Can't access Exchange services. TCP_DENIED/403 for OWA
-
Hi,
I've already posted this in the French forum, but since I got no response, and despite my poor English, I have to try here...
I hope English-speaking people will not be angry with me and my English :-)
Anyway...
I cannot get my OWA, nor Outlook, to work through my pfSense with Squid and the Exchange publication through the reverse proxy.
Context: professional environment, professional system administrator, but a pfSense layman; age of the firewall solution: new, being tested as a replacement for an out-of-date TMG...
Need: the goal is to publish Exchange using the Squid reverse proxy
Scheme of the test platform:
Exchange production server <-> pfSense <-> test PC
On Exchange: static route to the test PC through pfSense
On the test PC: static route to Exchange through pfSense
On the test PC: IP resolution fixed by the hosts file for the names used (exch2013, autodiscover, owa)
DNS: Squid set to the internal DNS, which resolves these names to the WAN IP. WAN (modem / router / box): 1 network, 1 public IP on pfSense (192.168.87.11)
LAN: 1 (172.17.0.2, the TMG being in .1), DHCP not concerned, local DNS (used by pfSense)
NAT rules: nothing relevant to mail access for OWA, autodiscover, RPC/HTTPS or ActiveSync (443 and 80)
Firewall rules:
the rules to be taken into account are those defined in the pages https://www.itwriting.com/blog/9592-publishing-exchange-with-pfsense.html and http://www.moh10ly.com/blog/pfsense/publishing-exchange-on-pfsense.
Basically, rules allowing 443 and 80 from the WAN to pfSense (here, to everything, to facilitate the setup) and the reverse proxy publication rules
Added packages: Squid and its reverse proxy
Other functions assigned to pfSense: nothing... for the moment
(And here I leave the French forum's requested formalism)
Question: not possible to get OWA, autodiscover, an already-configured Outlook client, or the Exchange client on a mobile phone to work...
For OWA, which is the one I dug into the most, the client does not connect, with "access forbidden", or, if the box "If checked, the reverse proxy will reset the TCP connection if the request is unauthorized" is checked, then "The connection to the server has been reset".
In the Squid logs: error 192.168.87.187 TCP_DENIED/403 https://exch2013.mustinformatique.fr/owa
In the firewall logs I see frames on port 443 being allowed.
Leads considered: a lot of research on the net with no success (I searched a lot before choosing to post here)
I tried to talk directly to the Exchange server address. It works, but it does not go through Squid.
I tried to change the compatibility mode from modern to intermediate (and I have the impression that it sometimes worked for a few seconds after this change, although I did not see it again during my last tests).
I wonder if the problem comes from:
- a certificate that I have not registered properly. I use on my Exchange a multi-host certificate (whose principal host name is exch2013.mydomain.com) provided by GlobalSign. It was provided with an intermediate certificate. I had to fight to convert my certificate from a PFX to the desired format... But my last attempt (I did it several times) is what is in the procedure at http://www.moh10ly.com/blog/pfsense/publishing-exchange-on-pfsense, via DigiCert's tool.
As for the intermediate certificate, I tried to put it at the CA level (System / Certificate Manager, or "Intermediate CA Certificate (If Needed)"), or in Package / Reverse Proxy Server / General, without more success.
- since I do not know how to tell the reverse proxy that Exchange must rely on the name "exch2013" and not on "mail", as I saw in most topics I could find on this problem.
- a setting of my Exchange not in conformity with what pfSense wants, which would be different from what TMG wants
And in the log, I wonder if this "192.168.87.187 TCP_DENIED/403 https://exch2013.mustinformatique.fr/owa" really indicates that it is Squid itself that refused (besides, with Wireshark I do not see 443 frames arriving on my Exchange during my attempts; on the other hand, from time to time, I see frames arriving from the pfSense, but not synchronized with my requests... Squid would establish contact with the server regardless of the requests we make... or maybe I misinterpreted some frames).
Here I am, lost.
What do you think?
I hope someone will give me an answer... My boss is on my back because it's been several months that I've had to put this in place...
Thank you... for reading me already!
And sorry for this poor mix between my poor English and an automatic translation system.
Regards.
-
-
Hi,
Finally I've got it.
Squid/pfSense takes the "External FQDN" for the Exchange URL publication!!!
-
Hello.
I have the same problem.
Tell me, how did you solve it?
-
Hi,
It's quite simple.
Your external FQDN linked to your certificate must be filled in the External FQDN field.
Regards.
-
Unfortunately I did not understand you.
I have these parameters in Package \ Reverse Proxy Server: General, under Squid Reverse Proxy General Settings:
External FQDN: Mydomain.com
Squid Reverse HTTPS Settings:
Reverse SSL Certificate: *.Mydomain.com (I have an external certificate for *.Mydomain.com)
Intermediate CA Certificate: COMODO RSA Domain Validation Secure Server CA
What am I doing wrong?
Regards.
-
Ouch... Really sorry!
I think I've made a mistake... I don't have the pfSense server anymore, but I think that it was not External FQDN but "Reverse HTTPS default site" which matters...
And I'm wondering if you don't have to use a host name and not a domain one, something like host.mydomain.com and not only domain.com...
But my certificate wasn't a wildcard. So I could be wrong.
To be complete, there are some points I have to add here:
- to get through this issue, I used the console to look at Squid's configuration files. It's not so difficult, and there you can find the SSL addresses usable to connect
- I've never been able to have everything working as it should with pfSense with Squid on it. One colleague of mine tried again with a fresh install of pfSense to be sure there's no artefact of what I did. But for me, as I read it so many times, pfSense does not work fine with Squid (we forgot Squid and changed to a commercial solution)
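The diagnosis the thread arrives at (Squid in accelerator mode only forwards requests whose URL matches one of the published mapping ACLs, so a request for a name that was never published is answered with TCP_DENIED/403 by Squid itself and nothing reaches Exchange) can be checked directly against the configuration files the last poster mentions reading on the console. What follows is an added example, not code from the thread or from the pfSense or Squid projects: it pulls the url_regex ACLs that an http_access allow line references out of a squid.conf fragment and reports, for each 403 in access.log, which published URL (if any) the denied request would have matched. The squid.conf fragment and the log lines are constructed for the example; example.com, the 172.17.0.10 peer and the rvp_/rvm_ names follow the shape of what the pfSense package writes but are assumptions, not values from either poster's setup.

```python
import re
from typing import Dict, List, Optional, Tuple


def build_conf(published_host: str) -> str:
    """Constructed squid.conf fragment in the style of the pfSense reverse-proxy
    package. Names, addresses and paths are assumptions for this example."""
    esc = re.escape(published_host)
    return f"""
https_port 192.168.87.11:443 accel cert=/usr/local/etc/squid/cert.pem key=/usr/local/etc/squid/key.pem defaultsite={published_host} vhost
cache_peer 172.17.0.10 parent 443 0 proxy-only no-query originserver ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exchange
acl rvm_owa url_regex -i ^https://{esc}/owa.*$
acl rvm_autodiscover url_regex -i ^https://{esc}/autodiscover.*$
cache_peer_access rvp_exchange allow rvm_owa
cache_peer_access rvp_exchange allow rvm_autodiscover
cache_peer_access rvp_exchange deny allsrc
http_access allow rvm_owa
http_access allow rvm_autodiscover
http_access deny all
"""


# Constructed access.log lines in Squid's native format: timestamp, elapsed ms,
# client, result/status, bytes, method, URL, user, hierarchy/peer, content type.
ACCESS_LOG = """\
1538054400.101      0 192.168.87.187 TCP_DENIED/403 3995 GET https://exch2013.example.com/owa - HIER_NONE/- text/html
1538054401.220    312 192.168.87.187 TCP_MISS/200 18744 GET https://mail.example.com/owa/ - FIRSTUP_PARENT/172.17.0.10 text/html
1538054402.005      0 192.168.87.187 TCP_DENIED/403 3995 GET https://owa.example.com/owa - HIER_NONE/- text/html
"""

ACL_RE = re.compile(r"^acl\s+(\S+)\s+url_regex\s+(-i\s+)?(\S+)\s*$")
ALLOW_RE = re.compile(r"^http_access\s+allow\s+(\S+)")
DEFAULTSITE_RE = re.compile(r"^https?_port\s.*\bdefaultsite=(\S+)")


def published_acls(conf: str) -> Dict[str, re.Pattern]:
    """url_regex ACLs that some http_access allow line actually references."""
    acls: Dict[str, re.Pattern] = {}
    allowed = set()
    for raw in conf.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, case_insensitive, pattern = m.groups()
            acls[name] = re.compile(pattern, re.IGNORECASE if case_insensitive else 0)
            continue
        m = ALLOW_RE.match(line)
        if m:
            allowed.add(m.group(1))
    return {name: rx for name, rx in acls.items() if name in allowed}


def default_site(conf: str) -> Optional[str]:
    """The defaultsite= value of the first http(s)_port line, i.e. the name
    Squid assumes when the client sends no usable Host header."""
    for raw in conf.splitlines():
        m = DEFAULTSITE_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def parse_access_log(text: str) -> List[dict]:
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 7:
            continue
        result, _, status = fields[3].partition("/")
        entries.append({"client": fields[2], "result": result, "status": int(status),
                        "method": fields[5], "url": fields[6]})
    return entries


def explain_denials(conf: str, log_text: str) -> List[Tuple[str, Optional[str]]]:
    """For every 403 in the log: (URL, name of the published ACL it matches, or None)."""
    acls = published_acls(conf)
    out = []
    for entry in parse_access_log(log_text):
        if entry["status"] != 403:
            continue
        hit = next((name for name, rx in acls.items() if rx.search(entry["url"])), None)
        out.append((entry["url"], hit))
    return out


if __name__ == "__main__":
    for host in ("mail.example.com", "exch2013.example.com"):
        conf = build_conf(host)
        print(f"published as {host} (defaultsite={default_site(conf)})")
        for url, hit in explain_denials(conf, ACCESS_LOG):
            print(f"  403 {url}: " + (f"matches {hit}" if hit else "matches no published URL"))
```

Run as a script, the first pass (reverse proxy publishing mail.example.com) shows the OWA request for exch2013.example.com matching no published URL, which is exactly the TCP_DENIED/403 the original poster saw; after the published name is corrected, that request matches rvm_owa, while the short hosts-file alias owa.example.com is still denied because it was never published either.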