I hope one of y'all is out there and can help. I am trying to replace ISA server with squid. I have followed every guide I can find to make this work (Exchange 2007 behind squid). I have tried multiple versions of squid, multiple versions of Linux, multiple versions of squid.conf, etc (I have tried the ones at http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess and http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc ).
I can't get it to work. I can more or less get into OWA (it gives me a funky log in screen that looks different than via the way it worked with ISA) ) but http over RPC just asks for the password over and over and over. If I bypass squid, and sent the 443 straight to the Exchange server, it works fine.
There are so many variables it is frustrating and I want to duplicate a site someone has working. Can anyone help?
Questions:
1. What did you do about the certificates? I have a SAN Certificate and exported it from the exchange server and have put it in the appropriate lines in squid.conf. Some of the guides mention multiple certificates (one being a client and one being a server) but some guides shows all of them being the same one "/root/ssl/www.domain.com.crt key=/root/ssl/www.domain.com.key" - how and where did you get your certificate (I.E. did you export it from IIS in Exchange?)? I only have one certificate.
2. What is the deal on something called "Intermediate Certificates"?
3. On your Outlook clients, under "logon network security" do you have them set for "negotiate authentication", "Kerberos password authentication" or "password authentication (NTLM)"?
4. On your Outlook clients, under "proxy authentication settings" do you have them set for "basic authentication" or "NTLM authentication"?
5. I come from the Windows world and I have not done diddly squat with apache on the squid server. I just let it build the default. Is that OK? Do I need to do anything with apache?
6. I have the main firewall in the building forwarding all the 443 packets to the squid/apache server and nothing else (I.E. the squid/apache server does not face the internet...its gets packets forwarded to it from the firewall). Do you have any other ports hitting your squid server?
My squid is below.do you see anything wrong (it is using squid 3.1 on Fedora 12 and has the "connection-auth=off" added and the "extension_methods RPC_IN_DATA RPC_OUT_DATA" dropped )?
# extensions for Exchange RPC over HTTPS
# I dropped this line for squid 3.1??
# extension_methods RPC_IN_DATA RPC_OUT_DATA
# squid server is 10.0.1.135
# Exchange server is 10.0.1.101
# our external domain is ourexternaldomain.com
# here comes the relay configuration
# here comes the relay configuration
# I added connection-auth=off for squid version 3.1
https_port 10.0.1.135:443 connection-auth=off accel cert=/certifs/temp/cert.pem key=/certifs/temp/server.key defaultsite=ourexternaldomain.com vhost
cache_peer 127.0.0.1 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/certifs/temp/cert.pem sslkey=/certifs/temp/server.key name=webServer
cache_peer 10.0.1.101 parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER sslcert=/certifs/temp/cert.pem sslkey=/certifs/temp/server.key name=exchangeServer
# List of acceptable URLs to send to the Exchange server
acl exch_url url_regex -i ourexternaldomain.com/exchange
acl exch_url url_regex -i ourexternaldomain.com/exchweb
acl exch_url url_regex -i ourexternaldomain.com/public
acl exch_url url_regex -i ourexternaldomain.com/iisadmpwd
acl exch_url url_regex -i ourexternaldomain.com/oma
acl exch_url url_regex -i ourexternaldomain.com/microsoft-server-activesync
acl exch_url url_regex -i ourexternaldomain.com/rpc
acl exch_url url_regex -i ourexternaldomain.com/rpcwithcert
acl exch_url url_regex -i ourexternaldomain.com/exadmin
acl exch_url url_regex -i ourexternaldomain.com/owa
acl exch_url url_regex -i ourexternaldomain.com/autodiscover
acl exch_url url_regex -i ourexternaldomain.com/oab
acl exch_url url_regex -i ourexternaldomain.com/ews
# Send the Exchange URLs to the Exchange server
cache_peer_access exchangeServer allow exch_url
# Send everything else to the webserver
cache_peer_access webServer deny exch_url
# This is to protect ourselves
never_direct allow exch_url
#acl chunked dstdomain owa.ourexternaldomain.com
#header_access Accept-Encoding deny chunked
#acl EXCH dstdomain owa.ourexternaldomain.com
#cache_peer_access exchangeServer allow EXCH
#cache_peer_access webServer deny EXCH
#never_direct allow EXCH
# settings caching and logging optional
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
#cache_log none
#cache_store_log none
#access_log /var/log/squid/access.log squid
acl all src
acl to_local dst 127.0.0.1/32
acl to_wsrv dst 10.0.1.135/32
# Allow everyone through, internal and external connections
http_access allow all
miss_access allow all
http_port 3128
hierarchy_stoplist cgi-bin ?
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl to_localhost dst ::1/128
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#-------------------------------------------------------------------------------end-----------------------------------
Thanks a million!
Arch
Received on Thu Jan 28 2010 - 11:49:13 MST
This archive was generated by hypermail 2.2.0 : Mon Feb 01 2010 - 12:00:05 MST