IIS Url rewrite and ARR to NDES (mscep.dll) issue
Hi Guys,
Im not sure if this is even possible but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 r2 server with the subordinate ca and NDES features installed. I am using IIS 7.5 With ARR and url rewrite 2.0
Just to clarify the situation, I am trying to send a certificate enrollment request (from a cisco router) through to the MSCEP.dll located on the internal server. This works if i go direct to the internal server but with the reverse proxy in betweeen it fails. The iis logs shows that the first 2 requests succeed but the 3rd http get request from the router request triggers a 404 error on the reverse proxy server and the request dies. However from a browser I am able to visit this page with no worries.
Here is my web.config file for the reverse proxy server :
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Catch ndes/ links" stopProcessing="true">
<match url="^ndes/(.*)" negate="false" />
<conditions logicalGrouping="MatchAll"
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING
</serverVariables>
<action type="Rewrite" url="{C:1}://ndes.mysite.c
</rule>
<rule name="Catch ndes2/ links" stopProcessing="true">
<match url="^/ndes/(.*)" negate="false" />
<conditions logicalGrouping="MatchAll"
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING
</serverVariables>
<action type="Rewrite" url="{C:1}://ndes.mysite.c
</rule>
</rules>
<outboundRules>
<rule name="RewriteRelativePaths
<match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
<action type="Rewrite" value="/{R:1}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_T
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="WWW Server" areas="Authentication,Secu
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
</add>
</traceFailedRequests>
</tracing>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
So from that I am basicly catching urls that match www.myexternalsite.com:81/ndes/
and rewriting them to www.myinternalsite.com/certsrv/mscep/
here is what I see on the iis logs from the reverse proxy server:
The first two GET requests succeed as my router grabs the ca certificate. when it send the third it is presented with a 404 error. my question is why does it not match and rewrite the third GET request? Based on the rules I have set this should work?
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&messag
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&messag
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&mes
Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!
Thanks in advance,
Mike.
Im not sure if this is even possible but I am having trouble rewriting requests from a reverse proxy server in a DMZ to an internal 2008 r2 server with the subordinate ca and NDES features installed. I am using IIS 7.5 With ARR and url rewrite 2.0
Just to clarify the situation, I am trying to send a certificate enrollment request (from a cisco router) through to the MSCEP.dll located on the internal server. This works if i go direct to the internal server but with the reverse proxy in betweeen it fails. The iis logs shows that the first 2 requests succeed but the 3rd http get request from the router request triggers a 404 error on the reverse proxy server and the request dies. However from a browser I am able to visit this page with no worries.
Here is my web.config file for the reverse proxy server :
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<rule name="Catch ndes/ links" stopProcessing="true">
<match url="^ndes/(.*)" negate="false" />
<conditions logicalGrouping="MatchAll"
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING
</serverVariables>
<action type="Rewrite" url="{C:1}://ndes.mysite.c
</rule>
<rule name="Catch ndes2/ links" stopProcessing="true">
<match url="^/ndes/(.*)" negate="false" />
<conditions logicalGrouping="MatchAll"
<add input="{CACHE_URL}" pattern="^(https?)://" />
</conditions>
<serverVariables>
<set name="HTTP_ACCEPT_ENCODING
</serverVariables>
<action type="Rewrite" url="{C:1}://ndes.mysite.c
</rule>
</rules>
<outboundRules>
<rule name="RewriteRelativePaths
<match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script " pattern="^/(.*)" negate="false" />
<action type="Rewrite" value="/{R:1}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_T
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
<tracing>
<traceFailedRequests>
<add path="*">
<traceAreas>
<add provider="WWW Server" areas="Authentication,Secu
</traceAreas>
<failureDefinitions timeTaken="00:00:00" statusCodes="404,200" />
</add>
</traceFailedRequests>
</tracing>
<httpErrors errorMode="Detailed" />
</system.webServer>
</configuration>
So from that I am basicly catching urls that match www.myexternalsite.com:81/ndes/
and rewriting them to www.myinternalsite.com/certsrv/mscep/
here is what I see on the iis logs from the reverse proxy server:
The first two GET requests succeed as my router grabs the ca certificate. when it send the third it is presented with a 404 error. my question is why does it not match and rewrite the third GET request? Based on the rules I have set this should work?
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACert&messag
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=GetCACaps&messag
2010-08-18 15:37:42 ---reverse proxy ip-- GET /ndes/mscep.dll/pkiclient.exe operation=PKIOperation&mes
Any help with getting this request to match would be much appreciated :) or suggestions to achieve a similar solution in a different way!
Thanks in advance,
Mike.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER