Tuesday, August 3, 2010

Exchange 2010 CAS + Apache 2 Reverse Proxy

As I mentioned in a previous post, I implemented an Apache 2 reverse proxy to proxy Exchange 2010 CAS traffic to my cluster node CAS servers to make failovers easy. It took a little bit of tweaking to make it all work properly with ActiveSync, OWA, and EWS, but here it is!

Hopefully this will make your reverse proxy implementation a bit easier.
LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  headers_module       modules/mod_headers.so
LoadModule  deflate_module       modules/mod_deflate.so
LoadFile    /usr/lib/libxml2.so
LoadModule  ssl_module           modules/mod_ssl.so
LoadModule  proxy_html_module    modules/mod_proxy_html.so

# *.DOMAIN.NET
# The container tags in this block (<VirtualHost>, <Proxy>, <Directory>,
# <Location>, <FilesMatch>) are assumed; they follow the stock Debian
# default-ssl layout.
<VirtualHost *:443>
    ProxyRequests Off
    SetEnv proxy-sendcl 1

    # ServerName takes one host name (assumed here from the certificate file
    # name); wildcards go in ServerAlias, which takes no port.
    ServerName mail2.domain.net:443
    ServerAlias *.domain.net

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # CAS Server
    ProxyPass / https://10.176.0.100/
    ProxyPassReverse / https://10.176.0.100/

    ProxyPreserveHost On
    ProxyVia Full
    # Normalise the header value so the CAS server sees lowercase "chunked"
    RequestHeader edit Transfer-Encoding Chunked chunked early

    ErrorLog /var/log/apache2/error.log

    LogLevel info

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    # Re-encrypt traffic to the CAS server (backend URL is https)
    SSLProxyEngine on
    SSLCertificateFile    /etc/ssl/mail2.domain.net+gd_bundle.crt
    SSLCertificateKeyFile /etc/ssl/mail2.domain.net.key
    SSLCertificateChainFile /etc/ssl/mail2.domain.net+gd_bundle.crt

    <Location />
        RequestHeader unset Accept-Encoding
        #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
        #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
        #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
        #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
        #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
        #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    </Location>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
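
A tighter variant of the proxy section above, as an added example that is not the author's configuration: it verifies the CAS server's certificate and forwards only the Exchange paths the post names instead of everything under `/`. The backend host name `cas1.internal.example` and the CA file path are placeholders.

```apache
# Added example. These directives go inside the port-443 virtual host,
# replacing the "# CAS Server" ProxyPass lines and "ProxyVia Full".
# cas1.internal.example and /etc/ssl/internal-ca.crt are assumed names.

# --- Backend TLS --------------------------------------------------------
# "SSLProxyEngine on" alone encrypts the hop to the CAS server but accepts
# whatever certificate it presents. Require a chain to a CA you control.
SSLProxyEngine            on
SSLProxyVerify            require
SSLProxyVerifyDepth       2
SSLProxyCACertificateFile /etc/ssl/internal-ca.crt
# Match the certificate CN against the host name in the ProxyPass URL and
# reject expired certificates. This is why the backend is addressed by
# name below rather than as 10.176.0.100.
SSLProxyCheckPeerCN       on
SSLProxyCheckPeerExpire   on

# --- Forward only what clients need -------------------------------------
# "ProxyPass /" publishes every virtual directory on the CAS server.
# Listing the OWA, ActiveSync and EWS paths keeps the rest off the
# Internet-facing listener.
ProxyRequests     Off
ProxyPreserveHost On

ProxyPass        /owa https://cas1.internal.example/owa
ProxyPassReverse /owa https://cas1.internal.example/owa

ProxyPass        /Microsoft-Server-ActiveSync https://cas1.internal.example/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://cas1.internal.example/Microsoft-Server-ActiveSync

ProxyPass        /EWS https://cas1.internal.example/EWS
ProxyPassReverse /EWS https://cas1.internal.example/EWS

# Send a bare "/" to OWA; any other unlisted path is answered locally
# by Apache and never reaches Exchange.
RedirectMatch ^/$ /owa/

# --- Header hygiene -----------------------------------------------------
# "ProxyVia Full" appends the Apache version to the Via header.
# "On" keeps the Via line without the version comment.
ProxyVia On
```

Add further paths (for example `/autodiscover`) only when a client actually needs them, and check `ssl_access.log` for requests to unlisted paths after the change.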

6 comments:

  1. Hi, does it also work with Outlook Anywhere (RPC over HTTPS)?

  2. I would love to know if this works with Outlook Anywhere (RPC over HTTPS) as well!

  3. Hi, I've also tried to use this for RPC over HTTPS and it did not work... maybe I configured it badly...
    I also want to know if it worked for you.

  4. FYI: There's a German howto at http://www.sturbi.de/blog/index.php/2012/11/09/apache-als-exchange-owa-reverse-proxy/ adding a few quirks to make /ews work

  5. Outlook RPC over HTTP simply doesn't work. See https://issues.apache.org/bugzilla/show_bug.cgi?id=40029 and http://social.technet.microsoft.com/Forums/exchange/en-US/65e59a61-0d3e-4fe2-acd0-381558a890fd/outlook-anywhere-not-connecting

  6. RPC over HTTP does work! Search for the Apache module MSRPC. We have OWA/EWS/Outlook Anywhere working behind an SSL reverse proxy.
