But there is a cheap solution using Apache 2.0 and mod_ssl plus mod_proxy, this article explain step by step how to make a protection of OWA. Also we need a self-signed or valid certificate in PEM format for SSL encryption. In OWA there is no need https.

We stick some information, 192.168.0.100 is the Exchange Server called exchange.lan
192.168.0.50  is the proxy Apache accessible from internet at ip a.b.c.d. with external DNS resolved as  webmail.mydomain.com

Let’s start configure mod_ssl and mod_proxy on Apache web server, first we check if you have already installed this modules.
From command line put this command: a2enmod -l

The result will be similar to

actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user authn_dbm autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5 proxy headers proxy_http proxy_ftp proxy_connect

The goal is to obtain in list the following loaded modules: ssl, proxy, proxy_http, proxy_connect and headers

with command a2enmod -q ssl a2enmod -q proxy etc you add automatically the modules (usually this modules are provided with Apache package) as a load module when Apache webserver starts.

In SuSE Enterprise we have also changed the directive APACHE_SERVER_FLAGS with the parameters “SSL !NOSSL”. The directive can be changed within Yast -> System ->Config Editor, Network/WWW  or directly to \etc\sysconfig\apache2 file.

Now second step is made appropriate changes in Apache configuration, with virtual host.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56

 
<pre lang="apache" line="1">
 
<IfDefine SSL>
<IfDefine !NOSSL>
 
<VirtualHost *:443>
 
DocumentRoot "/srv/www/htdocs"
ServerName webmail.mydomain.com
RequestHeader set Front-End-Https "On"
ProxyRequests Off
ProxyPreserveHost On
ServerAdmin support@mydomain.com
ErrorLog /var/log/apache2/webmailssl_error_log
TransferLog /var/log/apache2/webmailssl_access_log
CustomLog /var/log/apache2/ssl_request_log   ssl_combined
 
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
SSLCertificateFile /etc/apache2/ssl.crt/owaserver.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/owaserver.key
 
SetEnvIf User-Agent ".*MSIE.*" \
	 nokeepalive ssl-unclean-shutdown \
	 downgrade-1.0 force-response-1.0
 
<Location /exchange>
ProxyPass  http://webmail.mydomain.com/exchange
ProxyPassReverse http://webmail.mydomain.com/exchange
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SSLRequireSSL
</Location>
 
<Location /exchweb>
ProxyPass http://webmail.mydomain.com/exchweb
ProxyPassReverse http://webmail.mydomain.com/exchweb
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SSLRequireSSL
</Location>
 
<Location /public>
ProxyPass http://webmail.mydomain.com/public
ProxyPassReverse http://webmail.mydomain.com/public
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SSLRequireSSL
</Location>
 
</VirtualHost>                                  
 
</IfDefine>
</IfDefine>

ProxyPreserveHost pass the original host header supplied by client to the server (exchange)
RequestHeader force to use the https:// instead of http:// is required for terminated the request SSL tunnel at reverse proxy and using clear HTTP text between the proxy and OWA
SSLcertificate files (.crt and .key PEM format) require a certificate self-signed or buy from organizations because client authentication is passed in clear to OWA, and this is a best practice for encrypt authentication between client and proxy.

Now the directive most interesting:

 
<Location /exchange>
ProxyPass  http://webmail.mydomain.com/exchange
ProxyPassReverse http://webmail.mydomain.com/exchange
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SSLRequireSSL
</Location>

for OWA we need to proxy /exchange /exchweb and /public.
With SetEnv force-proxy-request-1.0 and SetEnv proxy-nokeepalive you can bypass some troubles as reported on Apache documentation

[Protocol Adjustments]
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

For circumstances where you have a application server which doesn't
implement keepalives or HTTP/1.1 properly, there are 2 environment
variables which when set send a HTTP/1.0 with no keepalive. These are set
via the SetEnv directive.

Now we have only tell on proxy server where is webmail.mydomain.com. Open your /etc/hosts files and append at the end of file

192.168.0.100 webmail.mydomain.com

All is done, start your Apache webserver and connect (from outside) to your https://webmail.mydomain.com/exchange if all are ok you must see a popup requesting credentials.

Finally a little tricky, if you want redirect your users from http://mydomain.com to https://mydomain.com/exchange you can use into your virtual host directive this configuration. Simply change the RedirectMatch directive as your needs.

1
2
3
4
5
6
7
8
9
10
11
12

 
<VirtualHost *:80>
    ServerAdmin support@mydomain.com
    ServerName webmail.mydomain.com
    ErrorLog /var/log/apache2/webmail.error_log
    CustomLog /var/log/apache2/webmail.access_log combined
    ServerSignature On
 
    RedirectMatch permanent /$ https://webmail.mydomain.com/exchange
    RedirectMatch permanent (/.*) https://webmail.mydomain.com$1
 
</VirtualHost>