Setup Apache as a proxy server for Exchange



Your mission is to install an Exchange server in our LAN with the Web interface (also called Outlook Web Access) available on the Internet through https, without setting up Exchange in the DMZ and without an ISA server, which is way too expensive.

Now, it doesn't look really impossible... so far...

What I discovered almost immediately is that crappy Exchange always returns absolute URLs to the web client, something like http://ip.address.of.server/..., and this is a big no-no when using a proxy.

So, after a lot of screaming, cursing and RTFMing I figured it out...

First of all, it is necessary to have a clear picture of the server names involved in the game.

So let's put it like this:
192.168.1.100 is Exchange (LAN); the server name isn't really important in this case.
10.0.0.80 is the Apache proxy (DMZ), reachable from the Internet with IP x.y.z.k.

We have to decide the name that will be used to access the Web interface from the Internet; let's make it something like webmail.domain.com. Keep this in mind, because it is the cornerstone of the whole thing.

Be sure also to have registered a DNS entry that resolves the FQDN to the correct IP address: a ping webmail.domain.com should receive an answer from x.y.z.k.

NOTE: Name and IP addresses are (of course) fictional, don't use these, use your real IPs and names.

To set up Exchange for https you have to create a certificate, or a certificate request and have the real certificate signed by some external CA. Do whatever you want about it, but be really sure to use the FQDN of the web access for the certificate or request.

So, request the certificate for webmail.domain.com and not for another name (like the machine name or the IP address).

Exchange will use the name in the certificate in every HTML page and as a referral, so if you get the wrong name/URL it is a mess.

When Exchange is configured and working, try accessing the web interface from your internal network: point your browser to https://192.168.1.100/ and you should see the webmail login page.

Note the address bar of the browser: it should display something like https://192.168.1.100/....URL=https://webmail.domain.com

If it displays something else, you have a problem.

To end the test, go to a different machine, edit the file c:\winnt\system32\drivers\etc\hosts and add a line like
192.168.1.100 webmail.domain.com
and then try to access https://webmail.domain.com in the local browser; you should see the webmail login page again.

Please DON'T ask me how to create a certificate for Exchange, just read the documentation on the Microsoft support site for this.

You need to have both mod_ssl and mod_proxy compiled into Apache, as modules or statically; it doesn't really matter which.

Maybe you need to recompile Apache to have it working. See the documentation on www.apache.org or www.modssl.org.

Again, you'll have to create or request a certificate, and again you have to use the FQDN webmail.domain.com as the common name of the certificate.

Configuring Apache is a breeze: edit httpd.conf, locate the SSL part and add the following lines for the proxy:

ServerName webmail.domain.com
ProxyPass / https://webmail.domain.com/
ProxyPassReverse / https://webmail.domain.com/

Once this is done there is only one single detail missing: add in /etc/hosts a reference to webmail.domain.com so that it gets resolved to the LAN address of the machine:

192.168.1.100	webmail.domain.com

Start Apache with SSL support and check that from the proxy a ping to webmail.domain.com resolves to 192.168.1.100; be sure that the firewall allows https through to the proxy.

Now, if you've done everything correctly, you should be able to point a browser from anywhere in the world to https://webmail.domain.com and see the login page of Exchange in its full glory.

After some discussion with Scott Lowe on alt.apache.configuratio, Scott came up with this alternate solution that doesn't require https on Exchange:

# The enclosing container and the Location tags were lost when the page was
# rendered; a *:443 VirtualHost is assumed here, the three Location paths are
# the ones named in the ProxyPass targets below.
<VirtualHost *:443>
    ServerAdmin webmaster@domain.com
    ServerName webmail.domain.com
    RequestHeader set Front-End-Https "On"
    ProxyRequests Off
    ProxyPreserveHost On
    SSLEngine On
    SSLRequireSSL
    # ...more SSL directives...

    <Location /exchange>
        ProxyPass http://192.168.1.100/exchange
        ProxyPassReverse http://192.168.1.100/exchange
    </Location>

    <Location /exchweb>
        ProxyPass http://192.168.1.100/exchweb
        ProxyPassReverse http://192.168.1.100/exchweb
    </Location>

    <Location /public>
        ProxyPass http://192.168.1.100/public
        ProxyPassReverse http://192.168.1.100/public
    </Location>
</VirtualHost>


As you can see, Scott used 3 'Location' directives to proxy only the 3 directories used by Exchange. On the Exchange server it is necessary to add a line to the HOSTS file linking 'webmail.domain.com' to the same IP as Exchange, forcing Exchange to use that as its FQDN.

The RequestHeader directive is the key to the problem: it instructs Exchange to use https instead of http in its pages. ProxyPreserveHost lets the FQDN of the proxy reach Exchange in place of the Exchange server's own name.
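To make the difference between a naive proxy, the https-to-Exchange setup above and Scott's http-to-Exchange setup concrete, here is a small model of what each does to an OWA request and response. This is an added example, not Apache code and not from the article or from Scott: it simplifies OWA to "build absolute URLs from the scheme and the Host header it received", models only the directives the page discusses (ProxyPass, ProxyPassReverse, ProxyPreserveHost, RequestHeader set Front-End-Https), and uses the article's fictional names and addresses plus a constructed /etc/hosts for the proxy. The names PROXY_HOSTS, CONFIGS, parse_hosts, resolve, backend_request, owa_absolute_url, proxy_pass_reverse and simulate are all mine.

```python
# Added example (not from the article, not Apache code): a model of what the
# page's configurations do to an Outlook Web Access request/response pair.
# OWA is simplified to "scheme + Host header + path" when it emits absolute URLs.
from urllib.parse import urlsplit

PUBLIC = "https://webmail.domain.com/"

# Constructed /etc/hosts content for the proxy box (the article's entry plus noise).
PROXY_HOSTS = """\
127.0.0.1   localhost
# Exchange box, reached by its public name from the DMZ
192.168.1.100\twebmail.domain.com
"""

# The three setups: a naive proxy (what people try first), the article's
# https-to-Exchange setup, and Scott Lowe's http-to-Exchange setup.
CONFIGS = {
    "naive":   {"backend": "http://192.168.1.100/",       "preserve_host": False, "front_end_https": False},
    "article": {"backend": "https://webmail.domain.com/", "preserve_host": False, "front_end_https": False},
    "scott":   {"backend": "http://192.168.1.100/",       "preserve_host": True,  "front_end_https": True},
}


def parse_hosts(text):
    """Parse hosts(5) text into {name: ip}; comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def resolve(name, hosts_text=PROXY_HOSTS):
    """Resolution as the proxy sees it: /etc/hosts first, else public DNS (x.y.z.k stands in)."""
    return parse_hosts(hosts_text).get(name.lower(), "x.y.z.k")


def backend_request(client_headers, cfg):
    """Request side: mod_proxy rewrites Host to the backend host unless
    ProxyPreserveHost is On; RequestHeader set Front-End-Https "On" adds that header."""
    req = dict(client_headers)
    if not cfg["preserve_host"]:
        req["Host"] = urlsplit(cfg["backend"]).netloc
    if cfg["front_end_https"]:
        req["Front-End-Https"] = "On"
    return req


def owa_absolute_url(req, cfg, path):
    """Simplified OWA: absolute URLs use the Host header it received, and https
    if either the connection itself is TLS or Front-End-Https: On is present."""
    tls = urlsplit(cfg["backend"]).scheme == "https" or req.get("Front-End-Https") == "On"
    return ("https" if tls else "http") + "://" + req["Host"] + path


def proxy_pass_reverse(resp_headers, cfg):
    """ProxyPassReverse: Location/Content-Location/URI headers that start with the
    backend URL get the public prefix instead. Response bodies are not touched,
    which is why the article fixes the name Exchange uses rather than relying on this."""
    out = dict(resp_headers)
    for name in ("Location", "Content-Location", "URI"):
        value = out.get(name)
        if value and value.lower().startswith(cfg["backend"].lower()):
            out[name] = PUBLIC + value[len(cfg["backend"]):]
    return out


def simulate(config_name, path="/exchange/"):
    """Return (Host seen by Exchange, URL Exchange embeds in its HTML, Location after the proxy)."""
    cfg = CONFIGS[config_name]
    req = backend_request({"Host": "webmail.domain.com"}, cfg)
    url = owa_absolute_url(req, cfg, path)
    loc = proxy_pass_reverse({"Location": url}, cfg)["Location"]
    return req["Host"], url, loc


if __name__ == "__main__":
    print("proxy resolves webmail.domain.com to", resolve("webmail.domain.com"))
    for name in CONFIGS:
        host, body_url, loc = simulate(name)
        verdict = "OK" if body_url.startswith(PUBLIC) else "BROKEN for Internet clients"
        print(f"{name:8} Host={host:20} body URL={body_url:40} Location={loc}  {verdict}")
```

Running it shows the point of the article in one screen: with the naive setup ProxyPassReverse does repair the Location header, but the absolute URL inside the HTML body still points at 192.168.1.100, which an Internet client cannot reach; both the article's setup and Scott's make Exchange see Host: webmail.domain.com over (or believing it is over) https, so every URL it emits is already the public one and nothing needs rewriting.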

Note: I haven't tested this solution myself, so if it doesn't work for you, complain to Scott and not to me.

Gabriele di Geronimo sent this information:

This is a problem I encountered only when using Internet Explorer: after getting the login screen I get a "404" page or an "Internal Server Error".
After fiddling with the proxy and with the configuration of Exchange, it seems that the problem is due to the 'Use Windows Authentication' option in IIS on the server side. Turning it off, everything works as expected.
Since Apache doesn't report any problem, nor does IIS, I've really no idea where this problem is coming from; I found this by trial and error.



Davide Bianchi, works as Unix/Linux administrator for an hosting provider in The Netherlands.
