mod_proxy support for exchange 2000

on 02.10.2002 21:55:23 by robin.blanchard

In an effort to build up a reverse proxy for Exchange 2000, I've determined:

1) using 1.3.26 or 1.3.28dev (CVS from a few minutes ago)
a. IE clients fail IIS's auth challenge
b. if those clients are sent first through squid, auth succeeds.
c. mozilla and netscape 4x clients succeed.

here are the http header responses from 1.3.26 and 1.3.28dev:
# wget --server-response webmail.gactr.uga.edu
--13:13:54-- http://webmail.gactr.uga.edu/
=> `index.html'
Resolving webmail.gactr.uga.edu... done.
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 302 Found
2 Date: Mon, 30 Sep 2002 17:13:54 GMT
3 Server: Apache/1.3.26 (Unix) mod_mp3/0.35 PHP/4.2.3 mod_perl/1.27
mod_ssl/2.8.10 OpenSSL/0.9.6g
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Connection: close
6 Content-Type: text/html; charset=iso-8859-1
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--13:13:54-- http://webmail.gactr.uga.edu/exchange/
=> `index.html'
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Date: Mon, 30 Sep 2002 17:13:54 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
7 Content-Length: 24
8 Content-Type: text/html
9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
10 X-Cache: MISS from webmail.gactr.uga.edu
11 Keep-Alive: timeout=15, max=100
12 Connection: Keep-Alive
Unknown authentication scheme.

# wget --server-response webmail.gactr.uga.edu
--15:36:10-- http://webmail.gactr.uga.edu/
=> `index.html.3'
Resolving webmail.gactr.uga.edu... done.
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 302 Found
2 Date: Wed, 02 Oct 2002 19:36:10 GMT
3 Server: Apache/1.3.28-dev (Unix)
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Connection: close
6 Content-Type: text/html; charset=iso-8859-1
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--15:36:10-- http://webmail.gactr.uga.edu/exchange/
=> `index.html.3'
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Date: Wed, 02 Oct 2002 19:36:10 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
7 Content-Length: 24
8 Content-Type: text/html
9 Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.28-dev)
10 X-Cache: MISS from webmail.gactr.uga.edu
11 Keep-Alive: timeout=15, max=100
12 Connection: Keep-Alive
Unknown authentication scheme.


2) using 2.0.42 the proxy works properly. here are its http headers:
# wget --server-response webmail.gactr.uga.edu
--15:34:06-- http://webmail.gactr.uga.edu/
=> `index.html.3'
Resolving webmail.gactr.uga.edu... done.
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 302 Found
2 Date: Wed, 02 Oct 2002 19:34:06 GMT
3 Server: Apache/2.0.42 (Unix)
4 Location: http://webmail.gactr.uga.edu/exchange/
5 Content-Length: 302
6 Keep-Alive: timeout=15, max=100
7 Connection: Keep-Alive
8 Content-Type: text/html; charset=iso-8859-1
Location: http://webmail.gactr.uga.edu/exchange/ [following]
--15:34:06-- http://webmail.gactr.uga.edu/exchange/
=> `index.html.3'
Connecting to webmail.gactr.uga.edu[10.10.10.99]:80... connected.
HTTP request sent, awaiting response...
1 HTTP/1.1 401 Access Denied
2 Date: Wed, 02 Oct 2002 19:34:06 GMT
3 Server: Microsoft-IIS/5.0
4 WWW-Authenticate: Negotiate
5 WWW-Authenticate: NTLM
6 WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
7 Content-Type: text/html; charset=ISO-8859-1
8 Via: 1.0 webmail.gactr.uga.edu (Apache/2.0.42)
9 Content-Length: 24
10 Connection: close
Unknown authentication scheme.


Below is the vhost config I've been using to test this. It seems to me
that the glaring difference between the 1.3.x proxy and the 2.0.x proxy
is HTTP 1.1 vs HTTP 1.0 (which is also why IE clients will work with the
1.3.x proxy when first sent through squid). I thus attempted to play
with the variables (commented out in the config below) for the 1.3.x
proxy. They produced no different results (as if the variables were
ignored).

I am hoping to implement this reverse proxy (behind SSL also) by 01
January and would very much like to have a 1.3.x solution as the
platform in question is FreeBSD; and PHP and auth_ldap modules will be
required. Thanks very much in advance.

I will gladly attempt to elaborate more if necessary.


# cat http.webmail.gactr.uga.edu.inc
Listen 10.10.10.99:80

ServerName webmail.gactr.uga.edu
UseCanonicalName On
CustomLog /tmp/transfer.log combined
ErrorLog /tmp/error.log

#SetEnv force-proxy-request-1.0
#SetEnv proxy-nokeepalive
##SetEnv nokeepalive
#SetEnv downgrade-1.0
#SetEnv force-response-1.0
#SetEnv redirect-carefully
##SetEnv force-no-vary

Redirect / http://webmail.gactr.uga.edu/exchange/
ProxyRequests Off
ProxyVia Full
#ProxyRemote * http://webmail.gactr.uga.edu
ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/
ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/
ProxyPass /public/ http://webmail.gactr.uga.edu/public/
ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/
ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/
ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/
ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/
ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/



--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------
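The wget output above shows the backend's 401 challenge passing through two proxy versions with different Via versions and Connection handling. As an added example (not code from the thread, from Apache or from Microsoft), the Python script below parses response header blocks of that shape and reports the authentication schemes the backend advertises, which of them are connection-oriented (NTLM and Negotiate bind the authenticated state to the TCP connection, so they only survive a proxy that keeps one backend connection per client conversation), whether Basic is also offered, and which HTTP version the proxy used on the backend hop according to Via. The two embedded samples are constructed from the 401 responses quoted above; the `Response` class and `assess()` function are this example's own names.

```python
"""Flag connection-oriented auth challenges passing through a reverse proxy.

Added example, not code from the thread. Parses HTTP response header blocks
of the shape wget --server-response printed and summarises what matters
when an NTLM/Negotiate backend sits behind a proxy.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Schemes whose authenticated state lives on the TCP connection, not on the
# individual request. They only survive a proxy that keeps one backend
# connection per client conversation.
CONNECTION_ORIENTED = frozenset({"ntlm", "negotiate"})

# Constructed samples modelled on the 401 responses quoted in the thread.
APACHE_13_RESPONSE = """\
HTTP/1.1 401 Access Denied
Date: Wed, 02 Oct 2002 19:36:10 GMT
Server: Microsoft-IIS/5.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
Content-Length: 24
Content-Type: text/html
Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.28-dev)
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
"""

APACHE_20_RESPONSE = """\
HTTP/1.1 401 Access Denied
Date: Wed, 02 Oct 2002 19:34:06 GMT
Server: Microsoft-IIS/5.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="webmail.gactr.uga.edu"
Content-Type: text/html; charset=ISO-8859-1
Via: 1.0 webmail.gactr.uga.edu (Apache/2.0.42)
Content-Length: 24
Connection: close
"""


@dataclass
class Response:
    version: str
    status: int
    headers: list[tuple[str, str]] = field(default_factory=list)

    def values(self, name: str) -> list[str]:
        """All values of a header, matched case-insensitively on the name."""
        return [v for k, v in self.headers if k.lower() == name.lower()]

    def first(self, name: str) -> str | None:
        vals = self.values(name)
        return vals[0] if vals else None


def parse_response(raw: str) -> Response:
    """Parse a status line plus headers; folded continuation lines are joined."""
    lines = raw.strip("\n").splitlines()
    m = re.match(r"HTTP/(\d\.\d)\s+(\d{3})", lines[0])
    if not m:
        raise ValueError(f"not a status line: {lines[0]!r}")
    resp = Response(version=m.group(1), status=int(m.group(2)))
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and resp.headers:
            name, value = resp.headers[-1]
            resp.headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        resp.headers.append((name.strip(), value.strip()))
    return resp


def auth_schemes(resp: Response) -> list[str]:
    """Scheme tokens from every WWW-Authenticate header, lower-cased."""
    return [v.split(None, 1)[0].lower() for v in resp.values("WWW-Authenticate") if v]


def assess(resp: Response) -> dict:
    """Summarise what a defender wants to know about a proxied challenge."""
    schemes = auth_schemes(resp)
    via = resp.first("Via")
    conn = (resp.first("Connection") or "").lower()
    return {
        "status": resp.status,
        "schemes": schemes,
        "connection_oriented": sorted(set(schemes) & CONNECTION_ORIENTED),
        "basic_offered": "basic" in schemes,
        "via_version": via.split()[0] if via else None,
        # HTTP/1.1 defaults to persistent unless Connection: close is sent.
        "keep_alive": conn == "keep-alive" or (resp.version == "1.1" and conn != "close"),
    }


if __name__ == "__main__":
    for label, raw in (("1.3.x", APACHE_13_RESPONSE), ("2.0.x", APACHE_20_RESPONSE)):
        print(label, assess(parse_response(raw)))
```

Run against the two samples it reports the same backend schemes for both, but a Via version of 1.1 with a kept-alive connection for the 1.3.x capture and 1.0 with Connection: close for the 2.0.x capture, which is the difference the thread is chasing. The `basic_offered` flag is there because a Basic challenge reaching clients over plain HTTP means credentials travel in cleartext until the SSL front end mentioned in the message is in place.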

Re: mod_proxy support for exchange 2000

on 03.10.2002 07:54:59 by Graham Leggett

Robin P. Blanchard wrote:

> In effort to build up a reverse proxy for Exchange 2000, I've determined:
>
> 1) using 1.3.26 or 1.3.28dev (CVS from a few minutes ago)
> a. IE clients fail IIS's auth challenge
> b. if those clients are sent first through squid, auth succeeds.
> c. mozilla, netscape 4x, clients succeed.

From the responses you have given I am not sure exactly what they
represent.

What I need to see to make head or tail of this is two sets of headers:
The first needs to show the transaction from the browser to the reverse
proxy. The second needs to show the reverse proxy to the backend server.

What will also be useful is to add a set of traces for mozilla so I can
see what happens in the working case.

Use a tool like tcpflow on the reverse proxy to get these two traces.

In order to debug this, I need to be able to compare the headers sent
to/from the browser with the headers sent to/from the backend server to
see what has changed.

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."
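The comparison Graham asks for, the request as the browser sent it to the proxy against the request the proxy sent to the backend, can be done mechanically once the two header blocks have been pulled out of the traces. The Python below is an added example (not code from the thread, from tcpflow or from Apache): it parses both request blocks, reports which headers the proxy added, dropped or rewrote and whether the HTTP version changed on the way through, and redacts credential-bearing headers (Authorization, Proxy-Authorization, Cookie) so the resulting report can be shared the way the captures in this thread were. Both embedded samples are constructed, including the NTLM token placeholder and the 10.10.10.5 client address; `diff_hops()` and `redact()` are this example's own names.

```python
"""Compare a request as seen on the two sides of a reverse proxy.

Added example, not from the thread. Input is two captured request header
blocks: browser->proxy and proxy->backend. Output says what the proxy
changed, with credential headers redacted for safe sharing.
"""
from __future__ import annotations

# Headers whose values must never appear in a trace handed to someone else.
SENSITIVE = frozenset({"authorization", "proxy-authorization", "cookie"})

# Constructed sample: the browser->proxy hop (the NTLM token is a placeholder).
CLIENT_SIDE = """\
GET /exchange/ HTTP/1.1
Host: webmail.gactr.uga.edu
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Connection: Keep-Alive
Authorization: NTLM <constructed-type1-token>
"""

# Constructed sample: the proxy->backend hop for the same request.
BACKEND_SIDE = """\
GET /exchange/ HTTP/1.0
Host: webmail.gactr.uga.edu
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Connection: close
Authorization: NTLM <constructed-type1-token>
Via: 1.1 webmail.gactr.uga.edu (Apache/1.3.26)
X-Forwarded-For: 10.10.10.5
"""


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Return (method, http_version, headers); header names are lower-cased."""
    lines = raw.strip("\n").splitlines()
    method, _target, version = lines[0].split()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        key = name.strip().lower()
        value = value.strip()
        # Repeated headers are folded together so a change in either is visible.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return method, version, headers


def redact(name: str, value: str) -> str:
    """Keep the scheme token of a credential header, hide the credential."""
    if name in SENSITIVE:
        scheme = value.split(None, 1)[0] if value else ""
        return f"{scheme} [redacted]".strip()
    return value


def diff_hops(client_raw: str, backend_raw: str) -> dict:
    """Describe how the proxy rewrote the request between the two hops."""
    _m_in, v_in, h_in = parse_request(client_raw)
    _m_out, v_out, h_out = parse_request(backend_raw)
    added = {k: redact(k, h_out[k]) for k in h_out if k not in h_in}
    dropped = sorted(k for k in h_in if k not in h_out)
    changed = {
        k: (redact(k, h_in[k]), redact(k, h_out[k]))
        for k in h_in
        if k in h_out and h_in[k] != h_out[k]
    }
    return {
        "version": (v_in, v_out),
        "version_changed": v_in != v_out,
        "added": added,
        "dropped": dropped,
        "changed": changed,
        # True when a credential header is forwarded to the backend at all.
        "credentials_forwarded": any(k in SENSITIVE for k in h_out),
    }


if __name__ == "__main__":
    import json

    print(json.dumps(diff_hops(CLIENT_SIDE, BACKEND_SIDE), indent=2))
```

On the constructed pair it reports the version drop from HTTP/1.1 to HTTP/1.0, the Connection header rewritten from Keep-Alive to close, and Via and X-Forwarded-For added, which is exactly the kind of per-hop difference that matters for an auth scheme tied to the connection. Feeding it real blocks cut from tcpflow output is the intended use; the redaction keeps the scheme name so the report still shows which challenge the client answered.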

Re: mod_proxy support for exchange 2000

on 03.10.2002 14:38:33 by robin.blanchard

>>What I need to see to make head or tail of this is two set of headers:
>>The first needs to show the transaction from the browser to the reverse
>>proxy. The second needs to show the reverse proxy to the backend server.
>>
>>Use a tool like tcpflow on the reverse proxy to get these two traces.

attached is tcpflow.tar.gz, containing:
tcpflow/
tcpflow/2.0.42/
tcpflow/2.0.42/mozilla
tcpflow/2.0.42/ie
tcpflow/1.3.26/
tcpflow/1.3.26/ie
tcpflow/1.3.26/mozilla

which (hopefully) will demonstrate IE's inability to login using the
1.3.26 reverse proxy.


--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------

Re: mod_proxy support for exchange 2000

on 03.10.2002 14:46:59 by Graham Leggett

Robin P. Blanchard wrote:

> attached is tcpflow.tar.gz, containing:

You forgot the attachment...

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."

Re: mod_proxy support for exchange 2000

on 03.10.2002 15:56:28 by Graham Leggett

Robin P. Blanchard wrote:

> attached is tcpflow.tar.gz, containing:
> tcpflow/
> tcpflow/2.0.42/
> tcpflow/2.0.42/mozilla
> tcpflow/2.0.42/ie
> tcpflow/1.3.26/
> tcpflow/1.3.26/ie
> tcpflow/1.3.26/mozilla

I can only see flows from the browser to apache, but not from apache to
exchange. I need to see both sides of the connection to see what is
changed on the way through the proxy.

Also the flows are very big - can you restrict it to just a single
request (or set of requests) that pass and/or fail...?

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."

Re: mod_proxy support for exchange 2000

on 03.10.2002 16:21:44 by robin.blanchard

ftp://ftp.wuga.org/pub/tcpflow.tar.gz

tcpflow/
tcpflow/2.0.42/
tcpflow/2.0.42/ie
tcpflow/1.3.26/
tcpflow/1.3.26/mozilla
tcpflow/1.3.26/ie1
tcpflow/1.3.24/
tcpflow/1.3.24/ie

the flows should now show both directions (into reverse proxy and into
IIS). the flows (for 1.3.26 and 2.0.42) are limited to the initial auth.


> I can only see flows from the browser to apache, but not from apache to
> exchange. I need to see both sides of the connection to see what is
> changed on the way through the proxy.
>
> Also the flows are very big - can you restrict it to just a single
> request (or set of requests) that pass and/or fail...?



--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------

Re: mod_proxy support for exchange 2000

on 03.10.2002 16:45:58 by i.t

> the flows should now show both directions (into reverse proxy and into
> IIS). the flows (for 1.3.26 and 2.0.42) are limited to the initial auth.

I do not see flows from apache;
the files are really large and hard to read;
probably it would really be better using tcpdump -W (output file) on the
server side when the response is coming in. This output file can easily be
read with Ethereal (Menu Tool, "Follow TCP/IP Stream") or any other tcpdump
wrapper.
i.t
--
. ___
| | Irmund Thum
| |

Re: mod_proxy support for exchange 2000

on 03.10.2002 17:16:57 by robin.blanchard

>>>the files are really large and hard to read;
>>>probably it would really be better using tcpdump -W (output file) on the
>>>server side when the response is coming in. This output file can easily
>>>be read with Ethereal (Menu Tool, "Follow TCP/IP Stream") or any other
>>>tcpdump wrapper.
>>>i.t@ithum.de

ok...
ftp://ftp.wuga.org/pub/reverse_proxy.tar.gz
reverse_proxy/tcpflow/1.3.26/ie
reverse_proxy/tcpflow/1.3.24/
reverse_proxy/tcpflow/1.3.24/ie
reverse_proxy/tcpdump/
reverse_proxy/tcpdump/1.3.26/
reverse_proxy/tcpdump/1.3.26/ie
reverse_proxy/tcpdump/2.0.42/
reverse_proxy/tcpdump/2.0.42/ie
reverse_proxy/tcpdump/1.3.24/
reverse_proxy/tcpdump/1.3.24/ie

tcpflows taken with:
# tcpflow -c \( host uga542004.it.gactr.gc.nat or host webmail.gactr.uga.edu \) > ie

tcpdumps taken with:
# tcpdump -w ie \( host uga542004.it.gactr.gc.nat or host webmail.gactr.uga.edu \)

current IE status:
1) 2.0.42: success
2) 1.3.26: auth failure
3) 1.3.24: auth success, inbox contents fail to display


--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------