Re: A Good Reverse Proxy Product

[David Glosser <david_glosser () yahoo com>]

How about an SSL VPN device... Aventail, Juniper, or even ISA server, etc.?  

Still place the OWA box in the DMZ, but don't allow direct access to it, only through the VPN...

Also should consider an IDS/IPS or web application firewall in addition to this. 







----- Original Message ----
> From: Aiko Barz <aiko () deepco de>
> To: Paul Guibord <pguibord () thenailcogroup com>
> Cc: security-basics () securityfocus com
> Sent: Friday, May 2, 2008 8:11:16 AM
> Subject: Re: A Good Reverse Proxy Product
>
> On Wed, Apr 30, 2008 at 02:43:22PM -0400, Paul Guibord wrote:
> > Greetings to all,
> >
> > We have a new MS Exchange server and the administrator wants to provide remote 
> Outlook Web Access access to it from the internet.
> > As opposed to having a direct outside to inside translation to it I was told 
> that we could put a reverse proxy server in the DMZ and then provide a DMZ to 
> inside translation form there.
> > First of all does this sound like the safest approach and if so can anyone 
> provide the name of a good stable/secure reverse proxy product.
>
> Hi,
>
> I used Apache and Squid as a Reverse Proxy for OWA and RPC over HTTPs.
>
> Just a warning: You cannot use Apache as a Reverse Proxy for RPC over
> HTTPs anymore, because current versions are more strict and M$ is lying
> abount the HTTP "Content-Length": Outlook says, that the request has the
> content-length of 1GB. The Apache is waiting for the whole request: Dead
> lock. Outlook never intended to really send 1GB...
> https://issues.apache.org/bugzilla/show_bug.cgi?id=40029
>
> If you want to use RPC over HTTPs with squid and Debian Stable, you need
> to know, that the default package is not build with SSL support. You
> need to get the Debian Source package and enable SSL support. (Just one
> line.)
>
> So long,
>     Aiko
> -- 
> :wq ✉