[squid-users] Squid 3.4.1 as a reverse Proxy for Exchange 2016 - Problems with Exchange Active Sync

Philipp Fischer pfischer at outlook.de
Wed Feb 10 14:40:11 UTC 2016 

Hi,

i´m trying to get squid working as reverse Proxy for Exchange 2016.

Actually  it works quite smooth for OWA but fails again and again when trying to connecto to the EAS Site of my Exchange.

>From the IIS-Logs of the mailserver i can see 401 replys two or three times and then squid sends the user credentials which results in a 200 message.

When using EAS the connect (from Exchange remote connectivty analyzer) connects to the autodiscover site first – which produces about three 401´s and then to the eas-site – again about two or three 401´s.

Most times after the 5th 401 reply (not authenticated) squid cuts off the Connection – is there any way to push squid to do more retries after a 401 error?

Here´s my IIS-Log:

2016-02-10 13:18:56 10.89.5.3 OPTIONS /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=PBUQLXUG4EOZTNG08F3BGG&cafeReqId=f7e3c699-96b5-4e79-8a54-03334a9fe7fe; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 0 0 78

2016-02-10 13:18:56 10.89.5.3 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=LBQ9QZKE0YCFS3BZUOYG&cafeReqId=392f5e78-5272-4ed1-a062-c1706e341dbf; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 0 0 0

2016-02-10 13:19:04 10.89.5.3 POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=XTSRHRKWV0ETDZKCRLXO6W&cafeReqId=684a8948-eeb9-401f-a9bf-61d2581f138f; 443 DOMAIN\test 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 200 0 0 7515

2016-02-10 13:19:05 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=POVVU5U8Z0SDIKZWQEPRNA&cafeReqId=109adc1a-93f9-4491-aadc-b615e5b7c36a; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 0

Line 390924: 2016-02-10 13:19:07 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=YDXPIAVIDEYCERPKPSRQ&cafeReqId=402020a7-2bd9-4540-9050-b6dd9e34a136; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 124

Line 390929: 2016-02-10 13:19:07 10.89.5.3 OPTIONS /Microsoft-Server-ActiveSync/default.eas &CorrelationID=<empty>;&ClientId=PTIZMVB6NUOH1AJ1MGWWA&cafeReqId=2b329cfa-a318-4102-bb5c-3a7652e84d5d; 443 DOMAIN\test 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 200 0 0 390

Line 390934: 2016-02-10 13:19:07 10.89.5.3 POST /Microsoft-Server-ActiveSync/default.eas Cmd=FolderSync&User=test&DeviceId=1797657923&DeviceType=TestActiveSyncConnectivity&CorrelationID=<empty>;&ClientId=QC284CQDGK2JMD9TA6X6G&cafeReqId=d9ceafa7-9767-4552-bb34-2444c6435a10; 443 - 10.89.5.248 Microsoft-Server-ActiveSync/12.0+(TestExchangeConnectivity.com) - 401 2 5 0

And here´s my Squid.conf:

# This file is automatically generated by pfSense
# Do not edit manually !

icp_port 0
dns_v4_first on
pid_filename /var/run/squid/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/local/libexec/squid/pinger

logfile_rotate 10
debug_options rotate=10
shutdown_lifetime 3 seconds
forwarded_for on
uri_whitespace strip

acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic

cache_mem 64 MB
maximum_object_size_in_memory 256 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
minimum_object_size 0 KB
maximum_object_size 4 MB
cache_dir ufs /var/squid/cache 100 16 256
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:    1440  20%  10080
refresh_pattern ^gopher:  1440  0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
refresh_pattern .    0  20%  4320


#Remote proxies


# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 8080   1025-65535 
acl sslports port 443 563 8080 

# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object

acl purge method PURGE
acl connect method CONNECT

# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
http_access allow manager localhost

http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost

request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc

# Reverse Proxy settings
http_port 10.0.0.3:80 accel defaultsite=mail.DOMAIN.de vhost
https_port 10.0.0.3:443 accel cert=/usr/pbi/squid-amd64/local/etc/squid/56b21e54ee18f.crt key=/usr/pbi/squid-amd64/local/etc/squid/56b21e54ee18f.key  defaultsite=mail.DOMAIN.de vhost
cache_peer 10.89.5.3 parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_1_pfs
cache_peer 10.89.5.3 parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_1_pfs
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/owa.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/exchange.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/public.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/exchweb.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/ecp.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/OAB.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/Microsoft-Server-ActiveSync.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/rpc/rpcproxy.dll.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/rpcwithcert/rpcproxy.dll.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/mapi.*$
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/EWS.*$
acl OWA_URI_pfs url_regex -i ^http://mail.DOMAIN.de/AutoDiscover/AutoDiscover.xml
acl OWA_URI_pfs url_regex -i ^https://mail.DOMAIN.de/AutoDiscover/AutoDiscover.xml
acl OWA_URI_pfs url_regex -i ^http://autodiscover.DOMAIN.de/AutoDiscover/AutoDiscover.xml
acl OWA_URI_pfs url_regex -i ^https://autodiscover.DOMAIN.de/AutoDiscover/AutoDiscover.xml
cache_peer_access OWA_HOST_443_1_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_80_1_pfs allow OWA_URI_pfs
cache_peer_access OWA_HOST_443_1_pfs deny allsrc
cache_peer_access OWA_HOST_80_1_pfs deny allsrc
never_direct allow OWA_URI_pfs
http_access allow OWA_URI_pfs


# Custom options before auth


# Setup allowed ACLs
# Default block all to be sure
http_access deny allsrc

I also tried to Change the squid.conf to a example config from the faq´s – which had the same effect as described above.

Any ideas anybody?

Thx for your help in advance…

Greetings,
Philipp
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160210/becc8b5a/attachment.html>

More information about the squid-users mailing list