Setup Apache as a proxy server for Exchange
by Davide Bianchi
How to set up Apache as a proxy for Microsoft Exchange

Good morning Mr. Phelps
Your mission is to install an Exchange server in our LAN with the Web interface (also called Outlook Web Access) available on the Internet through https, without setting up Exchange in the DMZ and without ISA server, which is way too expensive.

Now, it doesn't look really impossible... so far... What I discovered almost immediately is that that crappy Exchange always returns absolute URLs to the web client, something like http://ip.address.of.server/..., and this is a big no-no for using a proxy. So, after a lot of screaming, cursing and RTFMing I figured it out...

First things first: decide the names
First of all, it is necessary to have a clear picture of the server names involved in the game. So let's put it like this:

We have to decide the name that will be used to access the Web interface from the Internet; let's make it something like webmail.domain.com. Keep this in mind, because it is the cornerstone of the whole thing. Be sure also to have registered a DNS entry that resolves the FQDN to the correct IP address, so that doing a ping webmail.domain.com I should receive an answer from x.y.z.k.

NOTE: Names and IP addresses are (of course) fictional; don't use these, use your real IPs and names.

Setup Exchange for https
To set up Exchange for https you have to create a certificate, or a request for a certificate, and have the real certificate signed by some external CA. Do whatever you want about it, but be really sure to use the FQDN of the web access for the certificate or request. So, request the certificate for webmail.domain.com and not for another name (like the machine name or the IP address). Exchange will use the name in the certificate in every HTML page and as a referral, so if you get the wrong name/URL it is a mess.

When Exchange is configured and working, try accessing the web interface from your internal network: point your browser to https://192.168.1.100/ and you should see the webmail login page. Note the address bar of the browser; it should display something like https://192.168.1.100/....URL=https://webmail.domain.com If it displays something else, you have a problem.

To end the test, go to a different machine, edit the file c:\winnt\system32\drivers\etc\hosts and add a line like

Please DON'T ask me how to create a certificate for Exchange, just read the documentation on the Microsoft support site for this.

Setting up Apache for https and proxy
You need to have both mod_ssl and mod_proxy compiled into Apache; as a module or static, it doesn't really matter. You may need to recompile Apache to get this working. See the documentation on www.apache.org or www.modssl.org. Again, you'll have to create or request a certificate, and again you have to use the FQDN webmail.domain.com as the common name of the certificate.

Setup Apache as a proxy
Configuring Apache is a breeze: edit httpd.conf, locate the SSL part and add the following lines for the proxy:

Once this is done, there is only one detail missing: add to /etc/hosts a reference to webmail.domain.com so that it gets resolved to the LAN address of the machine:

192.168.1.100 webmail.domain.com
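
The httpd.conf lines this step refers to are missing from this copy of the page. The following is an added sketch of such an SSL virtual host, not the author's original configuration: the certificate paths are placeholders, and the SSLProxy* verification directives assume Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http loaded.

```apache
<VirtualHost _default_:443>
    ServerName webmail.domain.com

    # TLS towards Internet clients, using the certificate issued for the
    # public FQDN (placeholder paths)
    SSLEngine on
    SSLCertificateFile    /path/to/webmail.domain.com.crt
    SSLCertificateKeyFile /path/to/webmail.domain.com.key

    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off

    # TLS towards Exchange. On the proxy, the /etc/hosts entry makes
    # webmail.domain.com resolve to the LAN address 192.168.1.100, so the
    # name Apache connects to matches the name in the Exchange certificate.
    SSLProxyEngine on
    # Verify the Exchange certificate against the CA that signed it
    # (placeholder path) and check that it was issued for the backend name
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/ca-that-signed-exchange-cert.pem
    SSLProxyCheckPeerName on

    # Forward everything and rewrite Location headers in responses
    ProxyPass        / https://webmail.domain.com/
    ProxyPassReverse / https://webmail.domain.com/
</VirtualHost>
```

Because Exchange emits absolute URLs built from the certificate name, keeping the same FQDN on both sides of the proxy is what lets the pages work without rewriting their content.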

Test the whole contraption
Start Apache with SSL support and check that, from the proxy, a ping to webmail.domain.com resolves to 192.168.1.100. Be sure that the firewall allows https to pass to the proxy. Now, if you've done everything correctly, you should be able to point a browser from anywhere in the world to https://webmail.domain.com and see the login page of Exchange in its full glory.

Update
After some discussion with Scott Lowe on alt.apache.configuration, Scott came up with this alternate solution that doesn't require https on Exchange:

As you can see, Scott used 3 'Location' directives to proxy only the 3 directories used by Exchange. On the Exchange server it is necessary to add a line to the HOSTS file to link 'webmail.domain.com' to the same IP as Exchange, forcing Exchange to use that as its FQDN. The RequestHeader directive is the key to the problem: it instructs Exchange to use https instead of http in its pages. ProxyPreserveHost allows us to use the FQDN of the proxy in place of that of the Exchange server.

Note: I haven't tested this solution myself, so if it doesn't work for you complain to Scott and not to me.
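
Scott's configuration itself is missing from this copy of the page. The following is an added sketch of what the description above amounts to, not Scott's original lines: the three directory names and the Front-End-Https header name are assumptions based on how Outlook Web Access is commonly published, and the certificate paths are placeholders.

```apache
<VirtualHost _default_:443>
    ServerName webmail.domain.com

    # TLS ends at Apache (placeholder paths)
    SSLEngine on
    SSLCertificateFile    /path/to/webmail.domain.com.crt
    SSLCertificateKeyFile /path/to/webmail.domain.com.key

    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off

    # Pass the client's Host header (webmail.domain.com) on to Exchange
    ProxyPreserveHost On

    # Tell Exchange the client side is https so it writes https:// URLs
    # (assumed header name; requires mod_headers)
    RequestHeader set Front-End-Https "On"

    # Only the directories Exchange uses are reachable through the proxy
    # (assumed names); everything else on the IIS server stays unexposed
    <Location /exchange>
        ProxyPass        http://192.168.1.100/exchange
        ProxyPassReverse http://192.168.1.100/exchange
    </Location>
    <Location /exchweb>
        ProxyPass        http://192.168.1.100/exchweb
        ProxyPassReverse http://192.168.1.100/exchweb
    </Location>
    <Location /public>
        ProxyPass        http://192.168.1.100/public
        ProxyPassReverse http://192.168.1.100/public
    </Location>
</VirtualHost>
```

In this variant the hop from the proxy to Exchange is plain http, so mailbox credentials and message content cross the LAN segment between the two machines unencrypted; the first setup keeps that hop inside TLS.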

Update (2)
Gabriele di Geronimo sent this information:

This is a problem I encountered only using Internet Explorer: after getting the login screen I get a "404" page or an "Internal Server Error". After fiddling in the proxy and in the configuration of Exchange, it seems that the problem is due to the 'Use Windows Authentication' option in IIS on the server side. Turning it off, everything works as expected. Since Apache doesn't return any problem, nor does IIS, I've no idea really where this problem is coming from; I've found this by trial and error.

Author

Davide Bianchi works as Unix/Linux administrator for a "network security" company of Haarlem. Contacts: mail: davide AT onlyforfun.net, ICQ: 268751033, Jabber: davideyeahsure AT gmail.com, Skype: davideyahsure

Copyright: This site is made by me with blood, sweat and gunpowder; if you want to republish or redistribute any part of it, please drop me (or the author of the article if it is not me) a mail.
Last Update: 04/12/2008