
[FW1] RE: [fw1-wizards] OWA 2000 behind https security server



Dan,

The problem is not with the exchange part, this is handled by
CheckPoint. The problem lies in the fact that we use a front end server.
In the new OWA2000 setup, both the backend and the frontend server
generate URLs which contain absolute links in the form of:
http://server/exchange/... If the frontend server is listening on port
443 (https) the URLs are prefixed with https:// instead of http://. However,
if you use FW-1 as a reverse proxy the URLs need to be in the form of
https:// but the communication with the front end server is on port 80
(http).

You can force OWA2000 into using https:// links by setting the headers
FRONT-END-HTTPS: on, but I do not know if I can do that via FW-1.

Regards,
Frank

> -----Original Message-----
> From: Newcomb, Dan [mailto:[email protected]]
> Sent: Friday, 03 August, 2001 14:29
> To: Frank Breedijk
> Subject: RE: [fw1-wizards] OWA 2000 behind https security server
> 
> 
> Frank,
> We tried doing something similar to this with no luck. The /exchange
> portion is put in at the time of install of OWA. We tried making some
> modifications in the exchange directory and were able to get the mod
> version of the directory; however, we couldn't get the upload
> functionality of OWA to work then.
> 
> Dan
> -----Original Message-----
> From: Frank Breedijk
> To: [email protected];
> [email protected]
> Cc: Johan Pater (E-mail); Ton van Rijswijk; Walter de Neve
> Sent: 7/31/01 7:54 AM
> Subject: [fw1-wizards] OWA 2000 behind https security server
> 
> Dear all,
> 
>  
> We want to set up the following:
>  
> ______  https _____  http  _________
> |Client|--------->|FW1|-------->|OWA 200|
> ~~~~~          ~~~~~         ~~~~~~~~
>  
> The client accesses an Outlook Web Access 2000 server as a virtual
> server on the firewall (http://firewall.bla.com/owa maps to
> http://intranet-name/)
>  
> However, the OWA server passes some URLs back which are in the form of
> http://firewall.bla.com/exchange.
>  
> This would terminate the encrypted connection and will not work in our
> configuration.
>  
> We found a MS knowledge base article which describes this:
>  
> http://support.microsoft.com/support/kb/articles/Q260/7/72.ASP?LN=EN-US&SD=gn&FR=0&qry=OWA%20front-end-https&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=EXCH2K
>  
> 
> CAUSE
> 
> 
> This problem is caused because the back-end server sometimes needs to
> send the client URLs to items, such as when the OWA client retrieves a
> list of messages in the inbox. When the client uses SSL to connect to
> the front-end server, the front-end server terminates the SSL connection
> and HTTP traffic between the front-end server and back-end server is in
> clear text. The front-end server notifies the back-end server that SSL
> was used so that when returning URLs, the back-end uses https:// instead
> of http://. The front-end server notifies the back-end server that SSL
> was used by passing in this HTTP header with each request:


Front-End-Https: On 

When the back-end server receives this header in a request, it sends
back https:// URLs instead of http:// when it responds. When there is a
separate server between the client and front-end that terminates the SSL
connection, it needs to be able to add this header to notify the
front-end server that SSL was used so that the front-end can in turn
notify the back-end. 



RESOLUTION


To resolve this problem, configure the proxy server to add the following
header on upstream requests when OWA SSL requests are received: 


Front-End-Https: On 

If the server cannot add this header, then you can also configure that
server to re-initiate SSL between itself and the front-end. Although
there is a performance hit for this, it ensures that the front-end
server adds the header when it proxies the requests to the back-end
server. 

 
 
Is there a way to add the mentioned header to the stream?
 
Regards, 
Frank Breedijk
ICT Security Officer

T: +31 20 88 78 113
F: +31 20 88 78 101
M: +31 6 29 007 623
E: [email protected]
http://www.interxion.com/ <http://www.interxion.com/> 

Interxion HeadQuarters BV
Gyroscoopweg 144
1042 AZ  Amsterdam
The Netherlands

where the internet lives  


---------------------------------------------------------------------
FireWall-1 Wizards Mailing List (http://www.phoneboy.com/wizards/)



 
   All contents © 2004 Network Presence, LLC. All rights reserved.