Outlook Web Access problems with Linux Firewall

 
 
Oskar
Guest
Posts: n/a

 
      02-27-2006, 11:47 PM
Hello

I have a nasty problem, and I hope someone can help me.

In my company we have 20 Win XP desktops with static IPs (192.168.1.x) and one Mail Server running Exchange with IP 192.168.1.100.
They are connected with switches, and at the front of all we have a Linux Gateway that has firewall capabilities using Iptables with 2 NICs.
This is the design:

LAN------Switch-----Linux Gateway----ADSL Router------Internet
(192.168.1.X) (192.168.2.1) (200.X.X.X)


The internal eth1 interface of the Gateway has IP (192.168.1.102)
The external eth0 interface of the Gateway has IP (192.168.2.101)

In the router I have mapped all the ports to the Linux Gateway using NAT, so when somebody uses http://200.x.x.x the router redirects the petition to the Linux Gateway at port 80.
The Linux gateway also works as a web server using Apache (port 80).
The problem was that the mail server also uses port 80 for Outlook Web Access.
Then my idea was to redirect petitions to port 8888 of the Linux Gateway to port 80 of the Mail Server (192.168.1.100) using Iptables and the PREROUTING chain.

That worked very well: people from the WAN can see the Apache Web Server (Linux Gateway running at internal IP 192.168.2.101:80) and the Outlook Web Access of the mail server at internal IP 192.168.1.100:80 through a redirection from 192.168.2.101:8888.

My problem is that when someone using a web browser from the WAN types the address of the OWA, i.e. http://200.x.x.x:8888/exchange, they get the OWA login screen, they put in their username and password, and then the Outlook Web Access comes up, but with no inbox loaded. The frame of the inbox and mails is not loaded: object request could not be found.
If I do this using http://192.168.1.100/exchange from the internal LAN it works flawlessly.

Any ideas? Is it a problem of the Linux firewall or with the Exchange mail server?

Thanks for your time

Oskar.

 
Radge
Guest
Posts: n/a

 
      02-28-2006, 12:53 PM
It's been a while but... if I remember correctly OWA has issues not running on port 80, so I would redirect Apache to port 8888 and leave port 80 for OWA... If this doesn't help then check with Microsoft as I am sure it is a known issue....

Just checked with MS... are you using https on that address? If not, run OWA over https as it does not need port 80.... then you should be fine.. on port 443

Good luck
 
Oskar
Guest
Posts: n/a

 
      02-28-2006, 01:03 PM
I don't use https because for that you need a certificate from a CA.. I just want a simpler way to enable this..

I have searched the internet and there are some problems with WebDAV and firewalls or proxy servers.. if you have another solution that would be great!

Greetings, Oskar



 
Davide Bianchi
Guest
Posts: n/a

 
      02-28-2006, 01:13 PM
On 2006-02-28, Oskar <(E-Mail Removed)> wrote:
> Then my idea was to redirect petitions to port 8888 of the Linux
> Gateway to Port 80 of the Mail Server(192.168.1.100) using Iptables and
> the PREROUTING CHAIN.


The problem is that OWA puts _full_ http URLs in its own pages, so it
works fine from the inside but it's a mess from the outside. In my
previous company we solved the problem by using an Apache proxy
that was available from the outside (in a DMZ, but this point is
meaningless) and that also took care of the https part.

See http://www.soft-land.org/articoli/exch if it can help you.

Davide

--
IBM's vision is apparently to make IBM hardware "scream with Microsoft
software" -- The Register
I have visions of screaming with (at and about) Microsoft software, too.
-- Joe Moore on alt.sysadmin.recovery
 
 
Oskar
Guest
Posts: n/a

 
      03-05-2006, 06:58 PM
Thank you for your help

Looking at the site you gave me, I got some ideas on how to solve the problem..
The solution: using Apache as a reverse proxy, BUT without SSL !!
I just enabled the mod_proxy and mod_http_proxy modules for Apache and I added this to my httpd.conf (based on the info you gave me):

NameVirtualHost *

# First site: served locally by Apache
<VirtualHost *>
    DocumentRoot /var/www/html/qalinux
    ServerName qalinux.blogdns.net:80
</VirtualHost>

# Second site: local content plus a reverse proxy for the OWA paths
<VirtualHost *>
    ServerName 0skar.homeunix.org:80
    DocumentRoot /var/www/html
    # Reverse proxy only; do not act as a forward proxy
    ProxyRequests off
    # Pass the client's Host header through to the backend
    ProxyPreserveHost On
    <Location /exchange>
        ProxyPass http://192.168.2.10/exchange
        ProxyPassReverse http://192.168.2.10/exchange
    </Location>
    <Location /exchweb>
        ProxyPass http://192.168.2.10/exchweb
        ProxyPassReverse http://192.168.2.10/exchweb
    </Location>
    <Location /public>
        ProxyPass http://192.168.2.10/public
        ProxyPassReverse http://192.168.2.10/public
    </Location>
</VirtualHost>

So I have two websites on my server, but when someone types http://0skar.homeunix.org/exchange, then the Apache reverse proxy comes into action, redirecting the petition to the Exchange server behind my Linux Gateway..
Also I had to edit 30_mod_proxy.conf to enable access permissions to the site.
With these steps I finally get OWA working through a Linux based Firewall Gateway from the outside.

If anyone has trouble with a problem similar to mine, email me at (E-Mail Removed)

Oskar Kossuth.




 
Reply With Quote
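
The variant Davide describes, where the Apache proxy also takes care of the https part, could look like the following. This is an added example, not configuration posted in the thread. It assumes Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_alias loaded; the certificate paths are placeholders, and a self-signed certificate works without a CA at the cost of a browser warning.

```apache
# Added example, not from the thread. Hostname and backend address are the
# ones from the post above; certificate paths are placeholders.

# Plain-HTTP vhost: push the OWA paths to the TLS vhost so the login
# form is never submitted in cleartext.
<VirtualHost *:80>
    ServerName 0skar.homeunix.org
    DocumentRoot /var/www/html
    RedirectMatch permanent ^/(exchange|exchweb|public)(.*)$ https://0skar.homeunix.org/$1$2
</VirtualHost>

<VirtualHost *:443>
    ServerName 0skar.homeunix.org
    DocumentRoot /var/www/html

    # TLS terminates here, on the proxy
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/owa-proxy.crt
    SSLCertificateKeyFile /etc/ssl/example/owa-proxy.key

    # Reverse proxy only, never an open forward proxy
    ProxyRequests Off
    # Backend sees the public Host header instead of 192.168.2.10
    ProxyPreserveHost On
    # Assumption: Exchange 2000/2003-era OWA, which reads this header
    # to learn that the client side of the connection is HTTPS
    RequestHeader set Front-End-Https "On"

    <Location /exchange>
        ProxyPass        http://192.168.2.10/exchange
        ProxyPassReverse http://192.168.2.10/exchange
    </Location>
    <Location /exchweb>
        ProxyPass        http://192.168.2.10/exchweb
        ProxyPassReverse http://192.168.2.10/exchweb
    </Location>
    <Location /public>
        ProxyPass        http://192.168.2.10/public
        ProxyPassReverse http://192.168.2.10/public
    </Location>
</VirtualHost>
```

The hop from the proxy to 192.168.2.10 is still plain HTTP here, so that traffic should stay on the internal segment.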
 
 
 