Can't access OWA, OA and ActiveSync

Can't access OWA, OA and ActiveSync

wld75
Hi All,

Business Objective
Outside users (users travelling) should be able to access their email
through NGINX and it should redirect the connection to my Internal Exchange
server for authentication and access:
1. OWA
2. Outlook Anywhere
3. ActiveSync


My environment info:
Client email access through External Proxy server is mail.example.com, IP
223.153.119.18.
External DNS A record for mail.example.com points to IP 223.153.119.18

Internal Exchange server is EX-01.example.com with internal IP 10.10.10.11
Internal DNS A record for mail.example.com points to 10.10.10.11

So, if you noticed, all the outside users' email clients will look for
mail.example.com with external IP 223.153.119.18.


Problem:
From outside my office, I used my laptop to test.

1. Open browser, https://mail.example.com/owa
The authentication prompt pops up and I entered my credentials, but it keeps failing.

2. Outlook Anywhere got the pop-up for authentication, but it still keeps
failing too.

Remark: Remember that mail.example.com, which I entered in my browser, points to my
external IP 223.153.119.18

Hope that by looking at my nginx config file below, the NGINX or the Exchange
expert can spot my mistake.

Below is my NGINX config:
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  www.example.com;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        access_log  logs/www.access.log  main;
        error_log  logs/www.error.log;
    }


    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    server {
        listen 443 ssl;
        server_name     mail.example.com      autodiscover.example.com;

        ssl_certificate /etc/ssl/certs/mail.example.com.crt;
        ssl_certificate_key     /etc/ssl/private/mail.example.com.rsa;
        ssl_session_timeout     5m;

        client_max_body_size    3G;
        tcp_nodelay     on;

        proxy_request_buffering off;
        proxy_http_version      1.1;
        proxy_read_timeout      360;
        proxy_pass_header       Date;
        proxy_pass_header       Server;
        proxy_pass_header       Authorization;
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_request_headers      on;
        proxy_set_header        Accept-Encoding "";
        proxy_buffering off;
        proxy_set_header        Connection "Keep-Alive";

        location / {
                #return 301 https://$host$request_uri;
                #return 301 https://ex-01.esuria.local/owa;
                #return 301 https://10.10.11.11/owa;
                return 301 https://mail.example.com/owa;
        }

        location ~* ^/owa {
                proxy_pass      https://EX-01.example.com;
        }

        location ~* ^/Microsoft-Server-ActiveSync {
                proxy_pass      https://EX-01.example.com;
        }

        location ~* ^/rpc {
                proxy_pass      https://EX-01.example.com;
        }

        location ~* ^/ews {
                proxy_pass      https://EX-01.example.com;
        }

        location ~* ^/autodiscover {
                proxy_pass      https://EX-01.example.com;
        }

        access_log      /usr/local/nginx/logs/mail.access.log   main;
        error_log       /usr/local/nginx/logs/mail.error.log;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,281555,281555#msg-281555

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: Can't access OWA, OA and ActiveSync

Francis Daly
On Mon, Oct 08, 2018 at 11:58:38PM -0400, alisampras wrote:

Hi there,

I have not tried putting anything to do with Exchange behind nginx, so I do not
have any tested-config for you.

However...

> Business Objective
> Outside users (users travelling) should be able to access their email
> through NGINX and it should redirect the connection to my Internal Exchange
> server for authentication and access:
> 1. OWA
> 2. Outlook Anywhere
> 3. ActiveSync

When I do a Google search for "nginx owa", among the first few results I get are

https://docs.nginx.com/nginx/deployment-guides/microsoft-exchange-load-balancing-nginx-plus/

https://www.reddit.com/r/sysadmin/comments/6wq3rj/nginx_reverse_proxy_to_exchange/

https://gist.github.com/taddev/7275873

The general impression I get from reading those is that, for this to work,
it depends significantly on the versions of Exchange and friends, and
on the configuration of Exchange and friends.

Generally: RPC is bad; NTLM authentication is bad; many other things
are good.

It does appear that there are some versions and configurations of Exchange
and friends that stock-nginx will not successfully reverse-proxy; if you
must use some of those, then you may be much happier using a different
product to do the reverse-proxying.

Both "haproxy" and "nginx plus" appear to have some reports of being
made to work.

Good luck with it,

        f
--
Francis Daly        [hidden email]
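
Added example, not part of either post and not nginx or Exchange code: the reply singles out NTLM authentication as a problem for stock nginx, so a useful first check is which schemes each proxied path offers in its 401 challenge. The sketch parses WWW-Authenticate headers for the locations in the posted config; the sample responses are constructed, and the function names and the grouping of Negotiate with NTLM are assumptions of the example.

```python
import re

# Schemes that authenticate the TCP connection rather than each request.
# Assumption of this example: Negotiate is grouped with NTLM (it can fall back).
CONNECTION_BOUND = {"ntlm", "negotiate"}

# Constructed sample responses, keyed by the locations in the posted config.
SAMPLES = {
    "/rpc": "HTTP/1.1 401 Unauthorized\r\n"
            "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n",
    "/Microsoft-Server-ActiveSync": "HTTP/1.1 401 Unauthorized\r\n"
            'WWW-Authenticate: Basic realm="mail.example.com"\r\n\r\n',
    "/ews": "HTTP/1.1 401 Unauthorized\r\n"
            'WWW-Authenticate: Negotiate, NTLM, Basic realm="a,b"\r\n\r\n',
    "/owa": "HTTP/1.1 302 Found\r\nLocation: /owa/auth/logon.aspx\r\n\r\n",
}

def split_outside_quotes(value):
    """Split on commas that are followed by an even number of double quotes."""
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value)
    return [p.strip() for p in parts if p.strip()]

def offered_schemes(raw_response):
    """Return the schemes named in every WWW-Authenticate header, in order."""
    schemes = []
    for line in raw_response.splitlines()[1:]:    # skip the status line
        if not line.strip():
            break                                 # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for piece in split_outside_quotes(value):
            first = piece.split()[0]
            if "=" not in first:    # "realm=..." continues the previous challenge
                schemes.append(first.lower())
    return schemes

def classify(raw_response):
    """Label a response by the kind of authentication challenge it carries."""
    bound = [s in CONNECTION_BOUND for s in offered_schemes(raw_response)]
    if not bound:
        return "no-challenge"
    if all(bound):
        return "connection-bound-only"
    return "mixed" if any(bound) else "per-request"

if __name__ == "__main__":
    for path, response in SAMPLES.items():
        print(f"{path:32} {classify(response)}")
```

Fed real 401 responses captured from the Exchange server, a path labelled connection-bound-only is one where the reply's NTLM caveat applies.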