Outlook Web Access: Dividere Front-end da Back-end

Hardware & Software utilizzati:

Server con installato Windows 2000 server e Microsoft Exchange 5.5 e
Outlook Web Access che gestisce le caselle di posta di tutti gli utenti
della rete.
Server Pentium II 300 MHz con installato Slackware.

Disinstallo apache mysql php openssl e scarico i seguenti sorgenti:

[mysql-standard-4.1.14-pc-linux-gnu-i686-glibc23.tar.gz]
openssl-0.9.7h.tar.gz
openssh
php-4.4.0.tar.gz
httpd-2.0.54.tar.gz

X installare openssl:
./config shared
make
make test
make install

X installare openssh:
./configure
make
make install

X installare httpd2+php+mysql:
httpd2:
./configure –enable-so –enable-cgi –enable-info –enable-rewrite –enable-speling –enable-usertrack –enable-deflate  –enable-ssl –enable-mime-magic –enable-ext-filter –enable-proxy –enable-proxy-connect –enable-proxy-ftp –enable-proxy-http –enable-modules=all
make
make install

cd ../php-NN
./configure –with-apxs2=/usr/local/apache2/bin/apxs –with-mysql=/usr/local/mysql
make
make install

A questo punto creo un certificato self-signed x iis
come descritto nel seguente link:
http://dejavu.mu.nu/archives/080563.php

che riporto di seguito:

######################################################################################################
May 10, 2005
Self-Signed IIS SSL Certificates using OpenSSL

Self-Signed IIS SSL Certificates using OpenSSL

This tutorial assumes that you have a Linux box with OpenSSL installed,and that you want to create a self-signed certificate for IIS5.0

1. Set up your CA (you only have to do this once)
ON THE LINUX BOX…
* Create a private key

openssl genrsa -des3 -out CA.key 1024

(You’ll need to supply a passphrase. DON’T FORGET THIS!!)

* Set this to read-only for root for security

chmod 400 CA.key

* Create the CA certificate

openssl req -new -key CA.key -x509 -days 1095 -out CA.crt

(Provide appropriate responses to the prompts…for Common Name, you might want to use something like “OurCompany CA”)

* Set the certificate to read-only for root for security

chmod 400 CA.crt

2. Obtain a CSR
ON THE IIS BOX…
* Open the Internet Manager
* Select the site for which you want to create a key
* Right-click and choose Properties
* Select the “Directory Security” tab
* Click the “Server Certificate” button
* Follow the prompts to create a CSR
* Save your CSR, then transfer it to the Linux box for further processing. (For the following steps, we’ll refer to your CSR as “new.csr”)

3. Sign the CSR
ON THE LINUX BOX…
* Sign the CSR (all of this on one line)

openssl x509 -req -days 365 -in new.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out new.crt

* Transfer the new.crt file back to the IIS box

4. Install self-signed certificate
ON THE IIS BOX…
* Open the Internet Manager
* Select the site to install the key
* Right-click and choose properties
* Select the “Directory Security” tab
* Click the “Server Certificate” button
* Specify that you want to complete the pending request
* Select the .crt file that you just transferred

That’s it!

Now…here’s the updated info, with special thanks to David MacKenzie:David’s comments: I found your instructions for creating a self-signed cert for IIS using OpenSSL invaluable–thanks! (I found them by google.) There’s one subtlety I’d like to suggest you add to them. If the IIS server is Outlook Web Access for an Exchange server, then installing the SSL cert breaks Public Folders administration from the Exchange System Manager MMC console. ESM complains that the cert isn’t connected to a recognized authority, and if you fix that, it complains that the system name is wrong. After more googling, I found an answer that worked for me, shown below as additional steps for your check list. I’m using Windows 2000 SP3 and Exchange 2000 SP3.

1. If the IIS server is running Outlook Web Access for Exchange, make ourselves recognized as a CA
ON THE IIS BOX…
* Open Internet Explorer
* Tools>Internet Options
* Content tab
* Certificates
* Import
* Next
* Browse
* Files of type: X.509 Certificate (*.cer, *.crt)
* Select CA.crt
* Open
* Next
* Next
* Finish
2. If the IIS server is running Outlook Web Access for Exchange, fix Public Folders management for the Exchange Server Manager
ON THE IIS BOX…
* Open Internet Services Manager
* Right-click on exchange>Default Web Site>Exadmin
* Properties
* Directory Security tab
* Secure communications Edit
* Uncheck Require secure channel (SSL)
* OK
* OK
Posted by MoMo at May 10, 2005 11:32 AM

##################################################################################################

A questo punto iis disporrà di un certificato e quindi potrà comunicare in https

Iniziamo a configurare apache2 per funzionare come proxy
(fruttando il mod_proxy)

Prima di tutto occorre creare un certificato per il server apache come segue:
[ripresa dal sito:
http://www.vanemery.com/Linux/Apache/apache-SSL.html
]


###################################################################################################

Step 1: Setup your own CA (Certificate Authority)

In order to run a secure (SSL/TLS encrypted) web server, you have to have a private key and a certificate for the server. For a commercial web site, you will probably want to purchase a certificate signed by a well-known root CA. For Intranet or special-purpose uses like this, you can be your own CA. This is done with the OpenSSL tools.

Here, we will make a private CA key and a private CA X.509 certificate. We will also make a directory for the certs and keys:

[root]# mkdir /root/CA
[root]# chmod 0770 /root/CA
[root]# cd /root/CA

[root]# openssl genrsa -des3 -out my-ca.key 2048
Generating RSA private key, 2048 bit long modulus
……………………………………………..+++
……………………………………………+++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password – Enter PEM pass phrase:

[root]# openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:Kentucky
Locality Name (eg, city) [Newbury]:Fayette County
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, your name or your server’s hostname) []:VanEmery.Com CA
Email Address []:hostmaster@vanemery.com

[root]# openssl x509 -in my-ca.crt -text -noout

Notes:  The first OpenSSL command makes the key. The second command makes the X.509 certificate with a 10-year lifetime. The third command lets you view the completed certificate. Make sure that you keep the password in a safe place, you will need this every time you sign another certificate! You will probably also want to make backups of the cert and key and lock them in a safe place.

Step 2: Make a key and a certificate for the web server:

Now, we have to make an X.509 certificate and corresponding private key for the web server. Rather than creating a certificate directly, we will create a key and a certificate request, then “sign” the certificate request with the CA key we made in Step 1. You can make keys for multiple web servers this way. One thing to note is that SSL/TLS private keys for web servers need to be either 512 or 1024 bits. Any other key size may be incompatible with certain browsers.

[root]# openssl genrsa -des3 -out mars-server.key 1024
Generating RSA private key, 1024 bit long modulus
….++++++
.++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password – Enter PEM pass phrase:

You could also create a private key without file encryption:

[root]# openssl genrsa -out mars-server.key 1024

[root]# openssl req -new -key mars-server.key -out mars-server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taipei County
Locality Name (eg, city) [Newbury]:Nankang
Organization Name (eg, company) [My Company Ltd]:VanEmery.Com
Organizational Unit Name (eg, section) []:Web Services
Common Name (eg, your name or your server’s hostname) []:mars.vanemery.com <=== This must be the real FQDN of your server!!!
Email Address []:hostmaster@vanemery.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=TW/ST=Taipei County/L=Nankang/O=VanEmery.Com/OU=Web Services/CN=mars.vanemery.com/Email=hostmaster@vanemery.com
Getting CA Private Key
Enter PEM pass phrase:

[root]# openssl x509 -in mars-server.crt -text -noout

Make sure that your server name is the same as the FQDN that your clients will use when connecting to your site. Also, let’s get in the habit of protecting our keys with appropriate permissions:

[root]# chmod 0400 *.key

Now, we need to move the new keys and certs into the proper directories in the /etc/httpd hierarchy:

[root]# cp mars-server.crt /etc/httpd/conf/ssl.crt
[root]# cp mars-server.key /etc/httpd/conf/ssl.key
[root]# cp my-ca.crt /etc/httpd/conf/ssl.crt

######################################################################################################

La documentazione l’ho trovata nel seguente link:
http://www.sikurezza.org/ml/03_04/msg00041.html

che riporto di seguito per comodità

#####################################################################################################

How to make Apache working with OWA (OutLook web access), using mod_proxy.

Table of Content:

1. The purpose of the document
2. What we need
3. Configuration
4. TroubleShooting.

1. PURPOSE OF THE DOCUMENT

Sometimes someone ask us to make possible to access his e-mail account from
Internet. In best cases we can use a simple and powerful web-mail, but in
worst cases we MUST use OWA, AKA Outlook Web Access.

The problem is twice:

1) Using Exchange server 5.5 or 2000 in normal edition we can’t separate OWA
from the Exchange Machine.
2) Using OWA, we MUST use IIS that we know suxXXs in security.

So, to avoid these problems we can use Apache mod_proxy to:

 + Separate services to a FrontEnd <-> BackEnd scenario
 + Putting IIS in a DMZ and make that most attacks were made to the
front-end Apache (that is better).

The purpose of this document is how to install and, of course, make work
Apache mod_proxy to make possible to access OWA trought IIS.

The scenario we’ll be:

Client —-> Apache (mod_proxy) <——> IIS-Exchange

2. WHAT WE NEED

Naturally we need:

  + A Working Exchange 2000/5.5 installation
  + A Working IIS + SSL maximum patchlevel with OWA correctly installed on
the same Exchange machine
  + A working ApacheII with SSL and mod_proxy support on another Machine

3. Configuration

Ok, let’s go.

The configuration to make all these work is quite simple, but include a
work-around. OWA infact return FQDN urls to the client; so we must make that
the client always think to connect to the apache, and the Apache always
think to connect to the IIS server for the same domain name! Better
explanation will be parsing configuration files 🙂

For security reasons we’ll configure all using SSL connections, so there
will be a Secure Connection between Client and Apache, and between Apache
and IIS, so no data go on the net unencrypted.
This is important thing because as Microsoft says in Q29661 Article, only
Basic Authentication is possible between front-end back-end, also if
front-end is IIS and not Apache. By the way… using Integrated Windows
Authentication with ourconfiguration will make IE not work 🙂

We can configure our wonderful apache server machine. I suggest to use the
httpd’ latest version.
Naturally we assume that the reader has any experiences with Virtual Hosts,
normal and SSL Based, for further information please read Apache
documentation.

For firts we assume that the scenario is you have a public or private
domain, (Ex. owa.myexistentdomain.com) so in your DNS you must translate
this domain to the Apache IP Address (could be public or private) .

After that you MUST put into the /etc/hosts file of the apache machine this
string:

owa.myexistentdomain.com 192.168.0.1 # substitute this ip with the IIS-OWA
internal IP address.

we make this action to make possible the apache to understand and correctly
proxy the connection because OWA sends him the FQDN as the URL to contact!!!

So in your ssl.conf:

<VirtualHost privateip:443> #substitute this IP with the address resolved by
the dns for owa.myexistentdomain.com!!!

    SSLEngine on
    SSLProxyEngine on
    SSLProtocol +all
    SSLCipherSuite HIGH:MEDIUM

    SSLCertificateFile /apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /apache/conf/ssl.key/server.key

   <Files ~ “\.(cgi|shtml|phtml|php3?)$”>
    SSLOptions +StdEnvVars
   </Files>

    ServerAdmin root@xxxxxxxxxxxxxxxxxxxxxxxx
    ServerName owa.myexistentdomain.com:443

    <Location “/exchange”>

    ProxyPass https://owa.myexistentdomain.com/exchange
    ProxyPassReverse https://owa.myexistentdomain.com/exchange
    </Location>

    <Location “/exchweb”>
    ProxyPass https://owa.myexistentdomain.com/exchweb
    ProxyPassReverse https://owa.myexistentdomain.com/exchweb
    </Location>

    <Location “/public”>
    ProxyPass  https://owa.myexistentdomain.com/public
    ProxyPassReverse https://owa.myexistentdomain.com/public
    </Location>
#
    ErrorLog logs/owa_ssl_error
    CustomLog logs/owa_ssl_acces common
    CustomLog logs/ssl_owa_request_log \
          “%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \”%r\” %b”

    # mod_security Configuration

    SecFilterEngine On
#    SecAuditEngine On
#    SecAuditLog logs/audit_log
#    SecFilterScanPOST On
    SecFilterDefaultAction deny,log,status:409
      # Filters
      SecFilter “\.\./”
      SecFilter “<( |\n)*script”
      SecFilter “<(.|\n)+>”
      SecFilter “root.exe*”
      SecFilter “cmd.exe*”
      SecFilter “default.ida*”
      SecFilter “delete( |\n)+from”
      SecFilter “insert( |\n)+into”
      SecFilter “select( |\n)+from”

</VirtualHost>

Now, we can make a simple html or php page to put in htdocs/ that redirect
every single connection from the original site to the https:// one, a simple
php example here:

<?
header(“location: https://owa.myexistentdomain.com/“;);
?>

Now, after that we MUST correctly configure IIS to make he can response to a
connection made from the client from a different Domain Name.

So, take IIS Admin interface and put into the Virtual Domain in witch OWA
lives and into the:

Properties -> Web Site -> IP Address -> Advanced

Add the identity to the web server:

IP Address:       Put here the local ip address of the Exchange-IIS machine
TCP Port:         80 of course
Host Header Name: Here you must put owa.myexistentdomain.com

click OK and save 🙂

Naturally you must the identity also of the SSL identity in witch the port
is 443 and the ip is the same of the previus configuration (norma identity).

Click OK and save 🙂

Now, into the menu’:

Properties -> Web Site -> IP Address:

put the IP address of the IIS-Exchange machine.

now, a VERY important thing are:

+ tell IIS to refuse any NON-SSL Connection (search into “Directory
Security” and Edit certificate properties)
+ Disable Integrated Windows Authentication and Enable Basic one (search
into “Directory Security”).

Now we suggest to:

+ use IISLockdown utility to hardenize IIS configuration (is free avaiable
on microsoft site)
+ Use Apache mod_protection or mod_security to avoid attack (search
freshmeat for them)

Now all is working!!! Point our browser to
http://owa.myexistentdomain.com/exchange/ or
https://owa.myexistentdomain.com/exchange/ and go on!!!!

4. TroubleShooting.

For first thing I suggest to try different browsers instead of IE that is
buggy.
Doing this configuration I find out that forcing SSLv3 with HIGH encryption,
Netscape works but IE will NOT WORK saying the stupid error “Navigation
Cancelled” 😀 (thank you Mr. Bill… you make me happy).

After that try this:

+ Try to connect directly to IIS to ensure that is not an IIS or OWA problem
+ Pinging from a client owa.myexistentdomain.com I reach the apache IP
Address.
+ Pinging from The apache Server owa.myexistentdomain.com I reach the
Exchange-IIS IP Address.
+ Both Apache and IIS Certificates are valid and built on the
owa.myexistentdomain.com Common Name
+ Try to disable NTLM Auth, sometimes IE is more stupid that he would
appear.
+ Recontrol Apache and IIS Configuration

+ Try to sniff the traffic to manage what it is going on!!!!

Best Regards,

Federico ego_pfe@xxxxxxxxx

Credits: I must say thank to buzzzo, without him my lamerness would take
windward 😉

.