Anonymous_User Absent Member.
Absent Member.
295 views

Proxy Outlook 2010 webmail


I'm looking for some assistance with NAM and Outlook 2010.
Specifically my Outlook Admin recently asked if I could proxy OWA /
Webmail. He would like to perform some testing without the complexity
of any NAM authentication / SSO. I figured such a request would be
rather easy. But alas I've been proven wrong.

I stood up a multi-homed proxy service on NAM for our Dev OWA server. I
placed a host file entry on my machine to point to the newly created URL
(let's call it test-owa.test.com). Then using both IE and Firefox I
attempted to go to https://test-owa.test.com/ Unfortunately I found
that when I hit the NAM hosted URL I received a 301 response which then
sends me directly to the OWA server bypassing Access Manager. Thus it
would appear that the rewriter isn't functioning in this configuration
which makes no sense to me.

Any thoughts / suggestions would be greatly appreciated.

-Jeff


Here is what I did and didn't do to setup the proxy service:

URLS:
https://test-owa.test.com/owa/auth/logon.aspx

PLACED A HOST FILE ENTRY ON MY WORKSTATION:
10.115.11.101 test-owa.test.com test-owa

ON NAM:
1. Created a *Proxy Service Name* of test-owa
2. Specified *Published DNS Name* of test-owa.test.com (note that this
isn’t in DNS at this point but placed on my workstation using a host
file entry)
3. Specified *Multi-Homing Type* of domain based, note that it was added
to a list of other working proxy services
4. Specified *Web Server IP Address* using the IP address pointing to
the Exchange /OWA server I’m trying to test
5. Specified *Host Header* as “Web Server Host Name”
6. Specified *Web Server Host Name* using the host name that corresponds
with the IP address from item 4 above.

MODIFIED THE PROXY SERVICE BY SETTING UP THE FOLLOWING ADDITIONAL
CONFIGURATION:

SETUP PROTECTED RESOURCES:
Created a protected resource called root, with a path of /*. There are
no authentication policies, injection policies, etc associated with
this.

SETUP HTML REWRITING:
Make a new word rewriter and move it to the top of the list, it should
have the following settings:
• in the “Variable or Attribute Name to Search for Is” section, specify
value and formvalue
• Select Rewrite Inbound Query String Data.
• Select Rewrite Inbound Post Data.
• Select Rewrite Inbound Headers.
• Make sure that Enable Rewrite Actions remains selected.

Finally worth noting, although my DEV Access Manager config is using SSL
/ port 443 for both the login URL and the ESP URL, I did not change the
default configuration for this new proxy service from port 80 to 443.
So my tests would have involved the LAG talking to the web server via
port 80. As I mentioned the new proxy service host name isn’t in DNS
but my login and ESP URLs are.

Additionally my version of NAM is 3.1 sp4 using a combined admin console
/ IDP server, and a separate LAG.

DOCUMENTATION USED:
section 2.5.4: http://tinyurl.com/abzfjg4


--
jeschaff
------------------------------------------------------------------------
jeschaff's Profile: https://forums.netiq.com/member.php?userid=400
View this thread: https://forums.netiq.com/showthread.php?t=46227

0 Likes
6 Replies
Anonymous_User Absent Member.
Absent Member.

Re: Proxy Outlook 2010 webmail

jeschaff wrote:

>
> I'm looking for some assistance with NAM and Outlook 2010.
> Specifically my Outlook Admin recently asked if I could proxy OWA /
> Webmail. He would like to perform some testing without the complexity
> of any NAM authentication / SSO. I figured such a request would be
> rather easy. But alas I've been proven wrong.
>
> I stood up a multi-homed proxy service on NAM for our Dev OWA server.
> I placed a host file entry on my machine to point to the newly
> created URL (let's call it test-owa.test.com). Then using both IE and
> Firefox I attempted to go to https://test-owa.test.com/
> Unfortunately I found that when I hit the NAM hosted URL I received a
> 301 response which then sends me directly to the OWA server bypassing
> Access Manager. Thus it would appear that the rewriter isn't
> functioning in this configuration which makes no sense to me.
>
> Any thoughts / suggestions would be greatly appreciated.


So where is the redirect to? Did you put the real DNS name of your OWA
server in the host header field? Generally you wouldn't need a rewriter
policy if you only want to rewrite host names as NAM is smart enough to
do that itself.

--
Cheers,
Edward
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Proxy Outlook 2010 webmail


edmaa;222476 Wrote:
>
>
> So where is the redirect to? Did you put the real DNS name of your OWA
> server in the host header field? Generally you wouldn't need a rewriter
> policy if you only want to rewrite host names as NAM is smart enough to
> do that itself.
>
> --
> Cheers,
> Edward


To answer your questions
1. the 301 redirect is to the exchange server
2. for the reverse proxy config, and more specifically the host header.
I tried two things. First I tried the Forward Received Host Name. When
that didn't work I tried Web Server Host Name, and specified the actual
resolvable DNS host name of the exchange server exchange-dev.test.com
3. Your statement about not generally needing a rewriter defined is my
understanding of NAM as well. I thought it was smart enough to do all
the rewrites, so I didn't specify anything more than was defined in the
directions at:
http://tinyurl.com/d7psuk2

In short... the first call from my browser goes to the NAM hosted URL:
https://test-owa.test.com

I then immediately receive a 301 response, that redirects me back to the
actual Outlook web server, bypassing Access Manager. So now I receive
the OWA login page from the outlook web server and can actually login.
The problem is that I'm no longer going through Access Manager at this
point, which is why I stated that I believe the rewriter doesn't appear
to be working as expected. A long story short I'm probably missing
something simple, or doing something stupid. I just can't seem to
figure it out at the moment.

-Jeff


Here is what I see at the browser (exported from http watch):

METHOD | RESULT | TYPE | URL
page title: https://exchange-dev/owa/auth/logon.aspx?url=https://exchange-dev/owa/&reason=0
GET | 301 | Redirect to https://exchange-dev/owa | https://test-owa.test.com/
GET | 301 | Redirect to /owa/ | https://exchange-dev/owa
GET | 302 | Redirect to https://exchange-dev/owa/auth/logon.aspx?url=https://exchange-dev/owa/&reason=0 | https://exchange-dev/owa/
GET | 200 | html | https://exchange-dev/owa/auth/logon.aspx?url=https://exchange-dev/owa/&reason=0
GET | 200 | css | https://exchange-dev/owa/14.2.328.5/themes/resources/logon.css
GET | 200 | css | https://exchange-dev/owa/14.2.328.5/themes/resources/owafont.css
GET | 200 | javascript | https://exchange-dev/owa/14.2.328.5/scripts/premium/flogon.js
Page title: Outlook Web App
GET | 200 | html | https://exchange-dev/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fexchange-dev%2fowa%2f
GET | (Cache) | css | https://exchange-dev/owa/14.2.328.5/themes/resources/logon.css
GET | (Cache) | css | https://exchange-dev/owa/14.2.328.5/themes/resources/owafont.css
GET | (Cache) | javascript | https://exchange-dev/owa/14.2.328.5/scripts/premium/flogon.js
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgntopl.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgntopr.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgnexlogo.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgnbotl.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgntopm.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgnleft.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgnbotr.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgnright.gif
GET | (Cache) | gif | https://exchange-dev/owa/14.2.328.5/themes/resources/lgnbotm.gif


--
jeschaff
------------------------------------------------------------------------
jeschaff's Profile: https://forums.netiq.com/member.php?userid=400
View this thread: https://forums.netiq.com/showthread.php?t=46227

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Proxy Outlook 2010 webmail

jeschaff wrote:

>
> edmaa;222476 Wrote:
> >
> >
> > So where is the redirect to? Did you put the real DNS name of your
> > OWA server in the host header field? Generally you wouldn't need a
> > rewriter policy if you only want to rewrite host names as NAM is
> > smart enough to do that itself.
> >
> > --
> > Cheers,
> > Edward

>
> To answer your questions
> 1. the 301 redirect is to the exchange server
> 2. for the reverse proxy config, and more specifically the host
> header. I tried two things. First I tried the Forward Received Host
> Name. When that didn't work I tried Web Server Host Name, and
> specified the actual resolvable DNS host name of the exchange server
> exchange-dev.test.com
> 3. Your statement about not generally needing a rewriter defined is my
> understanding of NAM as well. I thought it was smart enough to do all
> the rewrites, so I didn't specify anything more than was defined in
> the directions at:
> http://tinyurl.com/d7psuk2
>
> In short... the first call from my browser goes to the NAM hosted
> url: https://test-owa.test.com
>
> I then immediately receive a 301 response, that redirects me back to
> the actual Outlook web server, bypassing Access Manager. So now I
> receive the OWA login page from the outlook web server and can
> actually login. The problem is that I'm no longer going through
> Access Manager at this point, which is why I stated that I believe
> the rewriter doesn't appear to be working as expected. A long story
> short I'm probably missing something simple, or doing something
> stupid. I just can't seem to figure it out at the moment.
>
> -Jeff
>
>
> Here is what I see at the browser (exported from http watch):
>
> METHOD | RESULT | TYPE | URL
> page title: https://exchange-dev/owa/auth/logon.aspx?url=https://exchange-dev/owa/&reason=0
> GET | 301 | Redirect to https://exchange-dev/owa |


What if you create a proxy for the URL you get the 301 to? Have you
tried that? That way OWA can't really throw a redirect as it's using the
same fqdn.

--
Cheers,
Edward
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Proxy Outlook 2010 webmail


Was this ever resolved? I have the same setup and same problem, except
I am using NAM 4 sp1. The rewriter does not appear to be working, which
prevents SSO.
Thanks
Russ


--
oyarsa
------------------------------------------------------------------------
oyarsa's Profile: https://forums.netiq.com/member.php?userid=193
View this thread: https://forums.netiq.com/showthread.php?t=46227

0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Proxy Outlook 2010 webmail

oyarsa wrote:

>
> Was this ever resolved? I have the same setup and same problem,
> except I am using NAM 4 sp1. The rewriter does not appear to be
> working, which prevents SSO.


The original poster never reported back unfortunately. Do you have the
exact same issue? If not, maybe start a new thread and supply logs
while apache is in debug (/etc/init.d/novell-apache2 restart debug).
The log file is /var/log/novell-apache2/error_log





--
Cheers,
Edward
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Proxy Outlook 2010 webmail


The resolution of this issue for me was to add an additional DNS name.
I am using domain-based rather than path-based multi-homing. The
httpheaders log on the MAG showed the return from OWA as
myowaserver.com:1234. It seems like this should have matched on the
rule to rewrite the web server host name of myowaserver.com, but it
didn't. When I added an additional DNS of https://myowaserver.com:1234,
everything worked.
Thanks
Russ


--
oyarsa
------------------------------------------------------------------------
oyarsa's Profile: https://forums.netiq.com/member.php?userid=193
View this thread: https://forums.netiq.com/showthread.php?t=46227

0 Likes
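
Added example (not part of the thread and not NetIQ code): a small Python check that walks a captured redirect chain and reports every redirect that moves the client from the published proxy name to a back-end name, along with whether that exact host or host:port string is among the names configured for rewriting. It assumes names are compared exactly as written, port included; the function names, the published name in the second trace, and its status code and path are made up for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = {301, 302, 303, 307, 308}

def authority(url):
    """(host, port) of a URL, with the scheme's default port filled in."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def audit_redirects(chain, published, rewrite_names):
    """Report redirects that move the client off the published proxy name.

    chain: (request_url, status, location_header) tuples from a trace.
    rewrite_names: "host" or "host:port" strings configured on the proxy
    (assumption: compared exactly as written, port included).
    """
    pub, findings = authority(published), []
    for request_url, status, location in chain:
        if status not in REDIRECTS or not location:
            continue
        target = urljoin(request_url, location)  # resolve relative Location
        if authority(request_url) != pub or authority(target) == pub:
            continue  # request was already off-proxy, or redirect stays on it
        seen = urlsplit(target).netloc.lower()
        findings.append({"request": request_url, "location": target,
                         "backend_authority": seen,
                         "listed_for_rewrite": seen in rewrite_names})
    return findings

# First three rows of the HTTP Watch export in the thread.
THREAD_TRACE = [
    ("https://test-owa.test.com/", 301, "https://exchange-dev/owa"),
    ("https://exchange-dev/owa", 301, "/owa/"),
    ("https://exchange-dev/owa/", 302,
     "https://exchange-dev/owa/auth/logon.aspx?url=https://exchange-dev/owa/&reason=0"),
]
# Constructed: host:port is the value from the last post; the published
# name, status code and path are placeholders.
PORT_TRACE = [("https://owa-proxy.example/", 302, "https://myowaserver.com:1234/owa/")]

if __name__ == "__main__":
    for f in audit_redirects(THREAD_TRACE, "https://test-owa.test.com",
                             {"exchange-dev.test.com"}):
        print(f)
    for names in ({"myowaserver.com"}, {"myowaserver.com", "myowaserver.com:1234"}):
        print(audit_redirects(PORT_TRACE, "https://owa-proxy.example", names))
```

Only the first hop of the thread's trace is reported, because every later request already goes straight to the back end; that first Location header is the one the proxy has to rewrite for access control to stay in the path.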