How To Configure The Reverse Proxy For Exchange Services
Configure the reverse proxy to redirect incoming requests from Microsoft Exchange Server services to
clients, without providing the origin details.
The steps in this article provide example settings to configure a reverse proxy for the following
Microsoft Exchange services:
Autodiscover
ActiveSync
Outlook Web Access
RPC
The following example server and service settings are also used:
System Requirements
Barracuda NG Firewall version 5.4.2 (or 5.4.1 with Hotfix 521) or later
Microsoft Exchange Server 2010 SP3
Verify that an HTTP Proxy service has been created on the Barracuda NG Firewall, as described
in How to Create a Service.
Ensure that the local firewall rule set allows inbound HTTP/S traffic on listening port 443. For the
inbound host firewall rule named OP-SRV-PX, edit the Service setting to include HTTP+S. For
more information on configuring host firewall rules, see How to Edit the Local Firewall Ruleset.
For some changes to take effect, it might be necessary to stop and restart the squid
process on the Barracuda NG Firewall.
To prevent DNS issues with internal/external domain resolution, use IP addresses instead
of DNS names in the reverse proxy settings.
Enable and configure the HTTP Proxy service in reverse proxy mode.
1. Open the HTTP Proxy Settings page (Config > Full Config > Virtual Servers > your
virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings).
2. Click Lock.
3. In the Basic Settings section, specify the following settings:
Contact Mail – Enter the admin proxy email address.
Visible Hostname – Enter rpx.company.com.
Proxy Mode – Select Reverse Proxy.
4. From the Configuration menu in the left pane, select IP Configuration.
5. From the Configuration Mode menu in the left pane, select Advanced View.
6. Specify these settings:
TCP Listening Port – Enter 443.
TCP Outgoing Address – Select Dynamic.
UDP Incoming Address – Select First-IP.
UDP Outgoing Address – Select First-IP.
DNS Server IP Addresses – Add 192.168.0.239.
7. Click Send Changes, and then click Activate.
Create ACL entries for all Exchange services that must access the Barracuda NG Firewall and for
the source IP address range. Then configure the settings for access priority.
1. Open the HTTP Proxy Settings page (Config > Full Config > Virtual Servers > your
virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings).
2. From the Configuration Mode menu in the left pane, verify that Advanced View is selected.
3. From the Configuration menu in the left pane, select Access Control.
4. Click Lock.
5. From the Default Access list, select Deny.
6. Create an ACL entry for the Exchange URLs.
1. In the ACL Entries section, click the plus sign (+).
2. In the window that appears, enter a name for the list (e.g., ExchangeURLs), select URL,
and then click OK.
3. In the URL Extensions section, click the plus sign (+) and then add the following entries.
IP Addresses or FQDNs.
https://62.99.0.221/owa/*
https://62.99.0.221/rpc/*
https://62.99.0.221/Autodiscover/*
https://62.99.0.221/Microsoft-Server-ActiveSync/*
4. Click OK.
7. Create an ACL entry for the source IP range:
1. In the ACL Entries section, click the plus sign (+).
2. In the window that appears, enter a name for the list (e.g., World), select Source IP, and
then click OK.
3. From the IP Configuration list, select Rangemode.
4. In the IP Ranges section, enter:
From: 0.0.0.0
To: 255.255.255.255
5. Click OK.
8. Click Send Changes, and then click Activate.
1. Create an ACL policy to allow the ACL entries that you created.
1. In the Access Control Policies section, click the plus sign (+).
2. In the window that appears, enter a name for the policy (e.g., ACCE00), and then
click OK.
3. In the ACL Priority field, enter 10.
4. From the Action list, select Allow.
5. In the ACL Entries section, click the plus sign (+) and then select the following entries:
ExchangeURLs
World
6. Click OK.
2. Create an ACL policy with a lower priority that denies the World ACL entry that you created.
1. In the Access Control Policies section, click the plus sign (+).
2. In the window that appears, enter a name for the policy (e.g., ACCE01), and then
click OK.
3. In the ACL Priority field, enter 99.
4. From the Action list, select Deny.
5. In the ACL Entries section, click the plus sign (+) and then select World.
6. Click OK.
3. Click Send Changes, and then click Activate.
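The access-control logic configured above, modelled as an added example (not Barracuda code or generated configuration). It assumes wildcard matching on the full URL, that every ACL entry in a policy must match, that policies are evaluated in ascending ACL Priority with the first match deciding, and that Default Access applies otherwise; the sample requests are constructed.

```python
from fnmatch import fnmatchcase
from ipaddress import ip_address

# ACL entry "ExchangeURLs": the URL patterns listed in the article.
EXCHANGE_URLS = [
    "https://62.99.0.221/owa/*",
    "https://62.99.0.221/rpc/*",
    "https://62.99.0.221/Autodiscover/*",
    "https://62.99.0.221/Microsoft-Server-ActiveSync/*",
]
# ACL entry "World": source range 0.0.0.0 - 255.255.255.255 (IPv4 only).
WORLD = (ip_address("0.0.0.0"), ip_address("255.255.255.255"))

ENTRIES = {
    "ExchangeURLs": lambda src, url: any(fnmatchcase(url, p) for p in EXCHANGE_URLS),
    "World": lambda src, url: WORLD[0] <= ip_address(src) <= WORLD[1],
}

# (policy name, ACL Priority, action, ACL entries) as configured in the article.
POLICIES = [
    ("ACCE01", 99, "Deny", ["World"]),
    ("ACCE00", 10, "Allow", ["ExchangeURLs", "World"]),
]
DEFAULT_ACCESS = "Deny"


def decide(src_ip, url):
    """Return (action, deciding policy) for one request.

    Assumed semantics: lowest priority number first, all entries must match.
    """
    for name, _prio, action, entries in sorted(POLICIES, key=lambda p: p[1]):
        if all(ENTRIES[e](src_ip, url) for e in entries):
            return action, name
    return DEFAULT_ACCESS, "default"


def audit(requests):
    """Evaluate a list of (source IP, URL) pairs against the policy set."""
    return [(src, url) + decide(src, url) for src, url in requests]


# Constructed sample requests: two published services, two unpublished paths.
SAMPLE = [
    ("203.0.113.10", "https://62.99.0.221/owa/auth/logon.aspx"),
    ("203.0.113.10", "https://62.99.0.221/Microsoft-Server-ActiveSync/default.eas"),
    ("203.0.113.10", "https://62.99.0.221/ecp/"),
    ("198.51.100.7", "https://62.99.0.221/"),
]

if __name__ == "__main__":
    for src, url, action, policy in audit(SAMPLE):
        print(f"{action:5} by {policy:7} {src:15} {url}")
```

Under these assumptions, any IPv4 request outside the four published paths is refused by ACCE01 before Default Access is consulted, so both safeguards would have to be removed for an unlisted path to become reachable.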
Enable SSL encryption, specify the back-end web site, and map the addresses of the Exchange
services.
1. Open the HTTP Proxy Settings page (Config > Full Config > Virtual Servers > your
virtual server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings).
2. From the Configuration menu in the left pane, select Reverse Proxy Settings.
3. From the Configuration Mode menu in the left pane, verify that Advanced View is selected.
4. Click Lock.
5. In the Backend Web Site field, enter 62.99.0.221 or the FQDN.
6. From the Use SSL list, select Yes.
7. In the SSL Listening Port field, enter 443.
8. Import the SSL Certificate and the SSL Private Key.
The certificate must contain the Name (*.company.com) and SubAltName
(DNS:owa.company.com).
9. In the Backend IP Addresses section, click the plus sign (+) and then enter 192.168.0.206.
10. From the Round Robin and Domain-based Virtual Host lists, select no.
Map the domains of the Exchange services to the back-end web site.
1. In the Domain to Backend Mapping section, click the plus sign (+).
2. In the window that appears, enter the name of the Exchange service that you are mapping
(e.g., Autodiscover) and then click OK.
© Barracuda Networks Inc., 2023 The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No
portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of
an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no
responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this
publication without notice.