[FW1] RE: [fw1-wizards] OWA 2000 behind https security server
Dan,

The problem is not with the exchange part, this is handled by CheckPoint. The problem lies in the fact that we use a front end server.

In the new OWA2000 setup, both the backend and the frontend server generate URL's which contain absolute links in the form of: http://server/exchange/... If the frontend server is listening on port 443 (https) the urls are prefixed with https:// iso http://.

However, if you use FW-1 as a reverse proxy the URL's need to be in the form of https:// but the communication with the front end server is on port 80 (http).

You can force OWA2000 into using https:// links by setting the headers FRONT-END-HTTPS: on, but I do not know if I can do that via FW-1.

Regards,
Frank

> -----Original Message-----
> From: Newcomb, Dan [mailto:[email protected]]
> Sent: Friday, 03 August, 2001 14:29
> To: Frank Breedijk
> Subject: RE: [fw1-wizards] OWA 2000 behind https security server
>
> Frank,
> We tried doing something similar to this with no luck. The /exchange
> portion is put in at the time install of OWA. We tried making some
> modifications in the exchange directory and was able to get the mod version
> of directory however, we couldn't get the upload functionality of OWA to
> work then.
>
> Dan
>
> -----Original Message-----
> From: Frank Breedijk
> To: [email protected]; [email protected]
> Cc: Johan Pater (E-mail); Ton van Rijswijk; Walter de Neve
> Sent: 7/31/01 7:54 AM
> Subject: [fw1-wizards] OWA 2000 behind https security server
>
> Dear all,
>
> We want to set up the following:
>
>  ______   https   _____   http   _________
> |Client|--------->|FW1|-------->|OWA 200|
>  ~~~~~~           ~~~~~          ~~~~~~~~
>
> The client accesses an Outlook Web Access 2000 server as a virtual
> server on the firewall ( http://firewall.bla.com/owa maps to
> http://intranet-name/ )
>
> However, the OWA server passes some URLS back which are in the form of
> http://firewall.bla.com/exchange .
>
> This would terminate the encrypted connection and will not work in our
> configuration.
>
> We found a MS knowledge base article which describes this:
>
> http://support.microsoft.com/support/kb/articles/Q260/7/72.ASP?LN=EN-US&SD=gn&FR=0&qry=OWA%20front-end-https&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=EXCH2K
>
> CAUSE
>
> This problem is caused because the back-end server sometimes needs to
> send the client URLs to items, such as when the OWA client retrieves a
> list of messages in the inbox. When the client uses SSL to connect to
> the front-end server, the front-end server terminates the SSL connection
> and HTTP traffic between the front-end server and back-end server is in
> clear text. The front-end server notifies the back-end server that SSL
> was used so that when returning URLs, the back-end uses https:// instead
> of http://.
>
> The front-end server notifies the back-end server that SSL was used by
> passing in this HTTP header with each request:
>
> Front-End-Https: On
>
> When the back-end server receives this header in a request, it sends
> back https:// URLs instead of http:// when it responds. When there is a
> separate server between the client and front-end that terminates the SSL
> connection, it needs to be able to add this header to notify the
> front-end server that SSL was used so that the front-end can in turn
> notify the back-end.
>
> RESOLUTION
>
> To resolve this problem, configure the proxy server to add the following
> header on upstream requests when OWA SSL requests are received:
>
> Front-End-Https: On
>
> If the server cannot add this header, then you can also configure that
> server to re-initiate SSL between itself and the front-end. Although
> there is a performance hit for this, it ensures that the front-end
> server adds the header when it proxies the requests to the back-end
> server.
>
> Is there a way to add the mentioned header to the stream?
>
> Regards,
>
> Frank Breedijk
> ICT Security Officer
> T: +31 20 88 78 113
> F: +31 20 88 78 101
> M: +31 6 29 007 623
> E: [email protected]
> http://www.interxion.com/
>
> Interxion HeadQuarters BV
> Gyroscoopweg 144
> 1042 AZ Amsterdam
> The Netherlands
> where the internet lives

---------------------------------------------------------------------
FireWall-1 Wizards Mailing List (http://www.phoneboy.com/wizards/)