Dear all,
We want to set up the following:
______ https _____ http _________
|Client|--------->|FW1|-------->|OWA 200|
~~~~~ ~~~~~ ~~~~~~~~
The client accesses an Outlook Web Access 2000 server as a virtual
server on the firewall (http://firewall.bla.com/owa maps to
http://intranet-name/).
However, the OWA server passes some URLs back which are in the form of
http://firewall.bla.com/exchange.
This would terminate the encrypted connection and will not work in our
configuration.
We found an MS knowledge base article which describes this:
http://support.microsoft.com/support/kb/articles/Q260/7/72.ASP?LN=EN-US&SD=gn&FR=0&qry=OWA%20front-end-https&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=EXCH2K
CAUSE
This problem is caused because the back-end server sometimes needs to
send the client URLs to items, such as when the OWA client retrieves a
list of messages in the inbox. When the client uses SSL to connect to
the front-end server, the front-end server terminates the SSL connection
and HTTP traffic between the front-end server and back-end server is in
clear text. The front-end server notifies the back-end server that SSL
was used so that when returning URLs, the back-end uses https:// instead
of http://. The front-end server notifies the back-end server that SSL
was used by passing in this HTTP header with each request:
Front-End-Https: On
When the back-end server receives this header in a request, it sends
back https:// URLs instead of http:// when it responds. When there is a
separate server between the client and front-end that terminates the SSL
connection, it needs to be able to add this header to notify the
front-end server that SSL was used so that the front-end can in turn
notify the back-end.
RESOLUTION
To resolve this problem, configure the proxy server to add the following
header on upstream requests when OWA SSL requests are received:
Front-End-Https: On
If the server cannot add this header, then you can also configure that
server to re-initiate SSL between itself and the front-end. Although
there is a performance hit for this, it ensures that the front-end
server adds the header when it proxies the requests to the back-end
server.
Is there a way to add the mentioned header to the stream?
Regards,
Frank Breedijk
ICT Security Officer
T: +31 20 88 78 113
F: +31 20 88 78 101
M: +31 6 29 007 623
E: [EMAIL PROTECTED]
http://www.interxion.com/ <http://www.interxion.com/>
Interxion HeadQuarters BV
Gyroscoopweg 144
1042 AZ Amsterdam
The Netherlands
where the internet lives
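Added example (not part of the original message or the Microsoft article): one way an SSL-terminating proxy could add the header described above to each request before forwarding it upstream in clear text. The function name and the sample request are constructed for illustration; dropping a client-supplied copy of the header is an added precaution, not something the article states.

```python
# Added example: rewrite a raw HTTP/1.x request so it carries
# "Front-End-Https: On" only when the proxy itself terminated SSL.
# add_front_end_https and SAMPLE are hypothetical names, not a product API.

HEADER = b"Front-End-Https"


def add_front_end_https(raw_request: bytes, client_used_ssl: bool) -> bytes:
    """Return the request as it should be sent upstream over plain HTTP."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header section not terminated")
    request_line, *header_lines = head.split(b"\r\n")

    kept = []
    dropping = False  # True while skipping a header and its folded lines
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            # Continuation of the previous header (obsolete line folding).
            if not dropping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip()
        # Assumption (added precaution): never forward a copy sent by the
        # client; only the proxy knows whether the connection was SSL.
        dropping = name.lower() == HEADER.lower()
        if not dropping:
            kept.append(line)

    if client_used_ssl:
        kept.append(HEADER + b": On")
    return b"\r\n".join([request_line, *kept]) + sep + body


# Constructed sample: a client request that already carries the header.
SAMPLE = (
    b"GET /owa HTTP/1.1\r\n"
    b"Host: firewall.bla.com\r\n"
    b"front-end-https: On\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(add_front_end_https(SAMPLE, client_used_ssl=True).decode())
    print(add_front_end_https(SAMPLE, client_used_ssl=False).decode())
```

The body after the blank line is passed through untouched, so Content-Length stays valid.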