Re: [squid-users] Reverse and SSL cert

From: Jakob Curdes <jc_at_info-systems.de>
Date: Wed, 31 Mar 2010 23:59:31 +0200

> Is the certificate the same as that of exchange?
> (If yes) Will the same certificate be installed on squid and on exchange?
> How to make the .pem certificate for squid?
>
You need to tell us more about your setup. Probably you want to
terminate an SSL connection on the reverse-proxy and forward the request
to an internal server that happens to run SSL. In this case the
certificate that the external client will get is the one configured in
the https_port directive. For the second SSL connection (presumably to
Exchange) you need a second certificate, which is defined in the
cache_peer directive. This cert is just used to identify squid to the
exchange server. Another problem arises: if we are talking about OWA or
RPC via HTTP access to exchange, you need to make sure that the domain
for the requests is the same all the time, i.e. the external client is
requesting owa.domain.com which you are forwarding, say, to
exchange.company.local. You must make sure that these two domains
map to one in DNS, otherwise the requests will fail. Plus the
certificates need to reflect this ... there are commercial certificates
where you can enter two different domain names into one cert. Look for
"Subject Alternative Names (SAN)" certificates. You can use such a cert
on squid and the exchange server.

Remark, not sure if it applies: If using Outlook as RPC via HTTPS client,
you will have trouble with self-signed certs. Outlook does not display a
warning but just rejects the connection unless a self-signed cert has
been accepted into the certificate store of the operating system e.g. by
going through an IE certificate dialogue.

HTH,
Jakob Curdes
Received on Wed Mar 31 2010 - 21:59:54 MDT
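
The message above recommends a certificate whose Subject Alternative Names cover both host names. The following is an added example, not part of the original message: it generates a private key and a certificate signing request listing both names, then checks that each name is an exact SAN entry before the request goes to a CA. The output file names are assumptions; the host names are the placeholders used in the message.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): build a CSR whose Subject
# Alternative Name lists the external and the internal host name.
# File names (squid.key, squid.csr, san.cnf) are assumptions.

# make_san_csr OUTDIR COMMON_NAME [ALT_NAME...]
# Writes OUTDIR/squid.key (private key) and OUTDIR/squid.csr (request for the CA).
make_san_csr() {
    local outdir=$1 cn=$2 san="DNS:$2" name
    shift 2
    for name in "$@"; do san="$san,DNS:$name"; done

    # Minimal request config: no prompting, SAN carried as a requested extension.
    cat > "$outdir/san.cnf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    # The key is written unencrypted (-nodes) so the proxy can load it
    # unattended; umask 077 keeps it readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -config "$outdir/san.cnf" \
          -keyout "$outdir/squid.key" -out "$outdir/squid.csr" 2>/dev/null )
}

# csr_has_name FILE HOSTNAME
# Succeeds only if HOSTNAME appears as an exact DNS entry in the CSR's SAN list
# (a prefix such as owa.domain.co does not match owa.domain.com).
csr_has_name() {
    openssl req -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fxq "DNS:$2"
}

# Usage (directory is an assumption):
#   make_san_csr /etc/squid/certs owa.domain.com exchange.company.local
#   csr_has_name /etc/squid/certs/squid.csr exchange.company.local && echo ok
```

A CA may drop or change requested extensions, so repeat the name check on the issued certificate before installing it.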
