So you need to share port 443: Windows Reverse Proxy – IIS / ARR
So I have finally had to set up my first IIS / ARR reverse proxy the other day and it was not as easy as I had hoped. Having gotten through the tricky points I thought to take a moment to write up a quick how-to for everyone that wants to try this.
The basic steps are to set up a separate VM (AppProxy) with IIS installed and leave it off the domain so it can sit in the perimeter network; a workgroup box in the DMZ does not hand an attacker a domain-joined foothold if it is compromised, and it is the only host that needs to be reachable on 443 from the Internet.
I am doing this on 2012 R2 but the same steps should work for 2008 R2 or 2012. After installing the server and running all the Windows updates to bring it current, you can install IIS and .NET 3.5 and begin setting up the rewrite rules for the various service URLs you want to redirect.
- Install Windows Server
If you need help with this you can reference various articles on the web to get you to this point. Be sure to update the server with all available Windows updates so it is current on security fixes before it is exposed to the Internet.
- Install the IIS role and the .NET 3.5 feature
Open Server Manager.
Under Manage menu, select Add Roles and Features
Select Role-based or Feature-based Installation
Select the appropriate server (local is selected by default)
Select Web Server (IIS) next
Choose .NET 3.5 and .NET 4.x (4.5 on 2012 R2) and all of their sub-features
Click Next again and let the roles and features install to completion.
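The same role and feature installation done from an elevated PowerShell prompt on the proxy server, as an added example rather than the post's own steps. Feature names are the Server 2012 R2 ones; the `-Source` path for .NET 3.5 assumes the install media is mounted as D:, which you will need to adjust.

```powershell
# Added example: install what the post selects in the Add Roles and Features wizard.
# Run from an elevated PowerShell prompt on the (non domain-joined) proxy server.
Import-Module ServerManager

# Web Server (IIS) role, the IIS management console and ASP.NET 4.5
# (NET-Framework-45-Core is pulled in as a dependency of Web-Asp-Net45).
Install-WindowsFeature -Name Web-Server, Web-Mgmt-Console, Web-Asp-Net45 -IncludeManagementTools

# .NET 3.5 is not staged on a 2012 R2 install, so point -Source at the sxs folder
# on the install media. Assumption: the media is mounted as D:.
Install-WindowsFeature -Name NET-Framework-Core -Source 'D:\sources\sxs'

# Confirm what landed before moving on to the Web Platform Installer / ARR step.
Get-WindowsFeature -Name Web-Server, Web-Mgmt-Console, Web-Asp-Net45, NET-Framework-Core, NET-Framework-45-Core |
    Select-Object Name, InstallState
```

If `InstallState` shows anything other than `Installed` for `NET-Framework-Core`, the `-Source` path is wrong or the server has no line of sight to Windows Update; fix that before installing ARR, because the Web Platform Installer itself needs .NET.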
- Install the MS Web Platform Installer
Download and install the MS Web Platform Installer 4.6 from this link:
http://www.microsoft.com/web/downloads/platform.aspx
- Download and Install ARR Plugin for IIS
After you have installed the Web Platform Installer, use it to install ARR 3.0 (the URL Rewrite module is installed along with it as a dependency):
http://www.iis.net/downloads/microsoft/application-request-routing
- Run Windows Update again
Run Windows Update again to pick up the security updates and fixes for IIS and .NET.
- Open IIS Manager on the proxy server
You should now see an option for Server Farms listed under Sites.
- Setup Server Farms For Each URL Redirect
You will need to create a separate server farm for each of the hostnames you want to redirect. I have set this up to redirect all my Lync 2013, Exchange 2013, Nagios, RDP Gateway, and Spiceworks URLs.
- Create a server farm
Right click on Server Farms and create a new farm
Name the server farm the URL you are redirecting, for demonstration purposes I will start with my Spiceworks install.
Name = spiceworks.yourdomain.com
Hit Next
Server Address will be the LAN IP of the server hosting the service
Server address = 192.168.x.x
Under Advanced Settings is where you can send traffic that arrives on 443 to a different port on the backend server. For Lync you will redirect this from 443 to 4443, the port Lync uses for its external web services. Otherwise, if you are just redirecting 443 to 443, leave this setting alone.
Click Finish.
- Configure Caching, Proxy, and Routing Rules
On the server farm you created you need to set a few additional settings to keep traffic from timing out.
Under Caching – disable disk cache
Under Proxy – change the timeout to 200 seconds. This can be adjusted to fit your needs but I find 200 sec is plenty.
Under Routing Rules – uncheck Enable SSL offloading. With offloading enabled ARR would terminate TLS on the proxy and forward the request to the backend over plain HTTP; leaving it off makes ARR re-encrypt and talk HTTPS to the internal server, which is what the Scheme = https:// setting in the rewrite rule relies on.
- Set Rewrite Rules
Click on the servername in IIS and on the home screen choose URL Rewrite
You will see two default rules created for each of the server farms you created, one for HTTP and one for SSL.
Delete the one that is not SSL as we are only using this for 443 traffic.
(If you want to redirect port 80 you can leave that and set the rule but for the purposes of this How To I am only doing 443 / SSL.)
Double click the SSL rule and set the following settings
Requested URL = Matches Pattern
Using = Wildcards
Pattern = *
Ignore Case = Checked
Delete any Conditions that were created and then click Add
Condition input = {HTTP_HOST}
Check if Input string = Matches Pattern
Pattern = spiceworks.* (the Host header is supplied by the client, so use the full hostname, spiceworks.yourdomain.com, where your clients allow it)
Ignore Case = checked
Hit OK
Scroll down to Action
Action type = Route to Server Farm
Action Properties
Scheme = https://
Server farm = spiceworks.yourdomain.com
Path = /{R:0}
Stop processing of subsequent rules = checked.
Hit Apply in the upper right.
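Steps 7 to 10 scripted with the WebAdministration module, so the same farm and rewrite rule settings can be repeated for each hostname. This is an added example, not the post's own configuration; it assumes ARR 3.0 is installed, and the farm names, backend IPs and the `New-ArrFarmRoute` function name are placeholders.

```powershell
# Added example: create an ARR server farm plus its URL Rewrite routing rule,
# matching the settings chosen by hand in steps 7-10 of the post.
Import-Module WebAdministration
$AppHost = 'MACHINE/WEBROOT/APPHOST'

function New-ArrFarmRoute {
    param(
        [Parameter(Mandatory)] [string] $FarmName,        # also the public hostname, e.g. spiceworks.yourdomain.com
        [Parameter(Mandatory)] [string] $BackendAddress,  # LAN IP of the server hosting the service
        [int]    $BackendHttpsPort = 443,                 # 4443 for Lync external web services
        [string] $HostPattern = '',                       # {HTTP_HOST} condition; defaults to the full hostname
        [int]    $TimeoutSeconds = 200                    # proxy timeout from step 9
    )
    if (-not $HostPattern) { $HostPattern = $FarmName }
    $farm = "webFarms/webFarm[@name='$FarmName']"

    # Step 8: the farm and its single backend server, with the httpsPort override
    # that the wizard exposes under Advanced Settings.
    Add-WebConfigurationProperty -PSPath $AppHost -Filter 'webFarms' -Name '.' `
        -Value @{ name = $FarmName; enabled = 'True' }
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $farm -Name '.' `
        -Value @{ address = $BackendAddress; enabled = 'True' }
    Set-WebConfigurationProperty -PSPath $AppHost `
        -Filter "$farm/server[@address='$BackendAddress']/applicationRequestRouting" `
        -Name 'httpsPort' -Value $BackendHttpsPort

    # Step 9: proxy timeout (stored as a TimeSpan, 200 s -> 00:03:20) and disk cache off.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$farm/applicationRequestRouting/protocol" `
        -Name 'timeout' -Value ([TimeSpan]::FromSeconds($TimeoutSeconds).ToString())
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$farm/applicationRequestRouting/protocol/cache" `
        -Name 'enabled' -Value 'False'

    # Step 10: one global rewrite rule per farm, selected by the Host header.
    $rules    = 'system.webServer/rewrite/globalRules'
    $ruleName = "ARR_${FarmName}_SSL"
    Add-WebConfigurationProperty -PSPath $AppHost -Filter $rules -Name '.' `
        -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = 'True' }
    $rule = "$rules/rule[@name='$ruleName']"
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/match" -Name 'url' -Value '*'
    # Keep the {HTTPS}=on condition that ARR generates so only encrypted requests are forwarded,
    # then add the Host header condition the post uses to pick the farm.
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTPS}'; pattern = 'on' }
    Add-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/conditions" -Name '.' `
        -Value @{ input = '{HTTP_HOST}'; pattern = $HostPattern }
    # "Route to Server Farm" with Scheme = https:// is stored as a Rewrite to https://<farm name>/...;
    # the https scheme is what "SSL offloading disabled" means in the farm's Routing Rules page.
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name 'type' -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $AppHost -Filter "$rule/action" -Name 'url' -Value "https://$FarmName/{R:0}"
}

# Placeholder hostnames and LAN IPs. The first call reproduces the post's Spiceworks rule,
# including its spiceworks.* pattern; the second sends Lync to 4443 as described in step 8.
New-ArrFarmRoute -FarmName 'spiceworks.yourdomain.com' -BackendAddress '192.168.1.10' -HostPattern 'spiceworks.*'
New-ArrFarmRoute -FarmName 'lyncweb.yourdomain.com'    -BackendAddress '192.168.1.20' -BackendHttpsPort 4443
```

After running it, open URL Rewrite at the server level in IIS Manager and you should see one rule per farm in the same shape the post builds by hand; `Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'webFarms/webFarm'` lists the farms. The function leaves `{HTTPS}=on` in place on purpose: a request that reaches the proxy on port 80 then falls through to the default site instead of being proxied to an internal server.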
- Forward port 443 on the firewall to the IIS ARR server
Forward (NAT) port 443 on your firewall to the LAN IP of the new IIS ARR server and point the external DNS records for each hostname at the firewall's public IP. Only 443 needs to be opened; the backend servers themselves stay unreachable from the Internet and are only ever contacted by the proxy.
- Apply wildcard SSL cert
You will need a wildcard SSL cert for yourdomain.com on the new IIS ARR server. Either buy one from a 3rd-party CA or request one from your internal PKI for testing (clients outside your network will not trust the internal one). Either way, without the SSL cert installed and bound, this will not work.
Click the Server in IIS and on the Home screen choose Server Certificates.
Request the new wildcard cert (Create Certificate Request) and save the request to a text file.
Submit the request to your 3rd-party CA and download the issued certificate.
Go back to the IIS home screen, open Server Certificates and complete the certificate request.
Click on the Default Web Site in IIS, then click Bindings on the right and add or edit the https binding on 443.
Drop down under SSL certificate and choose the new cert you just imported / completed.
Hit OK
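The binding step from a PowerShell prompt, as an added example rather than the post's own procedure. It assumes the completed wildcard certificate is already in the Local Machine Personal store with its private key, and `yourdomain.com` is a placeholder for your own domain.

```powershell
# Added example: attach an already-imported wildcard certificate to the 443 binding of Default Web Site.
Import-Module WebAdministration

# Pick the wildcard cert by subject (placeholder domain); prefer the longest-lived one if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.yourdomain.com*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No wildcard certificate with a private key found in Cert:\LocalMachine\My' }

# Create the https binding on 443 if the site does not already have one.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}

# Bind the certificate to 0.0.0.0:443; replace any certificate that is already bound there.
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# Confirm which certificate is now bound and when it expires.
Get-Item $sslBinding | Select-Object IPAddress, Port, Thumbprint
$cert | Select-Object Subject, NotAfter, Thumbprint
```

The thumbprint reported for the binding must match the certificate's; if it does not, IIS is still serving an older cert. Because the private key for the whole `*.yourdomain.com` namespace now lives on a perimeter host, mark it non-exportable when you complete the request and limit who can log on to the proxy.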
- Repeat for other URL’s
Repeat steps 7 – 10 (create the server farm, set its caching, proxy and routing settings, and fix up the rewrite rule) for the other hostnames you want to redirect.
- Troubleshooting IIS ARR Using Failed Request Tracing
If you are having issues getting IIS ARR to work you can turn on Failed Request Tracing by Installing a feature under IIS – Health and Diagnostics called Tracing.
Open Server Manager
Add Roles and Features
Click Next until you reach Server Roles
Expand Web Server (IIS) > Web Server > Health and Diagnostics, check the box next to Tracing and install it
Open IIS Manager, click the Default Web Site and on the right under Configure choose Failed Request Tracing
Check the box to enable it, set a log path, then add a rule for all content that traces the Rewrite and RequestRouting areas of the WWW Server provider so you can see which rewrite rule matched and which farm the request was sent to
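The same Failed Request Tracing setup from PowerShell, as an added example that is not part of the post. It assumes Default Web Site is site ID 1 (so its traces land under `W3SVC1`) and uses a placeholder log directory.

```powershell
# Added example: install IIS Tracing and turn on Failed Request Tracing for Default Web Site,
# capturing the URL Rewrite and ARR request-routing areas for every request.
Import-Module ServerManager, WebAdministration
$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Site    = 'Default Web Site'
$LogDir  = 'C:\inetpub\logs\FailedReqLogFiles'   # placeholder; pick a path with room for verbose traces

Install-WindowsFeature -Name Web-Http-Tracing

# Enable tracing for the site and point it at the log directory (the checkbox + path in the post).
$siteLogging = "system.applicationHost/sites/site[@name='$Site']/traceFailedRequestsLogging"
Set-WebConfigurationProperty -PSPath $AppHost -Filter $siteLogging -Name 'enabled'   -Value 'True'
Set-WebConfigurationProperty -PSPath $AppHost -Filter $siteLogging -Name 'directory' -Value $LogDir

# One trace rule for all content. Status codes 200-999 means successful requests are traced too,
# which is what you want when the problem is a request being routed to the wrong farm.
$frt = 'system.webServer/tracing/traceFailedRequests'
Remove-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $frt -Name '.' `
    -AtElement @{ path = '*' } -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $frt -Name '.' -Value @{ path = '*' }
Add-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter "$frt/add[@path='*']/traceAreas" -Name '.' `
    -Value @{ provider = 'WWW Server'; areas = 'Rewrite,RequestRouting'; verbosity = 'Verbose' }
Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter "$frt/add[@path='*']/failureDefinitions" `
    -Name 'statusCodes' -Value '200-999'

# Reproduce the failing request, then open the newest trace file (site ID 1 assumed).
Get-ChildItem "$LogDir\W3SVC1" -Filter 'fr*.xml' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
```

Open the `fr*.xml` file with the `freb.xsl` stylesheet IIS drops in the same folder; the Rewrite events show which rule and condition matched the incoming Host header, and the RequestRouting events show the farm and backend address ARR chose. Turn the rule off again once you are done, as verbose tracing on every request fills the disk quickly on a busy proxy.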
- URL Rewrite Patterns For Common MS Products
Exchange Autodiscover: {HTTP_HOST} Matches the Pattern = autodiscover.yourdomain.com
In conclusion this is a fairly easy process but I was stuck on how to format the rules correctly. Once I realized that I had to delete what was automatically created and set it up manually I made progress quickly.
I am still having issues with the Spiceworks Android App not getting redirected properly on 443 but I am working on that now and I think I have a fix.
The fix for the Android app was that the URL needs a wildcard for the app. I set the rule as above and I am now able to get to my Spiceworks install over 443 through the IIS ARR!