cancel
Showing results for 
Search instead for 
Did you mean: 
fmeyer
Level 7

Web Gateway as reverse proxy for Outlook's RPC over HTTPS (Exchange-Proxy) and Outlook Web Access

Hi guys,

i used this document (https://community.mcafee.com/docs/DOC-5205) to set up a reverse proxy.

The setup was easy and in the first time it worked as expected.

But with 300 Outlook clients using the reverse proxy as Exchange Proxy (rpc over https) the problems began: Outlook said it was disconnected from the Exchange server and connected again - every 30 seconds.

In the charts i see some peaks of 2500 HTTPS requests per minute.

Do you have any idea, why the disconnects could appear? We have a squid proxy with the same funtion - this works without problems.

The other problem is, that when we do a SSL-Scan of this traffic - Outlook is completely unable to connect to the Exchange server. In the access log i see these errors:

[10/Oct/2013:13:36:48 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6002 HTTP/1.1" "Business" "Minimal Risk" "" 0 478 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:49 +0200] "" client-address 500 "RPC_OUT_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook.siv.de:6004 HTTP/1.1" "Business" "Minimal Risk" "" 2715 488 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:49 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook.siv.de:6004 HTTP/1.1" "Business" "Minimal Risk" "" 0 485 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:51 +0200] "" client-address 500 "RPC_OUT_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6004 HTTP/1.1" "Business" "Minimal Risk" "" 2715 481 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:51 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6004 HTTP/1.1" "Business" "Minimal Risk" "" 0 478 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:52 +0200] "" client-address 500 "RPC_OUT_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook.siv.de:6002 HTTP/1.1" "Business" "Minimal Risk" "" 2715 488 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:52 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook.siv.de:6002 HTTP/1.1" "Business" "Minimal Risk" "" 0 485 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:53 +0200] "" client-address 500 "RPC_OUT_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6002 HTTP/1.1" "Business" "Minimal Risk" "" 2715 481 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:53 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6002 HTTP/1.1" "Business" "Minimal Risk" "" 0 478 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:54 +0200] "" client-address 500 "RPC_OUT_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook.siv.de:6004 HTTP/1.1" "Business" "Minimal Risk" "" 2715 488 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:54 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook.siv.de:6004 HTTP/1.1" "Business" "Minimal Risk" "" 0 485 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:56 +0200] "" client-address 500 "RPC_OUT_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6004 HTTP/1.1" "Business" "Minimal Risk" "" 2715 481 "MSRPC" "" "0" ""

[10/Oct/2013:13:36:56 +0200] "" client-address 0 "RPC_IN_DATA https://EXCHANGE-SERVER-ADDRESS/rpc/rpcproxy.dll?outlook:6004 HTTP/1.1" "Business" "Minimal Risk" "" 0 478 "MSRPC" "" "0" ""

Any idea could be helpful.

Thank you!

0 Kudos
4 Replies
McAfee Employee

Re: Web Gateway as reverse proxy for Outlook's RPC over HTTPS (Exchange-Proxy) and Outlook Web Access

Hi,

I assume, that MWG would stop the connection at a certain point of time, whereas TMG for example might have kept the session open for longer. However, I know that other have already successfull used MWG as reverse proxy for OWA, wheras the might not have used it for RPC. Hope anybody else can help.

Otherwise, you might want to contact support.

Michael

0 Kudos
btlyric
Level 12

Re: Web Gateway as reverse proxy for Outlook's RPC over HTTPS (Exchange-Proxy) and Outlook Web Access

IIRC, the Outlook RPC over SSL is incompatible with SSL Decryption on the proxy.

0 Kudos
fmeyer
Level 7

Re: Web Gateway as reverse proxy for Outlook's RPC over HTTPS (Exchange-Proxy) and Outlook Web Access

Hi btlyric,

you remeber correctly. But I disabled the SSL Decryption and the problem still persists.

May be the number of open files is too high, when so many clients try to connect? Is there a supported way to increase it?

Otherwise I have to contact support.

0 Kudos
vivekb
Level 7

Re: Web Gateway as reverse proxy for Outlook's RPC over HTTPS (Exchange-Proxy) and Outlook Web Access

Hi guys,

As per above discussion, note that we have included a new rule set to exclude RPC scanning, but still facing same problem as described  by fmeyer.

Outlook Anywhere does not work as expected as it disconnects while attaching email attachement of size as from 3MB.

Grateful to advise any possible solution.

Thanking you.

Vivek

0 Kudos