Re: [squid-users] Exchange reverse proxy

From: Hugo Monteiro <hugo.monteiro_at_fct.unl.pt>
Date: Mon, 03 Jan 2011 10:45:46 +0000

Sorry for top posting, but can anyone share some knowledge regarding this?

Thanks,

Hugo Monteiro.

On 12/29/2010 12:19 PM, Hugo Monteiro wrote:
> Hello list,
>
> I have a Windows Server 2008 with Exchange 2007, in a DMZ, which I
> would like to access using a reverse proxy from the outside. I have
> set up Squid as per the example in
>
> http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
>
> Squid is version 3.1.3 from Debian backports and the configuration
> follows:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl localhost src ::1/128
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl to_localhost dst ::1/128
> cache_peer mail.example.org parent 443 0 no-query proxy-only originserver login=PASS ssl sslflags=DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN connection-auth=on
> acl EXCH dstdomain .webmail.example.org
> cache_peer_access mail.example.org allow EXCH
> cache_peer_access mail.example.org deny all
> never_direct allow EXCH
> http_access allow EXCH
> http_access deny all
> miss_access allow EXCH
> miss_access deny all
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 443 # https
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_port 80
> https_port 123.123.123.123:443 cert=/etc/ssl/certs/mail.example.org.pem key=/etc/ssl/private/mail.example.org.key cafile=/etc/ssl/certs/cabundle.pem defaultsite=webmail.example.org connection-auth=on
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid3
> refresh_pattern . 0 20% 4320
>
>
> mail.example.org is the exchange server and webmail.example.org is the
> squid proxy server.
>
> squid was compiled with
>
> --datadir=/usr/share/squid3 \
> --sysconfdir=/etc/squid3 \
> --mandir=/usr/share/man \
> --with-cppunit-basedir=/usr \
> --enable-inline \
> --enable-async-io=8 \
> --enable-storeio="ufs,aufs,diskd" \
> --enable-removal-policies="lru,heap" \
> --enable-delay-pools \
> --enable-cache-digests \
> --enable-underscores \
> --enable-icap-client \
> --enable-follow-x-forwarded-for \
> --enable-auth="basic,digest,ntlm,negotiate" \
> --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domain-NTLM" \
> --enable-ntlm-auth-helpers="smb_lm," \
> --enable-digest-auth-helpers="ldap,password" \
> --enable-negotiate-auth-helpers="squid_kerb_auth" \
> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \
> --enable-arp-acl \
> --enable-esi \
> --enable-ipv6 \
> --enable-ssl \
> --disable-translation \
> --with-logdir=/var/log/squid3 \
> --with-pidfile=/var/run/squid3.pid \
> --with-filedescriptors=65536 \
> --with-large-files \
> --with-default-user=proxy
>
>
> Access to OWA works just fine, but I am not able to access it
> through the Outlook client. The autodiscover process is working properly
> and I get the first requests on the Squid proxy, but then the client
> isn't able to complete the account setup process. I get a recurring
> auth popup in the email account setup wizard and I get the following
> in the Squid logs:
>
> ==> /var/log/squid3/access.log <==
> 1293624558.829 2 231.231.231.231 TCP_MISS/401 775 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
> 1293624558.890 2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html
>
> ==> /var/log/squid3/cache.log <==
> 2010/12/29 12:09:18| statusIfComplete: Request not yet fully sent "POST https://webmail.example/autodiscover/autodiscover.xml"
>
> If I understood correctly, TCP_MISS/401 means there was an auth
> problem. I have enabled basic auth in Exchange and I have tested it
> using a web browser. It starts by trying to use NTLM (which has to be
> enabled also) and then falls back to basic auth, and it does work.
>
>
> Any help is much appreciated. Also, if someone knows of documentation
> regarding this type of setup, I would be glad to check it out.
>
> Best Regards,
>
> Hugo Monteiro.
>

-- 
fct.unl.pt:~# cat .signature
Hugo Monteiro
Email	 : hugo.monteiro_at_fct.unl.pt
Phone    : +351 212948300 Ext.15307
Web      : http://hmonteiro.net
IT Division (Divisão de Informática)
Faculdade de Ciências e Tecnologia da
		   Universidade Nova de Lisboa
Quinta da Torre   2829-516 Caparica   Portugal
Phone: +351 212948596   Fax: +351 212948548
www.fct.unl.pt                apoio_at_fct.unl.pt
fct.unl.pt:~# _
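Two things a reviewer would flag in the posted squid.conf, shown here as an added example (not from the original post or from the Squid wiki page it follows). First, the cache_peer line disables every TLS check towards the Exchange backend (DONT_VERIFY_PEER, NO_DEFAULT_CA, DONT_VERIFY_DOMAIN); since login=PASS forwards the user's own credentials to that peer, anything able to answer on the path to mail.example.org:443 could impersonate the backend and receive them. Squid 3.1 can verify the peer with sslcafile= and ssldomain= instead. Second, http_access rules are evaluated top down and the first match wins, so the "http_access deny all" placed straight after "http_access allow EXCH" ends evaluation and the manager, Safe_ports and CONNECT rules below it are never reached. The CA bundle path is an assumption; the rest uses the names from the post.

```conf
# As posted: TLS to the Exchange backend with every certificate check disabled.
cache_peer mail.example.org parent 443 0 no-query proxy-only originserver login=PASS ssl connection-auth=on sslflags=DONT_VERIFY_PEER,NO_DEFAULT_CA,DONT_VERIFY_DOMAIN

# Hardened: verify the backend certificate against a bundle holding the CA that
# issued mail.example.org's certificate, and check the name on it. The path
# /etc/ssl/certs/exchange-ca.pem is assumed for this example.
cache_peer mail.example.org parent 443 0 no-query proxy-only originserver login=PASS ssl connection-auth=on sslcafile=/etc/ssl/certs/exchange-ca.pem ssldomain=mail.example.org

# Generic safety rules first, the site rule last; with the posted order the
# "deny all" after "allow EXCH" makes every later http_access line dead.
acl EXCH dstdomain .webmail.example.org
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow EXCH
http_access deny all
```

If the Exchange certificate is issued by an internal CA, that CA's certificate is what goes into the bundle; the public bundle already used for cafile= on https_port will not contain it.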
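TCP_MISS/401 in that access.log is really two fields: TCP_MISS is Squid's own cache result (the reply was not served from cache, which is what proxy-only asks for) and 401 is the status the Exchange server returned through the peer. Two 401s in a row for the same client and URL are normal at the start of an NTLM handshake (the challenge list, then the Type 2 message); a run of them with no 2xx afterwards is the loop the post describes. The script below is an added example, not code from the post or from Squid: it parses native-format access.log lines, separates those two fields, and flags client/URL pairs that receive three or more consecutive 401s inside a short window. The sample lines are constructed for the example, modelled on the two in the post.

```python
"""Triage a Squid native-format access.log for authentication loops.

Added example for this thread (not code from the post or from Squid).
The sample log lines are constructed, modelled on the two in the post.
"""
import re
from collections import Counter, defaultdict

# Native access.log layout (the format the post shows):
# timestamp elapsed_ms client squid_result/http_status bytes method url ident hierarchy/peer mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample log. 231.231.231.231 is Outlook's autodiscover: four 401s
# and never a 2xx. 198.51.100.7 is a browser on OWA: one challenge, then a 200,
# which is a handshake that completed. The last line is deliberately malformed.
SAMPLE_LOG = [
    "1293624558.829 2 231.231.231.231 TCP_MISS/401 775 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html",
    "1293624558.890 2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html",
    "1293624559.102 3 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html",
    "1293624559.350 2 231.231.231.231 TCP_MISS/401 442 POST https://webmail.example.org/autodiscover/autodiscover.xml - FIRST_UP_PARENT/mail.example.org text/html",
    "1293624600.010 5 198.51.100.7 TCP_MISS/401 512 GET https://webmail.example.org/owa/ - FIRST_UP_PARENT/mail.example.org text/html",
    "1293624601.420 180 198.51.100.7 TCP_MISS/200 34210 GET https://webmail.example.org/owa/ - FIRST_UP_PARENT/mail.example.org text/html",
    "garbage line",
]


def parse_line(line):
    """Parse one native-format line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = float(entry["ts"])
    entry["elapsed"] = int(entry["elapsed"])
    entry["status"] = int(entry["status"])
    entry["size"] = int(entry["size"])
    return entry


def count_statuses(lines):
    """Counter of (squid_result, http_status) pairs, for a quick overview."""
    counts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry:
            counts[(entry["result"], entry["status"])] += 1
    return counts


def find_auth_loops(lines, min_repeats=3, window=5.0):
    """Return {(client, url): longest_run} for pairs whose longest run of
    consecutive 401s, each within `window` seconds of the previous request,
    is at least `min_repeats`. Any non-401 reply ends the run."""
    by_key = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            by_key[(entry["client"], entry["url"])].append((entry["ts"], entry["status"]))

    loops = {}
    for key, events in by_key.items():
        events.sort()
        best = run = 0
        prev_ts = None
        for ts, status in events:
            if status != 401:
                run = 0
            elif prev_ts is not None and ts - prev_ts <= window:
                run += 1
            else:
                run = 1
            best = max(best, run)
            prev_ts = ts
        if best >= min_repeats:
            loops[key] = best
    return loops


if __name__ == "__main__":
    for (result, status), n in sorted(count_statuses(SAMPLE_LOG).items()):
        print(f"{result}/{status}: {n}")
    for (client, url), run in sorted(find_auth_loops(SAMPLE_LOG).items()):
        print(f"{client} received {run} consecutive 401s for {url}")
```

Run it against a real log with `find_auth_loops(open("/var/log/squid3/access.log"))`; lowering `window` separates a tight client retry loop from a user re-typing a password, and a 2xx in the middle of the run is what distinguishes a completed NTLM handshake from one that never finishes.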
Received on Mon Jan 03 2011 - 10:45:49 MST

This archive was generated by hypermail 2.2.0 : Mon Jan 03 2011 - 12:00:00 MST