Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
servers, and want to add OWA2K to the list (that's Outlook Web Access for
Microsoft Exchange 2000).

It works fine with OWA from Exchange 5.5 - which was basically just HTML
plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$
stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to
the older format and works fine - it just doesn't work well from IE (ironic
isn't it :-)

It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20% of the time and
IE6 just dies. It goes without saying that all these browsers work fine when
talking directly to the OWA2K server: it's only via the RP that they fail.

I've done packet sniffs and compares and can't see anything out of the
ordinary. I think it's an OWA issue, or an IE security-context issue, but
can't say for sure.

Anyone else got any stories about this?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

In message <20021107080335.GB26837@trimble.co.nz> you write:

|> We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web
|> servers, and want to add OWA2K to the list (that's Outlook Web Access for
|> Microsoft Exchange 2000).

|> Anyone else got any stories about this?

Two things:

1) For me, it seems to work with IE only if I explicitly disallow any
authentication scheme but Basic. IE defaults to NTLM which doesn't
seem to work across Apache reverse.

2) OWA inserts a " HTML
tag which means that you may have to play dirty tricks with DNS
and/or nsswitch.conf to get it to work from the outside.

vb
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

I had a discussion with someone about this off the list, but we didn't
resolve it. Until recently we too used a reverse proxy to connect to
Exchange 5.5, but this became too much hassle to keep up.

How about turning off keep-alives on the Exchange 2000 server? This might
help, as keep-alives don't give very much performance advantage anyway.
After all, the apache-mod_ssl server will have keep-alives disabled (or
should do).

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@rnib.org.uk

If we could learn one thing from September 11th 2001, it would be the utter
absurdity of moral relativism.


> -----Original Message-----
> From: Jason Haar [mailto:Jason.Haar@trimble.co.nz]
> Sent: 07 November 2002 08:04
> To: modssl-users@modssl.org
> Subject: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?
>
>
> We're using Apache/mod_ssl to provide a reverse-proxy to some
> backend Web
> servers, and want to add OWA2K to the list (that's Outlook
> Web Access for
> Microsoft Exchange 2000).
>
> It works fine with OWA from Exchange 5.5 - which was
> basically just HTML
> plus some javascript - but OWA2K (under IE5+) uses all sorts
> of whizzy M$
> stuff, and doesn't work!
>
> If you access OWA2K with a non-IE browser (e.g. Mozilla),
> OWA2K reverts to
> the older format and works fine - it just doesn't work well
> from IE (ironic
> isn't it :-)
>
> It's pretty flakey. IE5.0 works pretty well, IE5.5 works 20%
> of the time and
> IE6 just dies. It goes without saying that all these browsers
> work fine when
> talking directly to the OWA2K server: it's only via the RP
> that they fail.
>
> I've done packet sniffs and compares and can't see anything out of the
> ordinary. I think it's an OWA issue, or an IE
> security-context issue, but
> can't say for sure.
>
> Anyone else got any stories about this?
>
> Thanks
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

-

NOTICE: The information contained in this email and any attachments is
confidential and may be legally privileged. If you are not the
intended recipient you are hereby notified that you must not use,
disclose, distribute, copy, print or rely on this email's content. If
you are not the intended recipient, please notify the sender
immediately and then delete the email and any attachments from your
system.

RNIB has made strenuous efforts to ensure that emails and any
attachments generated by its staff are free from viruses. However, it
cannot accept any responsibility for any viruses which are
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email
and any attachments are those of the author and do not necessarily
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE : Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

Hi,

I will try to explain what I found about owa and apache 1.3 reverse
proxy

It's possible to reverse proxy owa with apache 1.3, but with owa
configured without ntlm.

1) The authentication process, is sending first a 401 to ask browser to
authenticate with a method, if this first method is not supported by the
browser, it's sending another 401 until browser and owa found the right
authentication method.

The apache 1.3 proxy is not supporting HTTP1.1 so, when it see the 401
coming back from owa, it close the connection btw RP and OWA, the client
is still connected. OWA will now try to send RP the next 401 and it's
impossible because the RP closed the connection.

If you disable in OWA the NTLM method, it will work. If you want to
handle NTLM, you have to try apache 2.0 which handle that really well.

2) 443 --> 80
I used to do that with apache 2.0 but I have few problem with base href,
so I do 443 --> 443 and it's working really well. The aim is to setup a
really low encryption btw RP and OWA to be more faster.

I will try to insert the header you speak about (front-end-https = on)
to see if it's working.

Hope you understood my bad English.

Regards,

Estrade Matthieu


-----Message d'origine-----
De : owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org] De la part de Volker Borchert
Envoyé : Thursday, November 07, 2002 10:06 AM
À : modssl-users@modssl.org
Objet : Re: Is anyone successfully runnin OWA2K behind Apache/mod_ssl?

In message <20021107080335.GB26837@trimble.co.nz> you write:

|> We're using Apache/mod_ssl to provide a reverse-proxy to some backend
Web
|> servers, and want to add OWA2K to the list (that's Outlook Web Access
for
|> Microsoft Exchange 2000).

|> Anyone else got any stories about this?

Two things:

1) For me, it seems to work with IE only if I explicitly disallow any
authentication scheme but Basic. IE defaults to NTLM which doesn't
seem to work across Apache reverse.

2) OWA inserts a " HTML
tag which means that you may have to play dirty tricks with DNS
and/or nsswitch.conf to get it to work from the outside.

vb
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

__________________________________________________
Modem offert : 150,92 euros remboursés sur le Pack eXtense de Wanadoo !
Haut débit à partir de 30 euros/mois : http://www.ifrance.com/_reloc/w



__________________________________________________
Modem offert : 150,92 euros remboursés sur le Pack eXtense de Wanadoo !
Haut débit à partir de 30 euros/mois : http://www.ifrance.com/_reloc/w

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org