Solved

Proxying OWA (Exchange 2000) with Apache 2.0

Posted on 2003-03-12
1,233 Views
Last Modified: 2013-12-06
Hello Experts,

I really need your help here. This is the scenario:
I have a brand new Exchange 2000 server with OWA installed behind a firewall in the trusted internal network.
In the DMZ I have Linux Red Hat 7.2 + Apache 2.0.40 running as a web server and as a proxy server.
To communicate with OWA on the other side of the FW, I use port 8181, which is mapped to 10.0.0.3 port 80 on the internal side.

Now...
I used to be able to proxy OWA 5.5 using just

ProxyPass / http://192.168.0.1:8181/
ProxyPassReverse / http://192.168.0.1:8181/

but now this does not seem to work with OWA 2000. When I use Apache to access OWA, after the successful authentication I receive a page with two frames, but the frames are empty. This is anyway part of the page I got back:

<!--Copyright (c) 2000-2001 Microsoft Corporation.  All rights reserved.-->
<!--CURRENT FILE== "IE5" "WIN32" frameset -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=utf-8">
<HTML>
     <TITLE>Microsoft Outlook Web Access</TITLE>
     <HEAD>
          <BASE href="http://192.168.0.1/exchange/User/">
         
     </HEAD>
... etc. So why is the port missing?

I hope somebody can help me.
Thanks in Advance.
0
Question by:fromano2802
13 Comments
 
LVL 20

Expert Comment

by:Gns
ID: 8124107
Do you get the same result in both rich and reach mode? Hm, yes you do, don't you.

Not an answer, but perhaps a workaround: Don't use the 8181 PAT in the FW, but use static 192.168.0.[1,2,3,4]:80 <-> 10.0.0.3:80 through the FW instead. That way the proxy (reverse) rules don't have to handle aught but the address.

-- Glenn
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8127184
Correct me if I'm wrong, but shouldn't the
<BASE href=... contain either just "/exchange/User/" or "http://yourproxyipaddress/exchange/User/" for this to work?
Having it read href=http://192.168.0.1:8181/ won't fix things, right?

Maybe OWA thinks it lives at IP 192.168.0.1 and this actually comes from the OWA configuration?
(I know that with other web applications it's sometimes possible to alter "base" url in the configuration, just for this purpose)
On the other hand I'd expect to see http://10.0.0.3/exchange/User if that was the case!?

I've never dealt with OWA, though we have it where I work, and it can be proxied (I just tried it ;-)).. I think it's an older version though and there are no <base href in the returned HTML code as far as I've seen.

/b
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8127221
Hi!

This might give you some insight:
http://www.mail-archive.com/modssl-users@modssl.org/msg15460.html

As I understand it you cannot proxy the OWA by IP, you need to do it by FQDN (Fully Qualified Domain Name).

Regards
/Hans - Erik Skyttberg
0

Author Comment

by:fromano2802
ID: 8127898
Hi everyone,

thank you for your answers. Here are my comments to you guys.

To Gns:

I can't use port 80 on the firewall to map OWA because that port has already been used for other purposes.

To bummerlord:

In the <BASE href=... tag, I would expect to find "http://192.168.0.1:8181", but the port is missing.
Here is another question:
Is it possible to make OWA listen on a port different than 80?

To heskyttberg:

I will give the solution you propose a try, but I have the feeling that this is not a problem about IP or FQDN.

Thank you again for your help.
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8128157
fromano2802, are the clients supposed to contact 192.168.0.1 directly??
They will if href= points it out in the HTML code.
The reason for using FQDN in the solution mentioned by Erik is that external clients will resolve the FQDN to the reverse proxy IP address, and internal clients will resolve it to the internal IP... thus, to avoid having the proxy server query the internal DNS (and route to the internal network from the DMZ), the FQDN has to appear in the local hosts file as well.

So let's say you have owa.yourdomain.net as 123.123.123.123 in external DNS, you'd then "map" this IP to your proxy server (e.g. 192.168.0.2).
In your proxy server you have owa.yourdomain.net as 192.168.0.1 in the local hosts file.

It could also be that OWA assembles the <BASE href= from whatever Host: header the client (the proxy in this case) supplies in the request (big question mark here).
Worth trying though..
At least try adding the OWA FQDN name to your hosts file and write the ProxyPass and ProxyPassReverse directives with the FQDN.

/b
0
 

Author Comment

by:fromano2802
ID: 8128242
Hi bummerlord,

The problem I see here is that the name of the server hosting OWA is not visible outside my FW, the only FQDNs visible are www.mydomain.com and webmail.mydomain.com.
So, even if I specify a name for my FW (I can't connect directly to my OWA server), this won't be resolved by an external DNS.

0
 
LVL 20

Accepted Solution

by:
Gns earned 500 total points
ID: 8128525
> I can't use port 80 on the firewall to map OWA because that port has already been used for other purposes.

And you cannot add a "virtual external interface" with a separate address? webmail and www both point to the same target address, don't they?
You should at least be able to set up and test it without changing the public webmail DNS reference.
Or perhaps you only have one public IP address? In that case ... bummer (:-).

Hans-Erik's suggestion looks really unpalatable (no reflection on him), but workable.
My employer drew approximately the same conclusion as David Marshall and his crew. Personally I detest OWA and would have preferred some simpler IMAP-based solution (especially after IIS lockdown "turned off" the ability to change password "remote"). If you go with a public OWA, use SSL and some SecurID-like system (we chose RSA-ACE and SecurID).

I'll try to simulate this ... since we do have a M-Sexchange 2000, I should be able to verify its "workability".

-- glenn
0
 
LVL 6

Assisted Solution

by:bummerlord
bummerlord earned 500 total points
ID: 8129073
fromano2802, if www.mydomain.com resolves to the IP mapped to the proxy server, then you will have a problem knowing what site to proxy for. It's possible that you may have to add another A record to the external DNS (pointing out the same IP as www.mydomain.com, or you could use a CNAME) and use that name in /etc/hosts and in your Proxy directives in httpd.conf. (You'll have to use a virtual host for this other name; put the ProxyPass directives for OWA in there only.)

As Gns suggests.. use SSL for this site at least.
If you can't, then .... damn! You should! ;-)

(Remember to compile openssl from source, disable SSLv2 etc etc)

/b


/b
0
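Pulling together the suggestions made so far (the OWA FQDN in the proxy's hosts file and in the ProxyPass/ProxyPassReverse directives, a separate virtual host for the webmail name, and OWA directives only in that host), here is an added example httpd.conf fragment that is not from the thread or from any of its participants. It assumes Apache 2.0.40 on a DMZ proxy at 192.168.0.2 (an assumed address), the firewall mapping from the question, and adds ProxyPreserveHost, an Apache directive the thread itself does not mention:

```apache
# Added example (not from the thread): the webmail virtual host on the DMZ
# proxy. Assumptions: the proxy listens on 192.168.0.2, the public name is
# webmail.mydomain.com, and the firewall still maps 192.168.0.1:8181 to
# port 80 on the OWA server.
#
# /etc/hosts on the proxy, so the FQDN used in ProxyPass resolves to the
# firewall without the DMZ ever querying the internal DNS:
#   192.168.0.1   webmail.mydomain.com

NameVirtualHost 192.168.0.2:80

<VirtualHost 192.168.0.2:80>
    ServerName www.mydomain.com
    DocumentRoot /var/www/html/www       # placeholder path; no OWA rules here
</VirtualHost>

<VirtualHost 192.168.0.2:80>
    ServerName webmail.mydomain.com

    # Reverse proxy only. ProxyRequests On would turn this host into an
    # open forward proxy for the whole Internet.
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Hand the client's own Host: header (webmail.mydomain.com) to IIS
    # instead of the backend address:port, so OWA builds <BASE href> from
    # the public name. Available in Apache 2.0.31 and later.
    ProxyPreserveHost On

    # Proxy only the Exchange 2000 OWA virtual directories; nothing else on
    # the backend web server becomes reachable from outside.
    ProxyPass        /exchange http://webmail.mydomain.com:8181/exchange
    ProxyPassReverse /exchange http://webmail.mydomain.com:8181/exchange
    ProxyPass        /exchweb  http://webmail.mydomain.com:8181/exchweb
    ProxyPassReverse /exchweb  http://webmail.mydomain.com:8181/exchweb
    ProxyPass        /public   http://webmail.mydomain.com:8181/public
    ProxyPassReverse /public   http://webmail.mydomain.com:8181/public
    # ProxyPassReverse rewrites only the Location, Content-Location and URI
    # response headers, never HTML bodies, which is why it could not repair
    # the <BASE href> shown in the question.

    # Next step recommended in the thread: SSLEngine On with a certificate
    # on this virtual host (and the same proxy rules) before going public.
</VirtualHost>
```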
 
LVL 6

Expert Comment

by:bummerlord
ID: 8129083
Is that a double "/b" .. or am I drunk already?!;-)
0
 

Author Comment

by:fromano2802
ID: 8129204
Bummerlord, I have just one public IP address and www and webmail are pointing to it.
I didn't have any problem before (when I was using OWA 5.5) and I don't have any problem now proxying the requests for www and for webmail. In fact I use 2 different Virtual Hosts in my httpd.conf for that.
As you suggest, the ProxyPass directive for OWA is only in the webmail VH.
Anyway, I managed to make OWA listen on another port by adding a new Exchange HTTP Virtual Host; now I have to solve the problem of the host name returned by OWA.

SSL... well I am seriously thinking about it... but one step at a time, first I need to make OWA run the way I want. :)
0
 
LVL 6

Expert Comment

by:bummerlord
ID: 8137330
ok, webmail.yourdomain.com is for the OWA (or did I get this all wrong?)
If you add webmail.yourdomain.com to the hosts file in your proxy pointing to 192.168.0.1 and use the FQDN in your proxypass directives... does that fix the returned hostname from OWA?
/b
0
 

Expert Comment

by:CleanupPing
ID: 9087721
fromano2802:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 2

Expert Comment

by:TheWeakestLink
ID: 9288268
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:
Split points between Gns and bummerlord
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

TheWeakestLink
EE Cleanup Volunteer
0
