ACE as Reverse Proxy

Can ACE function as reverse proxy without the ACE Web application Firewall?

Hi,
If you configure source NAT on all of the client traffic, the ACE will act more or less like a reverse proxy requesting the data from the server using the configured NAT IP instead of the client original one.
Just keep in mind that the ACE won't ever do any caching whatsoever so you can forget about it if this is what you are looking for.
Regards,
Nicolas

Similar Messages

ACE 4710, reverse proxy?

Hello All,
Please forgive my ignorance but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time. Thanks for your input.

Hi Mate,
The reverse proxy servers can perform many tasks, like:
Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
Reverse proxies can hide the existence and characteristics of the origin server(s), The ACE will do that.
Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult, The ACE has some built-in security features, you can refer to this document for full detail:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
Best regards,
Ahmad

ACE behind Reverse Proxy - performance issue

Hi,
I've got a config working to accommodate the required use of reverse proxy servers infront of my application servers. Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing. The use of the RP's appears to require using the persistence-rebalance option otherwise the traffic get stuck to the wrong app server. The app functions perfectly with this config; however, there is a severe performance impact. Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers..
Question: Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact.
Relevant Config for both ACE's here:
!!Front ACE
parameter-map type http HTTP_REBAL
persistence-rebalance
length-exceed continue
sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
timeout 60
replicate sticky
serverfarm ALPHA
policy-map type loadbalance first-match vip-R1A-ALPHA
class class-default
    sticky-serverfarm ALPHA-SRCIP-sticky
    insert-http SRCIP header-value "%is"
policy-map multi-match PREP-VIP
class VIP-ALPHA-R1A
    loadbalance vip inservice
    loadbalance policy vip-R1A-ALPHA
    appl-parameter http advanced-options HTTP_REBAL
    ssl-proxy server SSL_ALPHA_R1A
!!Back ACE
parameter-map type http HTTP_REBAL
persistence-rebalance
length-exceed continue
sticky http-header SRCIP ALPHA-SRCIP-sticky
timeout 60
replicate sticky
serverfarm coresoms-ALPHAfarm
class-map type http loadbalance match-all SRCIP-MAP
2 match http header SRCIP header-value ".*"
policy-map type loadbalance first-match vip-lb-ALPHA
class SRCIP-MAP
    sticky-serverfarm ALPHA-SRCIP-sticky
policy-map multi-match lb-vip
class VIP-ALPHA
    loadbalance vip inservice
    loadbalance policy vip-lb-ALPHA
    appl-parameter http advanced-options HTTP_REBAL

Hi Joseph,
To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
I have one possible theory for your issue.
The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, on a Internet environment can introduce around 100-200ms of delay for each HTTP request, which can end up adding into a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
From what you described, I asssume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure to keep connections always proxied. To do this, you would nee to configure a parameter map like the one below and add it to your VIP
    parameter-map type connection
      set tcp wan-optimization rtt 0
Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
I hope this helps
Daniel

ACE SSL Reverse Proxy for multible URLs

Hi,
I am trying to setup an ACE as a reverse proxy (one-arm mode) for HTTPS connections for multiple URLs to multiple serverfarms. From what i know i have two options:
1. Use different VIP for each URL and do
L4 loadbalancing or use a
combination of IP address and port.
2. Use different VIP for each URL, do
SSL offloading and do L7 URL based
loadbalancing.
So with these options i am bind to use different IPs for each site. Is there a way i can use one VIP and then offload SSL and do URL based loadbalancing? From my knowledge we are restricted by the nature of the SSL. The reason is that the SSL protocol is a separate layer which encapsulates the HTTP protocol. So the problem is that the SSL session is a separate transaction that takes place before the HTTP session even starts so there is no visibility of the HTTP header.
Any comments appreciated
George Georgiou

Geroge,
your understanding is absolutely correct.
We need to know the site in order to decrypt te traffic because the certificate is associated to a domain name.
But without decrypting, we can't see the domain name.
So, the only way to know the domain without decrypting is to allocate a single ip to each domain.
There is no other solution.
Gilles.

ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

Hi All,
I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
The customer wants the following:
They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
So that all traffic goes trough that server, that server then forwards the request to the original serverfarm.
The problem in my design is in the fail-over, if i configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
I could give the original serverfarms rservers a 'backup standby' server but that won't give the desired effect either.
For maintance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there where operational servers in the farm left.
The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
Anyone have an idea how to build this?

Hi,
It need additional testing but as per my understanding if you put the back up in this order then the last backup server will be choosen first.
In your case it will be like " RSERVER1 >> backup sorry server >> backup web content
As per the below example:
I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
serverfarm host 1313-GIN-GWAP-SDC-80
rserver RSERVER1
    backup-rserver test1
    inservice
rserver test1
    inservice standby
rserver test2
    inservice standby
regards,
Ajay Kumar

ACE Reverse Proxy question

Hello, I have a client that needs to reverse proxy sessions to two backend servers. Can the ACE preform reverse proxies?

Gregg,
you need to create an action-list and assign it to your policy-map
switch/Admin(config)# action-list type optimization http avs_default
switch/Admin(config-actlist-optm)# ?
Configure optimization actions:
appscope Appscope measurement against optimization
cache Cache optimization
delta Delta optimization
do EXEC command
dynamic Enable just-in-time object accelaration
end Exit from configure mode
exit Exit from this submode
flashforward Flashforward optimization
flashforward-object Flashforward object optimization
no Negate a command or set its defaults
You will probably want to use cache forward or cache dynamic.
More info at
http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/2.0/user/guide/UG_optimization.html
Gilles.

What is the alternative to TMG/ISA For SSL-Bridging-Capable Reverse Proxy For System Center 2012 R2 IBCM?

When I look up alternatives to TMG many other answers say something like "Don't worry about it. TMG 2010 is under support until 2020."
Well, we don't have TMG and can't buy it since it is off the market. Can it still be legitimately purchased through any resellers?
We need a reverse proxy that specifically supports SSL-Bridging so that device certificate authentication is not broken when the connection passes through the proxy.
Which reverse proxies that are currently on the market are known to work successfully with System Center Config Manager Internet-Based Client Management and also with other Microsoft products such as Lync 2010 and RD Gateway 2012 R2?
Do any Cisco ASA or ACE models support the required functionality for machine certificate authentication?
We have ISA 2006 licenses available, but I would hate to roll that out and then have to replace it in only 2 years rather than using something that can stay in place long term. Maybe we could use ISA 2006 temporarily as a stopgap if the next version
released of Windows Server Web Application Proxy would meet the requirements and can be deployed in production before ISA 2006 is completely EOL.
I hate that Microsoft keeps discontinuing all the related products to this before they have their replacements ready.

Hi,
You are correct, all TMG product sales officially ended in December 2012.
In addition, an ISA Server and a TS Gateway server can be used together to enhance security for remote connections to internal network resources. However, it
seems that ISA 2006 cannot support that on Windows Server 2012 R2. For more detailed information:
Configuring the TS Gateway ISA Server Scenario
Personally, Web application proxy would be an alternate. In addition, for the question related to Cisco product, you can contact Cisco for assistance.
Best regards,
Susie

Can the 4710 reverse proxy like the Apache rerwite rule

We currently have web servers configured with Apache that act as reverse proxies using an Apache rewrite rule. The end user connects to the Apache web server and it proxies that connection to the backend app server. Is the 4710 capable of acting as a reverse proxy like Apache which would eliminate the need for a web server?
Thanks

Hi,
Although this is not the most common scenario it is doable. What you will need is to NAT the client source IP to the ACE VIP and send the request to the web server. If there is a web farm then you can use another context of ACE to loadbalance the request to the web farm.Actually i have setup ACE as a reverse proxy in replacement of an ISA server by using the one-arm mode for the implementation. Beware though that you will need to use Policy Based Routing or NAT so as for the return traffic to go though ACE. Also you will need to insert the client IP in the x-forwarded-for HTTP header for proper analysis (as you would do with Apache).
See below link for routed mode (it is for the c6500 / ACE module but same applies for the ACE 4710 appliance
http://supportwiki.cisco.com/ViewWiki/index.php/Configure_ACE_with_Source_NAT_and_Client_IP_Header_Insert
Hope it helps,
./G

How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

Some of our installations use the Sun Web Server 7.0 (update 1, usually)
for hosting some of the public resource and reverse-proxying other parts
of the URI namespace from other backend servers (content, application
and other types of servers).
So far every type of backend server served a unique part of the namespace
and there was no collision of names, and the backend resources were
published in a one-to-one manner. That is, a backend resource like, say,
http://appserver:8080/content/page.html would be published in the internet
as http://www.publicsite.com/content/page.html
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.
Another quest, possibly related in solution, was to make a tidy url for the
first page the user opens of the site. That is, in the current solution when
a visitor types the url "www.publicsite.com" in his or her browser, our web
server returns an HTTP-302 redirect to the actual first page URL, so the
browser sends a second request (and changes the URL in its location bar).
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly i the first HTTP request.
So far I found that I can't solve these problems. I believe these problems
share a solution because it relies on ability to control the actual URI strings
requested by Sun Web Server from backend servers.
Some details follow, now:
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
[04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
fn="service-passthrough" rewrite-host="true" rewrite-location="true"
servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
returned 0 (REQ_PROCEED)My obj.conf file currently has simple clauses like this:
# this causes /content/* to be taken from another (backend) server
NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
# this causes requests to site root to be HTTP-redirected to a certain page URI
<If $uri =~ '^/$'>
    NameTrans fn="redirect"
        url="http://www.publicsite.com/content/MainPage.html"
</If>
<Object name="content-test">
### This maps http://public/content/* to http://10.16.2.127:8080/content/*
### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
    Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
    Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
</Object>
I have also tried "restart"ing the request like this:
    NameTrans fn="restart" uri="/data"or desperately trying to set the new request uri like this:
    Service fn="set-variable" uri="/magnoliaPublic/Main.html"Thanks for any ideas (including a statement whether this can be done at all
in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
//Jim

Some of our installations use the Sun Web Server 7.0 (update 1, usually)please plan on installing the latest service pack - 7.0 Update 4. these updates addresses potentially critical bug fixes.
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.> now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
yes, you could do something like
- edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
<Object name=¨default¨>
<If $uri = ¨/page/¨>
#move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
NameTrans.. fn=map
</If
</Object>
and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
<install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
>
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly i the first HTTP request.
please check out the rewrite / restart SAF. this should help you.
http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don´t have to download a separate plugin . however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
feel free to post to us if you need any futher help
you are probably better off - starting fresh
- install ws7u4
- use gui or CLI to create a reverse proxy and map one on one - say content
http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
if you don´t plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
<install-root>/bin/wadm disable-java user=admin config=<hostname>
<install-root>/bin/wadm create-reverse-proxy user=admin uri-prefix=/content server=<http://your back end server/ config=<hostname> --vs=<hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
>
I have also tried "restart"ing the request like this:
NameTrans fn="restart" uri="/data"
ordering is very important here... you need to do this some thing like
<Object name=default>
<If not $restarted>
NameTrans fn=restart uri from=/¨ uri=/foo.
</If>

Lync Reverse Proxy Alternatives

When migrating from OCS 2007 to Lync 2010, we balked Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
TMG is way too expensive and complex for such a limited, simple use case.
I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
We decided to use Apache 2.2 on Windows Server 2008 R2.
Here's how we configured it:
Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.
http://technet.microsoft.com/en-us/library/gg398069.aspx
Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.
http://httpd.apache.org/download.cgi
We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
Use the Certificates MMC on your front end server to export the certificate and include the private key.
Transfer the resultant .pfx file to your reverse proxy server.
Use OpenSSL to convert your .pfx file to PEM:
openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem –nodes
Separate the private key from the certificate using notepad:
Open the new .pem file and cut the text from the beginning of the file through the end of the “----END RSA PRIVATE KEY----“ tag.
Save that text to a new file named
yourcert.key.
Save
yourcert.pem, which should now only include the certificate.
Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl
for storing the certificates.
Edit httpd.conf (typically in
C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
(See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
for more information on each directive)
Uncomment the following lines, which will enable proxy and SSL:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Add the following lines to configure reverse proxy behavior:
#Be a reverse proxy, not a forward proxy
ProxyRequests Off
#Accept requests from any client to any URL
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
#Set the network buffer to improve throughput
ProxyReceiveBufferSize 4096
#Configure the Reverse Proxy to forward all requests to your front end server on 4443
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
#Preserve Host Headers for Lync
ProxyPreserveHost On
Optionally, configure logging directives, bindings and server name.
Save and close httpd.conf
Edit httpd-ssl.conf (typically in conf\extra):
Configure the session cache:
Uncomment:
SSLSessionCache “dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache”
Comment out:
SSLSessionCache “shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)”
Locate the <VirtualHost _default_:443> tag and configure the following:
Add the following directive:
SSLProxyEngine On
Configure the path to your SSL Certificate saved in step 3-5 above:
SSLCertificateFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem”
Configure the path to your private key saved in step 3-5 above:
SSLCertificateKeyFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key”
Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
Optionally, configure logging directives.
Save and close httpd-ssl.conf
Restart the Apache2.2 service
Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of
the reverse proxy to talk to the front end Lync server on 8080 and 4443.
From an external connection, test connectivity through the reverse proxy:
Test
https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
Test the Lync Web App by setting up an online meeting and following the URL to join the meeting.
You can force the use of the web app by appending ?sl= to the end of the meet.company.com link.
See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
Hope this information is helpful and saves some of you some money and trouble.
Please contact me if you need further clarification or see any mistakes in my notes.
Best regards,
Kenneth Walden
Enterprise Systems Supervisor
GSD&M
Austin, TX

I'd like to thank you for this article. We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product. Anyways, your
blog saved me a LOT of headache. I owe you big time.
AWESOME JOB.
-Greg
*****EDIT***
Decided to come back in there and post good information. We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting. The "DIALUP" url was working fine but the "MEETING" url was broken. On our WFE servers we were getting
the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON". Once we put that in there ALL was good.
Notice that the MEET portion was the only thing that was really broken. So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but you're RP is sending the wrong HEADER. Look for
http://10.x.x.x/meet/ or soemthing in the event logs.
Log Name:      Application
Source:        ASP.NET 2.0.50727.0
Date:          11/16/2011 1:26:35 PM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      OneofMyInternalWFEservers.local
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/16/2011 1:26:35 PM
Event time (UTC): 11/16/2011 6:26:35 PM
Event ID: b2039ecd0a62482284030f62e1e639d8
Event sequence: 129
Event occurrence: 28
Event detail code: 0
Application information:
    Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
    Trust level: Full
    Application Virtual Path: /meet
    Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
    Machine name: MYWFE.local
Process information:
    Process ID: 14204
    Process name: w3wp.exe
    Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
    Exception type: HttpException
    Exception message: Server cannot append header after HTTP headers have been sent.
Request information:
    Request URL:
https://FQDN:4443/meet/MyName/456456
    User host address: gatewayIP
    User:
    Is authenticated: False
    Authentication Type:
    Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
    Thread ID: 7
    Thread account name: NT AUTHORITY\NETWORK SERVICE
    Is impersonating: False
    Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
    <Provider Name="ASP.NET 2.0.50727.0" />
    <EventID Qualifiers="32768">1309</EventID>
    <Level>3</Level>
    <Task>3</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-11-16T18:26:35.000000000Z" />
    <EventRecordID>4483</EventRecordID>
    <Channel>Application</Channel>
    <Computer>XXXXXXXXXXXXXXXXXX</Computer>
    <Security />
</System>
<EventData>
    <Data>3005</Data>
    <Data>An unhandled exception has occurred.</Data>
    <Data>11/16/2011 1:26:35 PM</Data>
    <Data>11/16/2011 6:26:35 PM</Data>
    <Data>b2039ecd0a62482284030f62e1e639d8</Data>
    <Data>129</Data>
    <Data>28</Data>
    <Data>0</Data>
    <Data>/LM/W3SVC/34578/ROOT/meet-1-129658725547585993</Data>
    <Data>Full</Data>
    <Data>/meet</Data>
    <Data>C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\</Data>
    <Data>SNKXS300</Data>
    <Data>
    </Data>
    <Data>14204</Data>
    <Data>w3wp.exe</Data>
    <Data>NT AUTHORITY\NETWORK SERVICE</Data>
    <Data>HttpException</Data>
    <Data>Server cannot append header after HTTP headers have been sent.</Data>
    <Data>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
    <Data>/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
    <Data>10.71.1.1</Data>
    <Data>
    </Data>
    <Data>False</Data>
    <Data>
    </Data>
    <Data>NT AUTHORITY\NETWORK SERVICE</Data>
    <Data>7</Data>
    <Data>NT AUTHORITY\NETWORK SERVICE</Data>
    <Data>False</Data>
    <Data>   at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
   at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
</Data>
</EventData>
</Event>

IIS Reverse Proxy with URL rewrite.

Hi all, hoping to leverage the wealth of knowledge contained here.
Any assistance would be very welcome.
I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
I need to redirect all requests with a specific virtual directory suffix only.
ie; https://domain.test.com/outbound/Content/query_etc
With /Outbound/ being the trigger.
This should be redirected to http://10.10.10.10/inbound/Content/query_etc
While at the same time, requests without the /outbound/ suffix should be handled locally.
I have configured the reverse proxy as described in a few articles, and have had no luck.
Here's a snippet from my (sanitized) web.config at the site level.
<rewrite>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
<action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="^outbound/(.*)" />
<action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
</rule>
</rules>
</rewrite>
To me, this looks correct, yet it doesn't work.
With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

Hi Andrew,
Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
By using URL Rewrite Module together with
Application Request Routing module you can have IIS 7 act as a
reverse proxy.
It seems like URL Rewrite can't re-route the request somewhere else out of the server.
Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc it will fail with 404.
Hosting multiple domain names under a single account using URL Rewrite.
It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
References:
How to create a url alias using IIS URL Rewrite:
http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
Reverse Proxy with URL Rewrite v2 and Application Request Routing:
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Regards,
Satyajit
Please“Vote As Helpful”
if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

How to change Script path for Reserved.ReportViewerWebControl.axd when working behind reverse proxy?

Hi,
My application works behind a reverse proxy which has polices for secure and unsecure areas of the application. Architecture and Infra team is not willing to allow any root level policies in any case
When report viewer control is rendered on the page, it is adding a reference to the http handler Reserved.ReportViewerWebControl.axd in the script tag and the URL is at the root level. Unfortunately like other AjaxControlToolkit web resources I cannot modify
the URL to refer to the local script using ScriptManager.
Do we have any other property / means by which I can get this altered.
It is so unfortunate that the Microsoft.ReportViewer.WebForms assembly resources like scripts etc are not exposed as webresource at the assembly level and there is no way to modify this.
Does anyone has any solution to this?
Appreciate your help
Thanks in advance
Badal

Hi Badal,
Thank you for your question.
I am trying to involve someone more familiar with this topic for a further look at this issue. Sometime delay might be expected from the job transferring. Your patience is greatly appreciated.
Thank you for your understanding and support.
Thanks,
Alisa Tang
If you have any feedback on our support, please click
here.
Alisa Tang
TechNet Community Support

WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
The appserver7 has both listener for port 80 and 443 enabled.
I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
<Object name="passthrough">
ObjectType fn="force-type" type="magnus-internal/passthrough"
Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.2
8.48.53"
However, it still doesn't work.
Do I need to install a self cert in the webserver and enable the ssl listener as well?
Do I need to install any reverse proxy addon for the appserver? Any
setup for the obj.conf in the appserver?
Any ideas how to get this done?
Thanks.
Mac.

The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that hapens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.

How to set up reverse proxy to allow user access portal site from internet

Hi all,
I have installed 10g(10.1.2.0.2) AS on same machine(single IP for both mid and infra with different users respectively). there is a DMZ on which windows IIS is working through which we need to redirect the request to application server such that users access portal page from internet (within intranet all URLs are working fine). I have went through technet documentation where i found 3 ways : through this link
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
I am confused to which option to use. Also i went through the metalink document 270160.1
Please help me which option to choose to do this.
Thanks.

Hi Hozy,
May be it's too late, I am thinking to go in the same route for our sap portal access to external customers. Please can you share your experience , like what are the challenges have you faced? what is the complexity? what are all the resources we need to configure this?
I appreciate your feedback.
Thanks
Krish

Reverse proxy to applications on a server by just domain names possible?

Hi All
I am looking for a solution to set up a single server, that hosts four J2EE web applications running on a Glassfish application server with just only one IP address.
When a user wants to use an application, he/she can just type URL without specifing port and path, and the corresponding web application will be displayed accordingly as shown below
http://sub1.domain1.com -- > webapp1 at port 9100
https://sub2.domain1.com -- > webapp2 at port 9200
http://sub1.domain2.com -- > webapp3 at port 9300
https://sub2.domain2.com -- > webapp4 at port 9400
I am wandering whether I could use reverse proxy of Sun Java System Web Server 7 to route the traffic from the domain names to their own application on Glassfish as shown above? I tried by creating two HTTP listeners to listen at port 80, and 443 respectively, but I could not access different applications based on domain names without specifying specifix path or port.
Is there any recommended resources or example of the mapping, or any other suggested solution?

Thank you for your reply nsegura. I created 4 different virtual servers as you suggested and it worked :)
However, I have a problem in reverse proxy base on path.
The scenario is below
I have an J2EE application that needs to be deployed in three different environment (production, training, testing). It
is the same application for three environments, so I want them to have the same context-root. I want to use Sun Web Server 7.0 to reverse proxy to the application in each environment based on path, not URL redirect. Example of URL are shown below
https://sub.domain3.com/app -- > http://localhost:9500 (with context-root /app)
https://sub.domain3.com/training/app -- > http://localhost:9600 (with context-root /app)
https://sub.domain3.com/testing/app -- > http://localhost:9700 (with context-root /app)
So far, it works if I set context-root of the application in each environment differently
https://sub.domain3.com/app -- > http://localhost:9500 (with context-root /app)
https://sub.domain3.com/training/app -- > http://localhost:9600 (with context-root /training/app)
https://sub.domain3.com/testing/app -- > http://localhost:9700 (with context-root /testing/app)
I am wandering whether there is a solution with Sun Web Server 7 that I can use to achieve reverse proxy of the same application in different environments without having to modifying context-root for each environment and use URL redirect?
I was thinking about using rewriting path with reverse proxy, but I did not see this function under reverse proxy tab.
Any ideas?

ACE as Reverse Proxy

Similar Messages

Maybe you are looking for