Distributed Authentication Service Server or Reverse Proxy
My environment have two layers firewall in place. The DMZ is sitting on the first-tier firewall as general web sites while I plan to put Access Manager server on the second-tier firewall. As we know that, AM have to send SSO token back to the browser after authenticated. In this configuration, based on security policy we don't allow direct connection between the browser and AM. That's why we put DSSS or Reverse proxy on the DMZ zone and act as the gateway for internal & exteranl traffic.
Can anyone post the comparison, pros and cons between DSSS and Reverse Proxy? Which one is better in term of features and easy-to-implement?
Finally, Is there any other alternatives if don't want to use both DSSS and Reverse proxy? I ask this question because AM will be single point of failure of the whole system. If AM have been attacted from whether direct or indirect, all services will be unaccessable.
Best Regards,
mthekid
Bernhard,
Thanks for your response. Because my major concern is security so I want to prevent denial of service on Access Manager. It look like writing my own dist-auth equal mechanism will help. However, I have 3 different platforms in single sign-on environment. Does this mean I have to create 3 dist-auth-like ones ?
Do you think if they are worth to do (I hope I can find documentation and guideline at http://docs.sun.com) ? Please tell me frankly. I am semi-technical and presales. If they are too complex and time consuming, I may decide to with dist-auth.
Similar Messages
-
With Arun Kumar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
Example question topics include:
SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
Basic configuration of IdPs
Interaction between IdPs and Cisco WMS
Difference between the cloud client implementation and Cisco WMS
Meeting access behavior in a split-horizon network topology with SSO
How to enable public access to Cisco WMS
Cisco WMS ELM operations
Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
Remember to use the rating system to let Arun know if you have received an adequate response.
Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.Hello Mobile Service,
CWMS and Jabber integrations:
http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
then move to section: Add Cisco WebEx Meetings Server to a Profile
Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (pleae make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
Attached CWMS - AFDS integration doc.
Please let me know if any furhter question.
Thanks, Arun -
Web Server 7 Reverse Proxy URI Config
I am testing WS 7.2 to replace WS 6.1 and need input on the configuration of the reverse proxy setup. We currently are using the reverse proxy plugin on our 6.1 servers but I cannot get the same configuration to work on 7.2. I have followed the admin document but I don't want to use / as my URI. I need to only proxy requests for URLs that end in *cfm. Can I configure the new server to work like the 6.1 version?
6.1 Config
=======
obj.conf
NameTrans fn="assign-name" from="(*.cfm)" name="passthrough"
<Object name="passthrough">
ObjectType fn="force-type" type="magnus-internal/passthrough"
Service type="magnus-internal/passthrough" fn="service-passthrough" servers="http://host:8281"
Error reason="Bad Gateway" fn="send-error" uri="$docroot/badgateway.html"
</Object>
magnus.conf
Init fn="load-modules" shlib="/opt/SUNWwbsvr/plugins/passthrough/libpassthrough.so" funcs="init-passthrough,auth-passthrough,check-pass
through,service-passthrough" NativeThread="no"
Init fn="init-passthrough"In Web Server 7.0 you can use built in reverse proxy feature rather than using libpassthrough.so
configuring reverse proxy
http://docs.sun.com/app/docs/doc/820-2202/gdabp?l=en&a=view
http://docs.sun.com/app/docs/doc/820-2204/create-reverse-proxy-1?l=en&a=view
More information about map SAF :
http://docs.sun.com/app/docs/doc/820-2203/gdhnz?l=en&a=view
set-origin-server sAF:
http://docs.sun.com/app/docs/doc/820-2203/gdhqc?l=en&a=view
Blogs :
http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_sun -
404 error while accessing sicf services via apache reverse proxy
Hi,
I set up an reverse proxy with apache 2.2 and try to access SICF Services via this proxy. I got the following error message from the sap system:
Service cannot be reached
The termination occurred in system SMP with error code 404 and for the reason Not found.
The selected virtual host was 0 .
What can I do?
Please select a valid URL.
If you do not yet have a user ID, contact your system administrator.
ErrorCode:ICF-NF-http-c:000-u:SAPSYS-l:E-i:NE-SSMP01_SMP_00-v:0-s:404-r:Notfound
When I access J2EE services via the proxy it works.
Is there any configuration which have to be done in the ABAP Stack for accessing Services via the proxy server?
For tests I tried to access the simple ping service ( /default_host/sap/public/ )
Thanks and best regards,
TimHi Oliver,
I allready checked the SDN posts for the reverse proxy. Maybe I missed something.
The ProxyPreserveHost is on.
I redirect to the ICM. I only redirected to the J2EE for tests. This worked by the way withe the same conifiguration.
Here is my apache config:
VirtualHost *:5443>
ServerName domain.com
ServerAdmin test.de
ProxyPreserveHost On
#ProxyVia On
#AllowEncodedSlashes On
Rewrite Rules
- forward sap/public/ping?sap-client=001 -> Test Ping
- Passthrough /sap/public/ping/*
- Redirect any other URL -> Test Ping
RewriteEngine On
RewriteRule ^/sap/public/ping?sap-client=001$ /sap/public/ping?sap-client=001 [R,L]
RewriteRule ^/sap/public/(.*) /sap/public/$1 [PT,L]
RewriteRule (.*) /sap/public/ping?sap-client=001 [R,L]
RewriteLog logs/rewrite_SMP.log
RewriteLogLevel 3
Reverse Proxy to
- Disable Forward Proxy
- Allow Connections from All
- Reverse Mapping for 302 Response
- Forward / Requests to domain.com:8000
ProxyRequests Off
<Proxy *>
AddDefaultCharset off
Order Allow,Deny
Allow from all
</Proxy>
Forward Rules
ProxyPass /sap/public/ping http://domain.com:8000/sap/public/ping?sap-client=001
ProxyPassReverse / http://domain.com:8000/
</VirtualHost>
Best regards,
Tim -
SAN certificate for external access for edge server and reverse proxy
Hello
I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
For external access and mobile user's , Iwant to enable all the feature for external user's .
im planning to purchase san certificate ,
my first question do I need only one SAN for both my edge server and the reverse proxy ?
my second question about the name's that shoud be added to the certificate ?
sip.mydomain.com
av.mydomain.com
webconf.mydomain.com
what else I should add ? I want to add the names for all feature access.
Kind Regards
MKYour Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
SAN on your cert.
Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
can present the third party certificate.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Sun Web server 7 - Reverse proxy to different
Hi All,
I have following scenario:
I have deploy my application into 2 dedicated weblogic servers, http://host1:7001/myapp and http://host2:7001/myapp. How can I configure the reverse proxy so whenever user enter the URL, webserver will forward different app server like below;
#1 - http://abc.com >> web server will forward to http://host1:7001/myapp
#2 - http://abc.com/controller>> web server will forward to http://host2:7001/myapp
I follow tutorial from this link >> http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
For requirement #1 it work perfectly since i put URI = /myapp and Server URL = http://host1:7001.
But for #2, it doesnt work since I put the URI=/controller.
We wanted to be like http://abc.com/controller, so it will forward to second app server which difference application.
Is it possible? or any other to do like that?
Thanks!Hi Sriram,
I'm having similar problem with atehac, the only difference is that the web server
#1 http://domain.com/web1 >> forwarded to http://local-pc1.com:8080/
#2 http://domain.com/web2 >> forwarded to http://local-pc2.com:8080/
This is the setting that I've made in <vs>obj.conf :
NameTrans fn="map" from="/web1" name="reverse-proxy-/web1" to="http:/"
NameTrans fn="map" from="/" name="reverse-proxy-/web1" to="http:/"
NameTrans fn="map" from="/web2" name="reverse-proxy-/web2" to="http:/"
NameTrans fn="map" from="/" name="reverse-proxy-/web2" to="http:/"
<Object name="reverse-proxy-/web1">
Route fn="set-origin-server" server="http://local-pc1.com:8080"
</Object>
<Object name="reverse-proxy-/web2">
Route fn="set-origin-server" server="http://local-pc2.com:8080"
</Object>
But the problem is local-pc2 won't be able to be accessed, while for local-pc1 will be mapped, but it omit /web1
So it will be like http://domain.com/web1 at the beginning, but after I press enter it became like http://domain.com
What I wish is something like http://domain.com/web1 all the way.
Do you have any idea Sriram?
Regards,
Berry -
Error message displays backend server name : Reverse Proxy
Hi Experts,
We are using Apache 2.2.16 for reverse proxy.Below is the scenario.
browser -
>Apache server -
>SAP Web Dispatcher -
>SAP SRM Portal---->SAP SRM ( backend )
Now https://apache_server_host:443/irj works fine. but whenever we select one iview , there is dump in backend system & error message at portal displays backend server.
e.g
Error application is coming up.
20101012
BASIS
074335
srmhost
http://srmhost.xyz.com8000/sap/bc/webdynpro/sapsrm/wda_l_fpm_oif/
RAISE_EXCEPTION
Exception condition "PURCHORG_NOT_FOUND" raised.
Now can we hide , srmhost ( backend ) or can we replace srmhost with Apache host name.
I am trying mod_substitute but it is not doing anything .
Best Regards,
Tushar.Solved by
AddOutputFilterByType SUBSTITUTE text/html
Substitute "s|http://srmhost:8000|https://apache_host|ni" -
Issues in ssl configuration with apache server (using reverse proxy)
Hi,
I am able to use apache server as a reverse proxy to connect to Portal. When I enter the web server url as https://mywebserver.com, I am able to connect to the http url of the Portal. But the moment I try to connect to the https url of Portal with this https url, I am not able to connect to the Portal. Thus I am not able to use apache as a proxy server for https connections it makes. What must I do. I read that mod_proxy_connect needs to be used, but how do I use this?
The second problem is that I need to use more than one kind of mapping.
For example I must be redirected to the Portal even if I use http://webserver.com , or even if I use https://webserver.com or even if I use http://webserver.com/irj or https://webserver.com/irj or http://ipaddress-websserver/irj etcI have SSLCertificateFile and
and SSLCertificateKeyFile .
My problem is with regard to ssl/CertificateChainFile?
what is this? Also how do I upload my J2EE Certificate into apache.
The problem is with Apache handshake is not happening.
I am forwarding the entire log during . I have put what I consider important in bold.Please have a look.
<b>----
</b>
Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1769): OpenSSL: Handshake: start
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: before/connect initialization
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv2/v3 write client hello A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 7/7 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 16 03 01 04 1a 02 ...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1488): | 0007 - <SPACES/NULS>
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 1048/1048 bytes from BIO#629160 [mem: 47855af] (BIO dump follows)
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 00 36 03 01 44 74 67 cb-38 b5 8e 42 3b 59 c3 6c .6..Dtg.8..B;Y.l |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0010: 23 5c 07 d0 8b 24 89 89-11 2e 0d 80 ed 1a 06 ea #
...$.......... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0020: 1d 10 b0 59 10 28 7c b4-02 cb d6 08 a8 e4 ea 5a ...Y.(|........Z |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0030: e5 88 5c 5d 90 00 39 00-0b 00 01 cc 00 01 c9 00 ..
]..9......... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0040: 01 c6 30 82 01 c2 30 82-01 2b a0 03 02 01 02 02 ..0...0..+...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0050: 04 36 0b 23 72 30 0d 06-09 2a 86 48 86 f7 0d 01 .6.#r0...*.H.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0060: 01 04 05 00 30 14 31 12-30 10 06 03 55 04 03 13 ....0.1.0...U... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0070: 09 6c 6f 63 61 6c 68 6f-73 74 30 1e 17 0d 30 33 .localhost0...03 |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0080: 31 30 30 32 30 37 32 35-30 30 5a 17 0d 30 35 31 1002072500Z..051 |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0090: 30 30 32 30 37 32 35 30-30 5a 30 14 31 12 30 10 002072500Z0.1.0. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00a0: 06 03 55 04 03 13 09 6c-6f 63 61 6c 68 6f 73 74 ..U....localhost |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00b0: 30 81 9f 30 0d 06 09 2a-86 48 86 f7 0d 01 01 01 0..0...*.H...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00c0: 05 00 03 81 8d 00 30 81-89 02 81 81 00 ef d6 ff ......0......... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00d0: a6 39 e1 64 a5 d3 fb 16-de 4e ee 1d 81 84 31 bc .9.d.....N....1. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00e0: e6 b7 96 07 3e 81 b9 94-d1 c1 e0 f9 00 3a 84 e8 ....>........:.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00f0: 7a 30 11 cd 41 26 d6 6c-95 90 93 95 17 e0 1a b7 z0..A&.l........ |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0100: 00 0f 59 33 7d 1d f3 a0-83 17 c5 f3 7e b3 ad ed ..Y3}.......~... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0110: c9 60 ac af 9e 31 d2 ec-42 71 f9 c3 98 2e 93 f9 .`...1..Bq...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0120: 9d c3 c4 3d b3 7d 9b 97-83 1c 6b bd c0 75 cc 96 ...=.}....k..u.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0130: dc b9 a0 1b 00 79 85 e4-19 1f 61 42 54 db 91 94 .....y....aBT... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0140: d8 1d 72 13 08 36 22 49-3b fb 05 dc 33 02 03 01 ..r..6"I;...3... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0150: 00 01 a3 21 30 1f 30 1d-06 03 55 1d 0e 04 16 04 ...!0.0...U..... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0160: 14 ed ed 02 af 94 13 59-1c 42 e6 69 40 e5 80 dd .......Y.B.i@... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0170: a4 e9 33 91 02 30 0d 06-09 2a 86 48 86 f7 0d 01 ..3..0...*.H.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0180: 01 04 05 00 03 81 81 00-2c 22 08 bd 71 b6 80 43 ........,"..q..C |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0190: 5a 2a 8b e8 62 34 b4 b4-84 8a 47 4b 97 5e bf dd Z*..b4....GK.^.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01a0: 17 4c 0a 1c b7 0e cd c5-d1 cc d8 77 cd 38 10 ef .L.........w.8.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01b0: 22 02 f0 02 7f a2 39 2b-53 eb 31 b6 18 49 37 a0 ".....9+S.1..I7. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01c0: 50 47 f2 34 ab 33 eb 5f-ec 5a f9 f7 53 5f 27 eb PG.4.3._.Z..S_'. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01d0: 02 7f b4 28 3e e8 b1 c7-59 df 2c 93 25 c5 34 14 ...(>...Y.,.%.4. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01e0: 7a 34 7c 45 b4 eb 6b 34-93 26 98 51 37 d3 e6 b0 z4|E..k4.&.Q7... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01f0: 7f 83 e3 a9 04 d3 47 b3-3d de 43 57 27 45 82 c0 ......G.=.CW'E.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0200: 4d 48 bf c0 a7 2f 66 0c-0c 00 02 08 00 80 af 76 MH.../f........v |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0210: 1f f5 f6 48 a0 01 0f ed-55 4c 53 9a 7c 07 7a ba ...H....ULS.|.z. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0220: c7 9d 77 e8 8b c7 66 8f-80 03 18 c5 1f 4f 2a a0 ..w...f......O*. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0230: 08 6f 9f e3 13 94 30 56-e7 2f 96 7c 26 97 ba 12 .o....0V./.|&... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0240: aa fd 3e 43 e1 46 c2 d1-32 94 56 45 52 c0 24 6f ..>C.F..2.VER.$o |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0250: 38 e0 93 0f 3a f8 0a 7c-41 0e 4c 54 4f 5a 7e d4 8...:..|A.LTOZ~. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0260: 62 e6 71 cd a0 dc 1e 9b-17 e5 10 71 3c 9d c6 39 b.q........q<..9 |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0270: 05 50 b6 15 37 0b 68 4f-24 50 74 47 13 1c 74 d8 .P..7.hO$PtG..t. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0280: 81 27 81 71 3a 4a c5 26-7d b8 e6 21 b3 d9 00 80 .'.q:J.&}..!.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0290: 4f 6f 5d e6 2d dc 77 46-e6 77 b1 94 3d 65 5b b0 Oo].-.wF.w..=e[. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02a0: 3d 39 7a 6c a2 c7 0b e3-27 08 fa 48 8d 75 1a fe =9zl....'..H.u.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02b0: 32 e6 13 d1 31 65 7d d5-11 34 21 78 38 d1 11 fb 2...1e}..4!x8... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02c0: ea 59 8e 24 79 5a 4b c2-f7 98 22 51 9f a7 4d 2b .Y.$yZK..."Q..M+ |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02d0: 15 98 fe d4 43 4b 34 25-b3 9b b3 ae 57 d1 ea 69 ....CK4%....W..i |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02e0: 6e 02 7e 61 d7 80 b6 73-6a 3e ac eb 69 38 67 8f n.~a...sj>..i8g. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02f0: a9 2a dc 93 3d 22 f3 6e-6a 5d 51 1f b1 b1 10 5e .*..=".nj]Q....^ |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0300: 82 28 48 0d 5a 78 f8 17-61 e0 c5 43 61 7a 42 6a .(H.Zx..a..CazBj |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0310: 00 80 42 fa 7e 11 b2 77-3a 8c de f1 52 5a e1 18 ..B.~..w:...RZ.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0320: d4 e7 8f ee 2c e0 06 ef-d5 37 87 62 07 14 d1 5a ....,....7.b...Z |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0330: ca 30 be fd dd 76 47 8f-ed f4 5f f3 64 6c 32 a9 .0...vG..._.dl2. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0340: d5 07 e2 9b f1 29 a3 bf-33 4a ed 72 6b 2e c3 0f .....)..3J.rk... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0350: 30 bd 13 a1 42 d8 f7 1d-58 8a 1c 53 d6 c3 c8 6e 0...B...X..S...n |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0360: 0e 51 e3 f5 a0 37 68 0d-04 c6 0e c4 4d cc ed 7c .Q...7h.....M..| |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0370: ef 8f 81 b3 52 34 0c 60-eb f8 01 19 cc 95 31 55 ....R4.`......1U |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0380: 7d 16 bf 0c df b8 e0 3d-8f 7c 7a 4a 64 98 93 59 }......=.|zJd..Y |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0390: eb ae 00 80 ef cb bc 38-ab 16 0e a2 b2 2d fa 0f .......8.....-.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03a0: da 55 2d 67 a8 b8 34 1b-bf 39 d9 d6 da 65 f2 8f .U-g..4..9...e.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03b0: 6f a2 b1 1d db bb d5 dd-ab cf 9e 63 00 e4 57 a5 o..........c..W. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03c0: 18 4a dc 60 b0 97 5d 67-34 96 bf a2 43 2b 7d 70 .J.`..]g4...C+}p |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03d0: d6 99 d2 31 d2 11 f4 f2-19 b8 0c 41 7d bf b1 7c ...1.......A}..| |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03e0: fb 31 cb 3e c2 0a e2 26-1a 7e 63 50 9b 62 c3 82 .1.>...&.~cP.b.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03f0: ca cd 36 82 0c 56 5f 26-f6 cc c6 6f 03 92 cc f5 ..6..V_&...o.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0400: 6b 55 1a d6 92 f9 5b 59-18 c2 62 21 eb d8 a4 ea kU....[Y..b!.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0410: fd b6 3e f7 0e ..>.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1488): | 1048 - <SPACES/NULS>
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server hello A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server certificate A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server key exchange A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server done A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write client key exchange A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write change cipher spec A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write finished A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 flush data
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 5/5 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 15 03 01 00 02 ..... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 2/2 bytes from BIO#629160 [mem: 47855ad] (BIO dump follows)
Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 02 28 .( |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1782): OpenSSL: Read: SSLv3 read finished A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: failed in SSLv3 read finished A
[Wed May 24 07:03:54 2006] [info] SSL Proxy connect failed
[Wed May 24 07:03:54 2006] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Wed May 24 07:03:54 2006] [info] Connection to child 249 closed with abortive shutdown(server apacheserver:443, client j2eeserver)
[Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserver)
[<b>Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserve) from apacheserver ()
[Wed May 24 07:04:10 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#612610 [mem: 62ac80]
[Wed May 24 07:04:10 2006] [info] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : SSL input filter read failed.
[Wed May 24 07:04:10 2006] [debug] ssl_engine_kernel.c(1787): OpenSSL: Write: SSL negotiation finished successfully
[Wed May 24 07:04:10 2006] [info] Connection to child 249 closed with standard shutdown(server apacheserver:443, client apacheserver)
</b> -
Sharepoint 2013 + Windows Server 2012 as reverse proxy
Hello All -
I'd like to ask if anyone has any experience with the new Windows Server 2012 (reverse) proxy, in providing a single sign-on service to Sharepoint 2013.
Scenario:
My client has a Sharepoint 2013 with 3 web applications (portal, teamsites, mysites). All three URLs are available externally via HTTPS only. All clients have AD credentials (no requirement for claims based authentication), although this includes 3 domains
in two different forests (trusts exist). Everything is already configured to allow clients access from domain-joined devices.
My client would like mobile devices (not domain-joined) to be able to access the three web applications without repeated logon prompts. Browser default settings must be used, they do not want to instruct people to perform any configuration on their mobile
device - it all has to work "out of the box" from the client side. Clients will be using iPads and iPhones with Safari, Windows Phones, Androids etc.
I'm considering proposing the use of a reverse-proxy, and rather than using the now depracated Forefront TMG or probably soon-to-be depracated UAG, I would like to jump straight in to the new and very cool looking Windows 2012 proxy server.
It's my understanding that this will provide a single sign-on service in this scenario. I'm unsure whether an ADFS server is also required even for pass-through, the information available is unclear, and also whether any special configuration is required
to a domain controller (DCs in the environment are all 2008R2, with 2008R2 functional level).
I would appreciate it if anyone could give an overview or point me in the direction of some accurate documentation regarding all of the above. Most importantly, if any of my assumptions above seem incorrect, please let me know.
Thank you!
sysadminI've heard no supportability statement with SharePoint and the Web Application Proxy (likely because it isn't GA yet). However, it does use ADFS for SSO, so you'll have to SAML-enable your Web Applications. The only downside to this is if you
use anything that is SAML-unfriendly, like PowerPivot [Data Refresh] and at least in 2010, Visio Services and InfoPath Forms Services.
Trevor Seward, MCC
Follow or contact me at...
  
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
BizTalk published WCF service throwing HTTP 404 error using ISA reverse proxy settings
I have published my schemas as a WCF service from BizTalk 2010 "Publish WCF Service" wizard. I used Wcf-basicHTTP adapter in receive port. I am able to run the service successfully on localhost IIS and I tested my biztalk solution by sending request using SOAP UI and got response successfully.... Now: Actually, I need to give this service endpoint to my vendor who will send request from outside my company's network i.e. internet. In my infrastrucrue BizTalk is behind the firewall so, we setup a REVERSE proxy server at DMZ layer and it is configured properly. I have tested a simple WCF service by replacing the localhost with Proxy server configured address <DNSName> and it worked absolutely fine. But when I change localhost in my BizTalk schema based published WCF service it is not working and I am getting following error. Really strugling to get it resolved. I wasted a whole 3 days....very upset. Please help me out by giving the detailed step solution. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested URL: /BizTalkServiceInstance/MyService.svc I am surprized why other c# code based WCF services are working fine with reverse proxy settings. Server Error in '/' Application. The resource cannot be found.Is there any special things to consider Biztalk exposed wcf servcie over ssl in IIS cluster with ISA
Hi Singam :)
First I would start by browsing any other files (files other than the one from WCF) just to ensure that the reverse-proxy’s redirection rules are set correctly. If you get the same 404 error when you try to access other service/files “through reverse-proxy”,
then it’s an issue in the redirection rule(s) in reverse-proxy.
If others are fine i.e. no issue in reverse-proxy setup as such, then try the following for WCF service's web.config file. I have seen this issue in WCF service (not just BizTalk’s artifacts exposed as service in reverse-proxy). Add serviceHostingEnvironment
config as show with in serviceModel section.
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Regards,
M.R.Ashwin Prabhu
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply. -
Reverse Proxy Server and gzip compressed pages
Hi ALL!
Does Proxy Server in reverse proxy configuration works with gzip compressed pages? How it will serve different browser versions which are supports compression differently.
Thanks. Happy New Year!Hi,
Domain relaxing will not work in this setting, ref. RFC 2109 http://www.ietf.org/rfc/rfc2109.txt
What you need to do is to create a DNS alias for the portal on domain [something].[company].com. Then create a portal component which returns the MYSAPSSO2 cookie and create an URL iView for it with the DNS alias hostname and add it to the default framework page. In this way, persons logging in will get the MYSAPSSO2 cookie for both domains [sap subdomain].[network domain].local and [network domain].[company].com
Regards
Dagfinn -
How to set up reverse proxy to allow user access portal site from internet
Hi all,
I have installed 10g(10.1.2.0.2) AS on same machine(single IP for both mid and infra with different users respectively). there is a DMZ on which windows IIS is working through which we need to redirect the request to application server such that users access portal page from internet (within intranet all URLs are working fine). I have went through technet documentation where i found 3 ways : through this link
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
I am confused to which option to use. Also i went through the metalink document 270160.1
Please help me which option to choose to do this.
Thanks.Hi Hozy,
May be it's too late, I am thinking to go in the same route for our sap portal access to external customers. Please can you share your experience , like what are the challenges have you faced? what is the complexity? what are all the resources we need to configure this?
I appreciate your feedback.
Thanks
Krish -
Reverse proxy plugin does not like the POST method
My second tier is not functionning properly when placed behind a S1WS6 with reverse proxy
Client ====== SunOne web server with Passthrough ====== .NET app server & web services.
The web server configuration (reverse proxy � libpassthrough.so) is configured and is working correctly when it comes to requesting normal pages, however a problem arises when the request is made either by:
1- Invoking a web service on the .Net tier, or
2- The .Net tier performs a server.transfer call within the same .net server (Page transfer)
Keep in mind that the .Net tier works fine when not accessed through the reverse proxy.
It seems that when a POST method is invoked, a Session Close is sent before data is sent back !!
We tried to isolate the problem from different angles but came up short, the http server log shows that the request was made
192.168.2.7 - - [14/Jul/2004:14:10:56 +0300] "POST /wavedms2.0/TestWebService/TestService.asmx HTTP/1.1" 100 0
Although response 100 indicates that it is waiting for more, while the web service error shows the following:
The underlying connection was closed: An unexpected error occurred on a receive.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at TestWebService.oWebService.MyWebSvc.HelloWorld()
at TestWebService.Form1.button1_Click(Object sender, EventArgs e)
In general, any page that uses POST method faces the same problem.I appreciate any help you can provide us with a solution on this issue.The Application Server plugin, libpassthrough.so, was designed to connect Web Server to Application Server. Unfortunately, it does not work with IIS which sends unsolicited "HTTP/1.1 100 Continue" responses.
-
Reverse Proxy using S1AS7 with libpassthrough.so
My second tier is not functionning properly when placed behind a S1AS7 with reverse proxy
Client ====== SunOne web server with Passthrough ====== .NET app server & web services.
The web server configuration (reverse proxy � libpassthrough.so) is configured and is working correctly when it comes to requesting normal pages, however a problem arises when the request is made either by:
1- Invoking a web service on the .Net tier, or
2- The .Net tier performs a server.transfer call within the same .net server (Page transfer)
Keep in mind that the .Net tier works fine when not accessed through the reverse proxy.
We tried to isolate the problem from different angles but came up short, the http server log shows that the request was made
192.168.2.7 - - [14/Jul/2004:14:10:56 +0300] "POST /wavedms2.0/TestWebService/TestService.asmx HTTP/1.1" 100 0
Although response 100 indicates that it is waiting for more, while the web service error shows the following:
The underlying connection was closed: An unexpected error occurred on a receive.
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at TestWebService.oWebService.MyWebSvc.HelloWorld()
at TestWebService.Form1.button1_Click(Object sender, EventArgs e)
I appreciate any help you can provide us with a solution on this issue.Thanks a million, yes it is exactly the same
Do you know if this release is available for download / purchase???? -
Cannot connect to Reverse Proxy
Hi- I have what I think is a basic Lync setup, but it's basica-ally driving me crazy! What I have is:
1 Standard Edition Server
1 Edge Server
1 Reverse Proxy (IIS with ARR)
1 Office Web Apps Server
I've followed some of the numerous how-tos to set up these boxes. My internal setup works great with no issues.
I've worked with my security admin to get the firewall rules set up.. We have SSL certs (with SANs) installed and assigned on RP and Edge. I've set up persistent routes on RP and Edge to FE server. I can telnet from Reverse Proxy to Edge and
back. I've ran netstat to ensure both are listening on 443. But when I run the Microsoft Connectivity Analyzer (online) results show that connection to port 443 on the server failed and says that the port is either blocked or not listening.
Using the Lync Connectivity Analyzer (in house) shows that a connection to "Lyncdiscover.domain.com" failed.
Any insight is greatly appreciated.
ThanxPublic DNS records verified. (Although I do see some posts that say to create CNAME records instead of A records (we created A records) and other posts that say it doesn't matter.
Rewrite rules in IIS ARR verified.
I've triple-checked the certificate (issued by Digicert) and the simple URLs are all listed in the SAN:
sip.domain.com, meet.domain.com, dialin.domain.com, lyncdiscover.domain.com, and officewebapps.domain.com
Here's the error generated by the LCA:
An error occurred while sending the request.
Unable to connect to the remote server
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond [xx.xxx.xxx.xxx]:443
If I try to open the Default Web Site from the server, I'm first presented with "There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address" message.
Clicking on "continue to this website" I get a "403-Forbidden" error. I read in another post that this message was as expected.
Trying to connect to lyncdiscover.domain.com from a browser on the RP returns a "Server not found". [This leads me to believe that the request is not getting through the firewall]. Attempts to access the simple URLs returns a "This page cannot
be displayed"
All services work internally...
More telnet testing: As previously posted, I CAN telnet between RP and Edge (external IPs) but CANNOT telnet to public IP of RP on 443
A similar issue with the Edge Server: netstat shows 0.0.0.0:443 listening but cannot connect via telnet to public IP on 443
RELATED QUESTION: Do I need the SANs included on my internal cert, too?
Thanx
SteveSmo
"Never, ever doubt what nobody is sure about." -Willy Wonka
Maybe you are looking for
-
HI. I am hoping someone can help me. The computer I have used for the last 5 years for my I tunes died. I got a new computer and went to transfer my itunes play lists over - and see that I can only transfer purchases. To make matters worse, in o
-
I made a selection and used edit>copy but get a Photoshop Elements Editor error message, "Could not complete the copy command because of a program error." What have I dobe wrong?
-
My macbook pro 2.33 17 inch takes 9 minutes to start and does not start with lion
my macbook pro 2.33 17 inch takes 9 minutes to start on Snow Leopard and does not go beyond the apple log start up with lion. When I am using Snow Leopard after it has finished the starting process; everything works well..it is just the 9.10 minutes
-
Palm One v. 4.14 desktop software- instructions to sync contacts into Outlook 2003?
I am running Palm One, version 4.1.4. This is very old. I would like to bring contact information over to Outlook 2003. I do not want to bring the contacts over one by one in V-card format. I want to import all contacts at once into Outlook 2003
-
Hello all, I'm trying to allow users to insert rows on a form in such away that the added row renders in the middle of the form. Probably having a check box on each row saying 'insert row above'. The purpose is to emulate editing a table in a word pr