Configuring Debian+Apache as an OWA Reverse Proxy in DMZ

If we have an Exchange installation and we want to publish OWA to the Internet, we should never open the ports directly to our Exchange server; for this we use proxies located in the DMZ that present our OWA on its behalf. In this case we are going to set up a reverse proxy with Debian and Apache.

To do this, we start from the assumption that we have a Debian server installed in our DMZ, with port 443 from the WAN forwarded to it, and with port 443 allowed from that server to the Exchange CAS in the LAN.

We update our Debian server
# apt-get update
# apt-get upgrade

We install Apache
# apt-get install apache2 apache2-mpm-prefork

We enable the required modules
# a2enmod proxy
# a2enmod proxy_http
# a2enmod headers
# a2enmod rewrite
# a2enmod ssl

We restart Apache
# /etc/init.d/apache2 restart

We create the directories for the certificates
# mkdir /etc/apache2/ssl.crt
# mkdir /etc/apache2/ssl.key

We export the certificate from our Exchange server to a .pfx file: right-click on the certificate and choose Export Certificate.


We give it a path and a name, set a password on it, and copy it to our Linux server, with WinSCP for example.

We convert our .pfx to plain text (PEM, with the private key unencrypted)
# openssl pkcs12 -in mail.pfx -out correo.txt -nodes

We edit the correo.txt file and we will see the RSA PRIVATE KEY and CERTIFICATE blocks.
We store them separately in two files: correo.crt and correo.key.

We move the certificate to its directory
# mv correo.crt /etc/apache2/ssl.crt

We move the RSA key to its directory
# mv correo.key /etc/apache2/ssl.key
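The manual cut-and-paste of correo.txt above is error-prone, so here is an added script (not part of the original post) that does the same split with openssl directly and then checks that the certificate and key actually belong together before they are moved under /etc/apache2/ssl.crt and ssl.key. File names follow the post (mail.pfx, correo.crt, correo.key); the PFX_PASS environment variable and the self-signed sample PFX it builds when run stand-alone are assumptions for the example, standing in for the real Exchange export.

```shell
#!/bin/sh
# Added example, not from the original post: split the PFX exported from
# Exchange into the certificate and key files Apache expects, and confirm
# the pair matches before installing it. File names follow the post; the
# PFX password comes from PFX_PASS (assumed here, with a test default).
set -eu

# Write the leaf certificate (no key, no CA chain) and the unencrypted key,
# so Apache starts without a passphrase prompt, as with the post's -nodes.
split_pfx() {
    pfx=$1; pass=$2
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out correo.crt
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out correo.key
    chmod 600 correo.key   # the key must never be world-readable
}

# Return 0 when certificate $1 and key $2 carry the same public key; a
# mismatch is what produces "certificate does not match private key" when
# Apache starts.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Constructed stand-in for the Exchange export: a throw-away self-signed
# certificate packed into mail.pfx with password $1.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout sample.key -out sample.crt \
        -subj "/CN=correo.tundra-it.com" -days 1 2>/dev/null
    openssl pkcs12 -export -inkey sample.key -in sample.crt -out mail.pfx \
        -passout "pass:$1"
}

main() {
    pass=${PFX_PASS:-changeit}
    make_sample_pfx "$pass"
    split_pfx mail.pfx "$pass"
    if pair_matches correo.crt correo.key; then
        echo "correo.crt and correo.key match; safe to move into /etc/apache2/ssl.*"
    else
        echo "certificate/key mismatch, do not install" >&2
        exit 1
    fi
}
main
```

With a real export, skip make_sample_pfx and call split_pfx on the .pfx copied over with WinSCP; pair_matches is worth keeping as a pre-flight check whenever the certificate is renewed.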

We create the owa folder; it is only a placeholder DocumentRoot for the configuration and will not actually be used.
# mkdir /var/www/owa

We create and edit the owa site file
# vim /etc/apache2/sites-available/owa

We enter the following configuration to act as a proxy:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerName correo.tundra-it.com
    ServerAdmin in**@co****.cOm
    DocumentRoot /var/www/owa
    DirectoryIndex index.htm index.html

    # Plain HTTP only redirects to the HTTPS site
    RedirectMatch ^/$ https://correo.tundra-it.com/owa
    RedirectMatch ^/owa$ https://correo.tundra-it.com/owa
</VirtualHost>

NameVirtualHost *:443
<VirtualHost *:443>
    ServerName correo.tundra-it.com
    ServerAdmin in**@co****.cOm
    DocumentRoot /var/www/owa
    DirectoryIndex index.htm index.html

    # Set up SSL to work with this host (SSLProxyEngine is needed because
    # the back-end CAS is also reached over HTTPS)
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl.crt/correo.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/correo.key

    # Redirect to '/owa' from '/'
    RedirectMatch ^/$ /owa

    RewriteEngine On

    # Fix a problem when '%' symbols are in the subject line of OWA email
    # (the email subject is used in the web query)
    RewriteMap percentsubject int:escape
    RewriteCond $1 ^/owa/.*%.*$
    RewriteRule (/owa/.*) ${percentsubject:$1} [P]

    # Tell OWA the client connection is HTTPS even though it is proxied
    RequestHeader set Front-End-Https "On"
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyVia On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # Reverse proxy for OWA
    ProxyPass /owa https://correo.tundra-it.com/owa
    ProxyPassReverse /owa https://correo.tundra-it.com/owa

    ProxyPass /exchweb https://correo.tundra-it.com/exchweb
    ProxyPassReverse /exchweb https://correo.tundra-it.com/exchweb

    ProxyPass /public https://correo.tundra-it.com/public
    ProxyPassReverse /public https://correo.tundra-it.com/public

    ProxyPass /iisadmpwd https://correo.tundra-it.com/iisadmpwd
    ProxyPassReverse /iisadmpwd https://correo.tundra-it.com/iisadmpwd

    ProxyPass /oma https://correo.tundra-it.com/oma
    ProxyPassReverse /oma https://correo.tundra-it.com/oma

    ProxyPass /Microsoft-Server-ActiveSync https://correo.tundra-it.com/Microsoft-Server-ActiveSync
    ProxyPassReverse /Microsoft-Server-ActiveSync https://correo.tundra-it.com/Microsoft-Server-ActiveSync

    ErrorLog /var/log/apache2/mailus-ssl-error_log
    CustomLog /var/log/apache2/mailus-ssl-access_log common
</VirtualHost>

We enable the OWA site
# a2ensite owa

So that the DMZ host does not send DNS traffic to the LAN's DNS servers, we put the name of the local site in the hosts file. Because the ProxyPass targets use the same name as the ServerName, this entry is also what makes them resolve to the CAS in the LAN instead of back to the proxy itself.
# echo 192.168.169.231 correo.tundra-it.com >> /etc/hosts
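The echo above appends a new line on every run, and a stale entry for the same name would sit above it; here is an added script (not from the original post) that replaces the mapping in place and refuses addresses outside the RFC 1918 ranges, so the proxy can only ever be pointed at a LAN host. It takes the hosts file as an argument so it can be tried on a copy first; the 203.0.113.10 stale entry in the constructed sample is a TEST-NET address invented for the example, while 192.168.169.231 and the hostname are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: maintain the hosts entry that
# makes the ProxyPass target (correo.tundra-it.com) resolve to the LAN CAS.
# Works on a hosts file given as an argument, so it can be tested on a copy
# before touching /etc/hosts.
set -eu

# Return 0 if the address is in one of the RFC 1918 private IPv4 ranges.
is_private_ipv4() {
    case $1 in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Add or replace the mapping for NAME in FILE, so repeated runs do not pile
# up duplicate lines the way "echo ... >> /etc/hosts" does.
set_hosts_entry() {
    file=$1; ip=$2; name=$3
    is_private_ipv4 "$ip" || { echo "refusing non-LAN address $ip for $name" >&2; return 1; }
    tmp=$(mktemp)
    # Keep every line except those whose name fields contain NAME exactly.
    awk -v n="$name" '{ keep=1; for (i=2;i<=NF;i++) if ($i==n) keep=0 } keep' "$file" > "$tmp"
    printf '%s %s\n' "$ip" "$name" >> "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the address that FILE maps NAME to (nothing if absent).
lookup_hosts() {
    awk -v n="$1" '$1 !~ /^#/ { for (i=2;i<=NF;i++) if ($i==n) { print $1; exit } }' "$2"
}

# Constructed sample hosts file with a stale public-side entry for the name.
sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1 localhost
# stale entry pointing the name at the public side of the firewall
203.0.113.10 correo.tundra-it.com
EOF
}

main() {
    f=$(mktemp)
    sample_hosts "$f"
    set_hosts_entry "$f" 192.168.169.231 correo.tundra-it.com
    echo "correo.tundra-it.com -> $(lookup_hosts correo.tundra-it.com "$f")"
    rm -f "$f"
}
main
```

On the real proxy, call set_hosts_entry /etc/hosts 192.168.169.231 correo.tundra-it.com as root; lookup_hosts then shows exactly which address Apache's ProxyPass lines will connect to.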

We restart Apache
# /etc/init.d/apache2 restart

We access it from the outside


Author

nheobug@bujarra.com
Author of the blog Bujarra.com. Whatever you need, do not hesitate to contact me; I will try to help you whenever I can. Sharing is living ;) . Enjoy the documents!!!