Can't access exchange services. TCP-DENIED/403 for OWA



  • Hi,

    I've already posted this in the French forum, but since I had no response, and despite my poor English, I have to try here...

    I hope English-speaking people will not be angry with me and my English :-)

    Anyway...

    I cannot run my OWA, nor Outlook, through my pfSense with Squid and the Exchange publication through the reverse proxy.

    Context: professional environment, professional system administrator, but a pfSense layman; age of the firewall solution: new, being tested as a replacement for TMG, which is out of date ...

    Need: the goal is to publish Exchange using the Squid reverse proxy

    Test platform scheme:
    Exchange production server <-> pfSense <-> test PC

    On Exchange: static route to the test PC through pfSense
    On the test PC: static route to Exchange through pfSense
    On the test PC: IP resolution fixed by the hosts file for the names used (exch2013, autodiscover, owa)
    On Squid: DNS set to the internal DNS, which resolves these names to IPs

    WAN (modem / router / box): 1 network, 1 public IP on pfSense (192.168.87.11)

    LAN: 1 (172.17.0.2, the TMG being in .1), DHCP not concerned, local DNS (used by pfSense)

    NAT rules: nothing relevant to mail access for OWA, autodiscover, RPC/HTTPS nor ActiveSync (443 and 80)

    Firewall rules:
    the rules to be taken into account are those defined by the pages https://www.itwriting.com/blog/9592-publishing-exchange-with-pfsense.html and http://www.moh10ly.com/blog/pfsense/publishing-exchange-on-pfsense.
    Basically, rules allowing 443 and 80 from the WAN to pfSense (here to everything, to make the setup easier) and the Squid reverse proxy publication rules

    Added packages: Squid and its reverse proxy

    Other functions assigned to pfSense: nothing... for the moment

    (And here I leave the French forum's requested formalism)

    Question: not possible to run OWA, autodiscover, an already configured Outlook client, the Exchange client on a mobile phone ...
    For OWA, which is the one I dug into the most, the client does not connect, with "access forbidden", or, if the box "If checked, the reverse proxy will reset the TCP connection if the request is unauthorized" is checked, then "The connection to the server has been reset".
    In the Squid logs: error 192.168.87.187 TCP_DENIED / 403 https://exch2013.mustinformatique.fr/owa
    In the firewall logs I have permits for frames on port 443

    Leads considered: a lot of research on the net with no success (I searched a lot before choosing to post here)

    I tried to talk directly to the Exchange server address. It works, but it does not go through Squid.

    I tried to change the compatibility mode from modern to intermediate (and I have the impression that sometimes it worked for a few seconds at the time of this change, although I did not see it again during my last tests)

    I wonder if the problem comes:

    • the certificate, which I may not have registered properly. On my Exchange I use a multi-host certificate (whose principal host name is exch2013.mydomain.com) provided by GlobalSign. It came with an intermediate certificate. I had to fight to convert my certificate as a PFX to the desired format ... But my last attempt (I did it several times) is what is in the procedure http://www.moh10ly.com/blog/pfsense/publishing-exchange-on-pfsense, via DigiCert's tool.
      As for the intermediate certificate, I tried to put it at the CA level (System / Certificate Manager, or Intermediate CA Certificate (If Needed)) or in Package / Reverse Proxy Server / General, without more success.

    • since I do not know how to tell the reverse proxy that Exchange must rely on the name "exch2013" and not on "mail", as I saw in most topics I could find on this problem.

    • a setting of my Exchange not in conformity with what pfSense wants, that would be different from what TMG wants

    And in the log, I wonder if this 192.168.87.187 TCP_DENIED / 403 https://exch2013.mustinformatique.fr/owa indicates that it is Squid itself which refused (besides, with Wireshark I do not see frames on 443 arriving on my Exchange during my attempts; on the other hand, from time to time, I see frames arriving from the pfSense but not synchronized with my requests ... Squid would establish contact with the server regardless of the requests we made ... or maybe I misinterpreted some frames)

    Here, I am lost.
    What do you think?
    I hope someone will give me an answer ... My boss is pressuring me because it has been several months that I have had to put this in place ...

    Thank you... for reading me already!
    And sorry for this poor mix between my poor English and an automatic translation system.

    Regards.



  • Hi,
    Finally, I've got it.
    Squid/pfSense takes the "External FQDN" for the Exchange URL publication!!!
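The resolution above comes down to a name mismatch: the reverse proxy only forwards requests whose Host matches an "External FQDN" it publishes, and everything else is answered by Squid itself as TCP_DENIED/403 without ever reaching Exchange (which is why no port-443 frames showed up on the backend in Wireshark). The following script is an added example, not code from the thread or from the pfSense/Squid packages. It parses Squid's native access-log format, lists every TCP_DENIED entry, and reports which requested hostnames are absent from the published-FQDN list, so you can confirm a name mismatch from the logs before changing firewall rules or certificates. The sample log lines are constructed here; the hostnames exch2013 and autodiscover under mustinformatique.fr appear in the thread, while the mail. hostname and the 172.17.0.10 backend address are assumptions.

```python
import re
from urllib.parse import urlsplit

# Regex for Squid's native access-log format (the "squid" logformat):
#   timestamp elapsed client action/status bytes method URL user hierarchy/peer content-type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample lines, not taken from the poster's logs. The exch2013 and
# autodiscover names are the ones the thread mentions; the mail. host and the
# 172.17.0.10 backend are assumptions made for this example.
SAMPLE_LOG = """\
1590000001.123     12 192.168.87.187 TCP_DENIED/403 3651 GET https://exch2013.mustinformatique.fr/owa - HIER_NONE/- text/html
1590000002.456    340 192.168.87.187 TCP_MISS/200 5120 GET https://mail.mustinformatique.fr/owa - FIRSTUP_PARENT/172.17.0.10 text/html
1590000003.789     10 192.168.87.187 TCP_DENIED/403 3651 POST https://autodiscover.mustinformatique.fr/autodiscover/autodiscover.xml - HIER_NONE/- text/html
this line is not in squid format and is skipped
"""


def parse_squid_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = SQUID_NATIVE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()  # the name the client asked for
    rec["path"] = parts.path or "/"
    return rec


def classify_denials(log_text, published_fqdns):
    """List every TCP_DENIED entry with a reason derived from the published-FQDN set.

    A denied request whose Host is not among the External FQDNs configured in the
    reverse proxy is the name mismatch the thread ended on; a denied request for a
    published name points elsewhere (ACLs, peer definition, certificate).
    """
    published = {h.lower() for h in published_fqdns}
    findings = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["action"] != "TCP_DENIED":
            continue
        reason = ("host not in published External FQDN list"
                  if rec["host"] not in published
                  else "host is published; look at ACLs, peer or certificate")
        findings.append({"client": rec["client"], "host": rec["host"],
                         "path": rec["path"], "status": rec["status"],
                         "reason": reason})
    return findings


def missing_fqdns(log_text, published_fqdns):
    """Sorted hostnames that were denied and are absent from the published set."""
    return sorted({f["host"] for f in classify_denials(log_text, published_fqdns)
                   if f["reason"].startswith("host not in")})


if __name__ == "__main__":
    published = ["mail.mustinformatique.fr"]  # what the proxy was publishing
    for f in classify_denials(SAMPLE_LOG, published):
        print(f"{f['client']} -> {f['host']}{f['path']} ({f['status']}): {f['reason']}")
    print("External FQDNs to add:", ", ".join(missing_fqdns(SAMPLE_LOG, published)))
```

Run it against a copy of /var/squid/logs/access.log with the External FQDNs currently configured in the reverse proxy; every name it lists under "External FQDNs to add" is one the clients are asking for but Squid is refusing before any backend contact, which is exactly the symptom described in the first post.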