Issue in configuring TMG as Forward/Reverse Proxy

I am trying to set up a reverse and forward proxy using TMG 2010. I have the following networks:
Internal Networks:
10.2.1.0/24
10.3.1.0/24
DMZ (Perimeter) Network:
10.7.1.0/24   NAT relationship with external network e.g. Public IPs
I've setup one TMG node and selected "Back Firewall" as topology.
NIC 1 Config: (Internal)
IP:    10.2.1.20
Subnet: 255.255.255.0
DW:     Not defined
DNS:    10.2.1.5
NIC 2 Config: (Perimeter)
IP:    10.7.1.20
Subnet: 255.255.255.0
DW:     10.7.1.5
DNS:    Not Defined
During setup, when the wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting the adapter.
Setup completed successfully.
I created an Allow rule from internal to local host.
From Client-end:
From client machines I cannot access the TMG internal interface IP (because the gateway is not defined on the TMG internal interface, I guess),
while I can access the DMZ interface IP, i.e. 10.7.1.20, and can telnet to port 8080.
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the client-side browser, it throws the error "10061 no connection could be made because the target machine actively refused it".
Failed Connection Attempt
Log Type: Web Proxy (Forward)
Status:10061 No connection could be made because the target machine actively refused it.
Rule: Allow
Source: Internal (10.2.1.39)
Destination:LocalHost (10.7.1.20:8080)
Request:Get http://www.google.com
Protocol:http
On TMG server:
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the browser, it still throws the error "10061 no connection could be made because the target machine actively refused it".
But when I define the internal interface IP as the proxy in the browser, i.e. 10.2.1.20:8080, it works.
Allowed Connection
Log Type: Web Proxy (Forward)
Status:303 Not Modified
Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
Source: LocalHost (10.7.1.20:10082)
Destination: External (94.245.34.74:80)
Request:Get http://someurl
Protocol:http
What am I missing? Please advise, and what could be the workaround to get this to work from the internal network?
Regards,

Hello Quan,
Thanks for your reply..
No it didn't work. I'm still using that as reverse proxy and unable to configure that as forward. :-)
Regards,
Farrukh

Similar Messages

  • Forward/reverse proxy chain losing headers

    I have the following setup:
    user(browser) -> proxy1 -> proxy2 -> webserver
    This has both forward and reverse mappings. In proxy 1, I have an NSAPI plugin that appends a name/value (uid:userid) pair into the HTTP headers, at the end of my current header string. I use
    const char *HEADERS = "full-headers"; // HEADER NAME
    pblock_findval((char *)HEADERS, request->reqpb);   // read the current header string
    pblock_remove((char *)HEADERS, request->reqpb);    // drop the old entry
    pblock_nvinsert((char *)HEADERS, (char *)"current list of NV pairs, uid: user123", request->reqpb);   // re-insert it with the uid pair appended
    In the previous proxy versions to 3.63, the second proxy and the webserver receive my entire header string (full-headers) without any issue and just as I sent it.
    With version 3.63, my UID is missing from the "Protocol Request PB (rq->reqpb)" section along with some other info in my header string. I use sdump to view the headers, plus my backend app is not receiving the uid.
    Has anyone else had the issue of their headers getting mangled and/or missing in Proxy 3.63? Or does anyone have any ideas about the issue?

    Yep, good catch
    There is a bug in the proxy : Proxy 3.6 SP3 removes "Proxy-authenticate:" HTTP header when forwarding requests to other proxies.
    This is basically in adherence to RFC2616 clause
    13.5.1 End-to-end and Hop-by-hop Headers:
    For the purpose of defining the behavior of caches and non-caching
    proxies, we divide HTTP headers into two categories:
    - End-to-end headers, which are transmitted to the ultimate
    recipient of a request or response. End-to-end headers in
    responses MUST be stored as part of a cache entry and MUST be
    transmitted in any response formed from a cache entry.
    - Hop-by-hop headers, which are meaningful only for a single
    transport-level connection, and are not stored by caches or
    forwarded by proxies.
    The following HTTP/1.1 headers are hop-by-hop headers:
    - Connection
    - Keep-Alive
    - Proxy-Authenticate
    - Proxy-Authorization
    - TE
    - Trailers
    - Transfer-Encoding
    - Upgrade
    All other headers defined by HTTP/1.1 are end-to-end headers.
    This somehow messed up the proxy chain configurations
    This has been fixed in SP4 which will be released in a week or two
    Thx
    Maneesh
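
The RFC 2616 rule quoted in the reply above, as an added example that is not part of the original posts and is not the proxy's own code: one hop drops the eight hop-by-hop headers, while a custom header such as `uid` is end-to-end and must survive. It goes slightly beyond the quoted clause by also dropping headers named in `Connection` (RFC 2616 section 14.10) and by replacing any client-supplied copy of the identity header; the function names and the sample request are assumptions made for illustration.

```python
# Added example: header handling at one proxy hop (RFC 2616 13.5.1 and 14.10).
# forward_headers(), connection_tokens() and INBOUND are constructed for
# illustration; they are not part of NSAPI or of any proxy product.

# The eight hop-by-hop headers listed in RFC 2616 section 13.5.1.
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
})


def connection_tokens(headers):
    """Header names the sender marked as hop-by-hop via Connection (14.10)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def forward_headers(headers, identity_header=None, identity_value=None):
    """Return the (name, value) list this hop passes to the next hop.

    - hop-by-hop headers and anything named in Connection are dropped;
    - every other header is end-to-end and is kept in its original order;
    - if identity_header is given, any inbound copy is discarded and the
      proxy's own value is appended, so a client cannot pre-set it.
    """
    drop = HOP_BY_HOP | connection_tokens(headers)
    if identity_header is not None:
        drop = drop | {identity_header.lower()}
    kept = [(n, v) for n, v in headers if n.lower() not in drop]
    if identity_header is not None and identity_value is not None:
        kept.append((identity_header, identity_value))
    return kept


# Constructed request as it arrives at proxy1 from the browser.
INBOUND = [
    ("Host", "webserver.example"),
    ("Connection", "keep-alive, X-Trace"),
    ("Keep-Alive", "timeout=5"),
    ("Proxy-Authorization", "Basic PLACEHOLDER"),
    ("X-Trace", "proxy1-only"),
    ("uid", "value-sent-by-client"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    # What proxy1 hands to proxy2 after authenticating the user as user123.
    for name, value in forward_headers(INBOUND, "uid", "user123"):
        print(f"{name}: {value}")
```

A backend that trusts `uid` should only accept it from the proxy hop, since the header is an ordinary end-to-end header that any client can also send.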

  • SAP Webdispatcher - Reverse Proxy Configuration

    Hi All,
    Need your help in configuring SAP Webdispatcher as reverse proxy. Currently we are using Apache as reverse proxy, but we are facing a 400 Bad Request error and are not able to solve the issue.
    So we are planning to install Webdispatcher, configure it as reverse proxy and test.
    Below is the Apache Reverse proxy configuration. Need help in configuring the same parameters in SAP Webdispatcher
    ProxyPass /sap http://srmerver:8000/sap
    ProxyPass /SRM-MDM  http://mdmserver:50100/SRM-MDM
    ProxyPass /mdmimages http://portalserver:8090/mdmimages
    ProxyPass /irj http://portalserver:50100/irj
    ProxyPass /saml2 http://portalserver:50100/saml2
    ProxyPass / http://portalserver:50100/ 
    ProxyPassReverse /sap http://srmserver:8000/sap
    ProxyPassReverse /SRM-MDM  http://mdmserver:50100/SRM-MDM
    ProxyPassReverse /mdmimages http://portalserver:8090/mdmimages
    ProxyPassReverse /irj  http://portalserver:50100/irj
    ProxyPassReverse /saml2 http://portalserver:50100/saml2
    ProxyPassReverse /  http://portalserver:50100/
    Regards
    Ponnusamy

    Hi
    Kindly refer to the SCN link
    How to...Configure SAP Webdispatcher as a reverse proxy
    http://basisondemand.com/Documents/Whitepaper_on_SAP_Web_Dispatcher.pdf
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a015cea3-9627-2e10-a792-8f39e3d0b59d?QuickLink=index&…
    Regards
    Sriram

  • Reverse Proxy Configuration - (HPVM Guest) - 11iV3

    Hello Unix Champs,
    On 11iV3 - Vm Guest -  we want to configure this server as reverse proxy
    Please share step by step procedure/documents to do same.
    Thanks in advance
    Regards,
    Prashant Behal

    Hi,
    In addition to Luca's comment in order to determine if the farm is actually working correctly in the first instance, did you disable or remove the old server farm?
    Can you also confirm that there are no static routes in place on the IIS ARR box?
    Kind regards
    Ben

  • Reverse Proxy Configuration - HPVM (Guest)

    Hello Unix Champs,
    On 11iV3 - Vm Guest -  we want to configure this server as reverse proxy
    Please share step by step procedure/documents to do same.
    Thanks in advance
    Regards,
    Prashant Behal

    Assuming your webserver is apache, you have to make the apache proxy-aware. This can be done statically (while building apache from source with --with-proxy option) or dynamically with a LoadModule directive.
    Once the above is done, you will need to write these directives in the apache httpd.conf:
    ProxyEnable Off
    ProxyPass /localurl remote-url
    ProxyPassReverse....
    In the OAM config, protect /localurl.
    For other webservers, read the documentation of that webserver.
    Hope this helps.

  • Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection

    Hi,
    I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
    I have configured a context root to be forwarded to weblogic:
    Web Server: www.server.com
    URI: /path
    Reverse Proxy URL: wlserver:9000
    When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
    If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
    Would appreciate it very much if someone can help me troubleshoot this issue.
    Thanks in advance!
    Edited by: agent_orange on Jul 29, 2010 2:30 AM
    Edited by: agent_orange on Jul 29, 2010 2:31 AM

    I am not sure how you have configured your reverse proxy, since you didn't attach / refer to your current configuration file. This is how I would do it:
    - create a new configuration (using web server 7 admin gui , within configuration wizard, disable java option if you plan to use web server 7 only for reverse proxy)
    - select this new configuration and go to reverse proxy and try to reverse proxy / to the origin server.
    that is all it should need.
    your obj.conf or <hostname>-obj.conf depending on your configuration should look like following snippet
    <Object name="default">
    AuthTrans..
    NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
    </Object>
    <Object name="reverse-proxy-/">
    Route fn=....
    Service ..
    </Object>
    this is all you should need..
    However, if you wanted to add complexity to your configuration, you could do some thing like
    <Object name="default">
    Auth..
    <If defined $security>
    NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
    </If>
    </Object>
    <Object name="reverse-proxy-/">
    Route...
    </Object>

  • Reverse proxy with apache2

    Hi folks,
    I have a huge problem here. I have an Apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the Apache to do reverse proxying and so far I have had some first success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the portal I am always sent back to the logon page immediately. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
    I will put the relevant part of my httpd.conf in this message and hope someone can point me to the right location or maybe even tell me what I'm doing wrong.
    And by the way, the portal itself works perfectly when connected directly.
    Kind regards,
       Christian Guenther
    # Reverse proxy configuration ############################################
    NameVirtualHost 172.30.210.96
    <VirtualHost 172.30.210.96>
       ServerAdmin [email protected]
       ServerName host.external.de
    # SSL is turned off at the moment
       SSLEngine Off
       SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
       SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
    # Set up as a proxy for internal SAP systems
       ProxyRequests Off
       ProxyPreserveHost Off
       <Proxy *>
          Order deny,allow
          Allow from all
       </Proxy>
    # IRJ
      <Location /irj/>
        ProxyPass http://host.internal.lan:8001/irj/
        ProxyPassReverse http://host.internal.lan:8001/irj/
    # rewriting rules for proxy
        RewriteEngine On
        RewriteCond %  \.jsp
        RewriteRule ^(.+) % [P]
        RewriteCond % \.servlet
        RewriteRule ^(.+) % [P]
    # Portal
    # rewriting rules for proxy
      </Location>
      <Location />
        ProxyPass http://host.internal.lan:8001/
        ProxyPassReverse http://host.internal.lan:8001/
        RewriteEngine On
        RewriteCond %  \.jsp
        RewriteRule ^(.+) % [P]
        RewriteCond % \.servlet
        RewriteRule ^(.+) % [P]
      </Location>
    </VirtualHost>

    This is a valid configuration for an Apache Reverse Proxy:
    ThreadsPerChild 250
    MaxRequestsPerChild  0
    ServerRoot /usr/local/apache2
    Listen 443
    #LoadModule dir_module modules/mod_dir.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule include_module modules/mod_include.so
    #LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule access_module modules/mod_access.so
    #LoadModule auth_module modules/mod_auth.so
    LoadModule log_config_module modules/mod_log_config.so
    #LoadModule mime_module modules/mod_mime.so
    #LoadModule env_module modules/mod_env.so
    #LoadModule headers_module modules/mod_headers.so
    #LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule ssl_module modules/mod_ssl.so
    ServerAdmin [email protected]
    ServerName your.servername.com
    UseCanonicalName Off
    # make sure you include these with valid entries...
    Include conf/log.conf
    Include conf/mime.conf
    Include conf/default.conf
    Include conf/ssl.conf
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "MS FrontPage" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
    BrowserMatch "^gnome-vfs" redirect-carefully
    BrowserMatch "^XML Spy" redirect-carefully
    BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
    # this is for the MS IE SSL bug
    BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0 \
    force-response-1.0
    Header add P3P CP="NOI"
    # Proxy with caching
    LoadModule cache_module modules/mod_cache.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    CacheRoot /usr/local/apache2/Cache
    CacheEnable disk /
    CacheDirLevels 5
    CacheDirLength 3
    <VirtualHost *:443>
        ServerName your.servername.com
        ServerAdmin [email protected]
    # Set the level of log entries - debug produces A LOT of messages
        LogLevel debug
        ErrorLog logs\error.log
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog logs\access.log common
    # NEVER turn this On, it would create a forward proxy
        ProxyRequests Off
        ProxyPreserveHost On
    # it is important that the proxy uses active protocol used in the
    # internet section of the request
        RequestHeader set ClientProtocol https
        Header add P3P CP="NOI"
    # we need to answer HTTPS requests, so we need an ssl engine
        SSLEngine On
    # and a cipher suite plus certificate
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
        SSLProtocol all -SSLv2
    # of course these entries have to be adopted
        SSLCertificateFile conf/certs/server.crt
        SSLCertificateKeyFile conf/certs/server.key
        SSLOptions +StdEnvVars
    # this is for the bloody MS IE - I don't know why, but they seem to
    # have trouble learning in redmond
        BrowserMatch ".MSIE." \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request.log \
              "%t %h %x %x \"%r\" %b"
    # below are the proxied hosts - you always need ProxyPass
    # AND ProxyPassReverse otherwise it will not work correctly
    # ITS
        #ProxyPass /iac/               http://itsserver:8081/iac/
        #ProxyPassReverse /iac/          http://itsserver:8081/iac/
    # direct portal connection              this ought to be the IP
        ProxyPass /irj/               http://10.8.1.14:50000/irj/
        ProxyPassReverse /irj/          http://10.8.1.14:50000/irj/
        ProxyPass /logon/               http://10.8.1.14:50000/logon/
        ProxyPassReverse /logon/          http://10.8.1.14:50000/logon/
    # Rewrite Rule in case ICM puts session information in URL
    # NEVER REALLY HARMS
        RewriteEngine On
        RewriteRule  ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
        #ProxyPass /chooselogin/          http://10.8.9.0:50000/chooselogin/
        #ProxyPassReverse /chooselogin/     http://10.8.9.0:50000/chooselogin/
    </VirtualHost>
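
A review aid for configurations like the one posted above, as an added example that is not part of the original post and is not an Apache tool: it flags `ProxyRequests On`, a `ProxyPass` without its `ProxyPassReverse`, cipher classes such as `LOW`, `EXP`, `SSLv2` and `eNULL` that the `SSLCipherSuite` string lists without excluding, and an `SSLProtocol` line that leaves SSLv3 in place. The weak-class list, the function names and both sample configurations are assumptions constructed for illustration.

```python
import re

# Cipher classes a reverse proxy should not offer (assumed review baseline).
WEAK_CIPHER_CLASSES = {"enull", "anull", "null", "adh", "exp", "export",
                       "low", "sslv2", "rc4"}


def parse_directives(text):
    """Yield (lineno, directive, args, location) for each non-comment line."""
    location = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)>", line, re.I)
        if opened:
            location = opened.group(1)
        elif re.match(r"</Location>", line, re.I):
            location = None
        elif not line.startswith("<"):      # other containers are ignored
            parts = line.split()
            yield lineno, parts[0].lower(), parts[1:], location


def audit(text):
    """Return a list of (lineno, message) findings for a reverse-proxy config."""
    findings, passes, reverses = [], {}, set()
    for lineno, name, args, location in parse_directives(text):
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append((lineno, "ProxyRequests On: forward proxying is enabled"))
        elif name in ("proxypass", "proxypassreverse") and args:
            if args[-1] == "!":
                continue                     # "ProxyPass /path !" excludes a path
            # Inside <Location> the directive carries only the backend URL.
            path = location if "://" in args[0] else args[0]
            if name == "proxypass":
                passes.setdefault(path, lineno)
            else:
                reverses.add(path)
        elif name == "sslciphersuite" and args:
            for token in args[-1].split(":"):
                if not token or token[0] in "!-":
                    continue                 # "!" and "-" remove a class
                classes = {p.lower() for p in token.lstrip("+").split("+")}
                if classes & WEAK_CIPHER_CLASSES:
                    findings.append(
                        (lineno, f"SSLCipherSuite lists weak class {token.lstrip('+')} without '!'"))
        elif name == "sslprotocol":
            removed = {a[1:].lower() for a in args if a.startswith("-")}
            added = {a.lstrip("+").lower() for a in args if not a.startswith("-")}
            # Conservative: treat "all" as including the legacy protocols.
            for proto in ("sslv2", "sslv3"):
                if proto in added or ("all" in added and proto not in removed):
                    findings.append((lineno, f"SSLProtocol does not exclude {proto}"))
    for path, lineno in passes.items():
        if path not in reverses:
            findings.append((lineno, f"ProxyPass {path} has no matching ProxyPassReverse"))
    return findings


# Constructed sample; the cipher and protocol lines are the ones posted above.
POSTED_STYLE = """\
# constructed sample
<VirtualHost *:443>
    ProxyRequests On
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
    SSLProtocol all -SSLv2
    ProxyPass /irj/ http://10.8.1.14:50000/irj/
    ProxyPassReverse /irj/ http://10.8.1.14:50000/irj/
    ProxyPass /logon/ http://10.8.1.14:50000/logon/
</VirtualHost>
"""

# Constructed counterpart with the flagged settings corrected.
HARDENED = """\
<VirtualHost *:443>
    ProxyRequests Off
    SSLEngine On
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4
    SSLProtocol all -SSLv2 -SSLv3
    ProxyPass /irj/ http://10.8.1.14:50000/irj/
    ProxyPassReverse /irj/ http://10.8.1.14:50000/irj/
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, message in audit(POSTED_STYLE):
        print(f"line {lineno}: {message}")
```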

  • ISP redundancy and reverse proxy

    Greetings, community!
    We have two EDGE TMG servers and two INTERNAL TMG servers.
    We have two providers with two dedicated external IP addresses each.
    I configure ISP Redundancy for each EDGE TMG servers with parameters:
    Each EDGE TMG server has two External NIC and one Internal NIC. 
    EDGE 1: Provider1_IP1 and Provider2_IP1
    EDGE 2: Provider1_IP2 and Provider2_IP2
    ISP Connections:
    Provider1 and Provider2
    So, the trouble:
    We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
    Also we made 4 external DNS records for each Web-Service.
    For example:
    mail.domain.com Provider1_IP1
    mail.domain.com Provider1_IP2
    mail.domain.com Provider2_IP1
    mail.domain.com Provider2_IP2
    If we try to connect from outside to any published Web-Service, we get a big delay (~30 sec), and then it connects.
    After some tests we found that ONLY ONE EDGE TMG server is used for reverse proxy. IP addresses from EDGE 1 are unavailable for external access. But it still works as Web-Proxy for internal connections. Reverse-Proxy works only for EDGE 2 IP addresses.
    If we shut down the EDGE 2 TMG server, then Reverse-Proxy for EDGE 1 IP addresses works correctly.
    Why do not all 4 of my external IP addresses work for reverse-proxy? Only the 2 from one of my EDGE servers work.

    So, I still try to solve my problem...
    When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
    LOGS on DMZ server (EDGE1):
    Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3427) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 21000ms Original Client IP: 77.73.111.194 
    LOGS on INTERNAL server:
    Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
    Log type: Firewall service 
    Status: A connection was abortively closed after one of the peers sent an RST packet.  
    Source: External (77.73.111.194:3427) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 304 Number of bytes received: 192
    Processing time: 20281ms Original Client IP: 77.73.111.194
    When I try to connect my EDGE2 server external IP addresses, then:
    LOGS on DMZ server (EDGE2):
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Rule: Publish TMGBE HTTP 
    Source: External (77.73.111.194:3429) 
    Destination: Internal (172.16.0.100:80) 
    Protocol: HTTP Server 
    Additional information 
    Number of bytes sent: 534 Number of bytes received: 146
    Processing time: 203ms Original Client IP: 77.73.111.194
    Then traffic was redirected to HTTPS:
    Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Rule: Publish TMGBE HTTPS 
    Source: External (77.73.111.194:3430) 
    Destination: Internal (172.16.0.100:443) 
    Protocol: HTTPS Server 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194
    LOGS on INTERNAL server:
    Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
    Rule: Publish OWA 
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: http 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: (No source information is available.)
    Cache info: 0x0
    Processing time: 1 MIME type:  
    It's OK, because IIS require SSL. Then:
    Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: The operation completed successfully.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 0 Number of bytes received: 0
    Processing time: 0ms Original Client IP: 77.73.111.194 
    Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
    Log type: Firewall service 
    Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
    Source: External (77.73.111.194:3429) 
    Destination: Local Host (172.16.0.100:80) 
    Protocol: HTTP 
    Additional information 
    Number of bytes sent: 786 Number of bytes received: 318
    Processing time: 15ms Original Client IP: 77.73.111.194
    And HTTPS:
    Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
    Log type: Web Proxy (Reverse) 
    Status: 302 Moved Temporarily 
    Rule: Publish OWA 
    Source: External (77.73.111.194:3430) 
    Destination: Local Host (10.1.200.129:443) 
    Request: GET http://mail.domain.com/ 
    Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
    Protocol: https 
    User: anonymous 
    Additional information 
    Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x40000000 (Response should not be cached.)
    Processing time: 1 MIME type: text/html; charset=UTF-8 
    I can't understand the difference between these servers. If I shut down EDGE2, the publishing works fine through EDGE1.

  • Web Dispatcher as the Full reverse proxy

    Hi all,
    Has anyone configured SAP Web Dispatcher (WD) as the full reverse proxy for the portal? We need to open our portal to the internet and we are thinking of putting WD inside the DMZ and having it forward the requests to the portal server, which is explained well in a blog on SDN. According to that blog, WD works ONLY as a redirecting server (or maybe a load balancer). When it redirects a request to an internal server, the IP (or domain name) of the server is shown in the address bar. Ex: http://extrenal.com is being redirected to http://internal:50000/irj/index.html, thus exposing the internal name or IP.
    I thought that a reverse proxy, when it works, hides the internal IPs and forwards the requests. So my question here is how to configure WD so it won't show the internal portal IP (or domain name).
    Any ideas?
    I know it could be done using IIS, Apache or Squid.
    Best,
    N.

    Hi again,
    Yes, most probably, you will have to configure specially the corporate reverse proxy.
    That is what is explained in the WIKI and the help.sap.com documentation. Did you read it ? If not, do it, it's a must !
    This is not very simple because SAP web applications, generate a lot of dynamic URLs  and must "know" that reverse proxies are used.
    Understand that it is a project and not just a 5-minute configuration...
    For example when using Apache as a reverse proxy, you need at least to set :
    ProxyPreserveHost on and ProxyPassReverse
    You need to decide if you want to rewrite URLS.
    You need to manage URL mangling if you use BSP applications in the SAP backend.
    In short, you need to know what is the corporate reverse proxy and you need to do a specific SAP configuration both on the corporate reverse proxy and the SAP web dispatcher.
    This configuration depends from your specific needs.
    Regards,
    Olivier
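
What `ProxyPassReverse` does to a backend redirect, modelled as an added example that is not part of the original posts and is not Apache's code: a `Location` under a mapped backend prefix is rewritten to the public URL, while one outside every mapping passes through and shows the internal host to the browser. The public name `portal.example.com`, the function names and the sample responses are assumptions; `internal:50000` is the backend from the question above.

```python
# Response headers that Apache's ProxyPassReverse adjusts on redirects.
REWRITTEN = ("location", "content-location", "uri")


def reverse_map(value, mappings, public_base):
    """Map a backend URL to its public form, longest backend prefix first.

    mappings is a list of (public_path, backend_url) pairs, the two
    arguments of a ProxyPassReverse line.
    """
    ordered = sorted(mappings, key=lambda m: len(m[1]), reverse=True)
    for public_path, backend_url in ordered:
        if value.startswith(backend_url):
            return public_base.rstrip("/") + public_path + value[len(backend_url):]
    return value  # no mapping covers it: passed through unchanged


def rewrite_response(headers, mappings, public_base):
    """Apply reverse_map to the redirect-related headers of one response."""
    return [
        (name, reverse_map(value, mappings, public_base)
         if name.lower() in REWRITTEN else value)
        for name, value in headers
    ]


def exposed_backends(headers, backend_hosts):
    """Names of headers whose value still contains a backend host:port."""
    return [name for name, value in headers
            if any(host in value for host in backend_hosts)]


# Constructed setup: only /irj/ has a reverse mapping.
PUBLIC_BASE = "https://portal.example.com"
MAPPINGS = [("/irj/", "http://internal:50000/irj/")]
BACKEND_HOSTS = ["internal:50000"]

# Constructed backend responses: one redirect inside the mapping, one outside.
MAPPED = [("Location", "http://internal:50000/irj/index.html")]
UNMAPPED = [("Location", "http://internal:50000/logon/")]

if __name__ == "__main__":
    for response in (MAPPED, UNMAPPED):
        sent = rewrite_response(response, MAPPINGS, PUBLIC_BASE)
        print(sent, "exposed:", exposed_backends(sent, BACKEND_HOSTS))
```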

  • Apache Reverse Proxy: Domain problem

    Hi,
    I have a problem with Apache Reverse Proxy (Apache 2.2) and SAP Enterprise Portal 6.0.
    I configured Apache as a Reverse Proxy Server (with SSL)so that the portal is accessible through the internet. Everything is working fine but the OWA integration doesn't work over the Reverse Proxy.
    If I log on to http://portalsrv.mydomain.xx:12345/irj the OWA integration works fine with SSO and there is no problem with session management.
    If I log on to https://revproxy.mydomain.zz:1234/irj and want to open Outlook I get the message that Session management doesn't work. However the other components like ESS work fine. Deactivating the DSM Logger is not a solution to this problem.
    The Log tells me:
    1.
    Application domain 'mydomain.xx' differs from Portal domain 'mydomain.zz'.
    Session Management will not work for Application 'abc.mydomain.xx'
    2.
    Application schema 'http' differs from Portal schema 'https'.
    Session Management will not work for Application 'abc.mydomain.xx'
    Is there a possibility to write a Rewrite-Rule in the Apache-Conf?
    For instance:
    https://abc.mydomain.xx --> http://abc.mydomain.zz
    Has anybody made such a rule?
    I hope anybody can help me with the problem.
    Thank you

    Hi Daniel,
    OK, I'll try to find a solution in parallel and keep you up to date.
    In the following my settings in case I missed something:
    <VirtualHost test.firma.de:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /apache/keys/pac_ssl_qep_dmz_server.crt
    SSLCertificateKeyFile /apache/keys/pac_ssl_qep_dmz_server.key
    ServerName test.firma.de:443
    ServerAdmin [email protected]
    LogLevel debug
    ErrorLog logs/ssl_443_error
    CustomLog logs/ssl_443_access_log common
    ProxyVia Off
    ProxyPreserveHost On
    ReWriteEngine on
    ReWriteLogLevel 0
    ReWriteLog logs//ssl_443_rewrite_http.log
    ProxyPass / https://backend.firma.de:50001/
    ProxyPassReverse / https://backend.firma.de:50001/
    </VirtualHost>
    Regards, Jens

  • Reverse Proxy in SOAMANAGER not working

    SAP Environment: SAP Netweaver 7.01 SP3
    Service Testing Tool: SOAPUI
    Requirements: Redirect the end-point (serverA) in the WSDL of a web service created from an ABAP proxy to the load balancer
    What I have done:
    1. Defined a Reverse Proxy in SOAMANAGER to redirect from serverA:8010 to loadBalancer:80.
    2. Tested the service and it worked fine.
    3. To make sure the Reverse Proxy was working, I changed loadBalancer:80 to a server name that does not exist.
    4. Tested the service again and it still worked.
    Questions:
    1. Found SAP help on Reverse Proxy but it does not explain all the fields.  In the Reverse Proxy configuration, there is a Status field, any idea what value should be put there?  I have left it blank.
    2. Is there any other configuration needed for the Reverse Proxy to work?
    3. Is there a way to check if the Reverse Proxy is working?
    Any help will be appreciated.

    Got the reverse proxy to work.  Below are the field values in the reverse proxy setting that have worked:
    Reverse proxy name: <any name>
    Incoming http header host name: server1.domain..company.com (get it from the end-point in WSDL) 
    Incoming ICM port: port (get it from the end-point in WSDL)
    Substitute host name: server2.domain..company.com (has to be FQDN)
    Substitute http port: 80 (in my case)
    Substitute https port: (blank)
    Additional path prefix: (blank)
    Meta data protocol substitution: http
    Endpoint protocol substitution: http
    Status: active

  • OCS on a single computer / DMZ using Apache reverse proxy

    Hi there,
    we've installed the OCS 10.1.2 on a single Solaris box in our internal LAN. Everything works fine internally. We would like to configure a Apache reverse proxy in our DMZ to get the possibility to use it from outside (as shown in "Oracle Collaboration Suite Deployment Guide", chapter 3, Figure 3-2 Single Computer in a DMZ). Unfortunately I didn't find any configuration hints for the reverse proxy.
    Can someone provide me with an example configuration?
    Thanks,
    Christoph

    Hello Andreas and Christoph!
    I have the same problem as Christoph. We made a single-box installation of OCS 10.1.2 in the intranet. Now I am looking for installation documentation on how I have to configure an Apache or Oracle Standalone Webcache as a reverse proxy in the DMZ to allow access to the OCS from the internet. I only read that it is possible, but nothing about the way.
    I have installed a Webcache (OAS 10.1.2 Java Edition, not the standalone version from the Companion CD) and configured it by my own knowledge. The result was network errors.
    Is there anywhere information?
    Best regards!
    Axel

  • Doubts regarding reverse proxy in DMZ

    Hi,
    We are going to implement DMZ in a test environment following the metalink note:287176.1.
    We have two sun servers so we have chosen Section 2.2(Fig 4) of 287176.1 as our deployment architecture.
    The steps we are going to follow are:
    1.Install Oracle Applications 11.5.10.2 in internal server.
    2.Clone the application to external server.
    3.Open the following ports:
    80,443 in the external firewall and 1521 in the data firewall.
    4.Follow steps from section 5.1,5.2,5.3,5.4 of 287176.1.
    5.Configure the URL firewall specific to the product that we want to expose for external use.
    Can someone please validate the above steps.
    Also please clarify the following doubts:
    1.Do we need a separate external URL and domain to access the application from internet??
    If yes then this domain and URL mapping is done in which configuration file??
    2.Do we need to set up a reverse proxy server also for this architecture?If yes then is it necessary to deploy another reverse proxy server in front of external web server?
    Cant we configure the external web tier itself as reverse proxy??
    If yes then,how do we do it using 9iAS shipped with EBS...as we dont want to use standalone Apache for this and the document 287176.1 describes the steps to use a standalone Apache in section.(.Appendix D)..
    Please help...
    We have been given a time frame and limited resources to implement this POC.So a response is highly appreciated..
    Thanks
    ex:External URL:

    > We have two Sun servers, so we have chosen Section 2.2 (Fig 4) of 287176.1 as our deployment architecture.
    If you chose the above configuration there is no reverse proxy setup.
    > 1. Do we need a separate external URL and domain to access the application from the internet? If yes, then in which configuration file is this domain and URL mapping done?
    The changes are done on the external web tier in the application context file:
    s_webentryhost - set to DMZ host name
    s_webentrydomain - domain name of DMZ host
    s_active_webport - port where the host will listen to requests
    s_webentryurlprotocol - http or https according to your configuration
    s_login_page - http(s)://webentrypoint:webentrydomain:activewebport
    > 2. Do we need to set up a reverse proxy server also for this architecture?
    Again, section 2.2 does not require a reverse proxy, only an external web host.
    Please remember that the external host in the DMZ runs only the web tier. All the other services should be disabled.
    > If yes, then how do we do it using 9iAS shipped with EBS?
    Clone the AppsTier to the external host. Edit the context file and disable all the processes except
    <oa_process_status oa_var="s_apcstatus">enabled</oa_process_status>
    Then you have a web tier running without standalone Apache.
    I have recently finished configuring this setup.
    Message was edited by:
    bhetaal
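The reply above says the DMZ host should run only the web tier, with every process in the context file disabled except s_apcstatus. The following check is an added example, not part of the original posts or of Oracle's tooling: it parses a context-file fragment and reports any other process still enabled. The sample XML is constructed, and every oa_var name other than s_apcstatus is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the context-file line quoted in the reply.
# Every oa_var name except s_apcstatus is an assumption made for this example.
SAMPLE_CONTEXT = """\
<oa_context>
  <oa_processes>
    <oa_process type="apache">
      <oa_process_status oa_var="s_apcstatus">enabled</oa_process_status>
    </oa_process>
    <oa_process type="forms">
      <oa_process_status oa_var="s_formsstatus"> Enabled </oa_process_status>
    </oa_process>
    <oa_process type="concmgr">
      <oa_process_status oa_var="s_concstatus">disabled</oa_process_status>
    </oa_process>
    <oa_process type="tns">
      <oa_process_status>enabled</oa_process_status>
    </oa_process>
  </oa_processes>
</oa_context>
"""

ALLOWED_ON_DMZ = {"s_apcstatus"}  # the only process the reply leaves enabled


def audit_dmz_processes(context_xml, allowed=ALLOWED_ON_DMZ):
    """Return (unexpected_enabled, required_not_enabled, unnamed_enabled)."""
    root = ET.fromstring(context_xml)
    enabled = set()
    unnamed = 0
    for node in root.iter("oa_process_status"):
        # Tolerate stray whitespace and mixed case in the status text.
        state = (node.text or "").strip().lower()
        if state != "enabled":
            continue
        var = node.get("oa_var")
        if var:
            enabled.add(var)
        else:
            unnamed += 1  # enabled entry without an oa_var: review by hand
    return sorted(enabled - allowed), sorted(allowed - enabled), unnamed


if __name__ == "__main__":
    extra, missing, unnamed = audit_dmz_processes(SAMPLE_CONTEXT)
    print("enabled but not allowed on the DMZ host:", extra)
    print("expected to be enabled but is not:", missing)
    print("enabled entries with no oa_var:", unnamed)
```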

  • MS ISA Reverse Proxy and access to webgui apps

    Hi All,
    We have an EP7 system that is connected to backend ECC and BI systems. External users now need to access EP via an MS ISA server that acts as a reverse proxy. This works fine when accessing EP itself, but not when accessing webgui iviews that point to the backend ECC system, as the generated absolute URL contains the backend hostname, which is not resolvable from the external browser. We have edited the ECC system properties in EP to point to the external URL instead of the ECC hostname, and in the browser I can see that it points to https://publicurl.company.com:8000/sap/bc/*. However, we get 'IE cannot display the page..' errors in the browser. What are we missing here?
    Regards,
    Mark

    Hi Mark,
    First of all, you need to configure ISA as a reverse proxy to your ECC system as well as to your portal, perhaps using a different address for the same server, e.g. publicurl.company.com for the portal and ecc.publicurl.company.com for the ECC system.
    Next, you need to make sure that internal access to ecc.publicurl.company.com will also go to ECC, possibly by setting up a local DNS entry.
    Finally, you should edit the system entry for ECC in the Portal and set the ISA, WebAS and ITS hostnames to be ecc.publicurl.company.com.
    As you can see, this is primarily an infrastructure problem rather than a portal problem...
    Hope this helps,
    Darren

  • Forward parameters in reverse proxy configuration

    Hi,
    Looking at the detailed configuration in a reverse proxy rule in SJSWS, I have derived the following conclusions:
    1) Where the SJSWS listener has SSL enabled, reverse proxy works on an HTTPS in, HTTP out basis.
    2) Details in the incoming request's SSL header, such as User DN, will be stripped out and remapped into the outgoing request as a custom header, e.g. "Proxy-user-dn".
    Can anybody tell me if I have gotten anything wrong above?
    We are currently switching over from an Apache/mod_proxy/mod_ssl --> Apache/mod_jk --> Apache Tomcat server setup to a hybrid model where SJSWS is the web server reverse proxying to Tomcat (old apps) and SJSAS (new apps).
    My question:
    All our apps use the User DN string as the user ID. Previously, we developed a custom module in Apache to read the DN at the Apache level and then rewrite it into the Basic Auth user name header in the outgoing request. The Tomcat webapp will then authenticate the user based on the Basic Auth user name property. Is it possible for me to remap it into something similar here in the SJSWS reverse proxy configuration?
    Thanks!
    Wong

    I am not a reverse proxy expert, but this Object-type SAF should forward userdn
    http://docs.sun.com/app/docs/doc/820-1062/6ncoqnq3b?l=en&a=view&q=forward-user-dn
    You can look for more such SAFs in this document.
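When the user DN reaches the backend as a plain request header, as described in this thread, the backend can rely on it only for connections that come from the reverse proxy. The following backend-side check is an added example, a Python sketch rather than SJSWS or Tomcat code: the proxy address is constructed, and the header name is the "Proxy-user-dn" example from the question.

```python
import ipaddress

# Constructed values for the example: the reverse proxy's address, and the
# header name the question gives as an example ("Proxy-user-dn").
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]
DN_HEADER = "proxy-user-dn"


def forwarded_user_dn(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return the forwarded DN, or None when it must not be trusted.

    peer_ip: address of the TCP peer that connected to the backend.
    headers: list of (name, value) pairs exactly as received.
    """
    peer = ipaddress.ip_address(peer_ip)
    # A request that did not arrive through the proxy carries a header
    # that the sender chose freely, so it is ignored.
    if not any(peer in net for net in trusted):
        return None
    values = [v.strip() for name, v in headers if name.lower() == DN_HEADER]
    # Exactly one non-empty value is expected; a missing or repeated
    # header is treated as unauthenticated.
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


if __name__ == "__main__":
    dn = "CN=Example User,O=Example Org"  # constructed DN
    print(forwarded_user_dn("10.0.0.10", [("Proxy-user-dn", dn)]))
    print(forwarded_user_dn("10.0.0.99", [("Proxy-user-dn", dn)]))
```

The proxy side still has to overwrite any copy of the header supplied by the client; this check covers connections that bypass the proxy and malformed requests.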
