Issue in configuring TMG as Forward/Reverse Proxy
I am trying to set up a reverse and forward proxy using TMG 2010. I have the following networks:
Internal Networks:
10.2.1.0/24
10.3.1.0/24
DMZ (Perimeter) Network:
10.7.1.0/24 NAT relationship with external network e.g. Public IPs
I've set up one TMG node and selected "Back Firewall" as the topology.
NIC 1 Config: (Internal)
IP: 10.2.1.20
Subnet: 255.255.255.0
DW: Not defined
DNS: 10.2.1.5
NIC 2 Config: (Perimeter)
IP: 10.7.1.20
Subnet: 255.255.255.0
DW: 10.7.1.5
DNS: Not Defined
During setup, when the wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting the adapter.
Setup completed successfully.
I created an Allow rule from internal to local host.
From Client-end:
From client machines I cannot access the TMG internal interface IP (because the gateway is not defined on the TMG internal interface, I guess),
while I can access the DMZ interface IP, i.e. 10.7.1.20, and can telnet to port 8080.
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the client-side browser, it throws an error "10061 no connection could be made because the target machine actively refused it"
Failed Connection Attempt
Log Type: Web Proxy (Forward)
Status:10061 No connection could be made because the target machine actively refused it.
Rule: Allow
Source: Internal (10.2.1.39)
Destination:LocalHost (10.7.1.20:8080)
Request:Get http://www.google.com
Protocol:http
On TMG server:
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the browser, it still throws an error "10061 no connection could be made because the target machine actively refused it"
But when I define the internal interface IP as the proxy in the browser, i.e. 10.2.1.20:8080, it works.
Allowed Connection
Log Type: Web Proxy (Forward)
Status:303 Not Modified
Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
Source: LocalHost (10.7.1.20:10082)
Destination: External (94.245.34.74:80)
Request:Get http://someurl
Protocol:http
What am I missing? Please advise, and what could be the workaround to get this to work from the internal network?
Regards,
Hello Quan,
Thanks for your reply..
No it didn't work. I'm still using that as reverse proxy and unable to configure that as forward. :-)
Regards,
Farrukh
Similar Messages
-
Forward/reverse proxy chain losing headers
I have the following setup:
user(browser) -> proxy1 -> proxy2 -> webserver
This has both forward and reverse mappings. In proxy 1, I have an NSAPI plugin that appends a name/value (uid:userid) pair into the HTTP headers, at the end of my current header string. I use
const char *HEADERS = "full-headers"; // header name
pblock_findval((char *)HEADERS, request->reqpb);
pblock_remove((char *)HEADERS, request->reqpb);
pblock_nvinsert((char *)HEADERS, (char *)"current list of NV pairs, uid: user123", request->reqpb);
In the proxy versions previous to 3.63, the second proxy and the webserver receive my entire header string (full-headers) without any issue and just as I sent it.
With version 3.63, my UID is missing from the "Protocol Request PB (rq->reqpb)" section along with some other info in my header string. I use sdump to view the headers, plus my backend app is not receiving the uid.
Has anyone else had the issue of their headers getting mangled and/or missing in Proxy 3.63? Or does anyone have any ideas about the issue?
Yep, good catch
There is a bug in the proxy: Proxy 3.6 SP3 removes the "Proxy-authenticate:" HTTP header when forwarding requests to other proxies.
This is basically in adherence to RFC2616 clause
13.5.1 End-to-end and Hop-by-hop Headers:
For the purpose of defining the behavior of caches and non-caching
proxies, we divide HTTP headers into two categories:
- End-to-end headers, which are transmitted to the ultimate
recipient of a request or response. End-to-end headers in
responses MUST be stored as part of a cache entry and MUST be
transmitted in any response formed from a cache entry.
- Hop-by-hop headers, which are meaningful only for a single
transport-level connection, and are not stored by caches or
forwarded by proxies.
The following HTTP/1.1 headers are hop-by-hop headers:
- Connection
- Keep-Alive
- Proxy-Authenticate
- Proxy-Authorization
- TE
- Trailers
- Transfer-Encoding
- Upgrade
All other headers defined by HTTP/1.1 are end-to-end headers.
This somehow messed up the proxy chain configurations.
This has been fixed in SP4, which will be released in a week or two.
Thx
Maneesh -
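The hop-by-hop rule quoted in the answer above, as an added example (not code from the thread or from the Sun proxy): a forwarding step that drops the RFC 2616 section 13.5.1 headers, plus any header nominated in Connection, while an end-to-end custom header such as the uid pair passes through. The function name and the sample headers are constructed for illustration.

```python
# Hop-by-hop headers from RFC 2616 section 13.5.1, as listed in the thread.
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
})


def forwardable_headers(headers):
    """Split (name, value) pairs into (kept, dropped) for the next hop.

    Header names are compared case-insensitively. A header named as a
    token in Connection is treated as hop-by-hop for this connection
    as well (RFC 2616 section 14.10).
    """
    nominated = set()
    for name, value in headers:
        if name.lower() == "connection":
            for token in value.split(","):
                token = token.strip().lower()
                if token:
                    nominated.add(token)

    kept, dropped = [], []
    for name, value in headers:
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in nominated:
            dropped.append((name, value))
        else:
            kept.append((name, value))
    return kept, dropped


# Constructed request as proxy1 might see it before forwarding to proxy2.
SAMPLE_REQUEST_HEADERS = [
    ("Host", "webserver.example"),
    ("Connection", "keep-alive, X-Session-Hint"),
    ("Keep-Alive", "timeout=5"),
    ("Proxy-Authorization", "Basic ZXhhbXBsZTpleGFtcGxl"),
    ("X-Session-Hint", "abc"),
    ("uid", "user123"),          # custom end-to-end header, must survive
    ("Accept", "*/*"),
]

# Constructed response headers from an upstream proxy.
SAMPLE_RESPONSE_HEADERS = [
    ("Proxy-Authenticate", 'Basic realm="proxy1"'),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    kept, dropped = forwardable_headers(SAMPLE_REQUEST_HEADERS)
    print("forwarded:", [n for n, _ in kept])
    print("dropped:  ", [n for n, _ in dropped])
```

A proxy that follows this rule has no reason to drop `uid`, which is why the poster's missing header points at a defect rather than at the RFC behaviour.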
SAP Webdispatcher - Reverse Proxy Configuration
Hi All,
Need your help in configuring SAP Webdispatcher as a reverse proxy. Currently we are using Apache as the reverse proxy, but we are facing a 400 Bad Request error and are not able to solve the issue.
So we are planning to install Webdispatcher, configure it as a reverse proxy and test.
Below is the Apache reverse proxy configuration. Need help in configuring the same parameters in SAP Webdispatcher.
ProxyPass /sap http://srmserver:8000/sap
ProxyPass /SRM-MDM http://mdmserver:50100/SRM-MDM
ProxyPass /mdmimages http://portalserver:8090/mdmimages
ProxyPass /irj http://portalserver:50100/irj
ProxyPass /saml2 http://portalserver:50100/saml2
ProxyPass / http://portalserver:50100/
ProxyPassReverse /sap http://srmserver:8000/sap
ProxyPassReverse /SRM-MDM http://mdmserver:50100/SRM-MDM
ProxyPassReverse /mdmimages http://portalserver:8090/mdmimages
ProxyPassReverse /irj http://portalserver:50100/irj
ProxyPassReverse /saml2 http://portalserver:50100/saml2
ProxyPassReverse / http://portalserver:50100/
Regards
Ponnusamy
Hi
Kindly refer to the SCN link
How to...Configure SAP Webdispatcher as a reverse proxy
http://basisondemand.com/Documents/Whitepaper_on_SAP_Web_Dispatcher.pdf
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a015cea3-9627-2e10-a792-8f39e3d0b59d?QuickLink=index&…
Regards
Sriram -
Reverse Proxy Configuration - (HPVM Guest) - 11iV3
Hello Unix Champs,
On 11iV3 - Vm Guest - we want to configure this server as reverse proxy
Please share step by step procedure/documents to do same.
Thanks in advance
Regards,
Prashant Behal
Hi,
In addition to Luca's comment in order to determine if the farm is actually working correctly in the first instance, did you disable or remove the old server farm?
Can you also confirm that there are no static routes in place on the IIS ARR box?
Kind regards
Ben
-
Reverse Proxy Configuration - HPVM (Guest)
Hello Unix Champs,
On 11iV3 - Vm Guest - we want to configure this server as reverse proxy
Please share step by step procedure/documents to do same.
Thanks in advance
Regards,
Prashant Behal
Assuming your webserver is apache, you have to make the apache proxy-aware. This can be done statically (while building apache from source with --with-proxy option) or dynamically with a LoadModule directive.
Once the above is done, you will need to write these directives in the apache httpd.conf:
ProxyRequests Off
ProxyPass /localurl remote-url
ProxyPassReverse....
In the OAM config, protect /localurl.
For other webservers, read the documentation of that webserver.
Hope this helps. -
Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection
Hi,
I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
I have configured a context root to be forwarded to weblogic:
Web Server: www.server.com
URI: /path
Reverse Proxy URL: wlserver:9000
When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
Would appreciate it very much if someone can help me troubleshoot this issue.
Thanks in advance!
I am not sure how you have configured your reverse proxy, since you didn't attach / refer to your current configuration file. This is how I would do it:
- create a new configuration (using the web server 7 admin GUI; within the configuration wizard, disable the Java option if you plan to use web server 7 only for reverse proxy)
- select this new configuration, go to reverse proxy and try to reverse proxy / to the origin server.
That is all it should need.
Your obj.conf or <hostname>-obj.conf, depending on your configuration, should look like the following snippet:
<Object name="default">
AuthTrans..
NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
</Object>
<Object name="reverse-proxy-/">
Route fn=....
Service ..
</Object>
This is all you should need.
However, if you wanted to add complexity to your configuration, you could do something like
<Object name="default">
Auth..
<If defined $security>
NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
</If>
</Object>
<Object name="reverse-proxy-/">
Route...
</Object> -
Hi folks,
I have a huge problem here. I have an Apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the Apache to do reverse proxying and so far I have had some initial success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the portal I am always sent back to the logon page immediately. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
I will put the relevant part of my httpd.conf in this message and hope someone can point me in the right direction or maybe even tell me what I'm doing wrong.
And by the way, the portal itself works perfectly when connected directly.
Kind regards,
Christian Guenther
# Reverse proxy configuration ############################################
NameVirtualHost 172.30.210.96
<VirtualHost 172.30.210.96>
ServerAdmin [email protected]
ServerName host.external.de
# SSL is turned off at the moment
SSLEngine Off
SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
# Set up as a proxy for internal SAP systems
ProxyRequests Off
ProxyPreserveHost Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# IRJ
<Location /irj/>
ProxyPass http://host.internal.lan:8001/irj/
ProxyPassReverse http://host.internal.lan:8001/irj/
# rewriting rules for proxy
RewriteEngine On
RewriteCond % \.jsp
RewriteRule ^(.+) % [P]
RewriteCond % \.servlet
RewriteRule ^(.+) % [P]
</Location>
# Portal
<Location />
ProxyPass http://host.internal.lan:8001/
ProxyPassReverse http://host.internal.lan:8001/
# rewriting rules for proxy
RewriteEngine On
RewriteCond % \.jsp
RewriteRule ^(.+) % [P]
RewriteCond % \.servlet
RewriteRule ^(.+) % [P]
</Location>
</VirtualHost>
This is a valid configuration for an Apache Reverse Proxy:
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot /usr/local/apache2
Listen 443
#LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule include_module modules/mod_include.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule access_module modules/mod_access.so
#LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule mime_module modules/mod_mime.so
#LoadModule env_module modules/mod_env.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule ssl_module modules/mod_ssl.so
ServerAdmin [email protected]
ServerName your.servername.com
UseCanonicalName Off
# make sure you include these with valid entries...
Include conf/log.conf
Include conf/mime.conf
Include conf/default.conf
Include conf/ssl.conf
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
# this is for the MS IE SSL bug
BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
Header add P3P CP="NOI"
# Proxy with caching
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
CacheRoot /usr/local/apache2/Cache
CacheEnable disk /
CacheDirLevels 5
CacheDirLength 3
<VirtualHost *:443>
ServerName your.servername.com
ServerAdmin [email protected]
# Set the level of log entries - debug produces A LOT of messages
LogLevel debug
ErrorLog logs\error.log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs\access.log common
# NEVER turn this On, it would create a forward proxy
ProxyRequests Off
ProxyPreserveHost On
# it is important that the proxy uses active protocol used in the
# internet section of the request
RequestHeader set ClientProtocol https
Header add P3P CP="NOI"
# we need to answer HTTPS requests, so we need an ssl engine
SSLEngine On
# and a cipher suite plus certificate
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
SSLProtocol all -SSLv2
# of course these entries have to be adopted
SSLCertificateFile conf/certs/server.crt
SSLCertificateKeyFile conf/certs/server.key
SSLOptions +StdEnvVars
# this is for the bloody MS IE - I don't know why, but they seem to
# have trouble learning in redmond
BrowserMatch ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request.log \
"%t %h %x %x \"%r\" %b"
# below are the proxied hosts - you always need ProxyPass
# AND ProxyPassReverse otherwise it will not work correctly
# ITS
#ProxyPass /iac/ http://itsserver:8081/iac/
#ProxyPassReverse /iac/ http://itsserver:8081/iac/
# direct portal connection this ought to be the IP
ProxyPass /irj/ http://10.8.1.14:50000/irj/
ProxyPassReverse /irj/ http://10.8.1.14:50000/irj/
ProxyPass /logon/ http://10.8.1.14:50000/logon/
ProxyPassReverse /logon/ http://10.8.1.14:50000/logon/
# Rewrite Rule in case ICM puts session information in URL
# NEVER REALLY HARMS
RewriteEngine On
RewriteRule ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
#ProxyPass /chooselogin/ http://10.8.9.0:50000/chooselogin/
#ProxyPassReverse /chooselogin/ http://10.8.9.0:50000/chooselogin/
</VirtualHost> -
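A small audit over the kind of httpd.conf posted in this thread, as an added example (not part of either post and not an Apache tool): it flags `ProxyRequests On`, a `ProxyPass` with no matching `ProxyPassReverse` (including the one-argument form inside `<Location>`), and an `SSLCipherSuite` that names weak cipher classes without excluding them. The function names, the weak-class list and the second sample are assumptions made for illustration.

```python
import re

# Cipher classes treated as weak here (an assumption for this example).
WEAK_CIPHER_CLASSES = {"eNULL", "NULL", "aNULL", "ADH", "EXP", "EXPORT",
                       "EXPORT40", "EXPORT56", "LOW", "SSLv2"}


def weak_cipher_classes(spec):
    """Return the tokens of an OpenSSL cipher string that add weak classes.

    "!X" and "-X" remove ciphers and "+X" only reorders ciphers already
    selected, so those tokens are skipped. A bare token adds its class.
    """
    weak = []
    for token in spec.split(":"):
        if not token or token[0] in "!-+":
            continue
        # "A+B" selects ciphers that belong to both classes.
        if any(part in WEAK_CIPHER_CLASSES for part in token.split("+")):
            weak.append(token)
    return weak


def audit_reverse_proxy(conf_text):
    """Return sorted (line_no, message) findings for an httpd.conf text."""
    findings = []
    location = None      # path of the enclosing <Location>, if any
    passes = {}          # proxied path -> line number of its ProxyPass
    reverses = set()     # paths that have a ProxyPassReverse
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+([^>]+)>", line, re.I)
        if opened:
            location = opened.group(1).strip()
            continue
        if re.match(r"</Location>", line, re.I):
            location = None
            continue
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append((line_no, "ProxyRequests On: server also acts as a forward proxy"))
        elif name in ("proxypass", "proxypassreverse") and args:
            # Inside <Location> the path is taken from the section itself.
            path = location if (location and len(args) == 1) else args[0]
            if name == "proxypass":
                passes.setdefault(path, line_no)
            else:
                reverses.add(path)
        elif name == "sslciphersuite" and args:
            weak = weak_cipher_classes(args[-1])
            if weak:
                findings.append((line_no, "SSLCipherSuite names weak classes: " + ", ".join(weak)))
    for path, line_no in passes.items():
        if path not in reverses:
            findings.append((line_no, "ProxyPass %s has no ProxyPassReverse" % path))
    return sorted(findings)


# Directive lines copied from the configuration posted above.
PAGE_SAMPLE = """\
ProxyRequests Off
ProxyPreserveHost On
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
SSLProtocol all -SSLv2
#ProxyPass /iac/ http://itsserver:8081/iac/
ProxyPass /irj/ http://10.8.1.14:50000/irj/
ProxyPassReverse /irj/ http://10.8.1.14:50000/irj/
ProxyPass /logon/ http://10.8.1.14:50000/logon/
ProxyPassReverse /logon/ http://10.8.1.14:50000/logon/
"""

# Constructed sample with a forward proxy left on and an unpaired ProxyPass.
CONSTRUCTED_SAMPLE = """\
ProxyRequests On
<Location /irj/>
ProxyPass http://backend.example:8001/irj/
</Location>
ProxyPass /logon/ http://backend.example:8001/logon/
ProxyPassReverse /logon/ http://backend.example:8001/logon/
"""

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        for line_no, message in audit_reverse_proxy(sample):
            print("line %d: %s" % (line_no, message))
        print("--")
```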
ISP redundancy and reverse proxy
Greetings, community!
We have two EDGE TMG servers and two INTERNAL TMG servers.
We have two providers with two dedicated external IP addresses each.
I configured ISP Redundancy for each EDGE TMG server with these parameters:
Each EDGE TMG server has two External NICs and one Internal NIC.
EDGE 1: Provider1_IP1 and Provider2_IP1
EDGE 2: Provider1_IP2 and Provider2_IP2
ISP Connections:
Provider1 and Provider2
So, the trouble:
We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
Also we made 4 external DNS records for each Web-Service.
For example:
mail.domain.com Provider1_IP1
mail.domain.com Provider1_IP2
mail.domain.com Provider2_IP1
mail.domain.com Provider2_IP2
If we try to connect from external to any published Web-Services, we have a big delay (~ 30 sec), and then it connects.
After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. IP addresses from EDGE 1 are unavailable from external access. But it still works as a Web-Proxy for Internal connections. Reverse-Proxy works only for EDGE 2 IP addresses.
If we shut down the EDGE 2 TMG server, then Reverse-Proxy for the EDGE 1 IP addresses works correctly.
Why do all 4 of my external IP addresses not work for reverse-proxy? Only 2 from one of my EDGE servers.
So, I am still trying to solve my problem...
When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
LOGS on DMZ server (EDGE1):
Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40
Log type: Firewall service
Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Publish TMGBE HTTP
Source: External (77.73.111.194:3427)
Destination: Internal (172.16.0.100:80)
Protocol: HTTP Server
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 21000ms Original Client IP: 77.73.111.194
LOGS on INTERNAL server:
Initiated Connection BLK-TMG-02 21.07.2014 11:27:20
Log type: Firewall service
Status: The operation completed successfully.
Source: External (77.73.111.194:3427)
Destination: Local Host (172.16.0.100:80)
Protocol: HTTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
Closed Connection BLK-TMG-02 21.07.2014 11:27:40
Log type: Firewall service
Status: A connection was abortively closed after one of the peers sent an RST packet.
Source: External (77.73.111.194:3427)
Destination: Local Host (172.16.0.100:80)
Protocol: HTTP
Additional information
Number of bytes sent: 304 Number of bytes received: 192
Processing time: 20281ms Original Client IP: 77.73.111.194
When I try to connect my EDGE2 server external IP addresses, then:
LOGS on DMZ server (EDGE2):
Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17
Log type: Firewall service
Status: The operation completed successfully.
Rule: Publish TMGBE HTTP
Source: External (77.73.111.194:3429)
Destination: Internal (172.16.0.100:80)
Protocol: HTTP Server
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
Closed Connection DMZ-TMG-02 21.07.2014 11:57:17
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: Publish TMGBE HTTP
Source: External (77.73.111.194:3429)
Destination: Internal (172.16.0.100:80)
Protocol: HTTP Server
Additional information
Number of bytes sent: 534 Number of bytes received: 146
Processing time: 203ms Original Client IP: 77.73.111.194
Then traffic was redirected to HTTPS:
Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17
Log type: Firewall service
Status: The operation completed successfully.
Rule: Publish TMGBE HTTPS
Source: External (77.73.111.194:3430)
Destination: Internal (172.16.0.100:443)
Protocol: HTTPS Server
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
LOGS on INTERNAL server:
Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17
Log type: Web Proxy (Reverse)
Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.
Rule: Publish OWA
Source: External (77.73.111.194:3429)
Destination: Local Host (172.16.0.100:80)
Request: GET http://mail.domain.com/
Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: http
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 1 MIME type:
It's OK, because IIS requires SSL. Then:
Initiated Connection BLK-TMG-02 21.07.2014 11:57:18
Log type: Firewall service
Status: The operation completed successfully.
Source: External (77.73.111.194:3429)
Destination: Local Host (172.16.0.100:80)
Protocol: HTTP
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 77.73.111.194
Closed Connection BLK-TMG-02 21.07.2014 11:57:18
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Source: External (77.73.111.194:3429)
Destination: Local Host (172.16.0.100:80)
Protocol: HTTP
Additional information
Number of bytes sent: 786 Number of bytes received: 318
Processing time: 15ms Original Client IP: 77.73.111.194
And HTTPS:
Allowed Connection BLK-TMG-02 21.07.2014 11:57:17
Log type: Web Proxy (Reverse)
Status: 302 Moved Temporarily
Rule: Publish OWA
Source: External (77.73.111.194:3430)
Destination: Local Host (10.1.200.129:443)
Request: GET http://mail.domain.com/
Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0%
Protocol: https
User: anonymous
Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x40000000 (Response should not be cached.)
Processing time: 1 MIME type: text/html; charset=UTF-8
I can't understand the difference between these servers. If I shut down EDGE2, the publishing works fine through EDGE1. -
Web Dispatcher as the Full reverse proxy
Hi all,
Has anyone configured SAP Web Dispatcher (WD) as the full reverse proxy for the portal? We need to open our portal to the internet and we are thinking of putting WD inside the DMZ and having it forward the requests to the portal server, which is explained well in a blog on SDN. According to that blog, WD works ONLY as a redirecting server (or maybe a load balancer). When it redirects a request to an internal server, the IP (or domain name) of the server is shown in the address bar. Ex: http://extrenal.com is being redirected to http://internal:50000/irj/index.html, thus exposing the internal name or IP.
I thought that a reverse proxy, when it works, hides the internal IPs and forwards the requests. So my question here is how to configure WD so it won't show the internal portal IP (or domain name).
Any ideas?
I know it could be done using IIS, Apache or Squid.
Best,
N.
Hi again,
Yes, most probably, you will have to configure specially the corporate reverse proxy.
That is what is explained in the WIKI and the help.sap.com documentation. Did you read it? If not, do it, it's a must!
This is not very simple because SAP web applications generate a lot of dynamic URLs and must "know" that reverse proxies are used.
Understand that it is a project and not just a 5-minute configuration...
For example when using Apache as a reverse proxy, you need at least to set :
ProxyPreserveHost on and ProxyPassReverse
You need to decide if you want to rewrite URLS.
You need to manage URL mangling if you use BSP applications in the SAP backend.
In short, you need to know what is the corporate reverse proxy and you need to do a specific SAP configuration both on the corporate reverse proxy and the SAP web dispatcher.
This configuration depends on your specific needs.
Regards,
Olivier -
Apache Reverse Proxy: Domain problem
Hi,
I have a problem with Apache Reverse Proxy (Apache 2.2) and SAP Enterprise Portal 6.0.
I configured Apache as a Reverse Proxy Server (with SSL)so that the portal is accessible through the internet. Everything is working fine but the OWA integration doesn't work over the Reverse Proxy.
If I log on to http://portalsrv.mydomain.xx:12345/irj the OWA integration works fine with SSO and there is no problem with session management.
If I log on to https://revproxy.mydomain.zz:1234/irj and want to open Outlook I get the message that Session management doesn't work. However the other components like ESS work fine. Deactivating the DSM Logger is not a solution to this problem.
The Log tells me:
1.
Application domain 'mydomain.xx' differs from Portal domain 'mydomain.zz'.
Session Management will not work for Application 'abc.mydomain.xx'
2.
Application schema 'http' differs from Portal schema 'https'.
Session Management will not work for Application 'abc.mydomain.xx'
Is there a possibility to write a Rewrite-Rule in the Apache-Conf?
For instance:
https://abc.mydomain.xx --> http://abc.mydomain.zz
Has anybody made such a rule?
I hope somebody can help me with the problem.
Thank you
Hi Daniel,
OK, I'll try to find a solution in parallel and keep you up to date.
In the following my settings in case I missed something:
<VirtualHost test.firma.de:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /apache/keys/pac_ssl_qep_dmz_server.crt
SSLCertificateKeyFile /apache/keys/pac_ssl_qep_dmz_server.key
ServerName test.firma.de:443
ServerAdmin [email protected]
LogLevel debug
ErrorLog logs/ssl_443_error
CustomLog logs/ssl_443_access_log common
ProxyVia Off
ProxyPreserveHost On
ReWriteEngine on
ReWriteLogLevel 0
ReWriteLog logs//ssl_443_rewrite_http.log
ProxyPass / https://backend.firma.de:50001/
ProxyPassReverse / https://backend.firma.de:50001/
</VirtualHost>
Regards, Jens -
Reverse Proxy in SOAMANAGER not working
SAP Environment: SAP Netweaver 7.01 SP3
Service Testing Tool: SOAPUI
Requirements: Redirect the end-point (serverA) in the WSDL of a web service created from an ABAP proxy to the load balancer
What I have done:
1. Defined a Reverse Proxy in SOAMANAGER to redirect from serverA:8010 to loadBalancer:80.
2. Tested the service and it worked fine.
3. To make sure the Reverse Proxy was working, I changed loadBalancer:80 to a server name that does not exist.
4. Tested the service again and it still worked.
Questions:
1. Found SAP help on Reverse Proxy but it does not explain all the fields. In the Reverse Proxy configuration, there is a Status field, any idea what value should be put there? I have left it blank.
2. Is there any other configuration needed for the Reverse Proxy to work?
3. Is there a way to check if the Reverse Proxy is working?
Any help will be appreciated.
Got the reverse proxy to work. Below are the field values in the reverse proxy setting that have worked:
Reverse proxy name: <any name>
Incoming http header host name: server1.domain..company.com (get it from the end-point in WSDL)
Incoming ICM port: port (get it from the end-point in WSDL)
Substitute host name: server2.domain..company.com (has to be FQDN)
Substitute http port: 80 (in my case)
Substitute https port: (blank)
Additional path prefix: (blank)
Meta data protocol substitution: http
Endpoint protocol substitution: http
Status: active -
OCS on a single computer / DMZ using Apache reverse proxy
Hi there,
We've installed the OCS 10.1.2 on a single Solaris box in our internal LAN. Everything works fine internally. We would like to configure an Apache reverse proxy in our DMZ to get the possibility to use it from outside (as shown in "Oracle Collaboration Suite Deployment Guide", chapter 3, Figure 3-2 Single Computer in a DMZ). Unfortunately I didn't find any configuration hints for the reverse proxy.
Can someone provide me with an example configuration?
Thanks,
Christoph
Hello Andreas and Christoph!
I have the same problem as Christoph. We made a single-box installation of OCS 10.1.2 in the intranet. Now I am looking for installation documentation on how I have to configure an Apache or Oracle Standalone Webcache as a reverse proxy in the DMZ to allow access to the OCS from the internet. I only read that it is possible, but nothing about the way.
I have installed a Webcache (OAS 10.1.2 Java Edition, not the standalone version from the Companion CD) and configured it by my own knowledge. The result was network errors.
Is there anywhere information?
Best regards!
Axel -
Doubts regarding reverse proxy in DMZ
Hi,
We are going to implement DMZ in a test environment following the metalink note:287176.1.
We have two sun servers so we have chosen Section 2.2(Fig 4) of 287176.1 as our deployment architecture.
The steps we are going to follow are:
1.Install Oracle Applications 11.5.10.2 in internal server.
2.Clone the application to external server.
3.Open the following ports:
80,443 in the external firewall and 1521 in the data firewall.
4.Follow steps from section 5.1,5.2,5.3,5.4 of 287176.1.
5.Configure the URL firewal specific to the product that we want to expose for external use.
Can someone please validate the above steps.
Also please clarify the following doubts:
1. Do we need a separate external URL and domain to access the application from internet??
If yes then this domain and URL mapping is done in which configuration file??
2. Do we need to set up a reverse proxy server also for this architecture? If yes then is it necessary to deploy another reverse proxy server in front of the external web server?
Can't we configure the external web tier itself as reverse proxy??
If yes then, how do we do it using 9iAS shipped with EBS... as we don't want to use standalone Apache for this and the document 287176.1 describes the steps to use a standalone Apache in section (Appendix D)..
Please help...
We have been given a time frame and limited resources to implement this POC.So a response is highly appreciated..
Thanks
ex:External URL:
> We have two sun servers so we have chosen Section 2.2(Fig 4) of 287176.1 as our deployment architecture.
If you chose the above configuration there is no reverse proxy setup.
> 1.Do we need a separate external URL and domain to access the application from internet?? If yes then this domain and URL mapping is done in which configuration file??
The changes are done on the external web tier in the application context file. (s_webentryhost - set to DMZ host name
s_webentrydomain - domain name of DMZ host
s_active_webport - port where the host will listen to requests
s_webentryurlprotocol - http or https according to your configuration
s_login_page - http(s)://webentrypoint:webentrydomain:activewebport )
> 2.Do we need to set up a reverse proxy server also for this architecture?
Again section 2.2 does not require a reverse proxy only external webhost
Please remember that the external host in DMZ runs only webtier. All the other services should be disabled.
> If yes then,how do we do it using 9iAS shipped with EBS
Clone the AppsTier to external host. Edit the context file and disable all the processes except
<oa_process_status oa_var="s_apcstatus">enabled</oa_process_status>
Then you have a webtier running without standalone Apache.
I have recently finished configuring this setup.
-
MS ISA Reverse Proxy and access to webgui apps
Hi All,
We have an EP7 system that is connected to backend ECC and BI systems. External users now need to access EP via an MS ISA server that acts as a reverse proxy. This works fine when accessing EP itself, but not when accessing webgui iviews that point to the backend ECC system, as the generated absolute URL contains the backend hostname, which is not resolvable from the external browser. We have edited the ECC system properties in EP to point to the external URL instead of the ECC hostname, and in the browser I can see that it points to https://publicurl.company.com:8000/sap/bc/*. However, we get 'IE cannot display the page..' errors in the browser. What are we missing here?
Regards,
Mark
Hi Mark,
First of all you need to configure ISA as a reverse proxy to your ECC system as well as to your portal, perhaps using a different address for the same server, e.g publicurl.company.com for the portal and ecc.publicurl.company.com for the ECC system.
Next, you need to make sure that internal access to ecc.publicurl.company.com will also go to ECC, possibly by setting up a local DNS entry.
Finally, you should edit the system entry for ECC in the Portal and set the ISA, WebAS and ITS hostnames to be ecc.publicurl.company.com.
As you can see, this is primarily an infrastructure problem rather than a portal problem...
Hope this helps,
Darren -
Forward parameters in reverse proxy configuration
Hi,
Looking at the detailed configuration in a reverse proxy rule in SJSWS, I have derived the following conclusions:
1) Where the SJSWS listener has SSL-enabled, reverse proxy works on a HTTPS in, HTTP out basis.
2) Details in the incoming request's SSL header, such as User DN, will be stripped out and remapped into the outgoing request as a custom header, e.g. "Proxy-user-dn".
Can anybody tell me if I have gotten anything wrong above?
We are currently switching over from an Apache/mod_proxy/mod_ssl --> Apache/mod_jk --> Apache Tomcat server setup to a hybrid model where SJSWS is the web server reverse proxying to Tomcat (old apps) and SJSAS (new apps).
My question:
All our apps use the User DN string as the user ID. Previously, we developed a custom module in Apache to read the DN at the Apache level and then rewrite it into the Basic Auth user name header in the outgoing request. The Tomcat webapp will then authenticate the user based on the Basic Auth user name property. Is it possible for me to remap it into something similar here in the SJSWS reverse proxy configuration?
Thanks!
Wong
I am not a reverse proxy expert, but this Object-type SAF should forward userdn
http://docs.sun.com/app/docs/doc/820-1062/6ncoqnq3b?l=en&a=view&q=forward-user-dn
You can look for more such SAFs in this document.
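The header mapping discussed in this thread, as an added example (not SJSWS, Apache or Tomcat code): the proxy replaces any client-supplied `Proxy-user-dn` or `Authorization` header with values derived from the client certificate it verified, and the backend honours the DN only when the connection comes from a known proxy address. The function names, the empty Basic Auth password, the addresses and the sample headers are assumptions made for illustration.

```python
import base64
import ipaddress

DN_HEADER = "Proxy-user-dn"     # header name quoted in the thread
IDENTITY_HEADERS = {DN_HEADER.lower(), "authorization"}


def upstream_headers(client_headers, verified_dn):
    """Proxy side: build the header list sent on to the backend.

    client_headers: (name, value) pairs as received from the browser.
    verified_dn: subject DN of the TLS client certificate the proxy
                 validated, or None when no certificate was presented.
    """
    # Identity headers received from the client never reach the backend.
    out = [(n, v) for n, v in client_headers
           if n.lower() not in IDENTITY_HEADERS]
    if verified_dn is None:
        return out
    # A Basic Auth user name cannot contain ":"; control characters
    # (CR/LF included) must never be written into a header value.
    if ":" in verified_dn or any(ord(c) < 32 for c in verified_dn):
        raise ValueError("DN not usable as a header or Basic Auth user name")
    out.append((DN_HEADER, verified_dn))
    # Assumption: DN as user name with an empty password.
    token = base64.b64encode((verified_dn + ":").encode("utf-8")).decode("ascii")
    out.append(("Authorization", "Basic " + token))
    return out


def backend_user(headers, peer_ip, trusted_proxies):
    """Backend side: return the forwarded DN, or None if it is not trustworthy.

    The header is accepted only when the TCP peer is inside one of the
    trusted proxy networks and the header occurs exactly once.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return None
    values = [v for n, v in headers if n.lower() == DN_HEADER.lower()]
    return values[0] if len(values) == 1 else None


# Constructed browser request that already carries identity headers.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "apps.example"),
    ("Proxy-user-dn", "CN=someone-else,O=Example"),
    ("Authorization", "Basic Zm9vOmJhcg=="),
    ("Accept", "*/*"),
]
SAMPLE_TRUSTED_PROXIES = ["10.0.0.0/24"]   # constructed proxy subnet

if __name__ == "__main__":
    sent = upstream_headers(SAMPLE_CLIENT_HEADERS, "CN=Wong,O=Example")
    print(sent)
    print(backend_user(sent, "10.0.0.5", SAMPLE_TRUSTED_PROXIES))
    print(backend_user(sent, "192.0.2.9", SAMPLE_TRUSTED_PROXIES))
```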