IIS server reverse proxy to JCAPS integration server

Similar Messages

• Solution: iPad/iPhone Login issues with IIS as Reverse Proxy (Android and Windows Phone works)

  Hi,
  I had issues with iPad/iPhone access from external and tried a lot. Now I found my solution I like to share.
  I setup a IIS on Windows Server 2012 with ARR 2.5 and Android and Windows Phone could login but not iPad and iPhone.
  The IIS Log on the reverse proxy showed:
  2013-02-26 12:03:31 <IP> POST /webticket/webticketservice.svc X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=1996c8d7-09d0-4310-8da4-a8dfb7940e28 443 - <ClientIP> Lync%202010/1.6+CFNetwork/609+Darwin/13.0.0 - 401 0 0 124
  2013-02-26 12:03:31 <IP> POST /webticket/webticketservice.svc X-ARR-CACHE-HIT=0 443 - <ClientIP> Lync%202010/1.6+CFNetwork/609+Darwin/13.0.0 - 502 3 12018 93
  First Request gets a 401 while anonymous. Second try would be with authentication but it never reached the internal front end server.
  After I installed a fix for ARR
  http://forums.iis.net/t/1195560.aspx/1?ARR+502+3+Bad+Gateway+0x80072ef2+2147954418+The+supplied+handle+is+the+wrong+type+for+the+requested+operation the Apple Devices could login.

  Hi,
  This resolved our problem too!! So happy after 2 weeks of messing around with just about every setting recommended from all types of forums and rebuilding our reverse proxy I was at a loose end. 
  Our environment is Lync 2013 Enterprise, Lync 2013 Edge, IIS as Reverse Proxy on Server 2012 using ARR 2.5
  We had Android and Windows clients working but no iOS devices at all. In the iOS log we were seeing 
  <h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>502 - Web server received an invalid response while acting as a gateway or proxy server.</h2> <h3>There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.</h3> </fieldset></div></div></body></html>
  When the client was trying to retrieve from the webticketservice.svc
  2013-04-11 17:19:44.659 Lync[4970:6c61000] INFO TRANSPORT TransportUtilityFunctions.cpp/907:<ReceivedResponse>
  POST https://lyncwebext.contoso.com/webticket/webticketservice.svc
  Request Id: 0x72cfc18
  HttpHeader:Content-Length 1477
  HttpHeader:Content-Type text/html
  HttpHeader:Date Thu, 11 Apr 2013 16:22:25 GMT
  HttpHeader:Server Microsoft-IIS/8.0
  HttpHeader:StatusCode 502
  Installed the HotFix from here:-
  Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64)
  Rebooted the Reverse Proxy and iOS clients worked straight away for both Lync 2010 and Lync 2013 on both iPhone 5 and iPad both. 
  I hope this helps others as I was losing the plot :-)
  Cheers
  Sam

• IIS ARR reverse proxy..can someone explain how traffic goes?

  I'm building a reverse proxy server from the ground up, and I'm using IIS ARR. 
  I'm following this awesome guide to do it: 
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
  I'm having a hard time grasping this IIS stuff and I was wondering if someone could explain something.
  Am I supposed to use the external IP of the reverse proxy in external DNS, or the external IP of the edge server?
  Are my simple URLs (I'm using lws, meet, dialin, and lyncdiscover in IIS ARR) supposed to externally resolve to the reverse proxy, and then my accessedge URLS resolving to the external IP of the edge? 
  I'm trying to figure out what to ask to have added to external DNS, and I was thinking that all these requests would come into the Edge, and then the edge would push it up to the reverse proxy for port translation, and then down to the front end, or something. 
  Thanks!
  Brandon
  Edit: I think I might have figured it out... Is the external IP of the reverse proxy the "Lync Web Services External IP"? If that's the case, I got confused in my validator.

  You beat me to it.  Yes, you'd communicate with the edge directly.  The reverse proxy is for Lync Web Services such as your external web services URL, meet, lyncdiscover, dialin, etc.  It's just a method of publishing your front ends
  to the Internet.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Iview capable of performing reverse proxy for application integration.

  Is there a iview in EP capable of reverse proxying a web application. We are attempting to setup
  our production landscape. We can  of course use apache to reverse proxy applications hidden behind our dmz by punching a bunch of holes through our firewall. This is not something we wish wish to do as it totally circumvents the safety imposed by our firewalls and dmz. Not having this capability causes all sorts of difficulties with application integration, cross domain scripting issues as well as administrative burden by having to maintain, secure and expose these internally hosted applications.
  If this functionality does not exist in out of the box EP, does anyone know a third
  party that offers this? 
  Thanks
  Cliff Baeseman

  Cliff,
  I am not sure I understood your question correctly.
  EP is an application running on NetWeaver Application Server. This AS has a component called as Web dispatcher which works like a reverse proxy but isn't meant to proxy applications running on a different server other than NetWeaver AS.
  Where is your web application deployed?
  More info needed.
  Regards,
  Kiran

• Direct calls within the oracle application server to the IIS using reverse

  trying to direct calls within the oracle application server to the IIS using reverse proxy. I am having problems...
  What is trying to be achieved is a call to the 3rd party web server (IIS with Oracle SSO plug-in) that will be invoked from the OAS.
  Any suggestions

  First you might get more response if you move your question to following forum:
  Oracle Application Server - General
  Second, I didn't quite understand your question. Can you pl. clarify it bit more? What exactly do you mean by invoking IIS from OAS (I am assuming by OAS you mean OC4J here)?
  Thanks
  Shail

• Reverse Proxy and OWA

  Hi,
  Setup:
  3 CAS servers - Exchange 2010
  1 IIS ARR reverse proxy
  I followed these two
  1 2 write-ups on how to setup Exchange 2010 OWA to use IIS ARR as a reverse proxy. The problem I'm having is
  when all three servers are online in the server farm OWA doesn't work properly. You can log in fine, but it appears to not load fully and you can't click on anything (eg Calendar, emails, forward, reply, etc). If I were to take all the servers offline except
  for one (doesn't matter which one), OWA functions normally.
  Since some users also access OWA internally I have configured IIS on each CAS server to redirect to HTTPS and the OWA virtual directoy. I don't think this is causing the problem, but I thought I should mention it.
  I followed the articles exactly. I'm not sure what could be causing the problem.
  Thanks

  Hi,
  According to your description, there may be some problem on the configuration of your IIS ARR.
  Thus, let’s troubleshoot ARR using Failed Request Tracing Rules to find the root cause.
  For the detail steps, please refer to the following article:
  http://www.iis.net/learn/troubleshoot/using-failed-request-tracing/using-failed-request-tracing-rules-to-troubleshoot-application-request-routing-arr
  And we can also check if the URL rewrite rules are working as expected:
  For more steps, please refer to the partition named Verifying if the above rules are working as expected in the reference below:
  http://blogs.technet.com/b/exchange/archive/2013/08/05/part-3-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
  Thanks,
  Angela
  Angela Shi
  TechNet Community Support

• Proper reverse proxy in DMZ

  Hi all,
  I am having OS X Server in Server-LAN part of network and I am using it for Open Directory, Profile Manager, Mail server... Of course push notifications are there too. However Apple needs to have the same server visible from internet to make push notifications and profile manager work.
  In best practices I found solution using d-nat on certain ports, but exposing server to the internet this way is not acceptable. Therefore I am looking for some reverse proxy solution that I can put into my DMZ zone, that would allow me to use these services without direct exposure the server to the internet.
  Currently I solved it using rinetd, but I am not very happy with this solution either.
  Missing good solution for more than a year I wander how do you solve this issue?
  Thanks.

  The only Exchange role that is supported in a DMZ is the Edge role, but that doesn't do reverse proxy.
  Several months ago I would have suggested you install TMG, but that product is no longer offered.  There are third-party reverse proxy solutions, some integrated with load balancers and firewalls.
  Windows Server 2012 R2 has ARR and WAP, both which do some of what you might want; you might investigate those.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Reverse Proxying in IIS server with WebLogic Server 8.1

  Hi All,
  I have a customer who wants to know if we have an IIS server in DMZ (De-materialized Zone) that is used as a Reverse proxy server (server #1).
  He installed IISProxy.DLL and IISForward.DLL per PeopleSoft's and BEA instructions. They opened up a port to their PeopleSoft server (server #2) where their weblogic 8.1 is running the PeopleSoft Web server.
  From outside the city (i.e. from home) he can go to
  http://www.roundrocktexas.gov/PRTL9/signon.html and connect to their PeopleSoft 9 Enterprise Portal (so far so good). However, when he clicks on a link on his portal to go to a document or an application that is set up on another server (server #3, is an IIS web server) the link fails.
  If he is in intranet all links function properly and there is no problem.
  What he would like to be able to do is to be able to access the content on server #3 when logging in via the RPS (Reverse Proxy Server)(server #1) which is connecting him to server #2. As a test one of the non-PeopleSoft URLs that work internally is http://websrvr/fitness/login.asp. He is trying to connect from server #1 to it which resides on server #3 when he tries that he could not find file.
  I have gone through some of the links and I came to know that IIS does not support reverse proxying. I am not sure completely. For reverse proxying, we need to use ISA server (Microsoft Product) before IIS. Is this true?
  Is Reverse Proxying supported in IIS? If yes, can anyone suggest me what to do in the above scenario.
  Thanks,
  Sreedevi

  Your DOCTYPE references 2.4, it should be 2.3. WLS 8.1 supports J2EE 1.3 which was servlet 2.3.
  Servlet 2.4 is part of J2EE 1.4 and is supported by WLS 9.0/9.1. Also it uses XML Schema not a DTD.
  -- Rob
  WLS Blog http://dev2dev.bea.com/blog/rwoollen/

• How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

  Some of our installations use the Sun Web Server 7.0 (update 1, usually)
  for hosting some of the public resource and reverse-proxying other parts
  of the URI namespace from other backend servers (content, application
  and other types of servers).
  So far every type of backend server served a unique part of the namespace
  and there was no collision of names, and the backend resources were
  published in a one-to-one manner. That is, a backend resource like, say,
  http://appserver:8080/content/page.html would be published in the internet
  as http://www.publicsite.com/content/page.html
  I was recently asked to research whether we can rename some parts of
  the public URI namespace, to publish some or all resources as, say,
  http://www.publicsite.com/data/page.html while using the same backend
  resources.
  Another quest, possibly related in solution, was to make a tidy url for the
  first page the user opens of the site. That is, in the current solution when
  a visitor types the url "www.publicsite.com" in his or her browser, our web
  server returns an HTTP-302 redirect to the actual first page URL, so the
  browser sends a second request (and changes the URL in its location bar).
  One customer said that it is not "tidy". They don't want the URL to change
  right upon first rendering the page. They want the root page to be rendered
  instantly i the first HTTP request.
  So far I found that I can't solve these problems. I believe these problems
  share a solution because it relies on ability to control the actual URI strings
  requested by Sun Web Server from backend servers.
  Some details follow, now:
  It seems that the reverse proxy (Service fn="service-passthrough") takes
  only the $uri value which was originally requested by the browser. I didn't
  yet manage to override this value while processing a request, not even if
  I "restart" a request. Turning the error log up to "finest" I see that even
  when making the "service-passthrough" operation, the Sun Web Server
  still remembers that the request was for "/test" (in my test case below);
  it does indeed ask the backend server for an URI "/test" and that fails.
  [04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
  trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
  fn="service-passthrough" rewrite-host="true" rewrite-location="true"
  servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
  returned 0 (REQ_PROCEED)My obj.conf file currently has simple clauses like this:
  # this causes /content/* to be taken from another (backend) server
  NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
  # this causes requests to site root to be HTTP-redirected to a certain page URI
  <If $uri =~ '^/$'>
      NameTrans fn="redirect"
          url="http://www.publicsite.com/content/MainPage.html"
  </If>
  <Object name="content-test">
  ### This maps http://public/content/* to http://10.16.2.127:8080/content/*
  ### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
      Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
      Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
  </Object>
  I have also tried "restart"ing the request like this:
      NameTrans fn="restart" uri="/data"or desperately trying to set the new request uri like this:
      Service fn="set-variable"  uri="/magnoliaPublic/Main.html"Thanks for any ideas (including a statement whether this can be done at all
  in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
  //Jim

  Some of our installations use the Sun Web Server 7.0 (update 1, usually)please plan on installing the latest service pack - 7.0 Update 4. these updates addresses potentially critical bug fixes.
  I was recently asked to research whether we can rename some parts of
  the public URI namespace, to publish some or all resources as, say,
  http://www.publicsite.com/data/page.html while using the same backend
  resources.> now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
  yes, you could do something like
  - edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
  <Object name=¨default¨>
  <If $uri = ¨/page/¨>
  #move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
  NameTrans.. fn=map
  </If
  </Object>
  and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
  finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
  <install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname>
  <install-root>/bin/wadm deploy-config --user=admin <hostname>
  you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
  http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
  finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
  http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
  >
  One customer said that it is not "tidy". They don't want the URL to change
  right upon first rendering the page. They want the root page to be rendered
  instantly i the first HTTP request.
  please check out the rewrite / restart SAF. this should help you.
  http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
  pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
  It seems that the reverse proxy (Service fn="service-passthrough") takes
  only the $uri value which was originally requested by the browser. I didn't
  yet manage to override this value while processing a request, not even if
  I "restart" a request. Turning the error log up to "finest" I see that even
  when making the "service-passthrough" operation, the Sun Web Server
  still remembers that the request was for "/test" (in my test case below);
  it does indeed ask the backend server for an URI "/test" and that fails.
  now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don´t have to download a separate plugin . however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
  http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
  feel free to post to us if you need any futher help
  you are probably better off - starting fresh
  - install ws7u4
  - use gui or CLI to create a reverse proxy and map one on one - say content
  http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
  if you don´t plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
  <install-root>/bin/wadm disable-java user=admin config=<hostname>
  <install-root>/bin/wadm create-reverse-proxy user=admin uri-prefix=/content server=<http://your back end server/ config=<hostname> --vs=<hostname>
  <install-root>/bin/wadm deploy-config --user=admin <hostname>
  now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
  >
  I have also tried "restart"ing the request like this:
  NameTrans fn="restart" uri="/data"
  ordering is very important here... you need to do this some thing like
  <Object name=default>
  <If not $restarted>
  NameTrans fn=restart uri from=/¨ uri=/foo.
  </If>

• Sun Web server 6.1 SP9 Reverse proxy - Changing Web Server Context

  I am trying to configure a Reverse Proxy such that it can change the context of the requested URL.
  My SOWS reverse proxy plug-in is running on server server1.sample.com and the destination server is running on server2.sample.com. The use case, the incoming URL is [|http://server1.sample.com/dummy1/]...... and I need to map this to {color:#0000ff}http://server2.sample.com/*dummy2*/.....;{color} It looks like the reverse proxy only maps to a server level but disregards the context. The reason I say that, in the server 2 logs I see - .... trying to GET /dummy1....; I needed the call to look for dummy2 context. Can this be done?

  well, web server uri processing does not understand web application level context (in terms of java web applications). however, if you would like to map all uri's ending with /dummy1 to go to /dummy2, then you can easily do this with web server 7 regular express processing
  http://blogs.sun.com/elving/entry/mass_virtual_hosting_in_7
  http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
  besides web server 7 includes a very tightly integrated reverse proxy unlike 6.1 where you need reverse proxy as a separate plugin. so, you might want to check out if ws7 can serve your needs
  - sriram

• Ask the Experts: Single Sign-On with Cisco WebEx Meetings Server, Internet Reverse Proxy, and Enterprise License Manager Solutions

  With Arun Kumar
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Single Sign-On (SSO) with Cisco WebEx Meetings Server (Cisco WMS), Internet Reverse Proxy (IRP), and Enterprise License Manager (ELM) solutions.
  SSO standards such as Security Assertion Markup Language (SAML) 2.0 provide secure mechanisms for passing credentials and related information between different websites that have their own authorization and authentication systems. SSO enables simplified user authentication and management.
  IRP provides public access, enabling users to host or attend meetings from the Internet and mobile devices. Although IRP is optional, Cisco encourages its use because it provides a better user experience for your mobile workforce.
  Example question topics include:
  SSO profiles and SAML 2.0 Identity providers (IdPs) supported in Cisco WMS
  Basic configuration of IdPs
  Interaction between IdPs and Cisco WMS
  Difference between the cloud client implementation and Cisco WMS
  Meeting access behavior in a split-horizon network topology with SSO
  How to enable public access to Cisco WMS
  Cisco WMS ELM operations
  Cisco WMS ELM compared to other unified communications ELM or standalone ELM and compatibility/inoperability between them
  Arun Kumar is a team lead in the San Jose Conferencing Technical Assistance Center. He has over eight years of experience in conferencing technology and specializes in Cisco Unified Meeting Place Express and Cisco WebEx Meeting Server. He joined Cisco in 2010 as an escalation engineer for the Cisco Telepresence group. Before joining Cisco he worked for the UK's third-largest internet service provider Supanet on VoIP technology and the *Nix domain. Kumar holds a master of science degree in computer science from Sikkim Manipal University in India, and he holds CCIE (Voice) and VMware Certified Professional certifications.
  Remember to use the rating system to let Arun know if you have received an adequate response.
  Arun might not be able to answer each question because of the volume expected during this event. Remember that you can continue the conversation on the Collaboration, Voice, and Video community Other Subjects subcommunity shortly after the event. This event lasts through Monday May 17, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

  Hello Mobile Service,
  CWMS and Jabber integrations:
  http://www.cisco.com/en/US/docs/voice_ip_comm/jabber/Windows/9_1/JABW_BK_E4CC9599_00_environment-configuration-guide_chapter_01.html#JABW_TK_SF2ED5E1_00
  In above link start from section: Set Up Cisco WebEx Meetings Server on Cisco Unified Presence
  then move to section: Add Cisco WebEx Meetings Server to a Profile
  Once done, move to section: Specify Conferencing Credentials in the Client side. You will see above server already listed there, just go ahead and enter your username and password (pleae make sure this user already exists on your CWMS) and accept any certificate/s if presented. Jabber Integration is done and you can start testing the same.
  Attached CWMS - AFDS integration doc.
  Please let me know if any furhter question.
  Thanks, Arun

• HTTP tunneling and reverse proxy server

  We're currently using Windows Media Services (WMS) to stream
  video on our website. There is an option WMS to use the HTTP
  protocol and to specify the port you'd like to use. This has
  allowed us to stream video through our external firewall, through
  our reverse proxy server, and through our internal firewall to our
  media server. I've been trying for two days now to get Flash Media
  Server (FMS) to do the same thing. For some reason the HTTP
  tunneling (RTMPT) protocol doesn't appear to be acting like the
  HTTP protocol that WMS is using. Anyone have some tips on this
  configuration. I've scoured web resources and documentation as best
  I could. Any help would be greatly appreciated.
  Thanks.

  To give a better picture, here's a more complete description of set up and goals
  Static IP hits external interface of ASA. ASA has a static nat rule to forward it to my DMZ server.
  DMZ server is running IIS 8. Here are what some of the sites look like.
  jira.xxxxx.com -> 10.1.10.21 (ubuntu server) | port 80
  email.xxxxx.com - > 10.1.10.16 (domain joined server 2012) port 80, 443
  media.xxxxx.com -> 10.1.10.14 (domain joined server 2012) port 80, 443
  other stuff like this -> 10.1.10.x port 80 or others
  All of the A records for those domain names point to the static which routes to the ASA and then is NAT'd to the DMZ server. 
  What do I need to do in IIS to have those sites get directed to the proper internal locations?
  Thanks!!

• Reverse Proxy FTP server

  Now that TMG is end of life, I am setting up a new Web Application Proxy server to handle all of our reverse proxy duties. This has been fine except that it doesn't seem to be able to publish FTP. So I ask the Microsoft community, how am I supposed to
  reverse proxy an FTP server that's using FTPs? IIS ARR is not the solution. Thanks.

  Hi,
  Sorry to say that I only found that TMG/ISA or the IIS with ARR can be used as a reverse proxy for applications. Maybe some third-party reverse proxy server can
  achieve that.
  Best regards,
  Susie

• DNS Resolution - Reverse Proxy Server

  Hi,
  I am deploying Reverse Proxy Server using ARR for publishing Lync 2013. I have added following servers in server farms:-
  1. dialin.domain.com
  2. meet.domain.com
  3. lyncdiscover.domain.com
  4. lyncweb.domain.com
  5. wacsrv.domain.com (office web apps server)
  I am confused over the following:-
  1. My internal domain is .local, i.e. my front end server is fes.domain.local. In this case, how my reverse proxy server will resolve my internal server names? do I need to add static mapping using host file?
  2. Will dialin, meet, lyncdiscover, lyncweb point to Front End Server?

  Yes, you will use a host file or DNS zone on the internal DNS server (split DNS) to resolve the IP of the Front End from your IIS ARR box.
  You will point dialin, meet, lyncdiscover to the front end server.
  On the Front End server in topology builder override the External FQDN on the Lync Web Services to use the external name. (most likely lyncweb.domain.com or whatever you choose)
  If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
  Georg Thomas | Lync MVP
  Blog www.lynced.com.au | Twitter
  @georgathomas
  Lync Edge Port Check (Beta)

• WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

  I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
  The appserver7 has both listener for port 80 and 443 enabled.
  I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
  When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
  <Object name="passthrough">
  ObjectType fn="force-type" type="magnus-internal/passthrough"
  Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.2
  8.48.53"
  However, it still doesn't work.
  Do I need to install a self cert in the webserver and enable the ssl listener as well?
  Do I need to install any reverse proxy addon for the appserver? Any
  setup for the obj.conf in the appserver?
  Any ideas how to get this done?
  Thanks.
  Mac.

  The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
  If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
  If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that hapens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
  The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.