Squid 3 - Exchange 2013 SP1
-
i already committed a change, just needs to be approved by the core team…
-
Cool
I changed the conf file without the GUI … and managed to make it worked
GUI is a welcomed change
;D -
did you just add the /mapi uri or didi you change other settings, too ?
-
After digging in my conf
here is what I did (simpler in fact)Simple mapping through GUI with this URI
mydomainename.com/mapi.*$
-
well, that's one thing the gui does, too ;-)
how did you configure the external auth in exchange 2013 ?
set negotiate auth on outlook-anywhere ? -
in squid 3.3 (beta) there will be passthru auth implemented (which means you can pass all types of auth to the backend) :)
-
It's negotiate (if I remember correctly)
What could be a very (but very) good thing is to easily block the ECP ! (it's not that simple)
I'm eagerly awaiting for that new package !
-
The package is here !!! :D
-
Just to be curious, are you running an exchange dag ?
-
Nope it's just for my lab for the moment
BUT
It's one of my many project …The question about the DAG is because there is only one IP adress in squid RP ?
-
No,
As the reverse ip, just put the dag ip.
Just asked bacause of a config question ;-) -
ok
I have an issue with the update
Jun 7 14:30:49 squid: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 82: cache_peer 192.168.0.4 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinname=rvp_xxx_80
Jun 7 14:30:49 php: rc.start_packages: The command '/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/etc/squid/squid.conf' returned exit code '1', the output was '2014/06/07 14:30:49| parse_peer: token='round-robinname=rvp_xxx_80' FATAL: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 82: cache_peer 192.168.0.4 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinname=rvp_xxx_80 Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.010 seconds = 0.005 user + 0.005 sys Maximum Resident Size: 38032 KB Page faults with physical i/o: 0'
-
Oh, i see…
There's a missing space after round-robin.
I'll patch this later this evening ...
Sorry ... -
patch checked in, should be committed tonight…
-
It should now work. The patch is online ;-)
-
It's the 3.3.10 PKG 2.2.5 ?
-
Yes
-
maybe a snapchot before to avoid a veeam restore ;)
-
Done and working ;D
-
Good news ;-)
-
Oupsy
Got a strange issue
The Microsoft Connectivity Analyzer is checking the host autodiscover.mydomain.com for an HTTP redirect to the Autodiscover service.
The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <title>ERREUR: L'URL demandée n'a pas pu être trouvé</title>
ERROR
The requested URL could not be retrieved
L'erreur suivante s'est produite en essayant d'accéder à l'URL : http://autodiscover.sdskh.com/Autodiscover/Autodiscover.xml
Accès interdit.
La configuration du contrôle d'accès, empêche votre requête d'être acceptée. Si vous pensez que c'est une erreur, contactez votre fournisseur d'accès.
Votre administrateur proxy est admin@localhost.
Générer le Tue, 10 Jun 2014 08:46:04 GMT par localhost (squid/3.3.10)
I think I need some help ;)
EDIT: I created with GUI webserver exch80 and exch443
Then mapped to autodiscover.mydomain.com (map to both exch80 and exch443) then added mapi.mydomaine.com (map to exch44)
Everything works. I think there is an issue in the package -
are you running 32 or 64 bit pfSense ?
-
64
-
No idea what is the issue ? :o
-
autodiscover omly works with SSL (with the package) and the analyzer first tries 80 and then as a fallback solution 443, so by design there is no port 80 autodiscover…
does it not work at all without port 80 ? -
impossible to negociate on port 80 (ok) or 443
I have unchecked booth mapi and autodiscover
with my own rules it worksvery strange isn't it ?
BTW … thanks for your reply
-
could you post (or send me) your squid.conf file ? (/usr/pbi/squid-i386/etc/squid/squid.conf)
-
YES
This file is automatically generated by pfSense
Do not edit manually !
http_port 127.0.0.1:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language fr
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
netdb_filename /var/squid/log/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/libexec/squid/pingerlogfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
uri_whitespace stripacl dynamic urlpath_regex cgi-bin ?
cache deny dynamiccache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow allNo redirector configured
#Remote proxies
Setup some default acls
From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 50080 3128 3127 1025-65535
acl sslports port 443 563 50080From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECTDefine protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhosthttp_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslportsAlways allow localhost connections
From 3.2 further configuration cleanups have been done to make things easier and safer.
The manager, localhost, and to_localhost ACL definitions are now built-in.
http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrcReverse Proxy settings
http_port 127.0.0.1:80 accel defaultsite=mydomain.etc vhost
https_port 127.0.0.1:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
http_port 192.168.1.200:80 accel defaultsite=mydomain.etc vhost
https_port 192.168.1.200:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
cache_peer 192.168.0.8 parent 443 0 proxy-only no-query originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs
#Syno HTTPS (8151)
cache_peer 192.168.0.100 parent 8151 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_hqcdiskstation_8151#Syno HTTP (8150)
cache_peer 192.168.0.100 parent 8150 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_hqcdiskstation_8150#rdweb_80
cache_peer 192.168.0.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_rdweb_80#rdweb_443
cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdweb_443#tkobservium_80
cache_peer 192.168.0.27 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_tkobservium_80#rdc_443
cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdc_443#osxserver_80
cache_peer 192.168.0.18 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_osxserver_80#osxserver_443
cache_peer 192.168.0.18 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_osxserver_443#lamp_80
cache_peer 192.168.0.28 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_lamp_80#exch2013_443
cache_peer 192.168.0.8 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exch2013_443#ras_443
cache_peer 192.168.0.23 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_ras_443#exch2013_80
cache_peer 192.168.0.8 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_exch2013_80#fan_80
cache_peer 192.168.0.29 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_fan_80ignore_expect_100 on
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/owa.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchange.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/public.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchweb.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/ecp.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/OAB.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/Microsoft-Server-ActiveSync.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpc/rpcproxy.dll.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpcwithcert/rpcproxy.dll.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/EWS.$
acl rvm_hqcdiskstation8151 url_regex -i ^https://synologyssl.mydomain.etc.$
acl rvm_hqcdiskstation8150 url_regex -i ^http://synology.mydomain.etc.$
acl rvm_tkobservium_80 url_regex -i tkobservium.mydomain.etc
acl rvm_rdweb_443 url_regex -i ^https://rdweb.mydomain.etc/.$
acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpcwithcert/rpcproxy.dll.$
acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpc/rpcproxy.dll.$
acl rvm_rdweb_80 url_regex -i http://rdweb.mydomain.etc
acl rvm_osxserver_443 url_regex -i ^https://osxserver.mydomain.etc.$
acl rvm_osxserver_80 url_regex -i ^http://osxserver.mydomain.etc/.$
acl rvm_lamp_80 url_regex -i lamp.mydomain.etc
acl rvm_exch2013_443 url_regex -i mydomain.etc/mapi/.$
acl rvm_ras_443 url_regex -i ^https://ras.mydomain.etc/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}.$
acl rvm_exch2013_443 url_regex -i ^https://autodiscover.mydomain.etc/.$
acl rvm_exch2013_80 url_regex -i ^http://autodiscover.mydomain.etc/.*$
acl rvm_fan_80 url_regex -i fan.mydomain.etc
cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_pfs deny allsrc
never_direct allow OWA_URI_pfs
http_access allow OWA_URI_pfs
cache_peer_access rvp_hqcdiskstation_8151 allow rvm_hqcdiskstation8151
cache_peer_access rvp_hqcdiskstation_8150 allow rvm_hqcdiskstation8150
cache_peer_access rvp_tkobservium_80 allow rvm_tkobservium_80
cache_peer_access rvp_rdweb_443 allow rvm_rdweb_443
cache_peer_access rvp_rdc_443 allow rvm_rdc_443
cache_peer_access rvp_rdweb_80 allow rvm_rdweb_80
cache_peer_access rvp_osxserver_443 allow rvm_osxserver_443
cache_peer_access rvp_osxserver_80 allow rvm_osxserver_80
cache_peer_access rvp_lamp_80 allow rvm_lamp_80
cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
cache_peer_access rvp_ras_443 allow rvm_ras_443
cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
cache_peer_access rvp_exch2013_80 allow rvm_exch2013_80
cache_peer_access rvp_fan_80 allow rvm_fan_80
cache_peer_access rvp_hqcdiskstation_8151 deny allsrc
cache_peer_access rvp_shqcsubsonic_80 deny allsrc
cache_peer_access rvp_hqcdiskstation_8150 deny allsrc
cache_peer_access rvp_tkobservium_80 deny allsrc
cache_peer_access rvp_rdweb_443 deny allsrc
cache_peer_access rvp_rdc_443 deny allsrc
cache_peer_access rvp_rdweb_80 deny allsrc
cache_peer_access rvp_osxserver_443 deny allsrc
cache_peer_access rvp_osxserver_80 deny allsrc
cache_peer_access rvp_lamp_80 deny allsrc
cache_peer_access rvp_exch2013_443 deny allsrc
cache_peer_access rvp_newznab2_80 deny allsrc
cache_peer_access rvp_ras_443 deny allsrc
cache_peer_access rvp_exch2013_443 deny allsrc
cache_peer_access rvp_exch2013_80 deny allsrc
cache_peer_access rvp_fan_80 deny allsrc
never_direct allow rvm_hqcdiskstation8151
never_direct allow rvm_hqcdiskstation8150
never_direct allow rvm_tkobservium_80
never_direct allow rvm_rdweb_443
never_direct allow rvm_rdc_443
never_direct allow rvm_rdweb_80
never_direct allow rvm_osxserver_443
never_direct allow rvm_osxserver_80
never_direct allow rvm_lamp_80
never_direct allow rvm_exch2013_443
never_direct allow rvm_ras_443
never_direct allow rvm_exch2013_443
never_direct allow rvm_exch2013_80
never_direct allow rvm_fan_80
http_access allow rvm_hqcdiskstation8151
http_access allow rvm_hqcdiskstation8150
http_access allow rvm_tkobservium_80
http_access allow rvm_rdweb_443
http_access allow rvm_rdc_443
http_access allow rvm_rdweb_80
http_access allow rvm_osxserver_443
http_access allow rvm_osxserver_80
http_access allow rvm_lamp_80
http_access allow rvm_exch2013_443
http_access allow rvm_TK13_NEWZNAB2
http_access allow rvm_ras_443
http_access allow rvm_exch2013_443
http_access allow rvm_exch2013_80
http_access allow rvm_fan_80Custom options before auth
auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIREDCustom options after auth
Default block all to be sure
http_access deny allsrc
-
would you mind posting the lines you changed in your squid-reverse.inc for review ?
i could add them to the official package… -
With pleasure
But you're going to laugh … I don't find that file ;D
-
or just send me the file you have on your pfsense as a pn ;-)
one never finds things when searching ;-) -
with the next release of the squid package, AutoDiscover HTTP is included ;-)
so, no need to send the file anymore ;-)