Hi,

I am trying to set up Squid as an SSL reverse proxy for publishing OWA services (webmail, RPC/HTTP and ActiveSync); currently the publishing is done by an ISA server and I want to replace this ISA Server.

The flow:

Internet => Firewall(NAT) => Squid Reverse Proxy on DMZ( https port 8443) => Firewall(8443 open) => Exchange Server (NLB IP on https port 443)

I can get webmail working well and have not yet tested ActiveSync, but RPC over HTTP doesn't work: I get a 401 error code when I try to log on with Outlook:

Squid access log:

1215017068.440 253 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.291 96 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.537 85 193.251.14.120 TCP_MISS/401 482 RPC_OUT_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html

IIS log:

2008-07-02 13:30:49 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:28 W3SVC1 172.16.18.136 RPC_IN_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:34 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0

The IIS RPC service is configured to use "Windows Integrated Authentication", so I think maybe I need to set up some NTLM auth settings to fix this problem. The GC and DC are on the same LAN as the Exchange server, with no firewall issues with the RPC ports (6001, 6002 and 6004).

I have tried with versions 3.0STABLE7 and 2.7STABLE3.

Does someone have some ideas or solutions to resolve this issue?

Thanks a lot


squid.conf:

# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Publish the RPCoHTTP service via SSL (cert= and defaultsite= are options of
# the same https_port directive and must stay on one line)
https_port <squid_ip>:8443 cert=/etc/apache2/ssl/cert.pem defaultsite=webmail.toto.com

cache_peer <exchange_ip> parent 443 0 no-query originserver front-end-https=auto ssl sslflags=DONT_VERIFY_PEER name=exchangeServer

acl EXCH dstdomain .toto.com
acl all src 0.0.0.0/0.0.0.0
no_cache deny all

#no local caching
maximum_object_size 0 KB
minimum_object_size 0 KB
access_log /usr/local/squid/var/logs/access.log squid

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
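As an added example (not part of the original post or of Squid), here is a small Python triage script that reads the two log excerpts quoted above and reports the symptom being described: an RPC-over-HTTP client that only ever gets 401 back from the origin peer, never an authenticated 2xx, while IIS logs 401.1 with an empty cs-username. The Squid lines are the ones from the post plus one constructed successful OWA hit as a baseline; the IIS column order is an assumption, since the post shows no #Fields header.

```python
# Added example, not from the original post: parse Squid native access.log
# and IIS W3C lines and flag RPC_IN_DATA/RPC_OUT_DATA clients stuck on 401.
from collections import Counter, defaultdict

# Constructed sample: the three Squid lines from the post plus one
# constructed successful OWA request (the last line) as a baseline.
SQUID_LOG = """\
1215017068.440 253 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.291 96 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.537 85 193.251.14.120 TCP_MISS/401 482 RPC_OUT_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?<exchange>:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017090.000 40 193.251.14.120 TCP_MISS/200 1200 GET https://webmail.company.com:8443/owa/ - FIRST_UP_PARENT/exchangeServer text/html
"""

# Constructed sample: the three IIS lines from the post. The column order
# below is an assumption (no #Fields header was quoted).
IIS_LOG = """\
2008-07-02 13:30:49 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:28 W3SVC1 172.16.18.136 RPC_IN_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:34 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll <exchange>:6001 443 - 172.16.18.128 MSRPC 401 1 0
"""
IIS_FIELDS = ["date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
              "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
              "sc-status", "sc-substatus", "sc-win32-status"]

# IIS 401 sub-status meanings relevant to an auth pass-through problem.
IIS_401_SUBSTATUS = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
    5: "authorization failed by ISAPI/CGI application",
}

RPC_METHODS = {"RPC_IN_DATA", "RPC_OUT_DATA"}


def parse_squid_line(line):
    """Parse one Squid 'native' access.log line; return None if malformed."""
    f = line.split()
    if len(f) < 10:
        return None
    result, _, status = f[3].partition("/")      # e.g. TCP_MISS/401
    _, _, peer = f[8].partition("/")             # e.g. FIRST_UP_PARENT/exchangeServer
    return {"ts": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": result, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6], "peer": peer}


def parse_iis_line(line):
    """Parse one IIS W3C line using IIS_FIELDS; return None if malformed."""
    f = line.split()
    if len(f) != len(IIS_FIELDS):
        return None
    rec = dict(zip(IIS_FIELDS, f))
    rec["sc-status"] = int(rec["sc-status"])
    rec["sc-substatus"] = int(rec["sc-substatus"])
    return rec


def find_rpc_auth_failures(squid_log, min_hits=2):
    """Clients whose RPC_IN/OUT_DATA requests got >= min_hits 401s and no 2xx."""
    by_client = defaultdict(Counter)
    peers = defaultdict(set)
    for rec in map(parse_squid_line, squid_log.splitlines()):
        if rec and rec["method"] in RPC_METHODS:
            by_client[rec["client"]][rec["status"]] += 1
            peers[rec["client"]].add(rec["peer"])
    findings = []
    for client, statuses in by_client.items():
        n401 = statuses[401]
        ok = sum(n for s, n in statuses.items() if 200 <= s < 300)
        if n401 >= min_hits and ok == 0:
            findings.append({"client": client, "rpc_401": n401, "rpc_ok": ok,
                             "peers": sorted(peers[client])})
    return findings


def summarize_iis_401s(iis_log):
    """(method, substatus meaning, cs-username) for each 401 on rpcproxy.dll."""
    out = []
    for rec in map(parse_iis_line, iis_log.splitlines()):
        if rec and rec["sc-status"] == 401 and rec["cs-uri-stem"].lower().endswith("/rpcproxy.dll"):
            out.append((rec["cs-method"],
                        IIS_401_SUBSTATUS.get(rec["sc-substatus"], "other"),
                        rec["cs-username"]))
    return out


if __name__ == "__main__":
    for f in find_rpc_auth_failures(SQUID_LOG):
        print("Squid: client %s got %d RPC 401s, %d successes, via peer(s) %s"
              % (f["client"], f["rpc_401"], f["rpc_ok"], ", ".join(f["peers"])))
    for method, why, user in summarize_iis_401s(IIS_LOG):
        print("IIS: %s 401 (%s), authenticated user=%s" % (method, why, user))
```

Reading the two reports together narrows the fault: Squid itself is not refusing anything (its own denials would show as TCP_DENIED, not TCP_MISS/401 via FIRST_UP_PARENT), and IIS records 401.1 "logon failed" with cs-username still "-", i.e. no authenticated identity ever completed. That is the pattern of a connection-oriented (NTLM) handshake being broken across a proxy that does not pin the client connection to the origin connection. The Squid option I would look at in that case is connection-auth on the cache_peer and https_port lines (present in Squid 2.6 and later); whether it resolves this particular setup is an assumption, not something the post confirms.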


