Solved

Reverse proxy https Server error 502

Posted on 2013-11-05
Last Modified: 2013-11-05
Hi,
I am testing the reverse proxy on windows 2008 r2 IIS 7.5
When using http everything works fine.
when adding https between the client and the reverse proxy, everything works fine.
but when I add https between the reverse proxy and the internal server, I get:

Server error
"502 - Web server received an invalid response while acting as a gateway or proxy server"

I have installed 2 different certificates at the proxy and at the server, but I presume they work, since I have no problems opening this https page from the reverse proxy...
(And I do not get certificate errors or warnings of any kind...)

I guess I missed something in the IIS configuration...
I have written a simple URL rewrite rule which only points to
https://server_name/site_name/hello.html
(which works when I change it to http.)
I also tried it with/without "Enable SSL Offloading"
(I did not define a server farm, don't know if it's necessary)

What could be the problem? Can I somehow debug the error and see what went wrong?

Question by: mashuf1976
3 Comments
 
Expert Comment by: Giovanni Heward (ID: 39623961)
Is the certificate issued reflecting the public FQDN as the CN? (i.e. host.example.com)
Is your cert self-signed, or issued by a trusted CA?
Have you configured DNS to resolve to the public FQDN, on *both* the public and private side?
This would require your internal DNS server(s) to have a zone for example.com, as opposed to using example.local -- after these prerequisites are met, you should be using the public FQDN (host.example.com) on either side.

On the internal server to reverse proxy scenario, try modifying the %windir%\system32\drivers\etc\hosts file, on the internal server, to resolve the public FQDN to the private IP of the reverse proxy server, then connect using the public FQDN (i.e. host.example.com) rather than the local host name (i.e. host.domain.local).
Author Comment by: mashuf1976 (ID: 39624041)
Thanks for your reply, this is a self-signed certificate.
The problem is that the reverse proxy is in the DMZ (which is exposed to the internet),
and therefore it could not be part of the domain (in order to protect the company and the AD server) -- which probably means it cannot have the same FQDN...

Is there a way to bypass this problem?
Accepted Solution by: Giovanni Heward (earned 500 total points, ID: 39624689)
Is your DMZ (ideally) configured to use a private network address in conjunction with a PAT entry to translate to the public side? Public:443/TCP <-> DMZ:443/TCP? If so, this is how you'd configure it for use on the private side as well: Private:443/TCP <-> DMZ:443/TCP. After the translation and access rules are in place, you'd create a public FQDN zone on the private AD/DNS server, which resolves (i.e. host.domain.com) to the production private IP address (which is then translated to the DMZ zone.)

So on the private side, host.domain.com would resolve to 10.100.100.100 and on the public side, host.domain.com would resolve to 189.170.68.100, whereas the actual reverse proxy address is 192.168.1.100. In this way the certificate can be issued to host.domain.com and work on both sides. Make sense? I think your issue is more related to name resolution (and perhaps your server trusting the self-signed certificate) than anything else.

The other approach is the static hosts entry on the internal server communicating with the reverse proxy to reflect the public FQDN, once the translations and access rules are in place.

That being said, the quickest resolution may be to reissue your self-signed certificate to include both the private and public FQDNs (i.e. host, host.domain.local, host.domain.com). I'll post more on this momentarily.
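The two fixes the accepted answer proposes, as an added PowerShell example that is not part of the thread: reissue the backend's self-signed certificate with every name it may be reached by, then, from the proxy, open a TLS session to the backend the way ARR would and report why Windows would reject the certificate. The host names and the 10.100.100.100 address are placeholders taken from the answer; the backend is assumed to listen on 443.

```powershell
# Added example, not from the thread. Names and addresses are placeholders taken
# from the accepted answer: host.domain.com (public FQDN), host.domain.local
# (internal name) and 10.100.100.100 (internal server). New-SelfSignedCertificate
# needs the PKI module (Windows 8 / Server 2012+); on 2008 R2 use certreq with a SAN.
param(
    [string]$PublicFqdn   = 'host.domain.com',
    [string]$InternalFqdn = 'host.domain.local',
    [string]$BackendIp    = '10.100.100.100'
)

# Step 1 (on the internal server): reissue the self-signed certificate so it covers
# every name the proxy might use, then bind it to the site's https binding in IIS.
$cert = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' `
    -DnsName $InternalFqdn.Split('.')[0], $InternalFqdn, $PublicFqdn
"Issued $($cert.Thumbprint) for: $($cert.DnsNameList.Unicode -join ', ')"

# Step 2 (on the reverse proxy): open a TLS session to the backend using the host
# name from the rewrite rule, and capture the validation verdict. A name mismatch
# or untrusted chain here is what ARR turns into the 502 "invalid response".
function Test-BackendTls {
    param([string]$TargetHost, [string]$ConnectTo, [int]$Port = 443)
    $script:PolicyErrors = 'None'
    $client = New-Object System.Net.Sockets.TcpClient($ConnectTo, $Port)
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:PolicyErrors = $errors   # remember the verdict (NameMismatch, ChainErrors)
        return $true                     # finish the handshake so the cert can be inspected
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($TargetHost)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            TargetHost   = $TargetHost
            Subject      = $remote.Subject
            DnsNames     = ($remote.DnsNameList.Unicode -join ', ')
            PolicyErrors = $script:PolicyErrors
        }
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}

# Compare the internal name the rewrite rule uses today with the public FQDN the answer recommends.
Test-BackendTls -TargetHost $InternalFqdn -ConnectTo $BackendIp
Test-BackendTls -TargetHost $PublicFqdn   -ConnectTo $BackendIp
```

Run step 1 on the internal server and step 2 on the proxy; a PolicyErrors value other than None for the name used in the rewrite rule is the condition to fix before ARR will accept the backend's response.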
