Squid Reverse Proxy For Outlook Web Access

Official Guide


Configuring Squid as an accelerator/SSL offload for Outlook Web Access
Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.


Squid can be used to provide SSL acceleration (SSL offload) for Outlook Web Access, and it can also speak SSL to the backend Exchange server. Later Squid-2.6 releases support all the methods used by WebDAV by default; upgrade to at least the latest Squid-2.6 STABLE release before attempting this.

The example situation involves a single Outlook Web Access server and a single Squid server. The following information is required:

The IP of the Squid server (ip_of_squid)
The 'public' domain used for Outlook Web Access (owa_domain_name)
The IP of the Outlook Web Access server (ip_of_owa_server)

This configuration MUST appear at the top of squid.conf above any other forward-proxy configuration (http_access etc.). Otherwise the standard proxy access rules block some people from viewing the accelerated site.
Each of the https_port and cache_peer directives below is a single line, however it wraps on screen.

https_port ip_of_squid:443 accel cert=/path/to/certificate.pem defaultsite=owa_domain_name

cache_peer ip_of_owa_server parent 80 0 no-query originserver login=PASS front-end-https=on name=owaServer

acl OWA dstdomain owa_domain_name
cache_peer_access owaServer allow OWA
never_direct allow OWA

# lock down access to only query the OWA server!
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
If the connection to the OWA server requires SSL then the cache_peer line should be changed accordingly:

cache_peer ip_of_owa_server parent 443 0 no-query originserver login=PASS ssl sslcert=/path/to/client-certificate name=owaServer

An apparent bug in Squid-3.1 means that https_port may also need the connection-auth=off option for now.
OWA works but ActiveSync fails
Windows Phone says "Connection error. Try again later." and current status shows "Unable to connect. Retrying."


The device sends an Expect: 100-continue header (an HTTP/1.1 feature) and, when Squid answers with a 417 Expectation Failed response instead, it does not retry the request without the expectation as an HTTP/1.1 client should.

Squid-2.7 and Squid-3.1 offer the ignore_expect_100 directive, which skips the 417 and waits for the client to send the body anyway. Because the proxy then holds the connection open waiting for a body that may never arrive, this has potential DoS side effects; avoid it unless you must.
Squid-3.2 supports the HTTP/1.1 feature these clients depend on (it answers 100 Continue), so the problem does not occur there.
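The three proxy behaviours described above, as an added example that is not part of the Squid wiki page or of Squid itself: an in-memory model of the Expect: 100-continue exchange between an ActiveSync client, the reverse proxy and the Exchange origin. The Sync request, the origin's replies and the client's "no retry on 417" behaviour are constructed for illustration; that Squid strips the Expect header before forwarding under ignore_expect_100 is an assumption of the model, not something the page states.

```python
# Added example: model of the Expect: 100-continue exchange. No sockets; the
# request, the origin and the client behaviour are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

REJECT_417 = "reject-417"             # Squid-2.6/3.0/3.1 default: answer 417
IGNORE_EXPECT = "ignore_expect_100"   # Squid-2.7/3.1 with ignore_expect_100 on
HTTP11_CONTINUE = "http11"            # Squid-3.2: sends "100 Continue"


def parse_request_head(head: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a request head into its request line and a lowercased header map."""
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers


def exchange_origin(head: bytes, body: bytes) -> bytes:
    """Constructed stand-in for Exchange: accepts a complete Sync POST."""
    request_line, headers = parse_request_head(head)
    if not request_line.startswith("POST /Microsoft-Server-ActiveSync"):
        return b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
    if int(headers.get("content-length", "0")) != len(body):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


class SquidProxy:
    """Models only what the proxy does with the Expect header."""

    def __init__(self, mode: str):
        self.mode = mode
        self.head: Optional[bytes] = None
        self.waiting_for_body = 0   # connections held open with no body received
        self._held = False

    def on_request_head(self, head: bytes) -> Optional[bytes]:
        """Return an interim response to the client, or None to stay silent."""
        self.head, self._held = head, False
        _, headers = parse_request_head(head)
        if headers.get("expect", "").lower() != "100-continue":
            return None
        if self.mode == REJECT_417:
            return b"HTTP/1.1 417 Expectation Failed\r\nContent-Length: 0\r\n\r\n"
        if self.mode == HTTP11_CONTINUE:
            return b"HTTP/1.1 100 Continue\r\n\r\n"
        # ignore_expect_100: say nothing and wait for the body. The cost is a
        # connection slot held open for as long as the client cares to wait.
        self.waiting_for_body += 1
        self._held = True
        return None

    def on_body(self, body: bytes) -> bytes:
        """Forward the complete request to the origin (assumed: Expect header removed)."""
        assert self.head is not None
        if self._held:
            self.waiting_for_body -= 1
            self._held = False
        forwarded = self.head.replace(b"Expect: 100-continue\r\n", b"")
        return exchange_origin(forwarded, body)


@dataclass
class ActiveSyncClient:
    """Constructed client; retries_on_417=False is the phone behaviour described above."""
    retries_on_417: bool = False
    body: bytes = b"<constructed WBXML Sync payload>"

    def request_head(self, with_expect: bool) -> bytes:
        lines = [
            b"POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice HTTP/1.1",
            b"Host: owa.examplecompany.net",
            b"Content-Type: application/vnd.ms-sync.wbxml",
            b"Content-Length: " + str(len(self.body)).encode(),
        ]
        if with_expect:
            lines.append(b"Expect: 100-continue")
        return b"\r\n".join(lines) + b"\r\n\r\n"

    def sync(self, proxy: SquidProxy) -> str:
        """Run one Sync; return the final status line, or the phone's error text."""
        interim = proxy.on_request_head(self.request_head(with_expect=True))
        if interim is None or interim.startswith(b"HTTP/1.1 100"):
            # "100 Continue" received, or silence for the wait period: send the body.
            return proxy.on_body(self.body).split(b"\r\n")[0].decode()
        if not self.retries_on_417:
            return "Connection error. Try again later."
        # A correct HTTP/1.1 client resends the request without the expectation.
        proxy.on_request_head(self.request_head(with_expect=False))
        return proxy.on_body(self.body).split(b"\r\n")[0].decode()


def connections_held_open(mode: str, clients: int) -> int:
    """The DoS side effect: clients that send the head and never the body."""
    proxy = SquidProxy(mode)
    head = ActiveSyncClient().request_head(with_expect=True)
    for _ in range(clients):
        proxy.on_request_head(head)
    return proxy.waiting_for_body
```

Run with `ActiveSyncClient().sync(SquidProxy(mode))` for each of the three modes: only REJECT_417 produces the "Connection error" result, and only IGNORE_EXPECT leaves connections parked in `connections_held_open`, which is the trade-off the text warns about.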
See also
http://support.microsoft.com/?scid=kb%3Ben-us%3B327800&x=17&y=16 - "How to configure SSL Offloading for Outlook Web Access in Exchange 2000 Server and in Exchange Server 2003"
Thanks to Tuukka Laurikainen for providing the background information for this article.

Squid Reverse Proxy for OWA and RPC over HTTPS

Thursday, September 13, 2012 09:43

This method was tested on Debian 5.0 Lenny in SBS 2003 and Server 2003 environments.

Why use Squid?

It is free in most ways (GPL); Microsoft ISA Server is not
Apache cannot do RPC reverse proxying (yet?)
The Basics

Install Lenny from the net-install disc with internet access available; when it prompts for the type of installation, only the base system is needed. You can add the "Desktop Environment", but I haven't tested adding any other tasks at base install. Installing the Desktop is not recommended, as it adds overhead (if you let it start on boot).

Make sure that you set up the apt repositories to use the http and ftp resources before you try apt-get. (Uncomment the lines in “/etc/apt/sources.list”)

OWA and/or RPC should be tested and working before you try the proxy.

The certificate on the external interface of your proxy machine needs to be signed by a recognized CA or RPC will not work properly (and you should do this anyway). The certificate between the Exchange server and the proxy does not need to be signed by a recognized CA for it to work; the proxy should still be told to trust that specific certificate rather than having verification switched off. I used an inexpensive cert from GoDaddy (~$30) for the working example.

This method uses TWO certificates: RPC client or browser -> SSL -> proxy -> SSL -> Exchange.

Update apt, install OpenSSL

As root, update the local apt database.

#apt-get update

Now, install OpenSSL and essential ssl development libraries.

#aptitude install build-essential openssl libssl-dev

You shouldn’t have to do this, but you can also make sure g++ is installed (this is a compiler).

#apt-get install g++

Installing Squid

Go to http://squid-cache.org and download the 3.0 Stable version in tar.gz format.

Move the file to a directory that you can remember the path to, in this document, I’m going to download to the /home/exampleuser/ directory because I have access to that directory without being root.

I will assume that you can download and move the file without instruction.

NOTE: Squid is in the apt repository, but the packaged build has SSL support disabled; this is why we are compiling from source. It also means apt will not update Squid for you: you are responsible for tracking Squid security releases and rebuilding.

Once the file is downloaded, open a console and login as root, change directory to where we downloaded Squid and unpack the tar.

#cd /home/exampleuser/
#tar xvfz squid-3.0.STABLE16.tar.gz

NOTE: “squid-3.0.STABLE16” is the name of the current Squid 3 stable release, yours may be a different number, so make sure to use the file name of your file, don’t assume it is still 16.

Now, lets get to the compiling, first we will change directories “cd”, then we will configure, compile, and install Squid.

#cd /home/exampleuser/squid-3.0.STABLE16
#./configure --enable-ssl --with-openssl
#make
#make install

(The configure options take two leading hyphens. --with-openssl needs no path when libssl-dev is installed in the system directories, as above.)

After the Install, you will need to create the squid cache.

#/usr/local/squid/sbin/squid -z

Squid Configuration

Replace the text in squid.conf with the below template. (Use whatever editor you want, nano is just easiest for newbies).

#nano /usr/local/squid/etc/squid.conf

Squid.conf template. The hostname, the Exchange server address and the certificate paths are specific to your environment and need to be assigned; the example names from the Certificate Notes below are used here. Each directive is a single line, however long it is:

visible_hostname owa.examplecompany.net
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Squid 3.0 does not predefine the "all" ACL; it must exist before the rules below use it.
acl all src all

https_port 443 accel cert=/usr/local/squid/certs/owa.examplecompany.net.crt key=/usr/local/squid/certs/owa.examplecompany.net.key defaultsite=owa.examplecompany.net

cache_peer ip.address.of.exchange parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/usr/local/squid/certs/exchange.crt sslkey=/usr/local/squid/certs/nopassexchange.key name=owaServer

acl OWA dstdomain owa.examplecompany.net

cache_peer_access owaServer allow OWA

never_direct allow OWA

http_access allow OWA

http_access deny all

miss_access allow OWA

miss_access deny all

Two notes on the cache_peer line. sslflags=DONT_VERIFY_PEER makes Squid accept whatever certificate the Exchange server presents, so the proxy-to-Exchange leg is encrypted but not authenticated; once exchange.crt has been exported (see Certificate Notes), replace the flag with sslcafile=/usr/local/squid/certs/exchange.crt, and add ssldomain= set to the name in the Exchange certificate, because the peer is given by IP address and Squid checks the certificate name against the peer host. sslcert=/sslkey= are a client certificate that Squid presents to Exchange; IIS does not ask for one unless it has been configured to require client certificates, so they can be left out, which also keeps a copy of the Exchange private key off the proxy.
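A static check for the access-control and TLS settings in both the wiki configuration earlier on this page and the template above, as an added example that is not part of the blog post or of Squid: it parses a squid.conf and reports the mistakes that turn an OWA accelerator into an open proxy or leave the Exchange leg unverified. The three embedded configurations are constructed for illustration (the template as written, the same with the Exchange certificate pinned, and one with a forward-proxy allow rule left in); 192.0.2.10 and exchange.examplecompany.local are placeholders.

```python
# Added example: audit of a reverse-proxy squid.conf. Not Squid's own code;
# the configurations at the bottom are constructed inputs.
from typing import Dict, List, Tuple

Directive = Tuple[str, List[str]]


def parse_squid_conf(text: str) -> List[Directive]:
    """One (directive, args) tuple per line; comments and blank lines are dropped."""
    out: List[Directive] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            out.append((name, args))
    return out


def audit_reverse_proxy(text: str) -> List[str]:
    """Return findings for a reverse-proxy squid.conf; empty means every check passed."""
    conf = parse_squid_conf(text)
    findings: List[str] = []

    def lines(directive: str) -> List[List[str]]:
        return [args for name, args in conf if name == directive]

    # 1. The listener must be an accelerator with a certificate.
    if not lines("https_port"):
        findings.append("no https_port: OWA would be served in the clear")
    for args in lines("https_port"):
        if "accel" not in args and not any(a.startswith("defaultsite=") for a in args):
            findings.append("https_port is not in accelerator mode (add accel)")
        if not any(a.startswith("cert=") for a in args):
            findings.append("https_port has no cert=")

    # 2. Peers must be origin servers, and an SSL peer must verify Exchange's certificate.
    acls: Dict[str, str] = {a[0]: a[1] for a in lines("acl") if len(a) > 1}  # name -> type
    peers: List[str] = []
    for args in lines("cache_peer"):
        name = next((a[len("name="):] for a in args if a.startswith("name=")), args[0])
        peers.append(name)
        if "originserver" not in args:
            findings.append(f"cache_peer {name} lacks originserver")
        if "ssl" in args:
            flags = next((a[len("sslflags="):] for a in args if a.startswith("sslflags=")), "")
            if "DONT_VERIFY_PEER" in flags.split(","):
                findings.append(f"cache_peer {name}: sslflags=DONT_VERIFY_PEER, the Exchange "
                                "certificate is not verified (use sslcafile= instead)")
            elif not any(a.startswith(("sslcafile=", "sslcapath=")) for a in args):
                findings.append(f"cache_peer {name}: verification uses the system CA store; "
                                "a self-signed Exchange certificate needs sslcafile=")

    # 3. Each peer is reachable only through an allow rule on a named ACL.
    for name in peers:
        rules = [a for a in lines("cache_peer_access") if a[:1] == [name]]
        if not any(r[1:2] == ["allow"] and r[2:3] not in ([], ["all"]) for r in rules):
            findings.append(f"cache_peer_access does not restrict which requests reach {name}")

    # 4. Access lists: allow only by destination domain, and end with deny all.
    for directive in ("http_access", "miss_access"):
        rules = lines(directive)
        if not rules:
            findings.append(f"no {directive} rules")
            continue
        if rules[-1][:2] != ["deny", "all"]:
            findings.append(f"{directive} does not end with 'deny all'")
        for rule in rules:
            for acl in (rule[1:] if rule[:1] == ["allow"] else []):
                if acls.get(acl.lstrip("!")) != "dstdomain":
                    findings.append(f"{directive} allow {acl}: not a dstdomain ACL, so the "
                                    "rule is not tied to the accelerated site")

    # 5. never_direct keeps allowed requests on the peer instead of a direct fetch.
    if not any(r[:1] == ["allow"] for r in lines("never_direct")):
        findings.append("no 'never_direct allow': Squid may fetch the site directly")
    return findings


# Constructed inputs: the template from the text as written, then with the
# Exchange certificate pinned, then with a forward-proxy rule left above it.
TEMPLATE_AS_WRITTEN = """\
visible_hostname owa.examplecompany.net
extension_methods RPC_IN_DATA RPC_OUT_DATA
acl all src all
https_port 443 accel cert=/usr/local/squid/certs/owa.examplecompany.net.crt key=/usr/local/squid/certs/owa.examplecompany.net.key defaultsite=owa.examplecompany.net
cache_peer 192.0.2.10 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=owaServer
acl OWA dstdomain owa.examplecompany.net
cache_peer_access owaServer allow OWA
never_direct allow OWA
http_access allow OWA
http_access deny all
miss_access allow OWA
miss_access deny all
"""
TEMPLATE_VERIFYING_PEER = TEMPLATE_AS_WRITTEN.replace(
    "sslflags=DONT_VERIFY_PEER",
    "sslcafile=/usr/local/squid/certs/exchange.crt ssldomain=exchange.examplecompany.local")
TEMPLATE_LEFT_OPEN = TEMPLATE_AS_WRITTEN.replace(
    "http_access allow OWA\n",
    "acl localnet src 10.0.0.0/8\nhttp_access allow localnet\nhttp_access allow OWA\n")

if __name__ == "__main__":
    for label, conf in (("as written", TEMPLATE_AS_WRITTEN),
                        ("verifying peer", TEMPLATE_VERIFYING_PEER),
                        ("left open", TEMPLATE_LEFT_OPEN)):
        print(label, "->", audit_reverse_proxy(conf) or "OK")
```

The check for allow rules keyed on anything but a dstdomain ACL is the important one for a reverse proxy: a leftover `http_access allow localnet` means any host on that network can use the accelerator as a forward proxy, which is exactly why the wiki text insists these lines go above the rest of squid.conf.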

Certificate Notes

Getting the certificates organized and prepared is sometimes the most daunting part of the setup.

For the internet-facing certificate, you will need to get a certificate from a certificate authority. I used GoDaddy. If they ask what type of server you want it for, choose "Apache". Make sure the Common Name is the same as the external web address used to reach the OWA server, in our case "owa.examplecompany.net".

After you order it from GoDaddy and initiate the process per their directions, you will get to a point where it asks you to paste your certificate request.

Generate the request on the proxy server.

#mkdir /usr/local/squid/certs/
#cd /usr/local/squid/certs/
#openssl genrsa -des3 -out owa.examplecompany.net.key 2048
#openssl req -new -key owa.examplecompany.net.key -out owa.examplecompany.net.csr

Use a 2048-bit key: public CAs no longer sign requests for 1024-bit keys. The -des3 option puts a passphrase on the key, which is fine while the request is pending, but Squid cannot type it at startup; before pointing key= at the file, remove the passphrase with the same openssl rsa step used for the Exchange key below, and restrict the resulting file to the account Squid reads it with (mode 0600).

Copy the contents of owa.examplecompany.net.csr to the request form.

Once you get the certificate files from the CA, you will most likely get a bundle or intermediate cert and the public cert.

You will need to append gd_bundle.crt to owa.examplecompany.net.crt so that the file holds your own certificate first and the intermediate chain after it; the order matters, because Squid uses the first certificate in the file as the server certificate. Back up owa.examplecompany.net.crt first, then append the bundle.

#cp /usr/local/squid/certs/owa.examplecompany.net.crt /usr/local/squid/certs/owa.examplecompany.net.crt.backup
#cat /usr/local/squid/certs/gd_bundle.crt >> /usr/local/squid/certs/owa.examplecompany.net.crt

For the Exchange server communication, you can use a self-signed certificate.

If you generate a self-signed certificate on your Exchange server, you can export it as a PFX and use openssl on your proxy to convert it into the usable format. First, move the PFX file to the proxy (this example assumes it is in /usr/local/squid/certs/).

#cd /usr/local/squid/certs/
#openssl pkcs12 -in exchangecert.pfx -nocerts -out exchange.key
#openssl rsa -in exchange.key -out nopassexchange.key
#openssl pkcs12 -in exchangecert.pfx -nokeys -out exchange.crt

The first pkcs12 command asks for the PFX import password and then for a PEM passphrase to put on exchange.key; the rsa command removes that passphrase again so the key can be read without prompting. Now you have exchange.crt and nopassexchange.key; move them to the paths given in squid.conf. Note that exchange.crt on its own is enough for the proxy to verify the Exchange server (cache_peer sslcafile=); only copy the private key across if you actually configure sslcert=/sslkey=, since a copy of the Exchange private key on the proxy is one more place it can be taken from.
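A pre-flight check of the certificate and key files before they go into https_port cert=/key= or cache_peer sslcert=/sslkey=, covering the chain-order, passphrase and key-match pitfalls of the steps above. This is an added example, not part of the blog post or of Squid; it uses only the Python standard library, and ssl.SSLContext.load_cert_chain() is the same OpenSSL operation Squid performs when it starts, so it fails for the same reasons Squid would. The file names are hypothetical.

```python
# Added example: checks on PEM material destined for squid.conf. File names
# are hypothetical; nothing here is Squid's own code.
import re
import ssl
from typing import Callable, List, Optional, Tuple

_PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(path: str) -> List[Tuple[str, str]]:
    """(label, body) for every PEM object in the file, in file order."""
    with open(path, "r", encoding="ascii", errors="replace") as f:
        return [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(f.read())]


def key_is_encrypted(keyfile: str) -> bool:
    """True for PKCS#8 'ENCRYPTED PRIVATE KEY' and legacy 'Proc-Type: 4,ENCRYPTED' keys."""
    return any("ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
               for label, body in pem_blocks(keyfile))


def chain_loads(certfile: str, keyfile: str, password: Optional[str] = None) -> bool:
    """Load the pair exactly as a TLS server would, without ever prompting a terminal.

    OpenSSL takes the FIRST certificate in certfile as the server certificate and
    checks that keyfile matches it, so a bundle appended in the wrong order, a
    mismatched key, or a passphrase-protected key all fail here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # An empty answer to the passphrase callback makes OpenSSL fail instead of
    # prompting on the controlling terminal (which is what Squid would hit).
    supplied: Callable[[], bytes] = (lambda: password.encode()) if password else (lambda: b"")
    try:
        ctx.load_cert_chain(certfile, keyfile, password=supplied)
        return True
    except ssl.SSLError:
        return False


def audit_tls_material(certfile: str, keyfile: str) -> List[str]:
    """Findings for one cert/key pair; an empty list means it is ready for squid.conf."""
    findings: List[str] = []
    certs = [b for b in pem_blocks(certfile) if b[0] == "CERTIFICATE"]
    if not certs:
        return [f"{certfile}: no CERTIFICATE block"]
    if len(certs) < 2:
        findings.append(f"{certfile}: only one certificate; if the CA issued an "
                        "intermediate bundle (gd_bundle.crt) it has not been appended")
    if key_is_encrypted(keyfile):
        findings.append(f"{keyfile}: passphrase-protected; Squid cannot prompt at "
                        "startup, strip it with openssl rsa first")
    elif not chain_loads(certfile, keyfile):
        findings.append(f"{certfile}/{keyfile}: key does not match the FIRST certificate "
                        "in the file (leaf must precede the bundle) or the pair is wrong")
    return findings


if __name__ == "__main__":
    import sys
    problems = audit_tls_material(sys.argv[1], sys.argv[2])
    print("\n".join(problems) if problems else "OK")
```

Run it as `python3 check_certs.py owa.examplecompany.net.crt owa.examplecompany.net.key` (and again for exchange.crt with nopassexchange.key) before restarting Squid; a clean result means the https_port line will load without prompting for a passphrase and will present the chain in the order browsers expect.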

Final Notes:

You have to forward the 443 traffic from your router to the proxy for this to work, and you have to make sure that 443 traffic is being allowed to your proxy. This involves iptables, which I will not get into.

I tested in the live environment before changing the forwarding on my router by changing my local hosts file to forward owa.examplecompany.net to the local address of the proxy. This worked fine for OWA testing.

Also, you should either set the ip address on the proxy or create a reservation for its MAC on your DHCP server.

References/Bibliography/Special Thanks:

The Squid Cache Project - http://www.squid-cache.org

The Debian Project - http://www.debian.org

Owen Campbell - http://www.tanti.org.uk/index.php/blogs/owencampbell/3-tech/3-proxy

Squid Cache Wiki - http://wiki.squid-cache.org/ConfigExamples/Reverse/OutlookWebAccess

Laurent Brichet - http://www.brichet.be/how-to-setup-a-reverse-proxy-server-over-ssl-squid-debian