accepted is the "Authorization:" header.

Connection is unchanged from what was passed to Squid, just re-positioned.

Surrogate-Capability is a bit new yes, but HTTP requires ignoring unsupported headers. IIS would be incapable of performing regular HTTP traffic if it were that sensitive to unknown headers coming from clients. Weird stuff is the norm rather than the exception in HTTP.


To debug further you can try opening a connection to IIS with telnet and send variations of those headers to it cut-n-paste style. Or use the squidclient tool to tailor the request particulars.


Amos
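
The header comparison and the request variations suggested in the reply above can be prepared offline. This is an added example, not part of the original message: it diffs the two logged requests and builds one raw request per proxy-added header removed. The function names are hypothetical and the Basic credential is a constructed placeholder.

```python
import difflib
# Requests as logged in the post; the credential is replaced by a constructed placeholder.
CLIENT = """OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic PLACEHOLDER
Content-Length: 0
Host: webmail.domain.com"""
FORWARDED = """OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic PLACEHOLDER
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
Cache-Control: max-age=259200
Connection: keep-alive"""

def parse(raw):
    """Split a raw request into its request line and an ordered (name, value) list."""
    first, *rest = raw.splitlines()
    return first, [tuple(p.strip() for p in line.split(":", 1)) for line in rest]

def diff(client, forwarded):
    """Report headers the proxy added, removed, changed, or only moved (names lower-cased)."""
    c, f = ({n.lower(): v for n, v in h} for h in (client, forwarded))
    both_c, both_f = [n for n in c if n in f], [n for n in f if n in c]
    blocks = difflib.SequenceMatcher(None, both_c, both_f).get_matching_blocks()
    in_place = {both_c[b.a + i] for b in blocks for i in range(b.size)}
    return {"added": [n for n in f if n not in c], "removed": [n for n in c if n not in f],
            "changed": [n for n in both_c if c[n] != f[n]],
            "moved": [n for n in both_c if n not in in_place]}

def variants(request_line, forwarded, added):
    """Build one raw request per proxy-added header dropped, plus one with all dropped."""
    out = {}
    for drop in [{a} for a in added] + [set(added)]:
        kept = [f"{n}: {v}" for n, v in forwarded if n.lower() not in drop]
        out["without " + ", ".join(sorted(drop))] = "\r\n".join([request_line, *kept, "", ""]).encode()
    return out

if __name__ == "__main__":
    line, fwd = parse(FORWARDED)
    report = diff(parse(CLIENT)[1], fwd)
    print(report, *(f"--- {k}\n{v.decode()}" for k, v in variants(line, fwd, report["added"]).items()), sep="\n")
```

Each printed variant is a complete request ending in a blank line, so it can be pasted into a telnet session to the IIS server with the real credential substituted.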

