IIS 7 and Above
502 - Web server received an invalid response while acting as a gatew...
Last post Aug 22, 2018 06:38 AM by Prohharish
Mar 13, 2018 09:07 AM|Prohharish|LINK
I have OS Windows Server 2008 Standard SP2 with IIS 7.0 on which portal application is setup which has a Url Rewrite rules, as per the Web Pen Test report we have to disable weak ciphers and protocols so we disabled SSL3.0 and TLS1.0 and installed the support
patch and enabled registry for TLS 1.1 and TLS 1.2. But immediately after this steps I am getting error "502 - Web server received an invalid response while acting as a gateway or proxy server." while communicating with rest service.
We also did registry settings as per the post https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in and Enable the SchUseStrongCrypto property in the Windows registry
to use as the default protocols: TLS 1.1 and TLS 1.2 for below registry keys,
But still I am getting same error. What else I am missing or is Windows Server 2008 standard SP2 and IIS 7.0 do not completely support TLS1.1 and TLS1.2. I feel this is something related to ARR and WinHttp but I am not getting any thing from web, any help
on this is really an appreciable.
Mar 14, 2018 07:49 AM|Yuk Ding|LINK
So we need to figure out this issue is caused by the IIS rewrite proxy server or the TLS cipher. So to check the TLS problem, you could try to disable the ssl and check if the website could be load correctly. If the problem is caused by the SSL/TLS cipher
configuration, then you could try the IIS crypto to help you achieve the best performance.
However, if the 502.3 still occur with your application, then you need to ensure the application request routing has been installed while it is the dependent feature for IIS reverse/forward proxy.
Mar 14, 2018 03:10 PM|Prohharish|LINK
Hi Yuk Ding,
First of all thanks for replying, it all starts with the TLS up-gradation for PCI compliance so we disabled the TLS 1.0 and SSL 3.0 protocol and to do this we already used the IISCrypto tool which you have suggested but as it do not show protocol entry of
TLS 1.1 and TLS 1.2 into the tool, probably because of the OS Windows Server 2008 Standard SP2 we did the registry configuration settings manually. Settings work fine for other 3 application but the one application which I have mentioned in my first post (Portal)
which has a Url Rewrite rules is failing to communicate with the rest service(hosted differently on IIS7.0) resulting in 502.3 - Bad Gateway error.
So as per your suggestion do we need to reinstalled the ARR (as earlier before starting with TLS up-gradation portal was able to communicate with the rest service and everything was working fine), OR do we need to update the ARR version.
I will also go through your provided links.
Your input on this will be helpful.
Note: We are using secure https protocol to load the web sites.
Mar 15, 2018 05:25 PM|Rovastar|LINK
I don't think you have added the correct registry information for enabling TLS1.2 on Windows 2008
That link was about the WinHTTP stuff and being used a default for more internal coding processes (.net (and ARR) calling another site on 1.2 needs to have these things enabled)
But you need the stuff in here:
so the SCHANNEL (the cryptography engine windows uses) can have them enabled, That is what IIScrypto is looking at and I would expect them to appear (after a reboot - always a reboot for getting thing working in schannel registery stuff)
Aug 22, 2018 06:38 AM|Prohharish|LINK
Thanks for your reply and assistance,
I am updating this thread after a long time as we have found the cause and solution and it is tested in to all our production environment. The issue was with the site using WinHttp for the communication, same is described in to the below link,
So, as WinHttp was unable to support the TLS 1.1, and TLS 1.2 on Windows server 2008 standard SP2 we have decided to update the servers to Windows server 2008 R2 and do
the TLS settings as described in above thread and it works for us.