Hi,
I am trying to set up Squid as an SSL reverse proxy for publishing OWA services
(webmail, RPC/HTTP and ActiveSync). Currently the publishing is done by an ISA
Server, and I want to replace this ISA Server.
The flow:
Internet => Firewall(NAT) => Squid Reverse Proxy on DMZ( https port
8443) => Firewall(8443 open) => Exchange Server (NLB IP on https port 443)
I can get webmail working well (ActiveSync not tested yet), but RPC over HTTP
doesn't work: I get a 401 error code when I try to log on with Outlook.
Squid access log:
1215017068.440 253 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.291 96 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.537 85 193.251.14.120 TCP_MISS/401 482 RPC_OUT_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
IIS log:
2008-07-02 13:30:49 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:28 W3SVC1 172.16.18.136 RPC_IN_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:34 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
The IIS RPC service is configured to use "Windows Integrated
Authentication", so I think maybe I need to set up some NTLM auth settings
to fix this problem. The GC and DC are on the same LAN as the Exchange
server, so there are no firewall issues with the RPC ports (6001, 6002 and 6004).
I have tried with the versions 3.0STABLE7 and 2.7STABLE3.
Any ideas or solutions to resolve this issue would be appreciated.
Thanks a lot
squid.conf:
# Define the required extension methods (RPC over HTTP uses these two verbs)
extension_methods RPC_IN_DATA RPC_OUT_DATA
# Publish the RPCoHTTP service via SSL (one directive per line)
https_port <squid_ip>:8443 cert=/etc/apache2/ssl/cert.pem defaultsite=webmail.toto.com
# Origin server: the Exchange front end on 443, reached over SSL without peer certificate verification
cache_peer <exchange_ip> parent 443 0 no-query originserver front-end-https=auto ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
acl EXCH dstdomain .toto.com
acl all src 0.0.0.0/0.0.0.0
# No local caching
no_cache deny all
maximum_object_size 0 KB
minimum_object_size 0 KB
access_log /usr/local/squid/var/logs/access.log squid
# Only requests for the published domain go to the Exchange peer, never direct
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
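As an added example (not from the post or from Squid) for reading logs like the two above, this Python script parses Squid's native access.log format and the IIS W3C columns in the order the post shows, and reports for each 401 whether Squid produced it itself (hierarchy NONE) or relayed it from the cache_peer (FIRST_UP_PARENT), together with the IIS status.substatus. The sample lines are constructed after the ones in the post, with the hostname exchange.internal standing in for the redacted host.

```python
import re
from collections import Counter

# Squid native access.log: ts elapsed client code/status bytes method URL ident hier/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\w+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+(?P<hier>\w+)/(?P<peer>\S+)\s+\S+$")
# IIS W3C fields in the order the post shows (no #Fields header, so fixed here)
IIS_FIELDS = ("date", "time", "site", "s_ip", "method", "uri", "query", "port",
              "user", "c_ip", "agent", "status", "substatus", "win32")

# Constructed sample lines modelled on the post (hostnames and IPs illustrative)
SQUID_LOG = """\
1215017068.440 253 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?exchange.internal:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.537 85 193.251.14.120 TCP_MISS/401 482 RPC_OUT_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?exchange.internal:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017090.101 40 193.251.14.120 TCP_MISS/200 2310 GET https://webmail.company.com:8443/owa/ - FIRST_UP_PARENT/exchangeServer text/html
1215017095.200 3 193.251.14.120 TCP_DENIED/401 1200 GET https://webmail.company.com:8443/owa/ - NONE/- text/html
"""
IIS_LOG = """\
2008-07-02 13:30:49 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll exchange.internal:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:28 W3SVC1 172.16.18.136 RPC_IN_DATA /rpc/rpcproxy.dll exchange.internal:6001 443 - 172.16.18.128 MSRPC 401 1 0
"""

def parse_squid(text):
    for line in text.splitlines():
        m = SQUID_RE.match(line.strip())
        if m:
            yield m.groupdict()

def parse_iis(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(IIS_FIELDS) and not line.startswith("#"):
            yield dict(zip(IIS_FIELDS, parts))

def where_401(rec):
    """'proxy' if Squid answered the 401 itself (hier NONE), else the peer that sent it."""
    if rec["status"] != "401":
        return None
    return "proxy" if rec["hier"] == "NONE" else "origin:" + rec["peer"]

def summarize(squid_text, iis_text):
    # Returns (Counter of (method, source) for Squid 401s, Counter of IIS status.substatus)
    squid = Counter()
    for rec in parse_squid(squid_text):
        src = where_401(rec)
        if src:
            squid[(rec["method"], src)] += 1
    iis = Counter(r["status"] + "." + r["substatus"]
                  for r in parse_iis(iis_text) if r["status"] == "401")
    return squid, iis
```

In the post's logs every RPC 401 carries FIRST_UP_PARENT/exchangeServer and IIS records sub-status 1, so the requests are reaching IIS and the authentication is failing there rather than being blocked by Squid's ACLs.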
Received on Thu Jul 03 2008 - 05:28:15 MDT