03-13-2012, 02:19 PM   #1
rvicker

Linux/Apache front end to Exchange 2007


I've posted a couple of threads before and haven't gotten any real feedback.

Using Apache (on Fedora 16 now) as a front end (reverse proxy) to Exchange 2007, and a config that worked on Fedora 8, I get an SSL error because Apache doesn't trust the self-signed cert from Exchange.

If I change the reverse proxy to not use SSL between it and Exchange, I get farther, but every page comes back in the browser address bar missing "https://". If I manually place it in front of the returned address, I can get the pages until the one after the login.

Both of these issues were the same when previously trying Fedora 14.

What I am looking for is:

1) How to import (I can export from Exchange) the self-signed certificate so that it doesn't conflict with Apache's self-signed certificate for the WAN side.

2) Instead, get the returned addresses to the browsers to be properly formatted.

I would prefer #1 as it keeps a tighter network but am also not sure if #2 still won't be necessary once past #1.

Thanks.


ProxyReceiveBufferSize 1024


#Exchange

<VirtualHost *:443>
# DocumentRoot /var/www/html/

RequestHeader set Front-End-Https "On"

RewriteEngine On

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLEngine On
SSLProxyEngine On
SSLProxyVerify Optional

SetEnv HTTPS_PORT 443

ExpiresActive On
ExpiresDefault "access plus 300 seconds"

# UserDir /var/www/html/

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPreserveHost On
ProxyBadHeader StartBody
ProxyVia On

#OWA % character in email subject fix
# RewriteMap percentsubject int:escape
# RewriteCond $1 ^/owa/.*\%.*$
# RewriteRule (/owa/.*) ${percentsubject:$1} [P]

RewriteRule ^/owa$ owa/ [R]

<Location /owa>
ProxyPass http://exchange.public.org/owa
ProxyPassReverse http://exchange.public.org/owa
SSLRequireSSL

# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.public.org"
</Location>

<Location /OAB>
ProxyPass http://exchange.public.org/OAB
ProxyPassReverse http://exchange.public.org/OAB
SSLRequireSSL

# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.public.org"
</Location>

<Location /rpc>
ProxyPass http://exchange.public.org/rpc
ProxyPassReverse http://exchange.public.org/rpc
SSLRequireSSL

# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.public.org"
</Location>

<Location /ecp>
ProxyPass http://exchange.public.org/ecp
ProxyPassReverse http://exchange.public.org/ecp
SSLRequireSSL

# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.public.org"
</Location>

<Location /RpcWithCert>
ProxyPass http://exchange.public.org/RpcWithCert
ProxyPassReverse http://exchange.public.org/RpcWithCert
SSLRequireSSL

# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.public.org"
</Location>

# Enables Windows Mobile ActiveSync
<Location /Microsoft-Server-ActiveSync>
ProxyPass http://exchange.public.org/Microsoft-Server-ActiveSync
ProxyPassReverse http://exchange.public.org/Microsoft-Server-ActiveSync
SSLRequireSSL

# Rewrite the WWW-Authenticate header to strip out Windows Integrated
# Authentication (NTLM) and only use Basic-Auth
SetEnvIf User-Agent ".*MSIE.*" value
SetEnvIf User-Agent ".*MSIE.*" BrowserMSIE
Header Always Unset WWW-Authenticate
Header Always Add WWW-Authenticate "Basic realm=www.public.org"
</Location>

</VirtualHost>
#/Exchange
 
03-14-2012, 11:29 PM   #2
xeleema
Greetingz!

1) Please use "code" tags around outputs ( [code] & [/code] )
2) Having problems with a self-signed cert? Why not set up a quick Certificate Authority for your domain? (Assuming it's not public-facing, else try CAcert.)
It's quick, free (as in $$ and as in 'libre'), and it'll address a whole lot of other problems you have with SSL down the road.
 
03-20-2012, 08:47 AM   #3
rvicker (Original Poster)
xeleema, First, for some reason the board didn't email me that you had responded, so sorry for the delay.

Second, oops, didn't see the [code] tags button.

Third, the only problem I am having is finding the correct procedure to import the Exchange's self-signed certificate so that Apache will trust the Exchange server as a client to the reverse proxy. That, or at least getting Apache to return web pages so that the browsers continue to use HTTPS:// rather than dropping it and going back to HTTP://
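
An added example, not part of any post in this thread: one way to make the proxy trust the exported Exchange certificate for the backend leg only, shown beside the settings from the posted config. The PEM file name `exchange-backend.pem` and the input file name `exchange.cer` are hypothetical; host names and the WAN-side certificate paths are the ones in post #1, and only the `/owa` location is shown.

```apache
# One-time step on the proxy: the certificate exported from Exchange as a
# DER-encoded .cer is converted to PEM so mod_ssl can read it.
#   openssl x509 -inform DER -in exchange.cer \
#       -out /etc/pki/tls/certs/exchange-backend.pem   # hypothetical path

<VirtualHost *:443>
    # WAN side: the proxy's own certificate, as in the posted config.
    # This pair is what browsers see; it plays no part in backend trust.
    SSLEngine On
    SSLCertificateFile    /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    # Backend side.
    # Posted config: "SSLProxyVerify Optional" with http:// targets, so the
    # proxy-to-Exchange leg is neither encrypted nor authenticated.
    # Here: the backend must present a certificate that chains to the file
    # below. For a self-signed certificate that file is the certificate itself.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/tls/certs/exchange-backend.pem
    # The CN check only passes if the certificate's CN equals the host name
    # used in ProxyPass (exchange.public.org here).
    SSLProxyCheckPeerCN On
    SSLProxyCheckPeerExpire On

    <Location /owa>
        # https:// instead of http:// on both directives, so redirects
        # issued by the backend are mapped back to the front-end URL.
        ProxyPass        https://exchange.public.org/owa
        ProxyPassReverse https://exchange.public.org/owa
        SSLRequireSSL
    </Location>

    # Fallback for the second question in post #1: if a redirect still
    # reaches the browser with an http:// scheme, rewrite it to https://.
    # Requires mod_headers.
    Header edit Location ^http:// https://
</VirtualHost>
```

The WAN-side certificate (`SSLCertificateFile`) and the backend trust anchor (`SSLProxyCACertificateFile`) are separate directives, so the two self-signed certificates do not collide.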
 
  

