Shoretel iPhone Reverse Proxy Server

This guide is for a Linux beginner, as I had to go through and modify the ShoreTel guide to work with Apache2.  This setup works great, and even passes through AD authentication from the ShoreTel app.

What you will need:

  • Ubuntu Server 12.10 (I provisioned a VM with 2 CPU, 2gb RAM, 12gb HD)
  • Public DNS Record and Public IP (And NAT on firewall to internal IP)
  • Internal DNS Record (for internal clients)
  • iPhone with Communicator App installed

Download Ubuntu Server 12.10 - http://www.ubuntu.com/download/server

  • Install the server going through the basic prompts
  • If you can install the server on a network that has DHCP, the install process should be easier, since you will need to download various components during setup
  • When prompted for a name, give the FQDN (ex. shoretelproxy.domainname.com)
  • When prompted to install additional components, highlight the OpenSSL server and LAMP server options, then press enter to proceed

Once your server is ready, set a static IP address

  • Type sudo vi /etc/network/interfaces (You will be prompted for your user password)
  • Under “auto eth0”, change “iface eth0 inet dhcp” to “iface eth0 inet static” and add IP information to be formatted like this:
auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
network x.x.x.0
broadcast x.x.x.255
gateway x.x.x.1
dns-nameservers x.x.x.x x.x.x.x
dns-search yourdomain.com
  • Press Ctrl + O then Enter to save the configuration.  Press Ctrl + X to exit
  • Apply the network changes by typing: sudo ifdown eth0 and then sudo ifup eth0
  • If clients will be accessing the reverse proxy from the internal network, make sure to create an internal DNS record pointing to the static IP

Before we continue, let’s update the Ubuntu server

sudo apt-get update
sudo apt-get upgrade

Next, load the additional modules needed for apache2

sudo a2enmod ssl
sudo a2enmod rewrite
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_connect

Restart apache2 with:

sudo service apache2 restart

Now create directories to store the SSL cert

sudo mkdir /etc/apache2/ssl
sudo mkdir /etc/apache2/ssl/certs
sudo mkdir /etc/apache2/ssl/private
cd /etc/apache2/ssl

To create my CSR, I used DigiCert’s OpenSSL wizard here: https://www.digicert.com/easy-csr/openssl.htm

  • Move the private key: sudo mv servername_domain_com.key /etc/apache2/ssl/private/
  • View the csr by entering: cat servername_domain_com.csr
  • Copy and paste that output into your SSL cert provider form

Once you receive the download for your .crt files, you will need to transfer them to your server

  • Download and install free ftp software (like Filezilla or WinSCP) on your PC
  • FTP to your server IP with your username and password on port 22
  • Browse to your user directory (/home/username) and drop and drag your CA.crt and server.crt files
  • Back on the Ubuntu server, we will move the files to the correct location
  • Type: sudo mv /home/username/filename.crt /etc/apache2/ssl/certs for both crt files

You need to tell Apache to listen on your reverse proxy port (5501)

Type: sudo vi /etc/apache2/ports.conf
Under “Listen 80”, add the following:

NameVirtualHost *:5501
Listen 5501

Press escape, then type :wq! and enter to save the file and exit

Next, create a new site to use for the reverse proxy

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/proxy
sudi vi /etc/apache2/sites-available/proxy

Edit your config to look like this:

<VirtualHost *:5501>
ServerAdmin webmaster@localhost
ServerName servername.domain.com

DocumentRoot /var/www/
<Directory />
Options FollowSymLinks
AllowOverride None

</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine On
SSLProxyEngine On

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/apache2/ssl/certs/server_domain_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/private/server_domain_com.key
SSLCACertificateFile /etc/apache2/ssl/certs/CAfile.crt

RewriteRule ^/theme/(.+)$ /director2/theme/$1 [P]
RewriteRule ^/yui_2.7.0/(.+)$ /director2/yui_2.7.0/$1 [P]
RewriteRule ^/js/(.+)$ /director2/js/$1 [P]

ProxyPass /authenticate/ http://ShoretelDirectorIP/
ProxyPassReverse /authenticate/ http:// ShoretelDirectorIP /

ProxyPass /cas/ http:// ShoretelDirectorIP:5447/
ProxyPassReverse /cas/ http:// ShoretelDirectorIP:5447/

ProxyPass /director2/ http:// ShoretelDirectorIP:5449/
ProxyPassReverse /director2/ http:// ShoretelDirectorIP:5449/

</VirtualHost>

Make sure to save and then exit the file

Now enable your new proxy site

  • Type: sudo a2ensite proxy
  • Restart apache: sudo service apache2 restart

Now you should be able to start the iPhone app, enter the public DNS name, and enable the proxy on port 5501