Does anyone have Outlook Web Access proxying working?
"Robin Soper" <robincsoper(at)googlemail.com>
2006-09-07 10:56:06

Hi,

I have a fairly common requirement of needing to reverse proxy Microsoft's
Outlook Web Access ("OWA" - web browser access to Exchange).

I have a Linux box located in our DMZ which will act as the reverse proxy
and I'm reasonably sure that all the required ports are open. The external
client will speak to the reverse proxy using https which will then speak to
the OWA server using http, thereby providing improved security. I started
off trying to do this using Apache but could not get it to work, so I
decided to try pound as it looked to be more straightforward to configure
but still can't get it to work. I'm using the IE6 browser but have tried
Mozilla as well with no success. I can connect to the OWA server
directly over http with no problems.

This is what happens (I'm testing this from an internal PC client just now
as external access to the pound server is not enabled yet):

1. I hit the URL https://poundserver/exchange and get a message back
complaining about my temporarily generated certificate and asking me whether
I want to trust it. I click yes.
2. A login box pops up asking me to log in to Outlook Web Access. I type
in my login details.
3. My browser starts to load the site (skeleton frames are set up in my
browser) but a box pops up saying this site contains secure and nonsecure
items (which is weird) and do I want to display the nonsecure ones. I click
yes.
4. Both of the frames in my browser display "The Page cannot be displayed"
error.

This is exactly where I got with Apache! I would really appreciate advice
from anyone who has this working. I have read all the archives relating to
this but most seem to be for earlier versions of Pound and the keywords won't
work with Pound v2.1.

I suspect that somehow the OWA server is redirecting my browser so that it
is bypassing the proxy and speaking directly to it; the error about secure
and nonsecure items seems to confirm this (remember I'm testing this from an
internal PC).

This is my pound.cfg

Loglevel 4
ListenHTTPS
    Address 192.168.50.11
    AddHeader "Front-End_https: on"
    WebDAV 1
    Port 443
    Cert "/usr/local/etc/server.pem"
    Service
        BackEnd
            Address 10.123.0.6
            Port 80
        End
    End
End

Does anyone have this working or have any general advice on how to debug
this problem, before I go insane?

Thanks & Regards
Robin

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Frode Egeland" <egeland(at)gmail.com>
2006-09-07 11:29:03

Hi Robin,

> 3. My browser starts to load the site (skeleton frames are set up in my
> browser) but a box pops up saying this site contains secure and nonsecure
> items (which is weird) and do I want to display the nonsecure ones. I
> click yes
> 4. Both of the frames in my browser display "The Page cannot be displayed"
> error.

I'm just working with a test setup, and I had almost exactly the same issue.
Now it works, and here's my config:

-- start of /etc/pond/pound.cfg --

User www-data
Group www-data
ExtendedHTTP 0
WebDAV 0
LogLevel 2
Alive 30
HTTPSHeaders 0 "Front-End-Https: on"
ListenHTTP *,80
ListenHTTPS *,443 /etc/pound/pound.pem
UrlGroup ".*"
BackEnd 10.1.1.51,80,1
EndGroup

-- end of file --

It seems to work nicely, but I'm sure some experts on this list will see
something that's gonna bite me later (please let me know!!)..

Cheers,
Frode

RE: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"dirk dekker" <hf.dekker(at)chello.nl>
2006-09-07 11:51:16

Hi, I'm not an expert in pound and trying to work with it :)
What version of pound do you have installed ( and on what OS) ?
Dirk

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Robin Soper" <robincsoper(at)googlemail.com>
2006-09-07 13:34:41

Hi, I'm using pound v2.1.

I am finding that some of the keywords people have suggested don't work with
pound 2.1 (e.g. ExtendedHTTP & HTTPSHeaders).

I did a bit more investigation: I downloaded a Mozilla plugin called
LiveHTTPHeaders which allows you to see what URLs your browser is loading.
It appears as if Outlook is somehow redirecting the browser to a http://
address rather than a https one. I thought that pound would deal with this
but I suspect it may be Microsoft OWA doing something "non standard". The
page that gets loaded finally has https:// in the address bar, but some of the
components of the frames that make up the page seem to get loaded through
http. See below

#request# GET https://absm03.myco.co.uk/exchange/
GET /exchange/
#request# GET https://absm03.myco.co.uk/exchange/
GET /exchange/
#request# GET http://absm03.myco.co.uk/exchange/rsoperTest/?Cmd=navbar
#request# GET http://absm03.myco.co.uk/exchange/rsoperTest/Inbox/?Cmd=contents
GET /exchange/rsoperTest/?Cmd=navbar
#request# GET http://absm03.myco.co.uk/exchweb/6.5.7651.25/controls/owastyledl.css
GET /exchange/rsoperTest/Inbox/?Cmd=contents
#request# GET http://absm03.myco.co.uk/exchweb/6.5.7651.25/controls/owastyledl.css
#request# GET http://absm03.myco.co.uk/exchweb/6.5.7651.25/controls/dl_folderview.js

As my reverse proxy is not listening for http this is where it fails. In the
pound.cfg that was posted by Frode (thanks!) it is listening for both http &
https. If I add a http proxy config to my current pound.cfg I can now sort
of get it to work, but I still get the message about secure and non secure
content and I have to log in twice (with IE6).

If we can get to the bottom of how the "http" is leaking through the
reverse proxy it would be a done deal. Any ideas?

Regards
Robin

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Frank Schmirler" <frank.schmirler(at)linogate.com>
2006-09-07 13:58:43

On Thu, 7 Sep 2006 09:56:06 +0100, Robin Soper wrote
> AddHeader "Front-End_https: on"

That must be "Front-End-Https: on" (hyphen, no underscore)

> Does anyone have this working or have any general advice on how to debug
> this problem, before I go insane.

For IE you must make sure that only basic auth will be used as Kerberos or
NTLM cannot be proxied. And you need to tell OWA that SSL has been offloaded.
On
http://www.digital-labs.de/index.php?option=com_content&task=view&id=290&Itemid=27
you will find some screenshots on how to configure IIS. Texts are in German,
but the screenshots are English.

Cheers,
Frank

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Robin Soper" <robincsoper(at)googlemail.com>
2006-09-07 16:32:45

Frank - you are a genius - thanks a million

It now works perfectly for Firefox and IE6 (for some reason I didn't even
need to make the changes to IE recommended in the web page - even though
some of the parameters are not set as recommended?)

Anyway for the record this is my *working* pound.cfg

Loglevel 1
ListenHTTPS
    Address 192.168.50.11
    WebDAV 1
    AddHeader "Front-End-Https: on"
    Port 443
    Cert "/usr/local/etc/server.pem"
    Service
        BackEnd
            Address 10.123.0.6
            Port 80
        End
    End
End

Thanks & Regards
Robin

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Frank Schmirler" <frank.schmirler(at)linogate.com>
2006-09-07 16:44:18

On Thu, 7 Sep 2006 15:32:45 +0100, Robin Soper wrote
> Frank - you are a genius - thanks a million
You're welcome ;-)
> It now works perfectly for Firefox and IE6 (for some reason I didn't
> even need to make the changes to IE recommended in the web page -
> even though some of the parameters are not set as recommended?)
Can you tell us which of the parameters are different?
Thanks,
Frank

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Robin Soper" <robincsoper(at)googlemail.com>
2006-09-07 17:13:27

The IE authentication was set to basic already. However the owaadmin
parameter that was recommended to be changed "Allow SSL offloading" is
currently set to "No" - which you would think would stop the AddHeader
"Front-End-Https: on" from working, but it works fine. Our OMA server only
listens for http - maybe this parameter affects only OMA systems
listening for https?

Regards
Robin

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Frode Egeland" <egeland(at)gmail.com>
2006-09-08 01:58:01

On 9/7/06, Frank Schmirler <frank.schmirler(at)linogate.com> wrote:
>
> On Thu, 7 Sep 2006 09:56:06 +0100, Robin Soper wrote
> > AddHeader "Front-End_https: on"
>
> That must be "Front-End-Https: on" (hyphen, no underscore)
That's what I had in my config! ;-P
Robin, I'm glad it's working for you now. :)
My setup allows both http and https connections (for testing), but I don't
get the double login you mentioned, probably due to the above header.. :)
Cheers,
Frode

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Frank Schmirler" <frank.schmirler(at)linogate.com>
2006-09-08 08:59:48

On Thu, 7 Sep 2006 16:13:27 +0100, Robin Soper wrote
> The IE authentication was set to basic already. However the owaadmin
> parameter that was recommended to be changed "Allow SSL offloading" is
> currently set to "No" - which you would think would stop the AddHeader
> "Front-End-Https: on" from working, but it works fine. Our OMA
> server only listens for http - maybe this parameter affects only OMA
> systems listening for https?

IIRC OWA will produce wrong <base> tags (with http:// and not https://) if
this parameter is not set. Maybe OMA is different here. But I'm sure that SSL
offloading must be allowed if forms-based authentication is used.

Regards,
Frank
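
The symptom this thread tracks down is a backend that hands out absolute http:// references (redirects, <base> tags) while the client is talking https:// to the proxy. As an added example, not part of any list member's post, the Python below checks a response fetched through the HTTPS listener for such references; the function name and the three sample responses are constructed for illustration and reuse the host name from the request log earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes that carry URLs


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def find_scheme_leaks(public_host, headers, body):
    """Return (where, url) for each absolute http:// reference to public_host
    in a response that was fetched through the HTTPS listener."""
    leaks = []

    def check(where, url):
        parts = urlsplit(url.strip())
        if parts.scheme == "http" and parts.hostname == public_host.lower():
            leaks.append((where, url))

    for name, value in headers.items():
        if name.lower() in ("location", "content-location"):
            check("header " + name, value)
    collector = _RefCollector()
    collector.feed(body)
    for tag, attr, value in collector.refs:
        check("<%s %s>" % (tag, attr), value)
    return leaks


# Constructed sample responses (hypothetical, not captured from a real server).
HOST = "absm03.myco.co.uk"
PAGE = ('<html><head><base href="%s://absm03.myco.co.uk/exchange/rsoperTest/">'
        '<link rel="stylesheet" href="/exchweb/controls/owastyledl.css"></head>'
        '<frameset><frame src="?Cmd=navbar"></frameset></html>')
LEAKY = ({"Content-Type": "text/html"}, PAGE % "http")
CLEAN = ({"Content-Type": "text/html"}, PAGE % "https")
REDIRECT = ({"Location": "http://absm03.myco.co.uk/exchange/"}, "")

if __name__ == "__main__":
    for label, (hdrs, html) in (("leaky", LEAKY), ("clean", CLEAN), ("redirect", REDIRECT)):
        print(label, find_scheme_leaks(HOST, hdrs, html))
```

A hit on <base href> matters most: every relative URL on the page then resolves to http://, which produces both the mixed-content prompt and requests that never reach a proxy listening only on 443.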

Re: [Pound Mailing List] Does anyone have Outlook Web Access proxying working?
"Robin Soper" <robincsoper(at)googlemail.com>
2006-09-08 12:49:11

I should be able to test this as we have two OWA servers, a v2000 and a
v2003 system.

The 2000 is listening only on https and currently being used for external
email access.
The 2003 server is a new one not in production yet which is listening on http
only.

I will test the registry setting SSLOffloaded on the v2000 system and see if
my pound works with it.
Although I'll need to find a quiet time to do it as it requires an IIS
service restart ;^D

I'm assuming that -->https-->pound-->https-->backend server isn't
possible.

Regards
Robin