FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-02 19:39:11
> > I've already got OWA working and would now like to get RPC [...]

Robert, is RPC over HTTPS forwarding to an Exchange 2003 server known to
not work?  I have a packet trace of a connection that worked over a port
forwarded session vs. a packet trace of what transpired when Pound was
involved.

--
Michael St. Laurent
Hartwell Corporation

RE: [Pound Mailing List] RPC over https configuration
"Jean-Benoit PAUX" <jeanb(at)jeanb-net.com>
2008-06-02 20:22:22
I personally used Squid to achieve OWA and RPCoHTTP publication over SSL
since it didn't work with Pound.
Worked perfectly.

-----Original Message-----
From: Michael St. Laurent [mailto:mikes(at)hartwellcorp.com]
Sent: Monday, 2 June 2008 19:39
To: pound(at)apsis.ch
Cc: roseg(at)apsis.ch
Subject: FW: [Pound Mailing List] RPC over https configuration
[...]

Robert, is RPC over HTTPS forwarding to an Exchange 2003 server known to
not work?  I have a packet trace of a connection that worked over a port
forwarded session vs. a packet trace of what transpired when Pound was
involved.

--
Michael St. Laurent
Hartwell Corporation
 

--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.

RE: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-02 20:56:10
I'm concerned with the potential for security issues in that scenario as I
don't think Squid is meant to be used as an inbound proxy.

--
Michael St. Laurent
Hartwell Corporation
 
[...]

RE: [Pound Mailing List] RPC over https configuration
"Jean-Benoit PAUX" <jeanb(at)jeanb-net.com>
2008-06-02 21:47:56
Yes, Squid is focused on 3 types of proxy: standard proxy, transparent
proxy and reverse proxy (accelerated mode as they explain).

I'd like to know too, if devs can share, how Pound manages security and how
differently (if they know) it is handled by Squid.

-----Original Message-----
From: Michael St. Laurent [mailto:mikes(at)hartwellcorp.com]
Sent: Monday, 2 June 2008 20:56
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] RPC over https configuration

I'm concerned with the potential for security issues in that scenario as I
don't think Squid is meant to be used as an inbound proxy.

--
Michael St. Laurent
Hartwell Corporation
 
[...]


Re: [Pound Mailing List] RPC over https configuration
"Odhiambo Washington" <odhiambo(at)gmail.com>
2008-06-02 22:03:20
Squid as an accelerator has been used for ages without any security concerns.



On 6/2/08, Michael St. Laurent <mikes(at)hartwellcorp.com>
wrote:[...][...][...][...]

RE: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-02 22:27:36
Well, if there is no interest in getting Pound to work with it then I'll look
at Squid.  I'd still prefer to use Pound, however.  ;)
[...]

Re: FW: [Pound Mailing List] RPC over https configuration
Robert Segall <roseg(at)apsis.ch>
2008-06-03 18:03:56
On Mon, 2008-06-02 at 10:39 -0700, Michael St. Laurent wrote:[...]

No, it is not known to not work. Unfortunately it is not known to work
either.

I would like to get this working if it doesn't, but I'll need your help:

1. "Does not work" is a bit vague, some more detail would be good: what
do you see in the client, what do you see in the Pound log, what is
shown in the Exchange log?

2. At least the relevant details of the config file.

3. Does it work over plain HTTP (rather than HTTPS)? Exchange is known
to try some strange authentication modes, so that could make a
difference.

4. Can you sniff the data stream? At best I would like to see a dump of
a direct connection (ideally, if you have tried it with Squid, similar
dumps of the client -> Squid and Squid -> Exchange would be even
better), as opposed to client -> Pound and Pound -> Exchange streams.

It would be very helpful if you could provide this - at least we would
have something to start looking into.[...]

RE: FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-03 19:35:23
> No, it is not known to not work. Unfortunately it is not known to
> work[...]

Excellent!  <rubs hands together>
[...]

The client prompts for the login credentials, tries to connect for about
20 seconds then displays a message saying "Outlook cannot log on.  Check
the server name... <blah blah blah>"

The pound log:

Jun  3 10:05:48 hcfw1 pound: 216.237.48.26 RPC_OUT_DATA
/rpc/rpcproxy.dll?owa.hartwellcorp.com:6002 HTTP/1.1 - HTTP/1.0 503 RPC
Error: 6ba (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.003 sec
Jun  3 10:05:48 hcfw1 pound: (b7debb90) e500 error copy client cont to
10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6002
HTTP/1.1: Success (0.011 sec)
Jun  3 10:05:48 hcfw1 pound: 216.237.48.26 RPC_OUT_DATA
/rpc/rpcproxy.dll?hcdc.hartwellcorp.com:6004 HTTP/1.1 - HTTP/1.0 503 RPC
Error: 6ba (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.003 sec
Jun  3 10:05:48 hcfw1 pound: (b7debb90) e500 error copy client cont to
10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?hcdc.hartwellcorp.com:6004
HTTP/1.1: Success (0.011 sec)
Jun  3 10:06:09 hcfw1 pound: 216.237.48.26 RPC_OUT_DATA
/rpc/rpcproxy.dll?owa.hartwellcorp.com:6004 HTTP/1.1 - HTTP/1.0 503 RPC
Error: 6ba (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.003 sec
Jun  3 10:06:09 hcfw1 pound: (b7debb90) e500 error copy client cont to
10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6004
HTTP/1.1: Success (0.011 sec)

The IIS Log file (c:\windows\system32\logfiles\w3svc1\):

2008-06-03 17:05:48 W3SVC1 10.11.10.14 RPC_OUT_DATA /rpc/rpcproxy.dll
owa.hartwellcorp.com:6002 80 adanl(at)hartwellcorp.com 10.127.1.1 MSRPC 200
0 0
2008-06-03 17:05:48 W3SVC1 10.11.10.14 RPC_OUT_DATA /rpc/rpcproxy.dll
hcdc.hartwellcorp.com:6004 80 adanl(at)hartwellcorp.com 10.127.1.1 MSRPC
200 0 0
2008-06-03 17:06:09 W3SVC1 10.11.10.14 RPC_OUT_DATA /rpc/rpcproxy.dll
owa.hartwellcorp.com:6004 80 adanl(at)hartwellcorp.com 10.127.1.1 MSRPC 200
0 0
[...]

#
# pound configuration file for version 2.4.2
#

User "nobody"
Group "nobody"
RootJail "/usr/share/pound"
LogLevel 2

ListenHTTP
    Address 216.237.48.18
    Port 80
    Service "sslredir"
        HeadRequire "Host: owa.hartwellcorp.com.*"
        Redirect "https://owa.hartwellcorp.com/exchange"
    End
End

ListenHTTPS
    Address 216.237.48.18
    AddHeader "Front-End-Https: on"
    Port    443
    Cert    "/etc/pki/tls/certs/pound-new.pem"
    Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    # Allow WebDAV and MS extensions
    xHTTP   4
    Service "exchange"
        URL "^/exchange|^/exchweb"
        HeadRequire "Host: owa.hartwellcorp.com.*"
        BackEnd
            Address 10.11.10.14
            Port    80
        End
    End
    Service "rpc"
        URL "^/rpc"
        HeadRequire "Host: owa.hartwellcorp.com.*"
        BackEnd
            Address 10.11.10.14
            Port    80
            TimeOut 300
        End
    End
    Service "exchangeredir"
        HeadRequire "Host: owa.hartwellcorp.com.*"
        Redirect "https://owa.hartwellcorp.com/exchange"
    End
End
[...]

No, that doesn't work either.  I changed the config file:

ListenHTTP
    Address 216.237.48.18
    Port 80
#    Service "sslredir"
#        HeadRequire "Host: owa.hartwellcorp.com.*"
#        Redirect "https://owa.hartwellcorp.com/exchange"
#    End
    Service "rpc"
        URL "^/rpc"
        HeadRequire "Host: owa.hartwellcorp.com.*"
        BackEnd
            Address 10.11.10.14
            Port    80
            TimeOut 300
        End
    End
End

The Pound log file contains this:

Jun  3 10:23:38 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_IN_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6002 HTTP/1.1" from 216.237.48.28
Jun  3 10:23:38 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_OUT_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6002 HTTP/1.1" from 216.237.48.28
Jun  3 10:23:38 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_IN_DATA /rpc/rpcproxy.dll?hcdc.hartwellcorp.com:6004 HTTP/1.1" from 216.237.48.28
Jun  3 10:23:38 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_OUT_DATA /rpc/rpcproxy.dll?hcdc.hartwellcorp.com:6004 HTTP/1.1" from 216.237.48.28
Jun  3 10:24:00 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_IN_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6004 HTTP/1.1" from 216.237.48.28
Jun  3 10:24:00 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_OUT_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6004 HTTP/1.1" from 216.237.48.28
[...]

I have packet sniffs but they're large and it's probably not a good idea
to send them to the list.  You can download them from the FTP site
below:

Server: ftp.hartwellcorp.com
Login: pound
Password: pound

The file names should indicate which trace is for what.
[...]

Sure.  Let me know if you need anything else.  ;)

Re: FW: [Pound Mailing List] RPC over https configuration
Scott McKenzie <scott(at)noizyland.net>
2008-06-04 05:38:01
Michael St. Laurent wrote:[...][...][...][...]
I looked into this when I first started using pound.  This is a rather 
simplified explanation of what I discovered (and could be completely 
wrong - I don't know enough about RPC or HTTP).  When Outlook sends the 
first HTTP request it specifies a content-length of 1GB.  I think this 
is so the request stays open and RPC commands get sent via this 
"tunnel".  Pound (being the good proxy that it is) sits and waits for 
the 1GB of data to arrive and does not pass the request to the BE until 
it does.  Pound eventually times out waiting for the promised 1GB of 
data and gives up.

Here's Microsoft's details of the protocol:
http://technet.microsoft.com/en-us/library/aa995784(EXCHG.65).aspx
http://technet.microsoft.com/en-us/library/aa996706(EXCHG.65).aspx

RE: FW: [Pound Mailing List] RPC over https configuration
Robert Segall <roseg(at)apsis.ch>
2008-06-04 18:33:57
On Tue, 2008-06-03 at 10:35 -0700, Michael St. Laurent wrote:[...]

Please try again - you missed the xHTTP directive, so all requests were
rejected.[...]

RE: FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-04 19:52:20
> Please try again - you missed the xHTTP directive, so all [...]

Whoops, right you are.  Okay, now it does exactly the same thing as the
https connection.  It's prompting for the login credentials then after
about 30 seconds it comes back with a "Your Exchange server is
unavailable" error message.

Pound error log:

Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_IN_DATA
/rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.1 401
Unauthorized (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.005 sec
Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_OUT_DATA
/rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.1 401
Unauthorized (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.007 sec
Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_IN_DATA
/rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.1 200 OK
(owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.004 sec
Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_OUT_DATA
/rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.1 200 OK
(owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.003 sec
Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_OUT_DATA
/rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.0 503 RPC
Error: 6ba (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.002 sec
Jun  4 10:45:10 hcfw1 pound: (b7e97b90) e500 error copy client cont to
10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?hcex.hartwellcorp.com:593
HTTP/1.1: Success (0.004 sec)
Jun  4 10:45:14 hcfw1 pound: 216.237.48.29 RPC_IN_DATA
/rpc/rpcproxy.dll?HCEX:6004 HTTP/1.1 - HTTP/1.1 401 Unauthorized
(owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.005 sec
Jun  4 10:45:14 hcfw1 pound: 216.237.48.29 RPC_OUT_DATA
/rpc/rpcproxy.dll?HCEX:6004 HTTP/1.1 - HTTP/1.1 401 Unauthorized
(owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.007 sec
Jun  4 10:45:14 hcfw1 pound: 216.237.48.29 RPC_IN_DATA
/rpc/rpcproxy.dll?HCEX:6004 HTTP/1.1 - HTTP/1.1 200 OK
(owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.004 sec
Jun  4 10:45:14 hcfw1 pound: 216.237.48.29 RPC_OUT_DATA
/rpc/rpcproxy.dll?HCEX:6004 HTTP/1.1 - HTTP/1.1 200 OK
(owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.003 sec
Jun  4 10:45:24 hcfw1 pound: (b7e97b90) e500 error copy client cont to
10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?HCEX:6004 HTTP/1.1:
Connection timed out (10.000 sec)

RE: FW: [Pound Mailing List] RPC over https configuration
Gavin Conway <gavin.conway(at)uksolutions.co.uk>
2008-06-09 11:17:25
Has anyone actually got Pound working between a Linux server and Exchange 2007?
I've been working on this on and off for several weeks and have not yet found a
working configuration example.

I currently have;

ListenHTTPS
        Address         AN.INTERNET.IP.ADDRESS
        Port            443
        Cert            "/opt/pound/ssl/self-signed-cert.net.pem"
        AddHeader       "Front-End-Https: on"
        Ciphers         "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
        # Use version 4 as this allows the MS RPCDATAIN, RPCDATAOUT
        xHTTP           4
        Service
                BackEnd
                        Address apps-1.uks.local
                        Port    80
                        Timeout 60
                End
        End
End

Configured using a self-signed cert that has been imported onto the desktops
using group policy and still get nowhere. From my logs I'm seeing the
following;

May 22 09:46:41 edgetransport pound: (b7be6bb0) e500 response error read from
10.0.50.40:443/GET / HTTP/1.1: Connection timed out (60.022 secs)


If I point an outlook client at 10.0.50.40:443 then I can connect to the
RPC/HTTPS service without issue.

Any help is greatly appreciated


Thanks
Gavin
[...]


Gavin Conway
Senior Engineer, Systems Group, UKSolutions

Telephone: 0845 004 1333, option 2
Email: gavin.conway(at)uksolutions.co.uk
Web: http://www.uksolutions.co.uk/
UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in England
Number 3036806
This email must be read in conjunction with the legal & service notices on
http://www.uksolutions.co.uk/disclaimer

RE: FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-11 22:34:20
The RPC stuff is still being tweaked to make it compatible with The
Microsoft Way(tm).  ;)
[...]

RE: FW: [Pound Mailing List] RPC over https configuration
Gavin Conway <gavin.conway(at)uksolutions.co.uk>
2008-06-17 10:00:53
Hi Michael,

Thanks for getting back to me. Are you one of the developers for Pound? If so,
what sort of timescales are you looking at for RPC over HTTPS and compatibility
with Exchange? If you aren't a developer from Pound then could I get the same
question answered by them?

Reason being I'm fighting quite hard not to have to set up a Windows Server
running ISA just to proxy the HTTPS/RPC connection from our edge.

Thanks
Gavin
[...]



RE: FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-17 20:56:01
No, I'm in the same boat you are Gavin.  We're getting by using VPN
tunnels right now but are getting a lot of pressure to get RPCoHTTPS
working.  A lot of hotels and ISPs falsely claim that they don't block
VPN connections.
[...]

RE: FW: [Pound Mailing List] RPC over https configuration
Joe Gooch <mrwizard(at)k12system.com>
2008-06-18 02:08:31
I'm not sure my Exchange 2007 RPC over HTTP is working... Because I don't use
it.  But anyway.

In watching the exchange, it looks like the communication is limited by both the
Client timeout and the TimeOut on the backend.

It looks to me like the RPC_IN_DATA and RPC_OUT_DATA commands are returning a
Content-Length: 1073741824, likely so they can keep a persistent connection in
both directions.

Pound limits the incoming (from the client) connection w/ huge content length
by the client timeout.  Which I can fully understand.  But it's causing the
cont errors you see in the log.  So I bumped my Client and TimeOut values to
3600, just to see what would happen.  The cont errors went away.  So you might
want to try that as a short term thing.

Copy_bin appears to be called properly, but I'm not sure if BIO buffering is
adding weird behavior.  (For instance, I see 20 bytes come in from the client,
but nothing goes out on the server side for a bit...)  In other words, it seems
pound is treating this just like any other web request .... Read the request in
bulk and write chunks, then read the response in bulk and write chunks.

I added some flushing to copy_bin and I decreased the BIO_read limit to 10
bytes to see if it would do more interactive transmission but it doesn't seem
to make a difference.  Then again, when I turned off my layers of testing
programs, it didn't work either.  So it's possible I didn't set up
OutlookAnywhere properly.

Testbed - VM -> NAT REDIRECT -> Pound on 443 -> tcpwatch -> stunnel
-> OWA on 443

I tried without stunnel (turning off the SSL requirement in IIS) but the
results were the same.

Hope this helps.

Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

[...]
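
The failure signatures that the replies above tell apart (e501 rejections when xHTTP is missing, e500 "copy client cont" errors tied to the Client timeout, and the 401/200/503 responses on the RPC verbs) can be separated mechanically. This is an added example, not code from the thread or from Pound; the category names and hint texts are this example's own, and the sample lines are taken from the logs posted in the thread with the mail wrapping undone.

```python
import re
from collections import Counter

# Log lines taken from the messages in this thread, one syslog record per
# line (the mail wrapping is undone). Nothing here is newly captured data.
SAMPLE_LOG = """\
Jun  3 10:23:38 hcfw1 pound: (b7ebdb90) e501 bad request "RPC_IN_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6002 HTTP/1.1" from 216.237.48.28
Jun  3 10:05:48 hcfw1 pound: 216.237.48.26 RPC_OUT_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6002 HTTP/1.1 - HTTP/1.0 503 RPC Error: 6ba (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.003 sec
Jun  3 10:05:48 hcfw1 pound: (b7debb90) e500 error copy client cont to 10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?owa.hartwellcorp.com:6002 HTTP/1.1: Success (0.011 sec)
Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_IN_DATA /rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.1 401 Unauthorized (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.005 sec
Jun  4 10:45:10 hcfw1 pound: 216.237.48.29 RPC_IN_DATA /rpc/rpcproxy.dll?hcex.hartwellcorp.com:593 HTTP/1.1 - HTTP/1.1 200 OK (owa.hartwellcorp.com/rpc -> 10.11.10.14:80) 0.004 sec
Jun  4 10:45:24 hcfw1 pound: (b7e97b90) e500 error copy client cont to 10.11.10.14:80/RPC_IN_DATA /rpc/rpcproxy.dll?HCEX:6004 HTTP/1.1: Connection timed out (10.000 sec)
"""

# Pound diagnostics look like "(thread-id) eNNN message".
ERR_RE = re.compile(r"pound: \([0-9a-f]+\) e(?P<code>\d{3}) (?P<msg>.*)$")
# Request log lines: client, request line, response status line, backend.
REQ_RE = re.compile(
    r"pound: (?P<client>\S+) (?P<verb>[A-Z_]+) (?P<url>\S+) HTTP/1\.[01]"
    r" - HTTP/1\.[01] (?P<status>\d{3}) (?P<reason>.*?)"
    r" \((?P<service>\S+) -> (?P<backend>\S+)\)"
)
RPC_VERBS = ("RPC_IN_DATA", "RPC_OUT_DATA")

# Hint texts are this example's wording of what the replies in the thread say.
HINTS = {
    "verb_rejected": "Pound refused the RPC verb; check xHTTP on that listener",
    "body_copy_timeout": "request body copy timed out; compare Client/TimeOut",
    "body_copy_aborted": "request body copy ended early; see the response logged with it",
    "backend_rpc_error": "503 'RPC Error' logged for the forwarded request",
    "auth_challenge": "401 logged; expected before an authenticated retry",
}


def classify(line):
    """Return a category name for one Pound syslog line."""
    err = ERR_RE.search(line)
    if err:
        code, msg = err.group("code"), err.group("msg")
        if code == "501" and any(verb in msg for verb in RPC_VERBS):
            return "verb_rejected"
        if code == "500" and "error copy client cont" in msg:
            timed_out = "timed out" in msg
            return "body_copy_timeout" if timed_out else "body_copy_aborted"
        return "other_error"
    req = REQ_RE.search(line)
    if req and req.group("verb") in RPC_VERBS:
        status = req.group("status")
        if status == "401":
            return "auth_challenge"
        if status == "503":
            return "backend_rpc_error"
        return "forwarded_ok" if status.startswith("2") else "other_status"
    return "unparsed"


def triage(log_text):
    """Count categories over every line that Pound wrote."""
    lines = (l for l in log_text.splitlines() if "pound:" in l)
    return Counter(classify(line) for line in lines)


def report(log_text):
    """One readable finding per category that has a hint."""
    counts = triage(log_text)
    return [f"{n}x {cat}: {HINTS[cat]}" for cat, n in counts.items() if cat in HINTS]


if __name__ == "__main__":
    for finding in report(SAMPLE_LOG):
        print(finding)
```
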

RE: FW: [Pound Mailing List] RPC over https configuration
Gavin Conway <gavin.conway(at)uksolutions.co.uk>
2008-06-18 09:59:12
Hi Joe,

Could you send over your Pound configuration to the group so that it's archived
as a potential working configuration?

Thanks
Gavin
[...]



Re: FW: [Pound Mailing List] RPC over https configuration
"Odhiambo Washington" <odhiambo(at)gmail.com>
2008-06-18 11:24:40
On Wed, Jun 18, 2008 at 10:59 AM, Gavin Conway
<gavin.conway(at)uksolutions.co.uk> wrote:[...]

I, too, vote for this request.

[...]

RE: FW: [Pound Mailing List] RPC over https configuration
Joe Gooch <mrwizard(at)k12system.com>
2008-06-18 12:27:42
Sure!  Might be good to note I was testing with Pound 2.4.3 as well.

===== pound.cfg =========
Client 3600
TimeOut 3600
Alive 60
LogLevel 5
Daemon 0

ListenHTTPS
        Address 0.0.0.0
        Port    443
        Cert    "my.owa.cert.pem"
        AddHeader       "Front-End-Https: on"
        Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
        xHTTP   4
        Service
                Backend
                        Address my.owa.ip
                        Port    80
                End
        End
End

ListenHTTP
        Address 0.0.0.0
        Port    80
        xHTTP   4
        Service
                Backend
                        Address my.owa.ip
                        Port    80
                End
        End
End
======================

If your exchange server requires ssl and you don't want to change that, you can
add stunnel to the mix.  Just run stunnel on a local port (like 82) and have it
connect to my.owa.ip port 443.  Then change your backend to 127.0.0.1 port 82.

======== stunnel.cfg =======
foreground = yes
client = yes

[https]
  accept=127.0.0.1:82
  connect=my.owa.ip:443
============================

(Of course, in production, you'd likely want to set a user, group, chroot
directory, etc.)

If you want to see the exchange with the server, TCPWatch is invaluable.  You
can get it at http://hathawaymix.org/Software/TCPWatch

Assuming stunnel, run it as:
python tcpwatch.py 81:127.0.0.1:82
Without stunnel
python tcpwatch.py 81:my.owa.ip:80

And set your pound backend to 127.0.0.1:81.

If you're not actually on a machine with X, you can specify the -s flag to
tcpwatch so it does a console output.

Good luck!

Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

[...]

RE: FW: [Pound Mailing List] RPC over https configuration
Gavin Conway <gavin.conway(at)uksolutions.co.uk>
2008-06-18 15:56:19
Hi Joe,

Thanks for sending that out. Could you point an Outlook Client at your
RPCoHTTPS connection and let me know what you receive?

Also, browsing to;

https://yourpoundinstall/rpc/rpcproxy.dll

Should prompt you for a password 3 times and then present a blank page. I'm
asking this as I've replicated your config and whenever I try and call the
/rpcproxy.dll section myself I get an e500 error from Pound.

Cheers,
Gavin
[...]



RE: FW: [Pound Mailing List] RPC over https configuration
Robert Segall <roseg(at)apsis.ch>
2008-06-18 19:11:40
On Tue, 2008-06-03 at 10:35 -0700, Michael St. Laurent wrote:[...]

You seem to have sniffed the HTTPS stream, which is less than helpful.
Could you try again with plain HTTP?

One problem that I did notice: you seem to use Windows authentication
(NTLM). This is almost assured to cause problems, as Exchange thinks it
is talking to the Pound server, while the client sends a different set
of credentials. Search the archive for a detailed solution (using HTTP
authentication in IIS).[...]

RE: FW: [Pound Mailing List] RPC over https configuration
Robert Segall <roseg(at)apsis.ch>
2008-06-18 19:13:16
On Tue, 2008-06-17 at 09:00 +0100, Gavin Conway wrote:[...]

I can't very well give you any assurance - we are still trying to figure
out what the problem is. Once diagnosis is complete a solution would be
quick to be offered.[...]

RE: FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-18 19:30:40
D'OH!!!  You're right.  Okay, it'll take me a bit to get things set up again. 
I'll reply again once I've got a new set of captures to look at. 
[...]

RE: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-18 19:51:42
> You seem to have sniffed the HTTPS stream, which is less than
> helpful.[...]

D'OH!!!  You're right.  Okay, it'll take me a bit to get things set up
again.  I'll reply again once I've got a new set of captures to look at.

[Resent because the copy of this email I just got back from the list
looked like it got scrambled for some reason.]

RE: FW: [Pound Mailing List] RPC over https configuration
Gavin Conway <gavin.conway(at)uksolutions.co.uk>
2008-06-18 22:03:47
> Thanks for getting back to me. Are you one of the developers for Pound? If
> so what sort of timescales are you looking at for RPC over HTTPS and
> compatibility with Exchange. If you aren't a developer from Pound then could I
> get the same question answered by them.[...]
[...]



Hi Robert,

That being the case, what do you need to diagnose this? I have a basic
authentication system in place so if you need captures, configuration files,
tcpdumps then please let me know.

Thanks
Gavin


RE: FW: [Pound Mailing List] RPC over https configuration
"Michael St. Laurent" <mikes(at)hartwellcorp.com>
2008-06-18 23:35:37
> That being the case, what do you need to diagnose this? I [...]

He would like network sniffer captures of an HTTP (not HTTPS)
connection.  I believe he wants a successful one (so you may need to do
this from inside your proxy server) as well as what happens when Pound
is in the middle.
