HTTP Filtering and Reverse Proxy + DMZ

Hello all, I'm consolidating a number of my services and securing my network.
To give some context I have 1 static IP, several websites in the form of subdomain.domain.com where domain.com is the same but there are numerous subdomains which reside on different servers. Until recently we were just using port forwarding, etc. to access these remotely (subdomain.domain.com:9090, subdomain2.domain.com:9091) etc. but I would like to clean this up.
We have a 5505 ASA which our static IP is NAT'd to. That has a static route to an IIS server in the 'DMZ' portion of our network. I would like to find a way to have this server see 'subdomain1.domain.com' and send it to the server hosting that service, and so on for the other services.
I think I want to use Reverse-Proxy but I have never delved into IIS 8 before and the extent of my reverse proxy experience was using nginx to host several web services for a friend.
If I could get any advice on 1) how to filter the url requests and direct them to the right server (some are non-windows servers) and 2) how to do this securely from the DMZ to the internal lan?
Thanks SO much for any help!

To give a better picture, here's a more complete description of set up and goals
Static IP hits external interface of ASA. ASA has a static nat rule to forward it to my DMZ server.
DMZ server is running IIS 8. Here are what some of the sites look like.
jira.xxxxx.com -> 10.1.10.21 (ubuntu server) | port 80
email.xxxxx.com -> 10.1.10.16 (domain joined server 2012) port 80, 443
media.xxxxx.com -> 10.1.10.14 (domain joined server 2012) port 80, 443
other stuff like this -> 10.1.10.x port 80 or others
All of the A records for those domain names point to the static which routes to the ASA and then is NAT'd to the DMZ server. 
What do I need to do in IIS to have those sites get directed to the proper internal locations?
Thanks!!
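For the host-name routing asked about above, here is an added example of what the IIS side can look like. It is not from the original post or any reply. It assumes IIS 8 with the URL Rewrite module and Application Request Routing (ARR) installed, ARR's proxy feature enabled at server level (Server Proxy Settings in IIS Manager), and a single catch-all site on the DMZ server bound to ports 80 and 443 whose root web.config is shown. The host names and backend addresses are the ones listed in the post; everything else is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for the DMZ IIS 8 + ARR reverse proxy; not code from the original post.
     Assumes URL Rewrite and ARR are installed and ARR proxying is enabled at server level.
     Host names and backend IPs are the ones listed in the question. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Public side: send plain-HTTP requests for the TLS-only hosts to HTTPS first,
             so credentials for mail/media are never sent in clear over the Internet. -->
        <rule name="force https" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="^off$" />
            <add input="{HTTP_HOST}" pattern="^(email|media)\.xxxxx\.com$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>

        <!-- One rule per published host name. The Host header is matched exactly
             (anchored regex, case-insensitive by default), so a request can only reach a
             backend that was explicitly published; nothing is derived from the Host value. -->
        <rule name="jira.xxxxx.com" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^jira\.xxxxx\.com$" />
          </conditions>
          <!-- Plain HTTP to the Ubuntu box on port 80; {R:1} is the original path,
               the query string is appended by default. -->
          <action type="Rewrite" url="http://10.1.10.21/{R:1}" />
        </rule>

        <rule name="email.xxxxx.com" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^email\.xxxxx\.com$" />
          </conditions>
          <!-- Backend listens on 443; keep the DMZ -> LAN hop encrypted. -->
          <action type="Rewrite" url="https://10.1.10.16/{R:1}" />
        </rule>

        <rule name="media.xxxxx.com" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^media\.xxxxx\.com$" />
          </conditions>
          <action type="Rewrite" url="https://10.1.10.14/{R:1}" />
        </rule>

        <!-- Default deny: any Host that is not explicitly published gets a 404
             instead of being proxied anywhere or served by a default site. -->
        <rule name="unknown host" stopProcessing="true">
          <match url=".*" />
          <action type="CustomResponse" statusCode="404"
                  statusReason="Not Found" statusDescription="Host not published" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

A few points a practitioner would check with this layout. ARR adds an X-Forwarded-For header and, unless preserveHostHeader is turned on in the server-level proxy settings, sends the backend the rewritten host (the 10.1.10.x address), so applications that build absolute links from the Host header (Jira's base URL, for instance) need their public name configured on the backend. For the https rules, verify how your ARR version validates the backend's certificate before relying on that hop. On the ASA side (not shown; the exact ACL depends on the interface names and the DMZ host's address, which the post does not give), the DMZ interface only needs to be allowed to reach 10.1.10.21 on tcp/80 and 10.1.10.16 and 10.1.10.14 on tcp/443, with everything else from the DMZ to the inside denied; that keeps a compromised proxy from being a springboard to the rest of the LAN.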

Similar Messages

  • HTTP tunneling and reverse proxy server

    We're currently using Windows Media Services (WMS) to stream
    video on our website. There is an option WMS to use the HTTP
    protocol and to specify the port you'd like to use. This has
    allowed us to stream video through our external firewall, through
    our reverse proxy server, and through our internal firewall to our
    media server. I've been trying for two days now to get Flash Media
    Server (FMS) to do the same thing. For some reason the HTTP
    tunneling (RTMPT) protocol doesn't appear to be acting like the
    HTTP protocol that WMS is using. Anyone have some tips on this
    configuration. I've scoured web resources and documentation as best
    I could. Any help would be greatly appreciated.
    Thanks.

  • Transparent proxy and reverse proxy at the same time

    Can I have in a Content Engine v 4.2 transparent proxy and reverse proxy at the same time ?

    Yes, as long as you are not redirecting the two services on the same interface. One service takes precedence over the other and I believe transparent web-cache redirect takes precedence over reverse-proxy.

  • ISP redundancy and reverse proxy

    Greetings, community!
    We have two EDGE TMG servers and two INTERNAL TMG servers.
    We have two providers with two dedicated external IP addresses each.
    I configure ISP Redundancy for each EDGE TMG server with these parameters:
    Each EDGE TMG server has two External NIC and one Internal NIC. 
    EDGE 1: Provider1_IP1 and Provider2_IP1
    EDGE 2: Provider1_IP2 and Provider2_IP2
    ISP Connections:
    Provider1 and Provider2
    So, the trouble:
    We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
    Also we made 4 external DNS records for each Web-Service.
    For example:
    mail.domain.com Provider1_IP1
    mail.domain.com Provider1_IP2
    mail.domain.com Provider2_IP1
    mail.domain.com Provider2_IP2
    If we try to connect from external to any published Web-Services, we have a big delay (~ 30 sec), and then it connects.
    After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. IP addresses from EDGE 1 are unavailable from external access. But it still works as Web-Proxy for internal connections. Reverse-Proxy works only for EDGE 2 IP addresses.
    If we shut down the EDGE 2 TMG server, then Reverse-Proxy for EDGE 1 IP addresses works correctly.
    Why do not all 4 of my external IP addresses work for reverse-proxy? Only 2, from one of my EDGE servers.

    So, I still try to solve my problem...
    When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
    LOGS on DMZ server (EDGE1):
    Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3427) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 21000ms Original Client IP: 77.73.111.194 
    LOGS on INTERNAL server:
    Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection was abortively closed after one of the peers sent an RST packet.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 304 Number of bytes received: 192
    Processing time: 20281ms Original Client IP: 77.73.111.194
    When I try to connect my EDGE2 server external IP addresses, then:
    LOGS on DMZ server (EDGE2):
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 534 Number of bytes received: 146
    Processing time: 203ms Original Client IP: 77.73.111.194
    Then traffic was redirected to HTTPS:
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTPS 
    Source: External (77.73.111.194:3430) 
    Destination: Internal (172.16.0.100:443) 
    Protocol: HTTPS Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    LOGS on INTERNAL server:
    Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
    Rule: Publish OWA 
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: http 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:  
    It's OK, because IIS requires SSL. Then:
    Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194 
    Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 786 Number of bytes received: 318
    Processing time: 15ms Original Client IP: 77.73.111.194
    And HTTPS:
    Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 302 Moved Temporarily 
    Rule: Publish OWA 
    Source: External (77.73.111.194:3430) 
    Destination: Local Host (10.1.200.129:443) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: https 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x40000000 (Response should not be cached.)
    Processing time: 1 MIME type: text/html; charset=UTF-8 
    I can't understand the difference between these servers. If I shut down EDGE2, the Publishing will work fine through EDGE1.

  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • Lync 2013 Edge and Reverse proxy on same server with SNI

    Hello
    I cannot find information on whether it is possible to create a single Lync 2013 Edge server with a Reverse proxy on the same server?
    Would it not be possible to share port 443 with SNI support? That way we could use only one public IP?
    Thanks!

    Sorry, it doesn't work.  Remember that 443 isn't HTTPS for the Edge.  If you went with the single IP model for the edge, 443 would be used for the A/V role which would be STUN/TURN. 
    The edge will always want to listen on 443, it just doesn't work to collocate a reverse proxy.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • HTTP authentication via reverse proxy

    Hi,
    I've taken a dig around the interface for the 4.0.4 web proxy and in the documentation but haven't come up with much so far.
    What I want to do is configure a reverse proxy so that it feeds the HTTP authentication credentials into the server when we reverse from the proxy to it.
    i.e.
    user --> revproxy --> (http_details) --> webserver
    The user won't enter these; they'll somehow, if possible, be configured into the reverse proxy so it knows what HTTP realm string to match to a target host and feed the credentials into it.
    Is this possible?

    Since it is just a matter of adding an Authorization header, it is possible.
    Look around for other discussions about adding headers.

  • VIrtual host and reverse proxy  FOR EBIZ R12.0.6

    We have 4 dev EBIZ instances on a single HP-UX Itanium server on which I have to set up one instance for virtual hosting and to work behind a reverse proxy.
    Any particular documents or steps for this?
    Thanks
    mn

    we have 4 dev EBIZ instances on a single hp_ux itanium server on which I have to setup one instance for virtual hosting and to work behind a reverse proxy .
    any particular documents or steps for this.
    Implementing Virtual Host, Concurrent Managers and EM DBconsole on Oracle Applications R12 [ID 603883.1]
    Conc-System Node Name Not Registered After Fresh Install Using Virtual Name [ID 948644.1]
    Is Auto Failover With Virtual Hostnames For Concurrent Processing Servers Supported In 11i Or R12? [ID 456540.1]
    Case History: Implementing a Reverse Proxy Alone in a DMZ Configuration - R12 [ID 726953.1]
    Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
    Thanks,
    Hussein

  • Omniportlet and reverse proxy

    I have an Oracle Portal installation behind a reverse proxy with Portal on 1 server, SSO/OID on another server, and the database on a 3rd server.
    Portal works fine, but Omniportlet and Webclipping are using the server name and port for the Portal server and not the reverse proxy URL. The Portal server name and port are, of course, not accessible to users.
    There is no proxy between the Portal and the database.

    Originally Posted by ghuertae
    Hi. I have one server with one internal IP 10.x.x.x, reverse proxied to one public IP 159.x.x.x. Why? Because we need that server to be usable by public and internal users.
    For example, an external user has a server 200.x.x.x and they need to connect to my server 159.x.x.x on different ports like 8020, 8000 and port 22 (ssh).
    With ports 8000 and 8020 there is no problem, they can connect, but with port 22...
    I made the following filter in my BorderManager 3.8 (Novell 6.0):
    Src Interface : ALL
    Dest Interface : ALL
    Packet Type: ssh (default 22)
    Src Port: ALL
    Protocol: TCP
    Dest Port: 22
    Src Add Type: Host
    Src IP Add: 200.X.X.X
    Dest Add Type: Host
    Dest IP Add: 159.X.X.X
    and
    Src Interface : ALL
    Dest Interface : ALL
    Packet Type: ssh2 (default 22)
    Src Port: 22
    Protocol: TCP
    Dest Port: ALL
    Src Add Type: Host
    Src IP Add: 159.X.X.X
    Dest Add Type: Host
    Dest IP Add: 200.X.X.X
    In the BorderManager server setup "Acceleration -> HTTP Acceleration" I put web server port 22 / Named IP Address = the internal IP, and in Proxy IP Addr the public IP.
    If I do a telnet 159.X.X.X 22 I can connect, but if I use a program like PuTTY or the
    ssh 159.X.X.X command I cannot connect!
    Is there an error in my filter? Or is there something else that I have to do?
    Thanks a lot.
    OK, the solution that I found is... use the reverse proxy and NAT for the same IP and it works fine.
    I can access ssh without problem!

  • SAPUI5 app and Reverse proxy configuration

    Hi
    I'm trying to configure a proxy server for a cross-origin resource sharing issue.
    I have configured the steps below on my machine.
    1. I have developed an application which consumes data through OData.
    2. Downloaded and configured Apache server and enabled the proxy module as per this url
    http://scn.sap.com/community/developer-center/front-end/blog/2013/06/29/solving-same-origin-policy-issue-in-different-ways
    3. In httpd.config file added the below reverse proxy setup
    ProxyPass /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
    ProxyPassReverse /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
    4. Changed my service url as
    var serviceUrl = "proxy/http/localhost/poodata";
    5. Also I have added java-property-utils-1.9.jar and cors-filter-1.8.jar, then
    in web.xml I have added the following, even though it seems not necessary.
      <filter>
      <display-name>CacheControlFilter</display-name>
      <filter-name>CacheControlFilter</filter-name>
      <filter-class>com.sap.ui5.resource.CacheControlFilter</filter-class>
      </filter>
      <filter>
      <filter-name>CORS</filter-name>
      <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
      </filter>
    6. Finally when I am executing the application through http://localhost:9080/SamplePO/ it's working. But instead of localhost, when I'm using the IP address it shows NO DATA and throws the "500 internal server error - only allowed for local testing".
    Also the application is trying to fetch data from 'http://10.130.41.158:9080/SamplePO/proxy/http/localhost/poodata/$metadata' where the location should be 'http/localhost/poodata/$metadata'.
    I want to access this application on my iPad through WiFi by passing the IP address followed by the application name (http://10.130.41.158:9080/SamplePO).
    Please help me to fix this issue.
    Regards
    Yokesvaran Kumarasamy

    Hi Michael Herzog / DJ Adams / Frank Welz,
    It seems you have very good knowledge on this, can you please help with this issue?
    Thanks in Advance
    Regards
    Yokesvaran Kumarasamy

  • Doubts about HTTPS requests and Java proxy

    Hello,
    I need help with SSL connections and Java.
    I'm developing an HTTP/S proxy in Java. To test my proxy, I use Firefox. I configure the proxy option in the browser. The proxy works well with HTTP requests, but with HTTPS requests it doesn't work and I don't know why.
    I explain the steps that I do for an HTTPS request:
    * The browser sends a CONNECT message to the proxy.
    I check that the proxy receives the CONNECT request correctly.
    * The proxy establishes a secure connection with the content server.
    I use an SSLSocket to connect to my content server, and the SSL handshake is successful.
    * The proxy sends a 200 HTTP response to the client:
    I send
    HTTP/1.0 200 Connection established[CRLF]
    [CRLF]
    to the application client (Firefox)
    * The proxy sends/receives data to/from Firefox/content server
    I have a Socket between Firefox and my proxy, and an SSLSocket between my proxy and my content server. I use two threads to communicate between the client and the server.
    Java code:
    //Thead server-->proxy-->application(Firefox)
    ThreadComm tpa = new ThreadComm(bis_serverSSL, bos_app);
    //Thread application(Firefox)-->proxy-->server
    ThreadComm tap = new ThreadComm(bis_app, bos_serverSSL);
    The "tpa" thread reads from the SSLSocket between the proxy and the server and sends data to the Socket between the proxy and Firefox.
    The "tap" thread reads from the Socket between the proxy and Firefox and sends data to the SSLSocket between the proxy and the server.
    This is the class ThreadComm:
    import java.io.BufferedInputStream;
    import java.io.BufferedOutputStream;
    import java.util.logging.Level;
    import java.util.logging.Logger;

    public class ThreadComm extends Thread {
        private BufferedInputStream bis = null;
        private BufferedOutputStream bos = null;

        public ThreadComm(BufferedInputStream bis, BufferedOutputStream bos) {
            this.bis = bis;
            this.bos = bos;
        }

        @Override
        public void run() {
            int b = -1;
            do {
                try {
                    // Blocks until one byte is available; -1 means the peer closed its side.
                    b = bis.read();
                    if (b == -1) {
                        break;
                    }
                    // Forward the byte unchanged to the other end of the tunnel.
                    // (The debug dump to a FileOutputStream was removed: the stream was never opened.)
                    bos.write(b);
                    bos.flush();
                } catch (Exception ex) {
                    Logger.getLogger(ThreadComm.class.getName()).log(Level.SEVERE, null, ex);
                    // Stop copying on an I/O error instead of looping forever.
                    b = -1;
                }
            } while (b != -1);
        }
    }
    But this doesn't work and I don't know why.
    I have an Apache server with mod_ssl enabled as content server. I can send requests (with Firefox) to port 80 (HTTP request) and 443 (HTTPS request) without using my proxy and it works. If I use my proxy, HTTP requests work but HTTPS requests don't work. I look at the Apache log and I see:
    [Tue Apr 27 17:32:03 2010] [info] Initial (No.1) HTTPS request received for child 62 (server localhost:443)
    [Tue Apr 27 17:32:03 2010] [error] [client 127.0.0.1] Invalid method in request \x80\x7f\x01\x03\x01
    [Tue Apr 27 17:32:03 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
    [Tue Apr 27 17:32:03 2010] [info] [client 127.0.0.1] Connection closed to child 62 with standard shutdown (server localhost:443)
    Why does it say "Invalid method in request \x80\x7f\x01\x03\x01"? My proxy sends the data that Firefox sends.
    I think that I have followed the explanations of [1] but it doesn't work; I have problems in the Java implementation but I don't know where.
    I appreciate any suggestions.
    Thanks for your time.
    [1] http://www.web-cache.com/Writings/Internet-Drafts/draft-luotonen-web-proxy-tunneling-01.txt

    ejp, I have checked the socket between the proxy and server and ... you are right! I was using port 80 instead of 443 (incredible mistake, I'm sorry). I was convinced that I was using port 443... Well, it's a little step, but I still have not won the war :)
    If I look at the Apache log files, we can see that something goes wrong.
    localhost-access.log
    >
    127.0.0.1 - - [04/May/2010:17:44:48 +0200] "\x 80\x 7f\x01\x03\x01" 501 219
    >
    localhost-error.log
    >
    [Tue May 04 17:44:48 2010] [info] Initial (No.1) HTTPS request received for child 63 (server localhost:443)
    [Tue May 04 17:44:48 2010] [error] [client 127.0.0.1] Invalid method in request \x80\x7f\x01\x03\x01
    [Tue May 04 17:44:48 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
    [Tue May 04 17:44:48 2010] [info] [client 127.0.0.1] Connection closed to child 63 with standard shutdown (server localhost:443)
    >
    I think that this happens because Apache receives the data without decrypting it; this is the reason why in the log we can see "Invalid method in request \x80\x7f\x01\x03\x01". Is this supposition true?
    ejp, you say that "Termination is quite tricky." I have changed my code following your suggestions (using the join and the shutdownOutput) but the threads don't die.
    I explain you what I do:
    (in time 1)
    I launch the thread (threadFirefoxToApache) that reads data from Firefox and sends to Apache.
    I launch the thread (threadApacheToFirefox) that reads data from Apache and sends to Firefox.
    (in time 2)
    threadFirefoxToApache sends the first data to the server.
    threadApacheToFirefox is waiting that the server says something.
    (in time 3)
    threadFirefoxToApache is waiting that Firefox says something.
    threadApacheToFirefox sends data to Firefox.
    (in time 4)
    threadFirefoxToApache is waiting that Firefox says something.
    threadApacheToFirefox is waiting that Firefox says something.
    and they are waiting... and never finish.
    In time 2, these first data are encrypted. The server receives these data and it doesn't understand them. In time 3, the server sends an HTTP response "501 Method Not Implemented"; here there is a problem because this data must be encrypted. According to the documentation that I read, the proxy cannot "understand" this data, but I can "understand" this data. What's happening?
    Firefox encrypts the data and sends it to the proxy. This is correct.
    The proxy encrypts the data another time, because I use the SSLSocket to send the data to the server. Then the server receives the data encrypted two times; when it decrypts the data it gets the data encrypted one time. And this is the reason why the server doesn't understand the data that Firefox sends. Is it correct? Maybe.
    Then if I want the server to receive the data encrypted one time I need to use the socketToServer, is that correct?
    I will suppose that yes. If I use the socketToServer, the proxy doesn't understand anything, because the data received from the socketToServer are encrypted (I only see symbols), but the Apache log says that there is a problem with the version? (If I use the socketToServer the threads die)
    >
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write change cipher spec A
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write finished A
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
    [Tue May 04 19:55:42 2010] [info] Connection: Client IP: 127.0.0.1, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#29bd910 [mem: 29ea0a8] (BIO dump follows)
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1750): -------------------------------------------------------------------------
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1789): | 0000: 80 7f 01 03 .... |
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1793): | 0005 - <SPACES/NULS>
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_io.c(1795): ------------------------------------------------------------------------
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
    [Tue May 04 19:55:42 2010] [info] [client 127.0.0.1] SSL library error 1 reading data
    [Tue May 04 19:55:42 2010] [info] SSL Library Error: 336130315 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    [Tue May 04 19:55:42 2010] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully
    [Tue May 04 19:55:42 2010] [info] [client 127.0.0.1] Connection closed to child 63 with standard shutdown (server localhost:443)
    >
    Which option is correct? Do I need to use the SSLSocketToServer or socketToServer to send/read the data to/from the server? Using the SSLSocket makes sense because the data travel in a secure socket, but using the Socket also makes sense because the data are already encrypted and protected by this encryption. It's complicated...

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to the certificate planning for Lync 2013 Edge Server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my edge server and the reverse proxy?
    My second question: which names should be added to the certificate?
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    What else should I add? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network.  Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
    SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only. 
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
    can present the third party certificate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Certificate and Reverse Proxy

    Hi everyone,
    I'm trying to configure a Push Mail solution with my iPhone 2 (2.1) in my company.
    The goal is to access my Exchange server through a reverse proxy with a certificate for authentication.
    FIRST TEST:
    - Set up configuration on the iPhone to connect to a public IP address as Exchange Server.
    - On the reverse proxy, this IP is forwarded to the Exchange Front-End server.
    - On the reverse proxy, NO certificate configured for authentication -> It's working fine! I can see my e-mails & calendar on my iPhone!
    Bad solution for security reasons...
    SECOND TEST:
    - Activate certificate on the reverse proxy.
    - Install the certificate on the iPhone with the Web Configuration utility: The certificate is shown in the General tab on the iPhone.
    - Trying to connect, ERROR... I can see in the event log of my reverse proxy that no valid certificate from my iPhone was submitted.
    Any idea why the iPhone doesn't send the certificate to allow authentication on my reverse proxy?
    Thank you,
    Stan

    Kristoffer,
    The answer will depend on how you have NGINX configured from a reverse proxy standpoint.  The certificate will need to match the hostname entered on the client in this case sapmobile.customer.com.   Since the traffic from the client will never get directly to the SMP 3 server the certificate should be installed on the NGINX installation as this is where the Agentry client will connect to and receive the certificate to validate against the hostname entered.
    NGINX will need to also be configured to validate the connection between itself and SMP 3.0 or to ignore the certificate if it doesn't trust it.
    The certificate on the SMP 3 server should be able to stay as the internal machine name assuming NGINX is acting as a true proxy and not just passing traffic through to the SMP 3 server.
    Unfortunately I am unable to open the link you included on SDN to review what it says.
    --Bill
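    The two certificate roles Stan's and Bill's posts touch on (the server certificate the client validates against the public hostname, optional client-certificate authentication at the proxy, and the proxy's own validation of the internal back end) can all be expressed in one NGINX server block. The configuration below is an added example, not Bill's, Stan's, SAP's or NGINX's own code; the hostname sapmobile.customer.com is taken from Bill's reply, while the internal host smp3.corp.internal, the IP 10.1.10.50, the certificate paths and the port 8081 are assumptions for illustration.

```nginx
# Added example: NGINX as a TLS-terminating reverse proxy in front of an
# internal application server (SMP 3 / Exchange front end / any HTTPS back end).
# All hostnames, IPs and paths below are assumed for illustration.

server {
    listen 443 ssl;

    # The name the mobile client types in. The certificate served here MUST
    # carry this name (CN or SAN), because the client validates against it.
    server_name sapmobile.customer.com;

    ssl_certificate     /etc/nginx/tls/sapmobile.customer.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/sapmobile.customer.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client-certificate authentication at the proxy (Stan's "second test").
    # With "on", NGINX itself rejects any handshake without a cert chaining to
    # this CA bundle; the back end never sees the request.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    location / {
        # Connect to the back end by IP; its certificate carries the internal
        # machine name, which can stay as-is (Bill's point).
        proxy_pass https://10.1.10.50:8081;

        # Validate the proxy -> back-end leg. This is the hardened setting.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/internal-ca.pem;
        # Because proxy_pass uses an IP, tell NGINX which name to expect in the
        # back-end certificate and to send it as SNI.
        proxy_ssl_name                 smp3.corp.internal;
        proxy_ssl_server_name          on;
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;

        # Weak alternative Bill mentions ("ignore the certificate if it doesn't
        # trust it"): accepts any back-end certificate, so anything able to
        # redirect traffic inside the DMZ can impersonate the application.
        # proxy_ssl_verify off;

        # Preserve the external hostname so the application builds correct
        # absolute URLs, and pass the client-cert result on for logging/authz.
        proxy_set_header Host               $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  https;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }
}
```

    Check the server-side certificate with `openssl s_client -connect sapmobile.customer.com:443 -servername sapmobile.customer.com` and confirm the subject or SAN matches the typed hostname; `nginx -t` will fail if the trusted-CA file for the back-end leg cannot be read. If `proxy_ssl_name` is omitted while `proxy_pass` points at an IP, NGINX expects that IP in the back-end certificate and `proxy_ssl_verify on` will fail with a handshake error in the error log.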

  • Reverse Proxy and SLD on an Enterprise Portal 7.0

    Hi
    I need to configure SLD and Reverse Proxy on an Enterprise Portal Server.
    How do i do this...
    can you refer me to the applicable guides
    Thanks
    Kalyan

    Hello,
    Thank you for your interest in my problem.
    Browser --SSL--> Firewall/DMZ (No SSL termination, all traffic forwarded to ISA Server). Yes, but there is a port translation, port 443 to 50201.
    Firewall/DMZ --SSL--> ISA Server (SSL Termination). In fact it is not the SSL termination, but from this point the URL is modified to reach the host with EP 7.0.
    ISA Server --SSL--> EP 7.0 (port 50201). When I test my configuration I get the message "web page not found". With a capture software I have verified that the request is sent to my EP 7.0 (URL2), but no logon page appears. With the online modification of the HTTP provider in the dispatcher, I have checked that the response contains URL1 and the standard port, but no web page is displayed.
    Thank you for your help.
    Regards,
    Julien

  • CSM, Reverse Proxy, and Sticky

    First, here is a diagram of my setup:
    CSM w/VIP for Front-End Web Servers (acting as Authorization and Reverse Proxy)
    |
    SSL Module for termination of HTTPS traffic
    |
    Front-End Web Servers
    |
    CSM w/VIP for Back-end Web Servers
    |
    Back-end Web Servers
    What I need is a way to ensure that users get to the same Back-end Web Server for their entire session. The Front-End Web Servers act as a Reverse Proxy for all requests going to the Back-End Web Servers and are configured to send requests to the VIP for the Back-End Web Servers.

    Gilles,
    Thanks for the response. This is https traffic for the user, but from the Front-End to the Back-End it's just http. Unfortunately it's SAP so it's not a normal HTTP Back-end that can generate cookies. Currently I am only running 3.1(7). What is the status of the 4.1 train? Being new I am concerned about utilizing this level. What has been the experience of customers on this code level in the field?
