Solved

IIS Url rewrite and ARR to NDES (mscep.dll) issue

Posted on 2010-08-19
2
1,601 Views
Last Modified: 2012-05-10
Hi Guys,

Im not sure if this is even possible but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 r2 server with the subordinate ca and NDES features installed. I am using IIS 7.5 With ARR and url rewrite 2.0

Just to clarify the situation, I am trying to send a certificate enrollment request (from a cisco router) through to the MSCEP.dll located on the internal server. This works if i go direct to the internal server but with the reverse proxy in betweeen it fails. The iis logs shows that the first 2 requests succeed but the 3rd http get request from the router request triggers a 404 error on the reverse proxy server and the request dies. However from a browser I am able to visit this page with no worries.

 Here is my web.config file for the reverse proxy server :

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Catch ndes/ links" stopProcessing="true">
                    <match url="^ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
                <rule name="Catch ndes2/ links" stopProcessing="true">
                    <match url="^/ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
                    <action type="Rewrite" value="/{R:1}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <tracing>
            <traceFailedRequests>
                <add path="*">
                    <traceAreas>
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
                </add>
            </traceFailedRequests>
        </tracing>
        <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>

So from that I am basicly catching urls that match www.myexternalsite.com:81/ndes/

and rewriting them to www.myinternalsite.com/certsrv/mscep/

here is what I see on the iis logs from the reverse proxy server:

The first two GET requests succeed as my router grabs the ca certificate. when it send the third it is presented with a 404 error. my question is why does it not match and rewrite the third GET request? Based on the rules I have set this should work?

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15


2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0


2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIF7AYJKoZIhvcNAQcCoIIF3TCCBdkCAQExDjAMBggqhkiG9w0CBQUAMIIDbAYJ%0AKoZIhvcNAQcBoIIDXQSCA1kwggNVBgkqhkiG9w0BBwOgggNGMIIDQgIBADGCAaUw%0AggGhAgEAMIGIMHoxEjAQBgoJkiaJk%2FIsZAEZFgJ1azESMBAGCgmSJomT8ixkARkW%0AAmNvMRYwFAYKCZImiZPyLGQBGRYGdGhlZmNhMTgwNgYDVQQDEy9Db3JlIEFzc2V0%0AcyBTdWJvcmRpbmF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQIKYRbNOAAAAAAA%0ABDANBgkqhkiG9w0BAQEFAASCAQBHX3eO95VFvoaE6YNlo5sDyiuwJMgkB78fz6pw%0Aexn7CI5DxSz4Ho0ma3NozkkDWx8%2B2cz96W5r9UnXOJDO8%2BCBEAYFy6g5ofQ81x2T%0A%2Fw7%2B1Q5fJnYobFY5xJpApb9rLetp0NR1OKxf%2B7%2F%2BBs7LbjifF0WIreqUpndM2IT3%0ANOThrZoFhIjVUpHc4KtNDavpeQEaGlySub3bh4vg6i9KcFdfF4REjJRaQ3SidbDz%0AB8Eo4WnW2etg8HaJR6mV6VxFFCS4LFugiYirsU01VxpDeu4%2BsItlKeJPGua6iQam%0ATLf6ylDGfvfA4fB6EtgMuFQummcIY5jE88EJOGCk83WLpeHrMIIBkgYJKoZIhvcN%0AAQcBMBEGBSsOAwIHBAhph07whxTEjYCCAXBLJQ5HshkjInBbsxgDoRI%2BahK81IZu%0Aok3cZUV7221ZFrgOZ97JR0HRCWO2TC%2BAYzZ%2BzO%2Bk4qxE6cq4sD6%2FnTsNSH6OUrz7%0AMG90nyeuzFrj4KuDWNYpCJkimqA1OBdVb7cSbJF9TnRy7UN68Rt6zOhZfWsjAxh1%0AMN5pna3vLR5FTvs9Fb08qwH2GrnZ4w0dSxwrGqWhSfwP4Lh7a9jMao3ecFGlt9CZ%0AdTiL%2FxCFPyxHh3w7fu%2F1nuqN7y8jUPI5cJogLtDt4UfMy%2BzvL1VZMH1GZS00TAQc%0AW03Iq299Ntiw6TJ9w%2BPof51%2BdKODeg2XPrFay2B%2F14Lmktvd9nliZ5ySS1nWOHW6%0AKRJh%2F7gbeW283wuubhT9aBFC7TzDAhAHtQZRsrTC1AoNvmt2T0louqNSF4z%2BtNDo%0A3vpKDqU%2FOlmWvwEBSwbXcKhuS2PKxlp7k2amcyBIE88svigs3go15%2BTzrGEP8yKQ%0AsiZ5Oswt%2BUPwUaCCASEwggEdMIHIAgECMA0GCSqGSIb3DQEBBAUAMBoxGDAWBgkq%0AhkiG9w0BCQIWCUNBTkFEQS1OTDAeFw0xMDA4MTgxNTM3MzJaFw0yMDA4MTUxNTM3%0AMzJaMBoxGDAWBgkqhkiG9w0BCQIWCUNBTkFEQS1OTDBcMA0GCSqGSIb3DQEBAQUA%0AA0sAMEgCQQCWM8tNwx%2FoRF9kSblo%2BXh5PGG3bmZY8ZxB80gbXX3ks4ssik3%2FiZ3r%0AP%2F9vJvj%2FtjjgiOOEh6cENZz3uEE38bihAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAc%0AMKLsOJXfDt%2BiXlL9H%2BnFWZjzgdx9VUMEhYhNY2s0jNavw2C%2BVe0GgxY0Ym4y%2B0r6%0ACuDCyufcZO%2F%2FTerhXmycMYIBLTCCASkCAQEwHzAaMRgwFgYJKoZIhvcNAQkCFglD%0AQU5BREEtTkwCAQIwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5%0AMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEHsSYtfc%0AZFXDLpKVLRp8wgQwIAYKYIZIAYb4RQEJBTESBBAa46SkgvR%2FZe7lsCnP%2FKcKMDAG%0ACmCGSAGG%2BEUBCQcxIhMgNUZCQzQwNzY2RTg0N0EzNDRDNTFFQzIxRUU1RDA5OTUw%0ADQYJKoZIhvcNAQEBBQAEQF7ZATDofAPDjwEtd%2FHX5hj9Yykat3FLkq6CB3L6mqX7%0Ad%2Ffd9FKgetT8skwKiqXltwAqi585zYWlfIVvHQZdD7M%3D%0A 81 - ---cisco router external ip-- - 404 15 0 421




Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!

Thanks in advance,



Mike.

0
Comment
Question by:IT_Dept
2 Comments
 
LVL 17

Accepted Solution

by:
Rovastar earned 500 total points
ID: 33578647
The 404 error is a 404.15 error that you are getting is:

404.15 - Query string too long.

That is why it is failing.
0
 

Author Closing Comment

by:IT_Dept
ID: 33829915
thanks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction HyperText Transfer Protocol (http://www.ietf.org/rfc/rfc2616.txt) or "HTTP" is the underpinning of internet communication.  As a teacher of web development I have heard many questions, mostly from my younger students who have come to t…
Imagine a situation that you have installed SSL (http://en.wikipedia.org/wiki/Secure_Sockets_Layer) Certificate on your Cisco ASA (Cisco Adaptive Security Appliance) firewall. Installation of SSL certificate on ASA is an another topic for which you …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question