9 Replies Latest reply: Dec 11, 2009 9:06 PM by Some Dude
Some Dude Level 1 Level 1 (55 points)
OK, I am getting an error in the Web log on the origin server that prevents me from getting the Mobile Access login page...here it is, this must be something simple, just can't figure it out...

Connection refused: proxy: HTTP: attempt to connect to 127.0.0.1:8171 (*) failed

Again, I can go directly to the www.mydomain.com hosted site from the Mobile Access server's browser, so I know the website is up and responding; however, if I try to access it through the reverse proxy, I get an error saying "Object not found" when the auto-redirect redirects me to:

https://www.mydomain.com/secureproxylogin.php?https://mobile.mydomain.com/

By the way, it's not a cert issue, my SSL certs are working fine on both the MAS and the origin server.

Help please? Thanks very much.

MacPro 2008 3.2GHz 8-core,32GB RAM,4x1TB in a hardware RAID5, Dual 8800GT's, Mac OS X (10.6.2), Snow Leopard Server
  • A Level 1 Level 1 (35 points)
    You can ignore the log message about 127.0.0.1:8171; that's just the index.html page checking whether Podcast Producer is available.

    The actual problem may be misconfigured split DNS. If your origin server is named www.mydomain.com internally, it needs to have that same name externally as well. So the public DNS should have a record mapping www.mydomain.com to the IP address of your Mobile Access machine, and your internal private DNS should have a record mapping www.mydomain.com to the IP address of the origin server machine.
  • Some Dude Level 1 Level 1 (55 points)
    Hmmm, A, you may be on to something here. BUT! Here is the issue. If I change the www record externally to resolve to the public IP of my public Mobile Access Server, then how will the MAS know where 'www' is internally? The internal origin DNS is already set up for www pointing to 10.0.1.4, but the MAS is outside the firewall on a public IP. Hmmm, methinks I might need a static route on the MAS machine so that it magically knows where 10.0.1.4 is. Umm, wait, no, that's not right... I'd really rather continue allowing the MAS server to use external DNS from the ISP for its resolver stack, which means it would never find the www internal server. Thoughts? And thank you, by the way; you are helping for sure, which is quite nice of you.
  • Some Dude Level 1 Level 1 (55 points)
    By the way, I should have mentioned that the MAS device is currently pointing to external DNS for its network stack, and the www host currently resolves to the external interface on my firewall. The firewall then performs the NAT and sends that to 10.0.1.4. I can easily change that, but that's what it is today.
  • A Level 1 Level 1 (35 points)
    The supported Mobile Access configuration (for the web-based services, not Mail) requires split DNS, and specifically it requires that the resolver on your MA machine use your internal private DNS, not the public DNS.
  • Some Dude Level 1 Level 1 (55 points)
    Interesting, I did not know that. I knew split DNS was needed for web, iCal and Address Book reverse proxying through MAS, but I did not know that the MAS had to point to internal DNS for its own resolution. Since things are still not working, I will certainly try this, though it will require me to create a static route to the internal network on the DMZ-based Mini running the MAS. Now to figure out how to add a static route in Mac OS X. Thanks again, kind sir; I hope to finally nail this Mobile Access thing soon. And then I'm gonna write a nice note to Apple about improving their documentation on major new features that they are very good at marketing, but not so good at actually showing real-world usage details.
  • Some Dude Level 1 Level 1 (55 points)
    A, OK, I am now pointed at my internal DNS server for all DNS resolution from the DMZ-based Mobile Access Server. The problem now is that everything that is resolved, for instance www.mydomain.com, resolves to 10.x addresses, which the MAS in the DMZ can't reach. I have added a static route on the MAS server, but still it can't reach the 10.x network. Any ideas? Thanks again for your help.
  • Some Dude Level 1 Level 1 (55 points)
    Realized I could be clearer here...

    www.mydomain.com in external DNS points to the Mobile Access Server's IP (a public IP in my DMZ)

    www.mydomain.com in internal DNS points to the origin SL server as it should (at 10.0.1.4)

    Also, the MAS device is now pointed to internal DNS for all resolution and I've updated the DNS server to allow it to perform recursive queries. The DNS part works fine now.

    The issue now is that when the MAS resolves 'www.mydomain.com' it returns the private 10.0.1.4 IP, and the MAS can't reach that network, so it fails. I added a static route on the MAS pointing to the external interface of the firewall for the 10.0.1.0/24 network, but for some reason still cannot get to the 10.0.1.0/24 network from the MAS. When adding the static route, I used the command:

    route add -net 10.0.1 -netmask 255.255.255.0 66.x.y.z

    The route was added successfully, it just doesn't allow me to get there. The firewall is an AirPort Extreme base station, btw, and the 66.x.y.z above is the external interface of the AEBS... I wonder if it is doing something funky to prevent connectivity there.

    Thanks again A, we are close, I can feel it.

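    The split-DNS arrangement A describes (public view of www to the MAS, internal view to the origin server) and the reachability problem in the post above can be checked mechanically. The following is an added example, not code from the thread or from Apple; the MAS public address is a constructed placeholder, the routing tables are constructed, and the "private destination via the default route" test is a heuristic for the failure mode described, not a full routing analysis.

```python
import ipaddress

# Constructed sample values modelled on the thread: the public resolver view should
# return the Mobile Access Server's public address, the internal view the origin server.
MAS_PUBLIC_IP = "203.0.113.10"   # placeholder; the real MAS address is not on the page
ORIGIN_IP = "10.0.1.4"           # origin server address given in the thread

def parse_dig_short(text):
    """Parse `dig +short` style output into a list of IP address strings."""
    addrs = []
    for line in text.splitlines():
        try:
            addrs.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            continue  # CNAME targets and blank lines are not addresses
    return addrs

def check_split_dns(public_answer, internal_answer,
                    mas_ip=MAS_PUBLIC_IP, origin_ip=ORIGIN_IP):
    """Return a list of split-DNS problems found in the two views (empty means OK)."""
    problems = []
    if mas_ip not in parse_dig_short(public_answer):
        problems.append("public view does not point www at the MAS")
    if origin_ip not in parse_dig_short(internal_answer):
        problems.append("internal view does not point www at the origin server")
    return problems

def best_route(routing_table, dest_ip):
    """Longest-prefix match over constructed (network, gateway) pairs."""
    target = ipaddress.ip_address(dest_ip)
    best = None
    for net, gw in routing_table:
        network = ipaddress.ip_network(net, strict=False)
        if target in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best

def mas_can_reach_origin(internal_answer, routing_table, origin_ip=ORIGIN_IP):
    """Heuristic for the poster's failure mode: the MAS resolves www to a private
    address, but its only matching route is the default route towards the ISP,
    which will never deliver to the internal LAN. A private destination therefore
    needs a route more specific than the default."""
    if origin_ip not in parse_dig_short(internal_answer):
        return False
    route = best_route(routing_table, origin_ip)
    if route is None:
        return False
    return not (ipaddress.ip_address(origin_ip).is_private and route[0].prefixlen == 0)
```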
  • Some Dude Level 1 Level 1 (55 points)
    A, any further ideas here? I'm really stuck without the static route back to the 10.x network working. Reference earlier post. Thanks!
  • Some Dude Level 1 Level 1 (55 points)
    Sanity check here guys...

    If I choose not to proxy Web services on the Mobile Access Server, but only to proxy mail and maybe Address Book, what should occur when an outside user goes to https://mobile.mydomain.com? My understanding was that they would get the pretty Apple login screen regardless, but now I'm not so sure. I had thought that the user has to get that login screen regardless of which protocol is reverse proxied. I thought it was a portal login that, once authenticated, allowed you to get your mail, address book sync, etc.

    Do I have a basic misunderstanding of MAS here?

    Thanks.