Hi, i´m trying to get squid working as reverse Proxy for Exchange 2016. Actually it works quite smooth for OWA but fails again and again when trying to connecto to the EAS Site of my Exchange. From the IIS-Logs of the mailserver i can see 401 replys two or three times and then squid sends the user credentials which results in a 200 message. When using EAS the connect (from Exchange remote connectivty analyzer) connects to the autodiscover site first – which produces about three 401´s and then to the eas-site – again about two or three 401´s. Most times after the 5th 401 reply (not authenticated) squid cuts off the Connection – is there any way to push squid to do more retries after a 401 error? Here´s my IIS-Log: 2016-02-10 13:18:56 10.89.5.3 OPTIONS /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=PBUQLXUG4EOZTNG08F3BGG&cafeReqId=f7e3c699-96b5-4e79-8a54-03334a9fe7fe; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 0 0 78 2016-02-10 13:18:56 10.89.5.3 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=LBQ9QZKE0YCFS3BZUOYG&cafeReqId=392f5e78-5272-4ed1-a062-c1706e341dbf; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 0 0 0 2016-02-10 13:19:04 10.89.5.3 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=XTSRHRKWV0ETDZKCRLXO6W&cafeReqId=684a8948-eeb9-401f-a9bf-61d2581f138f; 443 DOMAIN\test 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 200 0 0 7515 2016-02-10 13:19:05 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=POVVU5U8Z0SDIKZWQEPRNA&cafeReqId=109adc1a-93f9-4491-aadc-b615e5b7c36a; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 0 Line 390924: 2016-02-10 13:19:07 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=YDXPIAVIDEYCERPKPSRQ&cafeReqId=402020a7-2bd9-4540-9050-b6dd9e34a136; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 124 Line 390929: 2016-02-10 13:19:07 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=PTIZMVB6NUOH1AJ1MGWWA&cafeReqId=2b329cfa-a318-4102-bb5c-3a7652e84d5d; 443 DOMAIN\test 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 200 0 0 390 Line 390934: 2016-02-10 13:19:07 10.89.5.3 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=test&DeviceId=1797657923&DeviceType=TestActiveSyncConnectivity&CorrelationID=<empty>;&ClientId=QC284CQDGK2JMD9TA6X6G&cafeReqId=d9ceafa7-9767-4552-bb34-2444c6435a10; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 0 And here´s my Squid.conf: # This file is automatically generated by pfSense # Do not edit manually ! icp_port 0 dns_v4_first on pid_filename /var/run/squid/squid.pid cache_effective_user proxy cache_effective_group proxy error_default_language en icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons visible_hostname localhost cache_mgr admin@localhost access_log /var/squid/logs/access.log cache_log /var/squid/logs/cache.log cache_store_log none netdb_filename /var/squid/logs/netdb.state pinger_enable on pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger logfile_rotate 10 debug_options rotate=10 shutdown_lifetime 3 seconds forwarded_for on uri_whitespace strip acl dynamic urlpath_regex cgi-bin \? cache deny dynamic cache_mem 64 MB maximum_object_size_in_memory 256 KB memory_replacement_policy heap GDSF cache_replacement_policy heap LFUDA minimum_object_size 0 KB maximum_object_size 4 MB cache_dir ufs /var/squid/cache 100 16 256 offline_mode off cache_swap_low 90 cache_swap_high 95 cache allow all # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 #Remote proxies # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080 1025-65535 acl sslports port 443 563 8080 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object acl purge method PURGE acl connect method CONNECT # Define protocols used for redirects acl HTTP proto HTTP acl HTTPS proto HTTPS http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports # Always allow localhost connections # From 3.2 further configuration cleanups have been done to make things easier and safer. # The manager, localhost, and to_localhost ACL definitions are now built-in. # http_access allow localhost request_body_max_size 0 KB delay_pools 1 delay_class 1 2 delay_parameters 1 -1/-1 -1/-1 delay_initial_bucket_level 100 delay_access 1 allow allsrc # Reverse Proxy settings http_port 10.0.0.3:80 accel defaultsite=mail.DOMAIN.de vhost https_port 10.0.0.3:443 accel cert=/usr/pbi/squid-amd64/local/etc/squid/56b21e54ee18f.crt key=/usr/pbi/squid-amd64/local/etc/squid/56b21e54ee18f.key defaultsite=mail.DOMAIN.de vhost cache_peer 10.89.5.3 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs cache_peer 10.89.5.3 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/owa.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/exchange.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/public.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/exchweb.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/ecp.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/OAB.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/Microsoft-Server-ActiveSync.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/rpc/rpcproxy.dll.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/rpcwithcert/rpcproxy.dll.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/mapi.*$ acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/EWS.*$ acl OWA_URI_pfs url_regex -i ^http://mail.DOMAIN.de/AutoDiscover/AutoDiscover.xml acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/AutoDiscover/AutoDiscover.xml acl OWA_URI_pfs url_regex -i ^http://autodiscover.DOMAIN.de/AutoDiscover/AutoDiscover.xml acl OWA_URI_pfs url_regex -i ^https://autodiscover.DOMAIN.de/AutoDiscover/AutoDiscover.xml cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs cache_peer_access OWA_HOST_443_1_pfs deny allsrc cache_peer_access OWA_HOST_80_1_pfs deny allsrc never_direct allow OWA_URI_pfs http_access allow OWA_URI_pfs # Custom options before auth # Setup allowed ACLs # Default block all to be sure http_access deny allsrc I also tried to Change the squid.conf to a example config from the faq´s – which had the same effect as described above. Any ideas anybody? Thx for your help in advance… Greetings, Philipp |
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
