
What happens is that the browser connects to the SME server, then negotiates SSL (verifies the certificate and starts encrypting the connection), then sends the request (hostname + URL). Apache in the SME server then proxies the connection (creates the connection to the internal webserver, passes the request, passes back the response). There's no way that the internal server's certificate can be presented to the browser and used to enable encryption.
===ProxyPass for Exchange Outlook Web Access===
Users wishing to implement this setup are strongly advised to read in full this forum thread,40075.0.html from which the following information was obtained.
*How can I configure Outlook Web Access access to an internal Exchange 2003 server?
Issue the following commands (replace "a.b.c.d" with the LAN IP of your Exchange server):
 mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 echo '# ProxyPass Support for Internal Exchange Server
        ProxyPreserveHost On
        #OWA % character in email subject fix
        RewriteEngine On
        RewriteMap percentsubject int:escape
        RewriteCond $1 ^/exchange/.*\%.*$
        RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
        ProxyPass /exchange https://a.b.c.d/exchange
        ProxyPassReverse /exchange https://a.b.c.d/exchange
        ProxyPass /Exchange https://a.b.c.d/exchange
        ProxyPassReverse /Exchange https://a.b.c.d/exchange
        ProxyPass /exchweb https://a.b.c.d/exchweb
        ProxyPassReverse /exchweb https://a.b.c.d/exchweb
        ProxyPass /public https://a.b.c.d/public
        ProxyPassReverse /public https://a.b.c.d/public
        ProxyPass /iisadmpwd https://a.b.c.d/iisadmpwd
        ProxyPassReverse /iisadmpwd https://a.b.c.d/iisadmpwd
        ProxyPass /oma https://a.b.c.d/oma
        ProxyPassReverse /oma https://a.b.c.d/oma
        #ActiveSync (for WM5+ devices)
        ProxyPass /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
        ProxyPassReverse /Microsoft-Server-ActiveSync https://a.b.c.d/Microsoft-Server-ActiveSync
         #Force "RequestHeader" in order to get IE to work
 # End of Exchange settings
 ' > 91ProxyPassOWA
 expand-template /etc/httpd/conf/httpd.conf
 sv restart httpd-e-smith
It is then possible to login to OWA at from Firefox (and presumably Opera or Safari), but not login using IE7.
To log in from Internet Explorer it is necessary to disable "Integrated Windows authentication" in IIS on the Exchange Server as follows:
*Start the Internet Information Services (IIS) Manager on the Exchange 2003 server
*Expand Web Sites
*Expand Default Web Site
*Right-click on Exchange and select "Properties"
*Click on the Directory Security tab
*Click on the Edit button for "Authentication and access control"
*Remove the check from "Integrated Windows authentication"
*Click OK
*Click OK again
Note: no restarts were required on the Exchange server. As soon as the above changes are made it is possible to log in successfully using Internet Explorer.
*References & More information:
The above information is based mostly on this post:
Note: The "RequestHeader" directive discussed here was unnecessary when tested on a SME 7.2 system
Here is an expanded entry that includes info on Exchange 2007:
Here are the apache docs for mod_proxy and mod_headers:
*User feedback & additional information re above method:
This method works well except that it was necessary to add a line or two to support /owa, which is the directory expected for OWA to run. It works with every domain hosted on the SME 7.4 server used. Limiting it to one publicly resolvable domain was resolved as follows:
This applies to a SME 7.4 with more than one virtual host that has a publicly accessible FQDN. To achieve this ISP-like setup, the SME server (and all other servers) was configured with a fictitious domain like private.local and everything in the network set up such that it is not routable from outside. In this scenario, only the SME server is publicly accessible (and behind a WAG54GP2 router with ports 80, 443 open). Using DYNDNS.ORG an account was created and two domains purchased:
Use the DynDNS administrator to setup cnames like:
 + ->
 + ->
www.domainB ->
Also note that DynDNS does not sell domains, these were purchased from and pointed the DNS to the DynDNS DNS servers. In the end, any hosts point to the static IP address obtained from World Exchange for an extra $20. In this situation dynamic dns is not being used, but the DynDNS account existed, and it provided redundant DNS, so was easy to retain.
SME server was set up with add-ons like WordPress etc. in each iBay as required such that and go to different WordPress blogs by default (refer to the FAQ on and the instructions on to set up WordPress in an iBay).
On the LAN and on a 192.168.* address (non-routable) there is an Exchange server.
The requirements were to have the OWA component available from outside the LAN and a 'home office' webpage.
Making it slightly more difficult to implement, the requirement was for to go to SME iBay and to go to Windows server - iis.private.local and have iis.private.local/owa work correctly.
This is so that the IIS and Exchange server can be "hidden" behind Apache, and a single certificate obtained & utilised.
To achieve this, Apache must resolve everything to iBays, except the one virtual host and its /owa directories.
1. Enable SSLProxy:
Create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSLProxyEngine containing only the words "SSLProxyEngine on" on a single line, no quotes.
2. Using this thread's info as above, except include a VirtualHost directive for the remote domain:
Create a file /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/76ProxyPass
which looks like this:
 # Forward to iis.private.local
  ProxyPass / http://iis.private.local/
  ProxyPassReverse / http://iis.private.local/
  ProxyPass / https://iis.private.local/
  ProxyPassReverse / https://iis.private.local/
 # Preserve meta info in the http line as a resolvable request
  ProxyPreserveHost On
 #OWA % character in email subject fix
  RewriteEngine On
  RewriteMap percentsubject int:escape
  RewriteCond $1 ^/exchange/.*\%.*$
  RewriteRule (/exchange/.*) ${percentsubject:$1} [P]
  ProxyPass /exchange https://iis.private.local/exchange
  ProxyPassReverse /exchange https://iis.private.local/exchange
  ProxyPass /owa https://iis.private.local/owa
  ProxyPassReverse /owa https://iis.private.local/owa
  ProxyPass /Exchange https://iis.private.local/exchange
  ProxyPassReverse /Exchange https://iis.private.local/exchange
  ProxyPass /exchweb https://iis.private.local/exchweb
  ProxyPassReverse /exchweb https://iis.private.local/exchweb
  ProxyPass /public https://iis.private.local/public
  ProxyPassReverse /public https://iis.private.local/public
  ProxyPass /iisadmpwd https://iis.private.local/iisadmpwd
  ProxyPassReverse /iisadmpwd https://iis.private.local/iisadmpwd
  ProxyPass /oma https://iis.private.local/oma
  ProxyPassReverse /oma https://iis.private.local/oma
 #ActiveSync (for WM5+ devices)
  ProxyPass /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
  ProxyPassReverse /Microsoft-Server-ActiveSync https://iis.private.local/Microsoft-Server-ActiveSync
 # End of Exchange settings
where iis.private.local is the private instance of IIS. and is a publicly addressable domain that resolves to the public side of the SME server. To be sure this works, you must be able to resolve iis.private.local from the SME server (add a hostname record with the correct internal IP address). Ensure that Integrated Authentication is disabled for OWA (leave basic auth on).
3. Expand template & Restart the SME webserver
 expand-template /etc/httpd/conf/httpd.conf
 sv restart httpd-e-smith
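
Added example, not part of the original page or of SME Server: a small Python lint for the ProxyPass fragments above (91ProxyPassOWA and 76ProxyPass). It relies on two documented Apache behaviours (mod_proxy tests ProxyPass rules in configuration order with the first match winning, and https:// backends need SSLProxyEngine on) and also flags http:// backends, where Basic credentials would cross the internal hop unencrypted. The helper names and the sample fragment are constructed, and the input is assumed to be a single configuration context.

```python
import re

# Constructed sample: abbreviated directives in the flattened order of 76ProxyPass.
SAMPLE = """\
SSLProxyEngine on
ProxyPass / http://iis.private.local/
ProxyPassReverse / http://iis.private.local/
ProxyPreserveHost On
ProxyPass /owa https://iis.private.local/owa
ProxyPassReverse /owa https://iis.private.local/owa
ProxyPass /oma https://iis.private.local/oma
"""

DIRECTIVE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+(\S+)", re.I)
SSL_ON = re.compile(r"^\s*SSLProxyEngine\s+on\b", re.I | re.M)

def covers(prefix, path):
    """True if a ProxyPass for `prefix` also matches `path` (whole path segments)."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def lint(conf):
    """Hypothetical helper: list findings for one configuration context."""
    passes, reverses = [], set()
    for line in conf.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() == "proxypass":
            passes.append((m.group(2), m.group(3)))
        elif m:
            reverses.add(m.group(2))
    ssl_on = bool(SSL_ON.search(conf))
    findings = []
    for i, (path, target) in enumerate(passes):
        # mod_proxy checks ProxyPass rules in configuration order; first match wins.
        hit = next((e for e in passes[:i] if covers(e[0], path)), None)
        if hit:
            findings.append(f"shadowed: {path} is caught by earlier {hit[0]} -> {hit[1]}")
        if path not in reverses:
            findings.append(f"no ProxyPassReverse for {path}")
        if target.lower().startswith("http://"):
            findings.append(f"cleartext backend hop: {path} -> {target}")
        elif target.lower().startswith("https://") and not ssl_on:
            findings.append(f"https backend without SSLProxyEngine on: {path}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it over the expanded /etc/httpd/conf/httpd.conf rather than a single fragment, because SSLProxyEngine is set in the separate 35SSLProxyEngine fragment.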
Note: You can use IP addresses, but this is cumbersome to maintain and open to error. All FQDNs must be resolvable internally and externally respectively. If this is confusing, start small. Also, IIS will not have a default page except to say the site is under construction, so it is necessary to create a basic webpage with a link to the OWA page to make usage easy.
From another external computer at another location or internet cafe, go to, it should go to the wordpress server as has been setup.
 + should go to that other wordpress server as setup. If you access any https site, it should also give a certificate and open the respective wordpress server as has been setup.
If you access or it should go to the IIS server and no other address (this for example will allow you to sell webhosting without the possibility of customers accessing the IIS server). The next step is to create a default page on IIS that has useful information for the home office and includes links to webmail for people who cannot remember long or confusing URLs etc.
*Other useful resources:
The Apache docs
==Shell Access==