ARR for Custom SSL Ports [Answered]

8 replies

Last post Jul 19, 2018 12:54 PM by mettlus

  • ARR for Custom SSL Ports

    Jul 16, 2018 05:54 PM|mettlus|LINK

    I have 3 web servers, out of which 2 are hosting multiple SSL sites (1 site is bound to default port 443 while the other to 5403).

    ARR works fine with the default SSL port for load balancing.

    But when I create another rule to intercept any requests for port 5403 and route it to the server farm, it fails.

    <rewrite>
        <globalRules>
            <clear />
            <rule name="WebServices" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*5403*" />
                <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                <action type="Rewrite" url="https://mysite:5403/{R:2}" />
            </rule>
            <rule name="ARR_mysite_loadbalance" enabled="false" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                <action type="Rewrite" url="http://mysite/{R:0}" />
            </rule>
            <rule name="ARR_mysite_loadbalance_SSL" enabled="false" patternSyntax="Wildcard" stopProcessing="true">
                <match url="*" />
                <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                    <add input="{HTTPS}" pattern="on" />
                </conditions>
                <action type="Rewrite" url="https://mysite/{R:0}" />
            </rule>
        </globalRules>
    </rewrite>

    </system.webServer>
    <location path="" overrideMode="Allow">
        <webFarms>
            <webFarm name="mysite" enabled="true">
                <server address="10.16.10.19" enabled="true" />
                <server address="10.16.10.17" enabled="true" />
                <applicationRequestRouting>
                    <protocol>
                        <cache enabled="false" />
                    </protocol>
                    <affinity />
                </applicationRequestRouting>
            </webFarm>
            <applicationRequestRouting>
                <hostAffinityProviderList>
                    <add name="Microsoft.Web.Arr.HostNameRoundRobin" />
                </hostAffinityProviderList>
            </applicationRequestRouting>
        </webFarms>
    </location>

    SV
  • Rovastar Rovastar

    5482 Posts

    MVP

    Moderator

    Re: ARR for Custom SSL Ports

    Jul 17, 2018 12:25 AM|Rovastar|LINK

    I think you need a separate farm for this one that communicates only over your special port.

    When adding a server to the farm, click the "Advanced settings" and make a custom port.

    That makes more sense anyway, as you want different farms for different sites.

    I'm also not sure your rule would work. I think you need the pattern as .* as normal and a condition for {SERVER_PORT} = 5403.


    Also you need to have ARR listening on this port too and terminating the SSL on ARR.

    Life is much easier if you offload your SSL to your ARR and have the backend as http.
    As you are using internal IPs, your network is secure from ARR.
    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: ARR for Custom SSL Ports

    Jul 17, 2018 12:20 PM|mettlus|LINK

    But my Cisco LB does it fine right now; it routes any port to my 2 web servers.

    I have a single DNS; how will both farms share it?

    Right now with my Cisco LB I do https://www.mysites.com:5403/custompath

    https://mysite.com/

    All work well

    SV
  • Rovastar Rovastar

    5482 Posts

    MVP

    Moderator

    Re: ARR for Custom SSL Ports

    Jul 17, 2018 07:57 PM|Rovastar|LINK

    I'm not sure what you mean by your reply.

    I thought I explained how to do this on ARR. Was it not clear?

    I think you will need another farm with the same servers for using port 5403 and a correct rule to capture the port info.

    If you are getting issues, confirm that the patterns and conditions are met for the rewrite rule with Failed Request Tracing:

    https://forums.iis.net/t/1193146.aspx?Rule+not+working+as+expected+Use+Failed+Request+Tracing

    That explains in detail what is happening.

    Did the instructions not work for ARR (used as a load balancer to other backend servers) in your env, or are you having another issue?

     

    Not sure what it has to do with the Cisco load balancer. Are you using that as well? And is that stripping out the port before it hits ARR, or are you just using it as an example of doing something a different way on a different load balancer? *shrug*

    If you are unclear whether you are receiving that port, check your logs, then check the IIS logs and/or use things like Wireshark on the server.

    PS: Also, it is an idea to use stopProcessing="true" in your rules. It often makes things clearer, as then you know for sure what the rules do if you match them, rather than in some cases moving on to other rules.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: ARR for Custom SSL Ports

    Jul 18, 2018 02:05 PM|mettlus|LINK

    Thanks, it works, the only fallacy is

    I can't access my site with 

    mysite.com:5403

    I have to do https://mysite.com

    Created 2 farms, with one having custom https port 5403, and 2 URL Rewrites.

    Earlier in my Cisco solution I could access the site with https://mysite.com:5403

    SV
  • Rovastar Rovastar

    5482 Posts

    MVP

    Moderator

    Re: ARR for Custom SSL Ports

    Jul 18, 2018 02:37 PM|Rovastar|LINK

    Is the 5403 rule first?

    Does it get triggered in failed request tracing? That is the best way to tell what is happening.

    Troubleshoot IIS in style
    https://www.leansentry.com/
  • Re: ARR for Custom SSL Ports

    Jul 18, 2018 03:33 PM|mettlus|LINK

    Yes,

    All is working fine, but now I can access the site only like http://mysite.com/custompath

    I have the URL Rewrite which is intercepting {REQUEST_URI} /custompath and routing to the farm.

    Earlier with Cisco LB I could access it like http://mysite.com:5403/custompath

    Thanks

    SV
  • Rovastar Rovastar

    5482 Posts

    MVP

    Moderator

    Re: ARR for Custom SSL Ports

    Jul 19, 2018 01:04 AM|Rovastar|LINK

    I don't think you have understood my previous posts.

    Here is the rule and farm config for sending traffic to a specific https port.

    <rule name="5403 rule" stopProcessing="true" patternSyntax="ECMAScript">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{SERVER_PORT}" pattern="5403" />
      </conditions>
      <action type="Rewrite" url="https://5403farm/{R:0}" />
    </rule>

     

    <webFarm name="5403farm" enabled="false">
      <server address="10.10.10.1" enabled="true">
        <applicationRequestRouting httpsPort="5403" />
      </server>
      <applicationRequestRouting>
        <healthCheck url="https://10.10.10.1:5403" statusCodeMatch="200-399" />
      </applicationRequestRouting>
    </webFarm>

    Place this as your first rule in your ARR (I had a site set up on ARR listening on https port 5403). Also replace the IP address with the relevant one(s) in your farm and whatever is the correct health test.

    Troubleshoot IIS in style
    https://www.leansentry.com/
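
Added example, not code from either poster or from IIS: a simplified Python model of how a URL Rewrite rule is evaluated. It shows why the `*5403*` wildcard rule never fires for a request arriving on port 5403 yet does fire for a port 443 request whose path contains "5403", and why a `{SERVER_PORT}` pattern of `5403` without anchors also accepts port 15403. `rule_matches`, `evaluate`, the sample requests and the `^5403$` variant are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

def _hit(pattern, value, wildcard):
    # Wildcard syntax: "*" is the only metacharacter and the whole input must match.
    # ECMAScript syntax: a regex, unanchored unless the pattern uses ^ and $.
    if wildcard:
        pattern = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.search(pattern, value, re.IGNORECASE) is not None

def rule_matches(rule_xml, path, server_vars):
    """Simplified model (an assumption, not IIS code) of one rule with MatchAll conditions."""
    rule = ET.fromstring(rule_xml)
    wildcard = rule.get("patternSyntax", "ECMAScript") == "Wildcard"
    # <match url> is tested against the path only: no scheme, host, port or query string.
    if not _hit(rule.find("match").get("url"), path.lstrip("/"), wildcard):
        return False
    for cond in rule.iterfind("conditions/add"):
        value = server_vars.get(cond.get("input").strip("{}"), "")
        if not _hit(cond.get("pattern"), value, wildcard):
            return False
    return True

# Rule from the first post (action omitted, it does not affect matching).
ORIGINAL = """<rule name="WebServices" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*5403*" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
</rule>"""

# Rule from the answer, with the port pattern left as a parameter.
PORT_RULE = """<rule name="5403 rule" stopProcessing="true" patternSyntax="ECMAScript">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <add input="{SERVER_PORT}" pattern="%s" />
  </conditions>
</rule>"""

# Constructed requests: (path, SERVER_PORT)
REQUESTS = [("/custompath", "5403"), ("/docs/5403.pdf", "443"), ("/custompath", "15403")]

def evaluate(rule_xml):
    return [rule_matches(rule_xml, p, {"SERVER_PORT": port}) for p, port in REQUESTS]

if __name__ == "__main__":
    print("original wildcard rule:", evaluate(ORIGINAL))
    print("pattern 5403:          ", evaluate(PORT_RULE % "5403"))
    print("pattern ^5403$:        ", evaluate(PORT_RULE % "^5403$"))
```

If ARR only listens on 443 and 5403 the unanchored pattern is harmless, but anchoring it keeps the rule from routing to the 5403 farm if another binding is added later.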
  • Re: ARR for Custom SSL Ports

    Jul 19, 2018 12:54 PM|mettlus|LINK

    You are the best

    SV