Uwc behind a reverse proxy asks for internal urls

Similar Messages

• Is Reverse Proxy required for Hybrid deployment

  Hi everyone,
  We plan to deploy a new infrastructure on prem attached to O365.
  The aim of this deployment is to create lync meeting on the on prem FE server which will be accessible by O365 Lync users. (FI: these meetings will be created on prem because the customer wants to cascade Lync conference with his Polycom video conferencing
  infrastructure).
  Some users are homed on-premises and some users are homed online, but the all users share the same SIP domain. Is Reverse Proxy on prem will be required for O365 users to join meetings created on the on-premise FE or the O365 architecture
  can handle it?
  The only functionality needed is meeting (not mobility). I saw this (https://social.technet.microsoft.com/Forums/en-US/cf4f63f9-355f-475b-8148-608633adfe86/is-reverse-proxy-necessary-for-lync-hybrid-deployment?forum=lyncdeploy) but the functionality asked
  are different.
  Many thanks for your help.
  Thomas

  You'll need a reverse proxy on premises to publish the external web services FQDN of your on-premises front end pool.  Meet will use this behind the scenes regardless of where it's pointing.  If you're hybrid, the DNS URLs should typically point
  to your on-premises deployment however anyway:
  https://technet.microsoft.com/en-us/library/jj205403%28v=ocs.15%29.aspx?f=255&MSPPError=-2147217396
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Logging Client-IP on IWC behind a reverse proxy

  I've a Convergence 2 configuration where IWC is contacted through a reverse proxy. The reverse proxy sets Client-IP header.
  I'ld like to log that Client-IP information in IWC log.
  Is this possible?
  Regards.

  Dear Expert,
  Can i know how do you config the reserve proxy to work with the uwc?
  my network topology is:
  machine A: uwc (https://port:443) and MEM (https://port 80) (both are running SSL)
  machine B: Messaging Server (MTA and store)
  machine C: ldap and Identity server
  the login page is https://commexp/uwc , after login, it divide to two main session.
  Mail tab - https://commexp:80
  Other tab - https://commexp/uwc
  How can i set the reverse proxy for this configuration?
  And which proxy are you using?
  Thanks a lot!
  Regards,
  Angus
  had the same problem, fix was -
  >
  >
  in Uwcauth.properties changes
  uwcauth.identity.login.url=http://bason.blah.com:81/am
  server/UI/Login
  AMconfig.properties changes
  com.sun.identity.server.fqdnMap[bason.blah.com]=bason.
  blah.com
  with the hostname (bason.blah.com) being the *uwc
  server* with reverse proxy on it
  for some fun have a look at the url you are directed
  too - in particular the parameters on the url...
  can anyone say "SECURITY HOLE"?

• SWF verification behind a reverse proxy cache

  Hi!
  If I place an set of FMS servers behind some reverse proxy caches, will I get problem with SWF verification if the cache layer caches the .f4m meta data file with the SWF verification data? Is there any documented best practice on the requirements to build large scale deployment with security enabled?
  best regards
  Johan Acevbedo

  Hello Johan,
  Is in your case drm is embedded inside the f4m??
  HLS-VOD
  Set the TTL for your f4m to max equal to an interval at which you are expecting the swf hashes to update.
  For example, if you expect, you may add/remove swf hashes at interval of say 1 hr, then set the TTL for the f4m as say 50 min (10 min taken as allowed error in your estimation of swf hash update).
  You may set HttpStreamingF4MMaxAge under hds-vod (if that is hds vod case) as per your required TTL. Most proxy cashes should ideally respect the TTL dictated by origin response an should re-request the f4m after that period.
  HDS-LIVE
  Otherwise if this is hds-live case, then I don't think drm is embedded into the f4m. Just verify. Drm is a serperate request. In that case, you can set TTL on drm (HttpStreamingDrmmetaMaxAge) request also under hls-live in httpd.conf.
  Read more about these configs http://help.adobe.com/en_US/flashmediaserver/devguide/WSd391de4d9c7bd609a95b3f112a373a7115 -7fff.html#WSae20eaa80bf612516499f756131e06fb583-7fff
  You can also set the drm update interval time in the recording section of the  application.xml as per your need. Read more about the config at http://help.adobe.com/en_US/flashmediaserver/devguide/WSd391de4d9c7bd609a95b3f112a373a7115 -7fff.html#WSc1a546382286f18f-4a910076130ddc59d17-7ffe . Config setting will only update drm on the disk. But you will still have to set the proper TTL in Apache httpd.conf for the request of the DRM to be sent by the proxy to the origin to fetch it.
  -Nitin

• Reverse Proxy Filter for EP7?

  Hi! on
  https://websmp208.sap-ag.de/nw-ep-how-to,
  we notice an article called:
  "How to… Configure the Reverse Proxy Filter for SAP Enterprise Portal 6.0 SP2"
  Did anyone use the method there to resolve their problems?
  If so, would you please share your experience?
  We have a question about what code should be put in the web.xml.
  Points guaranteed. Thanks!

  It appears that the Light Portal Framework in EP 7.0 uses FQDN in the anchors (<A>) on the pages it sends back to the Client Browser (not relative URI's).
  This could be a configuration setting somewhere that I missed, however, I would expect the Light Framework to be the best at making sure links are relative.
  I would like to explore all options, from making our Reverse Proxy Server handle the filtering to making sure Portal sends back a valid link.
  If the Reverse Proxy Filter is not available in EP 7.0, what can I do to replace it's functionality?
  Mike

• I have downloaded tv episodes directly onto the ipod now they will not play ipod keeps asking for a url?

  I have downloaded tv episodes directly onto the ipod from the Itunes store. They sync & show on the ipod but will not play; the ipod keeps showing a message asking for the URL? Anyone able to help me? Kind thanks, Alexx

  Hello bradesparza,
  Thanks for using Apple Support Communities.
  For more information on this, take a look at:
  Some of my iTunes Store purchases won't play
  http://support.apple.com/kb/ht1325
  Best of luck,
  Mario

• Apache reverse proxy setting for access to Backend

  Hi experts,
  we have set up apache reverse proxy to make available our NW portal (and SRM functions)over the internet.
  Our settings look something like this:
  ProxyRequests Off
  <VirtualHost *:80>
       ServerName myportal.portalhosto.com
       ProxyPreserveHost On
       ProxyPass /irj/ http://myportal.portalhost.com:53200/irj/
       ProxyPass /webdynpro/ http://myportal.postalhost.com:53200/webdynpro/
       ProxyPassReverse /irj/  http://myportal.portalhost.com:53200/irj/
       ProxyPassReverse /webdynpro/  http://myportal.portalhost.com:53200/webdynpro/
       ErrorLog logs/myportal.portalhost.com-error.log
       CustomLog logs/myportal.portalhost.com-custom.log combined
  RewriteEngine On
       RewriteRule ^/sap/(.*)$ http://mybackend.backendhost.com:8020/sap/$1 [P,NC]
  </VirtualHost>
  Problem:
  when we access the portal from the internal network(either by using the internal URL or external URL) things work fine.
  But we access the portal from internet, we are able to login to the portal and acess all webdynpro Java related applications.But when we try to acess the BSP/WD abap application running on a backend SRM system, we get 'host not found' message with the INTERNAL url of the SRM backend application displayed.
  Do we need to expose the SRM backend to the outside world via reverse proxy as well?If yes,how?Do we need to change the system definitions in portal for that?
  Any help in resolving this would be greatly appreciated.
  regards,
  Kiran

  Hi,
  Do we need to expose the SRM backend to the outside world via reverse proxy as well?If yes,how?Do we need to change the system definitions in portal for that?
  Yes , you have to expose your backend system using reverse proxy ...
  When user access the portal and when he clicks on BSP/WD , the URL get re-directed to backend system.
  But , as your backend system is not expose on internet , you get an error as host not found.
  So, to solve your problem you have to expose your backend system on internet. It is in general pratice to expose on internet.
  Thanks
  Anil

• Wrong cert on reverse proxy setup for exchange

  i have arr setup, i have runt he setup command as per the recommended sheet
  ARRConfig config –cert “path
  to the certificate file” –hostnames “host
  names for Exchange Server”–targetserver
  “server name of Exchange Server”
  and this has worked and mail is accessable, the problem is that the cert is not matching for some reason
  so i have a cert for remote.domain.co.uk and i have one for mail.domain.co.uk, i used the mail cert for the reverse proxy, i see it bound to the site BUT when i access the remote site i get the remote.domain.co.uk cert as presented, its as if the mail one
  is being over ridden and i dont know were
  any advise?

  In the Exchange Shell can you run,
  Get-ExchangeCertificate | select CertificateDomains, Services | FL
  This should tell us if the cert is bound correctly on the Exchange Server.
  In the Essentials Server, in IIS, do you have a Exchange Proxy website created?
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• Reverse Proxy Planning for Exchange 2013

  Hi,
  We are planning Exchange 2010 to Exchange 2013 datacentre migration for 18000 users and all the Exchange planning is done. Now we are looking at planning of Reverse Proxy solution. We will be publishing different URLs for OWA, ActiveSync and Outlook Anywhere.
  UAG has been finalized by the organization. I don't find any document or links which suggests the planning of Reverse proxy for Exchange. Can you please let us know the sizing of UAG with respect to Exchange 2013. Thanks.

  Hi 
  Sizing as far i know there is no sizing document for UAG 
  But Minimum you need to have UAG 2010 SP3 to work with Exchange 2013
  You can see the support boundaries for UAG below technet
  http://technet.microsoft.com/en-us/library/ee522953.aspx
  Note : UAG requires each user to have a CAL
  You can also try 2012 R2 web application proxy . This does reverse proxy without the need of CAL's.
  You can give it a try if you wish to go with web app proxy and you can see below 
  http://technet.microsoft.com/en-us/library/dn383650.aspx
  Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com Thanks Sathish
  (MVP)

• Reverse proxy setup for EBS R12.1.1

  We have an external DMZ server configured for oracle ebs r12.1.1. The URL is http://testerp.mydomain.com:8003.
  Can you please provide a link that shows step by step setup of Reverse proxy for the above URL to access the application.
  I already have the metalink notes that says about DMZ setup for oracle ebs. I actually am looking for step by step setup for the reverse proxy using oracle application server 10g. Please help. Thanks.

  Roy, I have already gone through that document, it is actually showing how to install and configure webcache 10g for oracle ebs r12.
  It also says the features that oracle applicaiton server web cache provides like,
  •Load Balance
  •Reverse Proxy
  •Failover and Surge Protection to minimize downtime
  •Personalize Attributes for Caching
  BUT IT IS NOT MENTIONING HOW TO CONFIGURE THE 'REVERSE PROXY' FOR THE ORACLE EBS EXTERNAL APPLICATION SERVER ON DMZ.

• Configuring Reverse Proxy Nginx for Messenger

  We have updated to Messenger 3.0 and are looking to use the Mobile apps. We have a reserve proxy Nginx which we use for WebAccess and have tried to configure this for Messenger.
  When I try to connect using a Mobile app (from the Internet) I can see a connection been made in the Messenger Agent logs and then get a failed to connect error:
  10:36:12 B70 SPL Login failed [0xD130]: ::xxx.xxx.xxx.xxx - An invalid tag was discovered
  My question is
  Has anyone used nginx to reverse proxy Messenger successfully and if so how?
  And if not, what configuration have they used?
  Thanks in advance

  johngallagher,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Visit http://www.novell.com/support and search the knowledgebase and/or check all
  the other self support options and support programs available.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://forums.novell.com)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://forums.novell.com/faq.php
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Forums Team
  http://forums.novell.com

• Lion PAC proxy asking for authentication reapeatedly

  Hello, Can some bro help with this problem which never happens with the same PAC proxy on Snow Leopard, like title says, Lion (10.7.2) frequently pops up the dialog asking for the authentication for the proxy server.

  Do not use the suggestion to unload the notification center.  That does not fix the problem.
  This post provides the correct solution.
  Usually a proxy authentication dialog allows the user the option to 'allow once' or 'always' etc, and to save the proxy login details to the user's login keychain.
  But under both 10.8 and in particular 10.9 whenever a proxy is in use, the user gets bombarded with multiple recurrent proxy authentication dialogs without any save options and without any identifier.
  Using the terminal command nettop, I discovered that the offending dialogs come from system processes, most notably syncdefaultsd.  (How to do this at the end of the post)
  The problem is that syncdefaultsd is not keychain aware. It needs access to the user's proxy settings at regular intervals, but can't get them from the user's login keychain. It's proxy request dialog does not have the option to save the details to the user's keychain, and worse still does not identify syncdefaultsd as the requesting process. Even if you open your login keychain to allow any application access to your proxy, syncdefaultsd will still keep asking for your proxy details.
  The solution is to ensure that you have working proxy settings saved in the *system* keychain, not just your personal login keychain.
  So when you next get one of these dialogs:
  1. Note the server name that is requesting authentication, the port (usually 8080) and if it is an http or https request. Typically it will be something in the form https://someproxyserver.someorganization.com:8080
  2. See if you already have an entry for that server in your login keychain. If not, make one manually, (being sure to enter the whole thing as per the example above with the :8080 at the end). Typically that there needs to be two separate keychain entries per proxy server, one for http and a second for https, though syncdefaultsd only uses https.
  3. Once you have login keychain entries for the proxy server, double-click them and ensure that under Access all applications are allowed, and that your user name is saved.
  4. Now for the fun bit. Option-drag and drop these entries into your system keychain. Click on the system keychain, and confirm that they are there, and that all the settings are exactly right.
  For good measure, do a shift-restart then a normal restart.
  You should now get no more annoying dialogs for that particular proxy server. If your proxy server has more than one alias, or if you have several, then whenever you get a new unidentified dialog, repeat the above.
  I discovered it using the terminal command nettop, typing into the terminal:
  nettop -m tcp
  This lists all active network processes. If you quit all apps you should still see quite a few network processes. If you see syncdefaultsd, wait for it to go away, or kill it via the Activity Monitor. If you haven't done the fix as above, and you open Safari, you'll see syncdefaultsd open shortly after Safari, and the annoying dialog immediately appears. After the fix is implemented, the dialogs don't appear when syncdefaultsd tries to start up.
  Hope this helps someone, and that Apple fixes it in 10.9.1
  Cheers
  Chris.

• Reverse Proxy issue for domain name

  Hi All,
  We are in process of implementing reverse proxy to the SAP Portal and web dispatcher.
  We given all rewrite rules accordingly, The public IP also resolves the domain name also.
  Our domain is etender-aai.aero.
  When we given rewrite rule with the public IP reverse proxy is working fine.
  But when we given etender-aai.aero in rewrite rule its not working.
  Please help me in this.
  Thanks & Regards,
  Sreekanth

  Hi,
  If you want help, you'll have to explain clearly what is your configuration and what you want to achieve.
  I'm sorry to tell you that I absolutely did not nderstand anything about your problem....
  Do you try to publish your SAP Portal externally on the internet ?
  Do you use the web dispatcher as a reverse proxy ? or do you add an other reverse proxy (like Apache) in front of the web dispatcher ?
  Regards,
  Olivier

• How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

  Some of our installations use the Sun Web Server 7.0 (update 1, usually)
  for hosting some of the public resource and reverse-proxying other parts
  of the URI namespace from other backend servers (content, application
  and other types of servers).
  So far every type of backend server served a unique part of the namespace
  and there was no collision of names, and the backend resources were
  published in a one-to-one manner. That is, a backend resource like, say,
  http://appserver:8080/content/page.html would be published in the internet
  as http://www.publicsite.com/content/page.html
  I was recently asked to research whether we can rename some parts of
  the public URI namespace, to publish some or all resources as, say,
  http://www.publicsite.com/data/page.html while using the same backend
  resources.
  Another quest, possibly related in solution, was to make a tidy url for the
  first page the user opens of the site. That is, in the current solution when
  a visitor types the url "www.publicsite.com" in his or her browser, our web
  server returns an HTTP-302 redirect to the actual first page URL, so the
  browser sends a second request (and changes the URL in its location bar).
  One customer said that it is not "tidy". They don't want the URL to change
  right upon first rendering the page. They want the root page to be rendered
  instantly i the first HTTP request.
  So far I found that I can't solve these problems. I believe these problems
  share a solution because it relies on ability to control the actual URI strings
  requested by Sun Web Server from backend servers.
  Some details follow, now:
  It seems that the reverse proxy (Service fn="service-passthrough") takes
  only the $uri value which was originally requested by the browser. I didn't
  yet manage to override this value while processing a request, not even if
  I "restart" a request. Turning the error log up to "finest" I see that even
  when making the "service-passthrough" operation, the Sun Web Server
  still remembers that the request was for "/test" (in my test case below);
  it does indeed ask the backend server for an URI "/test" and that fails.
  [04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
  trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
  fn="service-passthrough" rewrite-host="true" rewrite-location="true"
  servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
  returned 0 (REQ_PROCEED)My obj.conf file currently has simple clauses like this:
  # this causes /content/* to be taken from another (backend) server
  NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
  # this causes requests to site root to be HTTP-redirected to a certain page URI
  <If $uri =~ '^/$'>
      NameTrans fn="redirect"
          url="http://www.publicsite.com/content/MainPage.html"
  </If>
  <Object name="content-test">
  ### This maps http://public/content/* to http://10.16.2.127:8080/content/*
  ### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
      Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
      Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
  </Object>
  I have also tried "restart"ing the request like this:
      NameTrans fn="restart" uri="/data"or desperately trying to set the new request uri like this:
      Service fn="set-variable"  uri="/magnoliaPublic/Main.html"Thanks for any ideas (including a statement whether this can be done at all
  in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
  //Jim

  Some of our installations use the Sun Web Server 7.0 (update 1, usually)please plan on installing the latest service pack - 7.0 Update 4. these updates addresses potentially critical bug fixes.
  I was recently asked to research whether we can rename some parts of
  the public URI namespace, to publish some or all resources as, say,
  http://www.publicsite.com/data/page.html while using the same backend
  resources.> now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
  yes, you could do something like
  - edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
  <Object name=¨default¨>
  <If $uri = ¨/page/¨>
  #move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
  NameTrans.. fn=map
  </If
  </Object>
  and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
  finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
  <install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname>
  <install-root>/bin/wadm deploy-config --user=admin <hostname>
  you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
  http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
  finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
  http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
  >
  One customer said that it is not "tidy". They don't want the URL to change
  right upon first rendering the page. They want the root page to be rendered
  instantly i the first HTTP request.
  please check out the rewrite / restart SAF. this should help you.
  http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
  pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
  It seems that the reverse proxy (Service fn="service-passthrough") takes
  only the $uri value which was originally requested by the browser. I didn't
  yet manage to override this value while processing a request, not even if
  I "restart" a request. Turning the error log up to "finest" I see that even
  when making the "service-passthrough" operation, the Sun Web Server
  still remembers that the request was for "/test" (in my test case below);
  it does indeed ask the backend server for an URI "/test" and that fails.
  now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don´t have to download a separate plugin . however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
  http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
  feel free to post to us if you need any futher help
  you are probably better off - starting fresh
  - install ws7u4
  - use gui or CLI to create a reverse proxy and map one on one - say content
  http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
  if you don´t plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
  <install-root>/bin/wadm disable-java user=admin config=<hostname>
  <install-root>/bin/wadm create-reverse-proxy user=admin uri-prefix=/content server=<http://your back end server/ config=<hostname> --vs=<hostname>
  <install-root>/bin/wadm deploy-config --user=admin <hostname>
  now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
  >
  I have also tried "restart"ing the request like this:
  NameTrans fn="restart" uri="/data"
  ordering is very important here... you need to do this some thing like
  <Object name=default>
  <If not $restarted>
  NameTrans fn=restart uri from=/¨ uri=/foo.
  </If>

• ITS620  behind Apache Reverse Proxy : POST data (only) gives error for IAC

  Hi all ,
  we are proxying EP6 and ITS620 through Apache 2.0.59 . All portal and most ESS ITS Iviews display correctly . All GET method/display ITS Iviews display correctly BUT as soon as we try to change some info in an ESS Iview (e.g Change Work Address (POST method) the Proxy errors out .
  Here is the httpd.conf :
  RewriteRule ^/sap/(.*) https://<itshost>:8443/sap/$1 [P,NC,L]
  RewriteRule ^/scripts/(.*) https://<itshost>:8443/scripts/$1 [P,NC,L]
  ProxyPass           /scripts https://<itshost>:8443/scripts
  ProxyPass           /sap https://<itshost>:8443/sap
  ProxyPassReverse    /sap https://<itshost>:8443/sap
  ProxyPassReverse    /scripts https://<itshost>:8443/scripts
  When we hit POST a long URL of the form
  /scripts/wgate/zpzxx/~flNlc3Npb249VFM0OlNBUE5UVDAxOjAwMDEuMDAwMS5lMDgyMTU3NS5hM2RhJn5odHRwX2NvbnRlbnRfY2hhcnNldD1pc28tODg1OS0xJn5TdGF0ZT0yODY5Mi4wMDEuMDIuMDI=
  (with some POST data)
  is sent to ITS ...ITS receives it OK but Apache immediately errors .
  Has anyone seen this behaviour before either with POSTS or ESS IAC Iviews through Apache ?
  Regards
  Daniel

  I found the answer myself... Use ProxyPreserveHost on with internal hostnames (not IP's):
          ProxyPass / http://macserver.home/
          ProxyPassReverse / http://macserver.home/
          ProxyPreserveHost on