It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Example - Reverse Proxy for Exchange Services

  • Last updated on

The reverse proxy redirects incoming requests from Microsoft Exchange Server services to clients without providing the origin details. This example configuration shows how to configure a reverse proxy for the following Microsoft Exchange services:

  • Autodiscover
  • ActiveSync
  • Outlook Web Access
  • RPC

The example setup uses the following server and service settings:

Server/Service Settings
Exchange Server
  • FQDN: mailserver.company.com
  • Internal IP Address: 192.168.0.206
HTTP Proxy Service
  • FQDN: No DNS record is available.
  • External IP Address: 62.99.0.221
Internal DNS Server
  • Internal IP Address: 192.168.0.239

System Requirements

  • Microsoft Exchange Server 2010 SP3

Before You Begin

  • Create a HTTP Proxy service on the Barracuda CloudGen Firewall as described in How to Configure Services. Enable the service, choose a descriptive Service Name (e.g., RPX) and enter a brief description (e.g., HTTP Proxy + the location of the customer ).
  • Ensure that the matching host access rule allows inbound HTTP/S traffic on port 443. For the inbound host firewall rule named OP-SRV-PX, edit the Service setting to include HTTP+S. For more information on configuring host firewall rules, see Host Firewall.
  • For some changes to take effect, it might be necessary to stop and restart the squid process on the Barracuda CloudGen Firewall.
  • To prevent DNS issues with internal/external domain resolution, use IP addresses instead of DNS names in the reverse proxy settings.

Step 1. Configure the Proxy Service

Configure the HTTP Proxy service in reverse proxy mode.

Step 1.1 Add the External IP Address of the HTTP Proxy
  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > Service Properties.
  2. Click Lock.
  3. From the Service Availability list, select Explicit.
  4. In the Explicit Service IPs table, add  62.99.0.221.
  5. Click Send Changes and Activate.
Step 1.2. Configure the Proxy Settings
  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
  2. From the Configuration Mode menu, select Switch to Advanced View.
  3. Click Lock.
  4. Enter the admin proxy email address in the Contact Mail field.
  5. In the Visible Hostname field, enter the hostname, e.g.: rpx.company.com
  6. Select Reverse Proxy as the Proxy Mode.

  7. In the left menu, select IP Configuration.
  8. In the Networking Settings section, specify the following details:
    • TCP Listening Port – Enter 443.
    • TCP Outgoing Address – Select Dynamic.
    • UDP Incoming Address – Select First-IP.
    • UDP Outgoing Address – Select First-IP.
    • DNS Server IP a ddresses – Add 192.168.0.239.
  9. Click Send Changes and Activate.

Step 2. Configure Access Control Settings

Create ACL entries for all Exchange services that must access the Barracuda CloudGen Firewall and for the source IP address range. Then configure the settings for access priority.

Step 2.1. Configure ACL Entries
  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
  2. From the Configuration Mode menu, select Switch to Advanced View.
  3. In the left menu, select Access Control.
  4. Click Lock.
  5. From the Default Access list, select Deny.
  6. Create an ACL entry for the Exchange URLs:
    1. In the ACL Entries section, click the plus sign (+).
    2. Enter a name for the list (e.g., ExchangeURLs), select URL from the drop down menu and click OK.
    3. In the URL Extensions table, add the following entries. IP Addresses or FQDNs.
      • https://62.99.0.221/owa/*
      • https://62.99.0.221/rpc/*
      • https://62.99.0.221/Autodiscover/*
      • https://62.99.0.221/Microsoft-Server-ActiveSync/*
    4. Click OK.
  7. Create an ACL entry for the source IP range:
    1. In the ACL Entries section, click the plus sign (+).
    2. E nter a name for the list (e.g.,World), select Source IP from the drop down menu and click OK.
    3. From the IP Configuration list, select Rangemode.
    4. In the IP Ranges section, enter:
      • From: 0.0.0.0
      • To: 255.255.255.255
    5. Click OK.
Step 2.2. Configure ACL Policies
  1. Create an ACL policy to allow the ACL entries that you created.
    1. In the Access Control Policies section, click the plus sign (+).
    2. Enter a name for the policy (e.g.,  ACCE00) and click OK.
    3. In the ACL Priority field, enter 10.
    4. From the Action list, select Allow.
    5. In the ACL Entries section, click the plus sign ( + )and then select the following entries:
      • ExchangeURLs
      • World
    6. Click OK.
  2. Create an ACL policy with a lower priority that denies the World ACL entry that you created.
    1. In the Access Control Policies section, click the plus sign (+).
    2. Enter a name for the policy, (e.g., ACCE01) and click OK.
    3. In the ACL Priority field, enter 99.
    4. From the Action list, select Deny.
    5. In the  ACL Entries section, click the plus sign (+) and then select World.
    6. Click OK.
  3. Click Send Changes and Activate .

Step 3. Configure the Reverse Proxy Settings

Enable SSL encryption, specify the back-end web site, and map the addresses of the Exchange services.

Step 3.1. Configure the Reverse Proxy Settings
  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
  2. In the left menu, select Reverse Proxy Settings.
  3. From the Configuration Mode menu, select Switch to Advanced View.
  4. Click Lock.
  5. In the Backend Web Site field, enter   62.99.0.221 or the FQDN.
  6. From the Use SSL list, select Yes.
  7. In the SSL Listening Port field, enter443.
  8. Import the SSL Certificate and the SSL Private Key.

    The certificate must contain the Name (*.company.com) and SubAltName (DNS:owa.company.com).
  9. In the Backend IP Addresses section, click the plus sign ( + ) and then enter 192.168.0.206.
  10. From the Round Robin and Domain-based Virtual Host lists, select no.
Step 3.2. Configure Domain to Backend Mapping

Map the domains of the Exchange services to the backend web site.

Complete the following steps for each Exchange service:

  1. In the Domain to Backend Mapping section, click the plus sign (+).
  2. Enter the name of the Exchange service that you are mapping (e.g., Autodiscover) and click OK.
  3. From the Mapping Type list, select Url-Regex.
  4. In the Url-Regex field, enter the domain of the Exchange service that you are mapping:

    Exchange Service Domain
    Autodiscover https://62.99.0.221/Autodiscover
    ActiveSync https://62.99.0.221/Microsoft-Server-ActiveSync
    Outlook Web Access https://62.99.0.221/owa
    RPC https://62.99.0.221/rpc
  5. From the Backend list, select 192.168.0.206 and click OK.
  6. Click Send Changes and Activate.