You certainly do not want to expose your Exchange server to the internet unfiltered just to offer ActiveSync, Outlook Web App or EWS to mobile staff. One way to make this somewhat safer, and to get decent crypto in place at the same time, is to run an Apache reverse proxy in front of it. Here is an example configuration:
First, a few Apache modules have to be enabled and Apache reloaded (mod_proxy_http is what actually handles the http:// and https:// ProxyPass targets, and mod_ssl is needed for both the public side and SSLProxyEngine):
    sudo a2enmod proxy proxy_http ssl rewrite headers
    sudo service apache2 reload
    <VirtualHost *:443>
        ServerName <your FQDN>
        ServerAlias <your FQDN>
        ServerAdmin admin@yourdomain.tld

        # Hardening headers on every proxied response. "Header set" replaces
        # any earlier value for the same header, so each one is set exactly once.
        Header set X-Frame-Options SAMEORIGIN
        Header set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header set X-Content-Type-Options nosniff
        # Hide what is running behind the proxy.
        Header set Server Apache
        Header unset X-AspNet-Version
        Header unset X-OWA-Version
        Header unset X-Powered-By
        # Strip the Expect header before the request is handed to the backend.
        RequestHeader unset Expect early
        # Not referenced anywhere else in this config; kept from the original.
        SetEnvIf User-Agent ".*MSIE.*" value BrowserMSIE
        # Replace the backend's WWW-Authenticate challenge with a Basic challenge
        # for this realm (Basic over TLS for non-domain-joined clients).
        Header unset WWW-Authenticate
        Header add WWW-Authenticate "Basic realm=<your_exchange_server_fqdn>"

        # Reverse proxy only, never a forward proxy; pass the client's Host header on.
        ProxyRequests Off
        ProxyPreserveHost On
        SSLProxyEngine On

        # ProxyPass matches case-sensitively, hence one pair per spelling.
        # owa
        ProxyPass        /owa https://<your_exchange_server_fqdn>/owa
        ProxyPassReverse /owa https://<your_exchange_server_fqdn>/owa
        ProxyPass        /OWA https://<your_exchange_server_fqdn>/OWA
        ProxyPassReverse /OWA https://<your_exchange_server_fqdn>/OWA
        ProxyPass        /Owa https://<your_exchange_server_fqdn>/Owa
        ProxyPassReverse /Owa https://<your_exchange_server_fqdn>/Owa
        # Needed for changing the password via OWA
        ProxyPass        /iisadmpwd https://<your_exchange_server_fqdn>/iisadmpwd
        ProxyPassReverse /iisadmpwd https://<your_exchange_server_fqdn>/iisadmpwd
        # ecp
        ProxyPass        /ecp https://<your_exchange_server_fqdn>/ecp
        ProxyPassReverse /ecp https://<your_exchange_server_fqdn>/ecp
        ProxyPass        /ECP https://<your_exchange_server_fqdn>/ECP
        ProxyPassReverse /ECP https://<your_exchange_server_fqdn>/ECP
        ProxyPass        /Ecp https://<your_exchange_server_fqdn>/Ecp
        ProxyPassReverse /Ecp https://<your_exchange_server_fqdn>/Ecp
        # ews -> Exchange Web Services
        ProxyPass        /ews https://<your_exchange_server_fqdn>/ews
        ProxyPassReverse /ews https://<your_exchange_server_fqdn>/ews
        ProxyPass        /EWS https://<your_exchange_server_fqdn>/EWS
        ProxyPassReverse /EWS https://<your_exchange_server_fqdn>/EWS
        ProxyPass        /Ews https://<your_exchange_server_fqdn>/Ews
        ProxyPassReverse /Ews https://<your_exchange_server_fqdn>/Ews
        # Legacy OWA paths
        ProxyPass        /exchange https://<your_exchange_server_fqdn>/exchange
        ProxyPassReverse /exchange https://<your_exchange_server_fqdn>/exchange
        ProxyPass        /Exchange https://<your_exchange_server_fqdn>/Exchange
        ProxyPassReverse /Exchange https://<your_exchange_server_fqdn>/Exchange
        ProxyPass        /exchweb https://<your_exchange_server_fqdn>/exchweb
        ProxyPassReverse /exchweb https://<your_exchange_server_fqdn>/exchweb
        ProxyPass        /public https://<your_exchange_server_fqdn>/public
        ProxyPassReverse /public https://<your_exchange_server_fqdn>/public
        # Microsoft-Server-ActiveSync (long-lived push connections, hence the long timeout)
        ProxyPass        /Microsoft-Server-ActiveSync https://<your_exchange_server_fqdn>/Microsoft-Server-ActiveSync connectiontimeout=600
        ProxyPassReverse /Microsoft-Server-ActiveSync https://<your_exchange_server_fqdn>/Microsoft-Server-ActiveSync
        # AutoDiscover -> Autodiscover for non-AD-integrated clients (Mac, e.g.)
        ProxyPass        /autodiscover https://<your_exchange_server_fqdn>/autodiscover
        ProxyPassReverse /autodiscover https://<your_exchange_server_fqdn>/autodiscover
        ProxyPass        /Autodiscover https://<your_exchange_server_fqdn>/Autodiscover
        ProxyPassReverse /Autodiscover https://<your_exchange_server_fqdn>/Autodiscover
        ProxyPass        /AutoDiscover https://<your_exchange_server_fqdn>/AutoDiscover
        ProxyPassReverse /AutoDiscover https://<your_exchange_server_fqdn>/AutoDiscover

        DocumentRoot /var/www/html/
        # The original opened "<Directory />" to everyone; limiting the grant to the
        # DocumentRoot is sufficient for a proxy that serves no local content.
        <Directory /var/www/html/>
            # Apache 2.2 syntax; on 2.4 use "Require all granted" instead.
            Order deny,allow
            Allow from all
        </Directory>

        <Proxy *>
            # No keepalive and plain HTTP/1.0 towards the backend.
            SetEnv proxy-nokeepalive 1
            SetEnv force-proxy-request-1.0 1
            # Apache 2.2 syntax; on 2.4 use "Require all granted" instead.
            Order deny,allow
            Allow from all
        </Proxy>

        # Public-facing TLS
        SSLEngine On
        SSLCompression off
        SSLInsecureRenegotiation off
        # "+TLSv1.2" on its own only adds TLSv1.2 to the default ("all") and leaves
        # SSLv3/TLS 1.0/TLS 1.1 enabled; the leading "-all" is what restricts it.
        SSLProtocol -all +TLSv1.2
        SSLCertificateFile /etc/apache2/SSLCert.pem
        # The private key is either inside SSLCert.pem or given via SSLCertificateKeyFile.
        SSLCACertificateFile /etc/apache2/ca.pem
        SSLCertificateChainFile /etc/apache2/sub.class1.server.sha2.ca.pem
        SSLHonorCipherOrder on
        SSLCipherSuite AES256+EECDH:AES256+EDH
        SSLUseStapling on

        # Backend TLS: the hop to Exchange is encrypted, but with these settings the
        # Exchange certificate is not validated at all (typical for a self-signed
        # cert). Acceptable on a trusted internal network; otherwise import the
        # issuing CA and use "SSLProxyVerify require" with SSLProxyCACertificateFile.
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerExpire off

        # Workarounds for old Internet Explorer versions (as in the Debian default-ssl.conf)
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>

    # Must live in server context, outside the VirtualHost.
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
This has two very nice side effects:
First, it is very easy to disable broken crypto standards (inside Windows that is a real pain, IMHO).
Second, web applications running on different web servers behind NAT can be made reachable the same way, and TLS is then terminated at the proxy (SSL offloading), so the backend only speaks plain HTTP on the internal network.
Example (the ProxyPassReverse path has to match the ProxyPass path, otherwise redirects from the backend are not rewritten):
    ...
    # Plain HTTP to the backend: TLS ends at the proxy, so keep this hop on a trusted network.
    ProxyPass        /Webapp http://<your_other_webserver.fqdn>/Webapp
    ProxyPassReverse /Webapp http://<your_other_webserver.fqdn>/Webapp
    ...
A test with the Qualys SSL Labs tool then yields the following result.
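As an added check (example code, not from the original post), here is a small shell script that verifies offline the two things the configuration above is meant to deliver: that the vhost really restricts the TLS protocol (a bare "SSLProtocol +TLSv1.2" does not, and the constructed sample vhost reproduces that pitfall together with the unvalidated backend certificate and a duplicated header directive) and that proxied responses carry the hardening headers and no longer leak the IIS/Exchange ones. The vhost snippets, the header samples and the file paths are constructed for this example; audit_live is a thin wrapper around curl and openssl s_client for a deployed proxy and is the only part that needs network access.

```shell
#!/bin/sh
# Added example, not part of the original post. All sample data is constructed.

# Lint a vhost (read from stdin) for the TLS pitfalls discussed in the post.
# Prints one finding per line; returns 0 when nothing was found.
lint_ssl_config() {
    cfg=$(cat)
    rc=0
    # "SSLProtocol +TLSv1.2" only adds TLSv1.2 to the default ("all"), so
    # SSLv3/TLS 1.0/1.1 stay enabled; the directive needs "-all" first.
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]+\+' &&
       ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*SSLProtocol[[:space:]].*-all'; then
        echo "SSLProtocol: '+TLSv1.2' without '-all' leaves older protocols enabled"
        rc=1
    fi
    # Encrypted but unauthenticated hop to the backend.
    if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*SSLProxyVerify[[:space:]]+none'; then
        echo "SSLProxyVerify none: backend certificate is not validated"
        rc=1
    fi
    # A repeated "Header set" for the same header silently overrides the earlier value.
    dups=$(printf '%s\n' "$cfg" | awk '$1=="Header" && $2=="set" {print $3}' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "Header set repeated for: $(printf '%s' "$dups" | tr '\n' ' ')"
        rc=1
    fi
    return $rc
}

# Check response headers (read from stdin, e.g. from `curl -sI`) for the headers
# the proxy must add and the Exchange/IIS headers it must strip.
check_response_headers() {
    hdrs=$(cat)
    rc=0
    for h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" || { echo "missing: $h"; rc=1; }
    done
    for h in X-AspNet-Version X-OWA-Version X-Powered-By; do
        printf '%s\n' "$hdrs" | grep -qi "^$h:" && { echo "leaked: $h"; rc=1; }
    done
    return $rc
}

# Constructed vhost fragment with the pitfalls present (mirrors the original config).
sample_vhost_bad() {
    cat <<'EOF'
<VirtualHost *:443>
    SSLProtocol +TLSv1.2
    SSLProxyVerify none
    Header set X-Frame-Options SAMEORIGIN
    Header set X-Frame-Options DENY
</VirtualHost>
EOF
}

# Constructed vhost fragment with the pitfalls fixed (CA path is hypothetical).
sample_vhost_good() {
    cat <<'EOF'
<VirtualHost *:443>
    SSLProtocol -all +TLSv1.2
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/exchange-ca.pem
    Header set X-Frame-Options SAMEORIGIN
</VirtualHost>
EOF
}

# Constructed response headers: an unfiltered IIS/Exchange answer.
sample_headers_leaky() {
    printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-AspNet-Version: 4.0.30319\r\nX-Powered-By: ASP.NET\r\n\r\n'
}

# Constructed response headers: the same answer after the proxy has done its job.
sample_headers_clean() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n\r\n'
}

# Live audit of a deployed proxy (needs network; not exercised offline).
audit_live() {
    url="$1"
    curl -sSI "$url" | check_response_headers
    host=$(printf '%s' "$url" | sed -E 's#^https?://([^/:]+).*#\1#')
    # Once SSLProtocol is fixed, a TLS 1.0 handshake must be refused.
    if printf '' | openssl s_client -connect "$host:443" -tls1 >/dev/null 2>&1; then
        echo "TLS 1.0 handshake still accepted by $host"; return 1
    fi
}

demo() {
    echo "== constructed vhost with pitfalls =="
    sample_vhost_bad | lint_ssl_config || echo "-> not clean"
    echo "== corrected vhost =="
    sample_vhost_good | lint_ssl_config && echo "-> clean"
    echo "== unfiltered Exchange response =="
    sample_headers_leaky | check_response_headers || echo "-> not clean"
    echo "== proxied response =="
    sample_headers_clean | check_response_headers && echo "-> clean"
}
demo
```

Run it as-is to see the findings for the constructed samples, or pipe your own vhost file into lint_ssl_config and call audit_live https://<your FQDN>/owa against the real proxy; the Qualys scan covers the protocol and cipher side, this script covers the header side and the configuration mistake the scanner cannot see from outside (the unvalidated backend certificate).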