zimbra-proxy tests and questions

[stephenwilley]

At the moment:

1 server doing everything

Going to:

2 x MTA/LDAP
2 x Mailbox
1 x Zimbra-proxy (with http reverse proxying)

Question:

1) Does zimbra-proxy need to be installed on the mailbox (target) servers as well, or just on the 1 zimbra-proxy (source) dedicated machine?

Tests:

Since we're using our 1 server setup in production, I can't break that right now. I've trying the proxy setup seperately as follows:

Built a mailbox server (and installed zimbra-proxy on it)
Built the zimbra-proxy box (just installed core and proxy on it)
Used all the default settings for ports in the config and when asked for a master LDAP server, pointed it at our 1 live server

I read this page: http://www.zimbra.com/docs/ne/latest...Proxy.7.1.html and tried various permutations including running the enable (with -w) line on both the proxy and the mailbox servers. I notice that the zimbraMailReferMode is set to 'wronghost' on the 1 live server (it's set to 'reverse-proxied' on the new ones) and if I change it, bad things happen so I have to change it back (which is why I'm guessing you have to install zimbra-proxy on 'target' nodes too).

I've created a user account on the new mailbox server and if I try to log into it through the proxy URL, it works, but still changes the address bar to the name of the mailbox server.

Is this all just not going to work until all the machines in my setup have zimbra-proxy installed? I was hoping to be able to see it work before I went and changed our production setup.

I've read this back and tried to explain things properly, but it doesn't seem to read very well. If I can clarify anything, please let me know. Thanks for any help.

BTW - zmprov doesn't run on the machine that just has core and proxy installed. It gives the following error (but the zmproxyinit command still works and outputs three prov> thingies):

ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)

[Klug]

The answer to the initial question is : you need to setup zimbra-proxy only on the proxy machine.

Do you have any firewall between the proxy and the mailstores ?

[stephenwilley]

Looking at the logs, it appears to be because I haven't set zimbraPublicServiceHostname as required in the docs. Unfortunately, this isn't something I can test without downtime, as at the moment, all our REST URLs simply point to our one active server. Obviously the new proxy has a different name during testing and I can't break existing shared calendars etc.

I guess I'll take the plunge on a weekend instead.

Two questions though:

1) I can't run zmprov as zimbra on a server that only has zimbra-proxy and zimbra-core installed. It gives the following error:
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
I'll submit this to zimbra support but if anyone's got any ideas...

2) The proxy docs require that I run:
/opt/zimbra/bin/zmprov modifyServer mailbox_server_name zimbraMailReferMode reverse-proxied zimbraMailPort 8080 zimbraMailSSLPort 8443 zimbraMailMode http but that returns the error:
ERROR: service.INVALID_REQUEST (invalid request: port 8443 conflict between zimbraMailSSLProxyPort and zimbraMailSSLPort on server mailbox_server_name)
Do I just run instead?:
/opt/zimbra/bin/zmprov modifyServer mailbox_server_name zimbraMailReferMode reverse-proxied
Again, I'll submit this to support.

[Klug]

1) I can't run zmprov as zimbra on a server that only has zimbra-proxy and zimbra-core installed. It gives the following error:
ERROR: zclient.IO_ERROR (invoke Connection refused, server: localhost) (cause: java.net.ConnectException Connection refused)
I'll submit this to zimbra support but if anyone's got any ideas...

Use "zmprov -l", it gets zmprov to talk to the LDAP server directly.

2) The proxy docs require that I run:
/opt/zimbra/bin/zmprov modifyServer mailbox_server_name zimbraMailReferMode reverse-proxied zimbraMailPort 8080 zimbraMailSSLPort 8443 zimbraMailMode http but that returns the error:
ERROR: service.INVALID_REQUEST (invalid request: port 8443 conflict between zimbraMailSSLProxyPort and zimbraMailSSLPort on server mailbox_server_name)
Do I just run instead?:
/opt/zimbra/bin/zmprov modifyServer mailbox_server_name zimbraMailReferMode reverse-proxied
Again, I'll submit this to support.

You're sure you ran this on the mailbox server, not proxy ?

[stephenwilley]

Yeah, it was run on the mailbox server. I've just been looking at the number of bugs that have been fixed (or are being fixed) in 5.0.9. I know it's beta so maybe it's a bit premature to be looking at this as a production solution.

I think I'll wait to upgrade to 5.0.9 before moving forward too much with the proxy stuff.

Thanks for your help.

Stephen

[Klug]

I made additional tries/tests and hit the same problem.

As soon as I add a zimbra-proxy to my ZCS infrastructure and tries to set zimbraMailSSLPort (or zimbraMailPort or zimbraPOP3Port, etc) I get the same error.

It seems that, as soon as there's a zimbra-proxy in the infrastructure, the mailbox servers get their zimbraMailSSLProxyPort (and all zimbra*ProxyPort attributes) filled with values.
These values are the same than the default ports, thus the error message !

I had to change the values for all the zimbra*ProxyPort on the mailbox server to other values (7143, 7443, etc)...

You should definitely open a case by Zimbra's support and a related bug...

[Klug]

I ended up in getting everything to work on my own.
The man problem is the documentation (not up to date and not correct for 5.0.8).

Read this : [SOLVED] zimbra-proxy limitations