Re: [squid-users] using squid as reverse proxy to connect to exchange 2010 owa

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 08 Jul 2011 16:34:03 +1200

On 08/07/11 01:25, Sidnei Moreira wrote:
> hi,
> i have searched the archive for a case like mine and could not find
> any help, so i would like to post my actual issue.
>
> i have an exchange 2010 server, configured to respond with a
> self-signed certificate to internal computers on our lan.
> i have a public certificate from a trusted CA, which does not include
> my internal domain, and for a couple of reasons i can't add this local
> internal domain to that public certificate.
>
> so whenever an internal outlook client tries to connect internally,
> exchange keeps saying that the certificates are not the same.
> on the external side, i can't connect to the OWA site without popping
> up the 'site is not trusted' message on the browser.
>
> i read about squid reverse proxy feature, which receives connections
> from the outside world using a public trusted certif. and passes them on
> to exchange server.
> i guess this could solve my problem, as i would not need to add the
> public certificate to the exchange server, but only to the squid
> server.

It solves your problem in a similar way that turning certificate
validation OFF will also do. With a great reduction in security.

I think you want to make exchange accept your self-signing CA used to
sign the internal domains. Such that it trusts clients contacting it
with internal certificates.

>
> from the wiki page i copied the following configuration into my
> squid.conf file, and adapted it. I am using squid version 3.0.STABLE1

Please don't. 3.0.STABLE1 has an enormously long list of bugs and
security vulnerabilities. If you must use 3.0 at all, please be sure it
is the final release of that series.

Also be aware that recent releases of MS software are starting to
require HTTP/1.1 features more.

>
> ########################## START OF REVERSE PROXY CONFIG
> SOURCE: http://wiki.squid-cache.org/ConfigExamples/Reverse/ExchangeRpc
> ##########
> extension_methods RPC_IN_DATA RPC_OUT_DATA
> https_port <my-squid-server-internal-ip>:443
> cert=/var/crt/my-public-domain-trusted-certificate.p7s
> defaultsite=my-public-domain.com
> cache_peer <my-exchange-server-internal-ip> parent 443 0 no-query
> originserver login=PASS ssl
> sslcert=/var/crt/my-self-signed-exchange-certificate.pfx
> name=exchangeServer
>
> acl EXCH dstdomain .rpc_domain_name
> cache_peer_access exchangeServer allow EXCH
> cache_peer_access exchangeServer deny all
> never_direct allow EXCH
> http_access allow EXCH
> http_access deny all
> miss_access allow EXCH
> miss_access deny all
> ########################## END OF REVERSE PROXY CONFIG
>
> but, i am getting this error when restarting squid:
>
> 2011/07/07 08:39:18| parseConfigFile: 'squid.conf' line 90
> unrecognized: 'https_port<my-squid-server-internal-ip>:443
> cert=/var/crt/my-public-domain-trusted-certificate.p7s
> defaultsite=my-public-domain.com'
> 2011/07/07 08:39:18| parse_peer: token='ssl'
> FATAL: Bungled squid.conf line 91: cache_peer
> <my-exchange-server-internal-ip> parent 443 0 no-query originserver
> login=PASS ssl sslcert=/var/crt/my-self-signed-exchange-certificate.pfx
> name=exchangeServer
> Squid Cache (Version 3.0.STABLE1): Terminated abnormally.

3.0.STABLE1 is too old to support the 'ssl' parameter.

Squid also does not support the proprietary PFX format. Convert it to
the PEM format instead.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.14
   Beta testers wanted for 3.2.0.9
Received on Fri Jul 08 2011 - 04:34:46 MDT
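The reply points out that Squid reads PEM, not PFX, so the Windows-exported Exchange certificate has to be converted before it can be named in `cert=`/`sslcert=`. The script below is an added example, not from the thread or the Squid project: it builds a throw-away self-signed certificate and packs it into a constructed `.pfx` (standing in for the Exchange export), splits that bundle into a PEM certificate and an unencrypted PEM key with `openssl`, and checks that the two files actually belong together before they are handed to Squid. File names, the `changeit` passphrase and the CN are all constructed for the example; `openssl` must be installed.

```shell
#!/bin/sh
# Added example (not part of the original thread): turn a PKCS#12 (.pfx)
# bundle into the separate PEM certificate and key files Squid expects,
# then verify that certificate and key match. Requires openssl.
set -eu

# Scratch directory for the constructed sample files.
WORK="${WORK:-$(mktemp -d)}"

# Constructed sample: a self-signed certificate packed into a .pfx with the
# passphrase "changeit". It stands in for the certificate exported from Exchange.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=exchange.example.internal" \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/sample.key" -in "$WORK/sample.crt" \
        -passout pass:changeit -out "$WORK/sample.pfx"
}

# pfx_to_pem <bundle.pfx> <passphrase> <out.pem> <out.key>
# Extracts the end-entity certificate and the private key as clean PEM
# (the bag-attribute headers openssl emits are stripped by re-encoding).
# The key is written unencrypted because Squid cannot prompt for a
# passphrase at startup, so it is made readable by its owner only.
pfx_to_pem() {
    pfx="$1"; pass="$2"; out_cert="$3"; out_key="$4"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 -out "$out_cert"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        | openssl pkey -out "$out_key"
    chmod 600 "$out_key"
}

# cert_key_match <cert.pem> <key.pem>
# Compares the public key embedded in the certificate with the public key
# derived from the private key; echoes "match" or "mismatch". A mismatch
# here is exactly the case where Squid would refuse the pair at startup.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Stand-alone run: build the sample, convert it and report the check.
if [ "${1:-}" = "run" ]; then
    make_sample_pfx
    pfx_to_pem "$WORK/sample.pfx" changeit "$WORK/exchange.pem" "$WORK/exchange.key"
    echo "wrote $WORK/exchange.pem and $WORK/exchange.key"
    cert_key_match "$WORK/exchange.pem" "$WORK/exchange.key"
fi
```

Once the pair reports `match`, the `.pem` file is what the `cert=` option on `https_port` (together with a `key=` pointing at the `.key` file, if the key is not appended to the same file) and the `sslcert=` option on `cache_peer` should reference, in place of the `.p7s` and `.pfx` paths from the quoted configuration. The mismatch branch is worth keeping: a bundle exported from the wrong certificate store yields a key that does not pair with the certificate, and this check catches it before Squid does.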
