Apache reverse proxy x OWA authentication

on 24.10.2002 14:36:20 by Fabiano Felix

Hi all,

I configured an Apache with reverse proxy to an OWA (Exchange2K) in the
internal network, but I have a problem with the authentication. When I
receive the authentication box (from an external client), the basic realm
shows the internal IP address from OWA, and the client tries to connect to
this address. I searched the Internet, but I didn't find any information.

Can you help me?

With best regards,

Fabiano

RE: Apache reverse proxy x OWA authentication

on 24.10.2002 16:30:36 by agfoust

We are having a similar problem and haven't solved it yet. I believe that
the backend OWA server needs to have the original Host: header requested by
the browser passed through. There's a proxy directive in Apache 2 called
ProxyPreserveHost which sounds like it might do just that.

http://httpd.apache.org/docs-2.0/mod/mod_proxy.html#proxypreservehost

There's also a tech. note on Microsoft's web site that mentions that an HTTP
header may have to be set, but it isn't clear whether this is required or
not.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307347

We tried to get end-to-end SSL working with reverse proxy and ran into
problems with Apache 1.3.26 (haven't tried with Apache 2 yet). Our backend
https connection must pass through a regular Apache 1.3.26 proxy (not a
reverse proxy) and this doesn't appear to be implemented. The ProxyRemote
method seems to malfunction for backend SSL connections. A direct (no
intermediary proxy) https backend connection does appear to work.


-----Original Message-----
From: Fabiano Felix [mailto:felix@getnet.com.br]
Sent: Thursday, October 24, 2002 8:36 AM
To: modproxy-dev@apache.org
Subject: Apache reverse proxy x OWA authentication


Hi all,

I configured an Apache with reverse proxy to an OWA (Exchange2K) in the
internal network, but I have a problem with the authentication. When I
receive the authentication box (from an external client), the basic realm
shows the internal IP address from OWA, and the client tries to connect to
this address. I searched the Internet, but I didn't find any information.

Can you help me?

With best regards,

Fabiano

Re: Apache reverse proxy x OWA authentication

on 11.11.2002 13:55:48 by Fabiano Felix

Hello,

I have had success with reverse proxying to OWA/Exch2K with Apache2, but I
have another problem: in some parts of OWA (specifically in pages that
require NTFS authentication), I receive the following message:
Unknow authentication method.

I also have an https backend...

I searched but I didn't find any solution. Does someone have an idea?

With best regards,

Fabiano

i.t wrote:

>>We are having a similar problem and haven't solved it yet. I believe that
>>the backend OWA server needs to have the original Host: header requested by
>>the browser passed through. There's a proxy directive in Apache 2 called
>>ProxyPreserveHost which sounds like it might do just that.
>>
>>http://httpd.apache.org/docs-2.0/mod/mod_proxy.html#proxypreservehost
>>
>>There's also a tech. note on Microsoft's web site that mentions that an
>>HTTP header may have to be set, but it isn't clear whether this is required
>>or not.
>>
>>http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307347
>>
>>We tried to get end-to-end SSL working with reverse proxy and ran into
>>problems with Apache 1.3.26 (haven't tried with Apache 2 yet). Our backend
>>https connection must pass through a regular Apache 1.3.26 proxy (not a
>>reverse proxy) and this doesn't appear to be implemented. The ProxyRemote
>>method seems to malfunction for backend SSL connections. A direct (no
>>intermediary proxy) https backend connection does appear to work.
>>
>>
>
>what we have experienced with OWA-Clients and Exchange is:
>to avoid problems with IE5/6 you have to use Squid (with extensions methods)
>or Apache 2.0.4x
>we have even tested 1.3.28dev (beg. Oct);
>1.3.24 works with basic auth, but you have to add dav support getting the
>client to work with the inbox and other webmail functionality
>
>Regards
>
>

Re: Apache reverse proxy x OWA authentication

on 11.11.2002 18:30:30 by robin.blanchard

I finally got a reverse proxy to e2k via apache-1.3.2[6,7]. You need to
install mod_proxy_add_forward with the following modification. On the
IIS/OWA box, deselect "integrated windows auth". This allows IE clients
to auth through the apache1 proxy...

--- mod_proxy_add_forward-20020710.c Tue Nov 5 14:22:06 2002
+++ mod_proxy_add_forward-ssl.c Tue Nov 5 14:25:26 2002
@@ -185,6 +185,8 @@

ap_table_set(r->headers_in, "X-Server-Hostname",
r->server->server_hostname);
+ /* turn on front-end-https headed, so OWA will put HTTPS into
urls */
+ ap_table_set(r->headers_in, "front-end-https","on");

return OK;
}
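
Review bot: the added ap_table_set(r->headers_in, "front-end-https","on") call sits directly before "return OK" with no condition, so every proxied request tells OWA that the client arrived over HTTPS, including requests that reached this server on a plain-HTTP listener or virtual host. Set the header only when the front-end connection really is SSL, or gate it behind a per-server configuration switch, so the module stays correct on servers that answer both HTTP and HTTPS. Using ap_table_set here is the right choice and should be kept, because it replaces any front-end-https value the client supplied itself.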



Fabiano Felix wrote:
> Hello ,
>
> I have had success with reverse proxying to OWA/Exch2K with Apache2, but I
> have another problem: in some parts of OWA (specifically in pages that
> require NTFS authentication), I receive the following message:
> Unknow authentication method.
>
> I also have an https backend...
>
> I searched but I didn't find any solution. Does someone have an idea?
>
> With best regards,
>
> Fabiano
>
> i.t wrote:
>
>>> We are having a similar problem and haven't solved it yet. I believe
>>> that
>>> the backend OWA server needs to have the original Host: header
>>> requested by
>>> the browser passed through. There's a proxy directive in Apache 2 called
>>> ProxyPreserveHost which sounds like it might do just that.
>>>
>>> http://httpd.apache.org/docs-2.0/mod/mod_proxy.html#proxypreservehost
>>>
>>> There's also a tech. note on Microsoft's web site that mentions that an
>>> HTTP header may have to be set, but it isn't clear whether this is
>>> required
>>> or not.
>>>
>>> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307347
>>>
>>> We tried to get end-to-end SSL working with reverse proxy and ran into
>>> problems with Apache 1.3.26 (haven't tried with Apache 2 yet). Our
>>> backend
>>> https connection must pass through a regular Apache 1.3.26 proxy (not a
>>> reverse proxy) and this doesn't appear to be implemented. The
>>> ProxyRemote
>>> method seems to malfunction for backend SSL connections. A direct (no
>>> intermediary proxy) https backend connection does appear to work.
>>>
>>
>>
>> what we have experienced with OWA-Clients and Exchange is:
>> to avoid problems with IE5/6 you have to use Squid (with extensions
>> methods) or Apache 2.0.4x
>> we have even tested 1.3.28dev (beg. Oct);
>> 1.3.24 works with basic auth, but you have to add dav support getting
>> the client to work with the inbox and other webmail functionality
>>
>> Regards
>>
>>
>
>
>

--
----------------------------------------
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 <|> fax: 706.542.6546
----------------------------------------
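
The three symptoms reported in this thread (an internal address in the Basic realm, integrated Windows authentication failing through the proxy, and OWA emitting non-HTTPS URLs) can all be checked from the client side of the proxy. The following is an added example, not code from any poster or from the Apache or Exchange projects; the sample headers, the address 10.1.2.3 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: headers of a 401 response as an external client might
# see them through the proxy (address and realm are made up).
SAMPLE_401 = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="10.1.2.3"'),
    ("Location", "http://10.1.2.3/exchange/"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Schemes that authenticate the TCP connection rather than each request.
CONNECTION_BOUND = {"ntlm", "negotiate"}


def private_addresses(text):
    """Return private, loopback or link-local IPv4 literals found in text."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex only
            continue
        if addr.is_private:
            found.append(candidate)
    return found


def audit_headers(headers):
    """Return a sorted list of (issue, detail) findings for one response."""
    findings = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "www-authenticate":
            parts = value.split(None, 1)
            scheme = parts[0].lower() if parts else ""
            if scheme in CONNECTION_BOUND:
                findings.add(("connection-bound-auth", scheme))
            for ip in private_addresses(value):
                findings.add(("internal-address-in-realm", ip))
        elif lname in ("location", "content-location"):
            for ip in private_addresses(value):
                findings.add(("internal-address-in-redirect", ip))
            if value.lower().startswith("http://"):
                findings.add(("plain-http-url", value))
    return sorted(findings)
```

An empty result for the login challenge and for a redirecting OWA page means the proxy is hiding the backend address, offering only per-request authentication, and receiving HTTPS URLs from OWA.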

RE: Apache reverse proxy x OWA authentication

on 11.11.2002 18:34:56 by SWilcoxon

Sounds familiar doesn't it?

S.W.

> -----Original Message-----
> From: Robin P. Blanchard [mailto:robin.blanchard@georgiacenter.org]
> Sent: Monday, November 11, 2002 11:31 AM
> To: modproxy-dev@apache.org
> Subject: Re: Apache reverse proxy x OWA authentication
>
>
> I finally got a reverse proxy to e2k via apache-1.3.2[6,7]. You need to
> install mod_proxy_add_forward with the following modification. On the
> IIS/OWA box, deselect "integrated windows auth". This allows IE clients
> to auth through the apache1 proxy...
>
> --- mod_proxy_add_forward-20020710.c Tue Nov 5 14:22:06 2002
> +++ mod_proxy_add_forward-ssl.c Tue Nov 5 14:25:26 2002
> @@ -185,6 +185,8 @@
>=20
> ap_table_set(r->headers_in, "X-Server-Hostname",
> r->server->server_hostname);
> + /* turn on front-end-https headed, so OWA will put HTTPS into=20
> urls */
> + ap_table_set(r->headers_in, "front-end-https","on");
>=20
> return OK;
> }
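
Review bot: the comment on the first added line says "front-end-https headed" where "header" is meant, and it is wrapped so that "urls */" lands on a line of its own without the leading "+", which means the hunk will not apply as posted. Correct the typo, keep the comment on a single line (or write it as a proper multi-line comment with each line marked "+"), and resend the patch as an attachment so mail wrapping and the "=20" transport residue visible in this quoted copy cannot damage it.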
>
>
>
> Fabiano Felix wrote:
> > Hello,
> >
> > I have had success with reverse proxying to OWA/Exch2K with Apache2, but I
> > have another problem: in some parts of OWA (specifically in pages that
> > require NTFS authentication), I receive the following message:
> > Unknow authentication method.
> >
> > I also have an https backend...
> >
> > I searched but I didn't find any solution. Does someone have an idea?
> >
> > With best regards,
> >
> > Fabiano
> >
> > i.t wrote:
> >
> >>> We are having a similar problem and haven't solved it yet. I believe
> >>> that the backend OWA server needs to have the original Host: header
> >>> requested by the browser passed through. There's a proxy directive in
> >>> Apache 2 called ProxyPreserveHost which sounds like it might do just that.
> >>>
> >>> http://httpd.apache.org/docs-2.0/mod/mod_proxy.html#proxypreservehost
> >>>
> >>> There's also a tech. note on Microsoft's web site that mentions that an
> >>> HTTP header may have to be set, but it isn't clear whether this is
> >>> required or not.
> >>>
> >>> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307347
> >>>
> >>> We tried to get end-to-end SSL working with reverse proxy and ran into
> >>> problems with Apache 1.3.26 (haven't tried with Apache 2 yet). Our
> >>> backend https connection must pass through a regular Apache 1.3.26 proxy
> >>> (not a reverse proxy) and this doesn't appear to be implemented. The
> >>> ProxyRemote method seems to malfunction for backend SSL connections.
> >>> A direct (no intermediary proxy) https backend connection does appear
> >>> to work.
> >>>
> >>
> >>
> >> what we have experienced with OWA-Clients and Exchange is:
> >> to avoid problems with IE5/6 you have to use Squid (with extensions
> >> methods) or Apache 2.0.4x
> >> we have even tested 1.3.28dev (beg. Oct);
> >> 1.3.24 works with basic auth, but you have to add dav support getting
> >> the client to work with the inbox and other webmail functionality
> >>
> >> Regards
> >>
> >>
> >
> >
> >
>
> --
> ----------------------------------------
> Robin P. Blanchard
> Systems Integration Specialist
> Georgia Center for Continuing Education
> fon: 706.542.2404 <|> fax: 706.542.6546
> ----------------------------------------
>
>

Re: Apache reverse proxy x OWA authentication

on 11.11.2002 19:21:09 by Chuck Murcko

On Monday, November 11, 2002, at 10:34 AM, Wilcoxon, Steve wrote:

> Sounds familiar doesn't it?
>

Yep. Looks like the whole set of bugfixes I committed at around 1.3.20
(inc. this one) got scrubbed out at some point.

Chuck