From Joe Williams <jwilli...@ntegrated.net>
Subject [users@httpd] Apache2 reverse Proxy for MS Lync
Date Fri, 10 May 2013 16:18:12 GMT
Looking for a little help from the community on an issue between Apache2 and MS Lync. If anyone has similar experience using these two in conjunction with each other, it would be very helpful. Thanks in advance for any responses!

Information I can give on the problem follows:

I am having an issue getting mobility clients to connect via my Debian/Apache2 reverse proxy to the Lync front end server. From the information I have been able to gather, the communication is coming in through the reverse proxy, traversing the reverse proxy and talking to the front end server. I am unsure why the client is still failing to connect. There is a message in the error.log about error reading status from the front end server, but I'm not sure what could be causing this. Mobility clients are working internally on the wireless network.

SSL certificates are installed and I am getting no certificate errors. SANs are as follows on the proxy:

sip.externaldomain.com
edge.externaldomain.com
lyncdiscover.externaldomain.com

I am using sip.externaldomain.com as a single record/IP for all external web services on the Lync topology, using different ports: SIP access - 5061, web conferencing - 444, A/V service - 443. The Lync Server external web site has bindings on 8080 and 4443 for its services, hence the translation in the revproxy from 443 to 4443.

Any help here would be greatly appreciated; if there is any information I left out that may be needed, please let me know.


Due to licensing constraints, this is my only option for a reverse proxy and I need to get it working.




------------------/etc/hosts----------------------------------------------

user@revProxy:/etc/apache2/sites-enabled# more /etc/hosts
127.0.0.1       localhost
45.x.x.x   revProxy
10.255.255.201  pool1.internaldomain.net
10.255.255.202  rdc1.internaldomain.net



------------------ports.conf----------------------------------------------

user@revProxy:/etc/apache2# more ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80
Listen 8080

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
    Listen 4443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
    Listen 4443

</IfModule>



----------------httpd.conf------------------------------------------------

user@revProxy:/etc/apache2# more httpd.conf
servername sip.externaldomain.com
RewriteEngine On



---------------CERTS------------------------------------------------------


user@revProxy:/etc/apache2/ssl# ls -a
.  ..  gd_bundle.crt  server.crt  server.key  sip.externaldomain.com.crt  sip_asilighting_com.key
user@revProxy:/etc/apache2/ssl#

---------------mods-enabled-----------------------------------------------

user@revProxy:/etc/apache2/mods-enabled# ls -a
.                authz_default.load    cgid.conf     env.load          proxy_connect.load  setenvif.conf
..               authz_groupfile.load  cgid.load     mime.conf         proxy_http.load     setenvif.load
alias.conf       authz_host.load       deflate.conf  mime.load         proxy.load          ssl.conf
alias.load       authz_user.load       deflate.load  negotiation.conf  reqtimeout.conf     ssl.load
auth_basic.load  autoindex.conf        dir.conf      negotiation.load  reqtimeout.load     status.conf
authn_file.load  autoindex.load        dir.load      proxy.conf        rewrite.load        status.load



---------------proxy.conf-------------------------------------------------

user@revProxy:/etc/apache2/mods-enabled# more proxy.conf
<IfModule mod_proxy.c>

# If you want to use apache2 as a forward proxy, uncomment the
# 'ProxyRequests On' line and the <Proxy *> block below.
# WARNING: Be careful to restrict access inside the <Proxy *> block.
# Open proxy servers are dangerous both to your network and to the
# Internet at large.
#
# If you only want to use apache2 as a reverse proxy/gateway in
# front of some web application server, you DON'T need
# 'ProxyRequests On'.

ProxyRequests Off

<Proxy *>
        Order deny,allow
        Allow from all
</Proxy>

# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
ProxyVia Full

</IfModule>


------------default sites-available--------------------------------------

user@revProxy:/etc/apache2/sites-enabled# more 000-default
<VirtualHost *:80>
        ServerAdmin techs@ntegrated.net

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

                ProxyPass / http://10.255.255.201:8080/
                ProxyPassReverse / http://10.255.255.201:8080/

</VirtualHost>


user@revProxy:/etc/apache2/sites-available#



------------ssl sites-available------------------------------------------

user@revProxy:/etc/apache2/sites-available# more ssl


<VirtualHost *:443>
        ServerAdmin techs@ntegrated.net

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/sip.externaldomain.com.crt
        SSLCertificateKeyFile /etc/apache2/ssl/sip_externaldomain_com.key
        SSLCACertificateFile /etc/apache2/ssl/gd_bundle.crt

        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined

                SSLProxyEngine on
                ProxyPreserveHost on
                KeepAlive On
                ProxyReceiveBufferSize 4096
                ProxyPass / https://10.255.255.201:4443/ KeepAlive=on
                ProxyPassReverse / https://10.255.255.201:4443/ KeepAlive=on

</VirtualHost>

user@revProxy:/etc/apache2/sites-available#


------------tcpdump on reverse proxy-------------------------------------

user@revProxy:/etc/apache2# tcpdump host pool1.internaldomain.net -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:33:19.721404 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [S], seq 3517822634, win 5840, options [mss 1460,sackOK,TS val 446937203 ecr 0,nop,wscale 5], length 0
09:33:19.722131 ARP, Request who-has 10.255.255.199 tell pool1.internaldomain.net, length 28
09:33:19.722144 ARP, Reply 10.255.255.199 is-at 00:15:5d:be:ef:19 (oui Unknown), length 28
09:33:19.722632 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [S.], seq 4120004647, ack 3517822635, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 256236882 ecr 446937203], length 0
09:33:19.722790 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 1, win 183, options [nop,nop,TS val 446937203 ecr 256236882], length 0
09:33:19.724608 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [P.], seq 1:106, ack 1, win 183, options [nop,nop,TS val 446937204 ecr 256236882], length 105
09:33:19.726403 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [.], seq 1:1449, ack 106, win 514, options [nop,nop,TS val 256236882 ecr 446937204], length 1448
09:33:19.726441 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 1449, win 147, options [nop,nop,TS val 446937204 ecr 256236882], length 0
09:33:19.726487 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [P.], seq 1449:2212, ack 106, win 514, options [nop,nop,TS val 256236882 ecr 446937204], length 763
09:33:19.726629 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 2212, win 124, options [nop,nop,TS val 446937204 ecr 256236882], length 0
09:33:19.728425 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [P.], seq 106:432, ack 2212, win 147, options [nop,nop,TS val 446937205 ecr 256236882], length 326
09:33:19.742156 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [P.], seq 2212:2271, ack 432, win 513, options [nop,nop,TS val 256236883 ecr 446937205], length 59
09:33:19.742993 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [P.], seq 432:1138, ack 2271, win 147, options [nop,nop,TS val 446937208 ecr 256236883], length 706
09:33:19.753135 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [P.], seq 2271:3092, ack 1138, win 510, options [nop,nop,TS val 256236885 ecr 446937208], length 821
09:33:19.791124 IP 10.255.255.199.49575 > pool1.internaldomain.net.4443: Flags [.], ack 3092, win 147, options [nop,nop,TS val 446937221 ecr 256236885], length 0
09:34:33.142535 IP pool1.internaldomain.net.netbios-dgm > 10.255.255.255.netbios-dgm: NBT UDP PACKET(138)
09:34:57.974985 ARP, Request who-has pool1.internaldomain.net tell 10.255.255.200, length 28
09:35:26.029433 ARP, Request who-has 10.255.255.199 tell pool1.internaldomain.net, length 28
09:35:26.029455 ARP, Reply 10.255.255.199 is-at 00:15:5d:be:ef:19 (oui Unknown), length 28
09:35:26.030280 IP pool1.internaldomain.net.4443 > 10.255.255.199.49575: Flags [R.], seq 3092, ack 1138, win 0, length 0
09:37:31.938572 ARP, Request who-has rdc1.internaldomain.net tell pool1.internaldomain.net, length 28
09:37:31.940084 ARP, Request who-has pool1.internaldomain.net tell rdc1.internaldomain.net, length 28
09:38:29.628788 ARP, Request who-has 10.255.255.200 tell pool1.internaldomain.net, length 28
09:38:29.628821 ARP, Request who-has pool1.internaldomain.net tell 10.255.255.200, length 28
^C
24 packets captured
24 packets received by filter
0 packets dropped by kernel
user@revProxy:/etc/apache2#


-----------------access.log----------------------------------------------

98.x.x.x - - [10/May/2013:06:02:29 -0500] "GET /?sipuri=pwalsh@externaldomain.com HTTP/1.1" 200 4836 "-" "OC/15.0.4481.1000 (Microsoft Lync)"
98.x.x.x - - [10/May/2013:06:02:29 -0500] "GET /?sipuri=pwalsh@externaldomain.com HTTP/1.1" 403 1519 "-" "OC/15.0.4481.1000 (Microsoft Lync)"
70.x.x.x - - [10/May/2013:09:33:19 -0500] "GET /?sipuri=sip:jrall@externaldomain.com HTTP/1.1" 200 4789 "-" "ACOMO"
user@revProxy:/etc/apache2#



-----------------error.log-----------------------------------------------



[Wed May 10 09:33:19 2013] [error] [client 70.x.x.x] (104)Connection reset by peer: proxy: error reading status line from remote server 10.255.255.201:4443
[Wed May 10 09:33:19 2013] [error] [client 70.x.x.x] proxy: Error reading from remote server returned by /





----------------IIS logfile----------------------------------------------




Thanks,




Joe Williams
Ntegrated Solutions (http://www.ntegrated.net/)
NOC Engineer
214-432-3600 ext 314 Office
214-432-3601 fax
jwilliams@ntegrated.net
www.ntegrated.net<http://www.ntegrated.net/>
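As an added example (not part of the post), a small Python script that correlates the mod_proxy errors in error.log with the matching requests in access.log by client address and timestamp, so the failing backend read can be tied to a specific request and User-Agent. The log lines are constructed to match the formats shown in the post, with sample addresses in place of the redacted client octets.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the access.log and error.log in the post
# (redacted client octets replaced with sample addresses; not real traffic).
ACCESS_LOG = """\
98.0.0.1 - - [10/May/2013:06:02:29 -0500] "GET /?sipuri=pwalsh@externaldomain.com HTTP/1.1" 200 4836 "-" "OC/15.0.4481.1000 (Microsoft Lync)"
98.0.0.1 - - [10/May/2013:06:02:29 -0500] "GET /?sipuri=pwalsh@externaldomain.com HTTP/1.1" 403 1519 "-" "OC/15.0.4481.1000 (Microsoft Lync)"
70.0.0.1 - - [10/May/2013:09:33:19 -0500] "GET /?sipuri=sip:jrall@externaldomain.com HTTP/1.1" 200 4789 "-" "ACOMO"
"""
ERROR_LOG = """\
[Fri May 10 09:33:19 2013] [error] [client 70.0.0.1] (104)Connection reset by peer: proxy: error reading status line from remote server 10.255.255.201:4443
[Fri May 10 09:33:19 2013] [error] [client 70.0.0.1] proxy: Error reading from remote server returned by /
"""

# Apache 2.2 "combined" access log format and the 2.2 error_log format.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                       r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$')

def parse_access(text):
    """Return (timestamp, client, request, status, user_agent) for each request line."""
    rows = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')  # drop tz offset
            rows.append((ts, m['ip'], m['req'], int(m['status']), m['ua']))
    return rows

def parse_proxy_errors(text):
    """Return (timestamp, client, message) for mod_proxy error lines only."""
    rows = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m and 'proxy:' in m['msg']:
            ts = datetime.strptime(' '.join(m['ts'].split()[1:]), '%b %d %H:%M:%S %Y')  # skip weekday
            rows.append((ts, m['ip'], m['msg']))
    return rows

def correlate(access_rows, error_rows, window=timedelta(seconds=2)):
    """Map each request to the proxy errors logged for the same client within `window`."""
    hits = {}
    for ts, ip, req, status, ua in access_rows:
        msgs = [msg for ets, eip, msg in error_rows if eip == ip and abs(ets - ts) <= window]
        if msgs:
            hits[(ip, req, status, ua)] = msgs
    return hits
```

Run `correlate(parse_access(ACCESS_LOG), parse_proxy_errors(ERROR_LOG))` against real copies of both logs to list only the requests that produced a backend read error, together with the error text naming the remote server and port.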

