Problems with Exchange 2010 and NginX reverse proxy
-
I recently setup ownCloud at a client and now that it is all working and data is moved I wanted to serve it up outside the LAN.
I setup an NginX proxy on CentOS 7 easily enough, but everytime I point the port-forward rules to the proxy, I lose access to OWA and apparently OA because Outlook cannot connect either.
Very few users access Exchange outside the office on anything beside their phones and those devices are currently still pulling data somehow.
I am completely lost on how to get this to work. Been on Google for a few hours now.
Taking a break and will be back at this in an hour or so.
This is one of the errors see, but the iPhones are sitll pulling data.
2015/12/09 16:39:13 [error] 8195#0: *4108 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 166.175.186.217, server: remote.domain.com, request: "POST /Microsoft-Server-ActiveSync?User=username&DeviceId=FIE5P6M7793VB1K5ASN0B29QM8&DeviceType=iPhone&Cmd=Ping HTTP/1.1", upstream: "https://10.202.1.14:443/Microsoft-Server-ActiveSync?User=username&DeviceId=FIE5P6M7793VB1K5ASN0B29QM8&DeviceType=iPhone&Cmd=Ping", host: "remote.domain.com"OWA looks like this:
# /var/log/nginx/owa-ssl-access.log XXX.XXX.XXX.199 - - [09/Dec/2015:16:54:41 -0600] "GET /owa/ HTTP/1.1" 502 172 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0"# /var/log/nginx/owa-ssl-error.log 2015/12/09 16:54:41 [error] 8195#0: *5288 upstream prematurely closed connection while reading response header from upstream, client: XXX.XXX.XXX.XXX, server: remote.domain.com, request: "GET /owa/ HTTP/1.1", upstream: "https://10.202.1.14:443/owa/", host: "remote.domain.com"https://i.imgur.com/Hni6gV5.jpg
Here is the config. I have tried a basic config with almost none of the extra locations and option all the way up to this full config.
# /etc/nginx/conf.d/remote.domain.com.conf server { listen 80; server_name remote.domain.com autodiscover.domain.com; return 301 https://$host$request_uri; } server { listen 443; ssl on; ssl_certificate /etc/ssl/remote.domain.com-unified.crt; ssl_certificate_key /etc/ssl/remote.domain.com.key; ssl_session_timeout 5m; server_name remote.domain.com autodiscover.domain.com; # Set global proxy settings proxy_http_version 1.1; proxy_connect_timeout 360; proxy_read_timeout 360; proxy_pass_request_headers on; proxy_pass_header Date; proxy_pass_header Server; proxy_pass_header Authorization; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Accept-Encoding ""; location / { proxy_pass https://10.202.1.14; } location ~* ^/owa { proxy_pass https://10.202.1.14; } location ~* ^/ecp { proxy_pass https://10.202.1.14; } location ~* ^/rpc { proxy_pass https://10.202.1.14; } location ~* ^/ews { proxy_pass https://10.202.1.14; } location ~* ^/exchweb { proxy_pass https://10.202.1.14; } location ~* ^/public { proxy_pass https://10.202.1.14; } location ~* ^/exchange { proxy_pass https://10.202.1.14; } location ~* ^/Microsoft-Server-ActiveSync { proxy_set_header X-Forwarded-Proto https; proxy_pass https://10.202.1.14; } location ~* ^/autodiscover { proxy_pass https://10.202.1.14; } error_log /var/log/nginx/owa-ssl-error.log; access_log /var/log/nginx/owa-ssl-access.log; } -
Nice... I'm interest in getting rid of my old ISA server... NGINX should be good.
-
This is f[moderated] up.
OWA (HTTP 502) and Outlook 2013 (HTTP 401) on my PC will not connect.
Outlook 2016 on my MacBook connects perfectly.
-
@JaredBusch said:
This is f[moderated] up.
OWA (HTTP 502) and Outlook 2013 (HTTP 401) on my PC will not connect.
Outlook 2016 on my MacBook connects perfectly.
What browser?
-
@Dashrender said:
@JaredBusch said:
This is f[moderated] up.
OWA (HTTP 502) and Outlook 2013 (HTTP 401) on my PC will not connect.
Outlook 2016 on my MacBook connects perfectly.
What browser?
All
-
Does OWA work on the MAC?
-
-
At this point I think I will just add another of the IP addressed the client owns to their router and put owncloud there behind the proxy and then any new things can use that too.
-
What are you protecting exchange with?
-
Just found this post.
http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/I will certainly be trying this out with a client that has Exchange 2013.
I also found this
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx -
@Dashrender said:
What are you protecting exchange with?
Missed following up on this question. This client uses Google Message Security that was migrated in from Postini.
-
@JaredBusch said:
Just found this post.
http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/I will certainly be trying this out with a client that has Exchange 2013.
I also found this
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspxDid this end up working for you
-
@wirestyle22 said:
@JaredBusch said:
Just found this post.
http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/I will certainly be trying this out with a client that has Exchange 2013.
I also found this
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspxDid this end up working for you
Not using them. As I just stated, I just found them and will try it out.
-
Have you run the remote connectivity analyzer?
https://testconnectivity.microsoft.com/ -
@nadnerB said:
Have you run the remote connectivity analyzer?
https://testconnectivity.microsoft.com/Umm, why?
I am not having any connectivity issues. The problem with a proxy and Exchange is how Exchange handles ActiveSync and OutlookAnywhere. These are well known issues that are well documented when you try to implement a proxy.
-
Whoops, I misread part of your OP. Never mind.
-
I have a new solution to try maybe tomorrow.
http://blog.adamjoshuasmith.com/deploying-exchange-2016-behind-nginx-free/ -
no one has tried to get nginx-extras into a mainstream or alternate repo, so I may roll a Debian proxy just because. I hate to mix OS like this, though. Keeps things simpler when everything is the same OS, no technical reasoning.
-
So before I go and spin up an Ubuntu 17.04 VM, does anyone know of any methods to get the stuff that
nginx-extrasadds on Debian to a Fedora based install? -
@JaredBusch said in Problems with Exchange 2010 and NginX reverse proxy:
So before I go and spin up an Ubuntu 17.04 VM, does anyone know of any methods to get the stuff that
nginx-extrasadds on Debian to a Fedora based install?Other then compiling it from source? I don't think so.
