Posted to users@httpd.apache.org by Joe Williams <jw...@ntegrated.net> on 2013/05/10 18:18:12 UTC

[users@httpd] Apache2 reverse Proxy for MS Lync

Looking for a little help from the community on an issue between Apache2 and MS Lync. If anyone has similar experience using these two in conjunction with each other, it would be very helpful. Thanks in advance for any responses!

Information I can give on the problem follows:

I am having an issue getting mobility clients to connect via my Debian/Apache2 reverse proxy to the Lync front end server. From the information I have been able to gather, the communication is coming in through the reverse proxy, traversing the reverse proxy and talking to the front end server. I am unsure why the client is still failing to connect. There is a message in the error.log about an error reading the status line from the front end server, but I'm not sure what could be causing this. Mobility clients are working internally on the wireless network.

SSL certificates are installed and I am getting no certificate errors. SANs are as follows on the proxy:

sip.externaldomain.com
edge.externaldomain.com
lyncdiscover.externaldomain.com

I am using sip.externaldomain.com as a single record/IP for all external web services on the Lync topology, using different ports: SIP access - 5061, web conferencing - 444, A/V service - 443. The Lync Server external web site has bindings on 8080 and 4443 for its services, hence the translation in the reverse proxy from 443 to 4443.

Any help here would be greatly appreciated. If there is any information I left out that may be needed, please let me know.


Due to licensing constraints, this is my only option for a reverse proxy and I need to get it working.




------------------/etc/hosts----------------------------------------------

user@revProxy:/etc/apache2/sites-enabled# more /etc/hosts
127.0.0.1       localhost
45.x.x.x   revProxy
10.255.255.201  pool1.internaldomain.net
10.255.255.202  rdc1.internaldomain.net



------------------ports.conf----------------------------------------------

user@revProxy:/etc/apache2# more ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80
Listen 8080

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
    Listen 4443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
    Listen 4443

</IfModule>



----------------httpd.conf------------------------------------------------

user@revProxy:/etc/apache2# more httpd.conf
servername sip.externaldomain.com
RewriteEngine On



---------------CERTS------------------------------------------------------


user@revProxy:/etc/apache2/ssl# ls -a
.  ..  gd_bundle.crt  server.crt  server.key  sip.externaldomain.com.crt  sip_asilighting_com.key
user@revProxy:/etc/apache2/ssl#

---------------mods-enabled-----------------------------------------------

user@revProxy:/etc/apache2/mods-enabled# ls -a
.                authz_default.load    cgid.conf     env.load          proxy_connect.load  setenvif.conf
..               authz_groupfile.load  cgid.load     mime.conf         proxy_http.load     setenvif.load
alias.conf       authz_host.load       deflate.conf  mime.load         proxy.load          ssl.conf
alias.load       authz_user.load       deflate.load  negotiation.conf  reqtimeout.conf     ssl.load
auth_basic.load  autoindex.conf        dir.conf      negotiation.load  reqtimeout.load     status.conf
authn_file.load  autoindex.load        dir.load      proxy.conf        rewrite.load        status.load



---------------proxy.conf-------------------------------------------------

user@revProxy:/etc/apache2/mods-enabled# more proxy.conf
<IfModule mod_proxy.c>

# If you want to use apache2 as a forward proxy, uncomment the
# 'ProxyRequests On' line and the <Proxy *> block below.
# WARNING: Be careful to restrict access inside the <Proxy *> block.
# Open proxy servers are dangerous both to your network and to the
# Internet at large.
#
# If you only want to use apache2 as a reverse proxy/gateway in
# front of some web application server, you DON'T need
# 'ProxyRequests On'.

ProxyRequests Off

<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia Full

</IfModule>


------------default sites-available--------------------------------------

user@revProxy:/etc/apache2/sites-enabled# more 000-default
<VirtualHost *:80>
        ServerAdmin techs@ntegrated.net

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

                ProxyPass / http://10.255.255.201:8080/
                ProxyPassReverse / http://10.255.255.201:8080/

</VirtualHost>


user@revProxy:/etc/apache2/sites-available#



------------ssl sites-available------------------------------------------

user@revProxy:/etc/apache2/sites-available# more ssl


<VirtualHost *:443>
        ServerAdmin techs@ntegrated.net

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/sip.externaldomain.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/sip_externaldomain_com.key
        SSLCACertificateFile /etc/apache2/ssl/gd_bundle.crt

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

                SSLProxyEngine on
                ProxyPreserveHost on
                KeepAlive On
                ProxyReceiveBufferSize 4096
                ProxyPass / https://10.255.255.201:4443/ KeepAlive=on
                ProxyPassReverse / https://10.255.255.201:4443/ KeepAlive=on

</VirtualHost>

user@revProxy:/etc/apache2/sites-available#


------------tcpdump on reverse proxy-------------------------------------

user@revProxy:/etc/apache2# tcpdump host pool1.internaldomain.net -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:33:19.721404 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [S], seq 3517822634, win 5840, options [mss
1460,sackOK,TS val 446937203 ecr 0,nop,wscale 5], length 0
09:33:19.722131 ARP, Request who-has 10.255.255.199 tell pool1.internaldomain.net, length 28
09:33:19.722144 ARP, Reply 10.255.255.199 is-at 00:15:5d:be:ef:19 (oui Unknown), length 28
09:33:19.722632 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [S.], seq 4120004647, ack 3517822635, win 8192,
options [mss 1460,nop,wscale 8,sackOK,TS val 256236882 ecr 446937203], length 0
09:33:19.722790 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 1, win 183, options [nop,nop,TS val
446937203 ecr 256236882], length 0
09:33:19.724608 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [P.], seq 1:106, ack 1, win 183, options [nop,nop,TS
val 446937204 ecr 256236882], length 105
09:33:19.726403 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [.], seq 1:1449, ack 106, win 514, options
[nop,nop,TS val 256236882 ecr 446937204], length 1448
09:33:19.726441 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 1449, win 147, options [nop,nop,TS val
446937204 ecr 256236882], length 0
09:33:19.726487 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [P.], seq 1449:2212, ack 106, win 514, options
[nop,nop,TS val 256236882 ecr 446937204], length 763
09:33:19.726629 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 2212, win 124, options [nop,nop,TS val
446937204 ecr 256236882], length 0
09:33:19.728425 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [P.], seq 106:432, ack 2212, win 147, options
[nop,nop,TS val 446937205 ecr 256236882], length 326
09:33:19.742156 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [P.], seq 2212:2271, ack 432, win 513, options
[nop,nop,TS val 256236883 ecr 446937205], length 59
09:33:19.742993 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [P.], seq 432:1138, ack 2271, win 147, options
[nop,nop,TS val 446937208 ecr 256236883], length 706
09:33:19.753135 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [P.], seq 2271:3092, ack 1138, win 510, options
[nop,nop,TS val 256236885 ecr 446937208], length 821
09:33:19.791124 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 3092, win 147, options [nop,nop,TS val
446937221 ecr 256236885], length 0
09:34:33.142535 IP pool1.internaldomain.net.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:34:57.974985 ARP, Request who-has pool1.internaldomain.net tell 10.255.255.200, length 28
09:35:26.029433 ARP, Request who-has 10.255.255.199 tell pool1.internaldomain.net, length 28
09:35:26.029455 ARP, Reply 10.255.255.199 is-at 00:15:5d:be:ef:19 (oui Unknown), length 28
09:35:26.030280 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [R.], seq 3092, ack 1138, win 0, length 0
09:37:31.938572 ARP, Request who-has rdc1.internaldomain.net tell pool1.internaldomain.net, length 28
09:37:31.940084 ARP, Request who-has pool1.internaldomain.net tell rdc1.internaldomain.net, length 28
09:38:29.628788 ARP, Request who-has 10.255.255.200 tell pool1.internaldomain.net, length 28
09:38:29.628821 ARP, Request who-has pool1.internaldomain.net tell 10.255.255.200, length 28
^C
24 packets captured
24 packets received by filter
0 packets dropped by kernel
user@revProxy:/etc/apache2#


-----------------access.log----------------------------------------------

98.x.x.x - - [10/May/2013:06:02:29 -0500] "GET /?sipuri=pwalsh@externaldomain.com HTTP/1.1" 200 4836 "-" "OC/15.0.4481.1000 (Microsoft Lync)"
98.x.x.x - - [10/May/2013:06:02:29 -0500] "GET /?sipuri=pwalsh@externaldomain.com HTTP/1.1" 403 1519 "-" "OC/15.0.4481.1000 (Microsoft Lync)"
70.x.x.x - - [10/May/2013:09:33:19 -0500] "GET /?sipuri=sip:jrall@externaldomain.com HTTP/1.1" 200 4789 "-" "ACOMO"
user@revProxy:/etc/apache2#



-----------------error.log-----------------------------------------------



[Wed May 10 09:33:19 2013] [error] [client 70.x.x.x] (104)Connection reset by peer: proxy: error reading status line from remote server 10.255.255.201:4443
[Wed May 10 09:33:19 2013] [error] [client 70.x.x.x] proxy: Error reading from remote server returned by /





----------------IIS logfile----------------------------------------------


user@revProxy:/etc/apache2/mods-enabled# ls -a
.                authz_default.load    cgid.conf     env.load          proxy_connect.load  setenvif.conf
..               authz_groupfile.load  cgid.load     mime.conf         proxy_http.load     setenvif.load
alias.conf       authz_host.load       deflate.conf  mime.load         proxy.load          ssl.conf
alias.load       authz_user.load       deflate.load  negotiation.conf  reqtimeout.conf     ssl.load
auth_basic.load  autoindex.conf        dir.conf      negotiation.load  reqtimeout.load     status.conf
authn_file.load  autoindex.load        dir.load      proxy.conf        rewrite.load        status.load


Thanks,




Joe Williams
Ntegrated Solutions<http://www.ntegrated.net/>
Noc Engineer
214-432-3600 ext 314 Office
214-432-3601 fax
jwilliams@ntegrated.net<ma...@ntegrated.net>
www.ntegrated.net<http://www.ntegrated.net/>