2ajon20%8 Zimbra Proxy Manvatinsialing, Configuring, Disabling the Zibra Prony = Zim Tech Center
Zimbra Proxy Manual:Installing , Configuring, Disabling the Zimbra
Proxy
1. Zimbra Tech Center
2. Centified
3. Zimbra Proxy Manual:Installing , Configuring, Disabling the Zimbra Proxy
Zimbra Proxy: Installing , Configuring, Disabling the Zimbra Proxy
= This article is a Work in Progress, and may be unfinished or missing sections,
General Proxy Overview
Overview And Planning | Installing , Configuring, Disabling |Zimbra Proxy Related _| Troubleshooting
For Zimbra Proxy the Zimbra Proxy CLI Commands Zimbra Proxy
Advanced Topics
Configuration And Template | Advanced Proxy Miscellaneous Zimbra Proxy Manual: Adding
Files And Proxy Related Configuration Examples 700%. Additional Reverse Proxy To
‘Variables via CLI Ps Zimbra Proxy
Things To Review First
Prerequisite Variables To Check First
zimbraPublieServiceHostname zimbraPublieServiceProtocol and zimbraPublicServieePort
* Needs more details, incomplete right now.
In order for the change password link, calendar launching in separate window, and other various funetionality to
work correctly - meaning, to use the proxy instead of mailbox server, the following LDAP attributes have to be set
to the proxy values:
= zimbraPublicServiceHostname(Name to be used in public API such as REST or SOAP proxy) - proxy
hostname
= zimbraPublicServiceProtocol(Protocol to be used in public API such as REST or SOAP proxy) - proxy
protocol (http or https)
= zimbraPublicServicePort(Port to be used in public API such as REST or SOAP proxy) - proxy port
zimbraVirtualHostname
* Needs more details, incomplete right now.
vimbra_auth_always_send_refer
psi zimora.comiwik'Zimbra_Proxy_Marual Insaling__Configuing, Disabling. the_Zimbra, Proxy w2a10212018 Zimbra Proxy Manualnstaling, Configuring, Disabing the Zimbra Proxy Zimbra Tech Center
The zmlocaleonfig key zimbra_auth_always_send_refer is now obsolete. Its been replaced by LDAP attribute
zimbraMailReferMode. Now with a full-fledged reverse proxy, users do not need to be redirected. The LDAP
attribute zimbraMailReferMode is used directly by the Nginx reverse proxy.
zmtlsetl
* Needs more details, incomplete right now.
zmtisetl sets the zimbraMailMode , this is different than the zimbraReverseProxyMailMode .
ntlsctl help
Usage: /opt/zinora/bin/zmtisctl [nixed|both|http|https [redirect]
zmprov desc -2 zinbratiai Mode
j2inbratad Mode
Whether to run HTTP on HITPS or both/aixed node on redirect node. See
also related attributes zinbrattailPort and zinbrata!1ssiPort
type + coum
E value : hetpynttps,both,mixed, redirect
callback : LocalBing
amutable : false
cardinality + single
requiredin =
optionalTa : globalcontig, server
Flags + serverinherited
defaults +
id : 308
requiresRestart =
eprecatessince =
% amprov dese -2 zinbraReverseProxylaslMode
[BinbraReverseProxyiai Mode
whether to run proxy in HTTP, HTTPS, both, mixed, or redirect node.
See also relates attributes zinbrataileroxyPort and
zinbratas SSLProxyPort
i type + coum
valve | httpjnttps,bothymixed, redirect
callback +
immutable : false
cardinality + single
requiredin =
‘optionalTa : globalcontig, server
Flags : serverinherited
defaults +
id: 685
requiresRestart + nginxprexy
since + 5.0.7
eprecatessince
8.5 server install:
's anprov ge “zehostrane’ | grep MailMode
f2inbratas Mode: hetp=
;rinbeaReverse®roxyai Mode: https
psi zimora.comiwik'Zimbra_Proxy_Marual Insaling__Configuing, Disabling. the_Zimbra, Proxy an2810272018 Zima Proxy Manuatlnstaling , Configuring, Disabling the Zimbra Proxy - Zimbra Tech Center
‘The New WebApp Services In ZCS 8.5 and zm_auth_token
Source: From admin guide draft under 'Configur Zimbra HTTP Proxy’
* Needs more details, incomplete right now
Note - <> [From Admin Guide Draft]
New ZCS Deployment
Single ZCS Server Environment
* Needs more details, incomplete right now.
= Note, for ZCS 8.7 - proxy will be required even for single ZCS deployments.
= Require proxy & memcached nodes exist prior to upgrading to ZCS 8.7
= https://bugzilla.zimbra.com/show_bug.cgi?id-96920
Multi-Server ZCS Environment
* Needs more details, incomplete right now.
Adding Zimbra Proxy Services To Existing Non-Proxy Environments
via ZCS Installer [Recommended Method]
Using New Servers
Source: http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Using_new_servers
Here you are installing the proxy on a brand new server and having all your existing mailbox servers being
accessed through the proxy on this new server. Simply use the installer script (install.sh) and select the proxy and
memcached packages ('Y' by default with ZCS 8.5+, just need to hit enter). This will ask you for LDAP
hostname/password, Bind password for nginx Idap user which you need to provide (do 'zmlocaleonfig -s
ginx_password’ on the host running Idap to get this) and then the Zimbra Proxy configuration menu would
layed which would look like this
Proxy configuration
Enable PoP/INAP Proxy: TRUE.
IMAP server port: na
IAP server SSL port 7393
IAP proxy port: 1s
IMAP SSL_proxy port: 393
POP server port? me
PoP server SSL port: 7998,
POP proxy port 108
POP SSL proxy port: 995
Bind password for nginx dap user: set
Enable HT79[3] Proxy TRUE
Web server HTTP port: 080
Web server HTTPS! port: 2403
ATP proxy port ae
AITPS: proxy port: aa
Proxy Server ode: https
psi zimbra.comivik'Zimbra_Proxy_Marual Insaling__ Configuring, Disabling. the_Zimbra, Proxy2810212018 Zima Proxy Manuatlnstaling , Configuring, Disabling the Zimbra Proxy - Zimbra Tech Center
If you need to change any of these intentionally, you can do that now by selecting the corresponding config item
from the menu (say for eg. to disable POP/IMAP proxy, select '2' from the above menu). Otherwise, just proceed
with all the defaults and you would have the proxy+memcached installed on this new server. Now, to have all the
mailbox servers use the proxy, simply set the zimbraMailReferMode to reverse-proxied on each mailbox server and
restart mailboxd to have all the traffic go through the proxy.
Using Existing Servers
* Needs more details, incomplete right now.
Adding Zimbra Proxy Services To Existing Non-Proxy Environments
via CLI [Advanced Method]
Using New Servers
Using Existing Servers
Source: http://wviki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Using_existing_servers
Assuming you are running a 8.0 or earlier version ZCS with no proxy/memeached, zimbraMailMode as https and
now want to upgrade to 8.5+ along with adding proxy & memcached, you need to follow the following steps
Start 8.5+ installer (install.sh script)
Do you wish to upgrade? [Y] y
Install zimbra-memeached [N] y
Install zimbra-proxy [N] y
After install is done, enable web/mail proxy, and set the proxy mode and ports:
ind "both" are valid modes
= Iflocalconfig key 'zimbra_require_interprocess_security’ is set, Only "https"
/zinbra/bexee/2mproxyconfig-e -w -0 -2 8880:80:8443:443 -x -H “znhostnane
= Else if ‘zimbra_require_interprocess_security’ is unset, Only "http" and "both" are valid modes
/ninbra/libexec/2mproxycontig,-@ -w -0 -2 8080:60:8443:443 -x chttp/both> -M “zmhostnane’
= Set the mail proxy ports
jpt/zinbra/Libexec/zmproxyconfig -e -m -0 -L 7243:143:7993:993 -p 7118:110:7895:995 -4 “zmhostnare”
‘Now, to have all the mailbox servers use the proxy, simply set the zimbraMailReferMode to reverse-proxied on
each mailbox server and restart mailboxd to have all the traffic go through the proxy. Do a 'zmcontrol restart’ on
this node and you should be up and running.
psi zimora.comiwik'Zimbra_Proxy_Marual Insaling__Configuing, Disabling. the_Zimbra, Proxy an2ajon20%8 Zimbra Proxy Manvatinsialing, Configuring, Disabling the Zibra Prony = Zim Tech Center
Manually Modifying Zimbra Proxy Services And Related Variables via
CLI
Source:
http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy'fManually Modifying Proxy_.26 related_Variables_via_CLI
Simple Command With Defaults
Source: http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Simple_Command_With_Defaults
The zmproxyconfig command can be run with limited arguments if the command defaults are acceptable. Run
Jopt'zimbrallibexec/zmproxyconfig to view all the argument options and the usage
Protocol Requirements Including HTTPS Redirect
Source:
http://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy‘Protocol_Requirements_Including HTTPS_Redireet
HTTP proxy can support protocol modes for HTTP or HTTPS only, both HTTP and HTTPS, mixed HTTP and
HTTPS or HTTPS redirect from HTTP. Redirect is a popular configuration. This configuration must be made to the
Proxy servers.
= HTTPS redirect from HTTP
lenprov ms proxy.server.nane zimbraReverseProxyMailiode redirect
= HTTP and HTTPS (support both)
= HTTP only
enprov ms proxy.server.nane zinbrafeverseProxyMailMode
= “mixed” will cause only authentication to be sent over HTTPS
lemprov ns proxy.server.nane zinbraReverseProxyMailMoce mixed
Documents & Sharing - The zimbraPublicService variables
Source: http:/wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy#Documents_26_ Sharing
psi zimora.comiwik'Zimbra_Proxy_Marual Insaling__Configuing, Disabling. the_Zimbra, Proxy co2a10212018 Zimbra Proxy Manualnstaling, Configuring, Disabing the Zimbra Proxy Zimbra Tech Center
It is important to consider access to documents (Briefcase) and shares when setting up HTTP proxy. A publicly
reachable address must be configured to be used for the REST and SOAP proxy interfaces otherwise components
requiring access to these interfaces will fail. Calendar sharing is an example of one component. Set
zimbraPublicServiceHostname, zimbraPublicServiceProtocol, and zimbraPublicServicePort when applicable.
These values are usually not required without proxy sinee the REST and SOAP proxy interfaces take the value of
the Zimbra mailbox service hostname by default. These attributes can be set globally to be inherited by all domains
or per domain.
Set zimbraPublicServiceHostname to the value of the host that will be used in the URL for access to the HTTP.
proxy.
= This command sets mail.domain.com as the public hostname to be used for access to all domains in the
Zimbra directory
prov ncf zinbraPublicServicedostnane mail.domain.con
= This command sets mail.domaina.com as the public hostname to be used for access to domaina.com domain:
prov md donaina.con zinbraPublicServicetiostnane mall. domain
= Set zimbraPublicServiceProtocol to hutp or https depending on the protocol requirements for HTTP proxy:
prev nd donsina.con zinbraPublicServiceProtocel https
= Set zimbraPublicServicePort to the value that corresponds to the HTTP proxy port used in the URL (optional
if standard ports 80 or 443 are used for proxy listeners):
prov nd donsina.con zinbraPublicServicePort 443
Disabling Zimbra Proxy
Completely Disable Proxy In Single ZCS Server Environment
Completely Disable Proxy In Multi-Server ZCS Environment
Disable POP/IMAP Proxy In Single ZCS Server Environment
Source: http://wiki.zimbra.com/wiki/Ajcody-Proxy-
Notes#Need_To_Disable_Pop.2Flmap_Proxy_And_Use_POP.2FIMAP_Normally
‘show
Sometimes, people install/setup proxy services on their single ZCS server and they don't need them. Hei
you would disable the proxy stuff and get imap/pop working over the default ports.
a anprov -1 gs “znhostnane” | grep -4 port
st the ports, then set variables to port @:
prey ns “zthostname™ zinbrainapProxyaindPort @
prev mz “zehostname” rinbraznapsSLProxyBincPort @
prov ms ~zehostname™ zinbraPopsProxysindPort @
psi zimbra.comiwik'Zimbra_Proxy_Marual Insaling__ Configuring, Disabling. the_Zimbra, Proxy co2810212018 Zima Proxy Manuatlnstaling , Configuring, Disabling the Zimbra Proxy - Zimbra Tech Center
fenprov ms “zshostrane’ zinbraPop3sSLProxyBindPort @ E
en, set the non “Proxy” ports to the desired standard ports
*anhostnane™ zinbratnapBindPort 143
awnostrane’ zinbeamapSsStBindPort 993
zehostrane’ zinbraPop3BindPort 118
zenostrane’ zinbraPop3ssisindPort 995
prov ms “2ehostname™ -rinbraServicetnabled mencached
prov ms “zmhostname” ~rimbraServicernabled smapproxy
rproxyctl stop
mmencachedetl stop
nailboxdct top
inal Iboxdet start
Disable Web [Mail] Proxy In Single ZCS Server Environment
Source: hitp://wiki.zimbra.com/wiki/Ajeody-Proxy-
Notes#Need_To_Disable_Pop.2Flmap_Proxy_And_Use_POP.2FIMAP_Normally
Sometimes, people install/setup proxy services on their single ZCS server and they don't need them. Here's how
you would disable the proxy stuff and get imap/pop working over the default ports.
prov =1 gs “znhostnane™ | grep -1 port
tthe ports, then set variables to port &:
prey ns “zthostnane™ zinbraviailProxyPort @
annostrane’ 2inbraMadlSsiProxyPort @
‘the non “Proxy” ports to the desired standard ports
anhostrane’ zinbraMailPort 80
Pro ms “zehostrane™ zinbraMailssLPort 993
18 conplete
prov ms “2ehostname” -zinbraServiceénabled mencached
Retrieved from "https://wiki.zimbra.com/index.php?
title=Zimbra_Proxy_Manual:Installing_, Configuring, Disabling_the_Zimbra_Proxy&oldid=62005"
Categories: ZCS 8.5 | Certified | WorkInProgress | Author:Ajcody
psi zimora.comiwik'Zimbra_Proxy_Marual Insaling__Configuing, Disabling. the_Zimbra, Proxy 7