IIS 7 and Above
Application Request Routing (ARR)
Using a self signed certificate for ARR/URL Rewrite proof of concept
Last post Jan 26, 2012 01:14 PM by pirate99
Dec 22, 2011 10:40 AM | Mister C
Hi, I've successfully negotiated the set-up of ARR/URL Rewrite in IIS7 with the help of various posts on here - but there's one area which I can't resolve.
Part of this proof of concept exercise is to see how SSL hangs together without SSL offloading (in our scenario we need to secure traffic between the DMZ and the Application server due to the sensitivity of the data).
The pattern is a Reverse Proxy design, as follows
[Client Browser] >>>SSL>>> [Reverse Proxy Server IIS with ARR/URL Rewrite] >>>SSL>>> [Application Server IIS7]
For the purposes of the proof of concept, I had generated a self-signed certificate and imported that into the Reverse Proxy server.
When I log onto the Reverse Proxy server and pull up the Application Server URL in a browser from that machine, I see the normal warning saying the certificate isn't trusted, I accept this, and then the page displays.
However, when I pull up the Reverse Proxy test page (which rewrites to the Application Server URL) then I just get HTTP Error 502.3 - Bad Gateway.
Failed Request Routing log file info
HttpReason: Bad Gateway
ErrorDescription: A security error occurred
Would be extremely grateful for any pointers on how to resolve this! Thank you
Dec 22, 2011 11:51 AM | Mister C
I think I may have realised what the problem was.... I was generating the cert first on the Application server, then importing this to the Reverse Proxy server.
I have just tried creating a self-signed certificate on the Reverse Proxy server, and then importing this into the Application Server. This way round, it works.
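The configuration the two posts above arrive at, written out as an added PowerShell example (this is not code from the thread). It assumes Windows Server 2012 or later, where the PKI module supplies New-SelfSignedCertificate, Export-Certificate and Import-Certificate; on IIS 7 / Server 2008 R2 the same certificate stores are populated through the IIS Manager UI or certutil instead. The host name, file path and site name are placeholders. The point it makes explicit: ARR (w3wp.exe, running as the application-pool identity) validates the application server's certificate against the proxy machine's LocalMachine Trusted Root store, and the name in the certificate must match the host name in the rewrite target. Clicking through the browser warning while logged on to the proxy only affects that user's store, which is why the page loads in the browser but the proxied request still returns 502.3.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2012+ with the
# PKI and WebAdministration modules. Host name, path and site name are placeholders.

$BackendHost = 'app01.corp.example'          # host name in the ARR rewrite target (assumption)
$ExportPath  = 'C:\certs\app01-public.cer'   # DER public certificate only, not a .pfx

# --- Step 1: on the APPLICATION server ---------------------------------------
# Create the certificate where its private key will be used. The DNS name must
# match $BackendHost exactly; ARR validates the name as well as the chain.
function New-BackendCertificate {
    param([string]$DnsName, [string]$OutFile, [string]$SiteName = 'Default Web Site')
    $cert = New-SelfSignedCertificate -DnsName $DnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -NotAfter (Get-Date).AddYears(1)
    # Export only the public half. The private key never leaves this machine.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    # Bind the certificate to the HTTPS site.
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null
    return $cert
}

# --- Step 2: on the REVERSE PROXY (ARR) server --------------------------------
# ARR runs inside w3wp.exe under the application-pool identity, so the trust
# decision is made against the LocalMachine stores, not the logged-on user's.
function Install-BackendTrust {
    param([string]$CerFile)
    Import-Certificate -FilePath $CerFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

# --- Step 3: verify from the proxy the way Schannel will ----------------------
# Opens a TLS session with the default .NET validator (chain + host name). A
# failure here is the same condition ARR reports as "A security error occurred".
function Test-BackendTrust {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object -TypeName System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)   # a SocketException here is a connectivity problem, not a trust one
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        [pscustomobject]@{ Host = $HostName; Trusted = $true; Subject = $remote.Subject; Thumbprint = $remote.Thumbprint }
    } catch [System.Security.Authentication.AuthenticationException] {
        # Untrusted root or name mismatch: fix the store or the DNS name, do not disable validation.
        [pscustomobject]@{ Host = $HostName; Trusted = $false; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Usage: run Step 1 on the application server, copy the .cer (not the .pfx) to
# the proxy, then run Steps 2 and 3 on the proxy.
# New-BackendCertificate -DnsName $BackendHost -OutFile $ExportPath
# Install-BackendTrust -CerFile $ExportPath
# Test-BackendTrust -HostName $BackendHost
```

Two consequences worth keeping in mind when documenting this. The two hops are independent TLS sessions: the certificate the proxy presents to browsers has nothing to do with the one the application server presents to ARR, so each machine can carry its own certificate, and with a CA-issued certificate on the application server the only requirement on the proxy is that the issuing CA is in its LocalMachine Trusted Root store (which it normally already is). Second, only the public certificate needs to travel; exporting the private key to a .pfx and importing it on the other machine is unnecessary and doubles the number of places the key can be stolen from.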
Jan 19, 2012 08:35 AM | Adrian B.
Thanks for your hints. I also faced the same problems and realized the behavior. I can redo your workaround here, but it is of course only working on one load balance server. Since I have 2 load balance servers because of a high availability scenario, only server 1 is working. On server 2 I still get:
I will try to find out if IUSR is not able to read self signed trusted certificates. I think there was something similar in another purpose concerning IUSR or ApplicationPool User with reading self signed certificates.
But really thanks for your hints. Brings me closer to the target.
Jan 24, 2012 06:12 PM | pirate99
Hi - I am trying to do the same thing, but am still not having any luck.
I created the self-signed SSL cert on the reverse proxy server, then exported it with its private key to a .pfx file. I then imported that .pfx file onto the app server machine, into Local Computer/Certificates/Trusted Certificates. I even imported it under Personal/Certificates and granted explicit access to my App Pool domain account.
Are there any other tips you all can share? Thanks very much!
Jan 25, 2012 09:19 AM | Mister C
Jan 25, 2012 11:14 AM | pirate99
Jan 25, 2012 11:39 AM | Mister C
Hi Mark, great news - glad I could help!
~ Mr C
Jan 26, 2012 01:14 PM | pirate99
One last question (I hope!).
If I used a "real" SSL certificate instead of a self-signed certificate, would it also need to be installed on both machines? Or would it be OK to install separate SSL certs on each machine? I am looking to document these steps for a customer who would be using real certs instead of the self-signed certs we create in our dev environment.
Many thanks again for any information!