Re: A Good Reverse Proxy Product



How about an SSL VPN device... Aventail, Juniper, or even ISA server, etc.?

Still place the OWA box in the DMZ, but don't allow direct access to it, only through the VPN...

Also should consider an IDS/IPS or web application firewall in addition to this.







----- Original Message ----
From: Aiko Barz <aiko@xxxxxxxxx>
To: Paul Guibord <pguibord@xxxxxxxxxxxxxxxxxx>
Cc: security-basics@xxxxxxxxxxxxxxxxx
Sent: Friday, May 2, 2008 8:11:16 AM
Subject: Re: A Good Reverse Proxy Product

On Wed, Apr 30, 2008 at 02:43:22PM -0400, Paul Guibord wrote:


> Greetings to all,
>
> We have a new MS Exchange server and the administrator wants to provide remote
> Outlook Web Access access to it from the internet.
> As opposed to having a direct outside to inside translation to it I was told
> that we could put a reverse proxy server in the DMZ and then provide a DMZ to
> inside translation from there.
>
> First of all does this sound like the safest approach and if so can anyone
> provide the name of a good stable/secure reverse proxy product.

Hi,

I used Apache and Squid as a Reverse Proxy for OWA and RPC over HTTPs.

Just a warning: You cannot use Apache as a Reverse Proxy for RPC over
HTTPs anymore, because current versions are more strict and M$ is lying
about the HTTP "Content-Length": Outlook says that the request has the
content-length of 1GB. The Apache is waiting for the whole request:
Deadlock. Outlook never intended to really send 1GB...
https://issues.apache.org/bugzilla/show_bug.cgi?id=40029

If you want to use RPC over HTTPs with squid and Debian Stable, you need
to know that the default package is not built with SSL support. You
need to get the Debian Source package and enable SSL support. (Just one
line.)

So long,
Aiko
--
:wq ✉
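
The Content-Length stall described in the message above, reproduced in-process as an added example (not part of the original thread, and not Apache's or Squid's code). The request line, host name, payload and idle timeout are constructed; the 1 GiB figure is the one given in the post.

```python
import socket

DECLARED = 1 << 30  # 1 GiB, the Content-Length the post says Outlook announces

def send_request(sock, body):
    """Constructed client: announces DECLARED bytes, sends only `body`, then idles."""
    head = (b"RPC_IN_DATA /rpc/rpcproxy.dll HTTP/1.1\r\n"
            b"Host: mail.example.test\r\n"
            b"Content-Length: %d\r\n\r\n" % DECLARED)
    sock.sendall(head + body)

def read_head(sock):
    """Read the request head; return (declared length, body bytes read so far)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("client closed before end of headers")
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip()), rest
    return 0, rest

def proxy(sock, buffer_whole_body, idle_timeout=0.3):
    """Return what the backend has received by the time the client goes idle."""
    declared, chunk = read_head(sock)
    held, backend = b"", b""
    sock.settimeout(idle_timeout)
    try:
        while True:
            if buffer_whole_body:
                held += chunk        # wait for the complete declared body
            else:
                backend += chunk     # relay each chunk as it arrives
            if len(held) + len(backend) >= declared:
                break
            chunk = sock.recv(65536)
            if not chunk:
                break                # client closed the connection
    except socket.timeout:
        pass                         # client idle: the rest is never coming
    return held if len(held) >= declared else backend

def demo(buffer_whole_body):
    client, server = socket.socketpair()
    try:
        send_request(client, b"first-rpc-pdu")  # constructed payload
        return proxy(server, buffer_whole_body)
    finally:
        client.close()
        server.close()
```

`demo(True)` models a proxy that insists on the full declared body and so hands the backend nothing; `demo(False)` models one that streams and delivers the bytes that were actually sent.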



