The reverse proxy redirects incoming requests from Microsoft Exchange Server services to clients without providing the origin details. This example configuration shows how to configure a reverse proxy for the following Microsoft Exchange services:
- Autodiscover
- ActiveSync
- Outlook Web Access
- RPC
The example setup uses the following server and service settings:
Server/Service | Settings |
---|---|
Exchange Server |
|
HTTP Proxy Service |
|
Internal DNS Server |
|
System Requirements
- Microsoft Exchange Server 2010 SP3
Before You Begin
- Create an HTTP Proxy service on the Barracuda CloudGen Firewall as described in How to Assign Services. Enable the service, choose a descriptive Service Name (e.g.,
RPX
), and enter a brief description (e.g.,HTTP Proxy + the location of the customer
). - Ensure that the matching host access rule allows inbound HTTP/S traffic on port 443. For the inbound host firewall rule named OP-SRV-PX, edit the Service setting to include HTTP+S. For more information on configuring host firewall rules, see Host Firewall.
Step 1. Configure the Proxy Service
Configure the HTTP Proxy service in reverse proxy mode. For reverse proxy to work, virus scanning must be disabled.
Step 1.1 Add the External IP Address of the HTTP Proxy
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > Service Properties.
- Click Lock.
- From the Listening IP list, select Explicit.
- In the Explicit IPs table, add
62.99.0.221
. - Click Send Changes and Activate.
Step 1.2. Configure the Proxy Settings
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- From the Configuration Mode menu, select Switch to Advanced View.
- Click Lock.
- Enter the admin proxy email address in the Contact E-mail field.
- In the Visible Hostname field, enter the hostname, e.g.:
rpx.company.com
Select ReverseProxy as the Proxy Mode.
- In the left menu, select IP Configuration.
- In the Networking Settings section, specify the following details:
- TCP Listening Port – Enter
443
. - TCP Outgoing Address – Select Dynamic.
- UDP Incoming Address – Select First-IP.
- UDP Outgoing Address – Select First-IP.
- DNS Server IP addresses – Add
192.168.0.239
.
- TCP Listening Port – Enter
- From the Configuration menu on the left, select Malware Protection.
- To disable virus scanning, select No from the Enable Virus Scanning list.
- Click Send Changes and Activate.
Step 2. Configure Access Control Settings
Create ACL entries for all Exchange services that must access the Barracuda CloudGen Firewall and for the source IP address range. Then, configure the settings for access priority.
Step 2.1. Configure ACL Entries
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- From the Configuration Mode menu, select Switch to Advanced View.
- In the left menu, select Access Control.
- Click Lock.
- From the Default Access list, select Deny.
- Create an ACL entry for the Exchange URLs:
- In the ACL Entries section, click the plus sign (+).
- Enter a name for the list (e.g.,
ExchangeURLs
), select URL from the drop-down menu, and click OK. In the URL Extensions table, add the following entries. IP Addresses or FQDNs.
https://62.99.0.221/owa/*
https://62.99.0.221/rpc/*
https://62.99.0.221/Autodiscover/*
https://62.99.0.221/Microsoft-Server-ActiveSync*
https://mailserver.company.com/owa/*
https://mailserver.company.com/rpc/*
https://mailserver.company.com/Autodiscover/*
https://mailserver.company.com/Microsoft-Server-ActiveSync*
- Click OK.
- (Optional) Create an ACL entry for URL path extensions:
- In the ACL Entries section, click the plus sign (+).
- Enter a name for the list (e.g.,
URLPathExtensions
), select URL Path from the drop-down menu, and click OK. - In the URL Path Extensions table, add values that should be looked up in the URL path following the hostname or IP address. You can add regular expressions, words, or word patterns. For example: add the word
example
to look for 'example' in http://www.tldomain.com/example/domain/index.html - Click OK.
- Create an ACL entry for the source IP range:
- In the ACL Entries section, click the plus sign (+).
- Enter a name for the list (e.g.,
World
), select Source IP from the drop-down menu, and click OK. - From the IP Configuration list, select Rangemode.
- In the IP Ranges section, enter:
- From:
0.0.0.0
- To:
255.255.255.255
- From:
- Click OK.
- Click Send Changes and Activate.
Step 2.2. Configure ACL Policies
- Create an ACL policy to allow the ACL entries that you created.
- In the Access Control Policies section, click the plus sign (+).
- Enter a name for the policy (e.g.,
ACCE00
) and click OK. - In the ACL Priority field, enter
10
. - From the Action list, select Allow.
- In the ACL Entries section, click the plus sign ( + ) and then select the following entries:
- ExchangeURLs
- World
- Click OK.
- Create an ACL policy with a lower priority that denies the World ACL entry that you created.
- In the Access Control Policies section, click the plus sign (+).
- Enter a name for the policy, (e.g.,
ACCE01
) and click OK. - In the ACL Priority field, enter
99
. - From the Action list, select Deny.
- In the ACL Entries section, click the plus sign (+) and then select World.
- Click OK.
- Click Send Changes and Activate.
Step 3. Configure the Reverse Proxy Settings
Enable TLS/SSL encryption, specify the back-end website, and map the addresses of the Exchange services.
Step 3.1. Configure the Reverse Proxy Settings
- Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
- In the left menu, select Reverse Proxy Settings.
- From the Configuration Mode menu, select Switch to Advanced View.
- Click Lock.
- In the Backend Web Site field, enter
62.99.0.221
or the FQDN. - From the Use SSL/TLS list, select Yes.
- In the SSL/TLS Listening Port field, enter
443
. Import the Certificate and the Private Key.
- In the Backend IP Addresses section, click the plus sign ( + ) and then enter
192.168.0.206
. - From the Round Robin and Pass Login to Backend lists, select No.
Step 3.2. Configure Domain to Backend Mapping
Map the domains of the Exchange services to the backend website.
Complete the following steps for each Exchange service:
- In the Domain to Backend Mapping section, click the plus sign (+).
- Enter the name of the Exchange service that you are mapping (e.g.,
Autodiscover
) and click OK. - From the Mapping Type list, select Url-Regex.
In the Url-Regex field, enter the domain of the Exchange service that you are mapping:
Exchange Service Domain Autodiscover https://62.99.0.221/Autodiscover
ActiveSync https://62.99.0.221/Microsoft-Server-ActiveSync
Outlook Web Access https://62.99.0.221/owa
RPC https://62.99.0.221/rpc
- From the Backend list, select
192.168.0.206
and click OK. - Click Send Changes and Activate.
In case you have a public FQDN and an official public certificate, you must configure domain to backend-mapping using FQDNs. IP addresses are optional:
Complete the following steps for each Exchange service:
- In the Domain to Backend Mapping section, click the plus sign (+).
- Enter the name of the Exchange service that you are mapping (e.g.,
Autodiscover-URL
) and click OK. - From the Mapping Type list, select Url-Regex.
In the Url-Regex field, enter the domain of the Exchange service that you are mapping:
Exchange Service Domain Autodiscover https://mailserver.company.com/Autodiscover
ActiveSync https://mailserver.company.com/Microsoft-Server-ActiveSync
Outlook Web Access https://mailserver.company.com/owa
RPC https://mailserver.company.com/rpc
- From the Backend list, select
192.168.0.206
and click OK. - Click Send Changes and Activate.