squid proxy, active sync, autodiscover, squid proxy, exchange 2007

pramod1 (asker):
I am posting the result I got when testing ActiveSync through testexchangeconnectivity.com.

How can I solve the problem?
The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
Testing HTTP Authentication Methods for URL https://mail2.mydomain.com/Microsoft-Server-ActiveSync/.
The HTTP authentication test failed.

We have an existing URL, mail.mydomain.com/Microsoft-Server-ActiveSync, which is working fine.
We built a new Squid 3.3 and are trying to use mail2.mydomain.com for ActiveSync, which is failing.
Additional Details
A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown. HTTP Response Headers: Mime-Version: 1.0 X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71 Vary: Accept-Language Content-Language: en X-Cache: MISS from mail2.mydomain.com X-Cache-Lookup: MISS from mail2.mydomain.com:5080 Connection: keep-alive Content-Length: 3860 Content-Type: text/html Date: Fri, 20 May 2016 11:16:17 GMT Server: squid
Elapsed Time: 307 ms.

I am getting the below error in the squid proxy logs:

In the cache.log “fwdNegotiateSSL: Error negotiate SSL connection on FD 14: error:14090086:SSL routine:SSL3 routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify (1/-1/0)”
pramod1 (asker):
TCP_DENIED/403 "GET http://mail2.mydomain.com/ HTTP/1.1"

Can anybody help?
arnold:
Double-check your proxy configuration dealing with the connection to ActiveSync.

Content-Length: 4100
X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71

If your squid proxies, make sure you either add the CA that signed the internal host certificate, or make sure you remap/tag the certificate presented to match the host you are sending through.

See whether your prior config used a rewrite or remapped requests for mail2.yourdomain.com to mail2.yourdomain.lan.

You might/could disable the cert verification within squid...
The system returned:
(71) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)
Certificate does not match domainname: /C=US/ST=PA/L=******/O=**********, Inc./OU=Information Technology/CN=ex2k7dc1.yourdomain-mail.lan

Your internal certificate is the cause of the failure.
pramod1 (asker):
see whether your prior config used a rewrite or remapped requests for mail2.yourdomain.com to mail2.yourdomain.lan

Meaning mail.yourdomain.com to mail2.yourdomain.com, because mail.yourdomain.com is working fine on Squid 2.6.
pramod1 (asker):
What is mail2.yourdomain.com to mail2.yourdomain.lan?
arnold:
Look at the error: Squid gets an invalid certificate, which is why it generates the error.

Certificate does not match domainname: /C=US/ST=PA/L=******/O=*********, Inc./OU=Information Technology/CN=ex2k7dc1.*****-mail.lan
pramod1 (asker):
Where do you see this?
pramod1 (asker):
"Certificate does not match domainname: /C=US/ST=PA/L=*******/O=**********, Inc./OU=Information Technology/CN=ex2k7dc1.*****-mail.lan": where do you see this?
pramod1 (asker):
OK, got it.
pramod1 (asker):
But if I disable the cert, it won't work.
arnold:
When you define the forward rule in squid.conf for this, make sure it is directed to the correct URL, or update the self-generated certificate with a SAN (Subject Alternative Name) that includes both mail2.yourdomain.com and ex2k7dc1.yourdomain-mail.lan. At this point the certificate will match both the external and the internal hostname, depending on the access...
pramod1 (asker):
The certificate I have is a wildcard certificate which is on Squid 2.6 and which I copied, along with the private key, to the new Squid 3.3 config. So is there any way I can check that the cert includes both mail2.yourdomain.com and ex2k7dc1.*****-mail.lan?
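One way to answer the question above (does a certificate cover both the external and the internal name?) is to apply the hostname-matching rules a TLS verifier uses to the names found in the certificate. The following is an added Python example, not code from the thread or from Squid; the wildcard CN, the external name mail2.mydomain.com and the internal host name ex2k7dc1.mydomain-mail.lan are constructed for illustration. Squid performs this same check on the cache_peer connection: the cache_peer option ssldomain= sets the name it expects to see in the peer certificate (otherwise the peer hostname or IP from cache_peer is used), and sslcafile= points it at the CA that signed the internal certificate.

```python
"""Does a certificate cover every name Squid will check on the path to
Exchange?

Added example, not from the thread. Certificate names are constructed to
mirror the thread: a wildcard *.mydomain.com certificate on the proxy and an
internal Exchange host ex2k7dc1.mydomain-mail.lan presenting its own
certificate. To read the real names out of a PEM file:
    openssl x509 -in cert.pem -noout -subject
    openssl x509 -in cert.pem -noout -text | grep -A1 'Subject Alternative Name'
"""


def hostname_matches(pattern, hostname):
    """Match one certificate name (CN or SAN dNSName) against a hostname.
    Comparison is case-insensitive and ignores a trailing dot. A single '*'
    is accepted only as the whole left-most label and stands for exactly one
    label, so '*.mydomain.com' covers mail2.mydomain.com but neither
    mydomain.com nor a.b.mydomain.com, and never a name in another domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # wildcard must be the entire first label and must not sit in a TLD
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_names(subject_cn, san_dns):
    """Names a verifier considers: the SAN dNSName entries when present; the
    subject CN only as a fallback when the certificate has no SAN names
    (RFC 6125 section 6.4.4)."""
    return list(san_dns) if san_dns else [subject_cn]


def check_cert(subject_cn, san_dns, hostnames):
    """Map each hostname to True/False: is it covered by this certificate?"""
    names = cert_names(subject_cn, san_dns)
    return {h: any(hostname_matches(n, h) for n in names) for h in hostnames}


# Constructed inputs mirroring the thread.
WILDCARD_CN = "*.mydomain.com"                 # the asker's wildcard certificate
EXTERNAL_NAME = "mail2.mydomain.com"           # name the client and proxy use
INTERNAL_NAME = "ex2k7dc1.mydomain-mail.lan"   # CN presented by the Exchange server


def wildcard_result():
    """The wildcard cert covers the external name only. The internal
    Exchange name lives in a different domain, which is the kind of
    mismatch Squid reported as SQUID_X509_V_ERR_DOMAIN_MISMATCH."""
    return check_cert(WILDCARD_CN, [], [EXTERNAL_NAME, INTERNAL_NAME])


def san_result():
    """A reissued cert listing both names in its SAN satisfies both sides."""
    return check_cert(EXTERNAL_NAME, [EXTERNAL_NAME, INTERNAL_NAME],
                      [EXTERNAL_NAME, INTERNAL_NAME])


if __name__ == "__main__":
    for name, ok in wildcard_result().items():
        print(f"wildcard cert  {name:30} {'covered' if ok else 'NOT covered'}")
    for name, ok in san_result().items():
        print(f"SAN cert       {name:30} {'covered' if ok else 'NOT covered'}")
```

Running the file prints the two cases: the wildcard certificate covers mail2.mydomain.com but not the internal .lan name, because a wildcard spans exactly one label inside its own domain. Either the certificate has to list both names in its SAN, or Squid has to be told the internal name (ssldomain=) and the CA that issued the internal certificate (sslcafile=) for verification to succeed.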
ASKER CERTIFIED SOLUTION by arnold (solution text only available to members; not shown on this page)
pramod1 (asker):
OK, I am closing the question as of now. I will reopen it if required.
pramod1 (asker):
We made some changes in the squid config file; it works, but unlike mail.mydomain.com/owa (on Squid 2.6), which shows in the URL, the new one opens and shows exchange server name/owa instead, but works fine.

So what could be the difference? Where is it pulling the cert from?
arnold:
Check whether your 2.6 uses URL rewrite.
Without seeing the config, you are asking me to try and guess what might be affecting this behavior.
Look at the 2.6 visible_hostname directive and see if the same is defined in the 3.3 setup/config.
pramod1 (asker):
You mean I should put mail.mydomain.com, as I have put mail2.mydomain.com in visible_hostname?

As it is pulling the server name URL and connecting.
arnold:
Without seeing what your current configuration on the 3.3 version is, I am just guessing that you might have missed one of the settings you have in the 2.6 config, so that the response from the proxied system (the Exchange server) is not relayed back out to the user requesting access.

Try the following:

Using openssl s_client -connect publicIP:443, once the connection is established, issue
HEAD https://mail2.yourdomain.com/OWA HTTP/1.1
Host:
Referer:

See what you get in the response. An HTTP HEAD request will only return the response headers.
Change it to GET and you will get both the HTTP header information and the contents/data from the resource to which the request was proxied.

It seems to trigger a connection renegotiation.

Test the same against the existing Squid 2.6 and see the behavior, then run the same with the 3.3 setup.
Your 3.3 config includes forward proxy parameters in addition to reverse proxy settings.
Can you check your squid.log file to see whether the requests are being connected or proxied?

Compare the log entries between the two versions.
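To make the openssl s_client probe described above repeatable and easy to compare between the 2.6 and 3.3 proxies, here is an added Python example (not from the thread): it builds the exact HEAD request bytes to paste into the s_client session, and parses a raw reply to tell whether the answer came from Squid itself (an X-Squid-Error header), from IIS relayed through Squid, or from somewhere else. The two sample replies are constructed from the headers quoted in the thread; the path /owa/ and the Connection: close header are my choices. When connecting with openssl, add -servername mail2.mydomain.com so the proxy receives the hostname via SNI.

```python
"""Raw HEAD probe helpers for comparing two Squid reverse proxies.

Added example, not from the thread. build_head_request() produces the bytes
to paste into an 'openssl s_client' session; parse_response_head() and
classify_response() read the reply so 2.6 and 3.3 answers can be compared
header by header. The two responses at the bottom are constructed from the
headers quoted in the thread (the 503 from Squid, the 401 from IIS).
"""


def build_head_request(host, path="/owa/", method="HEAD"):
    """Return an HTTP/1.1 request as bytes (CRLF line endings, blank-line
    terminator). The Host header is the value IIS matches against its site
    bindings, so it must carry the public name, not the proxy IP."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response_head(raw):
    """Split a raw response into (status_code, reason, headers).
    Header names are lower-cased; repeated headers are joined with ', '."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate malformed or continuation lines
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, reason, headers


def classify_response(status, headers):
    """Say who produced the answer:
    - 'proxy-error': Squid could not reach or verify the peer; X-Squid-Error
      names the cause (ERR_SECURE_CONNECT_FAIL = TLS to the origin failed).
    - 'origin-via-proxy': the origin answered and Squid relayed it
      (X-Cache present, Server header is the origin's).
    - 'proxy': Squid answered on its own (e.g. access denied).
    - 'direct': no Squid headers at all; the proxy was bypassed."""
    server = headers.get("server", "")
    if "x-squid-error" in headers:
        return "proxy-error", headers["x-squid-error"]
    if "x-cache" in headers and not server.lower().startswith("squid"):
        return "origin-via-proxy", server
    if "x-cache" in headers or server.lower().startswith("squid"):
        return "proxy", str(status)
    return "direct", server


# Constructed sample replies based on the headers posted in the thread.
SQUID_503 = (
    b"HTTP/1.1 503 Service Unavailable\r\n"
    b"Mime-Version: 1.0\r\n"
    b"X-Squid-Error: ERR_SECURE_CONNECT_FAIL 71\r\n"
    b"X-Cache: MISS from mail2.mydomain.com\r\n"
    b"X-Cache-Lookup: MISS from mail2.mydomain.com:5080\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: squid\r\n"
    b"\r\n"
)
IIS_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-Cache: MISS from mail2.mydomain.com\r\n"
    b"X-Cache-Lookup: MISS from mail2.mydomain.com:80\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b'WWW-Authenticate: Basic realm="mail2.mydomain.com"\r\n'
    b"\r\n"
)


def probe_summary(raw):
    """One-line verdict for a captured reply."""
    status, reason, headers = parse_response_head(raw)
    kind, detail = classify_response(status, headers)
    return f"{status} {reason}: {kind} ({detail})"


if __name__ == "__main__":
    print(build_head_request("mail2.mydomain.com").decode())
    for reply in (SQUID_503, IIS_401):
        print(probe_summary(reply))
```

Capture the reply from each proxy (the header block s_client prints up to the first blank line) and feed it to probe_summary(); a 'proxy-error' verdict means the problem lies between Squid and Exchange (certificate verification, peer address), while an 'origin-via-proxy' verdict means Squid relayed the request and any 401/403 is IIS's own decision based on the Host header and site bindings.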
pramod1 (asker):
Where did you see that? Can you just highlight it? I would appreciate it.
pramod1 (asker):
I don't see forward proxy parameters in addition to reverse proxy settings anywhere.

I am really sorry; if you can, please point them out.
arnold:
You have it listening on port 3128.

You have SAFE_PORTS, CONNECT, etc. defined.

http_access allow localnet
etc.

You need to make your 3.3 look as close as possible to your 2.6.

Look at the squid.log to see whether Squid sees the router as the source of the request .....
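The point about forward-proxy parameters mixed into a reverse-proxy config can be checked mechanically. The following is an added Python example, not from the thread or the Squid project: it parses a squid.conf and flags the forward-proxy template leftovers named above (a non-accel http_port such as 3128, the Safe_ports/SSL_ports/CONNECT/localnet ACLs, http_access allow localnet) as well as a cache_peer whose certificate check is disabled or has no expected name. The two sample configs, the peer IP 10.0.0.10 and the file paths are constructed; the directive names (https_port accel, cache_peer ... originserver ssl, sslflags=, ssldomain=, sslcafile=) are real Squid 3 directives.

```python
"""Audit a Squid 3.x squid.conf for forward-proxy leftovers and for disabled
peer certificate checks before using it as a reverse (accelerator) proxy.

Added example, not from the thread or the Squid project. The directives are
real Squid 3 directives; the sample configs, hostnames, IPs and paths are
constructed to resemble the mixed 3.3 config discussed in the thread.
"""

# ACL names that come from the stock forward-proxy squid.conf template.
TEMPLATE_ACLS = {"Safe_ports", "SSL_ports", "CONNECT", "localnet"}

SAMPLE_MIXED_CONF = """\
# constructed sample, not the asker's real config
visible_hostname mail2.mydomain.com
https_port 443 accel cert=/etc/squid/wildcard.pem key=/etc/squid/wildcard.key defaultsite=mail2.mydomain.com
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=exchange
acl exch_sites dstdomain mail2.mydomain.com
http_access allow exch_sites
http_port 3128
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access allow localnet
http_access allow localhost
"""

# Same site, reverse-proxy only: one accel listener, access only to the
# published site, and the peer verified against the name in the internal
# certificate plus the internal CA instead of switching verification off.
SAMPLE_REVERSE_ONLY_CONF = """\
visible_hostname mail2.mydomain.com
https_port 443 accel cert=/etc/squid/wildcard.pem key=/etc/squid/wildcard.key defaultsite=mail2.mydomain.com
cache_peer 10.0.0.10 parent 443 0 no-query originserver ssl ssldomain=ex2k7dc1.mydomain-mail.lan sslcafile=/etc/squid/internal-ca.pem name=exchange
acl exch_sites dstdomain mail2.mydomain.com
http_access allow exch_sites
http_access deny all
"""


def parse_conf(text):
    """Yield (directive, args) for every non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def audit(text):
    """Return a list of (code, subject) findings for a squid.conf text.

    forward-listener : http_port/https_port without 'accel' (forward proxy)
    template-acl     : ACL from the forward-proxy template is still defined
    forward-access   : http_access allow localnet/localhost (client proxying)
    peer-verify-off  : cache_peer ssl with sslflags=DONT_VERIFY_PEER
    peer-name-unset  : cache_peer ssl with no ssldomain=, so the certificate
                       is checked against the cache_peer host/IP, which is
                       how a CN like ex2k7dc1.mydomain-mail.lan ends up as a
                       DOMAIN_MISMATCH error
    """
    findings = []
    for directive, args in parse_conf(text):
        if directive in ("http_port", "https_port") and "accel" not in args:
            findings.append(("forward-listener", f"{directive} {args[0]}"))
        elif directive == "acl" and args and args[0] in TEMPLATE_ACLS:
            findings.append(("template-acl", args[0]))
        elif (directive == "http_access" and args[:1] == ["allow"]
              and args[1:2] and args[1] in ("localnet", "localhost")):
            findings.append(("forward-access", args[1]))
        elif directive == "cache_peer" and "ssl" in args:
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            if "DONT_VERIFY_PEER" in opts.get("sslflags", ""):
                findings.append(("peer-verify-off", args[0]))
            elif "ssldomain" not in opts:
                findings.append(("peer-name-unset", args[0]))
    return findings


if __name__ == "__main__":
    for label, conf in (("mixed", SAMPLE_MIXED_CONF), ("reverse-only", SAMPLE_REVERSE_ONLY_CONF)):
        print(f"{label}: {len(audit(conf))} finding(s)")
        for code, subject in audit(conf):
            print(f"  {code:16} {subject}")
```

Point audit() at the real 3.3 file and the real 2.6 file and diff the findings; the second sample shows the shape the 3.3 config should converge on. Setting sslflags=DONT_VERIFY_PEER would silence the error in the thread, but it leaves Squid unable to tell the real Exchange server from any other host answering on that internal address, so the ssldomain= and sslcafile= route is the one to prefer.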
pramod1 (asker):
When I type mail2.mydomain.com, the login page comes up fine, showing the exchange server name.
When I type mail2.mydomain.com/owa (manually adding owa), the login page comes up fine with the default name mail2.mydomain.com/owa in the browser, so I need to manually add owa in the browser.

This happens in IE.

In Chrome I need to manually add https://, and then the login page comes up fine with mail2.mydomain.com/owa.

I don't know what I am missing in the new config. In the old 2.6 config I just type mail.mydomain.com and it works fine; no need to add owa in the browser.
pramod1 (asker):
Below is the result from testexchangeconnectivity.com:

Testing HTTP Authentication Methods for URL https://mail2.mydomain.com/Microsoft-Server-ActiveSync/.
The HTTP authentication methods are correct.

Additional Details

The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic
HTTP Response Headers:
X-Frame-Options: SAMEORIGIN
X-Cache: MISS from mail2.mydomain.com
X-Cache-Lookup: MISS from mail2.mydomain.com:80
Connection: keep-alive
Content-Length: 1293
Content-Type: text/html
Date: Tue, 24 May 2016 19:54:56 GMT
Server: Microsoft-IIS/7.0
WWW-Authenticate: Basic realm="mail2.mydomain.com"

Elapsed Time: 292 ms.

An ActiveSync session is being attempted with the server.
Errors were encountered while testing the Exchange ActiveSync session.

Additional Details

Elapsed Time: 115 ms.

Test Steps

Attempting to send the OPTIONS command to the server.
Testing of the OPTIONS command failed. For more information, see Additional Details.

Additional Details

An HTTP 403 forbidden response was received. The response appears to have come from IIS7. Body of the response: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 <div class="content-container"><fieldset>
 <h2>403 - Forbidden: Access is denied.</h2>
 <h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 </fieldset></div>
</div>
</body>
</html>
HTTP Response Headers:
X-Frame-Options: SAMEORIGIN
X-Cache: MISS from mail2.mydomain.com
X-Cache-Lookup: MISS from mail2.mydomain.com:80
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: private
Content-Type: text/html
Date: Tue, 24 May 2016 19:54:56 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727


Elapsed Time: 115 ms.  
arnold:
Your best bet to see what is going on is to look through the squid logs to see what request is being seen and what response is being sent.

Are the two Squid instances pointing to the same Exchange/OWA setup?

Check the IIS logs to see what you see there.

Looking at the front end of the request is not helpful; you have an access denial dealing with a configuration. Likely directory browsing is disabled and is thus preventing access to mail2.yourdomain.com from being redirected out to owa .......
Check whether the two configurations in IIS are identical.
pramod1 (asker):
You mean in IIS on Exchange?
pramod1 (asker):
Where can I enable directory browsing?
arnold:
Check IIS.
Check the IP to which your Squid proxy is forwarding the request and see what is running on it.

Do you have both Squid servers pointing to the same host?
pramod1 (asker):
Yes, mail.mydomain.com is redirecting to Exchange; the same goes for mail2.
Where can I see directory browsing?
pramod1 (asker):
Directory browsing is enabled in IIS; that is why mail.mydomain.com is working.
arnold:
I think you've overcomplicated the situation unnecessarily.

On the system where you will be testing the Squid 3.3 setup, in /etc/hosts on Linux/Unix or c:\windows\system32\drivers\etc\hosts on Windows, define
a.b.c.d mail.yourdomain.com
where a.b.c.d is the IP of the Squid 3.3 setup.

You are battling multiple issues, since altering the hostname used to reach the reverse proxy means the requested URL, when passed by Squid to Exchange/IIS, has to be defined within the same OWA/Exchange site for them to be treated the same.

Let's try it this way: you have an existing phone system where, when extension 12 is dialed, you ask for and reach Bob.
To test a new phone system, you have set up extension 122 and ask for Joe. You keep testing the new system by dialing 122 and asking for Joe, while you are reaching Bob.

In IIS on the Exchange/OWA server you have to make sure that mail2.yourdomain.com is added to the list of host headers/bindings, to avoid having the request fall under the default web site on that system/IP.
pramod1 (asker):
I am not sure where to add it in the list of headers. I will look and send a screenshot.
pramod1 (asker):
I am kind of confused about where to add it. I am sorry; can you send me the path or a screenshot?
pramod1 (asker):
Should I use https? If I choose that, the URL is greyed out.
[attachment: capture-1.PNG]
pramod1 (asker):
Will I be using http or https, and should I write the full name mail2.mydomain.com?
arnold:
MS has a command line tool to add host headers.

Both links include the directions for using the graphical user interface.

https://technet.microsoft.com/en-us/library/cc753195%28v=ws.10%29.aspx
https://technet.microsoft.com/en-us/library/cc731692%28v=ws.10%29.aspx
pramod1 (asker):
appcmd set site /site.name:mail2.gncaccess.com /+bindings.[protocol='https',bindingInformation='*:443:']
Where should I run this, in EMS on Exchange?

Also, in the graphical interface, can I only use http?
pramod1 (asker):
"5. In the Add Site Binding dialog box, add the binding information": should I write mail2.mydomain.com?
arnold:
You should add mail2.gncaccess.com to the existing mail.yourdomain.com; do not replace. You want to add.

In the future, when building a drop-in replacement, use the same configuration as the one you are replacing.
For purposes of testing, modify the system settings on the machine from which you will be testing to direct requests to the new server instead of the production one, using the hosts file on the local workstation (/etc/hosts or c:\windows\system32\drivers\etc\hosts):

a.b.c.d host.mydomain.com

This way, when you go to host.mydomain.com in your browser or any other application you are testing, the system will direct the request to the a.b.c.d IP, which would be the new system you are testing.

This way, when you are done, you alter the name-to-IP mapping in DNS and you are done. In your current setup, you have to change which URL is being requested, and the config might break if a typo was made or an entry was not altered to reflect the correct information for the production URL.
pramod1 (asker):
I am confused; I don't know where to add it.
arnold:
Your setup is that Exchange/OWA uses the default web site on IIS which .........

You are testing a new Squid setup by altering what you are requesting. With the default site it is not an issue as long as you maintain the referencing.

In your configs, 2.6 has a reference to IP 10.2.2.66 while your 3.3 config does not; what is the significance of this IP, if any?

When building a new setup for testing, when possible the environment should be replicated so that the new one being tested can be dropped in without an issue. Altering the URL being requested also modifies what request is being passed along.
Once you are satisfied with the test, you would have to change the references from mail2.yourdomain.com to mail.yourdomain.com to drop it into production, at which point something might break.

If you test as suggested, by using the local workstation's hosts file (/etc/hosts or c:\windows\system32\drivers\etc\hosts):
newIP mail.yourdomain.com

all that would be needed to transition from Squid 2.6 to Squid 3.3 is to repoint the port forwarding on your firewall from 192.168.40.25 to 192.168.40.26, and that is it.