Apache behind IIS – URL Rewrite and ARR as reverse proxy

Just a few days ago I wrote about my problems proxying IIS with Apache, having ultimately used Squid. Having Squid in front of Exchange worked for OWA, but users connecting to Exchange with Outlook were asked for their credentials over and over again. In other words, “Outlook does not stop asking for username and password”. (It should only ask at every start.)
Therefore I changed Apache to listen on another port for SSL (here 8443) and let IIS/Exchange use port 443 exclusively. ISA would have changed that issue, but it was overhead, as I’ve written.
But you can reverse proxy with IIS 7! These are the prerequisites:
- Microsoft URL Rewrite Module for IIS 7.0 (download, guide)
- Microsoft Application Request Routing for IIS 7 (download, guide)
Install them with administrative privileges in that order (restart required).
So, given that my Apache listens on port 8443 for SSL and IIS with Exchange is exposed to the Internet, I had to set up reverse proxying / rewriting with these steps:
- Make sure your external addresses resolve internally to the local server of yours and not to the public IP:
dig +short svn.hurrikane.de
# 192.168.1.6 is the local address of Apache, and desired
# 63.208.196.101 is external, which would be bad here
You can achieve that by manipulating internal DNS entries:
svn.hurrikane.de srv1.hurrikane.de # CNAME, reroute that internally
- Add the following two rewrite rules:

then hit “Add Rules”, “Blank rule”; name it “not exchange”,
(*Do not use catchalls like this! Always explicitly enumerate your domain names here, or your proxy might get abused. The following is meant as a quick-start example only!*)

then, as you will disable redirections for OWA, make sure this rule will be the last; create it named “exchange”:

The point is that the first rule does the generic rewrite to Apache, with the “action URL” including {HTTP_HOST}, whenever the host is not the name of your Exchange server. Otherwise, after the redirection for OWA, no further rewrite has to happen.
- Disable default HTTP Redirects, especially those for OWA, or else the rules won’t work correctly.


- Optionally, instruct ARR to preserve the host header for reverse proxying. This is not needed here, but you will forget about it later when creating server farms. Run this command:
%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true
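
The “not exchange” rule described above, written out as a web.config fragment with the catch-all form beside one that enumerates host names. This is an added example, not the configuration from the original post: mail.example.invalid is a placeholder for the Exchange host name, and the https scheme towards Apache and the {C:1} back-reference are assumptions.

```xml
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Constructed example. mail.example.invalid is a placeholder for
             the Exchange host name; it is not taken from the post. -->

        <!-- Quick-start catch-all, kept disabled for comparison: every Host
             value except the Exchange name is copied into the upstream URL,
             so the client decides which host IIS connects to. -->
        <rule name="not exchange (catch-all)" enabled="false" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^mail\.example\.invalid$" negate="true" />
          </conditions>
          <action type="Rewrite" url="https://{HTTP_HOST}:8443/{R:1}" />
        </rule>

        <!-- Enumerated variant: only the listed names are proxied to Apache.
             {C:1} is the host name captured by the condition, so the upstream
             URL is built from the matched name, never from the raw header,
             and an optional ":443" in the Host header is dropped. -->
        <rule name="not exchange" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^(svn\.hurrikane\.de)(:443)?$" />
          </conditions>
          <action type="Rewrite" url="https://{C:1}:8443/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With the enumerated rule, a request whose Host header matches no listed name is not proxied and is handled by IIS itself. Add further names as alternatives inside the capture group, for example `^(svn\.hurrikane\.de|www\.hurrikane\.de)(:443)?$` (the second name is hypothetical).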
In case you need further support, you can consult Microsoft’s forums about Application Request Routing. The more sophisticated instructions will require you to set up a server farm for proxying, which did not work with Apache as part of it. But rewriting does the job sufficiently.
Voila!
