Configuring an Nginx-Based Reverse Proxy for OWA
Notes before we begin
About Nginx:
Nginx (pronounced "engine X") is a lightweight, high-performance web server/reverse proxy and e-mail (IMAP/POP3) proxy created by Igor Sysoev for the large Russian web company Rambler and kindly provided to the open-source community. It can be used as a standalone HTTP server or as a reverse proxy in front of Apache or another "big" server like Microsoft IIS, to reduce the load that many concurrent HTTP sessions place on the backend server. As a standalone web server, Nginx can easily handle a huge HTTP load on static files (images, HTML pages, etc.). You can find more about Nginx in the official English Wiki (http://wiki.nginx.org).
If you want to know what a reverse proxy is, read the introduction of my first article.
Prerequisites
You will need Debian Linux installed. In this guide I'm using a clean install of Debian 5.0 (lenny).
You will need an SSL certificate for this guide to work for you. You may also use a self-signed certificate, but a trusted certificate is recommended in a production environment. Read this article for more info.
You must run all commands in this guide with root privileges.
Make sure you have updated your package repository and upgraded to the latest packages. In Debian, type:
# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
To make this easier to follow, I will use example names for the Exchange server and the Internet domain name for OWA:
Exchange Server: exchange.local
OWA Internet address: owa.planetit.ws
You will need to replace them with your real names.
This guide may also work on other Debian based distributions, like Ubuntu, Xandros, Mint, or Nexenta Core (an OpenSolaris based distribution with Debian package base).
Install Nginx, it's easy on Debian
# apt-get install nginx
Create directories for certificates:
# mkdir /etc/nginx/ssl.crt
# mkdir /etc/nginx/ssl.key
Make sure to:
- Copy your certificate file to: /etc/nginx/ssl.crt/
- Copy your certificate key file to: /etc/nginx/ssl.key/
Configure Nginx for OWA
Edit the virtual host file for Nginx; this is the main configuration for our OWA reverse proxy:
# vi /etc/nginx/sites-available/owa
Paste the following configuration to the virtual host file, remember to replace example names with real names:
server {
    listen 80;
    server_name owa.planetit.ws;
    # Redirect any HTTP request to HTTPS
    rewrite ^(.*) https://owa.planetit.ws$1 permanent;
    error_log /var/log/nginx/owa-error.log;
    access_log /var/log/nginx/owa-access.log;
}
server {
    listen 443;
    server_name owa.planetit.ws;
    # Redirect from "/" to "/owa" by default
    rewrite ^/$ https://owa.planetit.ws/owa permanent;
    # Enable SSL
    ssl on;
    ssl_certificate /etc/nginx/ssl.crt/owa-planetit-ws.crt;
    ssl_certificate_key /etc/nginx/ssl.key/owa-planetit-ws.key;
    ssl_session_timeout 5m;
    # Set global proxy settings
    proxy_read_timeout 360;
    proxy_pass_header Date;
    proxy_pass_header Server;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location /owa { proxy_pass https://exchange.local/owa; }
    location /Microsoft-Server-ActiveSync { proxy_pass https://exchange.local/Microsoft-Server-ActiveSync; }
    error_log /var/log/nginx/owa-ssl-error.log;
    access_log /var/log/nginx/owa-ssl-access.log;
}
I will not go through each directive in this file, as that is beyond the scope of this guide. In short, this configuration tells Nginx to forward all requests that come in for "http://owa.planetit.ws" to the Exchange server "exchange.local". It also automatically redirects incoming requests from HTTP to HTTPS and from the root "/" to "/owa", and it enables ActiveSync proxying. Note that the above configuration works only with Exchange 2007 OWA. If you want it to work with Exchange 2003 OWA, then:
Find:
location /owa { proxy_pass https://exchange.local/owa; }
Replace with:
location /exchange { proxy_pass https://exchange.local/exchange; }
location /exchweb { proxy_pass https://exchange.local/exchweb; }
location /public { proxy_pass https://exchange.local/public; }
After saving this file, you will need to enable this site:
# cd /etc/nginx/sites-enabled
# ln -s /etc/nginx/sites-available/owa owa
If you cannot resolve internal LAN Domain Names, then add a local Exchange name to “/etc/hosts” file:
# echo 192.168.0.16 exchange.local exchange >> /etc/hosts
Then, restart Nginx:
# invoke-rc.d nginx restart
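A pre-flight check for the steps above, as an added example that is not part of the original article: it verifies that the private key is not accessible to group or others, and lints the virtual host file for a one-argument proxy_set_header and for a server_name that no HTTPS redirect points to. The function names and the sample data in demo() are assumptions made for illustration.

```shell
# Added example, not part of the original article: checks to run before
# restarting Nginx. Function names and demo() data are constructed.

# Fail if group or others have any permission bits on the private key.
check_key_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)    # "------" for mode 600 or 400
    [ "$perms" = "------" ] && return 0
    echo "$1: key accessible to group/others ($perms), use chmod 600" >&2
    return 1
}

# Lint the vhost: proxy_set_header takes exactly a name and a value, and each
# server_name should be a host that an https rewrite in the file points to.
# Whitespace tokenizer only: quoted values containing spaces are not handled.
lint_vhost() {
    awk '
        { sub(/#.*/, "") }                        # strip comments
        $1 == "proxy_set_header" && NF != 3 {
            printf "%s:%d: proxy_set_header needs name and value\n", FILENAME, NR
            bad = 1
        }
        $1 == "server_name" { n = $2; sub(";$", "", n); names[n] = NR }
        $1 == "rewrite" && $3 ~ "^https://" {
            h = $3; sub("^https://", "", h); sub("[/$;].*", "", h); hosts[h] = 1
        }
        END {
            for (n in names) if (!(n in hosts)) {
                printf "%s:%d: server_name %s is not a redirect target\n", FILENAME, names[n], n
                bad = 1
            }
            exit bad
        }
    ' "$1" >&2
}

# Constructed sample: misspelled server_name, one-argument proxy_set_header,
# and a world-readable key file. Prints "key=1 vhost=1" (both checks fail).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'server {' '  listen 80;' '  server_name owa.planeit.ws;' \
        '  rewrite ^(.*) https://owa.planetit.ws$1 permanent;' \
        '  proxy_set_header Date;' '}' > "$d/owa"
    : > "$d/owa.key"; chmod 644 "$d/owa.key"
    k=0; check_key_perms "$d/owa.key" || k=1
    v=0; lint_vhost "$d/owa" || v=1
    rm -rf "$d"
    echo "key=$k vhost=$v"
}
demo
```

On the proxy itself, call check_key_perms on the real key file and lint_vhost on /etc/nginx/sites-available/owa, then run `nginx -t` so that syntax errors surface before the restart.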
Comments
Nov 20th 2009, by
Guest
I have changed the owa file to reflect my settings but when I try to start Nginx I get this error:
Restarting nginx: 2009/11/20 14:26:09 [emerg] 3484#0: invalid number of arguments in "proxy_set_header" directive in /etc/nginx/sites-enabled/owa:29
Nov 25th 2009, by
alex
My mistake, to fix that issue:
change "proxy_set_header Date;" and "proxy_set_header Server;"
to "proxy_pass_header Date;" and "proxy_pass_header Server;"
Updated the article, to reflect the changes.
Dec 29th 2009, by
Guest
Thanks for providing this tutorial. I was able to set up a working reverse proxy to my Exchange Server with it. But I had to add the following:
proxy_set_header Accept-Encoding "";
Only with this setting it's working with my (German) SBS 2003. Without this setting I got some "Content Encoding" errors (that's what Firefox calls it).
Jan 27th 2010, by
Guest
does it support active sync for Exchange 2003 / 2007 / 2010
Jan 28th 2010, by
alex
I tested the config with 2003 & 2007 with NTLM turned off. Should work with 2010 also.
Mar 26th 2010, by
Guest
Hi. I tried to run it with Exchange 2010, but ActiveSync and OA had problems with POST method for some reason... I tested it with https://www.testexchangeconnectivity.com/.
Of course NTLM was turned off.
Apr 5th 2010, by
Guest
Also with Exchange 2010, you'll need an additional entry for 'ecp'...
location /ecp { proxy_pass https://exchange.local/ecp; }
Apr 24th 2010, by
Guest
will this work with a blackberry BIS?
MS/mac
Apr 29th 2010, by
Guest
Did any of you have problems with attachments larger than 2Mb? My connection is being dropped when attaching files 2Mb or larger.
May 29th 2010, by
Guest
Hi,
thanks for the HowTo. But does nginx also work for Outlook Anywhere? If so, how?
thx
May 29th 2010, by
alex
As far as I know Outlook anywhere (or RPC over HTTPS) requires NTLM to work properly. Unfortunately NGINX doesn't support NTLM yet...
May 29th 2010, by
Guest
Hi,
thx for your answer. But RPC over HTTPS supports basic authentication. I have tested it with
location ~* ^/Rpc { proxy_pass https://exchange.local/; }
but if I open the URL with my browser I get an authentication prompt, and after I have successfully authenticated I get a "502 Bad Gateway" error. Has anyone a solution?
Apr 20th 2011, by
Guest
Hi
I don't know what's wrong, I can't get nginx to do active sync. The web Outlook parts work fine but I keep getting a "can't verify account" on my iPhone when I try to active sync. Active Sync is working since I can connect to the Exchange server while I'm using the internal address but not the public address. If anyone can point me in the direction of even how to troubleshoot this issue, that would be great.
thanks
Apr 22nd 2011, by
Guest
I set up the reverse proxy, tested it for OWA and active sync. Both work! Unfortunately I can only get the active sync to work with an Android phone. Active sync fails with the iPhone. Anyone got the iPhone working with Nginx?
Raymond
May 11th 2011, by
Guest
Hello,
Did anyone get ActiveSync working with all the mobile phones? We got the OWA piece working fine. The ActiveSync is the one that won't work. We see the connection on the iPhone and the Android phone, but they won't connect. The iPhone gets a 400, then a 200, but never retrieves any mail. The Android phone gets a 200, but also doesn't retrieve mail.
Any help would be greatly appreciated. Thank you all.
Sep 29th 2011, by
Guest
I managed to configure nginx and works fine in the LAN but putting it in the DMZ and try from outside I get browser error 504 Gateway Time-out. Any idea?
I think is the echo 192.168.0.16 exchange.local exchange >> /etc/hosts can access over the DMZ. Thanks
Oct 26th 2011, by
Guest
HI,
I tried both the above and Apache reverse proxy and both work except for one problem:
When I try and send mail from my Apple iPhone to Exchange 2010 ActiveSync I get the following on the Exchange Server's IIS log:
SendMail&Log=V140_RpcC15_RpcL15_Erq1_S102_Error:InvalidWBXML
Anybody else got this?
Thanks

