gavinjm
Joined: 10 Feb 2014 Posts: 6 Location: South Africa
Posted: Mon 10 Feb '14 10:14 Post subject: SSL Certificates and ReverseProxying to Exchange Server
Hi, I have a Linux server serving as a gateway with Apache 2.2.3 (external and internal connections).
I am trying to redirect https traffic initiated externally to the Exchange Server (OWA) located on the internal network, using ProxyPass and ProxyPassReverse in my VirtualHost config.
When I https into my server I get Error code: ERR_SSL_PROTOCOL_ERROR (SSL Connection Error).
Do I use the certificates that the OWA server created for port 443 access for the SSLCertificateFile and ...KeyFile parameters in the VirtualHost config file?
Regards
Gavin
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Mon 10 Feb '14 12:41
I am sorry, but what do you want to do exactly?
Using the Apache reverse proxy as an SSL wrapper (which is easy)?
Internet -> SSL -> Apache -> HTTP -> Exchange
Or using an "SSL chain" (which is a bit more complicated)?
Internet -> SSL -> Apache -> SSL -> Exchange
Greets
JR
gavinjm
Joined: 10 Feb 2014 Posts: 6 Location: South Africa
Posted: Tue 11 Feb '14 8:23
Hi JR,
I am trying to redirect all ssh traffic to the Exchange server (Exchange 2013) OWA front-end located on the private network.
Gavin
gavinjm
Joined: 10 Feb 2014 Posts: 6 Location: South Africa
Posted: Tue 11 Feb '14 9:02
Here is my Virtual Hosts config:
#
# My Virtual Hosts
#
<VirtualHost domain.name.co.za:443>
    ErrorLog /var/log/httpd/domain.name.error.log
    LogLevel error
    ServerName mail.domain.name
    ServerAdmin emailaddress@domain.name
    RewriteEngine On
    RequestHeader set Front-End-Https "On"
    ProxyPreserveHost On
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    <Proxy *>
        AddDefaultCharset Off
        Order deny,allow
        Allow from all
    </Proxy>
    <Location />
        ProxyPass https://172.16.0.4 retry=1 acquire=3000 timeout=600 KeepAlive=On
        ProxyPassReverse https://172.16.0.4
        SetEnv proxy-initial-not-pooled
    </Location>
    <Location /owa>
        ProxyPass http://172.16.0.4/owa
        ProxyPassReverse http://172.16.0.4/owa
    </Location>
</VirtualHost>
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Tue 11 Feb '14 9:45
For reverse proxying to a remote server which uses SSL you need the certificate from the remote server as well.
Therefore you should look for something like SSLProxyMachineCertificateFile. I am not sure if you can use the certificate from the remote server, but you can give it a try.
gavinjm
Joined: 10 Feb 2014 Posts: 6 Location: South Africa
Posted: Tue 11 Feb '14 9:58
Thanks, I will give it a try... Export the certificate from the Microsoft Exchange server, then copy it to the Linux gateway server and configure Apache to use this certificate.
(May take a day or two.)
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Tue 11 Feb '14 17:51
Besides this, please have a look at your vhost conf: you use https to the root and http to owa.
Is that a typo?
gavinjm
Joined: 10 Feb 2014 Posts: 6 Location: South Africa
Posted: Tue 11 Feb '14 19:02
Hi, thanks!
I changed them all to https. I am now being routed to the Exchange server, but am being presented with a blank screen by the Exchange (2013) proxy server. I have been modifying the authentication settings in IIS, no luck so far. No errors in the site error log file. I am busy checking the Exchange server logs, because I am being redirected to the proxy server's local IP: my URL changes to the address of the internal proxy server.
gavinjm
Joined: 10 Feb 2014 Posts: 6 Location: South Africa
Posted: Thu 13 Feb '14 15:58
I fixed it!!
I modified ProxyPass and ProxyPassReverse to read
https://172.16.0.4/ (i.e. left off the owa) in all instances in my config file. Reset the authentication permissions on all the IIS sites on the Exchange server to their default. And presto, I can access my mail server and log on. Now there seems to be a timeout issue: I get "error Your request can't be completed right now" when I attempt any activity on the mailbox (new mail, open mail, check calendar etc.).
Still not 100% certain of my certificates. I created a self-signed cert for the Linux gateway server and used it as per my vhttpd.conf file. But I created certificates on the Exchange server.
So in my proxy config, which certificate should I use?
Certificate on the gateway or certificate on the mail server?
jraute
Joined: 13 Sep 2013 Posts: 188 Location: Rheinland, Germany
Posted: Fri 14 Feb '14 14:04
As far as I know, the path to the Exchange server (OWA) via browser typically ends with "/exchange" or something like that. (That is what I would try first: configure your ProxyPass/ProxyPassReverse settings so that they point to the right URL.)
Have a look at the Internet Information Services (IIS) Manager.
There you can see which default sites are configured.
Regarding the certificates there are three ways:
1. browser -> certificate_1 -> apache -> http -> exchange
2. browser -> certificate_1 -> apache -> certificate_1 -> exchange
3. browser -> certificate_1 -> apache -> certificate_2 -> exchange
What would you like to do?
(If you get it running with the Exchange certificate I would try to go that way, because it's easier than the configuration with two certificates; later on you can still test with two certificates, if you like.)
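Added example, not from either poster: a vhost for the third layout jraute lists (browser -> certificate_1 -> apache -> certificate_2 -> exchange), written against the config Gavin posted earlier in the thread. It answers the "which certificate where" question: the gateway's own certificate and key go in SSLCertificateFile/SSLCertificateKeyFile (that is what browsers see, so its name should match mail.domain.name), while the Exchange certificate is only used by Apache, acting as a TLS client, to verify the backend via SSLProxyCACertificateFile. Apache's default for SSLProxyVerify is none, so the config posted above encrypts to 172.16.0.4 without checking who answers; the lines below turn that check on. For jraute's second layout the same cert would be installed on Exchange and listed in SSLProxyCACertificateFile as well (a self-signed cert is its own CA). Hostnames, file paths and the CA file are assumptions; retry/timeout values are the ones from Gavin's config. SSLProxyCheckPeerCN is not present in every 2.2 build; `httpd -L` lists the directives your build knows, and the directive can be dropped if it is missing.

```apache
<VirtualHost *:443>
    ServerName mail.domain.name
    ServerAdmin emailaddress@domain.name
    ErrorLog /var/log/httpd/domain.name.error.log
    LogLevel warn

    # certificate_1: what the browser sees. Assumed paths; the CN/SAN must
    # match mail.domain.name or browsers will warn.
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile    /etc/pki/tls/certs/mail.domain.name.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mail.domain.name.key
    # SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt   # only if your CA uses one

    # certificate_2: issued to the Exchange server. Apache is the TLS client on
    # this leg and by default verifies nothing (SSLProxyVerify none).
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # Assumed file: the CA that signed the Exchange cert, or the exported
    # self-signed Exchange cert itself.
    SSLProxyCACertificateFile /etc/pki/tls/certs/exchange-ca.crt
    # Compare the CN of the backend cert with the host in the ProxyPass URL.
    SSLProxyCheckPeerCN On

    ProxyRequests Off
    # Pass the client's Host header through so Exchange builds redirects with
    # the external name instead of its own internal address.
    ProxyPreserveHost On
    RequestHeader set Front-End-Https "On"

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Same scheme on every mapping, trailing slash on both sides, and the
    # backend named by the hostname in certificate_2 rather than by IP.
    ProxyPass        / https://exchange.internal.domain.name/ retry=1 timeout=600 keepalive=On
    ProxyPassReverse / https://exchange.internal.domain.name/
</VirtualHost>
```

A quick way to see whether the backend leg is the problem is to look in domain.name.error.log after raising LogLevel to debug for one test: with SSLProxyVerify require, a certificate the CA file does not cover is refused there, whereas with the default none the same mistake is silent.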