Apache ReverseProxy for OWA
Here’s how I was able to get ReverseProxy working on Apache to protect an Exchange 2007 OWA instance. You’ll note that in certain areas I have the same thing multiple times with slight changes in capitalization. Microsoft does not understand case sensitivity nor POSIX compliance. All of the following goes inside a VirtualHost, of course. Please note, I figured this out on my own without official documentation (since I couldn’t find any), and I would love to hear if you found something else. We are also not running RPC over HTTPS, so I’m not sure if the rpc directories are correct.
<IfModule mod_proxy.c>
    # Allow proxying to an HTTPS back end
    SSLProxyEngine on
    # Tell Exchange the client connection was HTTPS (RequestHeader needs mod_headers)
    RequestHeader set Front-End-Https "On"

    # Proxy all of the sub-directories, otherwise go to /owa/
    # You'll notice that some of these subdirectories are spelled
    # multiple ways - MS can't give us a definitive answer…

    # Fix trailing slash problem
    RedirectMatch permanent /$ https://external.mail.server/owa/
    RedirectMatch permanent /owa$ https://external.mail.server/owa/

    # Needed for Blackberry Phones
    <Location /EWS>
        ProxyPass https://internal.mail.server/EWS
        ProxyPassReverse https://internal.mail.server/EWS
    </Location>

    # Enables legacy pre 2007 Exchange connections
    <Location /exchange>
        ProxyPass https://internal.mail.server/exchange
        ProxyPassReverse https://internal.mail.server/exchange
    </Location>
    <Location /Exchange>
        ProxyPass https://internal.mail.server/Exchange
        ProxyPassReverse https://internal.mail.server/Exchange
    </Location>

    # Enables legacy pre 2007 Exchange connections
    <Location /exchweb>
        ProxyPass https://internal.mail.server/exchweb
        ProxyPassReverse https://internal.mail.server/exchweb
    </Location>
    <Location /Exchweb>
        ProxyPass https://internal.mail.server/Exchweb
        ProxyPassReverse https://internal.mail.server/Exchweb
    </Location>

    # Enables Windows Mobile ActiveSync
    <Location /Microsoft-Server-ActiveSync>
        ProxyPass https://internal.mail.server/Microsoft-Server-ActiveSync
        ProxyPassReverse https://internal.mail.server/Microsoft-Server-ActiveSync
    </Location>

    # Something about AutoDiscover is important
    <Location /Autodiscover>
        ProxyPass https://internal.mail.server/Autodiscover
        ProxyPassReverse https://internal.mail.server/Autodiscover
    </Location>
    <Location /AutoDiscover>
        ProxyPass https://internal.mail.server/AutoDiscover
        ProxyPassReverse https://internal.mail.server/AutoDiscover
    </Location>
    <Location /autodiscover>
        ProxyPass https://internal.mail.server/autodiscover
        ProxyPassReverse https://internal.mail.server/autodiscover
    </Location>
    <Location /autoDiscover>
        ProxyPass https://internal.mail.server/autoDiscover
        ProxyPassReverse https://internal.mail.server/autoDiscover
    </Location>

    # Not sure if we need the rest of these
    <Location /OAB>
        ProxyPass https://internal.mail.server/OAB
        ProxyPassReverse https://internal.mail.server/OAB
    </Location>
    <Location /public>
        ProxyPass https://internal.mail.server/public
        ProxyPassReverse https://internal.mail.server/public
    </Location>
    <Location /Public>
        ProxyPass https://internal.mail.server/Public
        ProxyPassReverse https://internal.mail.server/Public
    </Location>
    <Location /rpc>
        ProxyPass https://internal.mail.server/rpc
        ProxyPassReverse https://internal.mail.server/rpc
    </Location>
    <Location /RPC>
        ProxyPass https://internal.mail.server/RPC
        ProxyPassReverse https://internal.mail.server/RPC
    </Location>
    <Location /Rpc>
        ProxyPass https://internal.mail.server/Rpc
        ProxyPassReverse https://internal.mail.server/Rpc
    </Location>
    <Location /rpcwithcert>
        ProxyPass https://internal.mail.server/rpcwithcert
        ProxyPassReverse https://internal.mail.server/rpcwithcert
    </Location>
    <Location /RpcWithCert>
        ProxyPass https://internal.mail.server/RpcWithCert
        ProxyPassReverse https://internal.mail.server/RpcWithCert
    </Location>
    <Location /UnifiedMessaging>
        ProxyPass https://internal.mail.server/UnifiedMessaging
        ProxyPassReverse https://internal.mail.server/UnifiedMessaging
    </Location>
    <Location /unifiedmessaging>
        ProxyPass https://internal.mail.server/unifiedmessaging
        ProxyPassReverse https://internal.mail.server/unifiedmessaging
    </Location>
    <Location /unifiedMessaging>
        ProxyPass https://internal.mail.server/unifiedMessaging
        ProxyPassReverse https://internal.mail.server/unifiedMessaging
    </Location>

    # Really doubt we need this - should probably remove
    <Location /aspnet_client>
        ProxyPass https://internal.mail.server/aspnet_client
        ProxyPassReverse https://internal.mail.server/aspnet_client
    </Location>

    # Actual Proxy for OWA (web browser based mail)
    ProxyPass /owa/ https://internal.mail.server/owa/
    ProxyPassReverse /owa/ https://internal.mail.server/owa/
</IfModule>
Sorry the formatting is a little messed up :(
Thank you very much!
Posted July 13, 2008, 1:05 pm
You save me a lot of “brain time”
Great stuff, I’m going to test this out in my lab to verify the RDP connections. I’ll let you know how it works out!
Jeremy
Posted July 22, 2008, 8:55 am
Thank you very much for this. I tried to use my old 2003 config and found it somewhat wanting. So far your method is working nicely.
Posted October 9, 2008, 9:15 am
Indeed, many thanks for sharing.. this works great!
Haven’t done extensive testing yet but for what it’s worth I deleted all of the rules at the end under the #Not sure comment (except for the actual /owa proxy of course) and everything appears to be working fine =)
Posted November 24, 2008, 1:08 am
Looking back at this post with a little more experience under my belt, I’m going to add some comments.
* The exchange directory appears to be in all lower-case, as does autodiscover
Posted November 24, 2008, 10:08 am
* I can confirm that the bottom directories really are not needed (unless you are using RPC over HTTPS)
* The only directories I can see that you really need are:
(case sensitive)
/owa
/EWS
/Microsoft-Server-ActiveSync
/autodiscover
/exchange
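An added example, not part of the original post or its comments: a small Python check that lists which paths an Apache config publishes through ProxyPass and compares them, case-sensitively, with the five directories the follow-up comment above names as required. The sample config is a constructed, shortened copy of the post's, and `proxied_paths` and `audit` are hypothetical helper names.

```python
import re

# The directories the follow-up comment lists as required (case sensitive).
REQUIRED = {"/owa", "/EWS", "/Microsoft-Server-ActiveSync", "/autodiscover", "/exchange"}

# Constructed sample: a shortened copy of the VirtualHost body from the post.
SAMPLE_CONF = """\
<Location /EWS>
ProxyPass https://internal.mail.server/EWS
</Location>
<Location /AutoDiscover>
ProxyPass https://internal.mail.server/AutoDiscover
</Location>
<Location /autodiscover>
ProxyPass https://internal.mail.server/autodiscover
</Location>
<Location /aspnet_client>
ProxyPass https://internal.mail.server/aspnet_client
</Location>
ProxyPass /owa/ https://internal.mail.server/owa/
ProxyPassReverse /owa/ https://internal.mail.server/owa/
"""

def proxied_paths(conf):
    """Return the front-end paths published by ProxyPass, in file order."""
    paths, location = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Location\s+"?([^\s">]+)', line, re.I)
        if opened:
            location = opened.group(1)
        elif line.lower().startswith("</location"):
            location = None
        elif re.match(r"ProxyPass\s", line, re.I):  # skips ProxyPassReverse
            # Inside <Location> the path is implied; outside it is argument 1.
            path = location or line.split()[1]
            paths.append(path.rstrip("/") or "/")
    return paths

def audit(conf, required=REQUIRED):
    """Sort published paths into required, case variants, extra and missing."""
    seen = proxied_paths(conf)
    lowered = {p.lower() for p in required}
    return {
        "required": [p for p in seen if p in required],
        "case_variant": [p for p in seen if p not in required and p.lower() in lowered],
        "extra": [p for p in seen if p.lower() not in lowered],
        "missing": sorted(required - set(seen)),
    }
```

Anything reported under `extra` or `case_variant` is a back-end path published beyond that list and a candidate for removal from the proxy.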
EWS isn’t working for me. Internally, I have no problems accessing ews, but through apache reverse proxy, I get 401 errors.
Thanks for the rest though.
Posted December 22, 2008, 9:35 am
Since a 401 error just means that you are unauthorized, I would guess that there is just something not quite right with your testing. Are you using a BIS account and pointing it to your URL and you see in your log the 401 or are you just hitting it with a web browser?
If you are testing it through BIS, do you have your account information, including AD domain, set up correctly? I don’t have a BlackBerry, so I couldn’t tell you the right way to set it up, but I know some people didn’t get it right the first time. How were you able to test it successfully internally?
Posted December 22, 2008, 10:09 pm