624
edits
Changes
From SME Server
Jump to navigationJump to searchSME Server:Documentation:FAQ (view source)
Revision as of 21:32, 16 January 2012
, 21:32, 16 January 2012Section added for ProxyPass for Exchange Outlook Web Access
http://forums.contribs.org/index.php/topic,40075.0.html
http://forums.contribs.org/index.php/topic,40075.0.html
====ProxyPass for Exchange Outlook Web Access====
Users wishing to implement this setup are strongly advised to read in full this forum thread http://forums.contribs.org/index.php/topic,40075.0.html from which the following information was obtained.
*How can I configure Outlook Web Access access to an internal Exchange 2003 server ?
Issue the following commands (replace "a.b.c.d" with the LAN IP of your exchange server):
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
echo '# ProxyPass Support for Internal Exchange Server
ProxyPreserveHost On
#OWA % character in email subject fix
RewriteEngine On
RewriteMap percentsubject int:escape
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
#OWA
ProxyPass /exchange https://a.b.c.d/exchange
ProxyPassReverse /exchange https://a.b.c.d/exchange
ProxyPass /Exchange https://a.b.c.d/exchange
ProxyPassReverse /Exchange https://a.b.c.d/exchange
ProxyPass /exchweb https://a.b.c.d/exchweb
ProxyPassReverse /exchweb https://a.b.c.d/exchweb
ProxyPass /public https://a.b.c.d/public
ProxyPassReverse /public https://a.b.c.d/public
ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd
#OMA
ProxyPass /oma https://a.b.c.d/oma
ProxyPassReverse /oma https://a.b.c.d/oma
#ActiveSync (for WM5+ devices)
ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
#Force 'RequestHeader' in order to get IE to work
# End of Exchange settings
' > 91ProxyPassOWA
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith
It is then possible to login to OWA at https://any.sme.domainname.com/exchange from Firefox (and presumably Opera or Safari), but not login using IE7.
In order to login from Internet Explorer it is necessary to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:
*start the Internet Information Services (IIS) Manager on the Exchange 2003 server
*Expand Web Sites
*Expand Default Web Site
*right-click on Exchange and select "Properties"
*click on the Directory Security tab
*click on the Edit button for "Authentication and access control"
*remove the check from "Integrated Windows authentication"
*Click OK
*Click OK again
Note: no restarts were required on the Exchange server - as soon as the above changes are made it is possible to login successfully using Internet Explorer
*References & More information:
The above information is based mostly on this post:
http://systembash.com/content/outlook-web-access-apache-proxy/
Note: The "RequestHeader" directive discussed here was unnecessary when tested on a SME 7.2 system
Here is an expanded entry that includes info on Exchange 2007:
http://www.utahsysadmin.com/2007/12/20/apache-reverseproxy-for-owa/
Here are the apache docs for mod_proxy and mod_headers:
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html#proxypass
http://httpd.apache.org/docs/2.0/mod/mod_headers.html
*User feedback & additional information re above method:
This method works well except that it was necessary to add a line or two to support /owa which is the directory expected for owa to run. It works with every domain hosted on the SME 7.4 server used. To limit it to one publically resolvable domain, was resolved as follows:
This applies to a SME 7.4 with more than one virtual host that has publically accessible FQDN. To achieve this ISP like setup, the SME server (and all other server) was configured with a ficticious domain like private.local and everything in the network setup such that it is not routable from outside. In this scenario, only the SME server is publically accessible (and behind a WAG54GP2 router with ports 80, 443 open). Using DYNDNS.ORG an account was created and two domains purchased:
domainA.com
domainB.co.nz
Use the DynDNS administrator to setup cnames like:
www.domainA.com -> domainA.com
remote.domainA.com -> domainA.com
www.domainB -> domainB.co.nz
Also note that DynDNS does not sell co.nz domains, these were purchased from domainz.com and pointed the DNS to the DynDNS DNS servers. In the end, any hosts point to the static IP address obtained from World Exchange for an extra $20. In this situation dynamic dns is not being used, but the DynDNS account existed, and it provided redundant DNS, so was easy to retain.
SME server was setup with add-ons like Wordpress etc. in each iBay as required such that www.domainA.com and www.domainB.co.nz go to different Wordpress blogs by default (refer to the FAQ on contribs.org and the instructons on wordpress.org to setup wordpress in an iBay).
On the LAN and on a 192.168.* address (non-routable) there is an Exchange server.
The requirements were to have the OWA component available from outside the LAN and a 'home office' webpage.
Making it slightly more difficult to implement, the requirement was for www.domainA.com to go to SME iBay and homeoffice.domainA.com to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.
This is so that the IIS and Exchange server can be "hidden" behind Apache, and a single certificate obtained & utilised.
To achieve this, Apache must resolve everything to iBays, except the one virtual host and it's /owa directories.
1. Enable SSLProxy:
create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.
2. Using this threads info as above, except, include a VirtualHosts directive for the remote domain:
create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass
which looks like this:
# Forward remote.domainA.com to iis.private.local
<VirtualHost 0.0.0.0:80>
ServerName remote.domainA.com
ProxyPass / http://iis.private.local/
ProxyPassReverse / http://iis.private.local/
</VirtualHost>
<VirtualHost 0.0.0.0:443>
ServerName remote.domainA.com
ProxyPass / https://iis.private.local/
ProxyPassReverse / https://iis.private.local/
# Preserve meta info in the http line as a resolvable request
ProxyPreserveHost On
#OWA % character in email subject fix
RewriteEngine On
RewriteMap percentsubject int:escape
RewriteCond $1 ^/exchange/.*\%.*$
RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
#OWA
ProxyPass /exchange https://iis.private.local/exchange
ProxyPassReverse /exchange https://iis.private.local/exchange
ProxyPass /owa https://iis.private.local/owa
ProxyPassReverse /owa https://iis.private.local/owa
ProxyPass /Exchange https://iis.private.local/exchange
ProxyPassReverse /Exchange https://iis.private.local/exchange
ProxyPass /exchweb https://iis.private.local/exchweb
ProxyPassReverse /exchweb https://iis.private.local/exchweb
ProxyPass /public https://iis.private.local/public
ProxyPassReverse /public https://iis.private.local/public
ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd
#OMA
ProxyPass /oma https://iis.private.local/oma
ProxyPassReverse /oma https://iis.private.local/oma
#ActiveSync (for WM5+ devices)
ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
# End of Exchange settings
</VirtualHost>
where iis.private.local is the private instance of IIS. and remote.domainA.com is a publically addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the sme server (add a hostname record with correct internal IP address). Ensure the Integrated Authentication is disabled for OWA (leave basic auth on).
3. Expand template & Restart the SME webserver
expand-template /etc/httpd/conf/httpd.conf
sv restart httpd-e-smith
Note: You can use IPaddresses, but this is cumbersome to maintain and open to error. All FQDN's must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page except to say the site is under construction, it is necessary to create a basic webpage with a link to the owa page to make usage easy.
Testing:
From another external computer at another location or internet cafe, go to http://www.domainA.com, it should go to the wordpress server as has been setup.
http://www.domainB.com should go to that other wordpress server as setup. If you access any https site, it should also give a certificate and open the respective wordpress server as has been setup.
If you access http://remote.domainA.com or https://remote.domainA.com it should go to the IIS server and no other address (this for example will allow you to sell webhosting without the possibility of customers accessing the IIS server). Next step is to create a default page on IIS that has useful information for the own home office and includes links to webmail for people who cannot remember long or confusing URLs etc.
*Other useful resources:
http://bugs.contribs.org/show_bug.cgi?id=1612
The apache docs
Google
===Shell Access===
===Shell Access===
