    Solved SharePoint reverse proxy replacement for MS ForeFront UAG

    IT Discussion
    forefront uag reverse proxy sharepoint
      thwr, last edited by thwr

      I want to replace a ForeFront UAG for a bunch of reasons.

      Requirements / Environment:

      • Authenticating reverse proxy in DMZ
      • Must be able to authenticate against AD/LDAP or RADIUS
      • Need some basic login form (want to avoid auth popups, need to provide instructions on the login page)
      • NTLM would be a big plus
      • Kerberos isn't possible, because non-domain machines need access
      • FOSS preferred

      I've looked into Apache with mod_auth_form, which works ok, but I can't seem to pass credentials to the next hop using mod_proxy.

      nginx is unable to, unless you get the Plus-subscription. Squid can just do pass-through, AFAIK.

      I know Big-IP directly supports SharePoint "publishing", but I want to avoid spending money on this.

      Sophos UTM might be an option, it also officially supports SharePoint publishing. But I haven't found any software only version like the one you can get for home use. I'm also not sure about pricing.

      MS WAP is something I want to avoid if possible: I would need to buy WinSrv2012r2 user CALs and at least 3 standard licenses: 2 VMs per lic x 3 hosts, next I would need to deploy WAP and ADFS on dedicated VMs and so on. Like shooting a bird with a cruise missile.

      Any chance to get Apache running? Other ideas?


        jt1001001, last edited by jt1001001

        I think I posted this before? We are converting our Forefront TMG servers to Kemp for both load balancing and reverse proxy for Lync/S4B. They support Sharepoint and offer both hardware and virtual appliances. They have a free version and paid versions as well, supports AD Auth and I think NTLM. I'm not yet a direct part of the project so I haven't deep dived into it yet.
        https://kemptechnologies.com/load-balancer-sizing-sharepoint/
        https://kemptechnologies.com/loadmaster-family-virtual-server-load-balancers-application-delivery-controllers/
        Here is the free offering:
        https://kemptechnologies.com/blog/announcing-new-free-loadmaster-application-load-balancer/


          thwr @jt1001001, last edited by thwr

          @jt1001001 said in SharePoint reverse proxy replacement for MS ForeFront UAG:

          I think I posted this before? We are converting our Forefront TMG servers to Kemp for both load balancing and reverse proxy for Lync/S4B. They support Sharepoint and offer both hardware and virtual appliances. They have a free version and paid versions as well, supports AD Auth and I think NTLM. I'm not yet a direct part of the project so I haven't deep dived into it yet.
          https://kemptechnologies.com/load-balancer-sizing-sharepoint/
          https://kemptechnologies.com/loadmaster-family-virtual-server-load-balancers-application-delivery-controllers/
          Here is the free offering:
          https://kemptechnologies.com/blog/announcing-new-free-loadmaster-application-load-balancer/

          You did, sorry, should have mentioned the old thread. The old one was more about my trunks which refused to work without any changes (conf, net, updates etc).

          I didn't notice that there is a free version of Kemp, will have a look. Thank you.


            thwr, last edited by thwr

            Just had a look at the price list found here: http://www.kernelsoftware.com/products/catalog/kemp.html

            This is definitely premium. Is anyone from Kemp around here at ML?


              scottalanmiller @thwr, last edited by scottalanmiller

              @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

              Just had a look at the price list found here: http://www.kernelsoftware.com/products/catalog/kemp.html

              This is definitely premium. Is anyone from Kemp around here at ML?

              Don't believe so.


                thwr @scottalanmiller, last edited by thwr

                @scottalanmiller said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                Just had a look at the price list found here: http://www.kernelsoftware.com/products/catalog/kemp.html

                This is definitely premium. Is anyone from Kemp around here at ML?

                Don't believe so.

                Thing is: the free version is limited to 20 MBit/s throughput. That could be OK, but I don't want to spend like 5-10k for the next step.


                  JaredBusch @thwr, last edited by JaredBusch

                  @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                  @scottalanmiller said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                  @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                  Just had a look at the price list found here: http://www.kernelsoftware.com/products/catalog/kemp.html

                  This is definitely premium. Is anyone from Kemp around here at ML?

                  Don't believe so.

                  Thing is: the free version is limited to 20 MBit/s throughput. That could be OK, but I don't want to spend like 5-10k for the next step.

                  Does Kemp proxy Exchange 2013? I can live with 20mbps for Exchange.


                    jt1001001, last edited by jt1001001

                    I saw some items on load balancing for Exchange. I will see if my team lead here has a good tech contact at Kemp and see if they can join the community.


                      thwr @jt1001001, last edited by thwr

                      @jt1001001 said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                      I saw some items on load balancing for Exchange. I will see if my team lead here has a good tech contact at Kemp and see if they can join the community.

                      Awesome, thanks.

                      I do not have many users, but they are uploading lots of large documents every once in a while. 20 MBit/s would be perfectly fine for Exchange, like @JaredBusch said, but not in my case.


                        jt1001001, last edited by jt1001001

                        The one contact we have is a sales guy, don't think I want him joining over here. Probably you would be looking at the VLM-200 which we got a quote for $1800 US direct from Kemp, plus whatever it was for maintenance.


                          Dashrender, last edited by Dashrender

                          How are you accessing SharePoint without user CALs?


                            thwr @Dashrender, last edited by thwr

                            @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                            How are you accessing SharePoint without user CALs?

                            I have plenty of CALs, but they are for Srv2008R2 (+SharePoint 2010 and a SQL Server Core Edition). Microsoft's WAP requires 2012R2 or newer.


                              thwr @jt1001001, last edited by thwr

                              @jt1001001 said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                              The one contact we have is a sales guy, don't think I want him joining over here. Probably you would be looking at the VLM-200 which we got a quote for $1800 US direct from Kemp, plus whatever it was for maintenance.

                              Ok, thx for asking.


                                thwr, last edited by thwr

                                Deployed the free KEMP LoadMaster virtual appliance today, works pretty well.

                                There are some issues with permitted groups in the SSO settings, probably related to caching or session variables/cookies. What I didn't find was a way to upload a separated CA chain cert, guess I need to build a cert with a full chain included.

                                Another issue is related to Kerberos. You need to set up an AD user that holds the appliance's FQDN in the NT username field - doesn't fit in my case, because my FQDN alone is 17 chars and the field can just hold 20 chars for historic reasons. Fallback was using basic auth against SP, which is not great but OK because my SP is internally and externally on SSL only.

                                I'll try this setup for a few weeks, the restricted bandwidth could just be enough. Thx @jt1001001


                                  Dashrender, last edited by Dashrender

                                  Are you splitting your internet connection so that only traffic for the SP is going through the proxy?


                                    thwr @Dashrender, last edited by thwr

                                    @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                    Are you splitting your internet connection so that only traffic for the SP are going through the proxy?

                                    Splitting? SP is on one of the local nets, the proxy in a DMZ with an IP in my public subnet.


                                      Dashrender @thwr, last edited by Dashrender

                                      @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                      @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                      Are you splitting your internet connection so that only traffic for the SP are going through the proxy?

                                      Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet

                                      So this new thing you put into place filters/proxies the whole network to the internet?


                                        thwr @Dashrender, last edited by thwr

                                        @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                        @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                        @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                        Are you splitting your internet connection so that only traffic for the SP are going through the proxy?

                                        Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet

                                        So this new thing you put into place filters/proxies the whole network to the internet?

                                        Just inbound traffic to SP. Outbound is something different. Think of that like on-site hosting in a completely separated network.


                                          thwr @thwr, last edited by thwr

                                          @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                          @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                          @thwr said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                          @Dashrender said in SharePoint reverse proxy replacement for MS ForeFront UAG:

                                          Are you splitting your internet connection so that only traffic for the SP are going through the proxy?

                                          Splitting? SP is on one of the local nets, the proxy in a DMZ with a IP in my public subnet

                                          So this new thing you put into place filters/proxies the whole network to the internet?

                                          Just inbound traffic to SP. Outbound is something different. Think of that like on-site hosting in a completely separated network

                                          Or maybe like this: A reverse UTM. I'm not protecting any internal clients from malicious traffic, I'm protecting my SharePoint frontend servers. Filtering/IPS (SNORT) will be in place soon, yes.


                                            JaredBusch, last edited by JaredBusch

                                            @thwr or anyone else that has used Kemp.

                                            Have any of you tried to work with Let's Encrypt here? Their forums seem unhelpful. The unit has to decrypt and re-encrypt the traffic in order to process the headers at L7.

                                            It is easy enough to load my cert into the unit, but I do not want to have to do it manually every 2 months.
