OWA 2K/2K3 Front-end SSL Proxy with Apache 2.0
[12:44 AM | 0 comments ]

Outlook Web Access 2000 and 2003 (OWA) runs on Microsoft's Internet Information Service (IIS). IIS is considered by many to be the swiss cheese of web servers (and I agree with this... sort of). I would never consider putting an IIS box on a publicly accessible network simply because it's just too much work to secure.

The point of having an OWA server is moot if one is not willing to allow access to it from the world. So, we need to somehow make the OWA service publicly accessible while not actually making the box itself publicly accessible (hopefully that makes sense. ;-). The answer? Proxy incoming requests with something a little more secure - namely Apache. Apache comes with a nice proxy module called mod_proxy. It does everything we need.


INTERNET +--------------+
| | APACHE PROXY |
| +--------------+
+----------+ |
| FIREWALL |------------------
+----------+ Service net
|
|
+------------+
Int Net -----| OWA SERVER |
+------------+

Remote users want to access OWA. They type https://webmail.somedomain.com into their browser. Their workstation/laptop then asks their DNS for the IP address of webmail.somedomain.com. The DNS replies with the IP address of the APACHE PROXY. The browser then connects to the proxy and sends its request. The APACHE PROXY then connects to the the internal OWA SERVER and requests the objects on behalf of the remote user. Simple enough.

Be aware that in this example, the Apache "proxy" is on a locked down service network. Nothing gets in or out of this net unless it is required. For the Apache "proxy", connection requests destined for port 443 (https) are allowed through the firewall from the world. Connection requests from the Apache "proxy" are allowed through to destination port 443 on the internal OWA server. That's it. If the Apache "proxy" generates any traffic other than that, alarms go off (i.e. WARNING! WARNING! You may be 0wn3d!). I highly recommend this configuration for all pubicly accessible services.

Now, to make this bit of magic work, we need to do several things.

  1. Configure Apache to use the mod_proxy modules.
  2. Add a RequestHeader and several ProxyPass configuration directives to the Apache config file.
  3. Add an entry to the Apache server's /etc/hosts file.

1. Configure Apache to use the mod_proxy modules.

Ensure Apache's configuration file (httpd.conf) includes the following lines. 

LoadModule proxy_module /mod_proxy.so
LoadModule proxy_http_module /mod_proxy_http.so
LoadModule proxy_connect_module /mod_proxy_connect.so

NOTE: If mod_proxy is not part of your distribution's Apache package or you did not compile Apache with the mod_proxy option turned on, httpd may not start (it'll probably only complain).


2. Add a RequestHeader and these ProxyPass configuration directives to your Apache config file. You may place them in the main section of the config or in a VirtualHost section. It all depends how you have your server configured. I've done it in both and either will work. 

RequestHeader set Front-End-Https "On"

ProxyPass /exchange http://webmail.somedomain.com/exchange/
ProxyPassReverse /exchange http://webmail.somedomain.com/exchange/
ProxyPass /exchweb http://webmail.somedomain.com/exchweb/

ProxyPassReverse /exchweb http://webmail.somedomain.com/exchweb/
ProxyPass /public http://webmail.somedomain.com/public/
ProxyPassReverse /public http://webmail.somedomain.com/public/
ProxyPass /iisadmpwd http://webmail.somedomain.com/iisadmpwd/
ProxyPassReverse /iisadmpwd http://webmail.somedomain.com/iisadmpwd/
CacheDisable *


3. And finally add an entry to the Apache server's /etc/hosts file.

You may notice the ProxyPass directives redirect several directories to webmail.somedomain.com. But how can we redirect to webmail.somedomain.com if the Apache server is webmail.somedomain.com? We need to add an entry to the /etc/hosts file pointing webmail.somedomain.com to the internal OWA IP address. 

192.168.0.100  webmail.somedomain.com

Be sure your server is configured to look in your hosts file before consulting the DNS. Check your /etc/host.conf file to make sure. It should read like this. 

order hosts, bind
multi on

Now start Apache. Watch your logs for any errors. Make sure the appropriate access is configured through your firewall (world --> proxy dst tcp 443 and proxy --> internal OWA server dst tcp 443). Also remember to watch the logs on your internal OWA server.

Some things to watch include

  • Browser warnings about secure and insecure items on the same page - this could be a sign that the Front-End-Header isn't working properly
  • Apache complaining about bad directives in its config file - could be a misspeled directive or a configuration conflict with your distro's version of Apache
  • Apache warning it could not find a certain object or could not find the OWA server - make sure you've added the right IP address to your /etc/hosts and that you've redirected all the required directories in your Apache config file (ProxyPass and ProxyReverse directives).

BTW, this is very similar to proxying OWA really. A couple of other things involved. Like most people probably checking out this article, I only have a single Win2k3/Exch SP1 back-end server and an Apache reverse-proxy.

  1. Check Q-article 833401 (http://support.microsoft.co...) to configure your Exchange server as a backend. Basically follow these instructions in the doc:-
    1. Install the RPCProxy using 'Add/Remove Programs'. BTW, do make sure you reapply Win2k3 SP1 after installing this if you get the RTM version. This installs two virtual directories - /rpc and /rpcwithcert.
    2. Configure correct permissions on the /rpc virtual directory (don't require SSL, you'll see why in a sec)
    3. Hard-code the ports to communicate with the GC with the "ValidPorts" registry value using the Exchange server name
    4. Hard-code proxy communications on all GCs by configuring the "NSPI interface protocol sequences" registry key
  2. OK, before all of the testing stuff with Outlook, there is an important step they don't mention if you have a proxy. You want the proxy to terminate the SSL and communicate 80 back to the Exchange server, right? Well, you have to tell RPC to accept port 80 unencrypted traffic. Check the following article to see how that's done, they call it SSL offloading (whateva):

    http://www.microsoft.com/te...

  3. Now, here's my httpd config to check out. You'll see stuff which I'm sure true Apache gurus will cringe at, but adapt to your own setup accordingly. Put your cert on the Apache box, obviously, and serve on 443. You'll find my OWA proxy settings and a nice redirect from 80 -> 443 in there too:


    DocumentRoot "/var/www/proxy_dir"
    ServerName ***URL***
    Redirect / https://***URL***/exchange
    ErrorLog /var/www/proxy_dir/logs/error_log
    LogLevel emerg
    TransferLog /var/www/proxy_dir/logs/access_log



    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin


    Listen 443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/usr/local/apache/logs/ssl_mutex



    DocumentRoot "/usr/local/apache/htdocs"
    ServerName ***URL***:443
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log
    RequestHeader set Front-End-Https "On"
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
    ProxyRequests off
    ProxyPreserveHost On

    ProxyPass http://***address_of_Exchange_server***/exchange
    ProxyPassReverse http://***address_of_Exchange_server***/exchange
    SSLRequireSSL


    ProxyPass http://***address_of_Exchange_server***/exchweb
    ProxyPassReverse http://***address_of_Exchange_server***/exchweb
    SSLRequireSSL


    ProxyPass http://***address_of_Exchange_server***/public
    ProxyPassReverse http://***address_of_Exchange_server***/public
    SSLRequireSSL


    ProxyPass http://***address_of_Exchange_server***/rpc
    ProxyPassReverse http://***address_of_Exchange_server***/rpc
    SSLRequireSSL


    ProxyPass http://***address_of_Exchange_server***/
    ProxyPassReverse http://***address_of_Exchange_server***/
    SSLRequireSSL


    SSLOptions +StdEnvVars


    SSLOptions +StdEnvVars


    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

    CustomLog /usr/local/apache/logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"





  4. Test it out! Run the Outlook /rpcdiag deal to get a nice interface to figure out what might be wrong, and check the Apache SSL logs for any funny errors. Oh, and make sure URLScan, if you have it installed, is not blocking anything it shouldn't.

0 comments

Post a Comment