0% found this document useful (0 votes)

31 views6 pages

How To Configure The Reverse Proxy For Exchange Services

This document provides instructions for configuring a reverse proxy on a Barracuda CloudGen Firewall for Microsoft Exchange services like Autodiscover, ActiveSync, Outlook Web Access, and RPC. It involves creating an HTTP proxy service, setting access control lists and policies to allow access to Exchange URLs and IP ranges, enabling SSL encryption on the proxy, and mapping Exchange domains to the backend Exchange server IP address. The configuration protects the Exchange server by redirecting incoming requests without exposing its origin details.

Uploaded by

Andre Gas

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

31 views6 pages

How To Configure The Reverse Proxy For Exchange Services

Uploaded by

Andre Gas

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 6

Barracuda CloudGen Firewall

How to Conﬁgure the Reverse Proxy for Exchange Services

https://campus.barracuda.com/doc/39823795/

Conﬁgure the reverse proxy to redirect incoming requests from Microsoft Exchange Server services to
clients, without providing the origin details.

The steps in this article provide example settings to conﬁgure a reverse proxy for the following
Microsoft Exchange services:

Autodiscover
ActiveSync
Outlook Web Access
RPC

The following example server and service settings are also used:

Server or Service Settings

• FQDN: mailserver.company.com
Exchange Server
• Internal IP Address: 192.168.0.206
• FQDN: No DNS record is available.
HTTP Proxy Service
• External IP Address: 62.99.0.221
Internal DNS Server • Internal IP Address: 192.168.0.239

In this article:

System Requirements

Barracuda NG Firewall version 5.4.2 (or 5.4.1 with Hotﬁx 521) or later
Microsoft Exchange Server 2010 SP3

Before You Begin

Verify that an HTTP Proxy service has been created on the Barracuda NG Firewall, as described
in How to Create a Service.
Ensure that the local firewall rule set allows inbound HTTP/S traffic on listening port 443. For the
inbound host firewall rule named OP-SRV-PX, edit the Service setting to include HTTP+S. For
more information on configuring host firewall rules, see How to Edit the Local Firewall Ruleset.

How to Conﬁgure the Reverse Proxy for Exchange Services 1/6

Barracuda CloudGen Firewall

For some changes to take eﬀect, it might be necessary to stop and restart the squid
process on the Barracuda NG Firewall.
To prevent DNS issues with internal/external domain resolution, use IP addresses instead
of DNS names in the reverse proxy settings.

Step 1. Conﬁgure the Proxy Service

Enable and conﬁgure the HTTP Proxy service in reverse proxy mode.

Step 1.1 Conﬁgure the Service Properties

1. Log into the Barracuda NG Firewall.

2. Open the Service Properties page for the HTTP Proxy service (Conﬁg > Full
Conﬁg > Virtual Servers > your virtual server > Assigned Services > HTTP-Proxy >
Service Properties).
3. Click Lock.
4. Specify these settings:
Enable Service – Select yes.
Service Name – Enter a descriptive name (e.g., RPX).
Description – Enter a brief description (e.g., HTTP Proxy + the location of the
customer).
Service Availability – Select Explicit.
Explicit Service IPs – Add 62.99.0.221.
5. Click Send Changes, and then click Activate.

Step 1.2. Conﬁgure the Proxy Settings

1. Open the HTTP Proxy Settings page (Config > Full Config > Virtual Servers > your
virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings).
2. Click Lock.
3. In the Basic Settings section, specify the following settings:
Contact Mail – Enter the admin proxy email address.
Visible Hostname – Enter rpx.company.com.
Proxy Mode – Select Reverse Proxy.
4. From the Configuration menu in the left pane, select IP Configuration.
5. From the Configuration Mode menu in the left pane, select Advanced View.
6. Specify these settings:
TCP Listening Port – Enter 443.
TCP Outgoing Address – Select Dynamic.
UDP Incoming Address – Select First-IP.
UDP Outgoing Address – Select First-IP.
DNS Server IP A ddresses – Add 192.168.0.239.
7. Click Send Changes, and then click Activate.

How to Conﬁgure the Reverse Proxy for Exchange Services 2/6

Barracuda CloudGen Firewall

Step 2. Conﬁgure Access Control Settings

Create ACL entries for all Exchange services that must access the Barracuda NG Firewall and for
the source IP address range. Then conﬁgure the settings for access priority.

Step 2.1. Conﬁgure ACL Entries

1. Open the HTTP Proxy Settings page (Config > Full Config > Virtual Servers > your
virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings ).
2. From the Configuration Mode menu in the left pane, verify that Advanced View is selected.
3. From the Configuration menu in the left pane, select Access Control.
4. Click Lock.
5. From the Default Access list, select Deny.
6. Create an ACL entry for the Exchange URLs.
1. In the ACL Entries section, click the plus sign (+).
2. In the window that appears, enter a name for the list (e.g., ExchangeURLs), select URL,
and then click OK.
3. In the URL Extensions section, click the plus sign (+) and then add the following entries.
IP Addresses or FQDNs.
https://62.99.0.221/owa/*
https://62.99.0.221/rpc/*
https://62.99.0.221/Autodiscover/*
https://62.99.0.221/Microsoft-Server-ActiveSync/*
4. Click OK.
7. Create an ACL entry for the source IP range:
1. In the ACL Entries section, click the plus sign (+).
2. In the window that appears, enter a name for the list (e.g., World), select Source IP, and
then click OK.
3. From the IP Configuration list, select Rangemode.
4. In the IP Ranges section, enter:
From: 0.0.0.0
To: 255.255.255.255
5. Click OK.
8. Click Send Changes, and then click Activate.

Step 2.2. Conﬁgure ACL Policies

1. Create an ACL policy to allow the ACL entries that you created.
1. In the Access Control Policies section, click the plus sign (+).
2. In the window that appears, enter a name for the policy (e.g., ACCE00), and then
click OK.
3. In the ACL Priority ﬁeld, enter 10.
4. From the Action list, select Allow.
5. In the ACL Entries section, click the plus sign (+)and then select the following entries:

How to Conﬁgure the Reverse Proxy for Exchange Services 3/6

Barracuda CloudGen Firewall

ExchangeURLs
World
6. Click OK.
2. Create an ACL policy with a lower priority that denies the World ACL entry that you created.
1. In the Access Control Policies section, click the plus sign (+).
2. In the window that appears, enter a name for the policy, (e.g., ACCE01), and then
click OK.
3. In the ACL Priority ﬁeld, enter 99.
4. From the Action list, select Deny.
5. In the ACL Entries section, click the plus sign (+) and then select World.
6. Click OK.
3. Click Send Changes, and then click Activate.

Step 3. Conﬁgure the Reverse Proxy Settings

Enable SSL encryption, specify the back-end web site, and map the addresses of the Exchange
services.

Step 3.1. Conﬁgure the Reverse Proxy Settings

1. Open the HTTP Proxy Settings page (Config > Full Config > Virtual Servers > your
virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings).
2. From the Configuration menu in the left pane, select Reverse Proxy Settings.
3. From the Configuration Mode menu in the left pane, verify that Advanced View is selected.
4. Click Lock.
5. In the Backend Web Site field, enter 62.99.0.221 or the FQDN.
6. From the Use SSL list, select Yes.
7. In the SSL Listening Port field, enter 443.
8. Import the SSL Certificate and the SSL Private Key.
The certificate must contain the Name ( *.company.com) and SubAltName
(DNS:owa.company.com).
9. In the Backend IP Addresses section, click the plus sign (+) and then enter 192.168.0.206.
10. From the Round Robin and Domain-based Virtual Host lists, select no.

Step 3.2. Conﬁgure Domain to Back-end Mapping

Map the domains of the Exchange services to the back-end web site.

Complete the following steps for each Exchange service:

1. In the Domain to Backend Mapping section, click the plus sign (+).
2. In the window that appears, enter the name of the Exchange service that you are mapping
(e.g., Autodiscover ) and then click OK.

How to Conﬁgure the Reverse Proxy for Exchange Services 4/6

Barracuda CloudGen Firewall

3. From the Mapping Type list, select Url-Regex.

4. In the SSL Listening Port ﬁeld, enter the domain of the Exchange service that you are
mapping:
Exchange Service Domain
Autodiscover https://62.99.0.221/Autodiscover
ActiveSync https://62.99.0.221/Microsoft-Server-ActiveSync
Outlook Web Access https://62.99.0.221/owa
RPC https://62.99.0.221/rpc
5. From the Backend list, select 192.168.0.206 and then click OK.
6. Click Send Changes, and then click Activate.

How to Conﬁgure the Reverse Proxy for Exchange Services 5/6

Barracuda CloudGen Firewall

© Barracuda Networks Inc., 2023 The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No
portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of
an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no
responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this
publication without notice.