Re: [squid-users] OWA on Exchange 2003 proxy

From: Jonathan Giles <jong@dont-contact.us>
Date: Thu, 30 Oct 2003 15:03:28 -0500

Thanks again for the help, Henrik.

I got squid3 to compile and install, now having trouble getting it to
work.

In squid.conf in ver. 3, these are the options I have made:

----
https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on
---
in /etc/hosts
---
10.1.16.67      owa.clinedavis.com
---
And when I go to the squid server I get this...
Bad Request (Invalid URL)
In access.log I get this:
1067539553.232      1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
1067543543.673     23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html
When I change the IP in /etc/hosts to some other web server, it works.
In squid2 the following config works, but still has that not loading
folders problem.
squid.conf
----
https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem
httpd_accel_host owa.clinedavis.com
cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on
----
Any help would be greatly appreciated.
Thanks,
jg
On Wednesday, October 29, 2003, at 05:00  PM, Henrik Nordstrom wrote:
> On Wed, 29 Oct 2003, Jonathan Giles wrote:
>
>> 1)  forms based authentication mode turns on ssl on the exchange
>> server.  Https connections fail because it does not like the test cert
>> we put on the exchange server.  Is there any way to tell squid to
>> ignore the problem with the ssl test cert on the 2003 exchange server?
>
> If you use Squid-3 then you can tell Exchange that https is added by a
> frontend server such as Squid. See the cache_peer directive in Squid-3.
>
>> We can skip forms based auths if we can cause squid to time out
>> sessions...  Seems as though exchange credentials are stored on the
>> web client, and are not destroyed until the web client is quit.
>
> Correct.
>
>> 2)  if using IE on Windows, exchange2003 goes into high gear mode and
>> gives special features to the client, and this does not work on the
>> squid system I configured for exchange2000.  I believe there is a
>> redirect that is causing the proxy to spin its gears, as the mail
>> folder list never gets populated with mail messages.  So, if someone
>> here has a suggestion with regards to this issue, or if there is a way
>> to stop letting Exchange 2003 know that the client is IE on windows,
>> it would be very helpful.
>
> You quite likely need to use the above Squid-3 feature for this to work
> properly..
>
> Modern Exchange OWA installations use WebDAV for folder access etc
> when accessed by MSIE clients and this requires that OWA knows exactly
> by which means it is accessed. Any front-end server such as a Squid
> reverse proxy MUST NOT modify the URL (including the host component)
> and if the front-end uses SSL while using plain HTTP to the OWA server
> then it must tell so to the OWA by using the custom X-Front-End-HTTPS
> header.
>
> Regards
> Henrik
>
>
>
---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
Received on Thu Oct 30 2003 - 13:03:37 MST
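
Added example, not part of the original message or of Squid: the two access.log entries quoted above, parsed from Squid's native log format to show which 400 was replayed from Squid's own cache and which came back from the cache_peer. The sample lines are the message's two entries re-joined onto one line each; the names Entry, parse_line, status_origin and summarize are made up for this example.

```python
from dataclasses import dataclass

# Constructed sample: the two entries quoted in the message, one line each.
SAMPLE_LOG = """\
1067539553.232      1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
1067543543.673     23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html
"""


@dataclass
class Entry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # Squid result code, e.g. TCP_MISS
    status: int      # HTTP status sent to the client
    size: int
    method: str
    url: str
    hierarchy: str   # how the request was forwarded, e.g. FIRST_UP_PARENT
    peer: str        # host contacted, "-" if none


def parse_line(line: str) -> Entry:
    """Parse one line of Squid's native access.log format (10 fields)."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hierarchy, peer)


def status_origin(e: Entry) -> str:
    """Say where the status came from; hierarchy NONE means no peer was contacted."""
    if e.hierarchy == "NONE":
        return "squid-cache" if "HIT" in e.result else "squid-itself"
    return f"peer:{e.peer}"


def summarize(log: str) -> list[tuple[int, str]]:
    return [(e.status, status_origin(e))
            for e in map(parse_line, filter(str.strip, log.splitlines()))]


if __name__ == "__main__":
    for status, origin in summarize(SAMPLE_LOG):
        print(status, origin)
```

A TCP_NEGATIVE_HIT with NONE/- never reached the peer, so a request repeated right after a squid.conf change can still show the cached error rather than the peer's current answer.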