Apache ReverseProxy for OWA

Here’s how I was able to get ReverseProxy working on Apache to protect an Exchange 2007 OWA instance. You’ll note that in certain areas I have the same thing multiple times with slight changes in capitalization. Microsoft does not understand case sensitivity nor POSIX compliance. All of the following goes inside a VirtualHost, of course. Please note, this was figured out on my own without official documentation (since I couldn’t find any) and would love to hear if you found something else. We also are not running rpc over https, so I’m not sure if the rpc directories are correct.

<IfModule mod_proxy.c>
SSLProxyEngine on
RequestHeader set Front-End-Https “On”

# Proxy all of the sub-directories, otherwise go to /owa/
# You’ll notice that some of these subdirectories are spelled
# multiple ways – MS can’t give us a definitive answer…

# Fix trailing slash problem
RedirectMatch permanent /$ https://external.mail.server/owa/
RedirectMatch permanent /owa$ https://external.mail.server/owa/

# Needed for Blackberry Phones
<Location /EWS>
ProxyPass https://internal.mail.server/EWS
ProxyPassReverse https://internal.mail.server/EWS

# Enables legacy pre 2007 Exchange connections
<Location /exchange>
ProxyPass https://internal.mail.server/exchange
ProxyPassReverse https://internal.mail.server/exchange

<Location /Exchange>
ProxyPass https://internal.mail.server/Exchange
ProxyPassReverse https://internal.mail.server/Exchange

# Enables legacy pre 2007 Exchange connections
<Location /exchweb>
ProxyPass https://internal.mail.server/exchweb
ProxyPassReverse https://internal.mail.server/exchweb

<Location /Exchweb>
ProxyPass https://internal.mail.server/Exchweb
ProxyPassReverse https://internal.mail.server/Exchweb

# Enables Windows Mobile ActiveSync
<Location /Microsoft-Server-ActiveSync>
ProxyPass https://internal.mail.server/Microsoft-Server-ActiveSync
ProxyPassReverse https://internal.mail.server/Microsoft-Server-ActiveSync

# Something about AutoDiscover is important
<Location /Autodiscover>
ProxyPass https://internal.mail.server/Autodiscover
ProxyPassReverse https://internal.mail.server/Autodiscover

<Location /AutoDiscover>
ProxyPass https://internal.mail.server/AutoDiscover
ProxyPassReverse https://internal.mail.server/AutoDiscover

<Location /autodiscover>
ProxyPass https://internal.mail.server/autodiscover
ProxyPassReverse https://internal.mail.server/autodiscover

<Location /autoDiscover>
ProxyPass https://internal.mail.server/autoDiscover
ProxyPassReverse https://internal.mail.server/autoDiscover

# Not sure if we need the rest of these
<Location /OAB>
ProxyPass https://internal.mail.server/OAB
ProxyPassReverse https://internal.mail.server/OAB

<Location /public>
ProxyPass https://internal.mail.server/public
ProxyPassReverse https://internal.mail.server/public

<Location /Public>
ProxyPass https://internal.mail.server/Public
ProxyPassReverse https://internal.mail.server/Public

<Location /rpc>
ProxyPass https://internal.mail.server/rpc
ProxyPassReverse https://internal.mail.server/rpc

<Location /RPC>
ProxyPass https://internal.mail.server/RPC
ProxyPassReverse https://internal.mail.server/RPC

<Location /Rpc>
ProxyPass https://internal.mail.server/Rpc
ProxyPassReverse https://internal.mail.server/Rpc

<Location /rpcwithcert>
ProxyPass https://internal.mail.server/rpcwithcert
ProxyPassReverse https://internal.mail.server/rpcwithcert

<Location /RpcWithCert>
ProxyPass https://internal.mail.server/RpcWithCert
ProxyPassReverse https://internal.mail.server/RpcWithCert

<Location /UnifiedMessaging>
ProxyPass https://internal.mail.server/UnifiedMessaging
ProxyPassReverse https://internal.mail.server/UnifiedMessaging

<Location /unifiedmessaging>
ProxyPass https://internal.mail.server/unifiedmessaging
ProxyPassReverse https://internal.mail.server/unifiedmessaging

<Location /unifiedMessaging>
ProxyPass https://internal.mail.server/unifiedMessaging
ProxyPassReverse https://internal.mail.server/unifiedMessaging

# Really doubt we need this – should probably remove
<Location /aspnet_client>
ProxyPass https://internal.mail.server/aspnet_client
ProxyPassReverse https://internal.mail.server/aspnet_client

# Actual Proxy for OWA (web browser based mail)
ProxyPass /owa/ https://internal.mail.server/owa/
ProxyPassReverse /owa/ https://internal.mail.server/owa/

Sorry the formatting is a little messed up :(


  1. Indeed, many thanks for sharing.. this works great!

    Haven’t done extensive testing yet but for what its worth I deleted all of the rules at the end under the #Not sure comment (except for the actual /owa proxy of course) and everything appears to be working fine =)

  2. Looking back at this post with a little more experience under my belt, I’m going to add some comments.

    * The exchange directory appears to be in all lower-case, as does autodiscover
    * I can confirm that the bottom directories really are not needed (unless you are using RPC over HTTPS)
    * The only directories I can see that you really need are:
    (case sensitive)

  3. EWS isn’t working for me. Internally, I have no problems accessing ews, but through apache reverse proxy, I get 401 errors.

    Thanks for the rest though.

  4. Since a 401 error just means that you are unauthorized, I would guess that there is just something not quite right with your testing. Are you using a BIS account and pointing it to your URL and you see in your log the 401 or are you just hitting it with a web browser?

    If you are testing it through BIS, do you have your account information, including AD domain setup correctly? I don’t have a BlackBerry, so I couldn’t tell you the right way to set it up, but I know some people didn’t get it right the first time. How were you able to test it successfully internally?

  5. If anybody is still monitoring this thread, can you confirm whether or not this configuration works with Crackberries trying to access Exchange through OWA? I’m currently using Squid as my reverse proxy to OWA and it works just fine with Droids, Windows Mobile phones and regular web browsers. Blackberry claims that it’s an “unsupported” configuration though and refuses to help us get their phones working with it.

  6. I’m sorry I can’t really be of any help on this one. We migrated to a Blackberry Enterprise Server (BES) several years ago and shutdown access to BIS through OWA. I can tell you though that Windows Mobile, iPhones, etc. use OWA and Blackberries do not. They use the EWS subfolder, so verify that you have that one setup as well. The Blackberry user would then log in to their BIS account set up their Exchange email address pointing it to the OWA URL (not sure if you are supposed to have the /OWA at the end or not). Then the Blackberry servers hit your servers to send/receive email. HTH, good luck!

  7. Kevin- do you remember what version of Apache you used this config with? I’m getting ready to set up a new reverse proxy for my Exchange 2007. I want to make sure the apache build I use is compatible with your tested config. thanks again for posting this, it’s a huge help.

  8. @Timothy Oefelein-
    Not sure if you are still struggling with your BlackBerry setup, but this is good to know for anyone reading this. You can get BlackBerry Enterprise Server Express for free now. It’s a much better setup, it gives you a lot more control over the devices than using BIS. There are some limitations in the free version but it’s well worth the time to set it up.

  9. Kevin- one other question. Do you remember why /owa is not configured as a <Location /owa>? Does it make any difference if you set it up as a location, or leave it on it’s own as you have here?

  10. Sorry, Mike, I should have thought about this when you asked your last question, but I did move all of this to Apache 2.2 over a year ago and /owa is in a Location tag now. We do SSL offloading on the load balancers and have moved all the Blackberry devices to a BES server, so here is the full webmail (OWA) config:

    <VirtualHost *:80>
    ServerName webmail.domain.com

    DocumentRoot /data/sites/webmail
    ErrorLog logs/webmail_error_log
    CustomLog logs/webmail_access_log combined

    SSLProxyEngine on
    RequestHeader set Front-End-Https "On"

    RedirectMatch permanent /$ https://webmail.domain.com/owa/
    RedirectMatch permanent /owa$ https://webmail.domain.com/owa/

    # Need to allow activesync pings for push technology
    # Set to 15 minutes
    ProxyTimeout 900

    # Needed for smartphones
    <Location /Microsoft-Server-ActiveSync>
    ProxyPass https://internalserveraddress/Microsoft-Server-ActiveSync
    ProxyPassReverse https://internalserveraddress/Microsoft-Server-ActiveSync

    # Actual Proxy for OWA (web browser based mail)
    <Location /owa>
    ProxyPass https://internalserveraddress/owa
    ProxyPassReverse https://internalserveraddress/owa

  11. Awesome. thanks a bunch for this post and your help. I have been struggling with our reverse proxy for a while now, but am close to finishing it up now. This helped a lot!

  12. This config has been working great for us, for years. Only recently have we had a need for the EWS functionality – and found that didn’t work by default.

    A lot of head-scratching and staring at tcpdump output, I found that if your IIS server is set to use NTLM auth for the EWS site, it will not work through the reverse proxy. The NTML protocol is such that the IIS server will reject the client’s response because its inbound connection (i.e. from your Apache server) doesn’t match up with the client’s information in the NTLM message.

    The easy solution is to use Basic auth instead in IIS. Keep the proxy https end to end and you won’t expose plaintext passwords. Done.

Leave a comment

Your email address will not be published. Required fields are marked *