Go Premium for a chance to win a PS4. Enter to Win


IIS Url rewrite and ARR to NDES (mscep.dll) issue

Posted on 2010-08-19
Medium Priority
Last Modified: 2012-05-10
Hi Guys,

Im not sure if this is even possible but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 r2 server with the subordinate ca and NDES features installed. I am using IIS 7.5 With ARR and url rewrite 2.0

Just to clarify the situation, I am trying to send a certificate enrollment request (from a cisco router) through to the MSCEP.dll located on the internal server. This works if i go direct to the internal server but with the reverse proxy in betweeen it fails. The iis logs shows that the first 2 requests succeed but the 3rd http get request from the router request triggers a 404 error on the reverse proxy server and the request dies. However from a browser I am able to visit this page with no worries.

 Here is my web.config file for the reverse proxy server :

<?xml version="1.0" encoding="UTF-8"?>
                <clear />
                <rule name="Catch ndes/ links" stopProcessing="true">
                    <match url="^ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                <rule name="Catch ndes2/ links" stopProcessing="true">
                    <match url="^/ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
                    <action type="Rewrite" value="/{R:1}" />
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                <add path="*">
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
                    <failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
        <httpErrors errorMode="Detailed" />

So from that I am basicly catching urls that match www.myexternalsite.com:81/ndes/

and rewriting them to www.myinternalsite.com/certsrv/mscep/

here is what I see on the iis logs from the reverse proxy server:

The first two GET requests succeed as my router grabs the ca certificate. when it send the third it is presented with a 404 error. my question is why does it not match and rewrite the third GET request? Based on the rules I have set this should work?

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIF7AYJKoZIhvcNAQcCoIIF3TCCBdkCAQExDjAMBggqhkiG9w0CBQUAMIIDbAYJ%0AKoZIhvcNAQcBoIIDXQSCA1kwggNVBgkqhkiG9w0BBwOgggNGMIIDQgIBADGCAaUw%0AggGhAgEAMIGIMHoxEjAQBgoJkiaJk%2FIsZAEZFgJ1azESMBAGCgmSJomT8ixkARkW%0AAmNvMRYwFAYKCZImiZPyLGQBGRYGdGhlZmNhMTgwNgYDVQQDEy9Db3JlIEFzc2V0%0AcyBTdWJvcmRpbmF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQIKYRbNOAAAAAAA%0ABDANBgkqhkiG9w0BAQEFAASCAQBHX3eO95VFvoaE6YNlo5sDyiuwJMgkB78fz6pw%0Aexn7CI5DxSz4Ho0ma3NozkkDWx8%2B2cz96W5r9UnXOJDO8%2BCBEAYFy6g5ofQ81x2T%0A%2Fw7%2B1Q5fJnYobFY5xJpApb9rLetp0NR1OKxf%2B7%2F%2BBs7LbjifF0WIreqUpndM2IT3%0ANOThrZoFhIjVUpHc4KtNDavpeQEaGlySub3bh4vg6i9KcFdfF4REjJRaQ3SidbDz%0AB8Eo4WnW2etg8HaJR6mV6VxFFCS4LFugiYirsU01VxpDeu4%2BsItlKeJPGua6iQam%0ATLf6ylDGfvfA4fB6EtgMuFQummcIY5jE88EJOGCk83WLpeHrMIIBkgYJKoZIhvcN%0AAQcBMBEGBSsOAwIHBAhph07whxTEjYCCAXBLJQ5HshkjInBbsxgDoRI%2BahK81IZu%0Aok3cZUV7221ZFrgOZ97JR0HRCWO2TC%2BAYzZ%2BzO%2Bk4qxE6cq4sD6%2FnTsNSH6OUrz7%0AMG90nyeuzFrj4KuDWNYpCJkimqA1OBdVb7cSbJF9TnRy7UN68Rt6zOhZfWsjAxh1%0AMN5pna3vLR5FTvs9Fb08qwH2GrnZ4w0dSxwrGqWhSfwP4Lh7a9jMao3ecFGlt9CZ%0AdTiL%2FxCFPyxHh3w7fu%2F1nuqN7y8jUPI5cJogLtDt4UfMy%2BzvL1VZMH1GZS00TAQc%0AW03Iq299Ntiw6TJ9w%2BPof51%2BdKODeg2XPrFay2B%2F14Lmktvd9nliZ5ySS1nWOHW6%0AKRJh%2F7gbeW283wuubhT9aBFC7TzDAhAHtQZRsrTC1AoNvmt2T0louqNSF4z%2BtNDo%0A3vpKDqU%2FOlmWvwEBSwbXcKhuS2PKxlp7k2amcyBIE88svigs3go15%2BTzrGEP8yKQ%0AsiZ5Oswt%2BUPwUaCCASEwggEdMIHIAgECMA0GCSqGSIb3DQEBBAUAMBoxGDAWBgkq%0AhkiG9w0BCQIWCUNBTkFEQS1OTDAeFw0xMDA4MTgxNTM3MzJaFw0yMDA4MTUxNTM3%0AMzJaMBoxGDAWBgkqhkiG9w0BCQIWCUNBTkFEQS1OTDBcMA0GCSqGSIb3DQEBAQUA%0AA0sAMEgCQQCWM8tNwx%2FoRF9kSblo%2BXh5PGG3bmZY8ZxB80gbXX3ks4ssik3%2FiZ3r%0AP%2F9vJvj%2FtjjgiOOEh6cENZz3uEE38bihAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAc%0AMKLsOJXfDt%2BiXlL9H%2BnFWZjzgdx9VUMEhYhNY2s0jNavw2C%2BVe0GgxY0Ym4y%2B0r6%0ACuDCyufcZO%2F%2FTerhXmycMYIBLTCCASkCAQEwHzAaMRgwFgYJKoZIhvcNAQkCFglD%0AQU5BREEtTkwCAQIwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5%0AMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEHsSYtfc%0AZFXDLpKVLRp8wgQwIAYKYIZIAYb4RQEJBTESBBAa46SkgvR%2FZe7lsCnP%2FKcKMDAG%0ACmCGSAGG%2BEUBCQcxIhMgNUZCQzQwNzY2RTg0N0EzNDRDNTFFQzIxRUU1RDA5OTUw%0ADQYJKoZIhvcNAQEBBQAEQF7ZATDofAPDjwEtd%2FHX5hj9Yykat3FLkq6CB3L6mqX7%0Ad%2Ffd9FKgetT8skwKiqXltwAqi585zYWlfIVvHQZdD7M%3D%0A 81 - ---cisco router external ip-- - 404 15 0 421

Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!

Thanks in advance,


Question by:IT_Dept
LVL 17

Accepted Solution

Rovastar earned 1500 total points
ID: 33578647
The 404 error is a 404.15 error that you are getting is:

404.15 - Query string too long.

That is why it is failing.

Author Closing Comment

ID: 33829915

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to showing a 404 error page to your visitors, you do not want that generic page to show, and you especially do not want your hosting provider’s ad error page to show either. In this article, I will show you how to enable the custom 40…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This Micro Tutorial will teach you how to add a cinematic look to any film or video out there. There are very few simple steps that you will follow to do so. This will be demonstrated using Adobe Premiere Pro CS6.
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question