Squid 3 - Exchange 2013 SP1



  • Hello

    Huge issue with Exchange 2013 SP1 and the new protocol MAPI over HTTP (in place of RPC over HTTPS)

    Squid has no GUI settings for MAPI and I tried to change the squid_reverse conf manually with no success at all.

    Can someone help me ?

    Thanks



  • i already committed a change, just needs to be approved by the core team…



  • Cool

    I changed the conf file without the GUI … and managed to make it worked

    GUI is a welcomed change
    ;D



  • did you just add the /mapi uri or didi you change other settings, too ?



  • After digging in my conf
    here is what I did (simpler in fact)

    Simple mapping through GUI with this URI

    mydomainename.com/mapi.*$



  • well, that's one thing the gui does, too ;-)
    how did you configure the external auth in exchange 2013 ?
    set negotiate auth on outlook-anywhere ?



  • in squid 3.3 (beta) there will be passthru auth implemented (which means you can pass all types of auth to the backend)  :)



  • It's negotiate (if I remember correctly)

    What could be a very (but very) good thing is to easily block the ECP ! (it's not that simple)

    I'm eagerly awaiting for that new package !



  • The package is here !!!  :D



  • Just to be curious, are you running an exchange dag ?



  • Nope it's just for my lab for the moment
    BUT
    It's one of my many project …

    The question about the DAG is because there is only one IP adress in squid RP ?



  • No,
    As the reverse ip, just put the dag ip.
    Just asked bacause of a config question ;-)



  • ok

    I have an issue with the update

    Jun 7 14:30:49 squid: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 82: cache_peer 192.168.0.4 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinname=rvp_xxx_80

    Jun 7 14:30:49 php: rc.start_packages: The command '/usr/pbi/squid-amd64/sbin/squid -f /usr/pbi/squid-amd64/etc/squid/squid.conf' returned exit code '1', the output was '2014/06/07 14:30:49| parse_peer: token='round-robinname=rvp_xxx_80' FATAL: Bungled /usr/pbi/squid-amd64/etc/squid/squid.conf line 82: cache_peer 192.168.0.4 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robinname=rvp_xxx_80 Squid Cache (Version 3.3.10): Terminated abnormally. CPU Usage: 0.010 seconds = 0.005 user + 0.005 sys Maximum Resident Size: 38032 KB Page faults with physical i/o: 0'



  • Oh, i see…
    There's a missing space after round-robin.
    I'll patch this later this evening ...
    Sorry ...



  • patch checked in, should be committed tonight…



  • It should now work. The patch is online ;-)



  • It's the 3.3.10 PKG 2.2.5 ?



  • Yes



  • maybe a snapchot before to avoid a veeam restore  ;)



  • Done and working  ;D



  • Good news ;-)



  • Oupsy

    Got a strange issue

    The Microsoft Connectivity Analyzer is checking the host autodiscover.mydomain.com for an HTTP redirect to the Autodiscover service.
    The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.

    An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: <title>ERREUR: L'URL demandée n'a pas pu être trouvé</title>

    ERROR

    The requested URL could not be retrieved


    L'erreur suivante s'est produite en essayant d'accéder à l'URL : http://autodiscover.sdskh.com/Autodiscover/Autodiscover.xml

    Accès interdit.

    La configuration du contrôle d'accès, empêche votre requête d'être acceptée. Si vous pensez que c'est une erreur, contactez votre fournisseur d'accès.

    Votre administrateur proxy est admin@localhost.


    Générer le Tue, 10 Jun 2014 08:46:04 GMT par localhost (squid/3.3.10)

    I think I need some help  ;)

    EDIT: I created with GUI webserver exch80 and exch443
    Then mapped to autodiscover.mydomain.com (map to both exch80 and exch443) then added mapi.mydomaine.com (map to exch44)
    Everything works. I think there is an issue in the package



  • are you running 32 or 64 bit pfSense ?



  • 64



  • No idea what is the issue ? :o



  • autodiscover omly works with SSL (with the package) and the analyzer first tries 80 and then as a fallback solution 443, so by design there is no port 80 autodiscover…
    does it not work at all without port 80 ?



  • impossible to negociate on port 80 (ok) or 443

    I have unchecked booth mapi and autodiscover
    with my own rules it works

    very strange isn't it ?

    BTW … thanks for your reply



  • could you post (or send me) your squid.conf file ? (/usr/pbi/squid-i386/etc/squid/squid.conf)



  • YES

    This file is automatically generated by pfSense

    Do not edit manually !

    http_port 127.0.0.1:3128
    icp_port 0
    dns_v4_first off
    pid_filename /var/run/squid.pid
    cache_effective_user proxy
    cache_effective_group proxy
    error_default_language fr
    icon_directory /usr/pbi/squid-amd64/etc/squid/icons
    visible_hostname localhost
    cache_mgr admin@localhost
    access_log /var/squid/log/access.log
    cache_log /var/squid/log/cache.log
    cache_store_log none
    netdb_filename /var/squid/log/netdb.state
    pinger_enable on
    pinger_program /usr/pbi/squid-amd64/libexec/squid/pinger

    logfile_rotate 1
    debug_options rotate=1
    shutdown_lifetime 3 seconds
    uri_whitespace strip

    acl dynamic urlpath_regex cgi-bin ?
    cache deny dynamic

    cache_mem 8 MB
    maximum_object_size_in_memory 32 KB
    memory_replacement_policy heap GDSF
    cache_replacement_policy heap LFUDA
    cache_dir ufs /var/squid/cache 100 16 256
    minimum_object_size 0 KB
    maximum_object_size 4 KB
    offline_mode off
    cache_swap_low 90
    cache_swap_high 95
    cache allow all

    No redirector configured

    #Remote proxies

    Setup some default acls

    From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

    acl localhost src 127.0.0.1/32

    acl allsrc src all
    acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 50080 3128 3127 1025-65535
    acl sslports port 443 563 50080

    From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.

    #acl manager proto cache_object

    acl purge method PURGE
    acl connect method CONNECT

    Define protocols used for redirects

    acl HTTP proto HTTP
    acl HTTPS proto HTTPS
    http_access allow manager localhost

    http_access deny manager
    http_access allow purge localhost
    http_access deny purge
    http_access deny !safeports
    http_access deny CONNECT !sslports

    Always allow localhost connections

    From 3.2 further configuration cleanups have been done to make things easier and safer.

    The manager, localhost, and to_localhost ACL definitions are now built-in.

    http_access allow localhost

    request_body_max_size 0 KB
    delay_pools 1
    delay_class 1 2
    delay_parameters 1 -1/-1 -1/-1
    delay_initial_bucket_level 100
    delay_access 1 allow allsrc

    Reverse Proxy settings

    http_port 127.0.0.1:80 accel defaultsite=mydomain.etc vhost
    https_port 127.0.0.1:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
    http_port 192.168.1.200:80 accel defaultsite=mydomain.etc vhost
    https_port 192.168.1.200:443 accel cert=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.crt key=/usr/pbi/squid-amd64/etc/squid/533e8cd7ce7f0.key defaultsite=mydomain.etc vhost
    cache_peer 192.168.0.8 parent 443 0 proxy-only no-query originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs
    #Syno HTTPS (8151)
    cache_peer 192.168.0.100 parent 8151 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_hqcdiskstation_8151

    #Syno HTTP (8150)
    cache_peer 192.168.0.100 parent 8150 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_hqcdiskstation_8150

    #rdweb_80
    cache_peer 192.168.0.10 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_rdweb_80

    #rdweb_443
    cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdweb_443

    #tkobservium_80
    cache_peer 192.168.0.27 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_tkobservium_80

    #rdc_443
    cache_peer 192.168.0.10 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_rdc_443

    #osxserver_80
    cache_peer 192.168.0.18 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_osxserver_80

    #osxserver_443
    cache_peer 192.168.0.18 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_osxserver_443

    #lamp_80
    cache_peer 192.168.0.28 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_lamp_80

    #exch2013_443
    cache_peer 192.168.0.8 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_exch2013_443

    #ras_443
    cache_peer 192.168.0.23 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=rvp_ras_443

    #exch2013_80
    cache_peer 192.168.0.8 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_exch2013_80

    #fan_80
    cache_peer 192.168.0.29 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU round-robin name=rvp_fan_80

    ignore_expect_100 on
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/owa.$
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchange.
    $
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/public.$
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/exchweb.
    $
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/ecp.$
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/OAB.
    $
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/Microsoft-Server-ActiveSync.$
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpc/rpcproxy.dll.
    $
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/rpcwithcert/rpcproxy.dll.$
    acl OWA_URI_pfs url_regex -i ^https://mydomain.etc/EWS.
    $
    acl rvm_hqcdiskstation8151 url_regex -i ^https://synologyssl.mydomain.etc.$
    acl rvm_hqcdiskstation8150 url_regex -i ^http://synology.mydomain.etc.
    $
    acl rvm_tkobservium_80 url_regex -i tkobservium.mydomain.etc
    acl rvm_rdweb_443 url_regex -i ^https://rdweb.mydomain.etc/.$
    acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpcwithcert/rpcproxy.dll.
    $
    acl rvm_rdc_443 url_regex -i ^https://rdc.mydomain.etc/rpc/rpcproxy.dll.$
    acl rvm_rdweb_80 url_regex -i http://rdweb.mydomain.etc
    acl rvm_osxserver_443 url_regex -i ^https://osxserver.mydomain.etc.
    $
    acl rvm_osxserver_80 url_regex -i ^http://osxserver.mydomain.etc/.$
    acl rvm_lamp_80 url_regex -i lamp.mydomain.etc
    acl rvm_exch2013_443 url_regex -i mydomain.etc/mapi/.
    $
    acl rvm_ras_443 url_regex -i ^https://ras.mydomain.etc/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}.$
    acl rvm_exch2013_443 url_regex -i ^https://autodiscover.mydomain.etc/.
    $
    acl rvm_exch2013_80 url_regex -i ^http://autodiscover.mydomain.etc/.*$
    acl rvm_fan_80 url_regex -i fan.mydomain.etc
    cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs
    cache_peer_access OWA_HOST_pfs deny allsrc
    never_direct allow OWA_URI_pfs
    http_access allow OWA_URI_pfs
    cache_peer_access rvp_hqcdiskstation_8151 allow rvm_hqcdiskstation8151
    cache_peer_access rvp_hqcdiskstation_8150 allow rvm_hqcdiskstation8150
    cache_peer_access rvp_tkobservium_80 allow rvm_tkobservium_80
    cache_peer_access rvp_rdweb_443 allow rvm_rdweb_443
    cache_peer_access rvp_rdc_443 allow rvm_rdc_443
    cache_peer_access rvp_rdweb_80 allow rvm_rdweb_80
    cache_peer_access rvp_osxserver_443 allow rvm_osxserver_443
    cache_peer_access rvp_osxserver_80 allow rvm_osxserver_80
    cache_peer_access rvp_lamp_80 allow rvm_lamp_80
    cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
    cache_peer_access rvp_ras_443 allow rvm_ras_443
    cache_peer_access rvp_exch2013_443 allow rvm_exch2013_443
    cache_peer_access rvp_exch2013_80 allow rvm_exch2013_80
    cache_peer_access rvp_fan_80 allow rvm_fan_80
    cache_peer_access rvp_hqcdiskstation_8151 deny allsrc
    cache_peer_access rvp_shqcsubsonic_80 deny allsrc
    cache_peer_access rvp_hqcdiskstation_8150 deny allsrc
    cache_peer_access rvp_tkobservium_80 deny allsrc
    cache_peer_access rvp_rdweb_443 deny allsrc
    cache_peer_access rvp_rdc_443 deny allsrc
    cache_peer_access rvp_rdweb_80 deny allsrc
    cache_peer_access rvp_osxserver_443 deny allsrc
    cache_peer_access rvp_osxserver_80 deny allsrc
    cache_peer_access rvp_lamp_80 deny allsrc
    cache_peer_access rvp_exch2013_443 deny allsrc
    cache_peer_access rvp_newznab2_80 deny allsrc
    cache_peer_access rvp_ras_443 deny allsrc
    cache_peer_access rvp_exch2013_443 deny allsrc
    cache_peer_access rvp_exch2013_80 deny allsrc
    cache_peer_access rvp_fan_80 deny allsrc
    never_direct allow rvm_hqcdiskstation8151
    never_direct allow rvm_hqcdiskstation8150
    never_direct allow rvm_tkobservium_80
    never_direct allow rvm_rdweb_443
    never_direct allow rvm_rdc_443
    never_direct allow rvm_rdweb_80
    never_direct allow rvm_osxserver_443
    never_direct allow rvm_osxserver_80
    never_direct allow rvm_lamp_80
    never_direct allow rvm_exch2013_443
    never_direct allow rvm_ras_443
    never_direct allow rvm_exch2013_443
    never_direct allow rvm_exch2013_80
    never_direct allow rvm_fan_80
    http_access allow rvm_hqcdiskstation8151
    http_access allow rvm_hqcdiskstation8150
    http_access allow rvm_tkobservium_80
    http_access allow rvm_rdweb_443
    http_access allow rvm_rdc_443
    http_access allow rvm_rdweb_80
    http_access allow rvm_osxserver_443
    http_access allow rvm_osxserver_80
    http_access allow rvm_lamp_80
    http_access allow rvm_exch2013_443
    http_access allow rvm_TK13_NEWZNAB2
    http_access allow rvm_ras_443
    http_access allow rvm_exch2013_443
    http_access allow rvm_exch2013_80
    http_access allow rvm_fan_80

    Custom options before auth

    auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ncsa_auth /var/etc/squid.passwd
    auth_param basic children 5
    auth_param basic realm Please enter your credentials to access the proxy
    auth_param basic credentialsttl 5 minutes
    acl password proxy_auth REQUIRED

    Custom options after auth

    Default block all to be sure

    http_access deny allsrc



  • would you mind posting the lines you changed in your squid-reverse.inc for review ?
    i could add them to the official package…



  • With pleasure

    But you're going to laugh … I don't find that file  ;D



  • or just send me the file you have on your pfsense as a pn ;-)
    one never finds things when searching ;-)



  • with the next release of the squid package, AutoDiscover HTTP is included ;-)
    so, no need to send the file anymore ;-)


Log in to reply