Non-ISA reverse proxy RRS feed

  • Question

  • Hi!

    I am having problems getting the webservices work for external users. We have an Apache reverse proxy deployed in the public network.

    It has a certificate issued from the same CA that we use also for issuing certificates of OCS servers. The server works also for some other directories as a reverse proxy, but the directory names dont collide. Here is a snippet of the config file regarding to the OCS:

    <Location /ABS/ext>
       ProxyPass https://OCS-INTERNAL-FQDN/ABS/ext
       ProxyPassReverse https://PROXY-EXTERNAL-FQDN/ABS/ext

    <Location /etc/place/null>
       ProxyPass https://OCS-INTERNAL-FQDN/etc/place/null
       ProxyPassReverse https://PROXY-EXTERNAL-FQDN/etc/place/null

    <Location /GroupExpansion/ext/service.asmx>
       ProxyPass https://OCS-INTERNAL-FQDN/GroupExpansion/ext/service.asmx
       ProxyPassReverse https://PROXY-EXTERNAL-FQDN/GroupExpansion/ext/service.asmx

    PS: Are these entries case-sensitive ??

    Typing manually into IE the 1st or 3rd entry from outside of our LAN, I get a login required dialog, but it doesnt accept my account data.

    Typing the 2nd entry, I am redirected to the URL of the internal OCS-FQDN, and of course it is not accessible from outside.

    The OCS IIS log shows error 401 entries, originated from the internal IP of PROXY, but no username is visible in the logs, compared to similar log entries related to successfull request of internal users.

    Where should I modify the settings to make it work?


    Friday, September 21, 2007 8:23 AM

All replies

  • Richard,


    Did you get this working?  I am planning on implementing a similar setup (Apache Reverse Proxy).  Is so, what did you do?





    Tuesday, October 30, 2007 4:32 PM
  • I am afraid, we weren't able to do that. Apache has a known problem regarding to authentication throug SSL.
    Wednesday, October 31, 2007 8:44 AM
  • Hi all,


    I have deployed the IIS Reverse Proxy (v1.6)  from SaltyPickle



    But I have to hack some code:


    Code Block

    public IHttpHandler GetHandler(HttpContext context, string requestType, String url, String pathTranslated) {

    //if (url.EndsWith("logon.aspx")) return System.Web.UI.PageParser.GetCompiledPageInstance(url, pathTranslated, context);

    return ReverseProxy;





    Code Block

    if (webResponse.StatusCode == HttpStatusCode.Unauthorized) {


    string realm = ProxyUtils.ParseRealm(webResponse.GetResponseHeader("WWW-AUTHENTICATE"));

    warn("Unauthorized...redirecting to logon page");

    frontEndResponse.Redirect(frontEndRequest.ApplicationPath + "/logon.aspx?Realm=" + context.Server.UrlEncode(realm) + "&ReturnUrl=" + context.Server.UrlEncode(frontEndRequest.Url.PathAndQuery));



    frontEndResponse.AppendHeader("WWW-AUTHENTICATE", webResponse.GetResponseHeader("WWW-AUTHENTICATE"));





    Then rebuild with build-release.cmd


    I've tested this only for AddressBook.


    For changing the External URL:

    1. Start - Run - Wbemtest.exe and click on OK
    2. Click on Connect
    3. Change namespace to root\cimv2
    4. Click on Connect
    5. Click on Query...
    6. Fill in : SELECT * FROM MSFT_SIPAddressBookSetting and click APPLY
    7. Double click the first result
    8. Click on ExternalURL and then on Edit Property
    9. Change the value to https://_externalURI_/ReverseProxy/Abs/Ext and click on Save Property



    Tuesday, November 6, 2007 10:29 AM
  • Richard,


    Maybe this has already been asked and answered, but I *just* finished setting this up using Apache 2.0 as the reverse proxy and I wanted to share my setup so that others may benefit.


    I am running Apache 2.0.63 with SSL on the same machine as my edge access server.


    As with almost an *nix file system software, case does matter.


    Here is a loose listing of my procedure.  Remember, I am a Window s engineer and this is my first venture into Apache...


    I hope this helps.  Our setup is working like a champ!  If someone needs complete step-by-step, I may have a document available as I will have to create a doc for our own records anyways.  I'm sure I can sanitize it and send it on your way if needed.



    Wednesday, May 14, 2008 4:46 PM
  • Dear dan.lepine,

    thank you for your post. As I am not an apache expert either, in our case the problem was solved with ISA. But I am sure, that dozens of others will find this confirmation useful! However, I would also greatly apreciate if you share your experince in a detailed form with us.

    I am not familiar with apache versions, and not sure if the authentication problem was because of an older version in our case. The proxypass and proxypassreverse section is very interesting: in other guides I saw that they are not the same internal address.
    Wednesday, May 14, 2008 5:21 PM
  • Dear Dan:


    It's so glad to see ur howto. but I got some problem with ssl.conf configuration.

    here is my problem:

    1. The Certificate file , how to set them up ?

    2. The Certificate type...I don't know how to reconize it.


    sorry for those question....I am a junior engineer.


    thx a lot!!




    Wednesday, July 16, 2008 10:38 AM
  • Here is the doc that I created for my records.  I hope that it will help shed some light...


    1.       Download and install Apache 2.2.8 w/SSL on the server you intend to use as the reverse proxy server.  In our case we installed it on the same server that will run OCS Edge services.

    2.       Configure the http.conf file located in <Install Path>\Apache Group\Apache2\conf

    a.       Change the listening port from 80 to some other port if you don’t plan on serving web content on that port.

                                                                   i.      Listen 8088

    b.      Uncomment the following lines to allow the modules to load.  Removing the # sign uncomments the line.

                                                                   i.      LoadModule proxy_module modules/mod_proxy.so

                                                                 ii.      LoadModule proxy_http_module modules/mod_proxy_http.so

                                                                iii.      LoadModule ssl_module modules/mod_ssl.so

    c.       Set the server admin value with an appropriate smtp address

                                                                   i.      ServerAdmin user@company.com

    d.      Set the hostname for the server.  This should match the DNS name used on the external certificate

                                                                   i.      ServerName hostname.domain.com:443

    e.      Set the conf file so that Apache will use the ssl.conf file if the ssl module is loaded.  This section is almost near the end of the conf file.

                                                                   i.      #

    # Bring in additional module-specific configurations


    <IfModule mod_ssl.c>

    Include conf/ssl.conf


    f.        Save the file and close.

    3.       Configure the ssl.conf file located in <Install Path>\Apache Group\Apache2\conf

    a.       Scroll to the bottom of the file, and right before the closing "VirtualHost" entry, paste the following lines of code.  Where is says “Server IP Add” enter in the IP address of your internal OCS Server or Farm.  You will need to make sure that the paths use the same case as the internal OCS server since Apache is case-sensitive.
















                                                                   i.      <IfModule mod_proxy.c>

                SSLProxyEngine on


    <Location ~ "/Abs" >

     ProxyPass https://Server IP Add/Abs

     ProxyPassReverse https://Server IP Add/Abs



    <Location /etc/place/null>

     ProxyPass https://Server IP Add/etc/place/null  ProxyPassReversehttps://Server IP Add/etc/place/null </Location>


    <Location /GroupExpansion/ext/service.asmx>

     ProxyPasshttps://Server IP Add/GroupExpansion/ext/service.asmx

     ProxyPassReverse https://Server IP Add/GroupExpansion/ext/service.asmx



    b.      Save the file and close.

    4.      Next, export the certificate you will use for the external site from the Windows store.

    a.       Run mmc.exe

      1. Click the 'Console' menu and then click 'Add/Remove Snap-in'.
      2. Click the 'Add' button and then choose the 'certificates' snap-in and click on 'Add'.
      3. Select 'Computer Account' then click 'Next'.
      4. Select 'Local Computer' and then click 'OK'.
      5. Click 'Close' and then click 'OK'.
      6. Expand the menu for 'Certificates' and click on the 'Personal' folder.
      7. Right click on the certificate that you want to export and select 'All tasks' -> 'Export'.
      8. A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file.
    1. Run openssl.exe (located in <Install Path>\Apache Group\Apache2\bin) to extract the private key and the cert file.
      1. Export the private key file from the pfx file

                                                                   i.      openssl pkcs12 -in filename.pfx -nocerts -out key.pem

      1. Export the certificate file from the pfx file

                                                                   i.      openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

      1. This removes the passphrase from the private key so Apache won't prompt you for your passphase when it starts

                                                                   i.      openssl rsa -in key.pem -out server.key

    6.       There are now 3 new files. The names aren't important. The last two files will be the ones used (cert.pem and server.key).

    7.       Edit ssl.conf to point at the certificate files.

    a.       In the Server Certificate section, enter

                                                                   i.      SSLCertificateFile conf/cert.pem

    b.      In the Server Private Key section, enter

                                                                   i.      SSLCertificateKeyFile conf/server.key

    c.       Save and close the file.

    8.       By default, "net start apache" won't start it with SSL. To do that, the service must be edited with sc.exe, or by editing the registry.   The service just runs the command ....\bin\Apache.exe -k runservice, to that string, add "-DSSL" (Define "SSL"). The end result should be

    C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice DSSL

    …use the correct install path for Apache.


    Wednesday, July 16, 2008 3:00 PM
  • Hello Dan:

    Thank you so much .

    It's helpful !



    Sorry for bother you , AGAIN  Stick out tongue


    there still one thing I still can't figure out...

    which certificate that i should export ??

    1) The certificate for internal OCS ?

    2) Certificates for edge server ?

    I've try many times....but still fail...

    can't show the whiteboard and document....


    Thanks AGAIN!!!!




    Thursday, July 17, 2008 9:48 AM
  • Hi,

     a lot of time passed, since my last visit. But recently, the reverse proxy question popped up again.

    Question1) Apache 1.3.x is not OK?


    If you install Apache 2.x on the same machine, as OCS EDGE, you loose the possibility to use standard TCP port 443 for the reverse proxy functionality (if port 443 is already used by Access/webconf/AV roles) so you risk external clients not able to download the content, because corporate firewalls allow only TCP 80 and 443 outgoing traffic, if you use a non-standard port for this purpose, it may be blocked.

    Tuesday, January 27, 2009 4:07 PM
  • Just to correct some errors in the guide: you are referring to Apache version 2.2.8, but your guide reflects the situation with using Apache version 2.0.x


    Step1): there is no such http.conf, it should be httpd.conf instead

    and additionally, the <install path> entry is redundant, if you provide the \Apache Group\Apache2\... folder after it. It may confuse people.

    Step2e):there is no such ssl.conf file in /conf directory. What I found is located here: /conf/extra/httpd-ssl.conf, that file has most probably the content that you are referring to in the next steps.

    The file /conf/openssl.conf is not the one you need!

    Step3) the same, no ssl.conf is there.

    Step3a): I: are you sure the correct syntax is: ~ "/Abs" >

    you need to separate the Proxpass* and the https strings

    II: in Proxypass and Proxyreverse, shouldnt you use FQDN of the OCS server instead of IP?

    Step4) clarification: as you are hacking your edge server, you export the (already installed and used) trusted external cert, that you bought from a 3rd party CA (like Verisign), and configured on the edge's external interface.

    Step8): exe name is wrong, it should be httpd.exe



     Apache 2.2.11 seem to have a stupid bug, if you run it under 64 bit Windows 2008 (not sure, but windows 2003 should also be affected): the SSLSessionCache value is not decoded properly, because the default install path contains also the "Program Files (x86)" string. That stupid Apache wants to use this "x86" string as the value, instead of the factory default (512000) at the end of the line. Solution: change the install path of Apache 2.2.11 during the install to something similar, that does not include "()" characters, or edig the httpd-ssl.conf file and change the path to something like: c:/sslcache.log

    Wednesday, January 28, 2009 5:24 PM
  • Hello All,

    We are in the process of setting up our OCS and came across this.  We have tried several reverse proxy options to do the reverse proxy, but all of them has fail.  We came across this site and Just wondering if it's too late to ask for some help?


    • Edited by yackko Tuesday, July 28, 2009 5:54 PM word correction
    Tuesday, July 28, 2009 5:42 PM