IT_Dept
asked on
IIS Url rewrite and ARR to NDES (mscep.dll) issue
Hi Guys,
I'm not sure if this is even possible, but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 R2 server with the subordinate CA and NDES features installed. I am using IIS 7.5 with ARR and URL Rewrite 2.0.
Just to clarify the situation, I am trying to send a certificate enrollment request (from a Cisco router) through to MSCEP.dll located on the internal server. This works if I go direct to the internal server, but with the reverse proxy in between it fails. The IIS logs show that the first two requests succeed, but the third HTTP GET request from the router triggers a 404 error on the reverse proxy server and the request dies. However, from a browser I am able to visit this page with no worries.
Here is my web.config file for the reverse proxy server:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear />
        <rule name="Catch ndes/ links" stopProcessing="true">
          <match url="^ndes/(.*)" negate="false" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{CACHE_URL}" pattern="^(https?)://" />
          </conditions>
          <serverVariables>
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
          <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
        </rule>
        <rule name="Catch ndes2/ links" stopProcessing="true">
          <match url="^/ndes/(.*)" negate="false" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{CACHE_URL}" pattern="^(https?)://" />
          </conditions>
          <serverVariables>
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
          <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
        </rule>
      </rules>
      <outboundRules>
        <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^/(.*)" negate="false" />
          <action type="Rewrite" value="/{R:1}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
        </add>
      </traceFailedRequests>
    </tracing>
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>
So from that I am basically catching URLs that match www.myexternalsite.com:81/ndes/ and rewriting them to www.myinternalsite.com/certsrv/mscep/.
Here is what I see in the IIS logs from the reverse proxy server:
The first two GET requests succeed as my router grabs the CA certificate. When it sends the third, it is presented with a 404 error. My question is: why does it not match and rewrite the third GET request? Based on the rules I have set, this should work?
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIF7AYJKoZIhvcNAQcCoIIF3TCCBdkCAQExDjAMBggqhkiG9w0CBQUAMIIDbAYJ%0AKoZIhvcNAQcBoIIDXQSCA1kwggNVBgkqhkiG9w0BBwOgggNGMIIDQgIBADGCAaUw%0AggGhAgEAMIGIMHoxEjAQBgoJkiaJk%2FIsZAEZFgJ1azESMBAGCgmSJomT8ixkARkW%0AAmNvMRYwFAYKCZImiZPyLGQBGRYGdGhlZmNhMTgwNgYDVQQDEy9Db3JlIEFzc2V0%0AcyBTdWJvcmRpbmF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQIKYRbNOAAAAAAA%0ABDANBgkqhkiG9w0BAQEFAASCAQBHX3eO95VFvoaE6YNlo5sDyiuwJMgkB78fz6pw%0Aexn7CI5DxSz4Ho0ma3NozkkDWx8%2B2cz96W5r9UnXOJDO8%2BCBEAYFy6g5ofQ81x2T%0A%2Fw7%2B1Q5fJnYobFY5xJpApb9rLetp0NR1OKxf%2B7%2F%2BBs7LbjifF0WIreqUpndM2IT3%0ANOThrZoFhIjVUpHc4KtNDavpeQEaGlySub3bh4vg6i9KcFdfF4REjJRaQ3SidbDz%0AB8Eo4WnW2etg8HaJR6mV6VxFFCS4LFugiYirsU01VxpDeu4%2BsItlKeJPGua6iQam%0ATLf6ylDGfvfA4fB6EtgMuFQummcIY5jE88EJOGCk83WLpeHrMIIBkgYJKoZIhvcN%0AAQcBMBEGBSsOAwIHBAhph07whxTEjYCCAXBLJQ5HshkjInBbsxgDoRI%2BahK81IZu%0Aok3cZUV7221ZFrgOZ97JR0HRCWO2TC%2BAYzZ%2BzO%2Bk4qxE6cq4sD6%2FnTsNSH6OUrz7%0AMG90nyeuzFrj4KuDWNYpCJkimqA1OBdVb7cSbJF9TnRy7UN68Rt6zOhZfWsjAxh1%0AMN5pna3vLR5FTvs9Fb08qwH2GrnZ4w0dSxwrGqWhSfwP4Lh7a9jMao3ecFGlt9CZ%0AdTiL%2FxCFPyxHh3w7fu%2F1nuqN7y8jUPI5cJogLtDt4UfMy%2BzvL1VZMH1GZS00TAQc%0AW03Iq299Ntiw6TJ9w%2BPof51%2BdKODeg2XPrFay2B%2F14Lmktvd9nliZ5ySS1nWOHW6%0AKRJh%2F7gbeW283wuubhT9aBFC7TzDAhAHtQZRsrTC1AoNvmt2T0louqNSF4z%2BtNDo%0A3vpKDqU%2FOlmWvwEBSwbXcKhuS2PKxlp7k2amcyBIE88svigs3go15%2BTzrGEP8yKQ%0AsiZ5Oswt%2BUPwUaCCASEwggEdMIHIAgECMA0GCSqGSIb3DQEBBAUAMBoxGDAWBgkq%0AhkiG9w0BCQIWCUNBTkFEQS1OTDAeFw0xMDA4MTgxNTM3MzJaFw0yMDA4MTUxNTM3%0AMzJaMBoxGDAWBgkqhkiG9w0BCQIWCUNBTkFEQS1OTDBcMA0GCSqGSIb3DQEBAQUA%0AA0sAMEgCQQCWM8tNwx%2FoRF9kSblo%2BXh5PGG3bmZY8ZxB80gbXX3ks4ssik3%2FiZ3r%0AP%2F9vJvj%2FtjjgiOOEh6cENZz3uEE38bihAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAc%0AMKLsOJXfDt%2BiXlL9H%2BnFWZjzgdx9VUMEhYhNY2s0jNavw2C%2BVe0GgxY0Ym4y%2B0r6%0ACuDCyufcZO%2F%2FTerhXmycMYIBLTCCASkCAQEwHzAaMRgwFgYJKoZIhvcNAQkCFglD%0AQU5BREEtTkwCAQIwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5%0AMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEHsSYtfc%0AZFXDLpKVLRp8wgQwIAYKYIZIAYb4RQEJBTESBBAa46SkgvR%2FZe7lsCnP%2FKcKMDAG%0ACmCGSAGG%2BEUBCQcxIhMgNUZCQzQwNzY2RTg0N0EzNDRDNTFFQzIxRUU1RDA5OTUw%0ADQYJKoZIhvcNAQEBBQAEQF7ZATDofAPDjwEtd%2FHX5hj9Yykat3FLkq6CB3L6mqX7%0Ad%2Ffd9FKgetT8skwKiqXltwAqi585zYWlfIVvHQZdD7M%3D%0A 81 - ---cisco router external ip-- - 404 15 0 421
Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!
Thanks in advance,
Mike.
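The third log line above ends in `404 15`, i.e. IIS status 404.15, which is the request-filtering rejection for a query string longer than the default 2048-byte maxQueryString; unlike a browser visit, the PKIOperation GET carries the whole base64 PKCS#7 message in its query string. The Python below (an added example, not part of the original post) parses log lines in the field order of that excerpt and flags such rejections; the IP addresses and the PKIOperation message in it are constructed placeholders.

```python
"""Flag SCEP requests that IIS request filtering rejected, from W3C log lines.
Field order matches the proxy log excerpt in the question: date time s-ip
cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent)
sc-status sc-substatus sc-win32-status time-taken."""
from urllib.parse import parse_qs

# IIS 7.x default for requestFiltering/requestLimits maxQueryString: a longer
# query string is refused with 404.15 before any URL Rewrite rule runs.
DEFAULT_MAX_QUERY_STRING = 2048

FIELDS = ("date time s_ip method uri_stem uri_query port username c_ip "
          "user_agent status substatus win32_status time_taken").split()

def parse_line(line):
    """Split one W3C line into a dict; IIS writes '+' for spaces inside a field."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["status"], rec["substatus"] = int(rec["status"]), int(rec["substatus"])
    return rec

def analyse(line, max_query=DEFAULT_MAX_QUERY_STRING):
    """Return the SCEP operation, query length, full IIS status (e.g. 404.15)
    and whether the query length alone would trip the filtering limit."""
    rec = parse_line(line)
    qs = rec["uri_query"]
    return {
        "operation": parse_qs(qs).get("operation", ["?"])[0],
        "query_len": len(qs),
        "status": "%d.%d" % (rec["status"], rec["substatus"]),
        "rejected_query_too_long": rec["status"] == 404 and rec["substatus"] == 15,
        "exceeds_default_limit": len(qs) > max_query,
    }

# Constructed sample lines shaped like the three requests in the question; the
# IPs are placeholders and the PKIOperation message is 2500 'A's, not a real blob.
UA = "Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI)"
STEM = "/ndes/mscep.dll/pkiclient.exe"
SAMPLE_LINES = [
    "2010-08-18 15:37:42 10.0.0.1 GET %s operation=GetCACert&message=TRUSTPOINT"
    " 81 - 203.0.113.5 %s 200 0 0 15" % (STEM, UA),
    "2010-08-18 15:37:42 10.0.0.1 GET %s operation=GetCACaps&message=TRUSTPOINT"
    " 81 - 203.0.113.5 %s 200 0 0 0" % (STEM, UA),
    "2010-08-18 15:37:42 10.0.0.1 GET %s operation=PKIOperation&message=%s"
    " 81 - 203.0.113.5 %s 404 15 0 421" % (STEM, "A" * 2500, UA),
]

def rejected_operations(lines=SAMPLE_LINES):
    # SCEP operations the proxy refused with 404.15, for reporting.
    return [a["operation"] for a in map(analyse, lines) if a["rejected_query_too_long"]]
```

If the check flags 404.15 on the proxy, the matching fix is to raise requestFiltering/requestLimits maxQueryString on the reverse proxy site so the request is not refused before it can be rewritten.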