Certificate and Reverse Proxy

Hi everyone,
I'm trying to configure a Push Mail solution with my iPhone 2 (2.1) in my company.
The goal is to access my Exchange server through a reverse proxy with a certificate for authentication.
FIRST TEST:
- Set up the configuration on the iPhone to connect to a public IP address as the Exchange Server.
- On the reverse proxy, this IP is forwarded to the Exchange Front-End server.
- On the reverse proxy, NO certificate is configured for authentication -> It's working fine! I can see my e-mails & calendar on my iPhone!
Bad solution for security reasons...
SECOND TEST:
- Activate the certificate on the reverse proxy.
- Install the certificate on the iPhone with the Web Configuration utility: the certificate is shown in the General tab on the iPhone.
- Trying to connect, ERROR... I can see in the event log of my reverse proxy that no valid certificate from my iPhone was submitted.
Any idea why the iPhone doesn't send the certificate to allow authentication on my reverse proxy?
Thank you,
Stan

Kristoffer,
The answer will depend on how you have NGINX configured from a reverse proxy standpoint. The certificate will need to match the hostname entered on the client, in this case sapmobile.customer.com. Since the traffic from the client will never get directly to the SMP 3 server, the certificate should be installed on the NGINX installation, as this is where the Agentry client will connect to and receive the certificate to validate against the hostname entered.
NGINX will need to also be configured to validate the connection between itself and SMP 3.0 or to ignore the certificate if it doesn't trust it.
The certificate on the SMP 3 server should be able to stay as the internal machine name assuming NGINX is acting as a true proxy and not just passing traffic through to the SMP 3 server.
Unfortunately I am unable to open the link you included on SDN to review what it says.
--Bill
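
The NGINX arrangement Bill describes, as an added configuration example that is not from the original thread: the certificate for sapmobile.customer.com sits on NGINX, and the proxy either validates or ignores the SMP 3 server's internal certificate. The file paths, the internal host name smp3-host.internal.example, port 8081 and the internal CA bundle are assumptions.

```nginx
# Added example. Paths, the upstream host name and port are assumed placeholders.
server {
    listen 443 ssl;

    # Hostname the client enters (from the post). The certificate below
    # must carry this name, because this is the endpoint the client validates.
    server_name sapmobile.customer.com;

    ssl_certificate     /etc/nginx/tls/sapmobile.customer.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/sapmobile.customer.com.key;

    location / {
        # NGINX opens its own TLS session to the SMP 3 server, so the SMP 3
        # certificate can keep the internal machine name.
        proxy_pass https://smp3-host.internal.example:8081;

        # Option A (validate the backend): trust the CA that issued the
        # SMP 3 certificate and check the name in it.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_name                smp3-host.internal.example;
        proxy_ssl_server_name         on;   # send SNI with that name

        # Option B (ignore the backend certificate): this is the nginx default.
        # The hop to SMP 3 is then encrypted but not authenticated.
        # proxy_ssl_verify off;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With Option A, a backend certificate that is expired, issued by an untrusted CA, or issued for a different name makes NGINX return 502 and log an upstream SSL verification error instead of forwarding the request.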

Similar Messages

  • Combining Lync Edge certificate of Reverse Proxy

    I wonder if creating a certificate from the combined Lync Edge server and Reverse Proxy names will work?
    I want to create a certificate for Lync Edge with CN = sip.domain.com and add the names required for the Edge and Reverse Proxy as additional DNS names:
    sip.domain.com 
    webconf.domain.com
    webext.domain.com
    meet.domain.com
    dialin.domain.com
    lyncdiscover.domain.com

    Hi,
    Yes, you can use the same certificate for both the Edge Server (external interface) and the Reverse Proxy, with a SAN including all the names the Edge Server and Reverse Proxy need (such as: webcon.contoso.com, sip.contoso.com, webext.contoso.com, meet.contoso.com, dialin.contoso.com, lyncdiscover.contoso.com, and so on).
    More details:
    https://technet.microsoft.com/en-us/library/gg398519.aspx?f=255&MSPPError=-2147217396
    https://technet.microsoft.com/en-us/library/gg429704.aspx
    There is no special SAN for federating with Skype. However, the certificate must be the public SAN certificate.
    Best Regards,
    Eason Huang

  • Transparent proxy and reverse proxy at the same time

    Can I have in a Content Engine v 4.2 transparent proxy and reverse proxy at the same time ?

    Yes, as long as you are not redirecting the two services on the same interface. One service takes precedence over the other and I believe transparent web-cache redirect takes precedence over reverse-proxy.

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for LYNC 2013 EDGE SERVER.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    what else I should add ? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
    SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
    can present the third party certificate.
    SWC Unified Communications

  • HTTP tunneling and reverse proxy server

    We're currently using Windows Media Services (WMS) to stream video on our website. There is an option in WMS to use the HTTP protocol and to specify the port you'd like to use. This has allowed us to stream video through our external firewall, through our reverse proxy server, and through our internal firewall to our media server. I've been trying for two days now to get Flash Media Server (FMS) to do the same thing. For some reason the HTTP tunneling (RTMPT) protocol doesn't appear to be acting like the HTTP protocol that WMS is using. Anyone have some tips on this configuration? I've scoured web resources and documentation as best I could. Any help would be greatly appreciated.
    Thanks.


  • ISP redundancy and reverse proxy

    Greetings, community!
    We have two EDGE TMG servers and two INTERNAL TMG servers.
    We have two providers with two dedicated external IP addresses each.
    I configure ISP Redundancy for each EDGE TMG server with these parameters:
    Each EDGE TMG server has two External NIC and one Internal NIC. 
    EDGE 1: Provider1_IP1 and Provider2_IP1
    EDGE 2: Provider1_IP2 and Provider2_IP2
    ISP Connections:
    Provider1 and Provider2
    So, the trouble:
    We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
    Also we made 4 external DNS records for each Web-Service.
    For example:
    mail.domain.com Provider1_IP1
    mail.domain.com Provider1_IP2
    mail.domain.com Provider2_IP1
    mail.domain.com Provider2_IP2
    If we try to connect from external to any published Web-Service, we have a big delay (~ 30 sec), and then it connects.
    After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. IP addresses from EDGE 1 are unavailable from external access. But it still works as Web-Proxy for Internal connections. Reverse-Proxy works only for EDGE 2 IP addresses.
    If we shut down the EDGE 2 TMG server, then Reverse-Proxy for EDGE 1 IP addresses works correctly.
    Why do all 4 of my external IP addresses not work for reverse-proxy? Only the 2 from one of my EDGE servers do.

    So, I still try to solve my problem...
    When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
    LOGS on DMZ server (EDGE1):
    Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3427) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 21000ms Original Client IP: 77.73.111.194 
    LOGS on INTERNAL server:
    Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection was abortively closed after one of the peers sent an RST packet.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 304 Number of bytes received: 192
    Processing time: 20281ms Original Client IP: 77.73.111.194
    When I try to connect my EDGE2 server external IP addresses, then:
    LOGS on DMZ server (EDGE2):
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 534 Number of bytes received: 146
    Processing time: 203ms Original Client IP: 77.73.111.194
    Then traffic was redirected to HTTPS:
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTPS 
    Source: External (77.73.111.194:3430) 
    Destination: Internal (172.16.0.100:443) 
    Protocol: HTTPS Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    LOGS on INTERNAL server:
    Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
    Rule: Publish OWA 
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: http 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:  
    It's OK, because IIS require SSL. Then:
    Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194 
    Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 786 Number of bytes received: 318
    Processing time: 15ms Original Client IP: 77.73.111.194
    And HTTPS:
    Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 302 Moved Temporarily 
    Rule: Publish OWA 
    Source: External (77.73.111.194:3430) 
    Destination: Local Host (10.1.200.129:443) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: https 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x40000000 (Response should not be cached.)
    Processing time: 1 MIME type: text/html; charset=UTF-8 
    I can't understand the difference between these servers. If I shut down EDGE2, the Publishing will work fine through EDGE1.

  • Lync 2013 Edge and Reverse proxy on same server with SNI

    Hello
    I cannot find information if it is possible to create a single Lync 2013 Edge server with a Reverse proxy on the same server?
    Would it not be possible to share port 443 with SNI support? That way we could use only one public IP?
    Thanks!

    Sorry, it doesn't work.  Remember that 443 isn't HTTPS for the Edge.  If you went with the single IP model for the edge, 443 would be used for the A/V role which would be STUN/TURN. 
    The edge will always want to listen on 443, it just doesn't work to collocate a reverse proxy.
    SWC Unified Communications

  • HTTP Filtering and Reverse Proxy + DMZ

    Hello all, I'm consolidating a number of my services and securing up my network.
    To give some context I have 1 static IP, several websites in the form of subdomain.domain.com where domain.com is the same but there are numerous subdomains which reside on different servers. Until recently we were just using port forwarding, etc. to access
    these remotely (subdomain.domain.com:9090, subdomain2.domain.com:9091) etc. but I would like to clean this up.
    We have a 5505 ASA which our static IP is natted to. That has a static route to an IIS server in the 'DMZ' portion of our network. I would like to find a way to have this server see 'subdomain1.domain.com' and send it to the server hosting that service, and
    so on for the other services. 
    I think I want to use Reverse-Proxy but I have never delved in to IIS 8 before and the extent of my reverse proxy experience was using nginx to host several web services for a friend. 
    If I could get any advice on 1) how to filter the url requests and direct them to the right server (some are non-windows servers) and 2) how to do this securely from the DMZ to the internal lan?
    Thanks SO much for any help!

    To give a better picture, here's a more complete description of set up and goals
    Static IP hits external interface of ASA. ASA has a static nat rule to forward it to my DMZ server.
    DMZ server is running IIS 8. Here are what some of the sites look like.
    jira.xxxxx.com -> 10.1.10.21 (ubuntu server) | port 80
    email.xxxxx.com - > 10.1.10.16 (domain joined server 2012) port 80, 443
    media.xxxxx.com -> 10.1.10.14 (domain joined server 2012) port 80, 443
    other stuff like this -> 10.1.10.x port 80 or others
    All of the A records for those domain names point to the static which routes to the ASA and then is NAT'd to the DMZ server. 
    What do I need to do in IIS to have those sites get directed to the proper internal locations?
    Thanks!!

  • VIrtual host and reverse proxy  FOR EBIZ R12.0.6

    we have 4 dev EBIZ instances on a single hp_ux itanium server on which I have to setup one instance for virtual hosting and to work behind a reverse proxy .
    any particular documents or steps for this.
    Thanks
    mn

    Implementing Virtual Host, Concurrent Managers and EM DBconsole on Oracle Applications R12 [ID 603883.1]
    Conc-System Node Name Not Registered After Fresh Install Using Virtual Name [ID 948644.1]
    Is Auto Failover With Virtual Hostnames For Concurrent Processing Servers Supported In 11i Or R12? [ID 456540.1]
    Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration - R12 [ID 726953.1]
    Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
    Thanks,
    Hussein

  • Omniportlet and reverse proxy

    I have an Oracle Portal installation behind a reverse proxy with Portal on 1 server, SSO/OID on another server, and the database on a 3rd server.
    Portal works fine, but Omniportlet and Webclipping are using the server name and port for the Portal server and not the reverse proxy URL. The Portal server name and port are, of course, not accessible to users.
    There is no proxy between the Portal and the database.

    Originally Posted by ghuertae
    Hi.. I have one server with one internal IP 10.x.x.x with reverse proxy to one public IP 159.x.x.x. Why? Because we need that server to be usable by public and internal users.
    For example, an external user has a server 200.x.x.x and they need to connect to my server 159.x.x.x on different ports like 8020, 8000 and port 22 (ssh).
    With ports 8000 and 8020 there is no problem, they can connect.. but not with port 22.
    I made the following filter in my Border Manager 3.8 (Novell 6.0):
    Src Interface : ALL
    Dest Interface : ALL
    Packet Type: ssh (default 22)
    Src Port: ALL
    Protocol: TCP
    Dest Port: 22
    Src Add Type: Host
    Src IP Add: 200.X.X.X
    Dest Add Type: Host
    Dest IP Add: 159.X.X.X
    and
    Src Interface : ALL
    Dest Interface : ALL
    Packet Type: ssh2 (default 22)
    Src Port: 22
    Protocol: TCP
    Dest Port: ALL
    Src Add Type: Host
    Src IP Add: 159.X.X.X
    Dest Add Type: Host
    Dest IP Add: 200.X.X.X
    In the BorderManager server setup "Acceleration -> HTTP Acceleration" I put Web server port 22 / Named IP Address the internal IP, and in Proxy IP Addr the public IP.
    If I did a Tel 159.X.X.X 22 I can connect, but if I use a program putty
    ssh 159.X.X.X command I cannot connect..!!!
    Is there an error in my filter? Or is there something else that I have to do?
    Thanks a lot.
    OK, the solution that I found is... use the reverse proxy and NAT for the same IP and it works fine.
    I can access ssh without problem..!

  • SAPUI5 app and Reverse proxy configuration

    Hi
    I'm trying to configure a proxy server for a Cross-Origin Resource Sharing issue.
    I have configured the steps below on my machine.
    1. I have developed an application which consumes data through OData.
    2. Downloaded and configured Apache server and enabled the proxy module as per this URL:
    http://scn.sap.com/community/developer-center/front-end/blog/2013/06/29/solving-same-origin-policy-issue-in-different-ways
    3. In the httpd.config file, added the reverse proxy setup below:
    ProxyPass /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
    ProxyPassReverse /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
    4. Changed my service url as
    var serviceUrl = "proxy/http/localhost/poodata";
    5. Also I have added java-property-utils-1.9.jar and cors-filter-1.8.jar, then
    in web.xml I have added the following, even though it seems not necessary.
      <filter>
      <display-name>CacheControlFilter</display-name>
      <filter-name>CacheControlFilter</filter-name>
      <filter-class>com.sap.ui5.resource.CacheControlFilter</filter-class>
      </filter>
      <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      </filter>
    6. Finally, when I am executing the application through http://localhost:9080/SamplePO/ it's working. But when I use the IP address instead of localhost it shows NO DATA and throws the "500 internal server error - only allowed for local testing".
    Also the application is trying to fetch data from 'http://10.130.41.158:9080/SamplePO/proxy/http/localhost/poodata/$metadata' where the location should be 'http/localhost/poodata/$metadata'.
    I want to access this application on my iPad through WiFi by passing the IP address followed by the application name (http://10.130.41.158:9080/SamplePO).
    Please help me to fix this issue.
    Regards
    Yokesvaran Kumarasamy

    Hi Michael Herzog /  DJ Adams / Frank Welz,
    It seems you have v.good knowledge on this, can you please help with this issue.
    Thanks in Advance
    Regards
    Yokesvaran Kumarasamy

  • Need in-depth knowledge about Certificate request and install for Reverse proxy and CAS role

    Hi,
    I have a few confusions about Exchange 2010/13 certificate request and install. As per my understanding, best practice is to assign a public CA certificate to the Reverse proxy and a Local CA certificate to the CAS servers, but I need to know what the format of the certificate request should be. Do we need to order a public certificate just for mail.domain.com and add SANs for the other web services URLs, and is it required to add the CAS array and server names to this certificate? In what case will we add server names and what will happen if we don't add them? How will the Outlook clients connecting from the internet be using this certificate? I have very limited knowledge of certificates and it always pisses me off. Please help me with explanations and articles. I tried to google and went through many articles but didn't get a fair idea. Thanks in advance. :)

    Hi,
    Here are my answers you can refer to:
    1. Use the New-ExchangeCertificate cmdlet to generate a new certificate request:
    New-ExchangeCertificate -domainname mail.domain.com, autodiscover.domain.com -generaterequest:$true -keysize 1024 -path "c:\Certificates\xxxx.req" -privatekeyexportable:$true -subjectname "c=US, o=domain.com, CN=server.domain.com"
    2. CAS array name doesn’t need to be added in the certificate:
    http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
    3. It depends on the situation that you configured to add the server name.
    4. Outlook clients use certificate for authentication.
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Reverse Proxy and SLD on an Enterprise Portal 7.0

    Hi
    I need to configure SLD and Reverse Proxy on an Enterprise Portal Server.
    How do i do this...
    can you refer me to the applicable guides
    Thanks
    Kalyan

    Hello,
    Thank you for your interest in my problem.
    Browser --SSL--> Firewall/DMZ (No SSL termination, all traffic forwarded to ISA Server). Yes, but there is a port translation from port 443 to 50201.
    Firewall/DMZ --SSL--> ISA Server -- (SSL Termination)--. In fact it is not the SSL termination. But from this point the URL is modified to reach the host with EP7.0.
    ISA Server --SSL--> EP7.0 (port 502010). When I test my configuration I get the message "web page not found". With capture software I have verified that the request is sent to my EP 7.0 (url2). But no logon page appears. With the modification on line of the HTTP provider in the dispatcher, I have checked that the response contains URL1 and the standard port. But no web page is displayed.
    Thank you for your help.
    Regards,
    Julien

  • SSO Reverse Proxy and UWL error

    We have installed a portal on NW 7.01, which uses a custom SSO application and reverse proxy.  We are using the portal for an MSS application, using some standard functionality such as the MSS team viewer and the Universal Worklist.  Everything is working fine when I log in directly to the portal without the SSO application, connection to R3 (ECC 6.0) with the Team Viewer and the Universal Worklist.  When I use the Single Sign-On, I get in to the portal fine, the connection is good on our iViews including the MSS Team Viewer, but I get an error with the Universal Worklist.  I am first prompted if I want to display nonsecure items, if I click yes I get an error inside the UWL iView:
    Network Access Message: The page cannot be displayed
    Error Code: 502 Proxy Error. The host was not found.(11001)
    What settings do I need to change with UWL using SSO and reverse proxy - any ideas?
    Thanks,
    Jeff Mathieson


  • CSM, Reverse Proxy, and Sticky

    First, here is a diagram of my setup:
    CSM w/VIP for Front-End Web Servers (acting as Authorization and Reverse Proxy)
    |
    SSL Module for termination of HTTPS traffic
    |
    Front-End Web Servers
    |
    CSM w/VIP for Back-end Web Servers
    |
    Back-end Web Servers
    What I need is a way to ensure that users get to the same Back-end Web Server for their entire session. The Front-End Web Servers act as a Reverse Proxy for all requests going to the Back-End Web Servers and are configured to send requests to the VIP for the Back-End Web Servers.

    Gilles,
    Thanks for the response. This is https traffic for the user, but from the Front-End to the Back-End it's just http. Unfortunately it's SAP so it's not a normal HTTP Back-end that can generate cookies. Currently I am only running 3.1(7). What is the status of the 4.1 train? Being new I am concerned about utilizing this level. What has been the experience of customers on this code level in the field?
