
ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers [Answered]

6 replies

Last post Jul 27, 2017 06:27 PM by RaviA4G

  • ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Feb 14, 2017 04:29 PM | RaviA4G

    I have a model shown below:

    client ===> DMZ load balancer ===> DMZ IIS 1...to n (ARR & URL Rewrite) ===> Internal load balancer ====> IBM WebSphere 1 to n

    IIS with ARR and URL Rewrite is set up as a reverse proxy, no server farms here. The URL Rewrite rule is configured with a Rewrite action to the internal load balancer URL.

    A page on DMZ IIS renders content from the internally hosted WebSphere servers. In the test environment, IIS to WebSphere communication works great, but everything is over plain HTTP and no load balancers are in the picture.

    Now we are at the next step, where this whole thing should flow through NetScaler load balancers with end-to-end SSL all the way from the client to the back-end WAS.

    1) The actual request would come with the SSL certificate from the DMZ load balancer. Will ARR send that certificate AS IS to the internal load balancer, in a state where the load balancer can decrypt the traffic using that certificate, if I uncheck Enable SSL offloading or use {C:1}://xxxx for the URL Rewrite rule?

    2) The internal load balancer is configured for now to use its own client/server certificates, but in this whole setup it will be receiving HTTP requests signed with DMZ load balancer certificates. Basically, the internal load balancer needs to deal with two client certificates, one BAU certificate and one for requests coming through the reverse proxy. I read about the SNI feature of NetScaler and am hoping that will work. Any insights into that concept?

    Thank you.

    -Ravi
  • Re: ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Feb 15, 2017 10:06 AM | Yuk Ding

    Hi raviamineno@gmail.com,

    To further help you with this issue, I am trying to invoke someone experienced to look into this thread. This may take some time, and as soon as we get any result we will post back.

    Best Regards,

    Yuk Ding

    MSDN Community Support
  • Re: ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Feb 15, 2017 05:15 PM | Rovastar

    My first question is: have you tried doing it with SSL?

    Probably best to try it first in test and see what the outcome is.

  • Re: ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Feb 21, 2017 04:01 PM | RaviA4G

    I did, but without a load balancer. I enabled https on my local IIS servers with a self-signed SSL cert and tried connecting directly to WAS using an https URL. The error is 503.2 - a security error occurred. FRT also shows the same information:

    ModuleName: ApplicationRequestRouting
    Notification: 128
    HttpStatus: 502
    HttpReason: Bad Gateway
    HttpSubStatus: 3
    ErrorCode: 2147954575
    ConfigExceptionInfo:
    Notification: EXECUTE_REQUEST_HANDLER

    My first confusion is how ARR builds the https request to the back-end (it could be a load balancer or another web server).

    In my test, the browser started the request with a self-signed certificate; it went through IIS and ARR, and ARR proxied it to the back-end. While sending it, with what SSL certificate does ARR re-encrypt the traffic? With the same self-signed certificate? Or should I install the back-end server's public key on the IIS running ARR, or should I install the back-end server's private key on the IIS running ARR?

    I tried installing the public key of the back-end web server on my local machine and ran the test. It failed with the same error.

    To use the private key of the back-end web server, I may need to create a binding on Default Web Site, but I'm not sure if this is something I have to do.

    -Ravi
  • Re: ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Jul 19, 2017 12:36 AM | RaviA4G

    Hi Yuk,

    Would you help further on the issue? We are stuck implementing https to the back-end server.

    Thanks.

    -Ravi
  • Re: ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Jul 19, 2017 02:16 PM | Rovastar

    tbh I only use ARR with the farms and don't bother with reverse proxy rules like that. They do the same thing, but there is a little more visibility for me, at least.

    Try setting up a farm to see what you get.

    For the first time, you can let the wizard do it. Then you will understand the structure of the URL Rewrite rules (server level) and you can edit them directly (often easier, and you can do radical things like rename the farms with things breaking).

    Other than that, what traffic is being sent about, just HTTP?

  • Re: ARR 2 with URL Rewrite 2 and end-to-end SSL from client to back-end servers

    Jul 27, 2017 06:27 PM | RaviA4G

    Finally, we were able to resolve the issue last weekend, and now end-to-end SSL up until the internal server works!

    As I worked on this model, this is what I understood:

    1) The SSL session initiated by the browser is terminated by ARR, irrespective of your selection for "SSL offloading" in URL Rewrite's reverse proxy rule configuration.

    2) If you check SSL offloading, the connection initiated by ARR to the back-end server is over http.

    3) If you uncheck SSL offloading, the connection initiated by ARR to the back-end server uses the same protocol with which the browser made the original request. Here is the tricky part: what SSL certificate is used by ARR to encrypt traffic if the original request is over https? It's plain and simple, the same SSL certificate with which your back-end server or load balancer is configured. The difficult part is procuring the right certificate. Avoid using personal certificates for enterprise applications in test and prod environments; just request certificates from your enterprise cert management group. If you have to use personal certs for DEV, then create the certificate right, with an accurate root. And then the root certificate must be available in the Computer account -> Trusted Root Certification Authorities store of the IIS running ARR. Here mistakes are bound to happen: if you simply double-click the certificate on the server and finish the installation by selecting "automatically select the store depending on the cert type", you will be in trouble, because this installs the cert in the logged-in user's account. Do a cert import into the trusted store of the local computer.

    Double check whether the back-end server's cert is available in the IIS ARR server's cert store or not, even for enterprise certificates. In my situation, the test server never created issues (it looks like someone had already put the cert in the trusted store), but the prod servers didn't have the certificate, and it ate up a good 2 hours figuring that out. I'm a programmer and not an IIS admin; if we ask admins "could you double check so and so?", the response is "what??? not required"... so you get what I'm trying to say. In the case of 502.3 - "A security error occurred", until you see the cert in the computer account's trusted store, doing other debugging is a waste of time. The mmc command helps to give you the information about the certs on that machine.

    I believe the browser automatically downloads the cert and puts it in the right store when it initiates an SSL connection for the first time, and ARR doesn't do it, hence the manual checkup as described above. I'm not 100% sure about this, just a theory.

    So, that's it: now you have end-to-end SSL for reverse proxy rules.

    Thanks Yuk and Rovastar for your inputs.

    -Ravi
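The two points settled in the post above (what the "Enable SSL offloading" checkbox does to the rewrite rule, and that the back-end's root CA must sit in the Computer account's Trusted Root store, not the logged-in user's) can be checked from a PowerShell prompt on the ARR server. The following is an added example and not code from the thread or from ARR/URL Rewrite itself. The host name backend.internal.example and the path C:\certs\backend-root.cer are placeholders; the `<rule>` text mirrors what the URL Rewrite reverse-proxy wizard generates for each checkbox state.

```powershell
# Added example (not from the original thread). Placeholders:
#   backend.internal.example  - the internal load balancer / WAS host ARR rewrites to
#   C:\certs\backend-root.cer - the CA certificate that issued the back-end's TLS cert

# 1) The rule the reverse-proxy wizard writes, for both states of "Enable SSL offloading".
#    Returns the <rule> fragment as text so it can be compared with applicationHost.config / web.config.
function New-ReverseProxyRuleXml {
    param(
        [Parameter(Mandatory)] [string] $BackendHost,
        [switch] $SslOffload
    )
    if ($SslOffload) {
        # Checked: ARR terminates TLS and always talks plain HTTP to the back-end.
        $conditions = ''
        $actionUrl  = "http://$BackendHost/{R:1}"
    }
    else {
        # Unchecked: {C:1} captures the scheme of the incoming request from {CACHE_URL},
        # so an https request from the browser stays https on the ARR -> back-end leg.
        $conditions = @'
  <conditions>
    <add input="{CACHE_URL}" pattern="^(https?)://" />
  </conditions>
'@
        $actionUrl  = "{C:1}://$BackendHost/{R:1}"
    }
    @"
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
  <match url="(.*)" />
$conditions
  <action type="Rewrite" url="$actionUrl" />
</rule>
"@
}

# 2) Import the back-end CA into the *machine* store (run elevated). Double-clicking a .cer and
#    accepting "automatically select the store" lands it in the logged-in user's store, which the
#    ARR worker process (running as the application pool identity) never sees.
function Install-BackendRootCa {
    param([Parameter(Mandatory)] [string] $Path)
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
}

# 3) Reproduce ARR's outbound leg: open TLS to the back-end with SNI set to the host name,
#    then build the chain and report which store the root CA actually lives in.
function Test-BackendTls {
    param(
        [Parameter(Mandatory)] [string] $BackendHost,
        [int] $Port = 443
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($BackendHost, $Port)
    try {
        # Accept any certificate during the handshake; the chain is inspected explicitly below.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        # AuthenticateAsClient sends SNI = $BackendHost, which is what lets a NetScaler vserver
        # pick the right certificate when it hosts more than one (the BAU cert vs. the reverse-proxy cert).
        $ssl.AuthenticateAsClient($BackendHost)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $tcp.Dispose() }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate the trust problem from CRL reachability
    $chainOk = $chain.Build($leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject            = $leaf.Subject
        Issuer             = $leaf.Issuer
        SniHost            = $BackendHost
        ChainBuilt         = $chainOk
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        RootInMachineStore = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
        RootInUserStore    = Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)"
    }
}

# Usage (placeholder names):
# New-ReverseProxyRuleXml -BackendHost 'backend.internal.example'             # end-to-end TLS rule
# New-ReverseProxyRuleXml -BackendHost 'backend.internal.example' -SslOffload # plain http to back-end
# Install-BackendRootCa -Path 'C:\certs\backend-root.cer'                     # elevated prompt
# Test-BackendTls -BackendHost 'backend.internal.example'
```

The trap the post describes shows up as `ChainBuilt = True` together with `RootInMachineStore = False` and `RootInUserStore = True`: the chain builds in the admin's console because the user store is consulted there, but the w3wp.exe process hosting ARR has no such store and fails the back-end handshake with the 502.3 "security error". Run `Install-BackendRootCa` and re-run `Test-BackendTls` until `RootInMachineStore` is `True`; if `ChainBuilt` is `False`, `ChainStatus` names the reason (for example `UntrustedRoot` or `PartialChain`) before any ARR-level debugging is attempted.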