[squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

From: Isenberg, Holger <isenberg_at_e-spirit.com>
Date: Thu, 19 Jan 2012 10:13:06 +0100

Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC over https) and Active Sync for an Exchange 2010?

Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https for Outlook Anywhere and Active Sync for Outlook mobile devices like Android and iPhone, I had some success, but problems with some Active Sync clients are still a show stopper.

RPC over https works fine with that squid version.

The problem is the very first http OPTIONS request for Active Sync, which uses http Basic Authentication, from an Android with TouchDown as the client app. The cache.log shows the following request and response:

Mobile sending:
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com

Squid sending to IIS (Basic dGV... is the same as above):
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
Cache-Control: max-age=259200
Connection: keep-alive

IIS responding:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="webmail.domain.com"
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2012 14:38:32 GMT
Content-Length: 1344

There the connection is closed by the client. Maybe the headers added by squid are not accepted by IIS? Is there any parameter to disable adding Surrogate-Capability, Cache-Control and Connection to the forwarded request?

/opt/squid32/sbin/squid -v
Squid Cache: Version 3.2.0.13
configure options: '--prefix=/opt/squid32' '--enable-ssl'

squid.conf:

cache_effective_user squidext
cache_effective_group squidext
pid_filename /var/run/squidext.pid

acl srcall src all
acl EXCH dstdomain webmail.domain.com

ssl_unclean_shutdown on

httpd_suppress_version_string on
cache_mgr noemailaddress
visible_hostname webmail.domain.com

# Internet connector
https_port 172.17.200.25:443 accel cert=/etc/ssl/certs/webmail.domain.com.pem \
   key=/etc/ssl/certs/webmail.domain.com.pem defaultsite=webmail.domain.com

# destination server (IIS for Exchange)
cache_peer 192.168.100.24 parent 443 0 \
        ssl sslflags=DONT_VERIFY_PEER \
        sslcert=/etc/ssl/certs/webmail.domain.com.pem sslkey=/etc/ssl/certs/webmail.domain.com.pem \
        proxy-only no-query no-digest front-end-https=on sourcehash round-robin originserver \
        login=PASSTHRU name=exchange forceddomain=webmail.domain.com

debug_options ALL,2
logformat combined %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log stdio:/var/log/squidext/access.log combined
cache_log /var/log/squidext/cache.log

never_direct allow EXCH
http_access allow EXCH
http_access deny srcall
cache_peer_access exchange allow EXCH
cache_peer_access exchange deny srcall

via off
forwarded_for transparent

#eof
Received on Thu Jan 19 2012 - 09:14:20 MST
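The question above is really "what did squid change between the client's request and the copy IIS saw, and does the 401 tell us anything?". The following script is an added example, not code from the squid-users thread or from the Squid project: it parses the two request dumps quoted in the post (constructed here verbatim, with the Basic credential masked the same way and using one identical token for both copies, since the poster says they are the same), reports which headers the proxy added, removed or changed, separates hop-by-hop headers a proxy may rewrite from end-to-end ones, checks that the `Authorization` value survived `login=PASSTHRU` unchanged, and parses the `WWW-Authenticate` challenge so a scheme mismatch (for example an origin that only offers NTLM or Negotiate) is visible at a glance. All function names (`parse_request`, `diff_forwarded`, `parse_challenge`) are this example's own.

```python
"""Diff a client's raw HTTP request against the copy a reverse proxy forwarded.

Added example: the two request dumps below are constructed from the
squid-users post's cache.log excerpt, credential masked as in the post.
"""
import re
from typing import Dict, List, Tuple

# Hop-by-hop headers a proxy is allowed to rewrite or drop (RFC 2616 13.5.1).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}

# Constructed from the post: what the TouchDown client sent to squid.
CLIENT_REQUEST = """\
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com
"""

# Constructed from the post: what squid forwarded to IIS (same masked token).
FORWARDED_REQUEST = """\
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
Cache-Control: max-age=259200
Connection: keep-alive
"""


def parse_request(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request into its request line and a name -> values map.

    Header names are lower-cased (they are case-insensitive); repeated
    headers keep every value in order; obsolete line folding is joined.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    request_line = lines[0].strip()
    headers: Dict[str, List[str]] = {}
    last = None
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and last is not None:
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return request_line, headers


def diff_forwarded(client_raw: str, forwarded_raw: str) -> dict:
    """Report what the proxy changed on the request's way to the origin."""
    c_line, c_hdr = parse_request(client_raw)
    f_line, f_hdr = parse_request(forwarded_raw)
    added = sorted(set(f_hdr) - set(c_hdr))
    return {
        "request_line_changed": c_line != f_line,
        "added_end_to_end": [n for n in added if n not in HOP_BY_HOP],
        "added_hop_by_hop": [n for n in added if n in HOP_BY_HOP],
        "removed": sorted(set(c_hdr) - set(f_hdr)),
        "changed": sorted(n for n in set(c_hdr) & set(f_hdr) if c_hdr[n] != f_hdr[n]),
        # login=PASSTHRU means the origin should see the client's credential untouched
        "authorization_intact": c_hdr.get("authorization") == f_hdr.get("authorization"),
    }


_PARAM = re.compile(r'([A-Za-z0-9_-]+)=(?:"([^"]*)"|([^,\s]*))')


def parse_challenge(value: str) -> Tuple[str, Dict[str, str]]:
    """Parse a WWW-Authenticate value into (scheme, parameters)."""
    scheme, _, rest = value.strip().partition(" ")
    params = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM.finditer(rest)}
    return scheme.lower(), params


if __name__ == "__main__":
    for key, val in diff_forwarded(CLIENT_REQUEST, FORWARDED_REQUEST).items():
        print(f"{key}: {val}")
    print("challenge:", parse_challenge('Basic realm="webmail.domain.com"'))
```

Run against the post's dumps, the report shows that only two end-to-end headers were added (`Cache-Control` and `Surrogate-Capability`), nothing was removed or altered, `Connection: keep-alive` was carried through unchanged, and the credential reached IIS intact. The 401 carries a `Basic` challenge with the same realm, so the origin is rejecting (or not processing) the Basic credential rather than asking for a scheme the client did not offer; that narrows the investigation to the two injected headers and to IIS's handling of the OPTIONS request, which is exactly the question the post raises.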