Re: [squid-users] OWA on Exchange 2003 proxy
Henrik Nordstrom wrote:
> On Mon, 22 Mar 2004, Alan Lehman wrote:
>
>> It is. I have login=pass, and authentication = basic (only) on Exchange.
>
> needs to be login=PASS (or login=PROXYPASS depending on your setup)
>
> Regards
> Henrik

That works. Sorry to be so dense. Thanks for all your help.
RE: [squid-users] OWA on Exchange 2003 proxy
On Mon, 22 Mar 2004, Alan Lehman wrote:

> It is. I have login=pass, and authentication = basic (only) on Exchange.

needs to be login=PASS (or login=PROXYPASS depending on your setup)

Regards
Henrik
Re: [squid-users] OWA on Exchange 2003 proxy
On Sun, 21 Mar 2004, Alan Lehman wrote:

> I tried 'login=pass' - no change. Any other ideas?
>
> I've experimented with the Exchange/IIS authentication setting. The results seem to be the same regardless of the setting. Should it be set for basic authentication only?

Basic needs to be enabled.

Regards
Henrik
RE: [squid-users] OWA on Exchange 2003 proxy
> On Sun, 21 Mar 2004, Alan Lehman wrote:
>
>> I tried 'login=pass' - no change. Any other ideas?
>>
>> I've experimented with the Exchange/IIS authentication setting. The results seem to be the same regardless of the setting. Should it be set for basic authentication only?
>
> Basic needs to be enabled.
>
> Regards
> Henrik

It is. I have login=pass, and authentication = basic (only) on Exchange. That was my last attempt that failed. Sorry if that wasn't clear.

Thanks,
Alan
Re: [squid-users] OWA on Exchange 2003 proxy
Henrik Nordstrom wrote:
> On Sat, 20 Mar 2004, Alan Lehman wrote:
>
>> I am still not able to authenticate to Exchange. My client presents the userid/password dialog, but it refuses to grant access. I've tried IE6 and Mozilla 1.6. It appears Exchange is not receiving the user credentials.
>
> Have you told Squid to forward the login information? (see cache_peer).
>
> Regards
> Henrik

I tried 'login=pass' - no change. Any other ideas?

I've experimented with the Exchange/IIS authentication setting. The results seem to be the same regardless of the setting. Should it be set for basic authentication only?

Thanks
Alan
Re: [squid-users] OWA on Exchange 2003 proxy
Henrik Nordstrom wrote:
> On Tue, 9 Mar 2004, Alan Lehman wrote:
>
>> I tried cache_peer with and without 'originserver':
>>
>> cache_peer w.x.y.z parent 80 0 no-query originserver front-end-https=on
>>
>> and got this result:
>>
>> 1078805391.337 3 65.26.58.221 TCP_MISS/401 402 GET https://owa.gbutler.com/exchange/ - FIRST_UP_PARENT/w.x.y.z text/html
>
> Ok. This worked fine.
>
>> Is squid passing the request to OWA as https? I need it to be http.
>
> The request was passed as http with instructions to OWA that the end-user was actually accessing the service using https:// using a SSL frontend server in front of the OWA (your Squid).
>
> If you want to use https between Squid and the OWA then configure the cache_peer as an ssl peer.
>
> Regards
> Henrik

I am still not able to authenticate to Exchange. My client presents the userid/password dialog, but it refuses to grant access. I've tried IE6 and Mozilla 1.6. It appears Exchange is not receiving the user credentials.

When I attempt to authenticate via squid I get something like this in the Exchange log:

2004-03-11 02:15:18 172.16.4.64 GET /exchange - 80 - w.x.y.z Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.6)+Gecko/20040113 401 2 2148074254

But when I connect directly to Exchange, it works and I see this (note the 'win\[userid]'):

2004-03-11 00:20:51 172.16.4.64 GET /exchange/[userid]/ - 80 win\[userid] a.b.c.d Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+Win+9x+4.90;+Q312461) 200 0 0

Thanks,
Alan
Re: [squid-users] OWA on Exchange 2003 proxy
On Sat, 20 Mar 2004, Alan Lehman wrote:

> I am still not able to authenticate to Exchange. My client presents the userid/password dialog, but it refuses to grant access. I've tried IE6 and Mozilla 1.6. It appears Exchange is not receiving the user credentials.

Have you told Squid to forward the login information? (see cache_peer).

Regards
Henrik
Re: [squid-users] OWA on Exchange 2003 proxy
On Tue, 9 Mar 2004, Alan Lehman wrote:

> I tried cache_peer with and without 'originserver':
>
> cache_peer w.x.y.z parent 80 0 no-query originserver front-end-https=on
>
> and got this result:
>
> 1078805391.337 3 65.26.58.221 TCP_MISS/401 402 GET https://owa.gbutler.com/exchange/ - FIRST_UP_PARENT/w.x.y.z text/html

Ok. This worked fine.

> Is squid passing the request to OWA as https? I need it to be http.

The request was passed as http with instructions to OWA that the end-user was actually accessing the service using https:// using a SSL frontend server in front of the OWA (your Squid).

If you want to use https between Squid and the OWA then configure the cache_peer as an ssl peer.

Regards
Henrik
Re: [squid-users] OWA on Exchange 2003 proxy
Henrik Nordstrom wrote:
> On Mon, 8 Mar 2004, Alan Lehman wrote:
>
>> I am seeing this same problem with the following config. My OWA server listens for http connections on port 80. I want the clients to connect to squid with https on port 443.
>
> For this you must use squid-3 configured to use origin server class cache_peer for forwarding.
>
> Regards
> Henrik

I am using squid3.0-PRE3. Sorry I forgot to state that.

I tried cache_peer with and without 'originserver':

cache_peer w.x.y.z parent 80 0 no-query originserver front-end-https=on

and got this result:

1078805391.337 3 65.26.58.221 TCP_MISS/401 402 GET https://owa.gbutler.com/exchange/ - FIRST_UP_PARENT/w.x.y.z text/html

Is squid passing the request to OWA as https? I need it to be http.

Thanks,
Alan
Re: [squid-users] OWA on Exchange 2003 proxy
Eric Kahklen wrote:
> I just ran across your post. You are using Exchange 2003 correct?? Why are you setting this up? security?? I have a howto I am setting up to use with Exchange 2000.
>
> Eric

Yes, it is Exchange 2003. I am doing it primarily for security. I would be interested in seeing your howto when it is available.

Thanks,
Alan
Re: [squid-users] OWA on Exchange 2003 proxy
Henrik Nordstrom wrote:
> On Fri, 31 Oct 2003, Jonathan Giles wrote:
>
>> 1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/exchange - FIRST_UP_PARENT/owa.clinedavis.com text/html
>>
>> TCP_MISS means that the page wasn't in the cache, so I should just ignore it right?
>
> Right.. but the /400 code indicates a fatal error returned by the contacted server. Try specifying the OWA Server by IP address in your cache_peer directive. I think that your Squid for some reason is talking to itself instead of the owa server in this configuration.
>
>>> Note: You do not need to specify the server by name in cache_peer. Using IP addresses is fine here.
>>
>> but the name should work right?
>
> Yes.
>
> Regards
> Henrik

I am seeing this same problem with the following config. My OWA server listens for http connections on port 80. I want the clients to connect to squid with https on port 443.

etc/squid.conf:

https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem defaultsite=owa.gbutler.com
cache_peer w.x.y.z parent 80 0 no-query front-end-https=on

etc/hosts:

w.x.y.z owa.gbutler.com

result:

Bad Request (Invalid URL)

1078805575.510 6 65.26.58.221 TCP_MISS/400 253 GET https://owa.gbutler.com/exchange/ - FIRST_UP_PARENT/w.x.y.z text/html

If I add 'login=pass' to cache_peer, I get the same result:

1078805481.996 6 65.26.58.221 TCP_MISS/400 253 GET https://owa.gbutler.com/exchange/ - FIRST_UP_PARENT/w.x.y.z text/html

If I add 'originserver' to cache_peer, then it prompts for a login, but will not authenticate:

1078805391.337 3 65.26.58.221 TCP_MISS/401 402 GET https://owa.gbutler.com/exchange/ - FIRST_UP_PARENT/w.x.y.z text/html

It seems to work fine if I configure for http clients on port 80. Do I need to do something else to use https clients with OWA on http?

Thanks,
Alan Lehman
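A toy model of the Squid-to-OWA hop, added here as an example and not code from the thread or from Squid: it reproduces the three outcomes Alan lists above (400 without originserver, 401 with originserver but no forwarded credentials, success only once login=PASS is set, with lowercase login=pass not recognised, as Henrik points out on 22 Mar). The request-building and origin logic are simplified models of the behaviour observed in the thread's logs; the header name Front-End-Https is the one Squid's cache_peer documentation uses for what Henrik calls the X-Front-End-HTTPS header, and the Basic credential is constructed.

```python
"""Toy model (added example, not Squid's code) of the proxy -> OWA hop: what a
reverse proxy sends upstream under each cache_peer variant tried in this thread,
and how the IIS/OWA origin in the thread's logs reacted to it."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

CLIENT_URL = "https://owa.gbutler.com/exchange/"      # URL from the thread
CLIENT_AUTH = {"Authorization": "Basic dXNlcjpwYXNz"}   # constructed credentials


@dataclass
class PeerOptions:
    originserver: bool = False      # cache_peer ... originserver
    front_end_https: bool = False   # cache_peer ... front-end-https=on
    login: Optional[str] = None     # cache_peer ... login=PASS (case-sensitive)


def build_upstream_request(url: str, client_headers: Dict[str, str],
                           opts: PeerOptions) -> Tuple[str, Dict[str, str]]:
    """Request line and headers the proxy would send to the peer."""
    parts = urlsplit(url)
    # A plain parent peer gets a proxy-style absolute URL; an origin server
    # peer gets the path only, with the client's Host header preserved.
    target = (parts.path or "/") if opts.originserver else url
    headers = {"Host": parts.hostname}
    if opts.front_end_https:
        headers["Front-End-Https"] = "On"   # Squid's name for the OWA hint header
    creds = client_headers.get("Authorization")
    if creds and opts.login in ("PASS", "PROXYPASS"):
        headers["Authorization"] = creds    # forwarded only with login=PASS
    return f"GET {target} HTTP/1.1", headers


def owa_origin_response(request_line: str, headers: Dict[str, str]) -> int:
    """IIS/OWA origin behaviour as observed in the thread's access logs."""
    target = request_line.split()[1]
    if target.startswith(("http://", "https://")):
        return 400   # "Bad Request (Invalid URL)"
    if "Authorization" not in headers:
        return 401   # login prompt; Basic must be enabled on IIS
    return 200


def simulate(opts: PeerOptions, with_credentials: bool = True) -> int:
    """Status the browser ends up seeing for one cache_peer configuration."""
    line, hdrs = build_upstream_request(
        CLIENT_URL, CLIENT_AUTH if with_credentials else {}, opts)
    return owa_origin_response(line, hdrs)
```

Running simulate() for the four variants in the thread gives 400, 400, 401 and 200 in turn, and 401 again when the browser sends no credentials at all.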
Re: [squid-users] OWA on Exchange 2003 proxy
Thanks again for the help Henrik. Answers to your questions are below.

On Thursday, October 30, 2003, at 05:57 PM, Henrik Nordstrom wrote:

> On Thu, 30 Oct 2003, Jonathan Giles wrote:
>
>> in squid.conf in ver. 3, these are the options I have made:
>>
>> https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
>> cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on
>>
>> --- in /etc/hosts ---
>> 10.1.16.67 owa.clinedavis.com
>> ---
>>
>> and when I go to the squid server I get this...
>>
>> Bad Request (Invalid URL)
>
> Hmm.. you should not be seeing this error.

I am confused as well. What does it mean?

>> in access.log I get this
>>
>> 1067539553.232 1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
>
> What was the first entry? This is a cache hit for an error which occurred earlier.

you are probably right. These are definitely associated with the session:

1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/exchange - FIRST_UP_PARENT/owa.clinedavis.com text/html

TCP_MISS means that the page wasn't in the cache, so I should just ignore it right?

>> 1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html
>
> This looks better.
>
>> when I change the ip in etc/hosts to some other web server, it works.
>
> Does the OWA server listen on 10.1.16.67 port 80?

yes.

> Note: You do not need to specify the server by name in cache_peer. Using IP addresses is fine here.

but the name should work right?

>> In squid2 this following config works, but still has that not loading folders problem.
>
> What URL is the client asking for? For this to work the client must be asking for https://owa.clinedavis.com/

yup what the client is asking for is https://owa.clinedavis.com/exchange

> Regards
> Henrik

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
---
Privileged/Confidential Information may be contained in this message. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone. In such case, you should destroy this message and kindly notify the sender by reply e-mail. Please advise immediately if you or your employer do not consent to Internet e-mail of this kind. Opinions, conclusions, and other information in this message that do not relate to the official business of CDM shall be understood as neither given nor endorsed by it.
Re: [squid-users] OWA on Exchange 2003 proxy
On Fri, 31 Oct 2003, Jonathan Giles wrote:

> 1067612977.854 22 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/exchange - FIRST_UP_PARENT/owa.clinedavis.com text/html
>
> TCP_MISS means that the page wasn't in the cache, so I should just ignore it right?

Right.. but the /400 code indicates a fatal error returned by the contacted server. Try specifying the OWA Server by IP address in your cache_peer directive. I think that your Squid for some reason is talking to itself instead of the owa server in this configuration.

>> Note: You do not need to specify the server by name in cache_peer. Using IP addresses is fine here.
>
> but the name should work right?

Yes.

Regards
Henrik
Re: [squid-users] OWA on Exchange 2003 proxy
Thanks again for the help, Henrik. I got squid3 to compile and install, now having trouble getting it to work.

in squid.conf in ver. 3, these are the options I have made:

https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on

--- in /etc/hosts ---
10.1.16.67 owa.clinedavis.com
---

and when I go to the squid server I get this...

Bad Request (Invalid URL)

in access.log I get this

1067539553.232 1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html
1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html

when I change the ip in etc/hosts to some other web server, it works.

In squid2 this following config works, but still has that not loading folders problem.

squid.conf:

https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem
httpd_accel_host owa.clinedavis.com
cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on

Any help would be greatly appreciated.

Thanks,
jg

On Wednesday, October 29, 2003, at 05:00 PM, Henrik Nordstrom wrote:

> On Wed, 29 Oct 2003, Jonathan Giles wrote:
>
>> 1) forms based authentication mode turns on ssl on the exchange server. Https connections fail because it does not like the test cert we put on the exchange server. Is there any way to tell squid to ignore the problem with the ssl test cert on the 2003 exchange server?
>
> If you use Squid-3 then you can tell Exchange that https is added by a frontend server such as Squid. See the cache_peer directive in Squid-3.
>
>> We can skip forms based auths if we can cause squid to time out sessions... Seems as though exchange credentials are stored on the web client, and are not destroyed until the web client is quit.
>
> Correct.
>
>> 2) if using IE on Windows, exchange2003 goes into high gear mode and gives special features to the client, and this does not work on the squid system I configured for exchange2000. I believe there is a redirect that is causing the proxy to spin its gears, as the mail folder list never gets populated with mail messages. So, if someone here has a suggestion with regards to this issue, or if there is a way to stop letting Exchange 2003 know that the client is IE on windows, it would be very helpful.
>
> You quite likely need to use the above Squid-3 feature for this to work properly.. Modern Exchange OWA installations use WebDAV for folder access etc when accessed by MSIE clients and this requires that OWA knows exactly by which means it is accessed. Any front-end server such as a Squid reverse proxy MUST NOT modify the URL (including the host component) and if the front-end uses SSL while using plain HTTP to the OWA server then it must tell so to the OWA by using the custom X-Front-End-HTTPS header.
>
> Regards
> Henrik

---=---=---
Jonathan Giles
Senior Unix Administrator
Cline Davis Mann
Re: [squid-users] OWA on Exchange 2003 proxy
On Thu, 30 Oct 2003, Jonathan Giles wrote:

> in squid.conf in ver. 3, these are the options I have made:
>
> https_port 443 cert=/etc/openssl/cacert.pem key=/etc/openssl/privkey.pem accel defaultsite=owa.clinedavis.com
> cache_peer owa.clinedavis.com parent 80 0 no-query front-end-https=on
>
> --- in /etc/hosts ---
> 10.1.16.67 owa.clinedavis.com
> ---
>
> and when I go to the squid server I get this...
>
> Bad Request (Invalid URL)

Hmm.. you should not be seeing this error.

> in access.log I get this
>
> 1067539553.232 1 10.1.16.100 TCP_NEGATIVE_HIT/400 270 GET https://owa.clinedavis.com/ - NONE/- text/html

What was the first entry? This is a cache hit for an error which occurred earlier.

> 1067543543.673 23 10.1.16.100 TCP_MISS/400 262 GET https://owa.clinedavis.com/ - FIRST_UP_PARENT/owa.clinedavis.com text/html

This looks better.

> when I change the ip in etc/hosts to some other web server, it works.

Does the OWA server listen on 10.1.16.67 port 80?

Note: You do not need to specify the server by name in cache_peer. Using IP addresses is fine here.

> In squid2 this following config works, but still has that not loading folders problem.

What URL is the client asking for? For this to work the client must be asking for https://owa.clinedavis.com/

Regards
Henrik