Re: [squid-users] Problems with Active Sync over squid with basic auth. Any successful config for Active Sync and Outlook Anywhere on Exchange 2010 replacing an ISA server?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 19 Jan 2012 23:13:25 +1300

On 19/01/2012 10:13 p.m., Isenberg, Holger wrote:
> Is anyone using squid successfully as reverse proxy for Outlook Anywhere (RPC over https) and Active Sync for an Exchange 2010?
>
> Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https for Outlook Anywhere and Active Sync for Outlook mobile devices like Android and iPhone, I had some success, but problems with some Active Sync clients are still a show stopper.
>
> RPC over https works fine with that squid version.
>
> The problem is the very first http OPTIONS request for Active Sync which is using http Basic Authentication from an Android with TouchDown as client app. The cache.log shows the following request and response:
>
> Mobile sending:
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> User-Agent: TouchDown(MSRPC)/7.1.00012/
> TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
> Connection: keep-alive
> X-MS-PolicyKey: 0
> MS-ASProtocolVersion: 2.5
> Authorization: Basic dGVxxxxxxxxxxxxxxxxxx==
> Content-Length: 0
> Host: webmail.domain.com
>
> Squid sending to IIS (Basic dGV... is the same as above):
> OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
> User-Agent: TouchDown(MSRPC)/7.1.00012/
> TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
> X-MS-PolicyKey: 0
> MS-ASProtocolVersion: 2.5
> Authorization: Basic dGVxxxxxxxxxxxxxxxxxxx==
> Content-Length: 0
> Host: webmail.domain.com
> Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
> Cache-Control: max-age=259200
> Connection: keep-alive
>
> IIS responding:
> HTTP/1.1 401 Unauthorized
> Content-Type: text/html
> Server: Microsoft-IIS/7.5
> WWW-Authenticate: Basic realm="webmail.domain.com"
> X-Powered-By: ASP.NET
> Date: Wed, 18 Jan 2012 14:38:32 GMT
> Content-Length: 1344
>
> There the connection is closed by the client. Maybe the headers added by squid are not accepted by IIS? Is there any parameter to disable adding Surrogate-Capability, Cache-Control and Connection to the forwarded request?

401 status means the header not being accepted is the "Authorization:"
header.

Connection is unchanged from what was passed to Squid, just re-positioned.

Surrogate-Capability is a bit new yes, but HTTP requires ignoring
unsupported headers. IIS would be incapable of performing regular HTTP
traffic if it were that sensitive to unknown headers coming from
clients. Weird stuff is the norm rather than the exception in HTTP.

To debug further you can try opening a connection to IIS with telnet and
send variations of those headers to it cut-n-paste style. Or use the
squidclient tool to tailor the request particulars.

Amos
Received on Thu Jan 19 2012 - 10:13:34 MST
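
The header-variation test suggested in the reply above, as an added example that is not part of the original thread: it replays the forwarded OPTIONS request with each header that appears only in Squid's copy removed in turn and records the backend's status code for each variant. The credential is a constructed placeholder, and the function names, the `SQUID_ADDED` list and the host/port passed to `run` are assumptions of this sketch.

```python
import socket
import ssl

# Request as Squid forwarded it (taken from the cache.log excerpt in the thread).
# The Authorization value is a constructed placeholder, not a real credential.
BASE = [
    ("User-Agent", "TouchDown(MSRPC)/7.1.00012/"),
    ("X-MS-PolicyKey", "0"),
    ("MS-ASProtocolVersion", "2.5"),
    ("Authorization", "Basic dXNlcjpwbGFjZWhvbGRlcg=="),
    ("Content-Length", "0"),
    ("Host", "webmail.domain.com"),
    ("Surrogate-Capability", 'webmail.domain.com="Surrogate/1.0"'),
    ("Cache-Control", "max-age=259200"),
    ("Connection", "keep-alive"),
]
# Headers present in Squid's request but absent from the client's.
SQUID_ADDED = ("Surrogate-Capability", "Cache-Control")

def build_request(headers, drop=()):
    """Serialize the OPTIONS request, omitting header names listed in drop."""
    skip = {d.lower() for d in drop}
    lines = ["OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1"]
    lines += [f"{k}: {v}" for k, v in headers if k.lower() not in skip]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def variants(headers=BASE):
    """Yield (label, raw request): as forwarded, minus each added header, minus all."""
    yield "as-forwarded", build_request(headers)
    for name in SQUID_ADDED:
        yield f"without {name}", build_request(headers, drop=[name])
    yield "without all added", build_request(headers, drop=SQUID_ADDED)

def probe(host, port, raw, use_tls=False, timeout=5.0):
    """Send one raw request and return the numeric status code of the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rb") as reply:
        sock.sendall(raw)
        status_line = reply.readline().decode("latin-1")
    return int(status_line.split()[1])

def run(host, port, use_tls=False):
    """Map each variant label to the status code the backend returned."""
    return {label: probe(host, port, raw, use_tls) for label, raw in variants()}
```

If every variant returns the same 401, the added headers are ruled out and attention goes back to the Authorization header, as the reply states.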