How do I ignore SSL cert on ARR and use backend server's SSL instead?
Last post Sep 30, 2016 05:59 PM by Rovastar
Sep 28, 2016 04:28 PM|radman2
I want to use ARR to send the https to the backend server and use that server's certificate.
I have a Linux web server with a certificate installed on it. It's the correct cert b/c going to the IP of the server shows a mismatch, and the cert shows test.domain.com.
ARR is configured and https is working, but it's using the ARR's cert on 443, not the backend server.
In the Server Farm configuration, I have unchecked "Enabled Rewrite" and I have unchecked "Offload SSL".
The URL Rewrite rule sends all HTTPS (On) and HTTP_HOST (test.domain.com) to the server farm using https://.
How do I get ARR to send the request directly to the cert on the backend server and not use its own cert?
Sep 28, 2016 05:53 PM|milope
I don't think ARR can do TCP level load balancing as it appears to run on an IIS worker process, which doesn't have the task of performing the SSL handshake done with the inbound connecting clients. When I've run Failed Request Trace logs, it always seems to stop the request and send a child request to the backend servers. If that's the case, you'll need to install the backend server's certificate on ARR to be able to achieve the correct handshake.
Sep 29, 2016 10:01 AM|Yuk Ding
The client did not send the request to the backend in the web farm in Application Request Routing.
The ARR server uses an outbound rule to invoke the backend resource.
I’m afraid that you could only build the SSL between ARR server and IIS server.
This link provides the method to configure reverse proxy with URL rewrite rule:
The following link provides the steps to set SSL in IIS 7:
Sep 29, 2016 01:18 PM|radman2
So are you saying I need to:
1. Install the certificate on the IIS server and on the backend server (where it currently is)?
2. Create a reverse proxy URL rewrite rule on the ARR server?
Sep 29, 2016 02:19 PM|Rovastar
Yeah that is how you do it. Terminate on the ARR and then send http or https communications to your backend servers.
Sep 30, 2016 08:12 AM|radman2
My IIS server has no web.config file under C:\Inetpub\wwwroot, so I can't create any reverse proxy rewrite rules. Plus, I'm using ARR 3.0, and those instructions are for ARR 2.0.
Anyway, I successfully installed the 3rd certificate in IIS on the ARR server. But, I have two certs I need to use, test.domain.com and payroll.domain.com. IIS says both can't be bound to 443.
The wildcard cert is currently bound to 443, but I need test.domain.com and also payroll.domain.com to work also.
Now what do I do now to get these multiple https sites showing the correct certificate?
I read that I needed to have multiple IPs on the ARR server, but if I put the backend webserver's IP, then in a browser, it says it can't be found. If I put in the wildcard cert, then just the wildcard cert is used.
Sep 30, 2016 05:59 PM|Rovastar
The global rules for URL Rewrite for ARR are in the applicationHost.config file.
Stuff for ARR2 will work for ARR3.
You cannot have 2 different SSL certs for the same IP.
If your wildcard is *.domain.com and you want test.domain.com and payroll.domain.com, you can use the wildcard cert.
Otherwise you will need another IP.
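
For reference, this is roughly what the server-level rule described in the thread (HTTPS on, host test.domain.com, routed to the server farm over https://) looks like in applicationHost.config. It is an added example, not configuration posted by anyone in the thread; the rule name, the farm name `TestFarm` and the backend address `192.0.2.10` are placeholders.

```xml
<!-- Fragment of %windir%\System32\inetsrv\config\applicationHost.config on the ARR server.
     Constructed example: rule name, farm name and backend address are placeholders. -->
<configuration>
  <system.webServer>
    <rewrite>
      <!-- ARR's server-level rules live here, not in a site's web.config -->
      <globalRules>
        <rule name="ARR_TestFarm_https" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" />
          <conditions>
            <!-- Only requests that reached ARR over TLS ... -->
            <add input="{HTTPS}" pattern="on" />
            <!-- ... and that were addressed to this host name -->
            <add input="{HTTP_HOST}" pattern="test.domain.com" />
          </conditions>
          <!-- ARR has already completed the client's TLS handshake with its own
               certificate; this opens a second TLS connection to the farm member -->
          <action type="Rewrite" url="https://TestFarm/{R:0}" />
        </rule>
      </globalRules>
    </rewrite>
  </system.webServer>

  <!-- Server farm definition referenced by the rewrite action above -->
  <webFarms>
    <webFarm name="TestFarm" enabled="true">
      <server address="192.0.2.10" enabled="true" />
    </webFarm>
  </webFarms>
</configuration>
```

The certificate the browser sees is the one bound to the ARR server's 443 listener; the backend server's certificate is only used on the second connection, from ARR to the farm member.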