We help IT Professionals succeed at work.
Get Started
Help with reverse-proxy Apache OWA setup
All,
I am working on hiding an Exchange server within the internal network and using a Linux system within the DMZ to process incoming webmail requests in a reverse-proxy setup.
Currently the Exchange server (2003) is setup with a Verisign certificate to provide https:// access to OWA. The firewall only allows 443 (https) and 25 (smtp) access to this system.
I have been looking over the following two links as a guide to this process.
http://3cx.org/nucleus/plugins/print/print.php?itemid=46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/
My reverse-proxy setup is a Linux server / Apache 2, with the webserver's configuration handled within a Virtual Hosts file (instead of in the main body of the conf file).
As I am going through this I am faced with the following questions.
1.) Currently to access OWA one would type in https:// followed by the external address of the OWA server. In the case of the ProxyPass and ReverseProxyPass statements in the articles - why http:// instead of https:// Is it the RequestHeader directive to set Front-End-Https "On" that takes care of this?
2.) Currently the Exchange server has it's Verisign certificate running on the IIS server to provide secure web traffic. It appears in these articles that the proxy server now controls the Verisign certificate and the internal OWA server is returned to http:// - no certificate - Is this correct? Am I having the current web certificate regenerated to work under an Apache server instead of IIS?
3.) Could you please check my Virtual Hosts config vs. ones you've seen work and let me know if any changes need to be made?
This is a very important project that I need to have up soon!!!
Below is the current configuration of my Virtual Hosts file on the Exchange server (with actual names disguised):
#
# Virtual Hosts
#
# Using name-based virtual hosting.
#
##########################
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# Using mod_rewrite to fix a problem when percent symbols are in
# the subject line of the OWA email (the email subject is used
# in the web query). The entire URI is passed to a small
# bash script that replaces all occurrences of the % symbol
# with the URI escape sequence (%25). That seems to make everything
# happy.
#
SSLProxyEngine on
ProxyPreserveHost on
RewriteEngine On
RewriteMap damnpercent prg:/usr/local/bin/percent
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
ProxyRequests Off
#
<VirtualHost *:443>
DocumentRoot /usr/local/apache2/htdocs/
RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On
ErrorLog logs/interceptor.mydomain.
CustomLog logs/interceptor.mydomain.
SSLEngine On
SSLCertificateFile /usr/local/apache2/webmail
<Location /exchange>
ProxyPass http://mail.mydomain.com/exchange
ProxyPassReverse http://mail.mydomain.com/exchange
SSLRequireSSL
</Location>
<Location /exchweb>
ProxyPass http://mail.mydomain.com/exchweb
ProxyPassReverse http://mail.mydomain.com/exchweb
SSLRequireSSL
</Location>
<Location /public>
ProxyPass http://mail.mydomain.com/public
ProxyPassReverse http://mail.mydomain.com/public
SSLRequireSSL
</Location>
<Location /iisadmpwd>
ProxyPass http://mail.mydomain.com/iisadmpwd
ProxyPassReverse http://mail.mydomain.com/iisadmpwd
SSLRequireSSL
</Location>
CacheDisable *
</VirtualHost>
##########################
I am working on hiding an Exchange server within the internal network and using a Linux system within the DMZ to process incoming webmail requests in a reverse-proxy setup.
Currently the Exchange server (2003) is setup with a Verisign certificate to provide https:// access to OWA. The firewall only allows 443 (https) and 25 (smtp) access to this system.
I have been looking over the following two links as a guide to this process.
http://3cx.org/nucleus/plugins/print/print.php?itemid=46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/
My reverse-proxy setup is a Linux server / Apache 2, with the webserver's configuration handled within a Virtual Hosts file (instead of in the main body of the conf file).
As I am going through this I am faced with the following questions.
1.) Currently to access OWA one would type in https:// followed by the external address of the OWA server. In the case of the ProxyPass and ReverseProxyPass statements in the articles - why http:// instead of https:// Is it the RequestHeader directive to set Front-End-Https "On" that takes care of this?
2.) Currently the Exchange server has it's Verisign certificate running on the IIS server to provide secure web traffic. It appears in these articles that the proxy server now controls the Verisign certificate and the internal OWA server is returned to http:// - no certificate - Is this correct? Am I having the current web certificate regenerated to work under an Apache server instead of IIS?
3.) Could you please check my Virtual Hosts config vs. ones you've seen work and let me know if any changes need to be made?
This is a very important project that I need to have up soon!!!
Below is the current configuration of my Virtual Hosts file on the Exchange server (with actual names disguised):
#
# Virtual Hosts
#
# Using name-based virtual hosting.
#
##########################
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# Using mod_rewrite to fix a problem when percent symbols are in
# the subject line of the OWA email (the email subject is used
# in the web query). The entire URI is passed to a small
# bash script that replaces all occurrences of the % symbol
# with the URI escape sequence (%25). That seems to make everything
# happy.
#
SSLProxyEngine on
ProxyPreserveHost on
RewriteEngine On
RewriteMap damnpercent prg:/usr/local/bin/percent
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
ProxyRequests Off
#
<VirtualHost *:443>
DocumentRoot /usr/local/apache2/htdocs/
RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On
ErrorLog logs/interceptor.mydomain.
CustomLog logs/interceptor.mydomain.
SSLEngine On
SSLCertificateFile /usr/local/apache2/webmail
<Location /exchange>
ProxyPass http://mail.mydomain.com/exchange
ProxyPassReverse http://mail.mydomain.com/exchange
SSLRequireSSL
</Location>
<Location /exchweb>
ProxyPass http://mail.mydomain.com/exchweb
ProxyPassReverse http://mail.mydomain.com/exchweb
SSLRequireSSL
</Location>
<Location /public>
ProxyPass http://mail.mydomain.com/public
ProxyPassReverse http://mail.mydomain.com/public
SSLRequireSSL
</Location>
<Location /iisadmpwd>
ProxyPass http://mail.mydomain.com/iisadmpwd
ProxyPassReverse http://mail.mydomain.com/iisadmpwd
SSLRequireSSL
</Location>
CacheDisable *
</VirtualHost>
##########################
Why Experts Exchange?
Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.
Jim Murphy
Programmer at Smart IT Solutions
When asked, what has been your best career decision?
Deciding to stick with EE.
Mohamed Asif
Technical Department Head
Being involved with EE helped me to grow personally and professionally.
Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question
Connect with Certified Experts to gain insight and support on specific technology challenges including:
- Troubleshooting
- Research
- Professional Opinions
Did You Know?
We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE