Do you use let's encrypt?





7646 votes ~ 25 comments

 

Debian and Apache2 as an OWA Front-end

Posted by eddor1614 on Fri 30 Jun 2006 at 09:11

My company has only one external IP address and a DNS host name from the same Internet Provider. There are also two Exchange 2000 servers, mxbsas and mxrng. Until now the users could access OWA (Outlook Web Access) from outside the company only via mxbsas, this is because you can't use IIS as a front-end and the Standard version of MSEX2000 does not support this feature.

We have other alternatives for this, like buying another IP address and host name or Install MSEX Enterprise, but we already have a Linux Debian server running as a anti-virus/anti-spam for incoming/outgoing mail. I decided to try Apache2 and mod_proxy. This is what we do:

1) Install apache2, it's easy on Debian:

        # apt-get install apache2

2) Activate mod_proxy, mod_headers and mod_rewrite:

        # a2enmod proxy
        # a2enmod headers
        # a2enmod rewrite

3) The Exchange servers are setup to work only on HTTPS, we can configure apache to have mod_ssl enabled. We already have a Certificate from Thawte for exchange which at the time of this configuration was about to expire, so we ask our provider to give us a certificate for Apache2. Anyway, this could be done with a Self Signed Certificate, this configuration was explained previously here.

4) Create a new site in /etc/apache2/sites-available, named owa (or whatever):


<VirtualHost *:443>

DocumentRoot "/var/www/owa"
ServerName mail.mycompany.com:443
ServerAdmin support@mycompany.com
DirectoryIndex index.html index.php

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

SSLProxyEngine on

RewriteEngine On
RewriteRule     ^/$     /exchange       [L,R]

RequestHeader set Front-End-Https On
ProxyRequests On
ProxyPreserveHost On
ProxyVia full

<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>

    ProxyPass        /exchange https://mxbsas.example.local/exchange
    ProxyPassReverse /exchange https://mxbsas.example.local/exchange

    ProxyPass        /exchweb https://mxbsas.example.local/exchweb
    ProxyPassReverse /exchweb https://mxbsas.example.local/exchweb

    ProxyPass        /public https://mxbsas.example.local/public
    ProxyPassReverse /public https://mxbsas.example.local/public

    ProxyPass        /exchangerng https://mxrng.example.local/exchangerng
    ProxyPassReverse /exchangerng https://mxrng.example.local/exchangerng

</VirtualHost>

5) Enable the new site and restart apache2:

# a2ensite owa
# /etc/init.d/apache2 reload

6) The directory /exchange of server mxrng has to be renamed, in my config I use /exchangerng. Open IIS and rename the directory.

That's all, now to access the OWA you can use:

mxbsas users: https://mail.mycompany.com/exchange
mxrng users: https://mail.mycompany.com/exchangerng

Note: each exchange has its own /exchweb and /public directory, we only use the one from mxbsas. The directory /exchange from mxrng should be renamed or OWA won't work. The directories /excheb and /public could not be renamed because OWA does not work.

 

 


Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (82.146.xx.xx) on Fri 30 Jun 2006 at 21:32
While you're configuring Apache, it might be wise to install mod_security and add some security rules to protect your windows boxes. :-)

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (193.28.xx.xx) on Wed 5 Jul 2006 at 13:49
I use a little reverse proxy for this job. It's called pound
You can get it at www.apsis.ch/pound/

I think it's easier to manage then the mod_proxy and there are less problems with security patches.

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by eddor1614 (24.232.xx.xx) on Wed 5 Jul 2006 at 14:40
[ View Weblogs ]
does it work with MS Exchange?

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (67.101.xx.xx) on Thu 6 Jul 2006 at 01:18
I've been running pound in front of OWA on multiple production systems for the past 3-4 years, and have not had any problems at all. It's also functioning as an SSL wrapper/tunnel, saving time with the sometimes annoying process of installing certificates on a windows machine (luckily those arent my responsibility).

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by eddor1614 (24.232.xx.xx) on Thu 6 Jul 2006 at 13:48
[ View Weblogs ]
good.
thanks for the tip.

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (206.248.xx.xx) on Tue 11 Jul 2006 at 07:17
pound is in stable and testing Debian branches...

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Steve (62.30.xx.xx) on Tue 11 Jul 2006 at 10:20
[ View Steve's Scratchpad | View Weblogs ]

Good point, pound would probably do the job in a fairly clean way.

We've introduced that previously..

Steve

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (64.119.xx.xx) on Wed 3 Feb 2010 at 17:38
You can proxy for ActiveSync in addition to OWA by adding these two lines to your configuration. These lines are case sensitive.
ProxyPass        /Microsoft-Server-ActiveSync https://mxbsas.example.local/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://mxbsas.example.local/Microsoft-Server-ActiveSync

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (151.204.xx.xx) on Thu 6 May 2010 at 18:40
Nice guide, I used it to set up an HTTP only reverse proxy.

One note is that on Lenny I had to also enable module proxy_http.
For SSL on Lenny I suspect proxy_connect may be needed.

[ Parent | Reply to this comment ]

Re: Debian and Apache2 as an OWA Front-end
Posted by Anonymous (196.1.xx.xx) on Wed 26 Oct 2011 at 15:17
Hi,

I setup Apache reverse proxy to Exchange 2010 on Debian. Everything works except ActiveSync.

When I try sending mail from my iPhone I get this on the Exchange IIS log:
SendMail&Log=V140_RpcC15_RpcL15_Erq1_S102_Error:InvalidWBXML

Everything else works perfect. What can I look at?

[ Parent | Reply to this comment ]