The Network Manager at Westminster School presents solutions to sticky problems...

Tuesday 16 April 2013

RPC over HTTP with Apache's mod_proxy

Let us get the bad news over and done with first. Unless you revert to Apache httpd 2.0.53 or earlier, you can forget proxying RPC over HTTP through Apache's mod_proxy.

Why is this?

Apache's mod_proxy reads the request body, up to a fixed spool limit (16 KB in the 2.2 and 2.4 code of the time) or to the end of the body if it is shorter, before it opens the connection to the backend, and it will not forward the request until it has those bytes. This is deliberate: reading the body first lets the proxy settle how the request is framed (Content-Length versus Transfer-Encoding: chunked) before anything reaches the backend, which closes off the HTTP request smuggling problem detailed here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088

Microsoft's idiosyncratic implementation of RPC over HTTP establishes two HTTP connections, one carrying an RPC_IN_DATA request for client-to-server traffic and one carrying an RPC_OUT_DATA request for server-to-client traffic, to move data between the Outlook client and the Exchange server (Outlook Anywhere), or between the Remote Desktop client and the Remote Desktop Gateway. The problem is that the RPC_IN_DATA request declares a very large Content-Length (1 GiB; the request is meant to stay open as a long-lived channel), but the client initially sends only a minuscule body, somewhere in the region of 100 bytes, and then waits for the server. That is nowhere near enough to satisfy mod_proxy's prefetch, so the backend connection is never opened and the request stalls.
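The following Python model is added here as an example; it is not code from the original post and not Apache's implementation. It puts both points above into one script: first, the Content-Length versus Transfer-Encoding framing disagreement that CVE-2005-2088 concerns, shown by running one constructed byte stream through two naive parsers; second, a model of a proxy that spools the start of the body before opening the backend, fed a constructed RPC_IN_DATA request with a 1 GiB Content-Length and only 100 bytes of body. The 16 KiB spool limit, the hostnames, the smuggled request and the placeholder body bytes are all assumptions.

```python
"""Constructed model of the two points above: the Content-Length versus
Transfer-Encoding framing disagreement behind CVE-2005-2088-style request
smuggling, and the stall a body-prefetching proxy hits on an RPC_IN_DATA
request. Spool limit, hostnames and body bytes are assumptions."""
from typing import Dict, List, Tuple

def parse_head(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split one request into (request line, lower-cased headers, bytes after the head)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def read_chunked(data: bytes) -> Tuple[bytes, bytes]:
    """Consume a chunked body; return (decoded body, bytes after the terminator)."""
    body = b""
    while True:
        size_line, _, data = data.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            _, _, data = data.partition(b"\r\n")  # skip the (empty) trailer section
            return body, data
        body, data = body + data[:size], data[size + 2:]  # chunk data plus its CRLF

def split_requests(stream: bytes, trust: str) -> List[str]:
    """Frame a pipelined stream into request lines, trusting "cl" or "te" when both are present."""
    seen = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        if trust == "te" and "chunked" in headers.get("transfer-encoding", "").lower():
            _, rest = read_chunked(rest)
        else:
            rest = rest[int(headers.get("content-length", "0")):]
        seen.append(request_line)
        stream = rest
    return seen

# Constructed smuggling stream: the Content-Length covers the chunk terminator
# and the trailing GET, so a CL parser sees one request and a TE parser sees two.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: backend.example\r\n\r\n"
AMBIGUOUS_STREAM = (
    b"POST /search HTTP/1.1\r\nHost: proxy.example\r\n"
    + (b"Content-Length: %d\r\n" % (len(b"0\r\n\r\n") + len(SMUGGLED)))
    + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n" + SMUGGLED
)

class PrefetchingProxy:
    """Model (not Apache's code) of a proxy that spools body bytes before connecting.

    The backend is opened only once min(Content-Length, spool_limit) body bytes are
    held, which is what lets the proxy settle the framing before forwarding anything.
    """
    def __init__(self, spool_limit: int = 16 * 1024):  # assumed spool size
        self.spool_limit = spool_limit
        self.buf = b""
        self.backend_opened = False

    def feed(self, data: bytes) -> bool:
        self.buf += data
        if b"\r\n\r\n" not in self.buf:
            return False  # still waiting for the end of the headers
        _, headers, body = parse_head(self.buf)
        needed = min(int(headers.get("content-length", "0")), self.spool_limit)
        self.backend_opened = len(body) >= needed
        return self.backend_opened

class StreamingProxy(PrefetchingProxy):
    """Model of a proxy that connects as soon as the headers are complete."""
    def feed(self, data: bytes) -> bool:
        self.buf += data
        self.backend_opened = b"\r\n\r\n" in self.buf
        return self.backend_opened

def rpc_in_data_request(initial_body: bytes) -> bytes:
    """Constructed RPC_IN_DATA request: a 1 GiB Content-Length with only the initial body bytes sent."""
    return (
        b"RPC_IN_DATA /rpc/rpcproxy.dll?mail.example:6001 HTTP/1.1\r\n"
        b"Host: mail.example\r\nContent-Length: 1073741824\r\n\r\n" + initial_body
    )

def backend_reached(proxy: PrefetchingProxy, request: bytes) -> bool:
    """Deliver the request as the client would (headers, then the small body) and report the outcome."""
    head, _, body = request.partition(b"\r\n\r\n")
    proxy.feed(head + b"\r\n\r\n")
    proxy.feed(body)  # the client now waits for the server; nothing more arrives
    return proxy.backend_opened

if __name__ == "__main__":
    print(split_requests(AMBIGUOUS_STREAM, "cl"), split_requests(AMBIGUOUS_STREAM, "te"))
    req = rpc_in_data_request(b"\x00" * 100)  # stand-in for the ~100-byte initial PDU
    print(backend_reached(PrefetchingProxy(), req), backend_reached(StreamingProxy(), req))
```

Run stand-alone, the first line of output shows the Content-Length parser framing one request where the chunked parser frames two, which is exactly the disagreement a proxy must resolve before it forwards anything. The second line shows the consequence for RPC over HTTP: the prefetching model never opens the backend, because 100 bytes against a 1 GiB Content-Length never reaches the spool limit, while the streaming model connects as soon as the headers are in. Lowering `spool_limit` to 100 makes the prefetching model connect too, which makes the point that this is a threshold the Outlook client simply never crosses, not a malformed request.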

Nothing in the HTTP/1.1 RFC strictly forbids forwarding a request before its body has been read, but doing so reopens the smuggling problem, so no amount of begging is going to make the Apache developers change their minds. To make matters worse, Microsoft, in the published protocol specification, have asserted patent rights over the use of their protocol. Game over.

So if you are looking for RPC over HTTP, you will have to stay with Microsoft, who, in their infinite wisdom, have apparently ditched their very successful ISA/TMG product without a replacement. Either that, or stop using Microsoft products in future. We may well tell our users that Outlook Anywhere is no longer an option rather than punch holes in our firewalls to allow what is by design an insecure protocol.
