Netgate Discussion Forum

    Reverse Proxy RPCoverHttp Exchange 2013

    pfSense Packages
      e.ziehe

      Hello guys, I hope somebody can point me in the right direction.

      We have installed the Squid3-dev package on a PF 2.1 i386. After some research we got it to work, and most Exchange services are working well through Squid. Only the RPCoverHttp feature is not working.
      We have investigated some logs and found the following information:

      In the access.log on the pfSense box we can see, every time, 3 requests that are answered by Exchange with HTTP codes 401, 401, 503.

      On the Exchange server we found the following corresponding lines:

      2014-03-19T19:33:18.567Z,xxx,RpcHttp,"S:Stage=BeginRequest;S:OutlookSessionId=""{F1FB7F7D-D891-4B8D-9D01-967DF7172FB9} Outlook=15.0.4569.1508 OS=6.2.9200 CPUArchitecture=9"";S:AuthType=Basic;S:HttpVerb=METHOD_OTHER;S:UriQueryString=?efb24183-60c0-4974-8756-a4a688110935@xxx:6001;S:RequestId=1f3bdc04-61fd-4ccb-8e3e-918d4a6afaff;S:AssociationGuid=6d82b035-2989-4d00-a8b6-79d934ea1e5a;S:ClientIp=10.1.1.254"
      2014-03-19T19:33:18.567Z,xxx,RpcHttp,"S:Stage=PostAuthorizeRequest;S:UserName=xxx;S:OutlookSessionId=""{F1FB7F7D-D891-4B8D-9D01-967DF7172FB9} Outlook=15.0.4569.1508 OS=6.2.9200 CPUArchitecture=9"";S:AuthType=Basic;S:HttpVerb=METHOD_OTHER;S:UriQueryString=?efb24183-60c0-4974-8756-a4a688110935@xxx:6001;S:RequestId=1f3bdc04-61fd-4ccb-8e3e-918d4a6afaff;S:AssociationGuid=6d82b035-2989-4d00-a8b6-79d934ea1e5a;S:ClientIp=10.1.1.254"
      2014-03-19T19:33:18.583Z,xxx,RpcHttp,"S:Stage=EndRequest;S:UserName=xxx;S:OutlookSessionId=""{F1FB7F7D-D891-4B8D-9D01-967DF7172FB9} Outlook=15.0.4569.1508 OS=6.2.9200 CPUArchitecture=9"";S:AuthType=Basic;**S:Status=503 Must use POST;S:HttpVerb=METHOD_OTHER;**S:UriQueryString=?efb24183-60c0-4974-8756-a4a688110935@xxx:6001;S:RequestId=1f3bdc04-61fd-4ccb-8e3e-918d4a6afaff;S:AssociationGuid=6d82b035-2989-4d00-a8b6-79d934ea1e5a;S:ClientIp=10.1.1.254"

      To me it looks like Squid sends an unrecognized HTTP verb and the RPC proxy ignores this request. I found on the internet that the extension_methods configuration key is obsolete in Squid 3.2++.

      Now the question is how we can get this to work. Or does somebody have experience with such a setup?
      Please help us to replace an old ISA Server box.

      regards Enrico

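The log pattern highlighted in the post above, as an added example that is not part of the original post: a Python sketch that parses RpcHttp log lines of this shape, groups them by RequestId, and reports requests whose last stage logged a 503 together with `HttpVerb=METHOD_OTHER`. The sample lines are constructed and shortened, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of the RpcHttp lines quoted above (shortened).
SAMPLE_LOG = '''\
2014-03-19T19:33:18.567Z,host1,RpcHttp,"S:Stage=BeginRequest;S:OutlookSessionId=""{AAAA} Outlook=15.0"";S:AuthType=Basic;S:HttpVerb=METHOD_OTHER;S:RequestId=req-1;S:ClientIp=10.1.1.254"
2014-03-19T19:33:18.583Z,host1,RpcHttp,"S:Stage=EndRequest;S:UserName=u1;S:AuthType=Basic;S:Status=503 Must use POST;S:HttpVerb=METHOD_OTHER;S:RequestId=req-1;S:ClientIp=10.1.1.254"
2014-03-19T19:34:02.101Z,host1,RpcHttp,"S:Stage=EndRequest;S:UserName=u2;S:AuthType=Basic;S:Status=200 Success;S:HttpVerb=RPC_IN_DATA;S:RequestId=req-2;S:ClientIp=10.1.1.77"
'''


def parse_line(line):
    """Return (timestamp, host, fields) for one RpcHttp line, or None."""
    row = next(csv.reader(io.StringIO(line)))  # csv undoes the doubled "" quotes
    if len(row) < 4 or row[2] != "RpcHttp":
        return None
    fields = {}
    for part in row[3].split(";"):
        key, sep, value = part.partition("=")  # values may contain '=' themselves
        if sep and key.startswith("S:"):
            fields[key[2:]] = value
    return row[0], row[1], fields


def rejected_verbs(log_text):
    """List requests that ended in a 503 while the verb was logged as METHOD_OTHER."""
    by_request = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line) if line.strip() else None
        if parsed:
            by_request[parsed[2].get("RequestId", "?")].append(parsed)
    findings = []
    for request_id, events in by_request.items():
        ts, _host, last = events[-1]  # lines are in time order; last one is the outcome
        if last.get("Status", "").startswith("503") and last.get("HttpVerb") == "METHOD_OTHER":
            findings.append({
                "request_id": request_id,
                "time": ts,
                "client_ip": last.get("ClientIp"),
                "status": last["Status"],
                "stages": [e[2].get("Stage") for e in events],
            })
    return findings


if __name__ == "__main__":
    for finding in rejected_verbs(SAMPLE_LOG):
        print(finding)
```

A `client_ip` that is always the proxy's address, as in the lines quoted in the post, points at the reverse proxy rather than at individual Outlook clients.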
        e.ziehe

        No answers.

        So I'll try another question. Has somebody successfully deployed Outlook Anywhere with pfSense?

          keyser

          Yes, using the HAproxy-devel package, which is an excellent HTTP/HTTPS reverse proxy, I have deployed Exchange 2013 SP1 without issues.

          Love the no fuss of using the official appliances :-)

            tfjelde

            The squid3-dev 3.3.10 pkg 2.2.1 is working with Exchange 2013 SP1 RPC over HTTP as long as you don't activate the antivirus feature in the package.

            For some reason it breaks the logon to Exchange!

              e.ziehe

              @keyser: Can you provide any HAproxy example configs to get Exchange 2013 working?

              @tfjelde: We have deactivated it and the problem is the same as described.

              Best regards

                keyser

                I have only done a GUI config, and wouldn't know where to find the config file ;D

                But basically I enabled HAproxy in settings and then created a Backend entry (Backend tab) for my Exchange server. On that backend I just entered the LAN IP of my Exchange server, set it for port 443 and enabled SSL. Make sure "Transparent Client IP" is disabled. Everything else on that page is default settings.

                Then I created a Frontend entry (Frontend tab; you could call it the listener part of a proxy).
                Bind it to the WAN IP interface and external port 443, with Type HTTP. Select the previously created backend as "backend server pool".

                I have attached my ACLs to secure the access to the server so only valid URL paths are forwarded. Note: Two ACLs with the same name become an AND ACL where both statements need to be true to work.

                Then select SSL offloading and select the certificate you want the proxy to use on the listener (the certificate users will be presented with).
                Everything else is default settings.

                Remember to make an allow rule from the internet to the WAN interface port 443.

                Works great for me.

                [Attached image: Capture.JPG]

                  keyser

                  Btw, the mentioned setup requires the Exchange server to run SSL and have a certificate that your pfSense trusts (knows the root signer of).
                  So the default self-signed certificate in Exchange 2013 does not work. You need a proper cert or a self-signed cert where you have installed the issuer's root CA cert on pfSense.

                    e.ziehe

                    Thanks to keyser, we have tried it in our environment, and HAproxy works for us too.
