Netgate Discussion Forum

    Squid 3 - Exchange 2013 SP1

      trendchiller

      are you running 32 or 64 bit pfSense ?

        stanthewizard

        64

          stanthewizard

          No idea what is the issue ? :o

            trendchiller

            autodiscover only works with SSL (with the package) and the analyzer first tries 80 and then as a fallback solution 443, so by design there is no port 80 autodiscover…
            does it not work at all without port 80 ?

              stanthewizard

              impossible to negotiate on port 80 (ok) or 443

              I have unchecked both mapi and autodiscover
              with my own rules it works

              very strange isn't it ?

              BTW … thanks for your reply

                trendchiller

                could you post (or send me) your squid.conf file ? (/usr/pbi/squid-i386/etc/squid/squid.conf)

                  stanthewizard

                  YES

                  # This file is automatically generated by pfSense
                  # Do not edit manually !

                  http_port 127.0.0.1:3128
                  icp_port 0
                  dns_v4_first off
                  pid_filename /var/run/squid.pid
                  cache_effective_user proxy
                  cache_effective_group proxy
                  error_default_language fr
                  icon_directory /usr/pbi/squid-amd64/etc/squid/icons
                  visible_hostname localhost
                  cache_mgr admin@localhost
                  access_log /var/squid/log/access.log
                  cache_log /var/squid/log/cache.log
                  cache_store_log none
                  netdb_filename /var/squid/log/netdb.state
                  pinger_enable on
                  pinger_program /usr/pbi/squid-amd64/libexec/squid/pinger

                  logfile_rotate 1
                  debug_options rotate=1
                  shutdown_lifetime 3 seconds
                  uri_whitespace strip

                  acl dynamic urlpath_regex cgi-bin \?
                  cache deny dynamic

                  cache_mem 8 MB
                  maximum_object_size_in_memory 32 KB
                  memory_replacement_policy heap GDSF
                  cache_replacement_policy heap LFUDA
                  cache_dir ufs /var/squid/cache 100 16 256
                  minimum_object_size 0 KB
                  maximum_object_size 4 KB
                  offline_mode off
                  cache_swap_low 90
                  cache_swap_high 95
                  cache allow all

                  # No redirector configured

                  #Remote proxies

                  # Setup some default acls
                  # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

                  acl localhost src 127.0.0.1/32

                  acl allsrc src all
                  acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 50080 3128 3127 1025-65535
                  acl sslports port 443 563 50080

                  # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

                  #acl manager proto cache_object

                  acl purge method PURGE
                  acl connect method CONNECT

                  # Define protocols used for redirects

                  acl HTTP proto HTTP
                  acl HTTPS proto HTTPS
                  http_access allow manager localhost

                  http_access deny manager
                  http_access allow purge localhost
                  http_access deny purge
                  http_access deny !safeports
                  http_access deny CONNECT !sslports

                  # Always allow localhost connections
                  # From 3.2 further configuration cleanups have been done to make things easier and safer.
                  # The manager, localhost, and to_localhost ACL definitions are now built-in.

                  http_access allow localhost

                  request_body_max_size 0 KB
                  delay_pools 1
                  delay_class 1 2
                  delay_parameters 1 -1/-1 -1/-1
                  delay_initial_bucket_level 100
                  delay_access 1 allow allsrc

                  # Reverse Proxy settings

                  http_port 127.0.0.1:80 accel defaultsite=mydomain.etc vhost
                  https_port 127.0.0.1:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
                  http_port 192.168.1.200:80 accel defaultsite=mydomain.etc vhost
                  https_port 192.168.1.200:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
                  cache_peer 192.168.0.8 parent 443 0 proxy-only no-query originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs
                  #Syno HTTPS (8151)
                  cache_peer 192.168.0.100 parent 8151 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_hqcdiskstation_8151

                  #Syno HTTP (8150)
                  cache_peer 192.168.0.100 parent 8150 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_hqcdiskstation_8150

                  #rdweb_80
                  cache_peer 192.168.0.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_rdweb_80

                  #rdweb_443
                  cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdweb_443

                  #tkobservium_80
                  cache_peer 192.168.0.27 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_tkobservium_80

                  #rdc_443
                  cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdc_443

                  #osxserver_80
                  cache_peer 192.168.0.18 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_osxserver_80

                  #osxserver_443
                  cache_peer 192.168.0.18 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_osxserver_443

                  #lamp_80
                  cache_peer 192.168.0.28 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_lamp_80

                  #exch2013_443
                  cache_peer 192.168.0.8 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exch2013_443

                  #ras_443
                  cache_peer 192.168.0.23 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_ras_443

                  #exch2013_80
                  cache_peer 192.168.0.8 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_exch2013_80

                  #fan_80
                  cache_peer 192.168.0.29 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_fan_80

                  ignore_expect_100 on
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/owa.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchange.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/public.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchweb.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/ecp.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/OAB.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/Microsoft-Server-ActiveSync.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpc/rpcproxy.dll.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpcwithcert/rpcproxy.dll.*$
                  acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/EWS.*$
                  acl rvm_hqcdiskstation8151 url_regex -i ^https://synologyssl.mydomain.etc.*$
                  acl rvm_hqcdiskstation8150 url_regex -i ^http://synology.mydomain.etc.*$
                  acl rvm_tkobservium_80 url_regex -i tkobservium.mydomain.etc
                  acl rvm_rdweb_443 url_regex -i ^https://rdweb.mydomain.etc/.*$
                  acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpcwithcert/rpcproxy.dll.*$
                  acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpc/rpcproxy.dll.*$
                  acl rvm_rdweb_80 url_regex -i http://rdweb.mydomain.etc
                  acl rvm_osxserver_443 url_regex -i ^https://osxserver.mydomain.etc.*$
                  acl rvm_osxserver_80 url_regex -i ^http://osxserver.mydomain.etc/.*$
                  acl rvm_lamp_80 url_regex -i lamp.mydomain.etc
                  acl rvm_exch2013_443 url_regex -i mydomain.etc/mapi/.*$
                  acl rvm_ras_443 url_regex -i ^https://ras.mydomain.etc/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}.*$
                  acl rvm_exch2013_443 url_regex -i ^https://autodiscover.mydomain.etc/.*$
                  acl rvm_exch2013_80 url_regex -i ^http://autodiscover.mydomain.etc/.*$
                  acl rvm_fan_80 url_regex -i fan.mydomain.etc
                  cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs
                  cache_peer_access OWA_HOST_pfs deny allsrc
                  never_direct allow OWA_URI_pfs
                  http_access allow OWA_URI_pfs
                  cache_peer_access rvp_hqcdiskstation_8151 allow rvm_hqcdiskstation8151
                  cache_peer_access rvp_hqcdiskstation_8150 allow rvm_hqcdiskstation8150
                  cache_peer_access rvp_tkobservium_80 allow rvm_tkobservium_80
                  cache_peer_access rvp_rdweb_443 allow rvm_rdweb_443
                  cache_peer_access rvp_rdc_443 allow rvm_rdc_443
                  cache_peer_access rvp_rdweb_80 allow rvm_rdweb_80
                  cache_peer_access rvp_osxserver_443 allow rvm_osxserver_443
                  cache_peer_access rvp_osxserver_80 allow rvm_osxserver_80
                  cache_peer_access rvp_lamp_80 allow rvm_lamp_80
                  cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
                  cache_peer_access rvp_ras_443 allow rvm_ras_443
                  cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
                  cache_peer_access rvp_exch2013_80 allow rvm_exch2013_80
                  cache_peer_access rvp_fan_80 allow rvm_fan_80
                  cache_peer_access rvp_hqcdiskstation_8151 deny allsrc
                  cache_peer_access rvp_shqcsubsonic_80 deny allsrc
                  cache_peer_access rvp_hqcdiskstation_8150 deny allsrc
                  cache_peer_access rvp_tkobservium_80 deny allsrc
                  cache_peer_access rvp_rdweb_443 deny allsrc
                  cache_peer_access rvp_rdc_443 deny allsrc
                  cache_peer_access rvp_rdweb_80 deny allsrc
                  cache_peer_access rvp_osxserver_443 deny allsrc
                  cache_peer_access rvp_osxserver_80 deny allsrc
                  cache_peer_access rvp_lamp_80 deny allsrc
                  cache_peer_access rvp_exch2013_443 deny allsrc
                  cache_peer_access rvp_newznab2_80 deny allsrc
                  cache_peer_access rvp_ras_443 deny allsrc
                  cache_peer_access rvp_exch2013_443 deny allsrc
                  cache_peer_access rvp_exch2013_80 deny allsrc
                  cache_peer_access rvp_fan_80 deny allsrc
                  never_direct allow rvm_hqcdiskstation8151
                  never_direct allow rvm_hqcdiskstation8150
                  never_direct allow rvm_tkobservium_80
                  never_direct allow rvm_rdweb_443
                  never_direct allow rvm_rdc_443
                  never_direct allow rvm_rdweb_80
                  never_direct allow rvm_osxserver_443
                  never_direct allow rvm_osxserver_80
                  never_direct allow rvm_lamp_80
                  never_direct allow rvm_exch2013_443
                  never_direct allow rvm_ras_443
                  never_direct allow rvm_exch2013_443
                  never_direct allow rvm_exch2013_80
                  never_direct allow rvm_fan_80
                  http_access allow rvm_hqcdiskstation8151
                  http_access allow rvm_hqcdiskstation8150
                  http_access allow rvm_tkobservium_80
                  http_access allow rvm_rdweb_443
                  http_access allow rvm_rdc_443
                  http_access allow rvm_rdweb_80
                  http_access allow rvm_osxserver_443
                  http_access allow rvm_osxserver_80
                  http_access allow rvm_lamp_80
                  http_access allow rvm_exch2013_443
                  http_access allow rvm_TK13_NEWZNAB2
                  http_access allow rvm_ras_443
                  http_access allow rvm_exch2013_443
                  http_access allow rvm_exch2013_80
                  http_access allow rvm_fan_80

                  # Custom options before auth

                  auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd
                  auth_param basic children 5
                  auth_param basic realm Please enter your credentials to access the proxy
                  auth_param basic credentialsttl 5 minutes
                  acl password proxy_auth REQUIRED

                  # Custom options after auth

                  # Default block all to be sure

                  http_access deny allsrc
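
Added example, not part of the original posts or the pfSense package: a small Python check over a reverse-proxy section like the one posted above. It flags peers with `sslflags=DONT_VERIFY_PEER`, `url_regex` ACLs with no `^` anchor, and access rules naming a peer or ACL that is never defined; the sample lines are abridged from the post and the finding labels are this example's own.

```python
# Constructed sample: abridged lines from the squid.conf posted above.
SAMPLE = """\
cache_peer 192.168.0.8 parent 443 0 originserver login=PASSTHRU ssl sslflags=DONT_VERIFY_PEER name=rvp_exch2013_443
cache_peer 192.168.0.28 parent 80 0 originserver login=PASSTHRU name=rvp_lamp_80
acl allsrc src all
acl rvm_exch2013_443 url_regex -i ^https://autodiscover.mydomain.etc/.*$
acl rvm_lamp_80 url_regex -i lamp.mydomain.etc
cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
cache_peer_access rvp_lamp_80 allow rvm_lamp_80
cache_peer_access rvp_newznab2_80 deny allsrc
http_access allow rvm_TK13_NEWZNAB2
http_access deny allsrc
"""

BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}  # built into Squid 3.2+

def lint(conf):
    """Return (finding, name) tuples for a squid.conf reverse-proxy section."""
    rows = [l.split() for l in conf.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    peers, acls, findings = set(), set(BUILTIN_ACLS), []
    for t in rows:  # pass 1: collect definitions and check each one
        if t[0] == "cache_peer":
            name = next((o[5:] for o in t if o.startswith("name=")), t[1])
            peers.add(name)
            if any(o.startswith("sslflags=") and "DONT_VERIFY_PEER" in o for o in t):
                findings.append(("peer-cert-not-verified", name))
        elif t[0] == "acl" and len(t) > 2:
            acls.add(t[1].lower())
            pats = [p for p in t[3:] if not p.startswith("-")]
            # An unanchored url_regex matches the string anywhere in the URL,
            # path and query included, so the ACL is wider than the hostname.
            if t[2] == "url_regex" and any(not p.startswith("^") for p in pats):
                findings.append(("unanchored-url-regex", t[1]))
    for t in rows:  # pass 2: every reference must resolve to a definition
        if t[0] == "cache_peer_access":
            if t[1] not in peers:
                findings.append(("undefined-peer", t[1]))
            refs = t[3:]
        elif t[0] in ("http_access", "never_direct"):
            refs = t[2:]
        else:
            continue
        for r in refs:
            if r.lstrip("!").lower() not in acls:  # this example compares names case-insensitively
                findings.append(("undefined-acl", r.lstrip("!")))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(*finding)
```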

                    trendchiller

                    would you mind posting the lines you changed in your squid-reverse.inc for review ?
                    i could add them to the official package…

                      stanthewizard

                      With pleasure

                      But you're going to laugh … I don't find that file  ;D

                        trendchiller

                        or just send me the file you have on your pfsense as a pn ;-)
                        one never finds things when searching ;-)

                          trendchiller

                          with the next release of the squid package, AutoDiscover HTTP is included ;-)
                          so, no need to send the file anymore ;-)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.