
Help with reverse-proxy Apache OWA setup

verance asked
Last Modified: 2012-08-14
All,

I am working on hiding an Exchange server within the internal network and using a Linux system within the DMZ to process incoming webmail requests in a reverse-proxy setup.

Currently the Exchange server (2003) is set up with a Verisign certificate to provide https:// access to OWA. The firewall only allows 443 (https) and 25 (smtp) access to this system.

I have been looking over the following two links as a guide to this process.
http://3cx.org/nucleus/plugins/print/print.php?itemid=46
http://blog.scottlowe.org/2005/12/03/protecting-owa-with-apache/

My reverse-proxy setup is a Linux server / Apache 2, with the webserver's configuration handled within a Virtual Hosts file (instead of in the main body of the conf file).

As I am going through this, I am faced with the following questions.
1.) Currently, to access OWA one would type in https:// followed by the external address of the OWA server. In the case of the ProxyPass and ReverseProxyPass statements in the articles - why http:// instead of https://? Is it the RequestHeader directive to set Front-End-Https "On" that takes care of this?

2.) Currently the Exchange server has its Verisign certificate running on the IIS server to provide secure web traffic. It appears in these articles that the proxy server now controls the Verisign certificate and the internal OWA server is returned to http:// - no certificate - Is this correct? Am I having the current web certificate regenerated to work under an Apache server instead of IIS?

3.) Could you please check my Virtual Hosts config vs. ones you've seen work and let me know if any changes need to be made?


This is a very important project that I need to have up soon!!!


Below is the current configuration of my Virtual Hosts file on the Exchange server (with actual names disguised):

#
# Virtual Hosts
#
# Using name-based virtual hosting.
#
#######################################################################
#
NameVirtualHost *:80
NameVirtualHost *:443
#
# Using mod_rewrite to fix a problem when percent symbols are in
# the subject line of the OWA email (the email subject is used
# in the web query). The entire URI is passed to a small
# bash script that replaces all occurrences of the % symbol
# with the URI escape sequence (%25). That seems to make everything
# happy.
#
SSLProxyEngine on
ProxyPreserveHost on
RewriteEngine On
RewriteMap damnpercent prg:/usr/local/bin/percent_rewrite
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${damnpercent:$1} [P]
ProxyRequests Off
#
<VirtualHost *:443>
    DocumentRoot /usr/local/apache2/htdocs/webmail_proxy/
    RequestHeader set Front-End-Https "On"
    ProxyRequests Off
    ProxyPreserveHost On
    ErrorLog logs/interceptor.mydomain.com-error_log
    CustomLog logs/interceptor.mydomain.com-access_log common

    SSLEngine On
    SSLCertificateFile /usr/local/apache2/webmail-proxy/proxy-cert.pem

    <Location /exchange>
        ProxyPass http://mail.mydomain.com/exchange
        ProxyPassReverse http://mail.mydomain.com/exchange
        SSLRequireSSL
    </Location>

    <Location /exchweb>
        ProxyPass http://mail.mydomain.com/exchweb
        ProxyPassReverse http://mail.mydomain.com/exchweb
        SSLRequireSSL
    </Location>

    <Location /public>
        ProxyPass http://mail.mydomain.com/public
        ProxyPassReverse http://mail.mydomain.com/public
        SSLRequireSSL
    </Location>

    <Location /iisadmpwd>
        ProxyPass http://mail.mydomain.com/iisadmpwd
        ProxyPassReverse http://mail.mydomain.com/iisadmpwd
        SSLRequireSSL
    </Location>

    CacheDisable *

</VirtualHost>

###############################################################################
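A mechanical consistency check for proxy mappings laid out like the virtual host posted above, added here as an example and not part of the original question or of any answer. It assumes each `ProxyPass`/`ProxyPassReverse` sits inside a `<Location>` block with only the backend URL as its argument; the function names `directives` and `audit` and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the style of the vhost above; "publik" is a deliberate typo.
SAMPLE = """\
<VirtualHost *:443>
    <Location /exchange>
        ProxyPass http://mail.mydomain.com/exchange
        ProxyPassReverse http://mail.mydomain.com/exchange
        SSLRequireSSL
    </Location>
    <Location /public>
        ProxyPass http://mail.mydomain.com/public
        ProxyPassReverse http://mail.mydomain.com/publik
    </Location>
</VirtualHost>
"""

LOCATION_RE = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> list of argument strings."""
    found = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        found.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(conf):
    """Return (location, finding) pairs for each <Location> block in conf."""
    findings = []
    for path, body in LOCATION_RE.findall(conf):
        d = directives(body)
        fwd = d.get("proxypass", [None])[0]
        rev = d.get("proxypassreverse", [None])[0]
        if fwd is None:
            findings.append((path, "no ProxyPass"))
            continue
        if rev != fwd:
            findings.append((path, "ProxyPassReverse does not match ProxyPass"))
        if fwd.lower().startswith("http://"):
            findings.append((path, "backend hop is cleartext http"))
        if "sslrequiressl" not in d:
            findings.append((path, "SSLRequireSSL missing"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

The cleartext finding is informational: it marks every mapping where TLS ends at the proxy and the request continues to the internal server over plain HTTP.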