fromano2802 asked:

Proxying OWA (Exchange 2000) with Apache 2.0

Hello Experts,

I really need your help here. This is the scenario:
I have a brand new exchange 2000 server with installed OWA behind a firewall in the trusted internal network.
In the DMZ I have linux Red Hat 7.2 + Apache 2.0.40 running as a web server and as proxy server.
To communicate with OWA on the other side of the FW, I use the port 8181 that is mapped to 10.0.0.3 port 80 in the internal side.

Now...
I used to be able to proxy OWA 5.5 using just

ProxyPass / http://192.168.0.1:8181/
ProxyPassReverse / http://192.168.0.1:8181/

but now this does not seem to work with OWA 2000. When I use Apache to access OWA, after the successful authentication I receive a page with two frames, but the frames are empty. This is, anyway, part of the page I got back:

<!--Copyright (c) 2000-2001 Microsoft Corporation.  All rights reserved.-->
<!--CURRENT FILE== "IE5" "WIN32" frameset -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8">
<HTML>
     <TITLE>Microsoft Outlook Web Access</TITLE>
     <HEAD>
          <BASE href="http://192.168.0.1/exchange/User/">
         
     </HEAD>
... etc. So why is the port missing?

I hope somebody can help me.
Thanks in Advance.
Gns

Do you get the same result in both rich and reach mode? Hm, yes you do, don't you.

Not an answer, but perhaps a workaround: Don't use the 8181 PAT in the FW, but use static 192.168.0.[1,2,3,4]:80 <-> 10.0.0.3:80 through the FW instead. That way the proxy (reverse) rules don't have to handle aught but the address.

-- Glenn
Correct me if I'm wrong, but shouldn't the
<BASE href=... contain either just "/exchange/User/" or "http://yourproxyipaddress/exchange/User/" for this to work?
Having it read href=http://192.168.0.1:8181/ won't fix things, right?

Maybe OWA thinks it lives at IP 192.168.0.1 and this actually comes from the OWA configuration?
(I know that with other web applications it's sometimes possible to alter "base" url in the configuration, just for this purpose)
On the other hand I'd expect to see http://10.0.0.3/exchange/User if that was the case!?

I've never dealt with OWA, though we have it where I work, and it allows itself to be proxied (I just tried it ;-)). I think it's an older version though, and there is no <base href in the returned HTML code as far as I've seen.

/b
Hi!

This might give you some insight:
http://www.mail-archive.com/modssl-users@modssl.org/msg15460.html

As I understand it you cannot proxy the OWA by IP; you need to do it by FQDN (Fully Qualified Domain Name).

Regards
/Hans - Erik Skyttberg
fromano2802 (asker):

Hi everyone,

thank you for your answers. Here are my comments to you guys.

To Gns:

I can't use port 80 on the firewall to map OWA because that port has already been used for other purposes.

To bummerlord:

In the <BASE href=... tag, I would expect to find "http://192.168.0.1:8181", but the port is missing.
Here is another question:
Is it possible to make OWA listen to a port different than 80?

To heskyttberg:

I will give a try to the solution you propose, but I have the feeling that this is not a problem about IP or FQDN.

Thank you again for your help.
fromano2802, are the clients supposed to contact 192.168.0.1 directly??
They will if href= points it out in the HTML code.
The reason for using the FQDN in the solution mentioned by Erik is that external clients will resolve the FQDN to the reverse proxy IP address, and internal clients will resolve it to the internal IP... thus, to avoid having the proxy server query the internal DNS (and route to the internal network from the DMZ), the FQDN has to appear in the local hosts file as well.

So let's say you have owa.yourdomain.net as 123.123.123.123 in external DNS; you'd then "map" this IP to your proxy server (e.g. 192.168.0.2).
In your proxy server you have owa.yourdomain.net as 192.168.0.1 in the local hosts file.

It could also be that OWA assembles the <BASE href= from whatever Host: header the client (the proxy in this case) supplies in the request (big question mark here).
Worth trying though..
At least try adding the OWA FQDN name to your hosts file and write the ProxyPass and ProxyPassReverse directives with the FQDN.

/b
Hi bummerlord,

The problem I see here is that the name of the server hosting OWA is not visible outside my FW, the only FQDNs visible are www.mydomain.com and webmail.mydomain.com.
So, even if I specify a name for my FW (I can't connect directly to my OWA server), this won't be resolved by an external DNS.

ASKER CERTIFIED SOLUTION
Gns

SOLUTION
Is that a double "/b"... or am I drunk already?! ;-)
Bummerlord, I have just one public IP address and www and webmail are pointing to it.
I didn't have any problem before (when I was using OWA 5.5) and I don't have any problem now proxying the requests for www and for webmail. In fact I use 2 different Virtual Hosts in my httpd.conf for that.
As you suggest the proxypass directive for owa is only in the webmail VH.
Anyway, I managed to make OWA listen on another port by adding a new Exchange HTTP Virtual Host; now I have to solve the problem of the host name returned by OWA.

SSL... well, I am seriously thinking about it... but one step at a time; first I need to make OWA run the way I want. :)
OK, webmail.yourdomain.com is for the OWA (or did I get this all wrong?)
If you add webmail.yourdomain.com to the hosts file in your proxy pointing to 192.168.0.1 and use the FQDN in your proxypass directives... does that fix the returned hostname from OWA?
/b
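A webmail virtual host written the way bummerlord proposes (OWA FQDN in the proxy's hosts file, FQDN rather than IP in the ProxyPass directives, Host: header passed through so the backend can build its BASE href from the public name). This is an added example, not configuration from any post in the thread; webmail.mydomain.com, 192.168.0.1, port 8181 and the /exchange/ path come from the thread, the module paths, the www document root and the second virtual host are assumed. Whether OWA 2000 actually derives its BASE href from Host: is the open question above, so this is the configuration to test that hypothesis with, not a confirmed fix.

```apache
# /etc/hosts on the DMZ proxy (assumed path): the OWA name resolves to the
# firewall-side address, so the proxy never has to query the internal DNS.
#   192.168.0.1   webmail.mydomain.com

# httpd.conf fragment, Apache 2.0.x; module paths are assumed.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

NameVirtualHost *:80

# Plain site, no proxying at all in this vhost.
<VirtualHost *:80>
    ServerName   www.mydomain.com
    DocumentRoot /var/www/html
</VirtualHost>

# OWA front end: the only vhost that carries ProxyPass directives.
<VirtualHost *:80>
    ServerName webmail.mydomain.com

    # Reverse proxy only. With ProxyRequests On this DMZ host would also
    # act as an open forward proxy for anyone on the Internet.
    ProxyRequests Off

    # Send the client's Host: (webmail.mydomain.com) to the backend instead
    # of the backend address, so a backend that builds absolute URLs from
    # Host: emits the public name. Directive exists since Apache 2.0.31.
    ProxyPreserveHost On

    # Name on both sides; the name resolves through /etc/hosts above and the
    # firewall maps 192.168.0.1:8181 to the Exchange server's port 80.
    ProxyPass        / http://webmail.mydomain.com:8181/
    ProxyPassReverse / http://webmail.mydomain.com:8181/

    # ProxyPassReverse rewrites only the Location, Content-Location and URI
    # response headers. It never edits the HTML body, so a <BASE href> naming
    # the wrong host or port has to be fixed on the backend side (Host:
    # header or the Exchange HTTP virtual server settings), not here.

    CustomLog logs/webmail_access_log combined
    ErrorLog  logs/webmail_error_log
</VirtualHost>
```

After reloading, check the result with the proxy's own logs and by fetching the frameset through webmail.mydomain.com and reading the BASE href in the returned HTML; if it still names 192.168.0.1, the backend is not using Host: and the name has to be set on the Exchange side.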
fromano2802:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split points between Gns and bummerlord
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

TheWeakestLink
EE Cleanup Volunteer