First of all, I want to thank open-xchange for such a nice OXTender, which works so easily and well. When I compare it with the syncml OXTender, it's the difference between night and day. But now I come to my question: Is it possible to set up a reliable reverse proxy for the Business Mobility OXTender? I was testing it with mod_proxy and squid for a couple of days. Here are my experiences:
mod_proxy:
> Sync works, but after a couple of heartbeat PINGs the connection gets interrupted (the mobile device won't send pings anymore) and I see this error:
[Wed Oct 28 16:13:44 2009] [error] [client xx.xx.xx.xx] (70007)The timeout specified has expired: proxy: error reading status line from remote server ox.server.com
[Wed Oct 28 16:13:44 2009] [error] [client xx.xx.xx.xx] proxy: Error reading from remote server returned by /Microsoft-Server-ActiveSync
> The access to the webinterface works perfectly.
squid:
> Same problem as with mod_proxy, with this error:
1256737142.153 248 xx.xx.xx.xx TCP_MISS/200 375 POST https://ox.server.com/Microsoft-Server-ActiveSync? - FIRST_UP_PARENT/xx.xx.xx.xx application/vnd.ms-sync.wbxml
1256737145.445 1660 xx.xx.xx.xx TCP_MISS/503 686 POST https://ox.server.com/Microsoft-Server-ActiveSync? - FIRST_UP_PARENT/xx.xx.xx.xx text/html
Here the status code changes from 200 (OK) to 503 (Service Unavailable).
> Remote access to the webinterface works very well.
I was searching the web for different solutions to get ActiveSync working properly, but nothing really works reliably. Different solutions had other problems.
Here is my current mod_proxy config:
<VirtualHost xx.xx.xx.xx:443>
DocumentRoot "/srv/ox6/htdocs"
ServerName ox.server.com
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl.key/private.key
ProxyPreserveHost On
ProxyPass / http://oxinternal.server.com/
ProxyPassReverse / http://oxinternal.server.com/
</VirtualHost>
Some sites say to also have this in the config:
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
But this completely disables the heartbeat pings.
My current squid.conf looks like this:
# extensions for Exchange RPC over HTTPS
extension_methods RPC_IN_DATA RPC_OUT_DATA
# here comes the relay configuration, xx.xx.xx.xx matches the ip of the reverse proxy
https_port xx.xx.xx.xx:443 accel cert=/etc/apache2/ssl.crt/cert.pem key=/etc/apache2/ssl.key/private.key defaultsite=ox.server.com vhost
# localhost has Apache running, xx.xx.xx.xx matches the internal ip of the ox-ae server
cache_peer 127.0.0.1 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/apache2/ssl.crt/cert.pem sslkey=/etc/apache2/ssl.key/private.key name=webServer
cache_peer xx.xx.xx.xx parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/apache2/ssl.crt/cert.pem sslkey=/etc/apache2/ssl.key/private.key name=exchangeServer
acl EXCH dstdomain ox.server.com
cache_peer_access exchangeServer allow EXCH
cache_peer_access webServer deny EXCH
never_direct allow EXCH
# settings caching and logging - optional
redirect_rewrites_host_header off
cache_mem 32 MB
maximum_object_size_in_memory 128 KB
cache_log none
cache_store_log none
visible_hostname none
deny_info TCP_RESET all
# ACL - required
acl all src 0.0.0.0/0.0.0.0
acl to_local dst 127.0.0.1/32
acl to_wsrv dst 192.168.1.6/32
http_access allow EXCH
http_access allow to_local
http_access allow to_wsrv
http_access deny all
miss_access allow EXCH
miss_access allow to_local
miss_access allow to_wsrv
miss_access deny all
#logging
access_log /var/log/squid/access.log squid
emulate_httpd_log on
My goal is to leave the OX AE in the internal network for security reasons:
client => reverse proxy => | FIREWALL | => OX AE
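Editor's note on the mod_proxy symptom above: `(70007)The timeout specified has expired ... error reading status line from remote server` is what mod_proxy_http logs when its backend read timeout (ProxyTimeout, which defaults to the global Timeout of 300 s) expires before the backend has sent a status line. An ActiveSync Ping is a deliberate long poll: the server stays silent until a folder changes or the client's HeartbeatInterval (up to 3540 s under MS-ASCMD) elapses, so once the mailbox is quiet the first Ping that outlives the proxy timeout is killed, which matches "after a couple of heartbeat PINGs". The `force-proxy-request-1.0` / `proxy-nokeepalive` environment variables quoted in the post are workarounds for backends that mishandle HTTP/1.1 keep-alive; they do not lengthen the read timeout. The following vhost is an added example written by the editor, not the original poster's configuration or anything shipped by Open-Xchange; it assumes Apache 2.2 with mod_ssl, mod_proxy and mod_proxy_http, the backend name `oxinternal.server.com` from the post, and a 3600 s ceiling that covers the largest heartbeat the protocol allows.

```apache
# Added example (editor's), not the original poster's configuration.
# Assumptions: Apache 2.2, mod_ssl + mod_proxy + mod_proxy_http loaded,
# backend reachable over plain HTTP inside the firewall as
# http://oxinternal.server.com/ (hostname taken from the post).
<VirtualHost xx.xx.xx.xx:443>
    ServerName ox.server.com
    SSLEngine on
    # The posted string (ALL:...:+LOW:+SSLv2:+EXP:+eNULL) leaves export-grade
    # and LOW-strength ciphers enabled on a public 443 listener; restrict to
    # strong ciphers and drop SSLv2 entirely.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2
    SSLProtocol all -SSLv2
    SSLCertificateFile    /etc/apache2/ssl.crt/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/private.key

    # Reverse proxy only: never let the DMZ host act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # ActiveSync Ping long-polls until the HeartbeatInterval elapses. mod_proxy
    # aborts a backend read after the worker timeout (default: ProxyTimeout,
    # which defaults to Timeout = 300 s) and logs
    # "(70007)The timeout specified has expired ... error reading status line",
    # so this path needs a read timeout longer than the longest heartbeat
    # (3540 s maximum per MS-ASCMD). More specific ProxyPass lines come first.
    ProxyPass        /Microsoft-Server-ActiveSync http://oxinternal.server.com/Microsoft-Server-ActiveSync timeout=3600
    ProxyPassReverse /Microsoft-Server-ActiveSync http://oxinternal.server.com/Microsoft-Server-ActiveSync

    # Everything else (the web interface) keeps the ordinary timeout.
    ProxyPass        / http://oxinternal.server.com/ timeout=300
    ProxyPassReverse / http://oxinternal.server.com/
</VirtualHost>
```

Check after reloading: the Apache error log should stay free of 70007 entries for `/Microsoft-Server-ActiveSync` while a device sits idle for longer than the old timeout. The squid setup in the post has the equivalent knob in `read_timeout` (the server-side read timeout, 15 minutes by default), and note that its `sslflags=DONT_VERIFY_PEER` on both cache_peer lines switches off certificate verification of the inner hop, so the proxy will happily talk to anything that answers on the backend address; if the OX AE is meant to stay authenticated behind the firewall, verify the peer instead.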