Disabling normal proxy function in a reverse-proxy server

If you want to disable the capability to use the server as a "normal" forward proxy and only allow reverse proxying. Based on a section in the admin manual:
These additional automatic mappings are for users who connect to the reverse
proxy as a normal server. The first mapping is to catch users connecting to the
reverse proxy as a regular proxy. Depending on the setup, usually the second is the
only one required, but it does not cause problems in the proxy to have them both.
The first mapping referred to is a mapping rule:
"http://external.ip.address" => "http://proxyied.server.ip"
The second is of the form:
"/" => "http://proxyied.server.ip"
Would it be enough to just have the "/" rule, which it kind of sounds like in the admin text?

You can use the admin GUI to turn on access control and to create/modify
ACLs. Once you save and apply changes, and compare the new obj.conf
to the previous one (do a backup first, if you prefer) you can see a new
PathCheck "check-acl" directive present. You need to wrap this directive
in a <Client> tag:
Here's how to use <Client> tags:
http://docs.sun.com/app/docs/doc/819-5494/6n7isltea?l=ko&a=view

Similar Messages

  • Webdynpro application not functioning from Apache Reverse Proxy

    Hi Experts,
    We are currently working on custom webdynpro application, which needs to be exposed to Internet. We are using Apache HTTP Server as a reverse proxy.
    We are able to access the URL, but no images are getting displayed and also the application is not functioning when we click any button/links.
    Below is the HTTPD file configuration.
    ProxyPass /esampleApp  http://hostname:port/webdynpro/dispatcher/local/esampUI/ESamplingApp
    ProxyPassReverse /esampleApp  http://hostname:port/webdynpro/dispatcher/local/esampUI/ESamplingApp
    When we look into  image URL, which is being called from Apache, we  found out "webdynpro" is missing in the URL.
    Actual URL in Portal Server: (working)
    http://portalhostname:port/webdynpro/resources/local/esampUI/Components/esampling.ui.ESamplingComp/logo.gif
    Apache URL:
    http://Apachehostname:port/resources/local/esampUI/Components/esampling.ui.ESamplingComp/logo.gif
    Please suggest.
    Thanks
    Aravind

    We also had the same issue, but the problem was that instead of http, https was getting called.
    This has to do with 2 settings:
    1. Check the reverse proxy re-write URLs again. Note that there will be 2-3 entries, one for webdynpro as well.
    2. Open your system definition in system admin-sys configuration and check the WAS settings. This should point to the FQDN of the proxy server and not to the R3 server.
    ankur

  • Can a single instance of iPlanet Web Proxy act as a reverse proxy for multiple internal web sites?

     

    Hi Dave,
    You should be able to create multiple reverse mappings.
    Refer to the following technotes and see which scenario applies to your specific case:
    http://knowledgebase.iplanet.com/ikb/kb/articles/1504.html
    http://knowledgebase.iplanet.com/ikb/kb/articles/2050.html
    http://knowledgebase.iplanet.com/ikb/kb/articles/5129.html

  • Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection

    Hi,
    I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
    I have configured a context root to be forwarded to weblogic:
    Web Server: www.server.com
    URI: /path
    Reverse Proxy URL: wlserver:9000
    When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
    If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
    Would appreciate it very much if someone can help me troubleshoot this issue.
    Thanks in advance!
    Edited by: agent_orange on Jul 29, 2010 2:30 AM
    Edited by: agent_orange on Jul 29, 2010 2:31 AM

    I am not sure, how you have configured your reverse proxy since you didn't attach / refer your current configuration file. this is how I would do it..
    - create a new configuration (using web server 7 admin gui , within configuration wizard, disable java option if you plan to use web server 7 only for reverse proxy)
    - select this new configuration and go to reverse proxy and try to reverse proxy / to the origin server.
    that is all it should need.
    your obj.conf or <hostname>-obj.conf depending on your configuration should look like following snippet
    <Object name="default">
    AuthTrans..
    NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
    </Object>
    <Object name="reverse-proxy-/">
    Route fn=....
    Service ..
    </Object>
    this is all you should need..
    However, if you wanted to add complexity to your configuration, you could do some thing like
    <Object name="default">
    Auth..
    <If defined $security>
    NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
    </If>
    </Object>
    <Object name="reverse-proxy-/">
    Route...
    </Object>

  • Reverse Proxy only in DMZ Node

    Hi Everyone,
    We are implementing reverse only proxy in DMZ in R12.1.1 option 2.4 in DMZ note. I have few doubts regarding the setup. I would appreciate if anyone could clarify those.
    I have a reverse proxy server in DMZ with a public IP and internal IP (we have built Apache from source as reverse proxy)
    I have a MT(Linux box) with Two IP's one for Internal Webentry (port 8001)and second IP for external webentry(port 8002). These two have been registered in DNS the first ip would resolve to appsmt and second one would resolve to appsrp
    We have Created packet filter rule allowing reverse proxy to communicate explicitly with MT(appsrp) on second IP (for external webentry) over TCP port 8002
    As per DMZ note 726953.1 or 380490.1
    1)what should I give when it prompts for host name when I run adclonectx.pl Step 5.9.1
    Target System Hostname (virtual or normal) [dcoll12xc] :
    should I give reverse proxy hostname or second host name on the MT for the external webentry
    2) What should I give values for below
    s_webentryhost
    s_webentrydomain
    s_active_webport
    s_server_ip_address
    should they be reverse proxy hostname/Ip or second host name/Ip on the MT for the external webentry?
    Thanks

    Hi user;
    Please follow Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
    For your question 1 please check upper note part *5.9.1: Create a new context file for the external Web Entry Point*; it is explained there what you have to enter
    For your question 2 please check upper note part *5.4.1: Update Oracle E-Business Suite Applications Context File*; it is explained there what you have to enter
    Hope it helps
    Regard
    Helios

  • Lync Reverse Proxy Alternatives

    When migrating from OCS 2007 to Lync 2010, we balked at Microsoft's recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
    TMG is way too expensive and complex for such a limited, simple use case.
    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
    We decided to use Apache 2.2 on Windows Server 2008 R2. 
    Here's how we configured it:
    1. Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.
       http://technet.microsoft.com/en-us/library/gg398069.aspx
    2. Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.
       http://httpd.apache.org/download.cgi
    3. We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
       1. Use the Certificates MMC on your front end server to export the certificate and include the private key.
       2. Transfer the resultant .pfx file to your reverse proxy server.
       3. Use OpenSSL to convert your .pfx file to PEM:
          openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
       4. Separate the private key from the certificate using notepad:
          - Open the new .pem file and cut the text from the beginning of the file through the end of the "----END RSA PRIVATE KEY----" tag.
          - Save that text to a new file named yourcert.key.
          - Save yourcert.pem, which should now only include the certificate.
       5. Copy (or move) the certificate and private key to the Apache configuration directory. We like to use C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
    4. Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features (see http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive):
       - Uncomment the following lines, which will enable proxy and SSL:
         LoadModule proxy_module modules/mod_proxy.so
         LoadModule proxy_http_module modules/mod_proxy_http.so
         LoadModule ssl_module modules/mod_ssl.so
         Include conf/extra/httpd-ssl.conf
       - Add the following lines to configure reverse proxy behavior:
         #Be a reverse proxy, not a forward proxy
         ProxyRequests Off
         #Accept requests from any client to any URL
         <Proxy *>
         Order Deny,Allow
         Allow from all
         </Proxy>
         #Set the network buffer to improve throughput
         ProxyReceiveBufferSize 4096
         #Configure the Reverse Proxy to forward all requests to your front end server on 4443
         ProxyPass / https://yourfrontend.domain.com:4443/
         ProxyPassReverse / https://yourfrontend.domain.com:4443/
         #Preserve Host Headers for Lync
         ProxyPreserveHost On
       - Optionally, configure logging directives, bindings and server name.
       - Save and close httpd.conf
    5. Edit httpd-ssl.conf (typically in conf\extra):
       - Configure the session cache:
         Uncomment:
         SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
         Comment out:
         SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
       - Locate the <VirtualHost _default_:443> tag and configure the following:
         Add the following directive:
         SSLProxyEngine On
         Configure the path to your SSL Certificate saved in step 3-5 above:
         SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
         Configure the path to your private key saved in step 3-5 above:
         SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
         Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
         Optionally, configure logging directives.
       - Save and close httpd-ssl.conf
    6. Restart the Apache2.2 service
    7. Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    8. From an external connection, test connectivity through the reverse proxy:
       - Test https://dialin.company.com (friendly URL for getting dial-in information, if you're using voice conferencing)
       - Test the Lync Web App by setting up an online meeting and following the URL to join the meeting. You can force the use of the web app by appending ?sl= to the end of the meet.company.com link. See this for more information: http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
    Hope this information is helpful and saves some of you some money and trouble.
    Please contact me if you need further clarification or see any mistakes in my notes.
    Best regards,
    Kenneth Walden
    Enterprise Systems Supervisor
    GSD&M
    Austin, TX
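
Added example, not part of the original post: a small audit of the httpd.conf directives described above, flagging the settings that would turn this reverse proxy into a forward proxy or break the HTTPS backend and Host header handling. The function names, finding labels and WEAK_CONF are constructed for illustration; PAGE_CONF repeats the directives from the post.

```python
# Directives as given in the post above (httpd.conf plus the SSL virtual host).
PAGE_CONF = """\
#Be a reverse proxy, not a forward proxy
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyReceiveBufferSize 4096
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
ProxyPreserveHost On
<VirtualHost _default_:443>
SSLProxyEngine On
</VirtualHost>
"""

# Constructed weak variant: forward proxying on, nothing else configured.
WEAK_CONF = """\
ProxyRequests On
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / https://yourfrontend.domain.com:4443/
"""


def parse_directives(conf_text):
    """Return [(section, directive, args)] with names lower-cased.

    section is the innermost enclosing container, e.g. "proxy *", or "".
    """
    stack, out = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<") and line.endswith(">"):
            stack.append(" ".join(line[1:-1].lower().split()))
        else:
            name, *args = line.split()
            out.append((stack[-1] if stack else "", name.lower(), args))
    return out


def audit(conf_text):
    """Return a list of finding labels; an empty list means nothing was flagged."""
    directives = parse_directives(conf_text)

    def is_on(name):
        # Last occurrence wins; every directive checked here defaults to Off.
        # Simplification: virtual-host scoping is ignored.
        values = [a[0].lower() for _, n, a in directives if n == name and a]
        return bool(values) and values[-1] == "on"

    findings = []
    # "<Proxy *>" open to everyone: Apache 2.2 syntax and its 2.4 equivalent.
    allow_all = any(
        sec == "proxy *" and (n, [x.lower() for x in a]) in
        (("allow", ["from", "all"]), ("require", ["all", "granted"]))
        for sec, n, a in directives
    )
    if is_on("proxyrequests"):
        findings.append("open-forward-proxy" if allow_all else "forward-proxy-enabled")

    passes = [(a[0], a[1]) for _, n, a in directives if n == "proxypass" and len(a) >= 2]
    reverses = {a[0] for _, n, a in directives if n == "proxypassreverse" and a}
    for path, target in passes:
        if target.lower().startswith("https://") and not is_on("sslproxyengine"):
            findings.append("https-backend-without-sslproxyengine")
        if path not in reverses:
            findings.append("missing-proxypassreverse:" + path)
    if passes and not is_on("proxypreservehost"):
        findings.append("host-header-not-preserved")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("weak config", WEAK_CONF)):
        print(label, "->", audit(conf) or "no findings")
```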

    I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your blog saved me a LOT of headache.  I owe you big time.
    AWESOME JOB.
    -Greg
    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.
    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER.  Look for http://10.x.x.x/meet/ or something in the event logs.
    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
    Request information:
        Request URL:
    https://FQDN:4443/meet/MyName/456456
        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Custom event details:

  • Unable to set session in Oracle Portal using reverse proxy

    I have deployed a reverse proxy (using Oracle HTTP Server) in front of an Oracle Portal install (version 10.1.2.0.2). The steps followed to set this up came from the following documents:
    Steps mentioned in Section 9.2 Configuring a Reverse Proxy for OracleAS Portal and OracleAS Single Sign-On for a reverse proxy on a Oracle HTTP Server.
    http://download-west.oracle.com/docs/cd/B14099_15/core.1012/b13998/variants.htm#ASTED005
    Also performed steps mentioned in -> Section 5.3.7 - Step 7: Enable Session Binding on OracleAS Web Cache of the Oracle® Application Server Portal Configuration Guide 10g Release 2 (10.1.2) -- B14037-03.
    My current (example names shown only) setup details are as follows:
    Reverse Proxy for SSO server (running on internal.oracle.com:7777): proxy.oracle.com:7777
    Reverse Proxy for Portal server (running on internal.oracle.com:7778): proxy.oracle.com:7778
    With the above steps completed, I can successfully use the http://proxy.oracle.com:7777/pls/orasso for login into SSO without any issues.
    Users get authenticated successfully.
    I can also use http://proxy.oracle.com:7778/pls/portal for viewing pages on the portal fine. All self referencing links have also been successfully modified to point to proxy.oracle.com:7778.
    However, an attempt to login in the portal is not successful. Clicking on the 'Login' link successfully redirects to the SSO login page (http://proxy.oracle.com:7777/<login-page>). However, after successful authentication, the success page fails to show up and the user gets shown the initial login portal home page again.
    There are no error messages shown on the screen. But it seems that the user session is failing to be initiated/set correctly, as shown by the log file (in $PORTAL_ORACLE_HOME/j2ee/OC4J_Portal/application-deployments/portal/OC4J_Portal_default_island_1/application.log ):
    06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] Repository Gateway: LWUser: PUBLIC, Cookie: oracle.uix=0^^GMT+10:00;
    portal=9.0.3+en-au+us+AUSTRALIA+22BC75924EEAD8A2E040007F010019F7+8DAC5E3559C95F5E0090A6F56FFA58192CB0F437CA57A9102A6394F1EB7FAB5DEE3BFA12C65
    91C0C009B6......
    06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] ERROR: Repository Gateway error: Database Error: ORA=20001 ORA-20001:
    Unable to obtain session information from the cookie. Please close your browser and reconnect.
    ORA-06512: at "PORTAL.WPG_SESSION", line 149
    ORA-06512: at line 22
    Any help with this will be appreciated.
    Thanks.

    Hi Chris,
    The beginning of the exception stack gives you the reason:
    06/11/03 09:13:59 java.sql.SQLException: The method 'setSavepoint' cant be called when a global transaction is active
    The reason is that the whole global transaction must be either committed or rolled back.
    I don't know your actual configuration, but between the methods begin() and commit()/rollback() of the UserTransaction instance, OC4J/OracleAS uses a global transaction (= XA transaction) in your configuration. The state of a global transaction is completely under the control of the application server and several restrictions must be considered. One of them is that you can't use the method setSavePoint. E.g. you also can't call the method setAutoCommit(true) in this state, or change the transaction isolation level via setTransactionIsolation(newLevel).
    This is NOT a limitation of the OC4J/OracleAS but is true for ALL application servers.
    P.S. I can successfully set savepoints and rollback to savepoints in weblogic 9.0
    This means that WebLogic 9.0 doesn't use a global transaction in this case.
    Because I don't know your configurations (Oracle and WebLogic) I can't say why they behave differently in this situation.
    Best,
    Manfred

  • Reverse Proxy Problem

    Hi!
    I am configuring Oracle iPlanet is 7.0.15 to have one instance reverse proxy to another instance. They are different only in port numbers. The destination port is 2321.
    I have set up the reverse proxy in Content Handling -> Reverse Proxy setting.
    Problem is: When I display the URL of the proxy in the web browser, I see the index.html of the original instance, not the destination instance. I am expecting the web page to be redirected to the destination instance. Please help. Thanks.
    Here is the config:
    # Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
    # You can edit this file, but comments and formatting changes
    # might be lost when you use the administration GUI or CLI.
    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    NameTrans fn="pfx2dir" from="/mc-icons" dir="/package/oracle/webserver7/lib/icons" name="es-internal"
    NameTrans fn="map" from="/hk" name="reverse-proxy-/hk" to="http:/hk"
    PathCheck fn="uri-clean"
    PathCheck fn="check-acl" acl="default"
    PathCheck fn="find-pathinfo"
    PathCheck fn="find-index-j2ee"
    PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
    ObjectType fn="type-j2ee"
    ObjectType fn="type-by-extension"
    ObjectType fn="force-type" type="text/plain"
    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    Service method="TRACE" fn="service-trace"
    Error fn="error-j2ee"
    AddLog fn="flex-log"
    </Object>
    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>
    <Object name="es-internal">
    PathCheck fn="check-acl" acl="es-internal"
    </Object>
    <Object name="cgi">
    ObjectType fn="force-type" type="magnus-internal/cgi"
    Service fn="send-cgi"
    </Object>
    <Object name="send-precompressed">
    PathCheck fn="find-compressed"
    </Object>
    <Object name="compress-on-demand">
    Output fn="insert-filter" filter="http-compression"
    </Object>
    <Object ppath="http:*">
    Service fn="proxy-retrieve" method="*"
    </Object>
    <Object name="reverse-proxy-/hk">
    Route fn="set-origin-server" server="http://localhost:2321"
    </Object>
    Please help. Thanks.

    Hi,
    You have set up your reverse proxy on the URL '/hk'
       NameTrans fn="map" from="/hk" name="reverse-proxy-/hk" to="http:/hk"
    If you want this to work for the URL '/index.html', you need to set up the reverse proxy on the URL '/'.
    regards
    Tracey

  • Problem on Setting up a Reverse Proxy on Web Proxy Server 4.0.1

    After you set up a reverse proxy using Web Proxy Server 4.0.1, if you get the following error --
    Proxy denies fulfilling the request
    Your client is not allowed to access the requested object.
    You probably forgot to add a regular mapping from: / to: http://http.site.com/. The information provided in the 4.0.1 Administration Guide is misleading. You will have to add it NOW manually. (Note: in 3.6 it will be added automatically)
    You will have to do the following step manually; what is provided in the manual is misleading --
    Sun Java™ System Web Proxy Server 4.0.1 Administration Guide 2005Q4
    Chapter 14 Using a Reverse Proxy
    "Setting up a Reverse Proxy"
    5. To make the change, click OK.
    Once you click the OK button, the proxy server adds one or more additional
    mappings. To see the mappings, click the link called View/Edit Mappings.
    Additional mappings would be in the following format:
    from: /
    to: http://http.site.com/

    thanks, will verify and update the docs.
    rahul.

  • Is Web Application Proxy enough as a secure Reverse Proxy/publishing solution

    Hello,
    What are people's thoughts on using the Web Application Proxy role as a reverse proxy with only a Firewall between it and the internet...?
    We need to replace our ISA 2006 boxes and I have been advocating using WAP with ADFS.
    However other 'Reverse Proxy' solutions available seem to have more capabilities than just WAP and a Firewall; without  we leave ourselves exposed. For instance FortiNet's product FortiWeb has the following 'additional' capabilities:
    Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more)
    Automatic layer 7 anomaly-based application baselining and threat detection
    Data Leak Prevention (CC, SSN, server/application leakage)
    IP Reputation
    Are these required? Does WAP provide these capabilities but use different terminology?

    Hi,
    https://technet.microsoft.com/en-us/library/dn383650.aspx
    You will see that Web Application Proxy is designed as a perimeter solution (=running in DMZ)
    FortiWeb's product seems a web application firewall. This is a security solution. Security solutions are seldom required, but can help keeping your environment secure.
    IIS can also serve as a reverse proxy and can do some security stuff too (ip and domain restrictions, request filtering,...)
    Whether one or the other is the best solution for you, depends on your requirements.
    MCP/MCSA/MCTS/MCITP

  • Reverse Proxy Planning for Exchange 2013

    Hi,
    We are planning Exchange 2010 to Exchange 2013 datacentre migration for 18000 users and all the Exchange planning is done. Now we are looking at planning of Reverse Proxy solution. We will be publishing different URLs for OWA, ActiveSync and Outlook Anywhere.
    UAG has been finalized by the organization. I don't find any document or links which suggests the planning of Reverse proxy for Exchange. Can you please let us know the sizing of UAG with respect to Exchange 2013. Thanks.

    Hi 
    Sizing: as far as I know there is no sizing document for UAG
    But Minimum you need to have UAG 2010 SP3 to work with Exchange 2013
    You can see the support boundaries for UAG below technet
    http://technet.microsoft.com/en-us/library/ee522953.aspx
    Note : UAG requires each user to have a CAL
    You can also try 2012 R2 web application proxy . This does reverse proxy without the need of CAL's.
    You can give it a try if you wish to go with web app proxy and you can see below 
    http://technet.microsoft.com/en-us/library/dn383650.aspx
    Sathish (MVP)

  • Sophos Firewall\Reverse Proxy With Lync 2013

    We currently have Lync 2013 deployed internally and working like a champ for about 5 months now. We are in the process of trying to get this rolled out externally and running into issues.
    It seems we have the ports opened up properly but the MS remote connectivity analyzer comes back with certificate error "The certificate couldn't be validated because SSL negotiation wasn't successful."
    I'm pretty certain our certificates are correct for the external edge server and the external firewall\Reverse proxy. From the Lync planning tool we have been following it and so far successful until the certificates. The certificates tool shows we should
    have the following certs assigned: (keep in mind we have 2 separate certificates assigned)
    Edge Server External
    Subject name: lyncaccess.domain.com
    SAN:webcon.domain.com and sip.domain.com
    Reverse Proxy:
    rp0100.domain.com (reverse proxy FQDN does resolve)
    SAN: dialin.domain.com, meet.domain.com, and temwac.domain.com (office web apps server)
    We requested the certificates from Go daddy and have them installed and the SANs are in there correct. The connectivity analyzer is able to get to our server using autodiscover over port 443, we see the traffic come in through the firewall and nothing is
    blocked just the certificate could not be validated.
    Has anyone deployed Lync using the Sophos UTM as a reverse Proxy any other ideas as to what we are missing with these certificates?
    The certificate couldn't be validated because SSL negotiation wasn't successful.

    lyncdiscover.domain.com does not resolve. Discovery is working fine through the connectivity analyzer. We actually figured that part out about the SSL. It seems we had the firewall and Reverse proxy rules in place on the Sophos appliance but the firewall
    rules leaving the edge server were being blocked. It took us about 1.5 days to figure that part out.
    The connectivity analyzer now is able to authenticate the certificates successfully. Of course it wouldn't be a Lync roll out without the next issue coming up.
    The next issue we have is the connectivity analyzer reaching the AV service. Which we are going to assume is a routing issue as well and are currently troubleshooting it:
    Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
    Error Type: RegisterException.
    Deregister Reason: None.
    Response Code: 504.
    Response Text: Server time-out.
    http://social.technet.microsoft.com/Forums/lync/en-US/f95c47cc-f8eb-4646-bdac-6c7244b26ff1/couldnt-sign-in-error-error-message-the-endpoint-was-unable-to-register-new-deployment?forum=ocsplanningdeployment
    Wish me luck.

  • Proxy Listener, Reverse Proxy and Security

    I am wondering if someone can help me regarding security. I added an additional proxy listener to do reverse proxy. Unfortunately I started to notice my bandwidth usage skyrocket - outside users were using me as a proxy. How do I limit a proxy listener that I am using externally to only process requests for my internal web servers? Thank you...
    Joe

    Hi
    Is there a way to authenticate a database user without creating
    a connection in a java application container like geronimo?
    If you want the database engine to authenticate the users, you have to connect to it. If you really want to do it before attempting a connection, I see no other possibility than to let the application do the authentication. In such a situation it is common to use a technical user for the database. If specific DB-features like VPD are needed, then you should use a proxy user instead. But, once more, the authentication should be performed from the application.
    HTH
    Chris
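
Added example (not part of any post on this page): a log check for the symptom described in the question above and in the first question on this page, outside clients using a reverse-proxy listener as a forward proxy. It assumes Apache common/combined access-log format; the served hostnames are borrowed from the Lync example on this page, and the log lines, function names and labels are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this reverse proxy publishes (names from the Lync post).
SERVED_HOSTS = {"dialin.company.com", "meet.company.com"}

# Prefix shared by the Apache common and combined log formats.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Nov/2011:13:26:35 -0500] "GET /meet/MyName/456456 HTTP/1.1" 200 5120
203.0.113.9 - - [16/Nov/2011:13:27:01 -0500] "GET http://example.org/ HTTP/1.1" 200 1270
203.0.113.9 - - [16/Nov/2011:13:27:02 -0500] "CONNECT example.net:443 HTTP/1.1" 405 226
198.51.100.7 - - [16/Nov/2011:13:27:10 -0500] "GET https://meet.company.com/meet/x HTTP/1.1" 200 5120
192.0.2.44 - - [16/Nov/2011:13:28:40 -0500] "GET http://example.com/ad.js HTTP/1.0" 403 199
198.51.100.7 - - [16/Nov/2011:13:29:00 -0500] "GET /dialin?next=http://meet.company.com/ HTTP/1.1" 200 900
""".splitlines()


def classify_request(request_line, served_hosts=SERVED_HOSTS):
    """Return (kind, target_host) for one logged request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return "malformed", None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # Tunnel request: only a forward proxy should ever honour this.
        return "forward-connect", target.rsplit(":", 1)[0].lower()
    if target.startswith("/") or target == "*":
        # Origin-form (or OPTIONS *): normal traffic for a reverse proxy,
        # even when a query parameter happens to contain a URL.
        return "reverse", None
    try:
        url = urlsplit(target)
    except ValueError:
        return "malformed", None
    if url.scheme and url.hostname:
        # Absolute-form is legal for our own names, suspicious for anyone else's.
        if url.hostname in served_hosts:
            return "reverse", url.hostname
        return "forward-absolute", url.hostname
    return "malformed", None


def scan(lines, served_hosts=SERVED_HOSTS):
    """Return one finding per log line that asks the server to act as a forward proxy."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, host = classify_request(m.group("request"), served_hosts)
        if kind.startswith("forward-"):
            status = int(m.group("status"))
            findings.append({
                "line": number, "client": m.group("client"), "kind": kind,
                "target": host, "status": status,
                # 2xx/3xx only means the server answered; confirm a real relay
                # from response size or outbound connections before acting.
                "answered": status < 400,
            })
    return findings


def clients_to_review(findings):
    """Clients ranked by number of forward-proxy style requests."""
    return Counter(f["client"] for f in findings).most_common()


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f)
    print(clients_to_review(hits))
```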

  • Looking for open source Reverse proxy

    toby wells wrote:
    Gary D Williams wrote:
    Squid - SquidFaq/ReverseProxy - Squid Web Proxy Wiki
    Note that a reverse proxy won't automatically secure a website.
    Exactly
    You need something like Naxsi for that - it's a bolt onto nginx which is a reverse proxy itself
    Even then, things like SQL injection attacks can still happen if the database inputs are not sanitised. A reverse proxy will pass those through no problems unless it has the ability to check those as well.
    A reverse proxy is fine as a caching device but I wouldn't really call it a security device. It's still best to harden every step in the external facing chain and to sanitise the inputs.

    Gary D Williams wrote:
    Squid -> SquidFaq/ReverseProxy - Squid Web Proxy Wiki
    Note that a reverse proxy won't automatically secure a website.
    Exactly
    You need something like Naxsi for that - it's a bolt onto nginx which is a reverse proxy itself

  • How to disable hostname verification on iplanet reverse proxy

    I am looking for a way to disable hostname verification of the application server url specified in the reverse proxy setup.
    I am using the following setting in my Object definitions. It is failing because the certificate CN does not match the url I specified
    The error is :
    for host xx.yy.zz.ww trying to GET /uri/loginAction.do, service-http reports: HTTP7758: error sending request (SSL_ERROR_BAD_CERT_DOMAIN: Requested domain name does not match the server's certificate.)
    Route fn="set-origin-server" server="https://bbb.com:7002/" poll-timeout="20000" retries="2"
    My tomcat certificate CN has  aaa.com
    While I am using the tomcat on bbb.com.
    Is there any way to disable hostname verification on a reverse proxy setup. I am unable to find any relevant documentation on this.
    The closest discussion I found was https://forums.oracle.com/thread/1943116 but it did not conclude anything.

    Found a solution from Oracle Knowledge base:
    This fixed our issue
    <Object name="reverse-proxy-/abc">
    ObjectType fn="ssl-client-config" validate-server-cert="false"
    Route fn="set-origin-server" server="https://server1.test.com:11011" server="https://server2.test.com:11011"
    </Object>
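
Added example, not from the post or from Oracle: a check that reports which names the origin certificate carries, so the mismatch behind SSL_ERROR_BAD_CERT_DOMAIN can be corrected in the Route target or the certificate rather than by accepting any certificate from the origin. The certificate dictionary is constructed from the names in the question (aaa.com, bbb.com) in the shape returned by Python's `ssl` `getpeercert()`; the function names and the SAN entries are assumptions.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed certificate data: CN aaa.com as in the question, SANs assumed.
SAMPLE_CERT = {
    "subject": ((("commonName", "aaa.com"),),),
    "subjectAltName": (("DNS", "aaa.com"), ("DNS", "*.aaa.com")),
}


def fetch_origin_cert(host, port, timeout=5.0):
    """Fetch the origin's certificate as a dict without enforcing the name check.

    The chain is still verified against the system trust store; only hostname
    matching is skipped so that a mismatching certificate can be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_dns_names(cert):
    """DNS subjectAltName entries, falling back to the subject CN when there are none."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_origin(cert, origin_url):
    """Compare the host in a Route server= URL with the names in the certificate."""
    host = urlsplit(origin_url).hostname
    names = cert_dns_names(cert)
    return {
        "host": host,
        "cert_names": names,
        "match": any(name_matches(n, host) for n in names),
    }


if __name__ == "__main__":
    # Route target from the question versus the name the certificate was issued for.
    print(check_origin(SAMPLE_CERT, "https://bbb.com:7002/"))
    print(check_origin(SAMPLE_CERT, "https://aaa.com:7002/"))
```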
