Solved

IIS Url rewrite and ARR to NDES (mscep.dll) issue

Posted on 2010-08-19
2
1,610 Views
Last Modified: 2012-05-10
Hi Guys,

Im not sure if this is even possible but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 r2 server with the subordinate ca and NDES features installed. I am using IIS 7.5 With ARR and url rewrite 2.0

Just to clarify the situation, I am trying to send a certificate enrollment request (from a cisco router) through to the MSCEP.dll located on the internal server. This works if i go direct to the internal server but with the reverse proxy in betweeen it fails. The iis logs shows that the first 2 requests succeed but the 3rd http get request from the router request triggers a 404 error on the reverse proxy server and the request dies. However from a browser I am able to visit this page with no worries.

 Here is my web.config file for the reverse proxy server :

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Catch ndes/ links" stopProcessing="true">
                    <match url="^ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
                <rule name="Catch ndes2/ links" stopProcessing="true">
                    <match url="^/ndes/(.*)" negate="false" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{CACHE_URL}" pattern="^(https?)://" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                    <action type="Rewrite" url="{C:1}://ndes.mysite.com/certsrv/mscep/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
                </rule>
            </rules>
            <outboundRules>
                <rule name="RewriteRelativePaths" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
                    <action type="Rewrite" value="/{R:1}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
        <tracing>
            <traceFailedRequests>
                <add path="*">
                    <traceAreas>
                        <add provider="WWW Server" areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI" verbosity="Verbose" />
                    </traceAreas>
                    <failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
                </add>
            </traceFailedRequests>
        </tracing>
        <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>

So from that I am basicly catching urls that match www.myexternalsite.com:81/ndes/

and rewriting them to www.myinternalsite.com/certsrv/mscep/

here is what I see on the iis logs from the reverse proxy server:

The first two GET requests succeed as my router grabs the ca certificate. when it send the third it is presented with a 404 error. my question is why does it not match and rewrite the third GET request? Based on the rules I have set this should work?

2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 15


2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&message=TRUSTPOINT 81 - ---cisco router external ip-- Mozilla/4.0+(compatible;+MSIE+5.0;+Cisco+PKI) 200 0 0 0


2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&message=MIIF7AYJKoZIhvcNAQcCoIIF3TCCBdkCAQExDjAMBggqhkiG9w0CBQUAMIIDbAYJ%0AKoZIhvcNAQcBoIIDXQSCA1kwggNVBgkqhkiG9w0BBwOgggNGMIIDQgIBADGCAaUw%0AggGhAgEAMIGIMHoxEjAQBgoJkiaJk%2FIsZAEZFgJ1azESMBAGCgmSJomT8ixkARkW%0AAmNvMRYwFAYKCZImiZPyLGQBGRYGdGhlZmNhMTgwNgYDVQQDEy9Db3JlIEFzc2V0%0AcyBTdWJvcmRpbmF0ZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQIKYRbNOAAAAAAA%0ABDANBgkqhkiG9w0BAQEFAASCAQBHX3eO95VFvoaE6YNlo5sDyiuwJMgkB78fz6pw%0Aexn7CI5DxSz4Ho0ma3NozkkDWx8%2B2cz96W5r9UnXOJDO8%2BCBEAYFy6g5ofQ81x2T%0A%2Fw7%2B1Q5fJnYobFY5xJpApb9rLetp0NR1OKxf%2B7%2F%2BBs7LbjifF0WIreqUpndM2IT3%0ANOThrZoFhIjVUpHc4KtNDavpeQEaGlySub3bh4vg6i9KcFdfF4REjJRaQ3SidbDz%0AB8Eo4WnW2etg8HaJR6mV6VxFFCS4LFugiYirsU01VxpDeu4%2BsItlKeJPGua6iQam%0ATLf6ylDGfvfA4fB6EtgMuFQummcIY5jE88EJOGCk83WLpeHrMIIBkgYJKoZIhvcN%0AAQcBMBEGBSsOAwIHBAhph07whxTEjYCCAXBLJQ5HshkjInBbsxgDoRI%2BahK81IZu%0Aok3cZUV7221ZFrgOZ97JR0HRCWO2TC%2BAYzZ%2BzO%2Bk4qxE6cq4sD6%2FnTsNSH6OUrz7%0AMG90nyeuzFrj4KuDWNYpCJkimqA1OBdVb7cSbJF9TnRy7UN68Rt6zOhZfWsjAxh1%0AMN5pna3vLR5FTvs9Fb08qwH2GrnZ4w0dSxwrGqWhSfwP4Lh7a9jMao3ecFGlt9CZ%0AdTiL%2FxCFPyxHh3w7fu%2F1nuqN7y8jUPI5cJogLtDt4UfMy%2BzvL1VZMH1GZS00TAQc%0AW03Iq299Ntiw6TJ9w%2BPof51%2BdKODeg2XPrFay2B%2F14Lmktvd9nliZ5ySS1nWOHW6%0AKRJh%2F7gbeW283wuubhT9aBFC7TzDAhAHtQZRsrTC1AoNvmt2T0louqNSF4z%2BtNDo%0A3vpKDqU%2FOlmWvwEBSwbXcKhuS2PKxlp7k2amcyBIE88svigs3go15%2BTzrGEP8yKQ%0AsiZ5Oswt%2BUPwUaCCASEwggEdMIHIAgECMA0GCSqGSIb3DQEBBAUAMBoxGDAWBgkq%0AhkiG9w0BCQIWCUNBTkFEQS1OTDAeFw0xMDA4MTgxNTM3MzJaFw0yMDA4MTUxNTM3%0AMzJaMBoxGDAWBgkqhkiG9w0BCQIWCUNBTkFEQS1OTDBcMA0GCSqGSIb3DQEBAQUA%0AA0sAMEgCQQCWM8tNwx%2FoRF9kSblo%2BXh5PGG3bmZY8ZxB80gbXX3ks4ssik3%2FiZ3r%0AP%2F9vJvj%2FtjjgiOOEh6cENZz3uEE38bihAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAc%0AMKLsOJXfDt%2BiXlL9H%2BnFWZjzgdx9VUMEhYhNY2s0jNavw2C%2BVe0GgxY0Ym4y%2B0r6%0ACuDCyufcZO%2F%2FTerhXmycMYIBLTCCASkCAQEwHzAaMRgwFgYJKoZIhvcNAQkCFglD%0AQU5BREEtTkwCAQIwDAYIKoZIhvcNAgUFAKCBozASBgpghkgBhvhFAQkCMQQTAjE5%0AMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHwYJKoZIhvcNAQkEMRIEEHsSYtfc%0AZFXDLpKVLRp8wgQwIAYKYIZIAYb4RQEJBTESBBAa46SkgvR%2FZe7lsCnP%2FKcKMDAG%0ACmCGSAGG%2BEUBCQcxIhMgNUZCQzQwNzY2RTg0N0EzNDRDNTFFQzIxRUU1RDA5OTUw%0ADQYJKoZIhvcNAQEBBQAEQF7ZATDofAPDjwEtd%2FHX5hj9Yykat3FLkq6CB3L6mqX7%0Ad%2Ffd9FKgetT8skwKiqXltwAqi585zYWlfIVvHQZdD7M%3D%0A 81 - ---cisco router external ip-- - 404 15 0 421




Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!

Thanks in advance,



Mike.

0
Comment
Question by:IT_Dept
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 17

Accepted Solution

by:
Rovastar earned 500 total points
ID: 33578647
The 404 error is a 404.15 error that you are getting is:

404.15 - Query string too long.

That is why it is failing.
0
 

Author Closing Comment

by:IT_Dept
ID: 33829915
thanks
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you don't have the right permissions set for your WordPress location in IIS, you won't be able to perform automatic updates. Here's how to fix the problem.
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question