All,
I am working on hiding an Exchange server within the internal network and using a Linux system within the DMZ to process incoming webmail requests in a reverse-proxy setup.
Currently the Exchange server (2003) is set up with a Verisign certificate to provide https:// access to OWA. The firewall only allows 443 (https) and 25 (smtp) access to this system.
I have been looking over the following two links as a guide to this process.
http://3cx.org/nucleus/plugins/print/print.php?itemid=46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/
My reverse-proxy setup is a Linux server / Apache 2, with the webserver's configuration handled within a Virtual Hosts file (instead of in the main body of the conf file).
As I am going through this I am faced with the following questions.
1.) Currently to access OWA one would type in https:// followed by the external address of the OWA server. In the case of the ProxyPass and ProxyPassReverse statements in the articles - why http:// instead of https://? Is it the RequestHeader directive to set Front-End-Https "On" that takes care of this?
2.) Currently the Exchange server has its Verisign certificate running on the IIS server to provide secure web traffic. It appears in these articles that the proxy server now controls the Verisign certificate and the internal OWA server is returned to http:// - no certificate. Is this correct? Am I having the current web certificate regenerated to work under an Apache server instead of IIS?
3.) Could you please check my Virtual Hosts config vs. ones you've seen work and let me know if any changes need to be made?
This is a very important project that I need to have up soon!!!
Below is the current configuration of my Virtual Hosts file on the Exchange server (with actual names disguised):
#
# Virtual Hosts
#
# Using name-based virtual hosting.
#
############################################################
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# Using mod_rewrite to fix a problem when percent symbols are in
# the subject line of the OWA email (the email subject is used
# in the web query). The entire URI is passed to a small
# bash script that replaces all occurrences of the % symbol
# with the URI escape sequence (%25). That seems to make everything
# happy.
#
SSLProxyEngine on
ProxyPreserveHost on
RewriteEngine On
RewriteMap damnpercent prg:/usr/local/bin/percent_rewrite
RewriteCond $1 ^/exchange/.*\%.*$
# [P] hands the substitution straight to mod_proxy, so the script must
# return a complete URL (http://host/...), not only the rewritten path.
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
ProxyRequests Off
#
#
<VirtualHost *:443>
DocumentRoot /usr/local/apache2/htdocs/webmail_proxy/
# Tells OWA 2003 that the client side is HTTPS so it builds https:// links
# (requires mod_headers)
RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On
ErrorLog logs/interceptor.mydomain.com-error_log
CustomLog logs/interceptor.mydomain.com-access_log common
SSLEngine On
# The private key must either be bundled in proxy-cert.pem or be given
# separately with SSLCertificateKeyFile
SSLCertificateFile /usr/local/apache2/webmail-proxy/proxy-cert.pem
<Location /exchange>
ProxyPass http://mail.mydomain.com/exchange
ProxyPassReverse http://mail.mydomain.com/exchange
SSLRequireSSL
</Location>
<Location /exchweb>
ProxyPass http://mail.mydomain.com/exchweb
ProxyPassReverse http://mail.mydomain.com/exchweb
SSLRequireSSL
</Location>
<Location /public>
ProxyPass http://mail.mydomain.com/public
ProxyPassReverse http://mail.mydomain.com/public
SSLRequireSSL
</Location>
<Location /iisadmpwd>
ProxyPass http://mail.mydomain.com/iisadmpwd
ProxyPassReverse http://mail.mydomain.com/iisadmpwd
SSLRequireSSL
</Location>
CacheDisable *
</VirtualHost>
############################################################
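The following is an added example, not part of the original post or of the two linked articles: the same reverse-proxy vhost with the proxy-to-Exchange hop re-encrypted instead of sent as plain http://, which is the point the questions about ProxyPass and the certificate are circling. In the original layout the Verisign certificate moves to Apache and the DMZ-to-LAN leg carries OWA logins in the clear; keeping HTTPS on IIS as well and having Apache verify that certificate closes that gap. The hostnames, the CA file name and the key file name are assumptions for illustration.

```apache
# Added example (not the poster's config): hardened webmail reverse proxy.
# Assumed names: interceptor.mydomain.com (proxy), mail.mydomain.com (Exchange),
# internal-ca.pem (CA that signed the IIS certificate), proxy-key.pem (private key).
NameVirtualHost *:443

# Allow Apache to open TLS connections to the backend and insist that the
# Exchange certificate chains to our internal CA. SSLProxyVerify checks the
# chain only; hostname matching (SSLProxyCheckPeerCN/SSLProxyCheckPeerName)
# needs the newer 2.4-era directives.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /usr/local/apache2/webmail-proxy/internal-ca.pem

<VirtualHost *:443>
    ServerName interceptor.mydomain.com
    DocumentRoot /usr/local/apache2/htdocs/webmail_proxy/

    # Public-facing Verisign certificate lives here now; give the key explicitly
    # rather than relying on it being bundled into the .pem.
    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/webmail-proxy/proxy-cert.pem
    SSLCertificateKeyFile /usr/local/apache2/webmail-proxy/proxy-key.pem

    # Reverse proxy only; never act as a forward proxy for the Internet.
    ProxyRequests Off
    ProxyPreserveHost On

    # Still tell OWA 2003 the client is on HTTPS (mod_headers); harmless now
    # that the backend leg is HTTPS too, and keeps generated links correct.
    RequestHeader set Front-End-Https "On"

    # Weak (original) form - credentials cross the DMZ/LAN boundary in clear:
    #   ProxyPass        http://mail.mydomain.com/exchange
    #   ProxyPassReverse http://mail.mydomain.com/exchange
    # Hardened form - end-to-end TLS, backend cert verified against internal-ca.pem:
    <Location /exchange>
        ProxyPass        https://mail.mydomain.com/exchange
        ProxyPassReverse https://mail.mydomain.com/exchange
    </Location>
    <Location /exchweb>
        ProxyPass        https://mail.mydomain.com/exchweb
        ProxyPassReverse https://mail.mydomain.com/exchweb
    </Location>
    <Location /public>
        ProxyPass        https://mail.mydomain.com/public
        ProxyPassReverse https://mail.mydomain.com/public
    </Location>
    # Only expose the IIS password-change application if users actually need it.
    <Location /iisadmpwd>
        ProxyPass        https://mail.mydomain.com/iisadmpwd
        ProxyPassReverse https://mail.mydomain.com/iisadmpwd
    </Location>

    ErrorLog  logs/interceptor.mydomain.com-error_log
    CustomLog logs/interceptor.mydomain.com-access_log common
</VirtualHost>
```

With this layout the answer to questions 1 and 2 is "both": the Verisign certificate is installed on Apache for the browser-facing side, and IIS keeps its own (internally issued) certificate so the ProxyPass targets can stay https://. SSLRequireSSL is dropped because every Location is already inside a vhost that only listens with SSLEngine on. Check the backend verification before going live by pointing SSLProxyCACertificateFile at the wrong CA and confirming the proxy returns a 502 rather than silently passing traffic.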