Squid 3 - Exchange 2013 SP1

stanthewizard

It's the 3.3.10 PKG 2.2.5 ?

trendchiller

Yes

stanthewizard

maybe a snapchot before to avoid a veeam restore ;)

stanthewizard

Done and working ;D

trendchiller

Good news ;-)

stanthewizard

Oupsy

Got a strange issue

The Microsoft Connectivity Analyzer is checking the host autodiscover.mydomain.com for an HTTP redirect to the Autodiscover service.
The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.

An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <title>ERREUR: L'URL demandée n'a pas pu être trouvé</title>

ERROR

The requested URL could not be retrieved

L'erreur suivante s'est produite en essayant d'accéder à l'URL : http://autodiscover.sdskh.com/Autodiscover/Autodiscover.xml

Accès interdit.

La configuration du contrôle d'accès, empêche votre requête d'être acceptée. Si vous pensez que c'est une erreur, contactez votre fournisseur d'accès.

Votre administrateur proxy est admin@localhost.

Générer le Tue, 10 Jun 2014 08:46:04 GMT par localhost (squid/3.3.10)

I think I need some help ;)

EDIT: I created with GUI webserver exch80 and exch443
Then mapped to autodiscover.mydomain.com (map to both exch80 and exch443) then added mapi.mydomaine.com (map to exch44)
Everything works. I think there is an issue in the package

trendchiller

are you running 32 or 64 bit pfSense ?

stanthewizard

64

stanthewizard

No idea what is the issue ? :o

trendchiller

autodiscover omly works with SSL (with the package) and the analyzer first tries 80 and then as a fallback solution 443, so by design there is no port 80 autodiscover…
does it not work at all without port 80 ?

stanthewizard

impossible to negociate on port 80 (ok) or 443

I have unchecked booth mapi and autodiscover
with my own rules it works

very strange isn't it ?

BTW … thanks for your reply

trendchiller

could you post (or send me) your squid.conf file ? (/usr/pbi/squid-i386/etc/squid/squid.conf)

stanthewizard

YES

This file is automatically generated by pfSense

Do not edit manually !

http_port 127.0.0.1:3128
icp_port 0
dns_v4_first off
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language fr
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/log/access.log
cache_log /var/squid/log/cache.log
cache_store_log none
netdb_filename /var/squid/log/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/libexec/squid/pinger

logfile_rotate 1
debug_options rotate=1
shutdown_lifetime 3 seconds
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin ?
cache deny dynamic

cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all

No redirector configured

#Remote proxies

Setup some default acls

From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

acl localhost src 127.0.0.1/32

acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 50080 3128 3127 1025-65535
acl sslports port 443 563 50080

From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

Define protocols used for redirects

acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

Always allow localhost connections

From 3.2 further configuration cleanups have been done to make things easier and safer.

The manager, localhost, and to_localhost ACL definitions are now built-in.

http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

Reverse Proxy settings

http_port 127.0.0.1:80 accel defaultsite=mydomain.etc vhost
https_port 127.0.0.1:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
http_port 192.168.1.200:80 accel defaultsite=mydomain.etc vhost
https_port 192.168.1.200:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
cache_peer 192.168.0.8 parent 443 0 proxy-only no-query originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs
#Syno HTTPS (8151)
cache_peer 192.168.0.100 parent 8151 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_hqcdiskstation_8151

#Syno HTTP (8150)
cache_peer 192.168.0.100 parent 8150 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_hqcdiskstation_8150

#rdweb_80
cache_peer 192.168.0.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_rdweb_80

#rdweb_443
cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdweb_443

#tkobservium_80
cache_peer 192.168.0.27 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_tkobservium_80

#rdc_443
cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdc_443

#osxserver_80
cache_peer 192.168.0.18 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_osxserver_80

#osxserver_443
cache_peer 192.168.0.18 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_osxserver_443

#lamp_80
cache_peer 192.168.0.28 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_lamp_80

#exch2013_443
cache_peer 192.168.0.8 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exch2013_443

#ras_443
cache_peer 192.168.0.23 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_ras_443

#exch2013_80
cache_peer 192.168.0.8 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_exch2013_80

#fan_80
cache_peer 192.168.0.29 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_fan_80

ignore_expect_100 on
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/owa.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchange.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/public.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchweb.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/ecp.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/OAB.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/Microsoft-Server-ActiveSync.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpc/rpcproxy.dll.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpcwithcert/rpcproxy.dll.$
acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/EWS.$
acl rvm_hqcdiskstation8151 url_regex -i ^https://synologyssl.mydomain.etc.$
acl rvm_hqcdiskstation8150 url_regex -i ^http://synology.mydomain.etc.$
acl rvm_tkobservium_80 url_regex -i tkobservium.mydomain.etc
acl rvm_rdweb_443 url_regex -i ^https://rdweb.mydomain.etc/.$
acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpcwithcert/rpcproxy.dll.$
acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpc/rpcproxy.dll.$
acl rvm_rdweb_80 url_regex -i http://rdweb.mydomain.etc
acl rvm_osxserver_443 url_regex -i ^https://osxserver.mydomain.etc.$
acl rvm_osxserver_80 url_regex -i ^http://osxserver.mydomain.etc/.$
acl rvm_lamp_80 url_regex -i lamp.mydomain.etc
acl rvm_exch2013_443 url_regex -i mydomain.etc/mapi/.$
acl rvm_ras_443 url_regex -i ^https://ras.mydomain.etc/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}.$
acl rvm_exch2013_443 url_regex -i ^https://autodiscover.mydomain.etc/.$
acl rvm_exch2013_80 url_regex -i ^http://autodiscover.mydomain.etc/.*$
acl rvm_fan_80 url_regex -i fan.mydomain.etc
cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_pfs deny allsrc
never_direct allow OWA_URI_pfs
http_access allow OWA_URI_pfs
cache_peer_access rvp_hqcdiskstation_8151 allow rvm_hqcdiskstation8151
cache_peer_access rvp_hqcdiskstation_8150 allow rvm_hqcdiskstation8150
cache_peer_access rvp_tkobservium_80 allow rvm_tkobservium_80
cache_peer_access rvp_rdweb_443 allow rvm_rdweb_443
cache_peer_access rvp_rdc_443 allow rvm_rdc_443
cache_peer_access rvp_rdweb_80 allow rvm_rdweb_80
cache_peer_access rvp_osxserver_443 allow rvm_osxserver_443
cache_peer_access rvp_osxserver_80 allow rvm_osxserver_80
cache_peer_access rvp_lamp_80 allow rvm_lamp_80
cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
cache_peer_access rvp_ras_443 allow rvm_ras_443
cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
cache_peer_access rvp_exch2013_80 allow rvm_exch2013_80
cache_peer_access rvp_fan_80 allow rvm_fan_80
cache_peer_access rvp_hqcdiskstation_8151 deny allsrc
cache_peer_access rvp_shqcsubsonic_80 deny allsrc
cache_peer_access rvp_hqcdiskstation_8150 deny allsrc
cache_peer_access rvp_tkobservium_80 deny allsrc
cache_peer_access rvp_rdweb_443 deny allsrc
cache_peer_access rvp_rdc_443 deny allsrc
cache_peer_access rvp_rdweb_80 deny allsrc
cache_peer_access rvp_osxserver_443 deny allsrc
cache_peer_access rvp_osxserver_80 deny allsrc
cache_peer_access rvp_lamp_80 deny allsrc
cache_peer_access rvp_exch2013_443 deny allsrc
cache_peer_access rvp_newznab2_80 deny allsrc
cache_peer_access rvp_ras_443 deny allsrc
cache_peer_access rvp_exch2013_443 deny allsrc
cache_peer_access rvp_exch2013_80 deny allsrc
cache_peer_access rvp_fan_80 deny allsrc
never_direct allow rvm_hqcdiskstation8151
never_direct allow rvm_hqcdiskstation8150
never_direct allow rvm_tkobservium_80
never_direct allow rvm_rdweb_443
never_direct allow rvm_rdc_443
never_direct allow rvm_rdweb_80
never_direct allow rvm_osxserver_443
never_direct allow rvm_osxserver_80
never_direct allow rvm_lamp_80
never_direct allow rvm_exch2013_443
never_direct allow rvm_ras_443
never_direct allow rvm_exch2013_443
never_direct allow rvm_exch2013_80
never_direct allow rvm_fan_80
http_access allow rvm_hqcdiskstation8151
http_access allow rvm_hqcdiskstation8150
http_access allow rvm_tkobservium_80
http_access allow rvm_rdweb_443
http_access allow rvm_rdc_443
http_access allow rvm_rdweb_80
http_access allow rvm_osxserver_443
http_access allow rvm_osxserver_80
http_access allow rvm_lamp_80
http_access allow rvm_exch2013_443
http_access allow rvm_TK13_NEWZNAB2
http_access allow rvm_ras_443
http_access allow rvm_exch2013_443
http_access allow rvm_exch2013_80
http_access allow rvm_fan_80

Custom options before auth

auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd
auth_param basic children 5
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED

Custom options after auth

Default block all to be sure

http_access deny allsrc

trendchiller

would you mind posting the lines you changed in your squid-reverse.inc for review ?
i could add them to the official package…

stanthewizard

With pleasure

But you're going to laugh … I don't find that file ;D

trendchiller

or just send me the file you have on your pfsense as a pn ;-)
one never finds things when searching ;-)

trendchiller

with the next release of the squid package, AutoDiscover HTTP is included ;-)
so, no need to send the file anymore ;-)