Apache as a reverse proxy to Exchange 2007 Outlook Web Access
October 16th, 2008
Posted by: Len in General, Technology, tags: apache, exchange, linux
In many environments, putting an Exchange 2007 front-end server directly on the Internet is not a desired configuration – either because of technical limitations or security concerns. One solution is to have an Apache HTTP server on the network perimeter to act as a reverse proxy to an internally located Exchange 2007 server. The following example is an Apache configuration to:
- Redirect browsers from http://webmail.domain.com/ to the secure https://webmail.domain.com/
- Redirect from the root of https://webmail.domain.com to https://webmail.domain.com/exchange – you may wish to redirect to /owa if you use a pure Exchange 2007 environment.
- Tunnel any request to https://webmail.domain.com/* through Apache’s reverse proxy to the internal Exchange system and serve the response back to the client.
The main advantage of the configuration below is that by using the RewriteRule directive with the [P] (proxy) flag, we avoid needing separate ProxyPass and ProxyPassReverse directives for each of the Exchange 2007 virtual directories. Nice, clean, simple.
```apache
ProxyRequests Off

<VirtualHost webmail.domain.com:80>
    ServerAdmin hostmaster@domain.com
    ServerName webmail.domain.com
    #ErrorLog /var/log/apache2/webmail.domain.com-error_log
    #CustomLog /var/log/apache2/webmail.domain.com-access_log combined

    ProxyPreserveHost On
    RewriteEngine on

    # Redirect http traffic to https
    RewriteRule ^/(.*)$ https://webmail.domain.com/$1 [L,R]
</VirtualHost>

<VirtualHost webmail.domain.com:443>
    ServerAdmin hostmaster@domain.com
    ServerName webmail.domain.com:443
    #ErrorLog /var/log/apache2/webmail.domain.com-ssl_error_log
    #TransferLog /var/log/apache2/webmail.domain.com-ssl_access_log
    #CustomLog /var/log/apache2/webmail.domain.com-ssl_request_log ssl_combined

    SSLEngine on
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ProxyPreserveHost On
    RewriteEngine on
    CacheDisable *

    # Rewrite the WWW-Authenticate header to strip out Windows Integrated
    # Authentication (NTLM) and only use Basic-Auth
    SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
    Header unset WWW-Authenticate
    Header add WWW-Authenticate "Basic realm=webmail.domain.com"

    # Redirect / to /exchange
    RewriteRule ^/$ https://webmail.domain.com/exchange/ [R]

    # Reverse proxy all requests to the internal Exchange 2007 server
    RewriteRule ^/(.*) https://exchange.domain.internal/$1 [P]

    # Note: "ALL" leaves SSLv2, LOW and 40-bit export (EXP) suites enabled;
    # the "+" entries only reorder them. Tighten this before production use.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:RC4-MD5:+HIGH:+MEDIUM:+SSLv3:+SSLv2
    SSLCertificateFile /etc/apache2/ssl.crt/webmail.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/webmail.domain.com.key

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
```
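A tightened variant of the HTTPS virtual host above, added here as an example and not part of the original post: it keeps the single RewriteRule [P] approach but limits it to the OWA virtual directories, replaces the cipher string, and verifies the internal server's certificate. The directory list (/exchange, /exchweb, /public, /owa) and the internal CA file path are assumptions to adjust for your environment.

```apache
<VirtualHost webmail.domain.com:443>
    ServerAdmin hostmaster@domain.com
    ServerName webmail.domain.com:443

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl.crt/webmail.domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/webmail.domain.com.key

    # Weak setting from the post, kept commented out for comparison:
    # "ALL" leaves SSLv2, LOW and 40-bit export suites available.
    #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # Corrected: drop SSLv2/SSLv3 and allow only strong, authenticated suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
    SSLHonorCipherOrder On

    # Validate the internal Exchange server's certificate on the proxied
    # connection instead of accepting any certificate.
    # Assumption: the issuing CA for exchange.domain.internal is in this file.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl.crt/internal-ca.crt

    RequestHeader set Front-End-Https "On"
    ProxyPreserveHost On
    RewriteEngine on

    # Redirect / to /exchange (as in the post)
    RewriteRule ^/$ https://webmail.domain.com/exchange/ [R,L]

    # Proxy only the OWA virtual directories rather than every path.
    # Assumption: these four are the directories your users need.
    RewriteRule ^/(exchange|exchweb|public|owa)(/.*)?$ https://exchange.domain.internal/$1$2 [P,L]

    # Anything else never reaches the internal server.
    RewriteRule ^ - [F]
</VirtualHost>
```

Run `apachectl configtest` after editing, then confirm that a request for a path outside the list returns 403 from Apache rather than a response from Exchange.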

