FUN WITH LINUX

Reverse-Proxy for Exchange 2003

26 May 2015

I know that nobody should use Microsoft Exchange 2003 anymore, but there are still some 2003 servers out there. I wanted to build a reverse proxy on Linux for such an Exchange server, at least to get better encryption, when some problems appeared:

MS RPC over HTTP breaks the HTTP standard

I first tried to build the reverse proxy with apache2. Microsoft's RPC over HTTP does not behave like ordinary HTTP: it uses its own request methods (RPC_IN_DATA and RPC_OUT_DATA) and keeps two half-duplex HTTP connections open with a declared body length of 1 GB that is streamed rather than completed. Apache's proxy does not support that, and relaxing its HTTP handling to allow it would make the web server less secure. Other services such as Outlook Web Access work fine, even through apache2.
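
To make that concrete, here is an added example (not code from the original post): a small Python script that builds the two channel-opening requests an RPC-over-HTTP client sends and, when run from the command line, fires the OUT-channel request at a proxy over TLS to see whether the non-standard method reaches rpcproxy.dll at all. The host names webmail.example.com and mailsrv.example.local are assumed from this post; the reading of the returned status in reached_rpcproxy() (401 or 200 means rpcproxy answered, anything like 400/405/501 means a hop in front of it refused the request) is this example's own assumption, not a rule from the specification.

```python
"""Build the channel-opening requests of RPC over HTTP (MS-RPCH) and probe a
reverse proxy with one of them.  Added example; not code from the original post.

A session is two half-duplex HTTP requests to /rpc/rpcproxy.dll?server:port:
the IN channel (RPC_IN_DATA, declared 1 GiB body the client streams PDUs into)
and the OUT channel (RPC_OUT_DATA, 76-byte request body, 1 GiB declared
response body the server streams into).  A proxy that rejects unknown methods
or buffers a body before forwarding it breaks one or both channels.
"""
import socket
import ssl
import sys

RPC_IN_LENGTH = 1073741824   # IN channel: 1 GiB declared request body (never completes)
RPC_OUT_LENGTH = 76          # OUT channel: fixed 76-byte request body (the CONN/A1 PDU)


def build_rpc_request(method, proxy_host, mailbox_server, rpc_port):
    """Return the request head (bytes) a Windows RPC client sends to open one channel.

    The ?server:port query names the RPC endpoint behind rpcproxy.dll; the
    proxy DLL only accepts it if it is listed in its ValidPorts registry value.
    """
    if method not in ("RPC_IN_DATA", "RPC_OUT_DATA"):
        raise ValueError("not an RPC-over-HTTP method: %s" % method)
    length = RPC_IN_LENGTH if method == "RPC_IN_DATA" else RPC_OUT_LENGTH
    lines = [
        "%s /rpc/rpcproxy.dll?%s:%d HTTP/1.1" % (method, mailbox_server, rpc_port),
        "Accept: application/rpc",
        "User-Agent: MSRPC",
        "Host: %s" % proxy_host,
        "Content-Length: %d" % length,
        "Connection: Keep-Alive",
        "Cache-Control: no-cache",
        "Pragma: no-cache",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_status(response_head):
    """Return the numeric HTTP status from a response head, or None if it is not HTTP."""
    first = response_head.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def reached_rpcproxy(status):
    """Interpretation used by this probe (an assumption, not a spec rule):
    rpcproxy.dll behind IIS answers an unauthenticated channel open with 401
    and an authenticated one with 200; 400/405/501 and friends mean something
    in front of it rejected the non-standard method or request."""
    return status in (200, 401)


def probe(proxy_host, proxy_port, mailbox_server, rpc_port=6001, timeout=10.0):
    """Open an OUT channel through the proxy over TLS and return the HTTP status.

    The OUT channel is used because the server answers its request head right
    away; an IN channel would sit waiting for 1 GiB of PDUs.  The 76 body
    bytes are zero filler (constructed; a real client sends a CONN/A1 PDU),
    which is enough to learn whether the method was passed through.
    """
    # Certificate verification stays on; for a self-signed proxy certificate
    # add it with ctx.load_verify_locations("/path/to/haproxy-cert.pem").
    ctx = ssl.create_default_context()
    request = build_rpc_request("RPC_OUT_DATA", proxy_host, mailbox_server, rpc_port)
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=proxy_host) as tls:
            tls.sendall(request + b"\x00" * RPC_OUT_LENGTH)
            head = tls.recv(4096)
    return parse_status(head)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: rpch_probe.py <proxy-host> <proxy-port> <mailbox-server>")
    status = probe(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    verdict = "reached rpcproxy" if reached_rpcproxy(status) else "blocked in front of rpcproxy"
    print("status %s: %s" % (status, verdict))
```

Run it as `python3 rpch_probe.py webmail.example.com 9443 mailsrv.example.local` against the proxy: a 401 from IIS proves the RPC_OUT_DATA method made it through to the Exchange server, which is exactly the part that the Apache attempt could not deliver.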

HAProxy

HAProxy is a solid proxy that runs well on Linux and, unlike Apache, can pass the RPC-over-HTTP traffic through untouched in TCP mode. After editing the configuration, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates it before a reload; a frontend that points to a backend name which does not exist is a fatal error that this check catches.

This is my haproxy.cfg:

global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3

defaults
        log global
        mode http
        option httplog
        # option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend exchange-ssl
        mode tcp
        # TLS is terminated here with the cipher list from "global" and
        # re-encrypted towards Exchange in the backend below
        bind 192.168.24.4:9443 ssl crt /etc/ssl/webmail/haproxy.pem
        option tcplog
        default_backend exchange_backend
        # reqadd, option forwardfor, option httpclose and cookie are HTTP-mode
        # directives; in mode tcp HAProxy ignores them with a warning, so they
        # are left out here

backend exchange_backend
        mode tcp
        # "verify none" encrypts the hop to Exchange but does not check its
        # certificate. With the Exchange 2003 certificate (or its CA) exported
        # to a PEM file, use instead:
        #   ssl verify required ca-file /etc/ssl/webmail/exchange-ca.pem
        # (the file name is an example, not part of the original setup)
        server server1 192.168.0.6:443 maxconn 1024 check ssl verify none
        stick on src
        stick-table type ip size 10240k expire 240m
        # an HTTP health check is still allowed in tcp mode
        option httpchk HEAD / HTTP/1.0
        option redispatch
        option abortonclose

frontend rpc-front
        # 135 is the RPC endpoint mapper; 60200 and 60201 are the two fixed
        # RPC ports this Exchange server uses
        bind :135,:60200,:60201
        mode tcp
        maxconn 40000
        default_backend rpc-server

backend rpc-server
        # "defaults" sets mode http; without this line the backend would
        # inherit it and try to parse raw MAPI/RPC as HTTP
        mode tcp
        stick-table type ip size 10240k expire 60m
        stick on src
        option redispatch
        option abortonclose
        balance leastconn
        # no port on the server address: each connection is forwarded to the
        # same port it arrived on (135, 60200 or 60201)
        server EXCH01 192.168.0.6 weight 1 check port 135 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions

Exchange Registry

Even with HAProxy, it didn't work. It was pretty difficult to find the cause, but in the end I found it. I just changed the right registry key on the Exchange server:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004"

I just had to add the public fully qualified domain name of the mail server here. The RPC proxy only forwards to a server:port that is listed in ValidPorts, and the server:port it checks is the one from the query string of the RPC_IN_DATA/RPC_OUT_DATA request URL, so the name that ends up there when Outlook connects through the reverse proxy (here the public name) has to be on the list as well:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy]
"Enabled"=dword:00000001
"ValidPorts"="webmail.example.com:6001-6002;mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004;webmail.example.com:6004"

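
Editing that value by hand is easy to get wrong (a missing port range for one of the names silently breaks that endpoint). As an added example that is not part of the original post, the following Python script parses a ValidPorts value, mirrors every port range allowed for the internal names onto the public name, renders the key as a .reg file for regedit, and can answer whether a given server:port from an RPC-over-HTTP request URL would be accepted. The names mailsrv, mailsrv.example.local and webmail.example.com and the sample value are taken from this post; the case-insensitive host comparison in allows() is this example's choice, and it goes one step beyond the post by handling any number of internal names and port ranges rather than the two listed here.

```python
"""Mirror RpcProxy ValidPorts entries of the internal Exchange name(s) onto the
public name and write a .reg file.  Added example; not code from the original post.

Usage:
  python3 validports.py "<current ValidPorts value>" <public-name> <internal-name>... > validports.reg
"""
import sys

# Constructed sample value: the ValidPorts the post starts from (names assumed).
SAMPLE_VALUE = "mailsrv:6001-6002;mailsrv.example.local:6001-6002;mailsrv:6004;mailsrv.example.local:6004"
SAMPLE_INTERNAL = ["mailsrv", "mailsrv.example.local"]
SAMPLE_PUBLIC = "webmail.example.com"


def parse_valid_ports(value):
    """'host:6001-6002;host:6004' -> [('host', '6001-6002'), ('host', '6004')]."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        host, sep, ports = item.rpartition(":")
        if not sep or not host or not ports:
            raise ValueError("malformed ValidPorts entry: %r" % item)
        entries.append((host, ports))
    return entries


def add_public_name(value, internal_names, public_name):
    """Return ValidPorts with every port (range) allowed for one of the internal
    names also allowed for public_name; duplicates are dropped and the existing
    order is kept, so running it twice is a no-op."""
    internal = set(n.lower() for n in internal_names)
    seen = {}  # insertion-ordered dict used as an ordered set of (host, ports)
    for entry in parse_valid_ports(value):
        seen.setdefault(entry, None)
    for host, ports in parse_valid_ports(value):
        if host.lower() in internal:
            seen.setdefault((public_name, ports), None)
    return ";".join("%s:%s" % (host, ports) for host, ports in seen)


def allows(value, host, port):
    """Would rpcproxy accept ?host:port with this ValidPorts value?
    Ranges are inclusive; the host comparison here is case-insensitive."""
    for entry_host, ports in parse_valid_ports(value):
        if entry_host.lower() != host.lower():
            continue
        lo, _, hi = ports.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def reg_file(value):
    """Render the RpcProxy key as a regedit 5.00 file (CRLF line endings)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\RpcProxy]\r\n"
            "\"Enabled\"=dword:00000001\r\n"
            "\"ValidPorts\"=\"%s\"\r\n" % escaped)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        current, public, internal = SAMPLE_VALUE, SAMPLE_PUBLIC, SAMPLE_INTERNAL
    else:
        current, public, internal = sys.argv[1], sys.argv[2], sys.argv[3:]
    updated = add_public_name(current, internal, public)
    sys.stdout.write(reg_file(updated))
```

Import the generated file on the Exchange server with `regedit /s validports.reg`; allows() is handy for checking, before rolling out a profile change, that the exact server:port Outlook will put in its request URL is on the list.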
Tags: Linux, Sysadmin, Microsoft, Proxy, haproxy
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti