[squid-users] Exchange reverse proxy

From: Hugo Monteiro <hugo.monteiro_at_fct.unl.pt>
Date: Wed, 29 Dec 2010 12:19:01 +0000

Hello list,

I have a Windows Server 2008 with Exchange 2007, in a DMZ, which I
would like to access using a reverse proxy from the outside. I have set
up squid as per the example in

http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc

Squid is version 3.1.3 from debian backports and the configuration follows:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
cache_peer mail.example.org parent 443 0 no-query proxy-only originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN connection-auth=on
acl EXCH dstdomain .webmail.example.org
cache_peer_access mail.example.org allow EXCH
cache_peer_access mail.example.org deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_port 80
https_port 123.123.123.123:443 cert=/etc/ssl/certs/mail.example.org.pem key=/etc/ssl/private/mail.example.org.key cafile=/etc/ssl/certs/cabundle.pem defaultsite=webmail.example.org connection-auth=on
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid3
refresh_pattern . 0 20% 4320

mail.example.org is the exchange server and webmail.example.org is the
squid proxy server.

squid was compiled with

--datadir=/usr/share/squid3 \
--sysconfdir=/etc/squid3 \
--mandir=/usr/share/man \
--with-cppunit-basedir=/usr \
--enable-inline \
--enable-async-io=8 \
--enable-storeio="ufs,aufs,diskd" \
--enable-removal-policies="lru,heap" \
--enable-delay-pools \
--enable-cache-digests \
--enable-underscores \
--enable-icap-client \
--enable-follow-x-forwarded-for \
--enable-auth="basic,digest,ntlm,negotiate" \
--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM" \
--enable-ntlm-auth-helpers="smb_lm," \
--enable-digest-auth-helpers="ldap,password" \
--enable-negotiate-auth-helpers="squid_kerb_auth" \
--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
--enable-arp-acl \
--enable-esi \
--enable-ipv6 \
--enable-ssl \
--disable-translation \
--with-logdir=/var/log/squid3 \
--with-pidfile=/var/run/squid3.pid \
--with-filedescriptors=65536 \
--with-large-files \
--with-default-user=proxy

Access to OWA works just fine, but I'm not able to access it
through the Outlook client. The autodiscover process is working properly and
I get the first requests on the squid proxy, but then the client isn't
able to complete the account setup process. I get a recurring auth popup
in the email account setup wizard and I get the following in the squid logs:

==> /var/log/squid3/access.log <==
1293624558.829 2 231.231.231.231 TCP_MISS/401 775 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624558.890 2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html

==> /var/log/squid3/cache.log <==
2010/12/29 12:09:18| statusIfComplete: Request not yet fully sent "POST https://webmail.example/autodiscover/autodiscover.xml"

If I understood correctly, TCP_MISS/401 means there was an auth problem.
I have enabled basic auth in Exchange and I have tested it using a web
browser. It starts by trying to use NTLM (which has to be enabled also)
and then falls back to basic auth, and it does work.

Any help is much appreciated. Also, if someone knows of documentation
regarding this type of setup, I would be glad to check it out.

Best Regards,

Hugo Monteiro.

-- 
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email    : hugo.monteiro_at_fct.unl.pt
Phone    : +351 212948300 Ext.15307
Web      : http://hmonteiro.net
Divisão de Informática
Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Phone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio_at_fct.unl.pt
fct.unl.pt:~# _
Received on Wed Dec 29 2010 - 12:19:05 MST
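The TCP_MISS/401 pairs quoted in the post are what a stalled NTLM handshake through the parent peer looks like in access.log. As an added example (not code from the original post or from Squid), this Python checker parses native-format access.log lines and reports clients whose consecutive 401s for one URL never end in a success; the sample lines are constructed after the ones quoted.

```python
"""Flag clients stuck in a 401 loop behind a Squid reverse proxy.

Added example for this thread, not code from the original post or from Squid.
Reads native-format access.log lines (time elapsed client code/status bytes
method URL ident hierarchy/peer type); the sample lines are constructed."""
from collections import defaultdict

def parse_line(line):
    """Return (ts, client, status, url, peer) or None for a non-log line."""
    f = line.split()
    try:
        return float(f[0]), f[2], int(f[3].split("/", 1)[1]), f[6], f[8]
    except (ValueError, IndexError):
        return None

def find_auth_loops(lines, min_hits=3, window=5.0):
    """Return {(client, url, peer): longest run of consecutive 401s}.

    A normal NTLM handshake is two 401 challenges then a 2xx; three or more
    401s in a row for one client/URL (each within `window` seconds, no other
    status in between) means the handshake through the proxy never completes.
    """
    runs = {}  # (client, url) -> [count, last_ts]
    loops = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        ts, client, status, url, peer = e
        key = (client, url)
        if status != 401:
            runs.pop(key, None)  # any non-401 answer ends the run
            continue
        cur = runs.get(key)
        if cur and ts - cur[1] <= window:
            cur[0], cur[1] = cur[0] + 1, ts
        else:
            cur = runs[key] = [1, ts]
        if cur[0] >= min_hits:
            loops[key + (peer,)] = max(loops[key + (peer,)], cur[0])
    return dict(loops)

# Constructed sample: the first client never gets past 401 on autodiscover,
# the second completes a normal two-challenge NTLM handshake on /owa/.
SAMPLE_LOG = """\
1293624558.829 2 231.231.231.231 TCP_MISS/401 775 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624558.890 2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624559.015 2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
1293624560.100 4 198.51.100.20 TCP_MISS/401 775 GET https://webmail.example.org/owa/ - FIRST_UP_PARENT/mail.example.org text/html
1293624560.150 4 198.51.100.20 TCP_MISS/401 442 GET https://webmail.example.org/owa/ - FIRST_UP_PARENT/mail.example.org text/html
1293624560.300 40 198.51.100.20 TCP_MISS/200 5120 GET https://webmail.example.org/owa/ - FIRST_UP_PARENT/mail.example.org text/html
""".splitlines()
```

Run it against a real access.log with `find_auth_loops(open(path))`; a `==> file <==` header or blank line is simply skipped by `parse_line`.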
