reverse proxying exchange 2013, rdp over ssl and sstp vpn

Posted by andreas27 
reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 20, 2015 10:22AM
Hello all,

I need to publish an Exchange Server 2013 (OWA, EWS) on one server, remote desktop via ssl gateway (rdweb gateway) on another server and an sstp vpn (windows ssl vpn) on a third server, all behind a simple router with one public ip address and port forwarding enabled to forward port 443 to an nginx installation running on a debian linux box. I have a wildcard SSL certificate (*.mydomain.com) installed on nginx and want to address the respective services via different hostnames (e.g. owa.mydomain.com, rdp.mydomain.com, vpn.mydomain.com).

I had exactly this scenario running over years using Microsoft's Forefront Threat Management Gateway, but for some well known reasons I want and need to get rid of this no longer supported software solution from Microsoft and want to switch to an IPfire firewall in front with an nginx reverse proxy behind.

Even after longer internet research I did not find enough information to prove if it is possible and how to do it. Is it possible to share this single public ip address and port using nginx to publish all those different services? I tried to publish different web-applications (regular https) using different hostnames, no problem.
But I failed publishing RDP over SSL and/or SSTP. I even could not pass RDP over SSL alone through nginx or SSTP alone - only HTTPS web applications (e.g. Exchange OWA) worked without any issue.

I would be very happy if anyone could tell me
a) if the required scenario can be fulfilled using nginx
b) how to configure nginx to achieve publishing for RDP over SSL and (RDWeb Gateway) and VPN over SSL (SSTP)

All help would be very appreciated!
Thanks very much!
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 20, 2015 11:58AM
For RDP you need streaming, e.g. a vpn example:

# load balance your vpn servers

worker_processes 2;
error_log logs/error.log;

events {
    worker_connections 16384;
}

# http {
#     ... your usual http block ...
# } # http end

# stream is a top-level block, a sibling of http {}, not nested inside it
stream {
    error_log logs/stream_error_openvpn.log;

    upstream backend {
        # same client address always lands on the same backend
        hash $remote_addr consistent;
        server 192.168.99.3:8443;
        server 192.168.99.4:8443;
        server 192.168.99.5:8443;
    }

    server {
        # raw TCP listener; nothing here terminates or inspects TLS
        listen 443 so_keepalive=on;
        proxy_connect_timeout 300s;
        proxy_timeout 300s;
        proxy_pass backend;
    }

}

You can't mix stream ports with http(s) ports so you're going to need to route more than 1 port.
See also http://nginx.org/en/docs/stream/ngx_stream_ssl_module.html
And with this version http://nginx-win.ecsds.eu/ you can do it all on Windows.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 21, 2015 09:26AM
Now I tried first experiments but I get an error message:

nginx: [emerg] unknown directive "stream" in /etc/nginx/sites-enabled/...

here is the configuration file I tried:

========================================================

stream {
    error_log /var/log/nginx/rdp-ssl-error.log;
    # access_log in the stream context needs nginx 1.11.4 or later;
    # on 1.9.x it is reported as an unknown directive.
    access_log /var/log/nginx/rdp-ssl-access.log;

    upstream backend {
        hash $remote_addr consistent;
        server 192.168.0.1:443;
    }

    server {
        listen 443 so_keepalive=on;
        # server_name is an http-module directive; the stream module
        # routes by listen port only, so this line is not accepted here.
        # server_name rdp.test.local;
        proxy_connect_timeout 300s;
        proxy_timeout 300s;
        proxy_pass backend;
    }
}

========================================================

Is there anything wrong in my config file or is my nginx installation wrong (installed on debian 8.1.0 x64 via "apt-get install nginx") ?
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 21, 2015 12:33PM
You need at least nginx v1.8 when stream was added. 1.9.4 would be better since some stream issues have been resolved.

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 23, 2015 09:40AM
Hello,

Starting nginx still results in an error, output of "journalctl -xn" displays the following message:

nginx: [emerg] "stream" directive is not allowed here in /etc/nginx/sites-enabled/rdp...


Output of "nginx -v" is as follows:

nginx version: nginx/1.9.5


So the version seems to be OK. Do you have any other idea? Is there anything wrong with my configuration?

THX!
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 23, 2015 10:25AM
andreas27 Wrote:
-------------------------------------------------------
> nginx: [emerg] "stream" directive is not allowed here in
> /etc/nginx/sites-enabled/rdp...

Stream is a separate block AFTER your normal http {} block, see my example above.

events {}
http {}
stream {}

---
nginx for Windows http://nginx-win.ecsds.eu/
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 24, 2015 10:03AM
After some more experiments I got streaming running for RDP and SSTP, I could even publish both services when they run on the same backend. But no other https publishing e.g. for Exchange OWA / EWS is possible as the listener for port 443 is already in use.

So I have to answer my own question with NO, it is not possible to implement my target scenario using nginx. How sad.

Anyway thanks for all your support.
Re: reverse proxying exchange 2013, rdp over ssl and sstp vpn
September 24, 2015 10:06AM
andreas27 Wrote:
-------------------------------------------------------
> But no other https publishing e.g. for Exchange OWA / EWS is possible
> as listener for port 443 is already in use.
>
> So I have to answer my own question with NO, it is not possible to
> implement my target scenario using nginx. How sad.

I already stated "You can't mix stream ports with http(s) ports so you're going to need to route more than 1 port."
Just add another port forward to for example 8443 for rdp streaming.

---
nginx for Windows http://nginx-win.ecsds.eu/
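The following nginx.conf is an added example and is not from the thread or from the nginx-win project. It puts together what the two replies above describe: the stream {} block sits beside the http {} block rather than inside a sites-enabled file that is included into http {}, and because a stream listener and an http listener cannot share port 443 on this nginx version, the ordinary HTTPS services stay on 443 (selected by hostname) while each TCP-style service gets its own forwarded port. All hostnames, backend addresses, certificate paths and the ports 8443/9443 are placeholders for the poster's own values. Before testing it, `nginx -V` should list `--with-stream` among the configure arguments; without it the "unknown directive stream" error from earlier in the thread appears regardless of version.

```nginx
# Added example (not from the thread): http and stream side by side, with the
# services split over separate public ports. Placeholder values throughout.

worker_processes 2;
error_log /var/log/nginx/error.log;

events {
    worker_connections 16384;
}

# Port 443: ordinary HTTPS publishing, selected by hostname (SNI / Host).
http {
    # Wildcard certificate installed on nginx (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/wildcard.mydomain.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.mydomain.com.key;

    server {
        listen 443 ssl;
        server_name owa.mydomain.com;

        # Exchange virtual directories (OWA, EWS, ActiveSync) send large
        # attachment bodies and expect HTTP/1.1 towards the backend.
        client_max_body_size 50m;

        location / {
            proxy_pass https://192.168.0.10;      # Exchange CAS, placeholder
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_read_timeout 300s;
        }
    }

    # Unknown hostnames on 443 are dropped instead of reaching a backend.
    server {
        listen 443 ssl default_server;
        server_name _;
        return 444;
    }
}

# The stream module on 1.9.x routes by listen port only, so RD Gateway and
# SSTP each need a separately forwarded port. TLS is passed through
# untouched: the backend's own certificate is what the client sees.
stream {
    error_log /var/log/nginx/stream_error.log;

    upstream rdgateway {
        server 192.168.0.20:443;     # RD Gateway / RDWeb host, placeholder
    }
    upstream sstp {
        server 192.168.0.30:443;     # SSTP VPN host, placeholder
    }

    # Router forwards public 8443 -> nginx 8443 -> RD Gateway 443.
    server {
        listen 8443 so_keepalive=on;
        proxy_connect_timeout 30s;
        proxy_timeout 300s;
        proxy_pass rdgateway;
    }

    # Router forwards public 9443 -> nginx 9443 -> SSTP 443.
    server {
        listen 9443 so_keepalive=on;
        proxy_connect_timeout 30s;
        proxy_timeout 1h;            # VPN sessions are long-lived
        proxy_pass sstp;
    }
}
```

Two consequences of the stream passthrough are worth checking before rolling this out. First, nginx's wildcard certificate is not used on 8443 and 9443; the RD Gateway and SSTP servers must present certificates the clients trust for the names they are given. Second, each client has to be pointed at the non-default port, so confirm which of the two clients allows that and let the one that cannot be reconfigured keep port 443 (moving the HTTPS sites instead). Newer nginx releases (1.11.5 and later) add `ssl_preread` to the stream module, which can route by SNI hostname on a single port and would remove the need for the extra forwards.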