Barracuda CloudGen Firewall

Example - Reverse Proxy for Exchange Services

https://campus.barracuda.com/doc/43847211/

The reverse proxy redirects incoming requests from Microsoft Exchange Server services to clients
without providing the origin details. This example configuration shows how to configure a reverse
proxy for the following Microsoft Exchange services:

Autodiscover
ActiveSync
Outlook Web Access
RPC

The example setup uses the following server and service settings:

Server/Service Settings
• FQDN: mailserver.company.com
Exchange Server
• Internal IP Address: 192.168.0.206
• FQDN: No DNS record is available.
HTTP Proxy Service
• External IP Address: 62.99.0.221
•
Internal DNS Server
Internal IP Address: 192.168.0.239

In this article:

System Requirements

Microsoft Exchange Server 2010 SP3

Before You Begin

Create a HTTP Proxy service on the Barracuda NG Firewall as described in How to Configure
Services. Enable the service, choose a descriptive Service Name (e.g., RPX) and enter a brief
description (e.g., HTTP Proxy + the location of the customer).
Ensure that the local firewall rule set allows inbound HTTP/S traffic on listening port 443. For the
inbound host firewall rule named OP-SRV-PX, edit the Service setting to include HTTP+S. For
more information on configuring host firewall rules, see Host Firewall.

Example - Reverse Proxy for Exchange Services 1/5

Barracuda CloudGen Firewall

For some changes to take effect, it might be necessary to stop and restart the squid
process on the Barracuda NG Firewall.
To prevent DNS issues with internal/external domain resolution, use IP addresses instead
of DNS names in the reverse proxy settings.

Step 1. Configure the Proxy Service

Configure the HTTP Proxy service in reverse proxy mode.

Step 1.1 Add the External IP Address of the HTTP Proxy

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual
server > Assigned Services > HTTP-Proxy > Service Properties.
2. Click Lock.
3. From the Service Availability list, select Explicit.
4. In the Explicit Service IPs table, add 62.99.0.221.
5. Click Send Changes and Activate.

Step 1.2. Configure the Proxy Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual
server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
2. From the Configuration Mode menu, select Switch to Advanced View.
3. Click Lock.
4. Enter the admin proxy email address in the Contact Mail field.
5. In the Visible Hostname field, enter the hostname, e.g.: rpx.company.com
6. Select Reverse Proxy as the Proxy Mode.
7. In the left menu, select IP Configuration.
8. In the Networking Settings section, specify the following details:
TCP Listening Port – Enter 80.
TCP Outgoing Address – Select Dynamic.
UDP Incoming Address – Select First-IP.
UDP Outgoing Address – Select First-IP.
DNS Server IP addresses – Add 192.168.0.239.
9. Click Send Changes and Activate.

Step 2. Configure Access Control Settings

Create ACL entries for all Exchange services that must access the Barracuda NG Firewall and for
the source IP address range. Then configure the settings for access priority.

Example - Reverse Proxy for Exchange Services 2/5

Barracuda CloudGen Firewall

Step 2.1. Configure ACL Entries

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual
server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
2. From the Configuration Mode menu, select Switch to Advanced View.
3. In the left menu, select Access Control.
4. Click Lock.
5. From the Default Access list, select Deny.
6. Create an ACL entry for the Exchange URLs:
1. In the ACL Entries section, click the plus sign (+).
2. Enter a name for the list (e.g., ExchangeURLs), select URL from the drop down menu
and click OK.
3. In the URL Extensions table, add the following entries. IP Addresses or FQDNs.
https://62.99.0.221/owa/*
https://62.99.0.221/rpc/*
https://62.99.0.221/Autodiscover/*
https://62.99.0.221/Microsoft-Server-ActiveSync/*
4. Click OK.
7. Create an ACL entry for the source IP range:
1. In the ACL Entries section, click the plus sign (+).
2. Enter a name for the list (e.g., World), select Source IP from the drop down menu and
click OK.
3. From the IP Configuration list, select Rangemode.
4. In the IP Ranges section, enter:
From: 0.0.0.0
To: 255.255.255.255
5. Click OK.

Step 2.2. Configure ACL Policies

1. Create an ACL policy to allow the ACL entries that you created.
1. In the Access Control Policies section, click the plus sign (+).
2. Enter a name for the policy (e.g., ACCE00) and click OK.
3. In the ACL Priority field, enter 10.
4. From the Action list, select Allow.
5. In the ACL Entries section, click the plus sign (+)and then select the following entries:
ExchangeURLs
World
6. Click OK.
2. Create an ACL policy with a lower priority that denies the World ACL entry that you created.
1. In the Access Control Policies section, click the plus sign (+).
2. Enter a name for the policy, (e.g., ACCE01) and click OK.
3. In the ACL Priority field, enter 99.
4. From the Action list, select Deny.
5. In the ACL Entries section, click the plus sign (+) and then select World.
6. Click OK.

Example - Reverse Proxy for Exchange Services 3/5

Barracuda CloudGen Firewall

3. Click Send Changes and Activate.

Step 3. Configure the Reverse Proxy Settings

Enable SSL encryption, specify the back-end web site, and map the addresses of the Exchange
services.

Step 3.1. Configure the Reverse Proxy Settings

1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual
server > Assigned Services > HTTP-Proxy > HTTP Proxy Settings.
2. In the left menu, select Reverse Proxy Settings.
3. From the Configuration Mode menu, select Switch to Advanced View.
4. Click Lock.
5. In the Backend Web Site field, enter 62.99.0.221 or the FQDN.
6. From the Use SSL list, select Yes.
7. In the SSL Listening Port field, enter 443.
8. Import the SSL Certificate and the SSL Private Key.
The certificate must contain the Name (*.company.com) and SubAltName
(DNS:owa.company.com).
9. In the Backend IP Addresses section, click the plus sign (+) and then enter 192.168.0.206.
10. From the Round Robin and Domain-based Virtual Host lists, select no.

Step 3.2. Configure Domain to Backend Mapping

Map the domains of the Exchange services to the backend web site.

Complete the following steps for each Exchange service:

1. In the Domain to Backend Mapping section, click the plus sign (+).
2. Enter the name of the Exchange service that you are mapping (e.g., Autodiscover ) and
click OK.
3. From the Mapping Type list, select Url-Regex.
4. In the Url-Regex field, enter the domain of the Exchange service that you are mapping:
Exchange Service Domain
Autodiscover https://62.99.0.221/Autodiscover
ActiveSync https://62.99.0.221/Microsoft-Server-ActiveSync
Outlook Web Access https://62.99.0.221/owa
RPC https://62.99.0.221/rpc
5. From the Backend list, select 192.168.0.206 and click OK.
6. Click Send Changes and Activate.

Example - Reverse Proxy for Exchange Services 4/5

Barracuda CloudGen Firewall

© Barracuda Networks Inc., 2023 The information contained within this document is confidential and proprietary to Barracuda Networks Inc. No
portion of this document may be copied, distributed, publicized or used for other than internal documentary purposes without the written consent of
an official representative of Barracuda Networks Inc. All specifications are subject to change without notice. Barracuda Networks Inc. assumes no
responsibility for any inaccuracies in this document. Barracuda Networks Inc. reserves the right to change, modify, transfer, or otherwise revise this
publication without notice.

Example - Reverse Proxy for Exchange Services 5/5