Configuring Ubuntu Server as a Firewall and Reverse Proxy for OWA 2007 Configuration Guide



Similar documents
Create a virtual machine at your assigned virtual server. Use the following specs

Best Practices in Hardening Apache Services under Linux

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Enterprise SSL Support

Installing Dspace 1.8 on Ubuntu 12.04

ViMP 3.0. SSL Configuration in Apache 2.2. Author: ViMP GmbH

SecuritySpy Setting Up SecuritySpy Over SSL

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Building a Penetration Testing Virtual Computer Laboratory

User s guide. APACHE SSL Linux. Using non-qualified certificates with APACHE SSL Linux. version 1.3 UNIZETO TECHNOLOGIES S.A.

How to Create, Setup, and Configure an Ubuntu Router with a Transparent Proxy.

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

INUVIKA TECHNICAL GUIDE

SI455 Advanced Computer Networking. Lab2: Adding DNS and Servers (v1.0) Due 6 Feb by start of class

Security Workshop. Apache + SSL exercises in Ubuntu. 1 Install apache2 and enable SSL 2. 2 Generate a Local Certificate 2

How to: Install an SSL certificate

Exercises: FreeBSD: Apache and SSL: SANOG VI IP Services Workshop

Implementing a Weblogic Architecture with High Availability

CDH installation & Application Test Report

Setting Up CAS with Ofbiz 5

Virtual Appliance for VMware Server. Getting Started Guide. Revision Warning and Disclaimer

ISERink Installation Guide

HOWTO. Configure Nginx for SSL with DoD CAC Authentication on CentOS 6.3. Joshua Penton Geocent, LLC

VMware Identity Manager Connector Installation and Configuration

Installing an SSL certificate on the InfoVaultz Cloud Appliance

Linux Terminal Server Project

HOWTO: Set up a Vyatta device with ThreatSTOP in bridge mode

Creating a DUO MFA Service in AWS

Dell Proximity Printing Solution. Installation Guide

PROXY SETUP WITH IIS USING URL REWRITE, APPLICATION REQUEST ROUTING AND WEB FARM FRAMEWORK OR APACHE HTTP SERVER FOR EMC DOCUMENTUM EROOM

Integrating Apache Web Server with Tomcat Application Server

Apache HTTP Server. Implementation Guide. (Version 5.7) Copyright 2013 Deepnet Security Limited

HP SDN VM and Ubuntu Setup

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

Installing Virtual Coordinator (VC) in Linux Systems that use RPM (Red Hat, Fedora, CentOS) Document # 15807A1-103 Date: Aug 06, 2012

HOWTO: Set up a Vyatta device with ThreatSTOP in router mode

Ciphermail Gateway Separate Front-end and Back-end Configuration Guide

User Guide. Cloud Gateway Software Device

SETTING UP A LAMP SERVER REMOTELY

Basic Firewall Lab. Lab Objectives. Configuration

Apache Server Implementation Guide

Deploying F5 to Replace Microsoft TMG or ISA Server

Install and configure a Debian based UniFi controller

Rally Installation Guide

Virtual Managment Appliance Setup Guide

F-Secure Internet Gatekeeper Virtual Appliance

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

Load Balancing. Outlook Web Access. Web Mail Using Equalizer

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

Creating Certificate Authorities and self-signed SSL certificates

Syncplicity On-Premise Storage Connector

Setting Up SSL on IIS6 for MEGA Advisor

Virtual Web Appliance Setup Guide

White Paper. Fabasoft on Linux - Preparation Guide for Community ENTerprise Operating System. Fabasoft Folio 2015 Update Rollup 2

Information Security Training. Assignment 1 Networking

Procedure to Create and Duplicate Master LiveUSB Stick

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

NEFSIS DEDICATED SERVER

Virtual Appliance Setup Guide

Apache Security with SSL Using Ubuntu

SSL Installing your new Certificate

A Guide to New Features in Propalms OneGate 4.0

Cloud.com CloudStack Community Edition 2.1 Beta Installation Guide

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

EventTracker Windows syslog User Guide

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

Introduction to Mobile Access Gateway Installation

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server

Scenarios for Setting Up SSL Certificates for View

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

Appendix B Lab Setup Guide

CO Web Server Administration and Security. By: Szymon Machajewski

Deploying Windows Streaming Media Servers NLB Cluster and metasan

PHD Virtual Backup for Hyper-V

How to setup HTTP & HTTPS Load balancer for Mediator

Operating System Installation Guidelines

Install an SSL Certificate onto SilverStream. Sender Recipient Attached FIles Pages Date. Development Internal/External None 5 6/16/08

insync Installation Guide

Installing and Configuring vcloud Connector

Online Backup Client User Manual

LifeSize Control TM Deployment Guide

Obtaining SSL Certificates for VMware View Servers

OnCommand Performance Manager 1.1

ichair Manual Matthieu Finiasz and Thomas Baignères written around Christmas Introduction - What is ichair? 2

Configuring Security Features of Session Recording

ODP REGIONAL NODE DEPLOYMENT QUICK GUIDE FOR TRAININGS

CYAN SECURE WEB APPLIANCE. User interface manual

Installing and Configuring vcenter Multi-Hypervisor Manager

CycleServer Grid Engine Support Install Guide. version 1.25

BlackBerry Enterprise Service 10. Version: Configuration Guide

Sun Java System Web Server 6.1 Using Self-Signed OpenSSL Certificate. Brent Wagner, Seeds of Genius October 2007

INUVIKA OVD VIRTUAL DESKTOP ENTERPRISE

Active Directory Management. Agent Deployment Guide

Setup a Virtual Host/Website

Thinspace deskcloud. Quick Start Guide

How To Install An Org Vm Server On A Virtual Box On An Ubuntu (Orchestra) On A Windows Box On A Microsoft Zephyrus (Orroster) 2.5 (Orner)

A technical whitepaper describing steps to setup a Private Cloud using the Eucalyptus Private Cloud Software and Xen hypervisor.

Acano solution. Virtualized Deployment R1.1 Installation Guide. Acano. February B

Kerio Operator. Getting Started Guide

Transcription:

Configuring Ubuntu Server as a Firewall and Reverse Proxy for OWA 2007 Configuration Guide Author: Andy Grogan Version 1.0 Location: http://www.telnetport25.com

Contents Introduction... 3 Key Objectives:... 4 Beyond Scope:... 4 Requirements:... 4 Software:... 4 Pre-requisites:... 5 Remove the Default SSL certificate from the Exchange Client Access Server:... 5 Set the Internal URL for the /OWA directory on your Client Access Server:... 5 Configuring the Ubuntu Server Installation and Configuring Apache 2.10.11... 7 Download Ubuntu Server 8.10 ISO:... 7 Configure you VMWARE guest machine Recommended Configuration:... 7 Connect to the Server using the VMWARE Console and perform the following actions:... 7 Install open-ssh server - to allow Putty Access (optional):... 7 Download putty this will allow command line access to the Linux Box from your Windows machine:... 7 Install a GCC Compatible C compiler on your Linux Box:... 8 Update the Installation - Configure IP Settings & Download Required Applications:... 8 Update the Ubuntu installation with the latest updates... 8 Configure a static IP address for the server... 8 Configure DNS Settings... 9 Download the required Applications for Reverse Proxying OWA... 10 Creating the Apache Security Accounts and Groups:... 10 Creating the Apache and OpenSSL Instance:... 10 View installed modules (optional):... 11 Configuring OPENSSL and the Apache httpd.conf file for OWA Proxying:... 11 Lock down the Apache Directories:... 13 Configure Apache to start automatically:... 13 Enable and Configure the UFW (Uncomplicated Firewall) in Ubuntu:... 14 2

Introduction The purpose of this guide is to demonstrate how you can use standard Ubuntu Server installation as a pseudo replacements for a Firewall or ISA server within your Exchange 2007 environment. One of the reasons as to why you might consider this configuration is cost obviously if you are a smaller enterprise you might have enough money for an installation of Exchange but not enough to buy suitable grade Firewall or indeed Microsoft ISA server. An example configuration where you don t have a hardware based Firewall solution or access to ISA server could look like the following: The above configuration is one example and perhaps the best demonstration of how you can use the information in this guide to save money, but it is not be a recommended one as you are sacrificing a significant layer of security the next example depicts a much better solution which costs slightly more (as there is a Hardware Firewall placed between the Ubuntu installation and the Internet) but achieves a more robust installation this guide will focus around this example. 3

Ubuntu server (8.10) has been chosen for this guide as it represents one of the most secure Linux variants it has an excellent support matrix, with regular security updates whilst also boasting a huge support community (forums, software and the like) which really know the product. If you are (like me) not used to Linux or for that matter Ubuntu via the available support it is really easy to run your installation. Key Objectives: To provide you with an installation which will make your Exchange enabled web services available to outside your company at minimal cost, without sacrificing to much in the way of security. We accomplish this by: Using Ubuntu Server (Free Linux Based Distro) which is secure by design Not installing any form of GUI Not enabling any of the normal accounts within Ubuntu (for example root) and not installing services which are not required Configuring the firewall within Ubuntu in a locked down state Configuring the service accounts for Apache as non privileged I also wish to provide an example configuration which can be expanded upon after completion it is in no way shape or form feature complete it is designed to get a basic system working. Beyond Scope: All of the below has been worked though in a test lab and works as described before being published. I must stress that I am not a Linux expert and indeed perhaps there are other tweaks and which could be added into the method which would arrive at a more rounded solution. As mentioned above this is designed to give people ideas. This is also designed as a small scale solution in the case of large enterprises I would still go with ISA Server. Requirements: Software: VMWARE Server this paper is based around creating an Ubuntu instance in VMWARE Ubuntu Server Download specified later on in the document Apache 2.2.11 OpenSSL 0.098j Exchange Server 2007 installation 4

Pre-requisites: In order to make proceed there are a few prerequisites that you should have in place before you begin: IP Address for your Ubuntu Server which is located on your private LAN A DNS Entry (FQDN) for your Ubuntu server this will become the new address for OWA within your environment An Installation of Ubuntu Server in VMWARE which conforms to the specifications given in this document. Remove the Default SSL certificate from the Exchange Client Access Server: This might seem like an odd step but, remember we will be proxying via the Ubuntu box therefore the SSL needs to be located there. Maintaining an SSL certificate on the CAS causes issues between the Apache instance and the IIS instance. In order to remove the SSL instance on the CAS open the Internet Services Manager Expand the Default Web Site and locate the OWA directory. Right click on it, and from the context menu that appears choose Properties. From the dialog that appears choose the Directory Security tab from the Secure Communications area click on the Edit button from the dialog box that appears un-tick the Require Secure Channel (SSL) check box and then click OK You should repeat this for the Microsoft-Server-ActiveSync directory within IIS. Set the Internal URL for the /OWA directory on your Client Access Server: On your Client Access Server open the Exchange Management Shell [ START->Programs->Microsoft Exchange Server 2007->Exchange Management Shell ] and type in the following command: Set-owaVirtualDirectory id <Name of CAS>\OWA (Default Web Site) internalurl http://<client Access Server FQDN> Create a DNS entry for the Ubuntu Reverse Proxy: In a typical configuration many companies will configure a DNS entry (FQDN) for their Client Access server which serves as the OWA / Active Sync / HTTP URL for example http://owa.mycompany.com/owa In this configuration you will need to ensure that the FQDN points to the IP address of the Ubuntu server for example: Ubuntu Reverse Proxy: 10.x.x.1 OWA (or Web Services URL) = Equals owa.mycompany.com pointing to the IP address 10.x.x.1 5

The Client Access Server(s) will have an automatic FQDN when the server joined the domain this will be used within the HTTPD.conf file for Apache this will become clearer later just bear in mind that the main OWA URL should point at the Ubuntu box. 6

Configuring the Ubuntu Server Installation and Configuring Apache 2.10.11 Remember that Ubuntu is a Linux Distro therefore the commands that are specified are CASE SENSTIVE and should be typed as provided each command that is presented is a single command and should be followed by the <Enter> key (unless otherwise stipulated). Download Ubuntu Server 8.10 ISO: Download URL: http://ubuntu.positive-internet.com/releases/intrepid/ubuntu-8.10- server-i386.iso Ubuntu Edition: Ubuntu 8.10 server Computer Platform: i386 Download Location: http://ubuntu.positive-internet.com/releases/ Configure you VMWARE guest machine Recommended Configuration: The actual configuration and installation of Ubuntu within VMWARE is beyond the scope of this document, however the following is a recommended VM configuration that can be used. System Disk = 5 GB RAM = 1024 CPU = 1 Networking = suit you needs you need at least one interface bridged to the host Connect to the Server using the VMWARE Console and perform the following actions: Install open-ssh server - to allow Putty Access (optional): sudo apt-get install openssh-server Download putty this will allow command line access to the Linux Box from your Windows machine: http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe 7

When you have downloaded Putty to your local machine open it up and configure an SSH connection to the IP Address of the Ubuntu VMWARE server that you have installed Putty is a very simple to use application and should be self explanatory. Install a GCC Compatible C compiler on your Linux Box: Open Putty Session to your Linux Box logon and type the following command: sudo apt-get install build-essential Update the Installation - Configure IP Settings & Download Required Applications: Either using Putty or the VMWARE console, Logon to your server in this section we will complete the following: a. Update the Ubuntu installation with the latest updates b. Configure a static IP address for the server c. Configure DNS Settings d. Download the required Applications for Reverse Proxying OWA Update the Ubuntu installation with the latest updates At the comment line type in the following commands: sudo apt-get update sudo apt-get upgrade Configure a static IP address for the server From either your Putty session or your VMWARE console perform the following: sudo nano /etc/network/interfaces Provide your escalation password (this will be the password your created during the installation of Ubuntu) the NANO text editor will open change the following: # The primary network interface auto eth0 iface eth0 inet dhcp To the following within the file: auto eth0 8

iface eth0 inet static address <your desired IP> netmask <Correct Netmask> network <Network> broadcast <The Broadcast address for your network> gateway <default gateway> Therefore an example configuration file would be: #The primary network interface auto eth0 iface eth0 inet static address 172.31.253.134 netmask 255.255.255.192 network 172.31.253.0 broadcast 172.31.253.255 gateway 172.31.253.129 When you are happy with your changes save the file (by holding down the CTRL + X you will be prompted to save your changes choose yes and then hit the Enter key.) You will be returned to the console type the following command: sudo /etc/init.d/networking restart Configure DNS Settings From your Terminal window type in the following command: sudo nano /etc/resolv.conf You will be presented with a file which contains the domain information that was obtained from DHCP this might be correct if your DHCP server is part of the Active Directory Infrastructure that supports your Exchange Servers however if it is not you will need to change the entries for Domain, Search and nameserver The important part is ensuring that the nameserver is the DNS server which contains the address of your Client Access Server. If you edit the file ensure that you save it using the method explained above. 9

Download the required Applications for Reverse Proxying OWA The key components needed to reverse proxy OWA are Apache Server and Open SSL the versions that this article is based around are 2.2.11 for Apache and 0.9.8j for OpenSSL. Via your putty session change to your users home directory by using the following commands: cd /home/<yourusername>/ - for example cd /home/andy mkdir Documents cd Documents To download Apache type in the following command: wget http://mirror.fubra.com/ftp.apache.org/httpd/httpd- 2.2.11.tar.gz This will download Apache archive to your Documents directory. When Apache has downloaded type in the following: wget http://www.openssl.org/source/openssl-0.9.8j.tar.gz This will download OpenSSL to your documents directory. Creating the Apache Security Accounts and Groups: From within the your Putty Session (or VMWARE Console Session) enter in the following commands: sudo groupadd apchewww sudo useradd -g apchewww SYSapache2 Creating the Apache and OpenSSL Instance: From your Putty Session (or VMWARE console session) enter in the following commands: To Install OpenSSL (Required to be present prior to installing Apache otherwise the SSL mod in Apache will not install from the make file): cd /home/ your user name /Documents/ tar -zxvf openssl-0.9.7e.tar.gz cd openssl-0.9.7e sudo./config --prefix=/usr/local sudo make 10

sudo make install To install Apache: cd /home/ your user name /Documents/ tar -xzf httpd-2.2.11.tar.gz cd /home/ your user name /Documents/httpd-2.2.11 sudo./configure --prefix=/usr/local/apache2 --enable-so - enable-proxy -enable-headers -enable-ssl --with-included-apr sudo make sudo make install View installed modules (optional): After you have completed the steps in the previous section it is a good idea to check that the correct modules have been installed in order to do this enter the following command in your Putty Window: /usr/local/apache2/bin/apachectl l You should be presented with the following list (highlighted cells are the selected compiled in modules): core.c mod_auth_bas ic.c mod_proxy.c prefork.c mod_negotiat ion.c mod_authn_file.c mod_include. mod_proxy_conne http_core.c mod_dir.c c ct.c mod_authn_defaul mod_filter.c mod_proxy_ftp.c mod_mime.c mod_actions. t.c c mod_authz_host.c mod_log_conf mod_proxy_http. mod_status. mod_userdir. ig.c c c c mod_authz_groupf mod_env.c mod_proxy_ajp.c mod_autoind mod_alias.c ile.c ex.c mod_authz_user.c mod_headers. mod_proxy_balan mod_asis.c mod_so.c c cer.c mod_authz_defaul mod_setenvif mod_ssl.c mod_cgi.c t.c.c Configuring OPENSSL and the Apache httpd.conf file for OWA Proxying: The SSL portion of this article is based upon: http://www.tc.umn.edu/~brams006/selfsign.html Using your Putty Editor enter in the following commands: sudo mkdir /usr/local/apache2/ssl cd /usr/local/apache2/ssl 11

During the execution of the following commands you will be prompted for the usual details that you could expect when generating an SSL CSR remember that one of the key inputs for your is the Friendly Name this MUST match the DNS name for the Linux Host - not the DNS name for the Exchange CAS server. You will also be asked to create a private key for the certificate you should make a note of this key and store it in a safe place. sudo openssl genrsa -des3 -out server.key 1024 sudo openssl req -new -key server.key -out server.csr sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt (this is all one command) sudo openssl rsa -in server.key -out server.key.insecure sudo mv server.key server.key.secure sudo mv server.key.insecure server.key You have now created an SSL certificate to work with your Apache installation we now need to configure the Apache instance on your server: From within your Putty session run the following command: sudo nano /usr/local/apache2/conf/httpd.conf The NANO Text Editor will open with the default Apache2 configuration file clear the contents of this file (this can be accomplished by pressing CTRL + K which will clear line by line) and replace it with the following (you can past into the NANO window): NOTE: Configuration Parameters contained within the <> need to be customised to your own personal configuration you DO NOT need to provide the <> ServerRoot "/usr/local/apache2" ServerAdmin <your contact e-mail address> ServerName <The full DNS FQDN of the Linux Server> DocumentRoot "/usr/local/apache2/htdocs" ServerSignature Off ServerTokens Prod Listen 443 User SYSapache2 Group apchewww RequestHeader set Front-End-Https "On" SSLEngine On SSLCertificateFile /usr/local/apache2/ssl/server.crt SSLCertificateKeyFile /usr/local/apache2/ssl/server.key 12

ProxyRequests off ProxyPass /owa http://<the FQDN to your CAS Server>/owa ProxyPassReverse /owa http:// <the FQDN to your CAS Server>/owa ProxyPass / Microsoft-Server-ActiveSync http://<the FQDN to your CAS Server>/ Microsoft-Server-ActiveSync ProxyPassReverse / Microsoft-Server-ActiveSync http:// <the FQDN to your CAS Server>/ Microsoft-Server-ActiveSync Redirect permanent / https:// <the FQDN to your Linux Server>/owa Options None <Directory /> Order Deny,Allow Deny from all Options None AllowOverride None </Directory> DirectoryIndex index.html When you have finished configuring the file save it (using CTRL+X). Lock down the Apache Directories: From your Putty Session - type in the following commands: sudo chown -R SYSapache2:apchewww /usr/local/apache2/htdocs sudo chmod -R 750 /usr/local/apache2/htdocs/ Configure Apache to start automatically: As we have compiled the Apache source rather than using a precompiled version, by default Apache will not be configured to start when the O/S boots in order to ensure that the HTTP service starts complete the following: sudo apt-get install sysv-rc-conf sudo cp /usr/local/apache2/bin/apachectl /etc/init.d sudo chmod 755 /etc/init.d/apachectl sudo sysv-rc-conf 13

You will then be presented with a screen which allows you to configure the services boot order (similar to the Services MMC in Windows configure the apachectl service to look like the following (to check the run levels use the directional keys and press the space bar to check them: Enable and Configure the UFW (Uncomplicated Firewall) in Ubuntu: From within either your Putty Session or the VMWARE console type in the following commands: sudo ufw enable sudo ufw logging on sudo ufw default deny sudo ufw allow 443 sudo ufw allow from <first address> port 22 to <end address> port 22 The above commands will enable the Firewall, turn on logging, configure the default access policy to deny (or drop packets), allow 443 traffic and configure access for ssh from a specific address range. In order to complete our Firewall configuration we have one final Hardening task and that is to disable ICMP (or ping) replies to the server in order to do this type the following into your command Window: sudo nano /etc/ufw/before.rules The nano will open the before.rules file find the following line and comment it out using a hash (#): -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT When you have done this save the file you will be returned to your Terminal Window to commit the changes that you have made to the UFW type in the following commands: sudo ufw disable sudo ufw enable 14

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information