[FW1] OWA 2000 behind https security server
Dear all,

We want to set up the following:

 ______   https    ___    http    _______
|Client|--------->|FW1|-------->|OWA 200|
 ~~~~~~            ~~~           ~~~~~~~

The client accesses an Outlook Web Access 2000 server as a virtual server on the firewall (http://firewall.bla.com/owa maps to http://intranet-name/).

However, the OWA server passes some URLs back which are in the form of http://firewall.bla.com/exchange. This would terminate the encrypted connection and will not work in our configuration.

We found a MS knowledge base article which describes this:

http://support.microsoft.com/support/kb/articles/Q260/7/72.ASP?LN=EN-US&SD=gn&FR=0&qry=OWA%20front-end-https&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=EXCH2K

CAUSE

This problem is caused because the back-end server sometimes needs to send the client URLs to items, such as when the OWA client retrieves a list of messages in the inbox. When the client uses SSL to connect to the front-end server, the front-end server terminates the SSL connection and HTTP traffic between the front-end server and back-end server is in clear text. The front-end server notifies the back-end server that SSL was used so that when returning URLs, the back-end uses https:// instead of http://. The front-end server notifies the back-end server that SSL was used by passing in this HTTP header with each request:

Front-End-Https: On

When the back-end server receives this header in a request, it sends back https:// URLs instead of http:// when it responds. When there is a separate server between the client and front-end that terminates the SSL connection, it needs to be able to add this header to notify the front-end server that SSL was used so that the front-end can in turn notify the back-end.

RESOLUTION

To resolve this problem, configure the proxy server to add the following header on upstream requests when OWA SSL requests are received:

Front-End-Https: On

If the server cannot add this header, then you can also configure that server to re-initiate SSL between itself and the front-end. Although there is a performance hit for this, it ensures that the front-end server adds the header when it proxies the requests to the back-end server.

Is there a way to add the mentioned header to the stream?

Regards,

Frank Breedijk
ICT Security Officer
T: +31 20 88 78 113
F: +31 20 88 78 101
M: +31 6 29 007 623
E: [email protected]
http://www.interxion.com/

Interxion HeadQuarters BV
Gyroscoopweg 144
1042 AZ Amsterdam
The Netherlands

where the internet lives
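
The header mechanism described in the quoted KB article, as an added example that is not part of the original post and is not Check Point or Microsoft code: a sketch of what an SSL-terminating proxy does to the upstream request, plus a model of how the back-end picks the URL scheme. The function names and the sample request are constructed, and dropping any client-supplied copy of the header is an assumption of this sketch, not something the article states.

```python
# Added illustration; names and sample data are constructed for this example.
HEADER = "front-end-https"

def rewrite_upstream_headers(raw_request: bytes, client_used_tls: bool) -> bytes:
    """Build the clear-text request a TLS-terminating proxy forwards upstream."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    request_line, *headers = head.decode("iso-8859-1").split("\r\n")
    kept, dropping = [], False
    for h in headers:
        if h[:1] in (" ", "\t"):  # folded continuation of the previous header
            if not dropping:
                kept.append(h)
            continue
        # Assumption: a client-supplied copy is never trusted and is dropped.
        dropping = h.split(":", 1)[0].strip().lower() == HEADER
        if not dropping:
            kept.append(h)
    if client_used_tls:
        kept.append("Front-End-Https: On")
    return "\r\n".join([request_line, *kept]).encode("iso-8859-1") + sep + body

def backend_item_url(upstream_request: bytes, path: str) -> str:
    """Model of the KB behaviour: URL scheme follows the header, not the socket."""
    head = upstream_request.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    fields = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    scheme = "https" if fields.get(HEADER, "").lower() == "on" else "http"
    return f"{scheme}://{fields.get('host', '')}{path}"

# Constructed request as it arrives at the proxy (host name from the post).
CLIENT_REQUEST = (b"GET /exchange/ HTTP/1.1\r\n"
                  b"Host: firewall.bla.com\r\n"
                  b"Accept: */*\r\n\r\n")

if __name__ == "__main__":
    for tls in (True, False):
        upstream = rewrite_upstream_headers(CLIENT_REQUEST, tls)
        print("client TLS:", tls, "->", backend_item_url(upstream, "/exchange/Inbox/"))
```

Without the header the modelled back-end returns http:// links, which is the symptom described in the post; with it the links stay on https://.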