Reverse proxy for Exchange 2013


  • Hello all,

    Hope everyone is doing fine.

    I have a little problem with configuring a reverse proxy with Exchange 2013.

    I have a pfSense virtual machine that I put on a DMZ.

    I installed the reverse proxy package and I followed this procedure: http://www.moh10ly.com/blog/pfsense/publishing-exchange-on-pfsense

    My pfSense has 3 networks: WAN, LAN and DMZ.

    The LAN and WAN are actually on the same subnet (I know it's maybe not a great idea…)

    My DMZ is on 192.168.5.3. So my pfSense is now published on the web, but when I enter the URL of my Exchange, instead of getting my OWA I get the GUI of my pfSense --'

    Please if someone can help I'll be really happy!



    ![Reverse proxy conf.jpg](/public/imported_attachments/1/Reverse proxy conf.jpg)


  • Hello Ayoub,

    I have no experience with pfsense as a reverse proxy but am very interested in what you're trying to achieve and will follow your case.

    Looking at your provided url with the step by step walkthrough it does look like it should yield you with a running configuration.

    You mention that you're redirected to your pfSense login page when connecting from the outside using the OWA URL, is this correct?

    If so, this should never happen; as a best practice you should always block access to your pfSense web login page from external sources (WAN). This is the default behavior for the firewall.

    Besides this, how is it connecting to your pfSense login page, if not over port 80 or 443? Following the walkthrough, the first steps are to change the default pfSense web GUI port from 80 or 443 to something else, so even if the external address was accessed and redirected to the pfSense login page it should not be able to connect, because the pfSense web GUI is listening on other ports than 80 or 443.

    This is what came to my mind when reading through your case. I don't know whether it's any use to you; hopefully you'll figure it out.

    I think you should be able to get it to work using the walkthrough; otherwise you could look into creating mappings to your server. You can read about it here regarding pfSense as a reverse proxy server for MS Lync:
    https://blogs.technet.microsoft.com/nexthop/2014/04/07/configuring-pfsense-as-a-reverse-proxy-for-lync-web-services/


  • Hello Daniel,

    thanks a lot.

    Yes indeed, when I enter my OWA address it's directly redirecting me to my authentication page.

    I already tried to give the admin console port 8443 just to try, but it becomes unavailable after this. So for now I leave it like that.


  • Hi Ayoub,

    When you say "it becomes unavailable after this", do you mean that after changing the port number you can't access the pfSense web login, or that you get nothing when trying to access the OWA URL?

    I think it's mandatory to change the pfSense web GUI port number when using port 80 and/or 443 for services, so I would start with changing the default pfSense web GUI port to something other than that and try troubleshooting from there.

    Also, when you say you try to access the OWA URL, are you trying this from the same internal network? If so, you might be short-circuiting the path: instead of accessing the OWA URL from the outside you're hitting it from the internal LAN, if that makes any sense.

    For testing purposes, on the PC from which you're running tests, add your OWA URL address to your hosts file with your external IP number (the IP used for the public DNS address for OWA); that way you're certain you're trying to access the website from the outside.

    I will try out your setup in my own lab environment if I get around to it this weekend; I'll let you know the results.

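A scripted version of the hosts-file test above, as an added example that is not part of the thread. It pins the OWA hostname to the public IP in the local hosts file, fetches `/owa/` without following redirects so the first answer is visible, reports what actually replied (Exchange logon redirect, pfSense GUI, or a proxy error page), and removes the hosts entry again. The hostname `mail.example.com` and public IP `203.0.113.10` are placeholders; run it from an elevated PowerShell prompt on the test PC.

```powershell
# Added example, not from the thread. Pins the OWA hostname to the public IP in the
# local hosts file (as suggested above), fetches /owa/ without following redirects,
# reports what answered, and removes the hosts entry afterwards.
# Assumptions: mail.example.com and 203.0.113.10 are placeholders; run elevated.
param(
    [string]$OwaHost  = 'mail.example.com',
    [string]$PublicIp = '203.0.113.10'
)

$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$entry     = "$PublicIp $OwaHost"

function Get-OwaProbe {
    param([string]$Url)
    # HttpWebRequest with AllowAutoRedirect disabled: the first hop's status and
    # Location header are returned instead of whatever the redirect lands on.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx answers surface as WebException with the response still attached;
        # a TLS/name mismatch or timeout has no response and is rethrown.
        if ($null -eq $_.Exception.Response) { throw }
        $resp = $_.Exception.Response
    }
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    $body   = $reader.ReadToEnd()
    $reader.Close()
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Server   = $resp.Headers['Server']
        Location = $resp.Headers['Location']
        Body     = $body
    }
    $resp.Close()
    return $result
}

Add-Content -Path $hostsPath -Value $entry
Clear-DnsClientCache
try {
    $r = Get-OwaProbe -Url "https://$OwaHost/owa/"
    "Resolved $OwaHost via hosts file to $PublicIp"
    "HTTP $($r.Status)  Server: $($r.Server)  Location: $($r.Location)"
    if (($r.Status -in @(301, 302)) -and ($r.Location -match '/owa/auth/logon\.aspx')) {
        'Backend reached: Exchange answered with the OWA logon redirect.'
    } elseif ($r.Body -match 'pfSense') {
        'The pfSense web GUI answered: the GUI is still bound to this port, not the proxy.'
    } elseif (($r.Body -match 'squid') -or ($r.Status -ge 500)) {
        'The proxy answered but could not reach the backend (check DMZ-to-LAN rules and the backend host).'
    } else {
        'Unrecognised answer; inspect $r.Body manually.'
    }
} finally {
    # Remove only the line this script added, leaving the rest of the hosts file intact.
    $kept = Get-Content -Path $hostsPath | Where-Object { $_ -ne $entry }
    Set-Content -Path $hostsPath -Value $kept
    Clear-DnsClientCache
}
```

Because the request carries the real hostname in SNI and the Host header, the certificate check behaves exactly as it would for an outside client; a name mismatch is reported as an exception rather than silently ignored.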

  • Hi Daniel,

    Yes, when I change the default pfSense web GUI port to 8443 for example, I cannot access the pfSense web login and the OWA still doesn't work.

    I'm always trying from an outside site.

    I will see on my firewall if there are any logs that may show a block between pfSense and Exchange.

    Thank you very much!


  • Hi Ayoub,

    I've been pretty busy and haven't gotten around to trying out the config until now.

    Have you gotten any further on your quest?

    I read up on instructions on the web on how to configure a reverse proxy for Exchange and Lync and have come to the conclusion that the instructions on:
    http://www.moh10ly.com/blog/pfsense/publishing-exchange-on-pfsense

    are not entirely how you should configure it; if you look at the last steps, he creates NAT port forward rules, which defeats the purpose of configuring a reverse proxy.

    I was in the process of finalizing and saving my config on the reverse proxy general page when I received an error that I can't use ports below 1023 for the reverse HTTP and HTTPS port. Googling reveals that this is something which can't be altered, because BSD by default does not allow the use of ports below 1023 unless you're root.

    The advice is to use an alternate reverse proxy solution (but I don't know whether other packages are available for pfSense), or to redirect to different port numbers: public 4443 redirects to internal 443.

    Is anyone else familiar with this issue?



  • Okay, I've tried playing with different reverse proxy settings but unfortunately it's not working. When I access the OWA external URL I can see that the firewall is allowing access, but then I'm greeted with a squid error page saying something went wrong, check your network or something like that.

    I looked at my Exchange mail server firewall log and I don't see any traffic hitting the box, so it seems the traffic stops at the reverse proxy.

    Will do some more testing in the weekend; maybe try out modsecurity, which is in the pfSense packages and also does reverse proxy.


  • Hello Daniel,

    Thanks for all the tests that you made.

    I checked on the network to see if there was something wrong, but everything seems to be okay.

    I saw that Windows has a reverse proxy. I don't know if it works, but I guess I have no other choice right now :s


  • Hello Ayoub,

    No problem, it's a shame we couldn't get it to work straight out of the box. I'm a consultant/Windows system administrator and also do some network administration on the side, and have a few small business customers.

    I'm all for open source; if this had worked I would've recommended pfSense to them as a possible firewall replacement, at much lower cost compared to buying a Juniper or Cisco box and buying licenses to unlock features.

    With pfSense you get a lot of features for free (OpenVPN, squid, VLANs, Snort), although getting everything working correctly can be a challenge. I'm still learning as we go; I would have opted for paid pfSense support though, just in case.

    That's correct, Windows Server 2012 R2 has a Web Application Proxy built in. I have it configured at a customer working as a reverse proxy for Exchange and Lync, and it just works; however it will cost you 2 extra Windows Server 2012 R2 licenses if you're still running on physical machines, only 1 Windows 2012 R2 Standard license is required when running virtual.

    You have to be aware that you need 2 servers: 1 serves as the Web Application Proxy at the perimeter network and 1 ADFS server for authentication on the internal network. Even though you're using pass-through mode instead of claims-based, you have to have an ADFS server; I only have experience with the former.

    There are plenty of walkthroughs on the web; however, if you have any questions setting up a Windows WAP/ADFS server I will be here to answer any of your questions.


  • Oh really, I thought that only one server would be enough for Exchange.

    Is it really mandatory to use 2 servers?


  • For the win2k12r2 Web Application Proxy to work it needs to communicate with an ADFS server; during installation and configuration of the WAP you'll be asked to set this up.

    So yes, I'm afraid you'll need 2 servers:

    DMZ
    win2k12r2 wap

    Internal network
    win2k12r2 adfs
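
The two-server layout above, as an added PowerShell example that is not part of the thread and not Microsoft's documentation: the ADFS farm goes on the internal server, the Web Application Proxy role on the DMZ server, and Exchange 2013 virtual directories are published in pass-through mode. It shows why the ADFS server is required even without claims-based pre-authentication: `Install-WebApplicationProxy` takes a federation service name and credentials and will not complete without one. The names `adfs.example.com` and `mail.example.com`, the certificate thumbprints and the credentials are placeholders; the cmdlets and parameters are the real Windows Server 2012 R2 ones.

```powershell
# Added example, not from the thread. Placeholders: adfs.example.com, mail.example.com,
# the thumbprints, and the credentials prompted for below. Run each section as a
# domain admin on the server named in its heading.

### 1. Internal network: the ADFS server (win2k12r2 adfs)
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# Certificate in the local machine store whose subject matches the federation service name.
$fsName       = 'adfs.example.com'
$adfsCertHash = '0123456789ABCDEF0123456789ABCDEF01234567'
$svcAccount   = Get-Credential -Message 'ADFS service account (DOMAIN\user)'

Install-AdfsFarm -CertificateThumbprint $adfsCertHash `
                 -FederationServiceName $fsName `
                 -FederationServiceDisplayName 'Example ADFS' `
                 -ServiceAccountCredential $svcAccount

### 2. DMZ: the Web Application Proxy (win2k12r2 wap)
# The DMZ box must resolve $fsName to the internal ADFS server and reach it on TCP 443,
# and the same federation service certificate must be installed here too.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

$adminCred = Get-Credential -Message 'Account that is a local admin on the ADFS server'
Install-WebApplicationProxy -CertificateThumbprint $adfsCertHash `
                            -FederationServiceName $fsName `
                            -FederationServiceTrustCredential $adminCred

# Publish the Exchange 2013 virtual directories straight through (no ADFS pre-auth).
# The external certificate must cover mail.example.com. The backend URL reuses the same
# name, which assumes split DNS so the WAP resolves it to the Exchange server on the LAN;
# otherwise point BackendServerUrl at the internal name instead.
$mailHost     = 'mail.example.com'
$mailCertHash = '89ABCDEF0123456789ABCDEF0123456789ABCDEF'
foreach ($path in 'owa', 'ecp', 'EWS', 'Microsoft-Server-ActiveSync', 'OAB', 'mapi', 'Autodiscover') {
    Add-WebApplicationProxyApplication -Name "Exchange $path" `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl "https://$mailHost/$path/" `
        -BackendServerUrl "https://$mailHost/$path/" `
        -ExternalCertificateThumbprint $mailCertHash
}

# Verify: every published app should list ExternalPreauthentication = PassThrough.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication
```

On 2012 R2 the only choices for `-ExternalPreauthentication` are `ADFS` and `PassThrough`; pass-through means the WAP terminates TLS and forwards to Exchange, which still does its own forms or basic authentication, so the ADFS server is used only to register and manage the proxy rather than to authenticate Outlook Web App users.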