On 19/01/2012 10:13 p.m., Isenberg, Holger wrote:
Is anyone using squid successfully as a reverse proxy for Outlook Anywhere (RPC 
over https) and Active Sync for an Exchange 2010?

Trying to use squid 3.2.0.13 to replace an ISA server forwarding RPC over https 
for Outlook Anywhere and Active Sync for Outlook mobile devices like Android 
and iPhone I had some success but problems with some Active Sync clients are 
still a show stopper.

RPC over https works fine with that squid version.

The problem is the very first http OPTIONS request for Active Sync which is 
using http Basic Authentication from an Android with TouchDown as client app. 
The cache.log shows the following request and response:

Mobile sending:
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
Connection: keep-alive
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com

Squid sending to IIS (Basic dGV... is the same as above):
OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1
User-Agent: TouchDown(MSRPC)/7.1.00012/
TD-Info: com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/
X-MS-PolicyKey: 0
MS-ASProtocolVersion: 2.5
Authorization: Basic dGVxxxxxxxxxxxxxxxxxxx==
Content-Length: 0
Host: webmail.domain.com
Surrogate-Capability: webmail.domain.com="Surrogate/1.0"
Cache-Control: max-age=259200
Connection: keep-alive

IIS responding:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic realm="webmail.domain.com"
X-Powered-By: ASP.NET
Date: Wed, 18 Jan 2012 14:38:32 GMT
Content-Length: 1344

There the connection is closed by the client. Maybe the headers added by squid 
are not accepted by IIS? Is there any parameter to disable adding 
Surrogate-Capability, Cache-Control and Connection to the forwarded request?

401 status means the header not being accepted is the "Authorization:" header.

Connection is unchanged from what was passed to Squid, just re-positioned.

Surrogate-Capability is a bit new yes, but HTTP requires ignoring unsupported headers. IIS would be incapable of performing regular HTTP traffic if it were that sensitive to unknown headers coming from clients. Weird stuff is the norm rather than the exception in HTTP.


To debug further you can try opening a connection to IIS with telnet and send variations of those headers to it cut-n-paste style. Or use the squidclient tool to tailor the request particulars.


Amos
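
The header-variation test suggested above, as an added example that is not part of the original thread: it rebuilds the OPTIONS request from the cache.log excerpt with every subset of the Squid-added headers so the backend's status line can be compared per variant. The credentials, the port 80 default and the `probe` helper are assumptions for illustration.

```python
import base64, itertools, socket, ssl, sys

# Request line and headers as the mobile client sent them (from the cache.log excerpt).
REQUEST_LINE = "OPTIONS /Microsoft-Server-ActiveSync HTTP/1.1"
CLIENT_HEADERS = [
    ("User-Agent", "TouchDown(MSRPC)/7.1.00012/"),
    ("TD-Info", "com.nitrodesk.droid20.nitroid/7.1.00012/NON-PCF/"),
    ("X-MS-PolicyKey", "0"),
    ("MS-ASProtocolVersion", "2.5"),
    ("Content-Length", "0"),
    ("Host", "webmail.domain.com"),
]
# Headers that appear only in the request Squid forwarded to IIS.
SQUID_ADDED = [
    ("Surrogate-Capability", 'webmail.domain.com="Surrogate/1.0"'),
    ("Cache-Control", "max-age=259200"),
]

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return ("Authorization", "Basic " + token)

def build_request(extra, auth):
    # Connection stays keep-alive as in the capture; probe() reads one line and closes.
    headers = CLIENT_HEADERS + [auth] + list(extra) + [("Connection", "keep-alive")]
    lines = [REQUEST_LINE] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def variants(auth):
    # Every subset of the Squid-added headers, from none to all.
    out = {}
    for n in range(len(SQUID_ADDED) + 1):
        for combo in itertools.combinations(SQUID_ADDED, n):
            name = "+".join(k for k, _ in combo) or "client-only"
            out[name] = build_request(combo, auth)
    return out

def probe(host, port, raw, use_tls=False):
    # Send one raw request and return the status line of the reply.
    sock = socket.create_connection((host, port), timeout=10)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(raw)
        return sock.makefile("rb").readline().decode("latin-1").strip()

if __name__ == "__main__":
    auth = basic_auth("testuser", "constructed-password")  # constructed credentials
    for name, raw in variants(auth).items():
        print(name, "->", probe(sys.argv[1], 80, raw) if len(sys.argv) > 1 else raw)
```

Run with the backend host as the only argument to probe it; without an argument it only prints the four request variants. If all variants return the same 401, the added headers are not the cause.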
