Reverse Proxy to Exchange 2010

Dustin_Rowland · February 13, 2018, 4:22pm

I read a previous post about Exchange Reverse Proxy, but my issue is different I think.

At work we have 5 different HTTP(S) policies for different sites/services. I’m wanting to setup Caddy as an HTTP(S) reverse proxy for those sites so we can reclaim 4x external IPs for other work. I’ve got 2x of the sites working using the Proxy plugin without issues, but Exchange is a different bird. Using:

mail.externaldomain.com {
        log     /var/log/caddy/access.log
        errors  /var/log/caddy/errors.log
        proxy / https://mail1.internaldomain.com {
                transparent
        }
}

I am able to get access to the OWA, and that’s great. But when I use ExRCA to test ActiveSync or Outlook Connectivity I fail. The error is:

Testing the SSL certificate to make sure it's valid.
	The SSL certificate failed one or more certificate validation checks.
 	
	Test Steps

	The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.externaldomain.com on port 443.
	The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.

	Additional Details

		The SSL certificate failed validation for an unknown reason

My error log file doesn’t show any issues, and the access log just shows the OWA redirect (http 304)

Whitestrake · February 14, 2018, 12:33am

OWA issues redirects with Status 304 (Not Modified)? That seems odd.

I’m assuming if that’s the only transaction, the connection was initially made over HTTPS. If the request was successfully proxied to OWA, that means the certificate was definitely received by the client, because that needs to be negotiated before the request is sent to begin with. How else would the tool be checking for a certificate? Does it expect OWA to provide one rather than a TLS termination proxy?

JakeS · March 12, 2018, 3:45pm

I’m having the exact same issue with the Microsoft Connectivity Analyzer, cert failing validation for unknown reason.

Whitestrake · March 12, 2018, 11:59pm

Here’s what I don’t understand:

OWA can’t issue a response unless it receives a request (naturally)
Caddy can’t proxy the request to OWA unless it receives the request from the client
A client couldn’t make a proxy-able request of Caddy unless it connected over SSL…
A client can’t connect over SSL unless it receives the server’s SSL certificate

So how on earth did OWA issue a redirect while Microsoft somehow managed to NOT obtain the remote SSL certificate?

I’d advise looking further into Microsoft’s requirements, because if this behaviour is reproducible, the Microsoft Connectivity Analyzer obviously expects something they aren’t clearly communicating.

system · June 10, 2018, 11:59pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.