Wednesday, July 28, 2010

Moving to KVM and a tunnel digger

After years with Xen and VMware, I have finally started using KVM in production. It lacks a GUI, but it gives me a different approach to problem solving. I am embarrassed by how little I have written recently. This will change!

Here is one of my latest "hacks": tunnelling out (a.k.a. reverse proxying) Exchange OWA and ActiveSync from a protected DMZ to the Internet with ssh, pound and stunnel.


Picture an Exchange server locked away behind the corporate firewall. It serves webmail over HTTPS, as best practice says. How can a user reach it from the Internet if the company doesn't want to spend money on RSA tokens or a VPN solution? Many phones today also don't support VPN well enough.

This setup is very cheap. You need a public server with a public IP address. The public server listens on port 443, terminates the client's TLS, re-encrypts the Exchange traffic and sends it through an SSH tunnel (any encrypted tunnel will do) to the Exchange server. Only the public server is ever exposed; the Exchange server stays unreachable from outside.

Step 1: create the encrypted tunnel. Say the Exchange server is 10.10.10.10 and the public server is 1.1.1.1. We want 10.10.10.10:443 remote-forwarded so that it appears on 1.1.1.1 as localhost port 4443. Run this from a host inside the DMZ that can reach the Exchange server (the SSH connection goes outbound, so no inbound firewall hole is needed):
ssh username@1.1.1.1 -R 4443:10.10.10.10:443
By default sshd binds a remote-forwarded port to the loopback address only; leave GatewayPorts off in sshd_config so port 4443 is never reachable from outside. For a tunnel that has to stay up, add -o ServerAliveInterval=60 or run the command under autossh.
Step 2: stunnel. Pound (next step) speaks plain HTTP to its backend, so something has to wrap that plaintext in TLS again before it enters the tunnel. stunnel in client mode does exactly that: it accepts plaintext on localhost:4442 and opens a TLS connection to localhost:4443, i.e. to the Exchange server's HTTPS port at the far end of the SSH tunnel.
#example stunnel config
[client]
client = yes
# plaintext in from pound
accept = localhost:4442
# TLS out, into the SSH tunnel towards Exchange
connect = localhost:4443
Note that stunnel in client mode does not verify the server certificate unless you set verify (and CAfile). That is tolerable here only because this hop runs inside the SSH tunnel; the TLS the outside world sees is handled by pound.

Step 3: pound, the reverse proxy that faces the Internet and protects Exchange. Pound only accepts comments on their own line, so the explanations sit above each directive.
# example pound.cfg
User "nobody"
Group "nobody"
# backend liveness check interval, in seconds
Alive 60
# how long pound waits for the backend; ActiveSync holds a request open for close to an hour
Timeout 3601
ListenHTTPS
    # the public IP of this server (1.1.1.1 in the text above)
    Address 193.111.107.174
    Port 443
    # private key, server certificate and CA chain, all in this one file
    Cert "/etc/owa.pem"
    # client request timeout, in seconds
    Client 60
    # accept all HTTP verbs, including the WebDAV/RPC ones Exchange uses
    xHTTP 4
    # rewrite Location: headers that point at the backend
    RewriteLocation 2
    # rewrite WebDAV Destination: headers to point at the backend
    RewriteDestination 1
    # tell OWA the front end is HTTPS so it builds https:// links
    AddHeader "Front-End-Https: on"
    Service
        BackEnd
            # plaintext HTTP to stunnel, so this must stay on loopback
            Address localhost
            Port 4442
        End
    End
End

A couple of things to notice. The Timeout of 3601 seconds is for Microsoft ActiveSync: Direct Push keeps one HTTPS request open as a heartbeat for close to an hour, and pound's default backend timeout of 15 seconds would cut it. Create or buy a certificate and put it in /etc/owa.pem; pound needs the private key, the server certificate and every intermediate CA certificate concatenated in that same PEM file, otherwise clients see a broken chain.

Putting it together: when a user opens https://1.1.1.1/exchange, pound completes the TLS handshake and, if it succeeds, forwards the plain HTTP request to local port 4442. stunnel picks it up there, acts as a TLS client towards localhost:4443, and SSH carries that connection through the tunnel to the Exchange server on 10.10.10.10:443. The Exchange server itself is never exposed; only pound is.
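Before exposing port 443, it helps to sanity-check the pieces. The script below is an added example, not part of the original post: it checks a pound.cfg for the settings this chain relies on (loopback backend, Timeout above 3600, xHTTP 4, the Front-End-Https header, no plain ListenHTTP listener) and checks that the PEM bundle holds one private key plus a certificate chain. The sample configs and the placeholder PEM bodies it writes are constructed for the demo; the file names and thresholds are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Pre-flight checks for the ssh + stunnel + pound chain described above.
# Added example, not from the original post. Needs only POSIX sh, grep,
# awk and mktemp. Sample files written by make_samples are constructed.

# check_pound_cfg FILE: print one line per problem, return 1 if any.
check_pound_cfg() {
    cfg=$1
    problems=0
    # pound hands over *plaintext* HTTP at the BackEnd Address, so it must
    # be loopback (stunnel re-encrypts from there). Anything else leaks.
    be=$(awk '/^[[:space:]]*BackEnd/ {inbe=1}
              inbe && /^[[:space:]]*Address/ {print $2; exit}' "$cfg")
    case "$be" in
        localhost|127.0.0.1|::1) ;;
        *) echo "BackEnd Address '$be' is not loopback: plaintext would leave the box"
           problems=$((problems + 1)) ;;
    esac
    # Timeout is how long pound waits for the backend (default 15 s).
    # ActiveSync Direct Push holds a request open for up to 3600 s.
    to=$(awk '$1 == "Timeout" {print $2; exit}' "$cfg")
    case "$to" in
        ''|*[!0-9]*) echo "Timeout missing or not numeric (pound default is 15 s)"
                     problems=$((problems + 1)) ;;
        *) if [ "$to" -le 3600 ]; then
               echo "Timeout $to s is shorter than an ActiveSync heartbeat"
               problems=$((problems + 1))
           fi ;;
    esac
    # Exchange uses WebDAV/RPC verbs; only xHTTP 4 lets them through.
    if ! grep -q '^[[:space:]]*xHTTP[[:space:]]*4' "$cfg"; then
        echo "xHTTP 4 not set: non-standard verbs would be rejected"
        problems=$((problems + 1))
    fi
    # OWA builds its URLs from Front-End-Https; without it you get http:// links.
    if ! grep -qi 'AddHeader[[:space:]]*"Front-End-Https: *on"' "$cfg"; then
        echo "Front-End-Https header not added: OWA will emit http:// URLs"
        problems=$((problems + 1))
    fi
    # A plain ListenHTTP block would expose the same backend without TLS.
    if grep -q '^[[:space:]]*ListenHTTP[[:space:]]*$' "$cfg"; then
        echo "plain ListenHTTP block present: backend reachable without TLS"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# check_pem_bundle FILE: pound's Cert file must hold the private key, the
# server certificate and the CA chain; count the PEM blocks.
check_pem_bundle() {
    pem=$1
    keys=$(grep -c 'BEGIN .*PRIVATE KEY' "$pem" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    ok=0
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; ok=1; }
    [ "$certs" -ge 2 ] || { echo "expected server cert plus chain, found $certs cert(s)"; ok=1; }
    return $ok
}

# make_samples DIR: constructed samples, good.cfg follows the post's pound.cfg.
make_samples() {
    cat > "$1/good.cfg" <<'EOF'
User "nobody"
Group "nobody"
Alive 60
Timeout 3601
ListenHTTPS
    Address 193.111.107.174
    Port 443
    Cert "/etc/owa.pem"
    Client 60
    xHTTP 4
    RewriteLocation 2
    RewriteDestination 1
    AddHeader "Front-End-Https: on"
    Service
        BackEnd
            Address localhost
            Port 4442
        End
    End
End
EOF
    # bad.cfg: default Timeout, plain verbs only, backend is Exchange itself
    cat > "$1/bad.cfg" <<'EOF'
ListenHTTPS
    Address 193.111.107.174
    Port 443
    Cert "/etc/owa.pem"
    Service
        BackEnd
            Address 10.10.10.10
            Port 443
        End
    End
End
EOF
    # placeholder PEM bodies, not real key material
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$1/full.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' >> "$1/full.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nINTERMEDIATE-CA\n-----END CERTIFICATE-----\n' >> "$1/full.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$1/leaf-only.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n' >> "$1/leaf-only.pem"
}

# Stand-alone demo over the constructed samples.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    for f in good.cfg bad.cfg; do
        if check_pound_cfg "$d/$f"; then echo "$f: OK"; else echo "$f: fix before exposing"; fi
    done
    for f in full.pem leaf-only.pem; do
        if check_pem_bundle "$d/$f"; then echo "$f: OK"; else echo "$f: incomplete"; fi
    done
    rm -rf "$d"
}
demo
```

Run it against your real /etc/pound/pound.cfg and /etc/owa.pem by calling check_pound_cfg and check_pem_bundle directly; bad.cfg in the demo trips four of the five checks, which is roughly what a first attempt with pound's defaults looks like.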

The reason I created this solution comes down to a couple of things.
  1. Exchange 2010 is not (yet) supported by some firewalls with a reverse proxy function.
  2. iPhone iOS4 does not like going through some firewalls with reverse proxying.
  3. Some firewalls cut an HTTPS session after 300 seconds, which is a battery killer for Microsoft ActiveSync.
