Setting reverse proxy

Hello Team,
We are running Squirrel webmail on top of the qmail application... We are in the phase of integrating Exchange 2010 with it... The users will be in both qmail and Exchange... The question is how I should set up a reverse proxy on the Cisco ASA firewall to redirect the webmail access from Squirrel webmail to OWA 2010 based upon the location of the user's mailbox in the application...
Most of the users are in qmail as of now, and we plan to migrate only ten users for testing... We got stuck on the webmail proxy and redirection across platforms...
Exchange Queries

I would ask Cisco this question, as you will have to make the changes on the device.
You might want to open a thread in the Cisco forum:
https://supportforums.cisco.com/index.jspa
Gulab Prasad,
MCITP: Exchange Server 2010 | MCITP: Exchange Server 2007
MCITP: Lync Server 2010 | MCITP: Windows Server 2008
Skype: Exchange.Ranger

Similar Messages

  • Setting up of Proxy & Reverse Proxy

    hi,
    I read some PDF files available in SDN for setting up a proxy and reverse proxy. I installed Apache 2.0.54, and as per the Apache documentation I enabled the proxy and it is working fine (forward proxy).
    I used the following doc as a guideline to set up the reverse proxy: https://websmp105.sap-ag.de/~sapidb/012006153200000364562005E/APACHE_J2EE_V14.pdf
    (Page 9 of the doc refers to 2.0.31 & above)
    Instead of /b2b/ I kept /irj/portal
    And Sec. 5 (URL Rewriting) is totally confusing. I wasn't able to find AddModule, so I added the lines 'AddModule mod_proxy.c' and 'AddModule mod_rewrite.c' in httpd.conf. And I don't know where to add 'RewriteEngine On'...
    After making the above changes, my Apache is not starting.
    Please let me know how to configure proxy/reverse proxy. If you have a screen shot please send it to hpriyag @ yahoo (dot) com.
    We are using NW'04 on win2003 server and planning to use Apache. We are ok with IIS too.
    Haripriya

    Praveen,
    I have the following configuration in my httpd.conf
    For Reverse Proxy
    ProxyRequests off
    ProxyPreserveHost On
    <VirtualHost [IP:Port]>
        DocumentRoot [ Webserver doc root, eg "C:/.../htdocs" ]
        ServerName [ Domain Name eg www.domainA.com ]
        ErrorLog logs/[Domain].com-error_log
        CustomLog logs/[Domain].com-access_log common
        RewriteEngine On
              RewriteLog logs/[Host]_unsecured_rewrite.log
              # 9 is verbose; for prod I prefer 1
              RewriteLogLevel 9
              <Directory />
                   Options None
                   AllowOverride None
              </Directory>
              RewriteRule ^/(.*)$ http://[EP Host]:[Port]/$1/ [NC,P]
              ProxyPassReverse /irj http://[EP Host]:[Port]/
    </VirtualHost>
    I used Apache 2.0.54 on Win2K3.
    Let me know if the above config doesn't work.
    Cheers,
    Chandra Ganne.

  • Unable to set session in Oracle Portal useing reverse proxy

    I have deployed a reverse proxy (using Oracle HTTP Server) in front of an Oracle Portal install (version 10.1.2.0.2). The steps followed to set this up came from the following documents:
    Steps mentioned in Section 9.2 Configuring a Reverse Proxy for OracleAS Portal and OracleAS Single Sign-On for a reverse proxy on an Oracle HTTP Server.
    http://download-west.oracle.com/docs/cd/B14099_15/core.1012/b13998/variants.htm#ASTED005
    Also performed steps mentioned in -> Section 5.3.7 - Step 7: Enable Session Binding on OracleAS Web Cache of the Oracle® Application Server Portal Configuration Guide 10g Release 2 (10.1.2) -- B14037-03.
    My current setup details (example names only) are as follows:
    Reverse Proxy for SSO server (running on internal.oracle.com:7777): proxy.oracle.com:7777
    Reverse Proxy for Portal server (running on internal.oracle.com:7778): proxy.oracle.com:7778
    With the above steps completed, I can successfully use the http://proxy.oracle.com:7777/pls/orasso for login into SSO without any issues.
    Users get authenticated successfully.
    I can also use http://proxy.oracle.com:7778/pls/portal for viewing pages on the portal fine. All self-referencing links have also been successfully modified to point to proxy.oracle.com:7778.
    However, an attempt to log in to the portal is not successful. Clicking on the 'Login' link successfully redirects to the SSO login page (http://proxy.oracle.com:7777/<login-page>). However, after successful authentication, the success page fails to show up and the user is shown the initial portal home page again.
    There are no error messages shown on the screen. But it seems that the user session is failing to be initiated/set correctly, as shown by the log file (in $PORTAL_ORACLE_HOME/j2ee/OC4J_Portal/application-deployments/portal/OC4J_Portal_default_island_1/application.log):
    06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] Repository Gateway: LWUser: PUBLIC, Cookie: oracle.uix=0^^GMT+10:00;
    portal=9.0.3+en-au+us+AUSTRALIA+22BC75924EEAD8A2E040007F010019F7+8DAC5E3559C95F5E0090A6F56FFA58192CB0F437CA57A9102A6394F1EB7FAB5DEE3BFA12C65
    91C0C009B6......
    06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] ERROR: Repository Gateway error: Database Error: ORA=20001 ORA-20001:
    Unable to obtain session information from the cookie. Please close your browser and reconnect.
    ORA-06512: at "PORTAL.WPG_SESSION", line 149
    ORA-06512: at line 22
    Any help with this will be appreciated.
    Thanks.

    Hi Chris,
    The beginning of the exception stack gives you the reason:
    06/11/03 09:13:59 java.sql.SQLException: The method 'setSavepoint' cant be called when a global transaction is active
    The reason is that the whole global transaction must be either committed or rolled back.
    I don't know your actual configuration, but between the methods begin() and commit()/rollback() of the UserTransaction instance, OC4J/OracleAS uses a global transaction (= XA transaction) in your configuration. The state of a global transaction is completely under the control of the application server, and several restrictions must be considered. One of them is that you can't use the method setSavepoint. E.g., you also can't call the method setAutoCommit(true) in this state, or change the transaction isolation level via setTransactionIsolation(newLevel).
    This is NOT a limitation of OC4J/OracleAS but is true for ALL application servers.
    P.S. I can successfully set savepoints and rollback to savepoints in weblogic 9.0
    This means that WebLogic 9.0 doesn't use a global transaction in this case.
    Because I don't know your configurations (Oracle and WebLogic), I can't say why they behave differently in this situation.
    Best,
    Manfred

  • After setting the reverse proxy, SSO doesn't work

    Hi,
    We are facing a problem after setting up a reverse proxy. ITS & SSO are working fine for internal users, but the problem is with the external users: ITS is working fine for external users but SSO is not working. Can anyone help us out with this problem? It is kind of urgent.
    Thanks
    Serkan

    Eric,
    Sorry for misunderstanding,
    The domain for internal/external users is the same: https://external.global.rexam.net/irj/portal
            internal.global.rexam.net/irj/portal
    But the ITS goes through:
    bca.rexam.com

  • LiveCycle ES4 Reverse Proxy Set Up

    We have LiveCycle ES4 SP1 configured and running on WebSphere v8.5 & Windows 2008 R2.  We're primarily using the application for end user PDF conversion services at this point.  However, 10% of our users are outside our networks and without a VPN.  What is involved in setting up a reverse proxy service for the PDF conversion functionality?  Is there any documentation available online that I can reference?
    Thanks,
    M.

  • Apache reverse proxy setting for access to Backend

    Hi experts,
    we have set up an Apache reverse proxy to make our NW portal (and SRM functions) available over the internet.
    Our settings look something like this:
    ProxyRequests Off
    <VirtualHost *:80>
         ServerName myportal.portalhost.com
         ProxyPreserveHost On
         ProxyPass /irj/ http://myportal.portalhost.com:53200/irj/
         ProxyPass /webdynpro/ http://myportal.portalhost.com:53200/webdynpro/
         ProxyPassReverse /irj/  http://myportal.portalhost.com:53200/irj/
         ProxyPassReverse /webdynpro/  http://myportal.portalhost.com:53200/webdynpro/
         ErrorLog logs/myportal.portalhost.com-error.log
         CustomLog logs/myportal.portalhost.com-custom.log combined
         RewriteEngine On
         RewriteRule ^/sap/(.*)$ http://mybackend.backendhost.com:8020/sap/$1 [P,NC]
    </VirtualHost>
    Problem:
    when we access the portal from the internal network (either by using the internal URL or external URL) things work fine.
    But when we access the portal from the internet, we are able to log in to the portal and access all Web Dynpro Java related applications. But when we try to access the BSP/WD ABAP application running on a backend SRM system, we get a 'host not found' message with the INTERNAL URL of the SRM backend application displayed.
    Do we need to expose the SRM backend to the outside world via reverse proxy as well? If yes, how? Do we need to change the system definitions in the portal for that?
    Any help in resolving this would be greatly appreciated.
    regards,
    Kiran

    Hi,
    Do we need to expose the SRM backend to the outside world via reverse proxy as well? If yes, how? Do we need to change the system definitions in the portal for that?
    Yes, you have to expose your backend system using the reverse proxy...
    When a user accesses the portal and clicks on BSP/WD, the URL gets redirected to the backend system.
    But, as your backend system is not exposed on the internet, you get a 'host not found' error.
    So, to solve your problem you have to expose your backend system on the internet. It is general practice to expose it on the internet.
    Thanks
    Anil
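
Why the internal SRM URL reaches Internet clients in the thread above, as an added example (not code from either poster): a simplified Python model of mod_proxy's ProxyPassReverse header rewriting, run over constructed sample responses. The `/sap/app/start` path, the `INTERNAL_HOSTS` set and the helper names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# ProxyPassReverse pairs (public path, backend URL prefix) from the posted
# configuration. The /sap/ RewriteRule uses [P] but has no ProxyPassReverse.
REVERSE_MAPPINGS = [
    ("/irj/", "http://myportal.portalhost.com:53200/irj/"),
    ("/webdynpro/", "http://myportal.portalhost.com:53200/webdynpro/"),
]
# Candidate fix: also reverse-map the SRM backend that /sap/ is proxied to.
FIXED_MAPPINGS = REVERSE_MAPPINGS + [
    ("/sap/", "http://mybackend.backendhost.com:8020/sap/"),
]
PUBLIC_BASE = "http://myportal.portalhost.com"   # name Internet clients use
INTERNAL_HOSTS = {"mybackend.backendhost.com"}   # assumption: must stay hidden

# Response headers that ProxyPassReverse adjusts.
REWRITTEN_HEADERS = {"location", "content-location", "uri"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample backend responses as (headers, body); not captured traffic.
SRM_REDIRECT = (
    {"Location": "http://mybackend.backendhost.com:8020/sap/app/start"},
    "",
)
PORTAL_PAGE = (
    {"Content-Type": "text/html"},
    '<a href="http://mybackend.backendhost.com:8020/sap/app/start">SRM</a>',
)


def reverse_map(value, mappings, public_base=PUBLIC_BASE):
    """Rewrite a header value only if it starts with a mapped backend prefix."""
    for public_path, backend_prefix in mappings:
        if value.lower().startswith(backend_prefix.lower()):
            return public_base + public_path + value[len(backend_prefix):]
    return value  # no mapping matched: the backend URL passes through as-is


def client_view(response, mappings):
    """Return (headers, body) as a client behind the proxy receives them."""
    headers, body = response
    seen = {}
    for name, value in headers.items():
        if name.lower() in REWRITTEN_HEADERS:
            value = reverse_map(value, mappings)
        seen[name] = value
    return seen, body  # the response body is forwarded unmodified


def internal_hosts_exposed(response, mappings):
    """List (where, host) for each internal hostname visible to the client."""
    headers, body = client_view(response, mappings)
    findings = []
    for name, value in headers.items():
        for url in URL_RE.findall(value):
            host = urlsplit(url).hostname
            if host in INTERNAL_HOSTS:
                findings.append((f"header:{name}", host))
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host in INTERNAL_HOSTS:
            findings.append(("body", host))
    return findings


if __name__ == "__main__":
    for label, maps in (("as posted", REVERSE_MAPPINGS), ("with /sap/ mapped", FIXED_MAPPINGS)):
        for sample in (SRM_REDIRECT, PORTAL_PAGE):
            print(label, internal_hosts_exposed(sample, maps))
```

With the extra mapping the redirect no longer names the backend, but the link in the page body still does: ProxyPassReverse only touches headers, so body links need a content filter such as mod_proxy_html or public URLs in whatever generates the page.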

  • Problem on Setting up a Reverse Proxy on Web Proxy Server 4.0.1

    After you setup a reverse proxy using Web Proxy Server 4.0.1, if you get the following error --
    Proxy denies fulfilling the request
    Your client is not allowed to access the requested object.
    You probably forgot to add a regular mapping from: / to: http://http.site.com/. The information provided in the 4.0.1 Administration Guide is misleading. You will have to add it NOW manually. (Note: in 3.6 it will be added automatically.)
    You will have to do the following step manually; what is provided in the manual is misleading --
    Sun Java System Web Proxy Server 4.0.1 Administration Guide 2005Q4
    Chapter 14 Using a Reverse Proxy
    "Setting up a Reverse Proxy"
    5. To make the change, click OK.
    Once you click the OK button, the proxy server adds one or more additional
    mappings. To see the mappings, click the link called View/Edit Mappings.
    Additional mappings would be in the following format:
    from: /
    to: http://http.site.com/

    thanks, will verify and update the docs.
    rahul.

  • Need help on Reverse proxy set up

    Hi,
    In our system landscape, we have an ISA 2004 server, SRM, cProject suite 3.10 and LAC.
    Can anyone explain to me the step-by-step procedure to set up a reverse proxy?
    We don't want to expose internal domain names and host names to internet users.
    We are able to access the SRM application from the external network without any problem (the internal domain name is not displayed on the title bar of Internet Explorer) by activating the link translator. In the SRM application, when we click on the collaboration bid link or Live Auction link to access the collaboration application or live auction application, which reside on servers other than the SRM server, these application windows (Internet Explorer) expose the internal hostname and domain name on the title bar of Internet Explorer.
    If someone can help me resolve this problem, it would be a great help for us.
    Thanks and regards
    Seshu

    Hi Seshu,
    this is the HTTP 1.1 specification (http://rfc.net/rfc2616.html).
    In section 5.2, it reads: 5.2 The Resource Identified by a Request
       The exact resource identified by an Internet request is determined by
       examining both the Request-URI and the Host header field.
    which means that if the proxy asks for a different host, it actually asks for a different resource.
    In addition Section 14.23 reads as follows:
    14.23 Host
       The Host request-header field specifies the Internet host and port
       number of the resource being requested, as obtained from the original
       URI given by the user or referring resource (generally an HTTP URL,
       as described in section 3.2.2). The Host field value MUST represent
       the naming authority of the origin server or gateway given by the
       original URL. This allows the origin server or gateway to
       differentiate between internally-ambiguous URLs, such as the root "/"
       URL of a server for multiple host names on a single IP address.
           Host = "Host" ":" host [ ":" port ] ; Section 3.2.2
      Kind regards,
    Patrick

  • How to set 3rd Party Reverse Proxy for smp 3.0 ?

    Hi, I am new to SMP 3.0. Please help me out.

    Hi, I am following the steps in SyBooks Online for reverse proxy settings.
    I added the below proxy settings in Apache2.2\conf\httpd.conf.
    Listen 8080
    <VirtualHost *:8080>
        ServerName proxy-server
        ErrorLog "C:/Apache2.2/logs/error.log"
        TransferLog "C:/Apache2.2/logs/access.log"
        <Location />
            ProxyPass http://172.22.26.199:8080/
            ProxyPassReverse http://172.22.26.199:8080/
        </Location>
    </VirtualHost>
    After adding this proxy setting I am unable to run the Apache server; I am getting an error like "The requested operation has failed". How do I resolve this error?

  • Setting apache reverse proxy for EP6SP2

    Hi friends,
    I want to set apache reverse proxy for EP6SP2. But after doing the following changes, it is showing the SAP J2EE Engine documentation page.
    The following changes have been done to httpd.conf:
    NameVirtualHost 1.1.1.1:80
    <VirtualHost 1.1.1.1:80>
      ProxyRequests Off
      ServerName ep6.xyz.com
      ProxyPreserveHost On
      proxyPass        /  http://ep6.xyz.com:50000/
      proxyPassReverse /  http://ep6.xyz.com:50000/
      ErrorLog logs/base.80.error.log
      CustomLog logs/base.80.custom.log common
    </VirtualHost>
    Help needed.
    Regards,
    Nilz

    Hi,
    I have a problem with my proxy:
    ssl.conf.in like
    ProxyPass /irj http://debmsu06.server.###.de:50300/irj
    ProxyPassReverse /irj http://debmsu06.server.###.de:50300/irj
    RewriteRule ^/$ /irj/portal [R]
    If I use URL:
    https://bebuyer.###.de/ goto https://bebuyer.###.de/irj/portal
    but if I use
    https://bebuyer.###.de/irj/
    I get the info:
    https://bebuyer.###.de/irj/HTTPS:/bebuyer.###.de:443/irj/index.html
    What happened? How can I redirect to /irj/portal?
    Of course I can use
    http://debmsu06.server.###.de:50300/irj/
    Could you please give me some tips?
    Best Thanks!
    Heren Zhou

  • I set up a reverse proxy server but the DOJO and auto complete don't work

    I set up a reverse proxy server but the DOJO and auto completer don't work. Am I missing a configuration on the proxy server?

    Well it would help if you can provide some more details on your configuration/setup.

  • Setting up a Reverse proxy on lion server

    Can someone point an OS X Server newb like me to some documents/how-tos on setting up a reverse proxy on Lion Server? It appears Apple's docs online are still for SL.
    Many thanks
    Stephen

    Lion server is so frustrating. Good grief.
    It broke my setup. So I tried to re-follow the instructions at http://www.bensoftware.com/securityspy/helpssl.html to setup a reverse proxy to wrap an otherwise insecure connection into an SSL connection.
    I can get the SSL part working (connections to https://127.0.0.1 work) but it's not proxying. Per the instructions, I put the following two lines near the bottom of the httpd-ssl.conf file:
    RewriteEngine On
    RewriteRule ^/(.*) http://127.0.0.1:8000/$1 [P]
    Just above </VirtualHost>
    Instead of getting the proxy, I get the same regular SSL connection page displayed ("Hello world"). In other words, after getting the SSL stuff setup, adding these two lines didn't do anything. Any idea what I'm doing wrong?

  • How to set up reverse proxy to allow user access portal site from internet

    Hi all,
    I have installed 10g (10.1.2.0.2) AS on the same machine (single IP for both mid and infra, with different users respectively). There is a DMZ on which Windows IIS is running, through which we need to redirect requests to the application server so that users can access the portal page from the internet (within the intranet all URLs are working fine). I have gone through the Technet documentation, where I found 3 ways, through this link:
    http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
    Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
    Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
    Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
    I am confused about which option to use. I also went through Metalink document 270160.1.
    Please help me choose which option to use.
    Thanks.

    Hi Hozy,
    Maybe it's too late, but I am thinking of going the same route for our SAP portal access for external customers. Could you please share your experience: what challenges did you face? What is the complexity? What resources do we need to configure this?
    I appreciate your feedback.
    Thanks
    Krish

  • How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

    Some of our installations use the Sun Web Server 7.0 (update 1, usually)
    for hosting some of the public resource and reverse-proxying other parts
    of the URI namespace from other backend servers (content, application
    and other types of servers).
    So far every type of backend server served a unique part of the namespace
    and there was no collision of names, and the backend resources were
    published in a one-to-one manner. That is, a backend resource like, say,
    http://appserver:8080/content/page.html would be published in the internet
    as http://www.publicsite.com/content/page.html
    I was recently asked to research whether we can rename some parts of
    the public URI namespace, to publish some or all resources as, say,
    http://www.publicsite.com/data/page.html while using the same backend
    resources.
    Another quest, possibly related in solution, was to make a tidy url for the
    first page the user opens of the site. That is, in the current solution when
    a visitor types the url "www.publicsite.com" in his or her browser, our web
    server returns an HTTP-302 redirect to the actual first page URL, so the
    browser sends a second request (and changes the URL in its location bar).
    One customer said that it is not "tidy". They don't want the URL to change
    right upon first rendering the page. They want the root page to be rendered
    instantly in the first HTTP request.
    So far I found that I can't solve these problems. I believe these problems
    share a solution because it relies on ability to control the actual URI strings
    requested by Sun Web Server from backend servers.
    Some details follow, now:
    It seems that the reverse proxy (Service fn="service-passthrough") takes
    only the $uri value which was originally requested by the browser. I didn't
    yet manage to override this value while processing a request, not even if
    I "restart" a request. Turning the error log up to "finest" I see that even
    when making the "service-passthrough" operation, the Sun Web Server
    still remembers that the request was for "/test" (in my test case below);
    it does indeed ask the backend server for an URI "/test" and that fails.
    [04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
    trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
    fn="service-passthrough" rewrite-host="true" rewrite-location="true"
    servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
    returned 0 (REQ_PROCEED)
    My obj.conf file currently has simple clauses like this:
    # this causes /content/* to be taken from another (backend) server
    NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
    # this causes requests to site root to be HTTP-redirected to a certain page URI
    <If $uri =~ '^/$'>
        NameTrans fn="redirect"
            url="http://www.publicsite.com/content/MainPage.html"
    </If>
    <Object name="content-test">
    ### This maps http://public/content/* to http://10.16.2.127:8080/content/*
    ### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
        Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
        Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
    </Object>
    I have also tried "restart"ing the request like this:
        NameTrans fn="restart" uri="/data"
    or desperately trying to set the new request uri like this:
        Service fn="set-variable"  uri="/magnoliaPublic/Main.html"
    Thanks for any ideas (including a statement whether this can be done at all
    in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
    //Jim

    Some of our installations use the Sun Web Server 7.0 (update 1, usually)
    Please plan on installing the latest service pack, 7.0 Update 4. These updates address potentially critical bug fixes.
    I was recently asked to research whether we can rename some parts of
    the public URI namespace, to publish some or all resources as, say,
    http://www.publicsite.com/data/page.html while using the same backend
    resources.
    Now, if all the resources are under, say, /data, then how will you know which pages need to be sent to which back-end resources? I guess you probably meant that a request for /data/page.html should go to <back-end>/content/page.html.
    yes, you could do something like
    - edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
    <Object name="default">
    <If $uri = "/page/">
    # move this NameTrans SAF (for the map directive, which is for reverse proxy) within the <If> clause
    NameTrans.. fn=map
    </If>
    </Object>
    and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
    finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
    <install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname>
    <install-root>/bin/wadm deploy-config --user=admin <hostname>
    you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
    http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
    finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
    http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
    >
    One customer said that it is not "tidy". They don't want the URL to change
    right upon first rendering the page. They want the root page to be rendered
    instantly i the first HTTP request.
    please check out the rewrite / restart SAF. this should help you.
    http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
    pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
    It seems that the reverse proxy (Service fn="service-passthrough") takes
    only the $uri value which was originally requested by the browser. I didn't
    yet manage to override this value while processing a request, not even if
    I "restart" a request. Turning the error log up to "finest" I see that even
    when making the "service-passthrough" operation, the Sun Web Server
    still remembers that the request was for "/test" (in my test case below);
    it does indeed ask the backend server for an URI "/test" and that fails.
    now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don't have to download a separate plugin. however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
    http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
    feel free to post to us if you need any further help
    you are probably better off - starting fresh
    - install ws7u4
    - use gui or CLI to create a reverse proxy and map one on one - say content
    http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
    if you don't plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
    <install-root>/bin/wadm disable-java user=admin config=<hostname>
    <install-root>/bin/wadm create-reverse-proxy user=admin uri-prefix=/content server=<http://your back end server/ config=<hostname> --vs=<hostname>
    <install-root>/bin/wadm deploy-config --user=admin <hostname>
    now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
    >
    I have also tried "restart"ing the request like this:
    NameTrans fn="restart" uri="/data"
    ordering is very important here... you need to do this some thing like
    <Object name=default>
    <If not $restarted>
    NameTrans fn=restart uri from=/¨ uri=/foo.
    </If>

  • Lync Reverse Proxy Alternatives

    When migrating from OCS 2007 to Lync 2010, we balked at Microsoft's recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
    TMG is way too expensive and complex for such a limited, simple use case.
    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
    We decided to use Apache 2.2 on Windows Server 2008 R2. 
    Here's how we configured it:
    Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy. 
    http://technet.microsoft.com/en-us/library/gg398069.aspx
    Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server. 
    http://httpd.apache.org/download.cgi
    We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
    Use the Certificates MMC on your front end server to export the certificate and include the private key.
    Transfer the resultant .pfx file to your reverse proxy server.
    Use OpenSSL to convert your .pfx file to PEM:
    openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
    Separate the private key from the certificate using notepad: 
    Open the new .pem file and cut the text from the beginning of the file through the end of the "-----END RSA PRIVATE KEY-----" tag.
    Save that text to a new file named yourcert.key.
    Save yourcert.pem, which should now only include the certificate.
    Copy (or move) the certificate and private key to the Apache configuration directory. We like to use C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
    Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
    (See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive)
    Uncomment the following lines, which will enable proxy and SSL:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    Add the following lines to configure reverse proxy behavior:
    #Be a reverse proxy, not a forward proxy
    ProxyRequests Off
    #Accept requests from any client to any URL
    <Proxy *>
    Order Deny,Allow
    Allow from all
    </Proxy>
    #Set the network buffer to improve throughput
    ProxyReceiveBufferSize 4096
    #Configure the Reverse Proxy to forward all requests to your front end server on 4443
    ProxyPass / https://yourfrontend.domain.com:4443/
    ProxyPassReverse / https://yourfrontend.domain.com:4443/
    #Preserve Host Headers for Lync
    ProxyPreserveHost On
    Optionally, configure logging directives, bindings and server name.
    Save and close httpd.conf
    Edit httpd-ssl.conf (typically in conf\extra):
    Configure the session cache:
    Uncomment:
    SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
    Comment out:
    SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    Locate the <VirtualHost _default_:443> tag and configure the following:
    Add the following directive:
    SSLProxyEngine On
    Configure the path to your SSL Certificate saved in step 3-5 above:
    SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
    Configure the path to your private key saved in step 3-5 above:
    SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
    Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
    Optionally, configure logging directives.
    Save and close httpd-ssl.conf
    Restart the Apache2.2 service
    Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of
    the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    From an external connection, test connectivity through the reverse proxy:
    Test https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
    Test the Lync Web App by setting up an online meeting and following the URL to join the meeting. 
    You can force the use of the web app by appending ?sl= to the end of the meet.company.com link. 
    See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
    Hope this information is helpful and saves some of you some money and trouble.
    Please contact me if you need further clarification or see any mistakes in my notes.
    Best regards,
    Kenneth Walden
    Enterprise Systems Supervisor
    GSD&M
    Austin, TX
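A small linter for the directives walked through in the post above, as an added example that is not part of the original post: it checks that the proxy is reverse-only, that the Host header is preserved, that every ProxyPass has a matching ProxyPassReverse, and that an https backend has SSLProxyEngine enabled. The finding codes and the sample text (which merges the httpd.conf and httpd-ssl.conf settings into one string) are assumptions made for the example.

```python
import re

# Constructed sample: the directives from the post, with its placeholder hostname.
SAMPLE_CONF = """\
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
ProxyPreserveHost On
SSLProxyEngine On
"""

def parse_directives(text):
    """Return [(lowercased name, [args])], skipping comments and <Section> lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        out.append((parts[0].lower(), [p.strip('"') for p in parts[1:]]))
    return out

def audit(text):
    """Return sorted finding codes (names are this example's own, not Apache's)."""
    d = parse_directives(text)
    def last(name):  # value of the last occurrence, lowercased, or None
        vals = [a for n, a in d if n == name and a]
        return vals[-1][0].lower() if vals else None
    def pairs(name):  # (path, url) pairs, ignoring "ProxyPass /x !" exclusions
        return {tuple(a[:2]) for n, a in d if n == name and len(a) >= 2 and a[1] != "!"}
    findings = []
    if last("proxyrequests") == "on":  # forward proxying enabled: open-proxy risk
        findings.append("OPEN_FORWARD_PROXY")
    if last("proxypreservehost") != "on":  # backend sees the proxy's own Host header
        findings.append("HOST_HEADER_NOT_PRESERVED")
    if pairs("proxypass") - pairs("proxypassreverse"):  # backend redirects not rewritten
        findings.append("PROXYPASS_WITHOUT_REVERSE")
    if any(u.lower().startswith("https://") for _, u in pairs("proxypass")) \
            and last("sslproxyengine") != "on":
        findings.append("HTTPS_BACKEND_WITHOUT_SSLPROXYENGINE")
    if "\u201c" in text or "\u201d" in text:  # typographic quotes break parsing
        findings.append("CURLY_QUOTES")
    return sorted(findings)
```

An empty list from `audit()` means none of these checks fired; it does not validate the rest of the configuration.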

    I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your
    blog saved me a LOT of headache.  I owe you big time. 
    AWESOME JOB. 
    -Greg
    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting
    the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.
    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER.  Look for
    http://10.x.x.x/meet/ or something in the event logs. 
    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
    Request information:
        Request URL: https://FQDN:4443/meet/MyName/456456
        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Custom event details:
