Comments on: Apache ReverseProxy for OWA

By: FNC

FNC — Tue, 13 Sep 2011 07:38:00 +0000

Thank you, you saved me lots of work!!!

By: 公開懺悔日記 » ApachでActive Syncのリバースプロキシ

公開懺悔日記 » ApachでActive Syncのリバースプロキシ — Fri, 01 Jul 2011 20:58:19 +0000

[...] 参考は「Apache ReverseProxy for OWA」今回の仕様は「OWA(Outlook Web App)」と「ActiveSync」を通すこと。 [...]

By: necoro

necoro — Tue, 03 May 2011 17:59:29 +0000

This config has been working great for us, for years. Only recently have we had a need for the EWS functionality – and found that didn’t work by default.

A lot of head-scratching and staring at tcpdump output, I found that if your IIS server is set to use NTLM auth for the EWS site, it will not work through the reverse proxy. The NTML protocol is such that the IIS server will reject the client’s response because its inbound connection (i.e. from your Apache server) doesn’t match up with the client’s information in the NTLM message.

The easy solution is to use Basic auth instead in IIS. Keep the proxy https end to end and you won’t expose plaintext passwords. Done.

By: Kevin Pendleton

Kevin Pendleton — Thu, 26 Aug 2010 16:31:42 +0000

No problem, good luck!

By: Mike

Mike — Thu, 26 Aug 2010 16:22:55 +0000

Awesome. thanks a bunch for this post and your help. I have been struggling with our reverse proxy for a while now, but am close to finishing it up now. This helped a lot!

By: Mike

Mike — Thu, 26 Aug 2010 16:21:39 +0000

oops. the blog dropped some of my text, I meant to say why is it not configured as a Location…

By: Kevin Pendleton

Kevin Pendleton — Thu, 26 Aug 2010 16:03:22 +0000

Sorry, Mike, I should have thought about this when you asked your last question, but I did move all of this to Apache 2.2 over a year ago and /owa is in a Location tag now. We do SSL offloading on the load balancers and have moved all the Blackberry devices to a BES server, so here is the full webmail (OWA) config:


        ServerName      webmail.domain.com

        DocumentRoot /data/sites/webmail
        ErrorLog logs/webmail_error_log
        CustomLog logs/webmail_access_log combined

        SSLProxyEngine on
        RequestHeader set Front-End-Https "On"

        RedirectMatch permanent /$ https://webmail.domain.com/owa/
        RedirectMatch permanent /owa$ https://webmail.domain.com/owa/

        # Need to allow activesync pings for push technology
        # Set to 15 minutes
        ProxyTimeout 900

        # Needed for smartphones
        
        ProxyPass https://internalserveraddress/Microsoft-Server-ActiveSync
        ProxyPassReverse https://internalserveraddress/Microsoft-Server-ActiveSync
        

        # Actual Proxy for OWA (web browser based mail)
        
        ProxyPass https://internalserveraddress/owa
        ProxyPassReverse https://internalserveraddress/owa

By: Mike

Mike — Thu, 26 Aug 2010 15:44:38 +0000

Kevin- one other question. Do you remember why /owa is not configured as a ? Does it make any difference if you set it up as a location, or leave it on it’s own as you have here?

By: Kevin Pendleton

Kevin Pendleton — Thu, 19 Aug 2010 15:04:32 +0000

Mike – I think this was built for Apache 2.0, but should work fine for 2.2 as well.

By: Mike

Mike — Wed, 18 Aug 2010 14:54:57 +0000

@Timothy Oefelein-
Not sure if you are still struggling with your BlackBerry setup, but this is good to know for anyone reading this. You can get BlackBerry Enterprise Server Express for free now. It’s a much better setup, it gives you a lot more control over the devices than using BIS. There are some limitations in the free version but it’s well worth the time to set it up.