OX AE / Business Mobility OXTender and reverse proxy

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OX AE / Business Mobility OXTenter and reverse proxy

    First of all, I want to thank Open-Xchange for such a nice OXTender, which works so easily and well. When I compare it with the SyncML OXTender, it's a difference between night and day. But now I come to my question: Is it possible to set up a reliable reverse proxy for the Business Mobility OXTender? I was testing it with mod_proxy and squid for a couple of days. Here are my experiences:

    mod_proxy:

    > Sync works, but after a couple of heartbeat PINGs the connection gets interrupted (the mobile device won't send pings anymore) and I see this error:

    [Wed Oct 28 16:13:44 2009] [error] [client xx.xx.xx.xx] (70007)The timeout specified has expired: proxy: error reading status line from remote server ox.server.com
    [Wed Oct 28 16:13:44 2009] [error] [client xx.xx.xx.xx] proxy: Error reading from remote server returned by /Microsoft-Server-ActiveSync

    > The access to the web interface works perfectly.

    squid:

    > Same problem as with mod_proxy, with this error:

    1256737142.153 248 xx.xx.xx.xx TCP_MISS/200 375 POST https://ox.server.com/Microsoft-Server-ActiveSync? - FIRST_UP_PARENT/xx.xx.xx.xx application/vnd.ms-sync.wbxml
    1256737145.445 1660 xx.xx.xx.xx TCP_MISS/503 686 POST https://ox.server.com/Microsoft-Server-ActiveSync? - FIRST_UP_PARENT/xx.xx.xx.xx text/html

    Here the status code changes from 200 (OK) to 503 (Service Unavailable).

    > Remote access to the web interface works very well.

    I was searching the web for different solutions to get ActiveSync properly working, but nothing really works reliably. Different solutions had other problems.

    Here is my current mod_proxy config:

    <VirtualHost xx.xx.xx.xx:443>
    DocumentRoot "/srv/ox6/htdocs"
    ServerName ox.server.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/private.key
    ProxyPreserveHost On
    ProxyPass / http://oxinternal.server.com/
    ProxyPassReverse / http://oxinternal.server.com/
    </VirtualHost>

    Some sites say to also have this in the config:

    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1

    But this completely disables the heartbeat pings.

    My current squid.conf looks like this:

    # extensions for Exchange RPC over HTTPS
    extension_methods RPC_IN_DATA RPC_OUT_DATA

    # here comes the relay configuration, xx.xx.xx.xx matches the ip of the reverse proxy
    https_port xx.xx.xx.xx:443 accel cert=/etc/apache2/ssl.crt/cert.pem key=/etc/apache2/ssl.key/private.key defaultsite=ox.server.com vhost

    # localhost has Apache running, xx.xx.xx.xx matches the internal ip of the ox-ae server
    cache_peer 127.0.0.1 parent 443 0 no-query no-digest originserver login=PASS ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/apache2/ssl.crt/cert.pem sslkey=/etc/apache2/ssl.key/private.key name=webServer
    cache_peer xx.xx.xx.xx parent 443 0 no-query no-digest originserver login=PASS front-end-https=on ssl sslflags=DONT_VERIFY_PEER sslcert=/etc/apache2/ssl.crt/cert.pem sslkey=/etc/apache2/ssl.key/private.key name=exchangeServer

    acl EXCH dstdomain ox.server.com

    cache_peer_access exchangeServer allow EXCH
    cache_peer_access webServer deny EXCH
    never_direct allow EXCH

    # settings caching and logging - optional
    redirect_rewrites_host_header off
    cache_mem 32 MB
    maximum_object_size_in_memory 128 KB
    cache_log none
    cache_store_log none

    visible_hostname none
    deny_info TCP_RESET all

    # ACL - required
    acl all src 0.0.0.0/0.0.0.0
    acl to_local dst 127.0.0.1/32
    acl to_wsrv dst 192.168.1.6/32

    http_access allow EXCH
    http_access allow to_local
    http_access allow to_wsrv
    http_access deny all
    miss_access allow EXCH
    miss_access allow to_local
    miss_access allow to_wsrv
    miss_access deny all

    #logging
    access_log /var/log/squid/access.log squid
    emulate_httpd_log on


    My goal is to keep the OX AE in the internal network for security reasons:

    client => reverse proxy => | FIREWALL | => OX AE

  • #2
    The heartbeat pings are TCP connections which are held open as long as possible, without sending any data over them. Look for settings for connection timeouts and try to raise or disable them.



    • #3
      Regardless of which option I add to the mod_proxy constellation, I get those timeouts. There has been a posting on the Zimbra forums with nearly the same issues I have: http://www.zimbra.com/forums/zimbra-...-not-work.html

      They suggest to add this:

      SetEnv force-proxy-request-1.0 1
      SetEnv proxy-nokeepalive 1

      But this will completely break the ActiveSync of the mobile device. Also, setting the timeouts to a higher value doesn't solve the problem. My error is always:

      (70007)The timeout specified has expired: proxy: error reading status line from remote server ox.server.tld
      proxy: Error reading from remote server returned by /Microsoft-Server-ActiveSync

      Do you have load balancers or reverse proxies running somewhere, and could you suggest a config pattern!? I still don't want to have my OX AE inside the DMZ. For testing purposes I had the OX AE inside the DMZ, and ActiveSync worked as expected.



      • #4
        Hi,

        of course we have some configuration settings for load balancing via proxy_ajp, but since you need a reverse proxy I guess these will not fit your needs.
        Have you already contacted support or a partner to ask for a solution?

        Greetings



        • #5
          Hello Martin,

          no, I didn't do that yet. We have no partner, because we administer the servers on our own. The mod_proxy thing worked very well with OX5, with the config I once got from the OX Support Team. If you tell me that I should write an email to the support staff, I'll do that. But maybe the config is also interesting for other customers, and we can discuss it here.



          • #6
            Hi,

            my configuration for a loadbalancer based on proxy_ajp looks like this:

            Code:
            <IfModule mod_proxy_ajp.c>
              ProxyRequests On
              ProxyVia On
            
              <Proxy *>
                Order deny,allow
                Allow from all
              </Proxy>
            
              <Proxy balancer://oxcluster>
                BalancerMember ajp://10.20.30.213:8009 smax=0 ttl=60 retry=5 loadfactor=50 route=OX-1
                BalancerMember ajp://10.20.30.215:8009 smax=0 ttl=60 retry=5 loadfactor=50 route=OX-2
              </Proxy>
            
              ProxyPass /ajax balancer://oxcluster/ajax stickysession=JSESSIONID
              ProxyPass /servlet balancer://oxcluster/servlet stickysession=JSESSIONID
              ProxyPass /axis2 balancer://oxcluster/axis2 stickysession=JSESSIONID
              ProxyPass /infostore balancer://oxcluster/infostore stickysession=JSESSIONID
              ProxyPass /publications balancer://oxcluster/publications stickysession=JSESSIONID
              ProxyPass /Microsoft-Server-ActiveSync balancer://oxcluster/Microsoft-Server-ActiveSync stickysession=JSESSIONID
            </IfModule>
            Not sure if this is what you need.

            Greetings



            • #7
              Thanks for your fast reply and your configuration details! I changed my configuration now to:

              ProxyRequests On
              ProxyVia On

              ProxyPass / https://ox.server.tld/ smax=0 ttl=60 retry=5
              ProxyPassReverse / https://ox.server.tld/

              Blame Vodafone, they have UMTS problems atm, so I could not verify this config. But generally, is it possible to have a reverse proxy with mod_proxy to the OX AE, or should I use mod_proxy_ajp instead?



              • #8
                Mr. Braun, thank you a lot! I just figured out how to get it working. All connections from the reverse proxy are now forwarded by AJP to the OX AE. Another mod_proxy rule will handle all other traffic. I'm having this config running for 60 minutes now, and it didn't interrupt yet.

                Thanks again...

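Post #8 reports the working layout (ActiveSync forwarded over AJP, everything else through a plain mod_proxy rule) but does not show the resulting vhost, and the earlier posts show why the first attempt failed: the mod_proxy `Timeout`/`ProxyTimeout` (300 s by default on Apache 2.2) is shorter than an ActiveSync Ping heartbeat, so the proxy reports `(70007)The timeout specified has expired` before the OX AE answers. The block below is an added example written for this thread, not a configuration posted by anyone in it or shipped by Open-Xchange. The AJP address `10.20.30.213:8009` is taken from post #6, the hostnames and the 1800 s value are assumptions chosen for illustration, and the cipher suite replaces the one in the first post, which still allows SSLv2, export, LOW and `eNULL` (no encryption) ciphers. It also uses `ProxyRequests Off`: `ProxyRequests On` (posts #6 and #7) enables forward proxying, which a reverse proxy does not need and which, combined with `Allow from all`, can turn the host into an open proxy.

```apache
# Added example (not from the thread): one Apache 2.2 vhost applying the pattern from
# post #8. /Microsoft-Server-ActiveSync goes over AJP to the internal OX AE, everything
# else over plain mod_proxy, with the proxy timeouts raised above the ActiveSync
# heartbeat interval. Hostnames, IPs and the 1800 s value are assumptions.
<VirtualHost xx.xx.xx.xx:443>
    ServerName ox.server.com
    DocumentRoot "/srv/ox6/htdocs"

    SSLEngine on
    # Tighter than the suite in the first post: no SSLv2, no NULL/export/LOW ciphers.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW
    SSLCertificateFile /etc/apache2/ssl.crt/cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl.key/private.key

    # Reverse proxy only: never act as a forward proxy for arbitrary hosts.
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    # An ActiveSync Ping keeps the request open for the heartbeat interval (many
    # minutes) before the backend replies, so the read timeout towards the backend
    # must exceed it. The default (Timeout, 300 s on 2.2) is what produces
    # "(70007)The timeout specified has expired".
    ProxyTimeout 1800

    # ActiveSync straight to the OX AE's AJP connector (port 8009 as in post #6),
    # with the same per-worker timeout and the worker options from post #6.
    ProxyPass        /Microsoft-Server-ActiveSync ajp://10.20.30.213:8009/Microsoft-Server-ActiveSync timeout=1800 smax=0 ttl=60 retry=5
    ProxyPassReverse /Microsoft-Server-ActiveSync ajp://10.20.30.213:8009/Microsoft-Server-ActiveSync

    # Everything else (web interface, /ajax, /servlet, ...) over HTTP to the internal host.
    # More specific ProxyPass entries must precede the catch-all "/".
    ProxyPass        / http://oxinternal.server.com/
    ProxyPassReverse / http://oxinternal.server.com/
</VirtualHost>
```

Order matters: mod_proxy matches `ProxyPass` prefixes in configuration order, so the ActiveSync rule has to come before the `/` catch-all. If ActiveSync still drops after the change, compare the device's Ping heartbeat (visible in the OX AE logs) with `ProxyTimeout` and with any idle timeout on the firewall between the proxy and the OX AE, since a stateful firewall that forgets the idle connection produces the same symptom as a proxy timeout.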