Solved

IIS Url rewrite and ARR to NDES (mscep.dll) issue

Posted on 2010-08-19
Last Modified: 2012-05-10
Hi Guys,

I'm not sure if this is even possible, but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 R2 server with the subordinate CA and NDES features installed. I am using IIS 7.5 with ARR and URL Rewrite 2.0.

Just to clarify the situation, I am trying to send a certificate enrollment request (from a Cisco router) through to the MSCEP.dll located on the internal server. This works if I go direct to the internal server, but with the reverse proxy in between it fails. The IIS logs show that the first 2 requests succeed, but the 3rd HTTP GET request from the router triggers a 404 error on the reverse proxy server and the request dies. However, from a browser I am able to visit this page with no worries.

Here is my web.config file for the reverse proxy server:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Catch ndes/ links" stopProcessing="true">
                    <match url="^ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
                <rule name="Catch ndes2/ links" stopProcessing="true">
                    <match url="^/ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
                    <action type="Rewrite" value="/{R:1}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <tracing>
            <traceFailedRequests>
                <add path="*">
                    <traceAreas>
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
                </add>
            </traceFailedRequests>
        </tracing>
        <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>

So from that I am basically catching URLs that match www.myexternalsite.com:81/ndes/ and rewriting them to www.myinternalsite.com/certsrv/mscep/

Here is what I see in the IIS logs from the reverse proxy server:

The first two GET requests succeed as my router grabs the CA certificate. When it sends the third, it is presented with a 404 error. My question is: why does it not match and rewrite the third GET request? Based on the rules I have set, this should work?

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIF7AYJKoZIhvcNAQcCoIIF3TCCBdkCAQExDjAMBggqhkiG9w0CBQUAMIIDbAYJ%0AKoZIhvcNAQcBoIIDXQSCA1kwggNVBgkqhkiG9w0BBwOgggNGMIIDQgIBADGCAaUw%0AggGhAgEAMIGIMHoxEjAQBgoJkiaJk%2FIsZAEZFgJ1azESMBAGCgmSJomT8ixkARkW%0AAmNvMRYwFAYKCZImiZPyLGQBGRYGdGhlZmNhMTgwNgYDVQQDEy9Db3JlIEFzc2V0%0AcyBTdWJvcmRpbmF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQIKYRbNOAAAAAAA%0ABDANBgkqhkiG9w0BAQEFAASCAQBHX3eO95VFvoaE6YNlo5sDyiuwJMgkB78fz6pw%0Aexn7CI5DxSz4Ho0ma3NozkkDWx8%2B2cz96W5r9UnXOJDO8%2BCBEAYFy6g5ofQ81x2T%0A%2Fw7%2B1Q5fJnYobFY5xJpApb9rLetp0NR1OKxf%2B7%2F%2BBs7LbjifF0WIreqUpndM2IT3%0ANOThrZoFhIjVUpHc4KtNDavpeQEaGlySub3bh4vg6i9KcFdfF4REjJRaQ3SidbDz%0AB8Eo4WnW2etg8HaJR6mV6VxFFCS4LFugiYirsU01VxpDeu4%2BsItlKeJPGua6iQam%0ATLf6ylDGfvfA4fB6EtgMuFQummcIY5jE88EJOGCk83WLpeHrMIIBkgYJKoZIhvcN%0AAQcBMBEGBSsOAwIHBAhph07whxTEjYCCAXBLJQ5HshkjInBbsxgDoRI%2BahK81IZu%0Aok3cZUV7221ZFrgOZ97JR0HRCWO2TC%2BAYzZ%2BzO%2Bk4qxE6cq4sD6%2FnTsNSH6OUrz7%0AMG90nyeuzFrj4KuDWNYpCJkimqA1OBdVb7cSbJF9TnRy7UN68Rt6zOhZfWsjAxh1%0AMN5pna3vLR5FTvs9Fb08qwH2GrnZ4w0dSxwrGqWhSfwP4Lh7a9jMao3ecFGlt9CZ%0AdTiL%2FxCFPyxHh3w7fu%2F1nuqN7y8jUPI5cJogLtDt4UfMy%2BzvL1VZMH1GZS00TAQc%0AW03Iq299Ntiw6TJ9w%2BPof51%2BdKODeg2XPrFay2B%2F14Lmktvd9nliZ5ySS1nWOHW6%0AKRJh%2F7gbeW283wuubhT9aBFC7TzDAhAHtQZRsrTC1AoNvmt2T0louqNSF4z%2BtNDo%0A3vpKDqU%2FOlmWvwEBSwbXcKhuS2PKxlp7k2amcyBIE88svigs3go15%2BTzrGEP8yKQ%0AsiZ5Oswt%2BUPwUaCCASEwggEdMIHIAgECMA0GCSqGSIb3DQEBBAUAMBoxGDAWBgkq%0AhkiG9w0BCQIWCUNBTkFEQS1OTDAeFw0xMDA4MTgxNTM3MzJaFw0yMDA4MTUxNTM3%0AMzJaMBoxGDAWBgkqhkiG9w0BCQIWCUNBTkFEQS1OTDBcMA0GCSqGSIb3DQEBAQUA%0AA0sAMEgCQQCWM8tNwx%2FoRF9kSblo%2BXh5PGG3bmZY8ZxB80gbXX3ks4ssik3%2FiZ3r%0AP%2F9vJvj%2FtjjgiOOEh6cENZz3uEE38bihAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAc%0AMKLsOJXfDt%2BiXlL9H%2BnFWZjzgdx9VUMEhYhNY2s0jNavw2C%2BVe0GgxY0Ym4y%2B0r6%0ACuDCyufcZO%2F%2FTerhXmycMYIBLTCCASkCAQEwHzAaMRgwFgYJKoZIhvcNAQkCFglD%0AQU5BREEtTkwCAQIwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5%0AMBgGCSqGSIb3
DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEHsSYtfc%0AZFXDLpKVLRp8wgQwIAYKYIZIAYb4RQEJBTESBBAa46SkgvR%2FZe7lsCnP%2FKcKMDAG%0ACmCGSAGG%2BEUBCQcxIhMgNUZCQzQwNzY2RTg0N0EzNDRDNTFFQzIxRUU1RDA5OTUw%0ADQYJKoZIhvcNAQEBBQAEQF7ZATDofAPDjwEtd%2FHX5hj9Yykat3FLkq6CB3L6mqX7%0Ad%2Ffd9FKgetT8skwKiqXltwAqi585zYWlfIVvHQZdD7M%3D%0A 81 - ---cisco router external ip-- - 404 15 0 421

Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!

Thanks in advance,

Mike.

Question by: IT_Dept

Accepted Solution by: Rovastar (LVL 17)
The 404 error you are getting is a 404.15:

404.15 - Query string too long.

That is why it is failing.
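A small triage script for IIS W3C log lines like the ones in the question, added here as an example and not part of the thread: it parses the default IIS 7.x field layout, maps a 404.15 substatus to the request-filtering limit that produced it, and flags any query string longer than the IIS default maxQueryString of 2048 bytes. The sample log lines and IP addresses are constructed; the field names, substatus meanings and limit are the IIS 7.x defaults.

```python
"""Added example (not from the thread): triage IIS W3C log lines for the
404.15 'query string too long' failure seen on the reverse proxy above."""
from urllib.parse import parse_qs

# Default IIS 7.x W3C field order; matches the 14 fields in the excerpt.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# IIS request-filtering default unless web.config raises it under
# system.webServer/security/requestFiltering/requestLimits.
DEFAULT_MAX_QUERY_STRING = 2048

# Substatus codes IIS request filtering uses for size limits.
SUBSTATUS_REASON = {
    (404, 14): "URL too long (maxUrl)",
    (404, 15): "Query string too long (maxQueryString)",
}

def parse_iis_line(line):
    """Split one W3C log line into a dict keyed by field name."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    rec["sc-substatus"] = int(rec["sc-substatus"])
    return rec

def triage(rec, max_query_string=DEFAULT_MAX_QUERY_STRING):
    """Return (scep_operation, query_length, reason) for one record."""
    query = rec["cs-uri-query"]
    op = parse_qs(query).get("operation", ["?"])[0]
    reason = SUBSTATUS_REASON.get((rec["sc-status"], rec["sc-substatus"]))
    if reason is None and len(query) > max_query_string:
        # Not rejected here (limit raised?) but would be by a default proxy.
        reason = "would exceed maxQueryString=%d" % max_query_string
    return op, len(query), reason

def triage_log(lines):
    return [triage(parse_iis_line(line)) for line in lines]

# Constructed sample (documentation-range IPs): two short SCEP GETs and a
# PKIOperation whose PKCS#7 'message' value pushes the query past 2048 bytes.
_UA = "Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI)"
_STEM = "/ndes/mscep.dll/pkiclient.exe"
SAMPLE_LOG = [
    "2010-08-18 15:37:42 10.0.0.5 GET %s operation=GetCACert&message=TRUSTPOINT 81 - 203.0.113.7 %s 200 0 0 15" % (_STEM, _UA),
    "2010-08-18 15:37:42 10.0.0.5 GET %s operation=GetCACaps&message=TRUSTPOINT 81 - 203.0.113.7 %s 200 0 0 0" % (_STEM, _UA),
    "2010-08-18 15:37:42 10.0.0.5 GET %s operation=PKIOperation&message=%s 81 - 203.0.113.7 - 404 15 0 421" % (_STEM, "MIIF7AYJ" + "A" * 2200),
]
```

SCEP's PKIOperation carries the whole PKCS#7 request in the GET query string, so the rewrite rule is not at fault; the proxy's request-filtering maxQueryString limit is what rejects the third request before any rule runs.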

Author Closing Comment by: IT_Dept

Thanks
