pramod1
asked on
squid proxy, active sync, autodiscover, exchange 2007
I am posting the result from when I was testing ActiveSync through testexchangeconnectivity.com.
How can I solve the problem?
The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
Testing HTTP Authentication Methods for URL https://mail2.mydomain.com/Microsoft-Server-ActiveSync/.
The HTTP authentication test failed.
We have an existing URL, mail.mydomain.com/Microsoft-Server-ActiveSync, which is working fine.
We built a new squid 3.3 and are trying to use mail2.mydomain.com for ActiveSync, which is failing.
Additional Details
A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown. HTTP Response Headers: Mime-Version: 1.0 X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71 Vary: Accept-Language Content-Language: en X-Cache: MISS from mail2.mydomain.com X-Cache-Lookup: MISS from mail2.mydomain.com:5080 Connection: keep-alive Content-Length: 3860 Content-Type: text/html Date: Fri, 20 May 2016 11:16:17 GMT Server: squid
Elapsed Time: 307 ms.
I am getting the below error in the squid proxy logs.
In the cache.log: "fwdNegotiateSSL: Error negotiate SSL connection on FD 14: error:14090086:SSL routine:SSL3 routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify (1/-1/0)"
Double check your proxy configuration dealing with the connection to the ActiveSync backend.
If your squid proxies, make sure you either add the CA that signed the internal host certificate, or make sure you remap/tag the certificate presented to match the host you are sending through.
See whether your prior config used a rewrite or remapped requests for mail2.yourdomain.com to mail2.yourdomain.lan.
You might/could disable the cert verification within squid...
Your internal certificate is the cause of the failure.
Content-Length: 4100
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71
<div id="sysmsg">
<p>The system returned:</p>
<blockquote id="data">
<pre>(71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)</pre>
<p>Certificate does not match domainname: /C=US/ST=PA/L=******/O=**********, Inc./OU=Information Technology/CN=ex2k7dc1.yourdomain-mail.lan</p>
</blockquote>
</div>
Your internal certificate is the cause of the failure.
ASKER
see whether your prior config used a rewrite or remapped requests for mail2.yourdomain.com to mail2.yourdomain.lan
Meaning mail.yourdomain.com to mail2.yourdomain.com? Because mail.yourdomain.com is working fine on squid 2.6.
ASKER
What is mail2.yourdomain.com to mail2.yourdomain.lan?
Look at the error: squid gets an invalid certificate, which is why it generates the error.
Certificate does not match domainname: /C=US/ST=PA/L=******/O=**********, Inc./OU=Information Technology/CN=ex2k7dc1.*****-mail.lan
ASKER
where do you see this
ASKER
Certificate does not match domainname: /C=US/ST=PA/L=*******/O=**********, Inc./OU=Information Technology/CN=ex2k7dc1.*****-mail.lan - where do you see this?
ASKER
ok got it
ASKER
but if I disable the cert, it won't work
When you define the forward rule in squid.conf for this, make sure it is directed to the correct URL, or update the self-generated certificate with a SAN (Subject Alternative Name) that includes both mail2.yourdomain.com and ex2k7dc1.yourdomain-mail.lan. At this point the certificate will match both the external and the internal hostname depending on the access...
ASKER
The certificate I have is a wildcard certificate which is on squid 2.6; I copied it along with the private key to the new squid 3.3 config. So is there any way I can check whether the cert includes both mail2.yourdomain.com and ex2k7dc1.*****-mail.lan?
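As an added illustration (not code from the thread), the following shows the hostname-matching rule that a verifying proxy like squid applies to the upstream certificate, and why a wildcard for the public domain cannot cover the internal CN ex2k7dc1.yourdomain-mail.lan. The hostnames are the placeholder names used in the thread; `names_from_pem` assumes the openssl CLI is on PATH and is the way to answer the asker's "how can I check the cert" question.

```python
"""Hostname matching for X.509 certificates, added example for the thread above.
Explains SQUID_X509_V_ERR_DOMAIN_MISMATCH: squid connected to a name the upstream
certificate did not cover. Names below are the thread's placeholders."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' must be the entire leftmost label, it covers
    exactly one label, and it never matches the bare parent domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:      # reject 'mail*' and '*.com'
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(hostname: str, san_dns: List[str], cn: Optional[str]) -> bool:
    """When the certificate carries SAN dNSName entries, only those count;
    the CN is consulted only for legacy certificates without a SAN."""
    names = san_dns if san_dns else ([cn] if cn else [])
    return any(name_matches(n, hostname) for n in names)


def names_from_pem(path: str) -> Tuple[List[str], Optional[str]]:
    """Extract SAN dNSName entries and the CN from a PEM certificate via the
    openssl CLI (assumed available; '-ext' needs OpenSSL 1.1.1 or later).
    This helper is not exercised by the self-test below."""
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-subject", "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True).stdout
    san = re.findall(r"DNS:([^,\s]+)", out)
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", out)
    return san, (cn.group(1).strip() if cn else None)


# Constructed scenario mirroring the thread (placeholder names, not real data).
WILDCARD_CERT = (["*.mydomain.com"], "*.mydomain.com")          # cert installed on squid
INTERNAL_CERT: Tuple[List[str], Optional[str]] = ([], "ex2k7dc1.yourdomain-mail.lan")  # Exchange/IIS cert, CN only
FIXED_CERT = (["mail2.mydomain.com", "ex2k7dc1.yourdomain-mail.lan"],
              "ex2k7dc1.yourdomain-mail.lan")                   # cert with the SAN the expert suggested


def check_thread_scenario() -> Dict[str, bool]:
    """Each leg of the connection, evaluated with the rule above."""
    return {
        # Browser/phone to squid: the wildcard covers the public name.
        "client_to_squid": cert_covers("mail2.mydomain.com", *WILDCARD_CERT),
        # Squid to Exchange using the public name: CN-only internal cert -> mismatch.
        "squid_to_exchange_public_name": cert_covers("mail2.mydomain.com", *INTERNAL_CERT),
        # Squid to Exchange using the internal name: matches the CN.
        "squid_to_exchange_internal_name": cert_covers("ex2k7dc1.yourdomain-mail.lan", *INTERNAL_CERT),
        # The wildcard cert cannot be reused for the .lan backend name.
        "wildcard_covers_internal_name": cert_covers("ex2k7dc1.yourdomain-mail.lan", *WILDCARD_CERT),
        # After reissuing the backend cert with both SAN entries.
        "after_san_fix": cert_covers("mail2.mydomain.com", *FIXED_CERT),
    }


if __name__ == "__main__":
    for leg, ok in check_thread_scenario().items():
        print(f"{leg}: {'OK' if ok else 'DOMAIN MISMATCH'}")
```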
ASKER CERTIFIED SOLUTION
(This solution is only available to members of Experts Exchange.)
ASKER
ok I am closing the question as of now I will reopen if required.
ASKER
We made some changes in the squid config file and it works, but unlike mail.mydomain.com/owa (on squid 2.6), which shows in the URL, the new one opens and shows the exchange server name/owa instead, but works fine.
So what could be the difference? Where is it pulling the cert from?
Check whether your 2.6 uses URL rewrite.
Without seeing the config, you are asking me to try and guess what might be affecting this behavior.
Look at the 2.6 visible_hostname directive and see if the same is defined in the 3.3 setup/config.
ASKER
You mean I should put mail.mydomain.com, as I have put mail2.mydomain.com in visible_hostname?
As it is pulling the server name URL and connecting.
Without seeing what your current configuration on the 3.3 version is, I am just guessing that you might have missed one of the settings that you have in the 2.6 config that does not relay the response from the proxied system (the exchange server) back out to the user requesting access.
try the following
using openssl s_client -connect publicIP:443
once the connection is established
issue the
HEAD https://mail2.yourdomain.com/OWA HTTP/1.1
Host:
Referer:
See what you get in the response. HTTP HEAD request will only reflect the response header.
Change it to GET and you will get both the HTTP header information as well as the contents/data from the resource to which the request was proxied.
It seems to trigger a connection renegotiation.
Test the same against the existing squid 2.6 and see the behavior, and then run the same with the 3.3 setup.
Your 3.3 config includes forward proxy parameters in addition to reverse proxy settings.
Can you check your squid.log file to see whether the requests are being connected or proxied.
Compare the log entries between the two versions.
ASKER
where did you see can you just highlight, I would appreciate
ASKER
I don't see forward proxy parameters in addition to reverse proxy settings anywhere.
I am really sorry; if you can point it out.
You have it listening on port 3128.
You have SAFE_PORTS, CONNECT, etc. defined.
http_access allow localnet
etc.
You need to make your 3.3 look as close as possible as your 2.6
Look at the squid.log to see whether squid sees the router as the source of the request .....
ASKER
When I type mail2.mydomain.com, the login comes fine, taking the exchange server name.
When I type mail2.mydomain.com/owa (manually adding owa), the login comes fine with the default name mail2.mydomain.com/owa in the browser, so I need to manually add owa in the browser.
This happens in IE.
In Chrome I need to manually add https:// and then the login comes fine with mail2.mydomain.com/owa.
I don't know what I am missing in the new config; in the old 2.6 config I just type mail.mydomain.com and it works fine, no need to add owa in the browser.
ASKER
Below is the result from testexchangeconnectivity.com
Testing HTTP Authentication Methods for URL https://mail2.mydomain.com/Microsoft-Server-ActiveSync/.
The HTTP authentication methods are correct.
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic
HTTP Response Headers:
X-Frame-Options: SAMEORIGIN
X-Cache: MISS from mail2.mydomain.com
X-Cache-Lookup: MISS from mail2.mydomain.com:80
Connection: keep-alive
Content-Length: 1293
Content-Type: text/html
Date: Tue, 24 May 2016 19:54:56 GMT
Server: Microsoft-IIS/7.0
WWW-Authenticate: Basic realm="mail2.mydomain.com"
Elapsed Time: 292 ms.
An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.
Additional Details
Elapsed Time: 115 ms.
Test Steps
Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"> <fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
HTTP Response Headers:
X-Frame-Options: SAMEORIGIN
X-Cache: MISS from mail2.mydomain.com
X-Cache-Lookup: MISS from mail2.mydomain.com:80
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Content-Type: text/html
Date: Tue, 24 May 2016 19:54:56 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
Elapsed Time: 115 ms.
Your best bet to see what is going on is to look through the squid logs to see what request is being seen and what response is being sent.
Are the two squid instances pointing to the same exchange/owa setup?
check IIS logs to see what you see there.
Looking at the front end of the request is not helpful; you have an access denial dealing with a configuration. Likely directory browsing is disabled and thus preventing the access to mail2.yourdomain.com from being redirected out to owa .......
Check whether the two configurations in IIS are identical.
ASKER
You mean In Iis in exchange
ASKER
Where can I enable directory browsing
Check IIS
Check the IP to which your squid proxy is forwarding the request and see what is running on it.
Do you have both squid servers pointing to the same host?
ASKER
Yes, mail.mydomain.com is redirecting to exchange; same with mail2.
Where can I see directory browsing?
ASKER
Directory browsing is enabled in IIS; that is why mail.mydomain.com is working.
I think you've over complicated the situation unnecessarily.
On the system where you will be testing the squid 3.3 setup,
in /etc/hosts on linux/unix or c:\windows\system32\drivers\etc\hosts on windows,
define
a.b.c.d mail.yourdomain.com
where a.b.c.d is the IP of the squid 3.3 setup.
You are battling multiple issues, since altering the hostname to reach the reverse proxy means the requested URL, when passed by squid to exchange/IIS, has to be defined within the same OWA/exchange site to see that they are the same.
Let's try it this way: you have an existing phone system; when extension 12 is dialed you ask for and reach Bob.
To test a new phone system, you have set up an extension 122 and request Joe. You keep testing the new system by dialing 122 and asking for Joe, while you are reaching Bob.
In IIS on the exchange/owa server you have to make sure that mail2.yourdomain.com is added to the list of host headers/bindings to avoid having the request fall under the default web site on that system/IP.
ASKER
I am not sure where to add it in the list of headers; I will look and send a screenshot.
ASKER
I am kind of confused where to add it; I am sorry, can you send me the path or a screenshot?
ASKER
Should I use https? If I choose that, the URL is greyed out.
capture-1.PNG
ASKER
Will I be using http or https, and should I write the full name mail2.mydomain.com?
MS has a command line tool to add host headers.
Both include the directions for using the graphical user interface.
https://technet.microsoft.com/en-us/library/cc753195%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/cc731692%28v=ws.10%29.aspx
ASKER
appcmd set site /site.name:mail2.gncaccess.com /+bindings.[protocol='https',bindingInformation='*:443:'] - where should I use this, in EMS on exchange?
Also, in the graphical interface I can only use http?
ASKER
5. In the Add Site Binding dialog box, add the binding information: should I write mail2.mydomain.com?
You should add mail2.gncaccess.com to the existing mail.yourdomain.com; do not replace. You want to add.
In the future when building a drop-in replacement, use the same configuration as the one you are replacing.
For purposes of testing, modify the system settings from which you will be testing to direct requests to the new versus the production server, using changes to the hosts file on the local workstation (/etc/hosts or c:\windows\system32\drivers\etc\hosts):
a.b.c.d host.mydomain.com
This way, when you go to host.mydomain.com in your browser or any other application you are testing, the system will direct the request to the a.b.c.d IP, which would be the new system that you are testing.
This way, when you are done, you alter the name-to-IP mapping in DNS and you are done. In your current setup, you have to change what URL is being requested and might break the config if a typo or an entry was not altered to reflect the correct information for the production URL.
ASKER
I am confused; I don't know where to add it.
Your setup is that exchange/owa uses the default web site on IIS which .........
You are testing a new squid setup by altering what you are requesting. With the default site it is not an issue as long as you maintain the referencing.
In your configs, 2.6 has a reference to IP 10.2.2.66 while your 3.3 config does not; what is the significance of this IP, if any?
When building a new setup/testing, when possible the environment should be replicated so that the new one tested can be dropped in without an issue. When you alter the URL being requested, you thereby modify what request is being passed along.
Once you are satisfied with the test, you would have to change the references from mail2.yourdomain.com to mail.yourdomain.com to drop it into production, at which point something might break.
If you test as suggested, by using the local workstation's hosts file (/etc/hosts or c:\windows\system32\drivers\etc\hosts):
newIP mail.yourdomain.com
all that would be needed to transition from squid 2.6 to squid 3.3 is to repoint the port forwarding on your firewall from 192.168.40.25 to 192.168.40.26, and that is it.
ASKER
Can anybody help?