Reverse-Proxy for Exchange 2003

26 May 2015

I know that nobody should use Microsoft Exchange 2003 anymore, but there are still some 2003s out there. I wanted to set up a reverse proxy on Linux for such an Exchange server, to get at least better encryption, when some problems appeared:

MS RPC over HTTP breaks the HTTP-Standard

I tried to create a reverse proxy using apache2. Since Microsoft's RPC over HTTP breaks the HTTP standard (which would make a webserver more insecure), Apache does not support it. Other services like Outlook Web Access work, even with apache2.


Haproxy is a nice proxy which runs perfectly under linux.

This is my haproxy.cfg:

global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        ssl-default-bind-options no-sslv3

defaults
        log global
        mode http
        option httplog
# option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend exchange-ssl
        mode tcp
        bind ssl crt /etc/ssl/webmail/haproxy.pem
        # reqadd needs "mode http"; it is not applied in this tcp-mode frontend
        reqadd X-Forwarded-Proto:\ https
        option tcplog
        default_backend exchange_backend

backend exchange_backend
        mode tcp
        # "verify none": the Exchange server's certificate is not validated
        server server1 maxconn 1024 check ssl verify none
        stick on src
        stick-table type ip size 10240k expire 240m
        option httpchk HEAD / HTTP/1.0
        option redispatch
        option abortonclose
        # httpclose, forwardfor and cookie also need "mode http"
        option httpclose
        option forwardfor
        cookie JSESSIONID prefix

frontend rpc-front
        bind :135,:60200,:60201
        mode tcp
        maxconn 40000
        default_backend rpc-server

backend rpc-server
        stick-table type ip size 10240k expire 60m
        stick on src
        option redispatch
        option abortonclose
        balance leastconn
        server EXCH01 weight 1 check port 135 inter 2000 rise 2 fall 3 on-marked-down shutdown-sessions
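
An added example, not part of the original post: a small Python check for a haproxy.cfg laid out like the one above. It flags a `default_backend` that names no existing `backend` section, directives that need `mode http` placed in a `mode tcp` section, and `server` lines that use `verify none`. The function names, the sample config and its addresses are constructed for illustration.

```python
import re
HTTP_ONLY = {"reqadd", "cookie", "option httpclose", "option forwardfor"}  # need mode http
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def parse(cfg):
    """Split haproxy.cfg text into (kind, name, [directive word lists])."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := SECTION.match(line):
            sections.append((m.group(1), m.group(2), []))
        elif line and sections:
            sections[-1][2].append(line.split())
    return sections

def lint(cfg):
    """Flag dangling default_backend, HTTP-only lines in tcp mode, 'verify none'."""
    sections = parse(cfg)
    backends = {n for k, n, _ in sections if k in ("backend", "listen")}
    inherited, out = "tcp", []  # tcp is HAProxy's mode when none is set
    for kind, name, lines in sections:
        mode = next((w[1] for w in reversed(lines) if w[0] == "mode"), inherited)
        if kind == "defaults":
            inherited = mode
        for w in lines if kind not in ("global", "defaults") else []:
            key = " ".join(w[:2]) if w[0] == "option" else w[0]
            if mode == "tcp" and key in HTTP_ONLY:
                out.append(f"{name}: '{key}' needs mode http, section is mode tcp")
            if w[0] == "default_backend" and w[1] not in backends:
                out.append(f"{name}: default_backend '{w[1]}' has no backend section")
            if w[0] == "server" and "verify none" in " ".join(w):
                out.append(f"{name}: server '{w[1]}' skips backend certificate verification")
    return out

SAMPLE = r"""# Constructed sample modelled on the post; addresses are placeholders.
defaults
    mode http
frontend exchange-ssl
    mode tcp
    reqadd X-Forwarded-Proto:\ https
    default_backend exchange_backend
backend exchange_backend
    mode tcp
    option forwardfor
    server server1 192.0.2.20:443 check ssl verify none
frontend rpc-front
    default_backend rpc-server
backend rcp-server
"""
print(*lint(SAMPLE), sep="\n")
```
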

Exchange Registry

Even with haproxy, it didn't work. It was pretty difficult to find the cause, but in the end I found it. I just changed the right registry key on the Exchange server:


I just had to add the fully qualified domain name of the mail server's public domain here:

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 Unported License.

Copyright 2015-present Hoti