Shoretel iPhone Reverse Proxy Server

This guide is for a Linux beginner, as I had to go through and modify the ShoreTel guide to work with Apache2.  This setup works great, and even passes through AD authentication from the ShoreTel app.

What you will need:

  • Ubuntu Server 12.10 (I provisioned a VM with 2 CPU, 2 GB RAM, 12 GB disk)
  • Public DNS Record and Public IP (And NAT on firewall to internal IP)
  • Internal DNS Record (if you have wifi)
  • iPhone with Communicator App installed

Download Ubuntu Server 12.10 from http://www.ubuntu.com/download/server

      • Install the server going through the basic prompts
      • If you can install the server on a network that has DHCP, the install process should be easier, since you will need to download various components during setup
      • When prompted for a name, give the FQDN (ex. shoretelproxy.domainname.com)
      • When prompted to install additional components, highlight the OpenSSH server and LAMP server options, then press enter to proceed (OpenSSH is what you will use to copy the certificate files over port 22 later)

Once your server is ready, set a static IP address

      • Type sudoedit /etc/network/interfaces (You will be prompted for your user password)
      • Under “auto eth0”, change “iface eth0 inet dhcp” to “iface eth0 inet static” and add IP information to be formatted like this:

# The primary network interface
auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
network x.x.x.0
broadcast x.x.x.255
gateway x.x.x.1
dns-nameservers x.x.x.x x.x.x.x
dns-search yourdomain.com

      • Press Ctrl + O then Enter to save the configuration.  Press Ctrl + X to exit
      • Apply the network changes by typing: sudo ifdown eth0 and then sudo ifup eth0
      • If clients will be accessing the reverse proxy from the internal network, make sure to create an internal DNS record pointing to the static IP

Before we continue, let’s update the Ubuntu server

      • Type: sudo apt-get update
      • Type: sudo apt-get upgrade
      • Type: sudo apt-get dist-upgrade

Next, load the additional modules needed for apache2

      • Type: sudo a2enmod ssl
      • Type: sudo a2enmod rewrite
      • Type: sudo a2enmod proxy
      • Type: sudo a2enmod proxy_http
      • Type: sudo a2enmod proxy_connect
      • Restart apache2 with: sudo service apache2 restart

Now create directories to store the SSL cert

      • Type: sudo mkdir /etc/apache2/ssl
      • Type: sudo mkdir /etc/apache2/ssl/certs
      • Type: sudo mkdir /etc/apache2/ssl/private
      • Type: cd /etc/apache2/ssl to change your working directory

To create my CSR, I used DigiCert’s OpenSSL wizard here: https://www.digicert.com/easy-csr/openssl.htm

      • Type sudo, paste the openssl command generated by the wizard after it, and press enter
      • You should now have a csr file you can view
      • Type “ls” and press enter to view the files in your directory
      • Move the private key: sudo mv servername_domain_com.key /etc/apache2/ssl/private/
      • View the csr by entering: cat servername_domain_com.csr
      • Copy and paste that output into your SSL cert provider form

Once you receive the download for your .crt files, you will need to transfer them to your server

      • Download and install free ftp software (like Filezilla or WinSCP) on your PC
      • Connect to your server IP over SFTP (port 22, the SSH port) with your username and password
      • Browse to your user directory (/home/username) and drag and drop your CA.crt and server.crt files
      • Back on the Ubuntu server, we will move the files to the correct location
      • Type: sudo mv /home/username/filename.crt /etc/apache2/ssl/certs for both crt files

You need to tell Apache to listen on your reverse proxy port (5501)

      • Type: sudoedit /etc/apache2/ports.conf
      • Under “Listen 80”, add the following:

NameVirtualHost *:5501
Listen 5501

      • Type Ctrl + O, press enter to save and then Ctrl + X to exit

Next, create a new site to use for the reverse proxy

      • Type: sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/proxy
      • Type: sudoedit /etc/apache2/sites-available/proxy
      • Edit your config to look like this:

<VirtualHost *:5501>
ServerAdmin webmaster@localhost
ServerName servername.domain.com

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine On
SSLProxyEngine On

# Note: this cipher string still enables LOW, EXP, SSLv2 and eNULL (unencrypted) suites;
# tighten it before exposing the proxy to the internet.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/apache2/ssl/certs/server_domain_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/server_domain_com.key
SSLCACertificateFile /etc/apache2/ssl/certs/CAfile.crt

# RewriteEngine must be on, otherwise the [P] (proxy) rules below are ignored
RewriteEngine On
RewriteRule ^/theme/(.+)$ /director2/theme/$1 [P]
RewriteRule ^/yui_2.7.0/(.+)$ /director2/yui_2.7.0/$1 [P]
RewriteRule ^/js/(.+)$ /director2/js/$1 [P]

# Replace ShoretelDirectorIP with the internal address of your ShoreTel Director; the URLs must contain no spaces
ProxyPass /authenticate/ http://ShoretelDirectorIP/
ProxyPassReverse /authenticate/ http://ShoretelDirectorIP/

ProxyPass /cas/ http://ShoretelDirectorIP:5447/
ProxyPassReverse /cas/ http://ShoretelDirectorIP:5447/

ProxyPass /director2/ http://ShoretelDirectorIP:5449/
ProxyPassReverse /director2/ http://ShoretelDirectorIP:5449/

</VirtualHost>

      • Make sure to save and then exit the file

Now enable your new proxy site

      • Type: sudo a2ensite proxy
      • Restart apache: sudo service apache2 restart

Now you should be able to start the iPhone app, enter the public DNS name, and enable the proxy on port 5501
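Before putting a vhost like the one above on a public IP, it is worth checking it for the settings a reviewer would flag: a cipher string that still enables weak or null suites, [P] rewrite rules without RewriteEngine On, ProxyPass targets broken by a stray space, and directory listing on the document root. The small linter below is an added example and not part of the original post; both vhost samples are constructed from the post's config with ShoretelDirectorIP kept as a placeholder, and the hardened variant is my own assumption, not ShoreTel's recommendation.

```python
import re
# Constructed sample: the post's proxy vhost, cut down to the directives checked here.
WEAK_VHOST = """<VirtualHost *:5501>
Options Indexes FollowSymLinks MultiViews
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
RewriteRule ^/theme/(.+)$ /director2/theme/$1 [P]
ProxyPass /authenticate/ http://ShoretelDirectorIP/
ProxyPass /cas/ http:// ShoretelDirectorIP:5447/
</VirtualHost>"""

# Constructed hardened variant of the same vhost (my assumption, not from the post).
HARDENED_VHOST = """<VirtualHost *:5501>
Options FollowSymLinks
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
RewriteEngine On
RewriteRule ^/theme/(.+)$ /director2/theme/$1 [P]
ProxyPass /authenticate/ http://ShoretelDirectorIP/
ProxyPass /cas/ http://ShoretelDirectorIP:5447/
</VirtualHost>"""

# Cipher-string keywords that add null, export, low/medium-grade, RC4 or SSLv2 suites.
WEAK_CIPHER_KEYWORDS = ("eNULL", "EXP", "LOW", "MEDIUM", "RC4", "SSLv2")

def lint_vhost(text):
    """Return a list of (directive, problem) findings for a TLS reverse-proxy vhost."""
    d = {}  # directive name -> list of values; <Section> tags and comments are skipped
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            d.setdefault(name, []).append(value.strip())
    findings = []
    for cs in d.get("SSLCipherSuite", []):
        # a keyword counts only when enabled (at the start or after ':' / '+'), not when negated with '!' or '-'
        bad = [k for k in WEAK_CIPHER_KEYWORDS if re.search(r"(^|[:+])%s([:+]|$)" % k, cs)]
        if bad:
            findings.append(("SSLCipherSuite", "enables weak ciphers: " + ",".join(bad)))
    if "SSLProtocol" not in d:
        findings.append(("SSLProtocol", "not set; disable SSLv2 and SSLv3 explicitly"))
    if any("[P]" in r for r in d.get("RewriteRule", [])) and "On" not in d.get("RewriteEngine", []):
        findings.append(("RewriteRule", "[P] proxy rules present but RewriteEngine On is missing"))
    for name in ("ProxyPass", "ProxyPassReverse"):
        for value in d.get(name, []):
            parts = value.split()  # a stray space inside the URL splits the value into three tokens
            if len(parts) != 2 or not parts[1].startswith("http"):
                findings.append((name, "malformed target: " + value))
    if any("Indexes" in o.split() for o in d.get("Options", [])):
        findings.append(("Options", "Indexes enables directory listing on an internet-facing proxy"))
    return findings
```

Run lint_vhost on the text of /etc/apache2/sites-available/proxy and fix each finding before the site is reachable from the public IP.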
