How do I ignore SSL cert on ARR and use backend server's SSL instead? [Answered]

6 replies

Last post Sep 30, 2016 05:59 PM by Rovastar

  • How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 28, 2016 04:28 PM|radman2

    I want to use ARR to send the https to the backend server and use that server's certificate.

    I have a Linux web server with a certificate installed on it. It's the correct cert b/c going to the IP of the server shows a mismatch, and the cert shows test.domain.com.

    ARR is configured and https is working, but it's using the ARR's cert on 443, not the backend server.

    In the Server Farm configuration, I have unchecked "Enabled Rewrite" and I have unchecked "Offload SSL"

    The URL Rewrite rule sends all HTTPS (On) and HTTP_HOST (test.domain.com) to the server farm using https://.

    How do I get ARR to send the request directly to the cert on the backend server and not use its own cert?

  • Re: How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 28, 2016 05:53 PM|milope

    I don't think ARR can do TCP level load balancing as it appears to run on an IIS worker process, which doesn't have the task of performing the SSL handshake done with the inbound connecting clients. When I've run Failed Request Trace logs, it always seems to stop the request and send a child request to the backend servers. If that's the case, you'll need to install the backend server's certificate on ARR to be able to achieve the correct handshake.

  • Re: How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 29, 2016 10:01 AM|Yuk Ding

    Hi radman2,

    Client did not send the request to the backend in web farm in application request routing.

    The ARR server uses an outbound rule to invoke the backend resource.

    I’m afraid that you could only build the SSL between ARR server and IIS server.

    This link provides the method to configure reverse proxy with URL rewrite rule:

    http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

    The following link provides the steps to set SSL in IIS 7:

    http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

    Best Regards,

    Yuk Ding

  • Re: How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 29, 2016 01:18 PM|radman2

    So are you saying I need to:

    1. install the certificate on the IIS server and on the backend server (where it currently is)?

    2. Create a reverse proxy URL rewrite rule on the ARR server?

  • Re: How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 29, 2016 02:19 PM|Rovastar

    Yeah that is how you do it. Terminate on the ARR and then send http or https communications to your backend servers.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 30, 2016 08:12 AM|radman2

    My IIS server has no web.config file under C:\Inetpub\wwwroot, so I can't create any reverse proxy rewrite rules. Plus, I'm using ARR 3.0, and those instructions are for ARR 2.0.

    Anyway, I successfully installed the 3rd certificate in IIS on the ARR server. But, I have two certs I need to use, test.domain.com and payroll.domain.com. IIS says both can't be bound to 443.

    The wildcard cert is currently bound to 443, but I need test.domain.com and also payroll.domain.com to work also.

    Now what do I do now to get these multiple https sites showing the correct certificate?

    I read that I needed to have multiple IPs on the ARR server, but if I put the backend webserver's IP, then in a browser, it says it can't be found. If I put in the wildcard cert, then just the wildcard cert is used.

  • Re: How do I ignore SSL cert on ARR and use backend server's SSL instead?

    Sep 30, 2016 05:59 PM|Rovastar

    The global rules for URL Rewrite for ARR are in the applicationHost.config file.

    Stuff for ARR2 will work for ARR3.

    You cannot have 2 different SSL certs for the same IP.

    If your wildcard is *.domain.com and you want test.domain.com and payroll.domain.com, you can use the wildcard cert.

    Otherwise you will need another IP.

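
Added example (not part of the original thread, and not ARR or IIS code): a small Python check of which hostnames a wildcard certificate such as `*.domain.com` can serve from the single 443 binding on the ARR server, and which would need a different certificate. The matching rule is a simplified, conservative assumption (wildcard only as the whole left-most label, covering exactly one label); the function names and the sample hostnames beyond `test.domain.com` and `payroll.domain.com` are constructed for illustration.

```python
# Added example: which sites can share one certificate on a single IP:443 binding.
# Assumption: simplified certificate-name matching, where "*" is only valid as the
# entire left-most label and stands in for exactly one DNS label.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # different depth: a wildcard never spans several labels
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def plan_bindings(cert_names, hostnames):
    """Split hostnames into those the certificate covers and those it does not."""
    covered = [h for h in hostnames
               if any(name_matches(n, h) for n in cert_names)]
    uncovered = [h for h in hostnames if h not in covered]
    return {"covered": covered, "needs_other_cert": uncovered}


# Constructed sample data: the wildcard from the thread plus edge cases.
WILDCARD_CERT = ["*.domain.com"]
SITES = [
    "test.domain.com",
    "payroll.domain.com",
    "domain.com",             # apex is not covered by the wildcard
    "hr.payroll.domain.com",  # two levels below the wildcard: not covered
    "test.otherdomain.com",   # different parent domain
]

if __name__ == "__main__":
    plan = plan_bindings(WILDCARD_CERT, SITES)
    for host in plan["covered"]:
        print(f"{host}: served by the wildcard certificate on the existing binding")
    for host in plan["needs_other_cert"]:
        print(f"{host}: not covered, needs a certificate that lists this name")
```
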