Tuesday, August 3, 2010

Exchange 2010 CAS + Apache 2 Reverse Proxy

As I mentioned in a previous post I implemented an Apache 2 reverse proxy to proxy Exchange 2010  CAS traffic to my cluster node CAS servers to make failovers easy. It took a little bit of tweaking to make it all work properly with Activesync, OWA, and EWS but here it is!

Hopefully this will make your reverse proxy implementation a bit easier.
LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  headers_module       modules/mod_headers.so
LoadModule  deflate_module       modules/mod_deflate.so
LoadFile    /usr/lib/libxml2.so
LoadModule  ssl_module           modules/mod_ssl.so
LoadModule  proxy_html_module    modules/mod_proxy_html.so




# *.DOMAIN.NET



  
        ProxyRequests Off
    SetEnv proxy-sendcl 1  
  
        ServerName *.domain.net:443
        ServerAlias *.domain.net:443

       
                Order deny,allow
                Allow from all
       

    # CAS Server
        ProxyPass / https://10.176.0.100/
        ProxyPassReverse / https://10.176.0.100/

    ProxyPreserveHost On
    ProxyVia Full
    RequestHeader edit Transfer-Encoding Chunked chunked early

    ErrorLog /var/log/apache2/error.log

    LogLevel info

    CustomLog /var/log/apache2/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile    /etc/ssl/mail2.domain.net+gd_bundle.crt
    SSLCertificateKeyFile /etc/ssl/mail2.domain.net.key
    SSLCertificateChainFile /etc/ssl/mail2.domain.net+gd_bundle.crt


  
    
    RequestHeader unset Accept-Encoding
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    

    
        SSLOptions +StdEnvVars
    
    
        SSLOptions +StdEnvVars
    

    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
Posted by at
Labels: , , , , ,

6 comments:

  1. marioSeptember 28, 2012 at 4:50 PM

    hi, does it work also with outlook anywhere (rpc over https)?

    ReplyDelete
  2. GregDecember 31, 2012 at 11:02 AM

    I would love to know if this works with Outlook Anywhere (rpc over https) as well!

    ReplyDelete
  3. AnonymousFebruary 5, 2013 at 11:16 AM

    Hy, I've also tried to use this for RPC over HTTPS and did not worked....maybe I configured it bad...
    Also want to know if it worked for you.

    ReplyDelete
  4. AnonymousMarch 27, 2013 at 1:37 AM

    FYI: There's a German howto @ http://www.sturbi.de/blog/index.php/2012/11/09/apache-als-exchange-owa-reverse-proxy/ adding a few quirks to make /ews work

    ReplyDelete
  5. LeonhardOctober 5, 2014 at 8:37 PM

    Outlook RPC over HTTP simply doesn't work.. see this https://issues.apache.org/bugzilla/show_bug.cgi?id=40029 and http://social.technet.microsoft.com/Forums/exchange/en-US/65e59a61-0d3e-4fe2-acd0-381558a890fd/outlook-anywhere-not-connecting

    ReplyDelete
  6. AnonymousJanuary 15, 2015 at 11:11 AM

    RPC over HTTP does work! Search for the apache module MSRPC. We have OWA/EWS/OutlookAnyWhere working behind an SSL Reverse Proxy.

    ReplyDelete

Subscribe to: Post Comments (Atom)