Reverse Proxy and OWA
Hi,
Setup:
3 CAS servers - Exchange 2010
1 IIS ARR reverse proxy
I followed these two
1 2 write-ups on how to setup Exchange 2010 OWA to use IIS ARR as a reverse proxy. The problem I'm having is
when all three servers are online in the server farm OWA doesn't work properly. You can log in fine, but it appears to not load fully and you can't click on anything (eg Calendar, emails, forward, reply, etc). If I were to take all the servers offline except
for one (doesn't matter which one), OWA functions normally.
Since some users also access OWA internally I have configured IIS on each CAS server to redirect to HTTPS and the OWA virtual directoy. I don't think this is causing the problem, but I thought I should mention it.
I followed the articles exactly. I'm not sure what could be causing the problem.
Thanks
Hi,
According to your description, there may be some problem on the configuration of your IIS ARR.
Thus, let’s troubleshoot ARR using Failed Request Tracing Rules to find the root cause.
For the detail steps, please refer to the following article:
http://www.iis.net/learn/troubleshoot/using-failed-request-tracing/using-failed-request-tracing-rules-to-troubleshoot-application-request-routing-arr
And we can also check if the URL rewrite rules are working as expected:
For more steps, please refer to the partition named Verifying if the above rules are working as expected in the reference below:
http://blogs.technet.com/b/exchange/archive/2013/08/05/part-3-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
Thanks,
Angela
Angela Shi
TechNet Community Support
Similar Messages
-
OHS Webtier 11.1.1.5 reverse proxy to OWA
Hi,
I am trying to create a reverse proxy to OWA (Microsoft Exchange) https but to no avail.
As you can see the code below:
<Location /owa>
ProxyPass https://10.6.145.64/owa
ProxyPassReverse https://10.6.145.64/owa
#Redirect / https://10.6.145.64/
</Location>
Redirect is working but Reverse proxy is not working. Are there any additionals code needed to make it works?
I am actually setting up SSO for OWA but I have no idea how to configure this part. :(
Please help."And what is it about the ip it's pointing to in the opmn log. "216.8.179.25,6700: BIND (Cannot assign requested address)"?
The IP 216.8.179.25 is probably some internal address that is found when it was unable to find the 127.0.0.1 loopback.
Could be this address is found through the virtualization platform (which usually installs some network adapters on the system) - if you are using virtualization, otherwise
you have to check with you network administrators, and see if they can make something the IP you were getting.
"But i am not sure as to why / how this has happenned."
We had the same problems (were using DHCP) - with 11.1.1.2 no problems. With a patch to 11.1.1.5 it broke down - I think it is a bug in OPMN (the 11.1.1.5 version).
But to be sure it is a bug, you better check with Oracle Support, maybe they can shed a light on this. There are no known issues mentioned in the 11.1.1.5 release notes
- http://docs.oracle.com/cd/E21764_01/doc.1111/e14770/partpage3.htm#sthref17 -
Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection
Hi,
I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
I have configured a context root to be forwarded to weblogic:
Web Server: www.server.com
URI: /path
Reverse Proxy URL: wlserver:9000
When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
Would appreciate it very much if someone can help me troubleshoot this issue.
Thanks in advance!
Edited by: agent_orange on Jul 29, 2010 2:30 AM
Edited by: agent_orange on Jul 29, 2010 2:31 AMI am not sure, how you have configured your reverse proxy since you didn't attach / refer your current configuration file. this is how I would do it..
- create a new configuration (using web server 7 admin gui , within configuration wizard, disable java option if you plan to use web server 7 only for reverse proxy)
- select this new configuration and go to reverse proxy and try to reverse proxy / to the origin server.
that is all it should need.
your obj.conf or <hostname>-obj.conf depending on your configuration should look like following snippet
<Object name="default">
AuthTrans..
NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
</object>
<Object name="reverse-proxy-/">
Route fn=....
Service ..
</Object>
this is all you should need..
However, if you wanted to add complexity to your configuration, you could do some thing like
<Object name="default">
Auth..
<If defined $security>
NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
</If>
</Object>
<Object name="reverse-proxy-/">
Route...
</Object> -
Reverse Proxy and Load Balancer for SMP 2.3 and Agentry Application
Hi Expert,
I'm putting in place a mobile solution composed by SMP 2.3 SPS 4 and SAP ECC 6.0. In the SMP 2.3 I created the agentry server and I have deployed my agentry application.
My SMP/Agentry infrastructure is composed by two servers therefore I need a load balancer for balance the load into the several servers. Furthermore I need to use a reverse proxy in my DMZ zone.
Based on what indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information" the Apache Reverse Proxy is not supported for Agentry clients. Agentry uses nginx for Reverse Proxy.
I also found the following document How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x that explain how to set-up a reverse proxy and load balancer with nginx and apache.
Both the SAP note and the HOW to document are refereed to SMP 3.0 and not to SMP 2.3.
I would know if the NGINX must be used also for SMP 2.3.
Any suggestion/information is appreciated.
Thanks in advance
g.Please see Agentry Network Landscapes
-
Apache reverse proxy and SSL termination
Hi Guru's
Can anyone tell me, how to do SSL termination at apache reverse proxy. I am using apache reverse proxy for accesing portal from internet. Apache is configured for SSL and portal is NON SSL.
I am using header variable login module in portal. i wanted to terminate SSL at apache reverse proxy and then all traffic after that should be clear text.
should i maitain any property. is there any documentation for it.
Please help me
TomThe majority of the work here is around configuring your Web Dispatcher and Apache Reverse proxy. The work on the portal is straight forward enabling of SSL.
You can follow http://help.sap.com/saphelp_nw2004s/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm for setting this up.
what level I need to configure SSL and how do I proceed in both scenarios?
Your question itself says where you need SSL. SSL is required where ever you need HTTPS communication.
how do I proceed in both scenarios?
From a portal perspective, the configuration should remain the same.
Do I have to install SSL at portal, web dispatcher or at Apache level?
SSL needs to be configured at all the 3 levels if you are looking at end to end SSL implementation.
See the following for possible SSL implementation options:
http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
https://cw.sdn.sap.com/cw/docs/DOC-115509
Will SSL termination work for scenario 2?
Yes this should work - see http://help.sap.com/saphelp_nw2004s/helpdata/en/36/fd39eacf4cde4a8fe32d7f29b3db16/frameset.htm
However in case of SSL Termination, the request to your portal from the web dispatcher will be sent as HTTP.
I would recommend you to take a step by step (backward approach).
First, enable SSL on your portal and make sure it works - going directly to the server.
Then, you can introduce the Web Dispatcher - and test if every thing works going through the web dispatcher.
Finally - you can test the end to end flow - with your Reverse proxy involved.
- Shanti -
Need in depth knowledge about Certficate request and install for Reverse proxy and CAS role
Hi,
I have few confusions about Exchange 2010/13 certificate request and install. As per my understanding best practise is to assign public CA certificate to Reverse proxy and Local CA certificate to CAS servers but need to know that what should be the format
of certificate request? Do we need to order public certificate just for mail.domain.com and add SAN for other web services URLs and is it required to add CAS array and server names to this certificate ? In what case we will add server names and what will happen
if we don't add in it ? How the outlook clients connecting from internet will be using this certificate? I have very limited knowledge in certificates and it always pisses me off. Please help me with explanations and articles. I tried to google and gone through
many articles but didn't get a fair idea. Thanks in advacnce. :)Hi,
Here are my answers you can refer to:
1. Use the New-ExchangeCertificate cmdlet to generate a new certificate request:
New-Exchangecertificate -domainname mail.domain.com, autodiscover.domain.com -generaterequest:$true -keysize 1024 -path "c:\Certificates\xxxx.req” -privatekeyexportable:$true –subjectname "c=US o=domain.com, CN=server.domain.com"
2. CAS array name doesn’t need to be added in the certificate:
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
3. It depends on the situation that you configured to add the server name.
4. Outlook clients use certificate for authentication.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Web Dispatcher - Reverse Proxy and Load Balancing
I'm finding limited docs on Web Dispatcher with regard to reverse proxy and load balancing. Are you aware of some recent presentations or docs in this area? The info on help.sap.com is not what I'm looking for.
Thanks.Hi,
best thing is that you look at your scenarios and test the web dispatcher against each of it, like:
- SSL
- Portal only
- Web Dynpro ABAP / Java
- BSP
- Different backend systems like SRM, MDM
- Several backends with 1 Web Dispatcher
After getting a list of use cases that you can test quite easily (installation of Web Dispatcher is done fast and can be done on a local PC), you can contact SAP Support and ask them about the specific problems and questions you encountered. This way, you'll get the official answer, sometimes they will even inform you about "secret" parameters and options.
As of the reverse proxy functionality: there are several version of Web Dispatcher available that differ from the functionality offered. The latest version - 7.2 - is the one that offers the most, i.e. allows you to create rewrite rules like Apache.
SAP Note 908097 - SAP Web Dispatcher: Released releases and applying patches
br,
Tobias -
Reverse proxy and iWS 6.1 SP2?
Hey all,
i have 2 questions.
Can i use reverse proxy (and pass proxy) with iWS 6.1 SP2?
How must i configure the webserver to use this?
I need the following thing:
Client called https://server111.de/XXXXTruePassApp/ ---> Proxy get Data from https://server222.de/XXXXTruePassAppProxy/
Under Apache looks like that with mod_proxy:
ProxyPass /eCaSSTruePassApp/ https://server222.de/XXXXTruePassAppProxy/
ProxyPassReverse /eCaSSTruePassApp/ https://server222.de/XXXXTruePassAppProxy/
Thanks for help.
Greets Chmeee-deChmeee-de, I really don't think you should be using Sun ONE Web Server 6.1SP2. That version has known security vulnerabilities. Please consider applying the latest service pack, 6.1SP7.
Have you downloaded the Reverse Proxy Plugin? Have you tried reading the Reverse Proxy Plugin release notes? The release notes for Reverse Proxy Plugin 6.1SP7 are at http://docs.sun.com/app/docs/doc/820-0262/6nc0vpnc2?a=view.
Once you have the plugin installed and have edited the magnus.conf configuration file according to the release notes, you can add the following line immediately below the <Object name="default"> line in the obj.conf configuration file:NameTrans fn="assign-name" from="/XXXXTruePassApp/*" name="XXXXTruePassApp"This line indicates that requests for /XXXXTruePassApp/* should be serviced by an object named XXXXTruePassApp.
You can then create an object named XXXXTruePassApp by adding the following to the bottom of the obj.conf configuration file:<Object name="XXXXTruePassApp">
Service fn="service-passthrough" servers="https://server222.de"
</Object> -
Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests
Hi,
I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
However, the reverse proxy seems to make only a handful of connections to the servers compared to the number incoming client connections and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load balancing based on the first HTTP get in a tcp stream and not on a per transaction basis AND our reverse proxy is multiplexing client requests. However, I can not convince myself of how the arrowpoint-cookie method actually works.
I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?Hi Gilles,
I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
A bit more info, the reverse proxy is an AXG Web Aopplication Firewall. I have been looking at this and am considering disabling connection re-use on here.
However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
Thanks, David. -
Reverse Proxy for OWA ActiveSync ?
Hi there,
I'm looking for some solution to handle OWA publishing with some reverse proxy
function on the firewall. No Web Proxy on DMZ. No TMG and no directly NAT to the inside Exchange.
I have managed to do WebSSL with external portal and SSO on the ASA for Webmail access. ActiveSync (e.g. Ipad) isn't working through that kind of portal.
Any suggestions? Cut-Passthrough? Or who is facing the same issue, with TMG been discontinued? Fortigate and Sophos mentioned to handle reverse proxy.
How about Cisco?
Kind regards,
Norbert
Sent from Cisco Technical Support iPhone AppOnly by NAT/PAT to a reverse proxy (Citrix Netscaler) in the DMZ.
Several installation are done with fortigate.
http://www.boll.ch/fortinet/assets/TMGtoFortinet-Howto.pdf
Norbert -
With Arun Kumar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
Example question topics include:
SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
Basic configuration of IdPs
Interaction between IdPs and Cisco WMS
Difference between the cloud client implementation and Cisco WMS
Meeting access behavior in a split-horizon network topology with SSO
How to enable public access to Cisco WMS
Cisco WMS ELM operations
Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
Remember to use the rating system to let Arun know if you have received an adequate response.
Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.Hello Mobile Service,
CWMS and Jabber integrations:
http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
then move to section: Add Cisco WebEx Meetings Server to a Profile
Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (pleae make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
Attached CWMS - AFDS integration doc.
Please let me know if any furhter question.
Thanks, Arun -
Single Reverse Proxy and multiple Office Web App Servers
Hi all,
I have recently installed a new office web apps server pool in my new location and configured it in my Lync topology as well.
I have a single Reverse Proxy (IIS ARR). Inside my Reverse Proxy I have created a new web farm for my new web apps server. The configuration of old web apps server. I have copied the settings from my old web app's web
farm in IIS including its Inbound rule regular expression.
Now when I try to upload a powerpoint as an external guest hoping to hit my new web apps server, my reverse proxy tries to hit my old office web apps server and no traffic is sent from reverse proxy to new web apps.
my reverse proxy shows the health of the new farm as healthy.
should the inbound rules be different for these farms in reverse proxy?
Any suggestions are welcomed.
Thanks,Hi,
In addition to Luca's comment in order to determine if the farm is actually working correctly in the first instance, did you disable or remove the old server farm?
Can you also confirm that there are no static routes in place on the IIS ARR box?
Kind regards
Ben
Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries. -
IIS Reverse Proxy and Basic Authentication
Hi,
we've currently put a WebAS 6.40 serving a BSP Application in our Appl-DMZ. For the access via Web the IIS Reverse Proxy is used, which works fine as long as you use a service for which a user is provided (in SICF). But if you don't provide a user in the service (in order to debug the BSP Application) you have to authenticate yourself using Basic Authentication (Browser Popup) which does not work (the popup returns and returns ...)
I' ve browsed the forums and it seems that the IIS Reverse Proxy does not support (the forwarding) of Basic Authentication "requests".
So my question, does someone exactly know if the IIS Reverse proxy supports Basic Authentication or not ?
Thanks,
MarkusHello Markus,
1. have you checked out Alon Weinstein's Weblog <a href="/people/sap.user72/blog/2005/02/23/the-reverse-proxy-series--part-2-iis-as-a-reverse-proxy">The Reverse Proxy Series -- Part 2: IIS as a reverse-proxy</a>?
2. Is the IIS a must? Can you give Apache or SAP Web Dispatcher a try. Prakash Singh wrote a Weblog <a href="/people/prakash.singh4/blog/2005/08/16/how-to-setup-webdispatcher-to-load-balance-portal-in-a-clustered-environment">How to setup webdispatcher to load balance portal in a clustered environment</a>.
Regards
Gregor -
Define Reverse Proxy and Deffered Authentication Schema
Hi Experts,
Can some one help me with the Definition for "*Reverse Proxy in OAM*" and "Deffered Authentication Schema (*DAS*) in Directory server". And please quote one example for understanding.......
Thanks in Advance.
Sandy
Edited by: sandyb4u on Oct 11, 2010 1:34 AMHello Markus,
1. have you checked out Alon Weinstein's Weblog <a href="/people/sap.user72/blog/2005/02/23/the-reverse-proxy-series--part-2-iis-as-a-reverse-proxy">The Reverse Proxy Series -- Part 2: IIS as a reverse-proxy</a>?
2. Is the IIS a must? Can you give Apache or SAP Web Dispatcher a try. Prakash Singh wrote a Weblog <a href="/people/prakash.singh4/blog/2005/08/16/how-to-setup-webdispatcher-to-load-balance-portal-in-a-clustered-environment">How to setup webdispatcher to load balance portal in a clustered environment</a>.
Regards
Gregor -
Reverse proxy and logs in Proxy Server 3.6SP2
Hello ALL!
I am using Cache server as a reverse proxy. I setup it for one internal server. It works great.
Now I am trying to use Virtual Multihosting. So I made mappings as required:
host1.domain.com -> int1.domain.com
host2.domain.com -> int2.domain.com
It works.
But server logs requests for all servers into one file. I need to have separate log for each virtual host.
I've made templates like
http://host1.domain.com.*
http://int1.domain.com.*
http://host2.domain.com.*
http://int2.domain.com.*
and setup log for each.
None is working. Only "entire server" logs.
Please help me separate logs.Yes, it is possible. You have two options:
1. Use the same virtual server class for both virtual servers and use the <Client> tag to specify urlhost-specific configuration.
2. Use a separate virtual server class (with a separate obj.conf file) for each virtual server.
With option 1, part of your obj.conf file might look like the following:<Client urlhost="www.server1.com">
NameTrans fn="assign-name" from="/app1(|*)" name="passthrough"
</Client>With option 2, you would configure the Reverse Proxy Plugin in only one of the two obj.conf files.
Maybe you are looking for
-
Azure Scheduler Job Timeouts and Retries?
We have a WEBAPI running outside of Azure and want to schedule one of the methods with Azure. It loads data from SharePoint Online into an SQL database on-Prem. It can take 15 minutes to complete. I'm doing a GET call to the URI, but it reports i
-
IPod Classic will not play newly downloaded songs
Ok, I recently downloaded some new MP3's (from a 3rd party site, mp3fiesta.com) into iTunes. The songs play perfectly on iTunes and they also have no issue playing on my iPhone 16. On the other hand, they refuse to play on my iPod classic 160. I use
-
When I tried to go back through and do it again, it gives me and error that says that my serial number has already been registered to the uptodate program and it wont allow me to continue any further. Is there a place I can go in my computer to find
-
Hello, I am new to SQL, Oracle, and Oracle Text and need to use Oracle Text to index about 2GB of files (located on the filesystem), each of which contain multiple documents. These documents are all in SGML format with the relevant data I need being
-
Ipod touch stopped working on my docks
I got the new update a few days again and today when try to play my music throw the tv and the docks, it does not work. i have reset at and still nothing. so one help me