Exchange: Difference between revisions
Latest revision as of 19:30, 18 January 2017
Remote access to Outlook Web Access via Apache
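You need mod_headers and the mod_proxy modules enabled; the virtual host below also uses RewriteEngine, so mod_rewrite must be enabled too. SSL also needs to be enabled and a certificate needs to be generated. If you've changed your hostname, the default self-signed "snakeoil" certificate can be regenerated using:
<pre>
make-ssl-cert generate-default-snakeoil --force-overwrite
</pre>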
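Then in Apache you need to create a new virtual host:
<pre>
<VirtualHost remote.mydomain.com:443>
    ServerAdmin webmaster@localhost
    ServerName remote.mydomain.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    # Self-signed "snakeoil" certificate generated above; clients will not trust it by default
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Workarounds for old Internet Explorer TLS and keepalive behaviour
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # Redirect the site root to Outlook Web Access
    RewriteEngine On
    RewriteRule ^/$ /owa [R,L]

    # Tell Exchange that the client connection arrived over HTTPS
    RequestHeader set Front-End-Https "On"

    # Reverse proxy only (forward proxying off), using TLS to the internal Exchange server
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://mydomain-ad.local/
    ProxyPassReverse / https://mydomain-ad.local/

    # Talk HTTP/1.0 without keepalive to the backend
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</VirtualHost>
</pre>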
Autodiscover
Autodiscover is important.
You need to make sure you have an SRV record set in your DNS.
From Setting up autodiscover for SBS 2011
If you are using Exchange 2007 or Exchange 2010 (SBS or non-SBS) and are using a single-name certificate, this article is for you.

When you migrate to SBS 2008 or SBS 2011 and you already have a domain name, you don’t need to use the built-in domain registration wizard that is included in the SBS setup process. This is well and good, but it has a downside worth knowing about. You probably didn’t know it, but something that Microsoft does when they set up your new domain name at the registrar is create a custom SRV record for your domain so that Autodiscover will work properly for external client auto-configuration. This is because you are using a single-name cert, which isn’t what Exchange 2007/2010 was designed to use.

If you already have a domain name registered and are able to create your own DNS SRV records (some DNS hosts don’t allow SRV record creation), it would be a good idea to create an Autodiscover SRV record to make it easier for Outlook 2007/2010 clients to autoconfigure themselves for Outlook Anywhere (RPC-over-HTTPS) and ActiveSync. The details on how to set this record up are all in KB940881, but I’ll briefly summarize it here:

1. Get rid of any CNAME or A records for “autodiscover”, and any wildcard “*” records in the public DNS zone. This is a critical step, so don’t just drift past it.
2. Build the SRV record to look like this:

Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: remote.smallbizco.net

Weight and priority should normally both be set to zero.

Why do you need to do this for Autodiscover to work? Well when you feed an Outlook client an email address, it tries to autoconfigure itself, and it does this by trying to contact a series of hosts as follows:

- https://domainname.com/autodiscover/autodiscover.xml
- https://autodiscover.domainname.com/autodiscover/autodiscover.xml
- http://autodiscover.domainname.com/autodiscover/autodiscover.xml

After failing these steps, it will look for an SRV record, and if you haven’t created one, there won’t be one. We’ll come back to this point shortly.

Because your certificate is tied to a single name: remote.domainname.com, any https connection to the autodiscover URL will fail. If you want to create an A or CNAME record for ‘autodiscover’ that points to your server’s public IP and allow port 80 to your server, autodiscover will work, but you would then have allowed port 80 traffic to your server. An alternate option, still using SSL, is what this article is about. This method takes advantage of a feature that was added in Outlook 2007 SP1 that allows it to look for an SRV record and use the SRV record to find the “real” autodiscover host. In this case, the SRV record is pointing to remote.smallbizco.net, which is the name covered by the cert, so a secure connection to that server to get Autodiscover information will succeed. Got it? Great!

BTW, if you have a single-name cert on a non-SBS Exchange 2007 or Exchange 2010 server, you still want to use an SRV record as described above, but there will be other changes you will need to make to your environment as well, primarily resetting the URLs on most of your Exchange virtual directories so that they all point to the name that is on your certificate. This is something that the SBS wizards take care of automagically.
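The lookup order and SRV requirements described in the quoted article can be checked against a copy of the public DNS zone before clients are pointed at it. The following is an added example, not part of the quoted article or of this wiki's original text; the function names, the zone dictionaries and the 192.0.2.10 address are constructed for illustration.

```python
# Added illustration; zone contents below are constructed sample data.
PATH = "/autodiscover/autodiscover.xml"

def lookup_order(email):
    """Endpoints Outlook tries, in the order given in the quoted article."""
    domain = email.rsplit("@", 1)[1].lower()
    return domain, [
        f"https://{domain}{PATH}",
        f"https://autodiscover.{domain}{PATH}",
        f"http://autodiscover.{domain}{PATH}",
        f"SRV _autodiscover._tcp.{domain}",
    ]

def audit(email, zone, cert_names):
    """Return findings for a zone given as {(name, type): value}; [] means clean."""
    domain, _ = lookup_order(email)
    certs = {n.lower().rstrip(".") for n in cert_names}
    findings = []
    # Step 1: autodiscover and wildcard records answer before the SRV lookup.
    for name in (f"autodiscover.{domain}", f"*.{domain}"):
        for rtype in ("A", "CNAME"):
            if (name, rtype) in zone:
                findings.append(f"remove {rtype} record for {name}")
    srv = zone.get((f"_autodiscover._tcp.{domain}", "SRV"))
    if srv is None:
        return findings + ["no _autodiscover._tcp SRV record"]
    _, _, port, target = srv.split()
    target = target.lower().rstrip(".")
    if port != "443":
        findings.append(f"SRV port is {port}, expected 443")
    if target not in certs:
        findings.append(f"SRV target {target} is not a name on the certificate")
    return findings

# Constructed zones: SRV value is "priority weight port target".
BAD_ZONE = {
    ("autodiscover.smallbizco.net", "CNAME"): "remote.smallbizco.net.",
    ("*.smallbizco.net", "A"): "192.0.2.10",
    ("_autodiscover._tcp.smallbizco.net", "SRV"): "0 0 443 mail.smallbizco.net.",
}
GOOD_ZONE = {
    ("smallbizco.net", "A"): "192.0.2.10",
    ("remote.smallbizco.net", "A"): "192.0.2.10",
    ("_autodiscover._tcp.smallbizco.net", "SRV"): "0 0 443 remote.smallbizco.net.",
}

if __name__ == "__main__":
    for label, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(label, audit("user@smallbizco.net", zone, ["remote.smallbizco.net"]))
```

An empty result means the only Autodiscover path left is the SRV record, and it points at the name the single-name certificate covers.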
Testing autodiscover
To check the Autodiscover service, hold down Ctrl whilst right-clicking the Outlook icon in the system tray and choose "Test E-mail configuration".
You can also check by browsing to https://mydomain-ad.local/autodiscover/autodiscover.xml and seeing if you get a response.
There is an external Microsoft test at https://www.testexchangeconnectivity.com/ where you want to turn on "Ignore trust for SSL" (the snakeoil certificate is self-signed, so the test would otherwise fail on certificate trust).