Solved

IIS Url rewrite and ARR to NDES (mscep.dll) issue

Posted on 2010-08-19
1,652 Views
Last Modified: 2012-05-10
Hi Guys,

I'm not sure if this is even possible, but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 R2 server with the subordinate CA and NDES features installed. I am using IIS 7.5 with ARR and URL Rewrite 2.0.

Just to clarify the situation, I am trying to send a certificate enrollment request (from a Cisco router) through to the MSCEP.dll located on the internal server. This works if I go direct to the internal server, but with the reverse proxy in between it fails. The IIS logs show that the first 2 requests succeed, but the 3rd HTTP GET request from the router triggers a 404 error on the reverse proxy server and the request dies. However, from a browser I am able to visit this page with no worries.

Here is my web.config file for the reverse proxy server:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Catch ndes/ links" stopProcessing="true">
                    <match url="^ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
                <!-- Note: URL Rewrite matches the pattern against the path without its leading
                     slash, so this second pattern (beginning with "/") never matches; the rule
                     is a harmless duplicate of the one above. -->
                <rule name="Catch ndes2/ links" stopProcessing="true">
                    <match url="^/ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
                    <action type="Rewrite" value="/{R:1}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <tracing>
            <traceFailedRequests>
                <add path="*">
                    <traceAreas>
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
                </add>
            </traceFailedRequests>
        </tracing>
        <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>

So from that I am basically catching URLs that match www.myexternalsite.com:81/ndes/

and rewriting them to www.myinternalsite.com/certsrv/mscep/

Here is what I see in the IIS logs from the reverse proxy server:

The first two GET requests succeed as my router grabs the CA certificate. When it sends the third, it is presented with a 404 error. My question is: why does it not match and rewrite the third GET request? Based on the rules I have set, this should work?

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIF7AYJKoZIhvcNAQcCoIIF3TCCBdkCAQExDjAMBggqhkiG9w0CBQUAMIIDbAYJ%0AKoZIhvcNAQcBoIIDXQSCA1kwggNVBgkqhkiG9w0BBwOgggNGMIIDQgIBADGCAaUw%0AggGhAgEAMIGIMHoxEjAQBgoJkiaJk%2FIsZAEZFgJ1azESMBAGCgmSJomT8ixkARkW%0AAmNvMRYwFAYKCZImiZPyLGQBGRYGdGhlZmNhMTgwNgYDVQQDEy9Db3JlIEFzc2V0%0AcyBTdWJvcmRpbmF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQIKYRbNOAAAAAAA%0ABDANBgkqhkiG9w0BAQEFAASCAQBHX3eO95VFvoaE6YNlo5sDyiuwJMgkB78fz6pw%0Aexn7CI5DxSz4Ho0ma3NozkkDWx8%2B2cz96W5r9UnXOJDO8%2BCBEAYFy6g5ofQ81x2T%0A%2Fw7%2B1Q5fJnYobFY5xJpApb9rLetp0NR1OKxf%2B7%2F%2BBs7LbjifF0WIreqUpndM2IT3%0ANOThrZoFhIjVUpHc4KtNDavpeQEaGlySub3bh4vg6i9KcFdfF4REjJRaQ3SidbDz%0AB8Eo4WnW2etg8HaJR6mV6VxFFCS4LFugiYirsU01VxpDeu4%2BsItlKeJPGua6iQam%0ATLf6ylDGfvfA4fB6EtgMuFQummcIY5jE88EJOGCk83WLpeHrMIIBkgYJKoZIhvcN%0AAQcBMBEGBSsOAwIHBAhph07whxTEjYCCAXBLJQ5HshkjInBbsxgDoRI%2BahK81IZu%0Aok3cZUV7221ZFrgOZ97JR0HRCWO2TC%2BAYzZ%2BzO%2Bk4qxE6cq4sD6%2FnTsNSH6OUrz7%0AMG90nyeuzFrj4KuDWNYpCJkimqA1OBdVb7cSbJF9TnRy7UN68Rt6zOhZfWsjAxh1%0AMN5pna3vLR5FTvs9Fb08qwH2GrnZ4w0dSxwrGqWhSfwP4Lh7a9jMao3ecFGlt9CZ%0AdTiL%2FxCFPyxHh3w7fu%2F1nuqN7y8jUPI5cJogLtDt4UfMy%2BzvL1VZMH1GZS00TAQc%0AW03Iq299Ntiw6TJ9w%2BPof51%2BdKODeg2XPrFay2B%2F14Lmktvd9nliZ5ySS1nWOHW6%0AKRJh%2F7gbeW283wuubhT9aBFC7TzDAhAHtQZRsrTC1AoNvmt2T0louqNSF4z%2BtNDo%0A3vpKDqU%2FOlmWvwEBSwbXcKhuS2PKxlp7k2amcyBIE88svigs3go15%2BTzrGEP8yKQ%0AsiZ5Oswt%2BUPwUaCCASEwggEdMIHIAgECMA0GCSqGSIb3DQEBBAUAMBoxGDAWBgkq%0AhkiG9w0BCQIWCUNBTkFEQS1OTDAeFw0xMDA4MTgxNTM3MzJaFw0yMDA4MTUxNTM3%0AMzJaMBoxGDAWBgkqhkiG9w0BCQIWCUNBTkFEQS1OTDBcMA0GCSqGSIb3DQEBAQUA%0AA0sAMEgCQQCWM8tNwx%2FoRF9kSblo%2BXh5PGG3bmZY8ZxB80gbXX3ks4ssik3%2FiZ3r%0AP%2F9vJvj%2FtjjgiOOEh6cENZz3uEE38bihAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAc%0AMKLsOJXfDt%2BiXlL9H%2BnFWZjzgdx9VUMEhYhNY2s0jNavw2C%2BVe0GgxY0Ym4y%2B0r6%0ACuDCyufcZO%2F%2FTerhXmycMYIBLTCCASkCAQEwHzAaMRgwFgYJKoZIhvcNAQkCFglD%0AQU5BREEtTkwCAQIwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5%0AMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEHsSYtfc%0AZFXDLpKVLRp8wgQwIAYKYIZIAYb4RQEJBTESBBAa46SkgvR%2FZe7lsCnP%2FKcKMDAG%0ACmCGSAGG%2BEUBCQcxIhMgNUZCQzQwNzY2RTg0N0EzNDRDNTFFQzIxRUU1RDA5OTUw%0ADQYJKoZIhvcNAQEBBQAEQF7ZATDofAPDjwEtd%2FHX5hj9Yykat3FLkq6CB3L6mqX7%0Ad%2Ffd9FKgetT8skwKiqXltwAqi585zYWlfIVvHQZdD7M%3D%0A 81 - ---cisco router external ip-- - 404 15 0 421




Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!

Thanks in advance,



Mike.

Question by:IT_Dept
2 Comments
 

Accepted Solution

by:
Rovastar earned 1500 total points
ID: 33578647
The 404 error that you are getting is a 404.15 error:

404.15 - Query string too long.

That is why it is failing.
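To make the diagnosis in the accepted answer checkable against a log, here is an added example (not part of the question or the answer) that parses IIS W3C access-log lines in the layout the asker posted, picks out the 404.15 rejections and measures how far each query string exceeded the request-filtering default. It assumes the default field order shown in the excerpt and the IIS 7.x default maxQueryString of 2048 bytes; the sample log lines, IP addresses and the PKCS#7 stand-in message are constructed.

```python
"""Triage IIS W3C access-log lines for 404.15 (query string too long) rejections.

Added example, not code from the original question or answer. Assumes the
default IIS 7.x log field order seen in the question's excerpt and the
request-filtering default of maxQueryString=2048 bytes.
"""
from urllib.parse import parse_qs

# IIS 7.x request filtering default (bytes). A request whose query string exceeds
# it is answered with HTTP 404, substatus 15, before any rewrite rule is evaluated.
DEFAULT_MAX_QUERY_STRING = 2048

# Field order of the log lines in the question (assumed default W3C layout).
W3C_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
    "sc-substatus", "sc-win32-status", "time-taken",
]


def parse_line(line):
    """Parse one W3C log line into a dict; return None for blank or '#' directive lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(W3C_FIELDS):
        raise ValueError(f"expected {len(W3C_FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(W3C_FIELDS, parts))
    for key in ("s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"):
        entry[key] = int(entry[key])
    return entry


def query_string_rejections(lines, limit=DEFAULT_MAX_QUERY_STRING):
    """Return the 404.15 entries, each with the measured query length and overage.

    The logged cs-uri-query is still percent-encoded, so for ASCII log text its
    len() approximates the byte length request filtering compared with the limit.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not (entry["sc-status"] == 404 and entry["sc-substatus"] == 15):
            continue
        query = entry["cs-uri-query"]
        params = parse_qs(query)  # SCEP puts 'operation' and 'message' in the query
        findings.append({
            "client": entry["c-ip"],
            "stem": entry["cs-uri-stem"],
            "operation": params.get("operation", ["?"])[0],
            "query_length": len(query),
            "over_by": max(0, len(query) - limit),
        })
    return findings


def recommended_max_query_string(findings, limit=DEFAULT_MAX_QUERY_STRING):
    """Smallest multiple of 1024 strictly above the longest rejected query, or the current limit."""
    longest = max((f["query_length"] for f in findings), default=0)
    if longest <= limit:
        return limit
    return (longest // 1024 + 1) * 1024


# Constructed sample log: the two small SCEP GETs succeed; the PKIOperation GET
# carries the base64 PKCS#7 envelope in its query string and is rejected 404.15.
LONG_MESSAGE = "MIIF7AYJKoZIhvcNAQcC" + "A" * 2200 + "%3D%0A"  # stand-in, not a real message
SAMPLE_LOG = [
    "#Fields: " + " ".join(W3C_FIELDS),
    "2010-08-18 15:37:42 10.0.0.5 GET /ndes/mscep.dll/pkiclient.exe "
    "operation=GetCACert&message=TRUSTPOINT 81 - 203.0.113.7 "
    "Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15",
    "2010-08-18 15:37:42 10.0.0.5 GET /ndes/mscep.dll/pkiclient.exe "
    "operation=GetCACaps&message=TRUSTPOINT 81 - 203.0.113.7 "
    "Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0",
    "2010-08-18 15:37:42 10.0.0.5 GET /ndes/mscep.dll/pkiclient.exe "
    f"operation=PKIOperation&message={LONG_MESSAGE} 81 - 203.0.113.7 - 404 15 0 421",
]

if __name__ == "__main__":
    rejected = query_string_rejections(SAMPLE_LOG)
    for f in rejected:
        print(f"{f['client']} {f['operation']} on {f['stem']}: "
              f"query {f['query_length']} bytes, over limit by {f['over_by']}")
    print("suggested maxQueryString:", recommended_max_query_string(rejected))
```

The limit itself is set under system.webServer/security/requestFiltering/requestLimits (the maxQueryString attribute), and request filtering rejected the request before the rewrite rule was evaluated, which is why no rule matched. On an internet-facing proxy, raise it only by what the SCEP PKIOperation envelope actually needs and scope the change to the ndes path rather than the whole site.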
Author Closing Comment

by:IT_Dept
ID: 33829915
thanks
