I hope one of y'all is out there and can help. I am trying to replace ISA server with squid. I have followed every guide I can find to make this work (Exchange 2007 behind squid). I have tried multiple versions of squid, multiple versions of Linux, multiple versions of squid.conf, etc (I have tried the ones at http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess and http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc ).
I can't get it to work. I can more or less get into OWA (it gives me a funky log in screen that looks different than via the way it worked with ISA) ) but http over RPC just asks for the password over and over and over. If I bypass squid, and sent the 443 straight to the Exchange server, it works fine.
There are so many variables it is frustrating and I want to duplicate a site someone has working. Can anyone help?
Questions:
1. What did you do about the certificates? I have a SAN Certificate and exported it from the exchange server and have put it in the appropriate lines in squid.conf. Some of the guides mention multiple certificates (one being a client and one being a server) but some guides shows all of them being the same one "/root/ssl/www.domain.com.crt key=/root/ssl/www.domain.com.key" - how and where did you get your certificate (I.E. did you export it from IIS in Exchange?)? I only have one certificate.
2. What is the deal on something called "Intermediate Certificates"?
3. On your Outlook clients, under "logon network security" do you have them set for "negotiate authentication", "Kerberos password authentication" or "password authentication (NTLM)"?
4. On your Outlook clients, under "proxy authentication settings" do you have them set for "basic authentication" or "NTLM authentication"?
5. I come from the Windows world and I have not done diddly squat with apache on the squid server. I just let it build the default. Is that OK? Do I need to do anything with apache?
6. I have the main firewall in the building forwarding all the 443 packets to the squid/apache server and nothing else (I.E. the squid/apache server does not face the internet...its gets packets forwarded to it from the firewall). Do you have any other ports hitting your squid server?
My squid is below.do you see anything wrong (it is using squid 3.1 on Fedora 12 and has the "connection-auth=off" added and the "extension_methods RPC_IN_DATA RPC_OUT_DATA" dropped )?
# extensions for Exchange RPC over HTTPS
# I dropped this line for squid 3.1??
# extension_methods RPC_IN_DATA RPC_OUT_DATA
# squid server is 10.0.1.135
# Exchange server is 10.0.1.101
# our external domain is ourexternaldomain.com
# here comes the relay configuration
# here comes the relay configuration
# I added connection-auth=off for squid version 3.1
https_port 10.0.1.135:443 connection-auth=off accel cert=/certifs/temp/cert.pem key=/certifs/temp/server.key defaultsite=ourexternaldomain.com vhost
cache_peer 127.0.0.1 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/certifs/temp/cert.pem sslkey=/certifs/temp/server.key name=webServer
cache_peer 10.0.1.101 parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER sslcert=/certifs/temp/cert.pem sslkey=/certifs/temp/server.key name=exchangeServer
# List of acceptable URLs to send to the Exchange server
acl exch_url url_regex -i ourexternaldomain.com/exchange
acl exch_url url_regex -i ourexternaldomain.com/exchweb
acl exch_url url_regex -i ourexternaldomain.com/public
acl exch_url url_regex -i ourexternaldomain.com/iisadmpwd
acl exch_url url_regex -i ourexternaldomain.com/oma
acl exch_url url_regex -i ourexternaldomain.com/microsoft-server-activesync
acl exch_url url_regex -i ourexternaldomain.com/rpc
acl exch_url url_regex -i ourexternaldomain.com/rpcwithcert
acl exch_url url_regex -i ourexternaldomain.com/exadmin
acl exch_url url_regex -i ourexternaldomain.com/owa
acl exch_url url_regex -i ourexternaldomain.com/autodiscover
acl exch_url url_regex -i ourexternaldomain.com/oab
acl exch_url url_regex -i ourexternaldomain.com/ews
# Send the Exchange URLs to the Exchange server
cache_peer_access exchangeServer allow exch_url
# Send everything else to the webserver
cache_peer_access webServer deny exch_url
# This is to protect ourselves
never_direct allow exch_url
#acl chunked dstdomain owa.ourexternaldomain.com
#header_access Accept-Encoding deny chunked
#acl EXCH dstdomain owa.ourexternaldomain.com
#cache_peer_access exchangeServer allow EXCH
#cache_peer_access webServer deny EXCH
#never_direct allow EXCH