Remote_user not passed in reverse proxy

Similar Messages

• X.509 client certificate not working through Reverse proxy

  Dear expert,
  We are working on fiori infrastructure. Our current scope is to enable X.509 authentication for both internet and intranet. However, the intranet scenario for X.509 authentication is working fine but internet is not, we got error message of "Base64 decoding of certificate failed". For landscape, the only difference between internet and intranet is we have apache reverse proxy in DMZ. We are using gateway as fron-end server, business suite and HANA in the back-end.
  As X.509 authentication works fine under intranet scenario, we assume that the configuration for X.509 for both front-end and back-end are correct. With that assumption, the issue would exist in reverse proxy. We are using apache 2.4.7 with openssl 1.0.1e, but we have upgraded the openssl to the latest version 1.0.1h for SSL certificate generation. Below are the apache configuration for X.509.
  Listen 1081
  <VirtualHost *:1081>
  SSLEngine on
  SSLCertificateFile  "D:/Apache24/conf/server.cer"
  SSLCertificateKeyFile  "D:/Apache24/conf/server.key"
  SSLCertificateChainFile  "D:/Apache24/conf/server-ca.cer"
  SSLCACertificateFile "D:/Apache24/conf/client-ca.cer"
  SSLVerifyClient optional
  SSLVerifyDepth  10
  SSLProxyEngine On
  SSLProxyCACertificateFile "D:/Apache24/conf/internal-ca.cer"
  SSLProxyMachineCertificateFile "D:/Apache24/conf/server.pem"
  AllowEncodedSlashes On
  ProxyPreserveHost on
  RequestHeader unset Accept-Encoding
  <Proxy *>
       AddDefaultCharset Off
       SSLRequireSSL
       Order deny,allow
       Allow from all
  </Proxy>
  RequestHeader set ClientProtocol https
  RequestHeader set x-sap-webdisp-ap HTTPS=1081
  RequestHeader set SSL_CLIENT_CERT  ""
  RequestHeader set SSL_CLIENT_S_DN  ""
  RequestHeader set SSL_CLIENT_I_DN  ""
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
  ProxyPass / https://ldcinxd.wdf.sap.corp:1081/  nocanon Keepalive=on
  proxyPassReverse /  https://ldcinxd.wdf.sap.corp:1081/
  We are out of mind on how to resolve this issue. Please kindly help if you have any idea on it.
  thanks,
  Best regards,
  Xian' an

  Hi Samuli,
  Really thanks for your reply.
  Yes, we have tried your suggestion above in the apache configure file above, but when testing the HANA service, we got error message "Certificate could not be authenticated".
  Yes, web dispatcher makes the X.509 authentication much easier as under intranet scenario, no DMZ between browser and web dispatcher. Client certificate pass through web dispatcher directly and it works perfectly this way. Not sure why it doesn' t work through apache reverse proxy.
  Best regards,
  Xian' an

• WebDynpro applications not working through Reverse Proxy

  Hi All,
  I have configured a Reverse Proxy using apache 2.2.4 and when i access my Portal (NW04s EP 7.0 SPS08) through reverse proxy i'm not able to display any webdynpro application (e.g. Identity Management). I'm getting Page can not be displayed. I think reverse proxy is not able to convert the request into absolute URLs.
  If someone had the same problem,please let me know.
  Regards
  Vaib

  I resolved the problem on my own by adding webdynpro directive to the httpd.conf.
  Thanx
  Vaib

• Reverse Proxy - Apache vs SAP Web Dispatcher

  Hi,
  my config consists in a portal (EP7.0 - DB/CI + AS) and an ECC system (ECC 6.0 - DB/CI + AS).
  Web developments are based on Abap Web Dynpro and are also located on ECC.
  To ensure load balancing there are 2 web dispatchers : one on EP DB/CI, one on ECC DB/CI.
  Those 2 systems are located in intranet. Intranet access are realized via http.
  Moreover I need to open this solution to internet. I need a component to filter access in DMZ and ensure reverse proxy + https functions.
  Technical target chain links are depicted below.
  internet access : browser (https) -
  >  (https) reverse proxy in DMZ (http) -
  > IS (Portal/ECC)
  intranet access : browser (http) -
  > IS (portal/ECC)
  At the moment two application gateway solutions have been identified :
  Apache (MOD_PROXY + MOD_HTTPS) - My configuration is based on Linux
  SAP Web Dispatcher ("cascading" implementation as described in OSS note 740234)
  I'm looking for PROs and CONs of those 2 solutions and I'm also seeking for the impact of ensuring https encryption/decryption at the application gateway level ("a priori" this usage is not transparent in term of server sizing - CPU/memory, do I require to implement an SSL accelerator ?).
  Regards.
  Frederic.

  Hi,
  PRO Webdispatcher:
  - Supports SAP Java + ABAP
  - Loadbalancing of SAP applications (stateful)
  - Supports load balancing (saplb_* cookie)
  - Free of costs
  - easy to set up (up & running in 2 minutes)
  - Supports HA solutions out-of-the-box (process HA)
  - Filter + Rules to modify the requests
  CONS Webdispatcher
  - not a full reverse proxy
  - Limited functionality
  - one more server/solution (normaly, a company already does have a reverse proxy solution in place)
  - limited user base (only SAP customers)
  PRO Apache
  - free
  - widly in use
  - full reverse proxy
  - allows more complex filtering / rewriting
  - can be used for more web solutions, reuse of existing apache reverse proxy
  CONS Apache
  - does not support SAP load balancing (connection to the message server port for load distribution)
  - can be more complex to set up
  - SAP specific technology / problems are more harder to fix (ABAP, Stateful connections, sap_lb*)
  Short: both will server well as a reverse proxy.
  Rule of thumb: If you go for Apache or Web Dispatcher should mainly depend on you current IT landscape. If you already do have an apache in use, use Apache. You already have the people / knowledge, try to foster it .
  If you start from scratch and have SAP Logon Groups or many WebDynpro ABAP applications, go for the Web Dispatcher.
  br,
  Tobias

• Lync mobility and HTTP authentication test failed. Is reverse proxy required?

  I currently have the following setup.
  1 x 2013 edge server lync1.local.com
  has 3 dmz ips for external names 
  has 1 internal ip
  2 x 2013 std front end servers lync2 & lync3.local.com
  Ive read that in 2013 the mobility service is installed automatically on the front end servers and i do see it running on both.
  All my clients can connect from the windows and mac clients(internally and externally) but not from phone or windows app store client (internally or externally)
  running the exchangeconnectivity test on the website i get the following error
  Testing HTTP authentication methods for URL https://lyncdiscover.external.com/Autodiscover/AutodiscoverService.svc/root/user.
    HTTP authentication test failed.
  Additional Details
  A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
  HTTP Response Headers:
  X-MS-Server-Fqdn: lync1.local.com
  Connection: close
  Content-Length: 64
  Content-Type: text/plain
  Server: RTC/5.0
  Elapsed Time: 427 ms.
  After some reading I notice that many people refer to a reverse proxy when dealing with mobility.
  I do not have a reverse proxy server installed. Is this required for the mobility to work correctly? I cant just use the edge server?
  Thanks in advance for any help.

  Take a look at Georg Thomas' blog: http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html also the Citrix official documentation: http://www.citrix.com/global-partners/microsoft/netscaler.html 
  Please mark posts as answers/helpful if it answers your question.
  Blog
  Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

• ISP redundancy and reverse proxy

  Greetings, community!
  We have two EDGE TMG servers and two INTERNAL TMG servers.
  We have two providers with two dedicated external IP addresses each.
  I configure ISP Redundancy for each EDGE TMG servers with parameters:
  Each EDGE TMG server has two External NIC and one Internal NIC. 
  EDGE 1: Provider1_IP1 and Provider2_IP1
  EDGE 2: Provider1_IP2 and Provider2_IP2
  ISP Connections:
  Provider1 and Provider2
  So, the trouble:
  We have some published Web-Services, like OWA, ActiveSync, TerminalGatewayServers and others.
  Also we made 4 external DNS records for each Web-Service.
  For example:
  mail.domain.com Provider1_IP1
  mail.domain.com Provider1_IP2
  mail.domain.com Provider2_IP1
  mail.domain.com Provider2_IP2
  If we try to connect from external to any published Web-Services, we have big delay (~ 30 sec), and then it connected.
  After some tests we find that ONLY ONE EDGE TMG server is used for reverce proxy. IP Addresses from EDGE 1 is unavailable from external access. But it still works as Web-Proxy from Internal connections. Reverse-Proxy works only for EDGE 2 IP Addresses.
  If we shutdown EDGE 2 TMG server, then Reverse-Proxy for EDGE 1 IP addresses are works correctly.
  Why all 4 my external IP addresses are not works for reverse-proxy? Only 2 from one of my EDGE servers.

  So, I still try to solve my problem...
  When I try to connect from External to one of my EDGE1 IP addresses, I got these logs:
  LOGS on DMZ server (EDGE1):
  Failed Connection Attempt DMZ-TMG-01 21.07.2014 11:27:40 
  Log type: Firewall service 
  Status: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  
  Rule: Publish TMGBE HTTP 
  Source: External (77.73.111.194:3427) 
  Destination: Internal (172.16.0.100:80) 
  Protocol: HTTP Server 
  Additional information 
  Number of bytes sent: 0 Number of bytes received: 0
  Processing time: 21000ms Original Client IP: 77.73.111.194 
  LOGS on INTERNAL server:
  Initiated Connection BLK-TMG-02 21.07.2014 11:27:20 
  Log type: Firewall service 
  Status: The operation completed successfully.  
  Source: External (77.73.111.194:3427) 
  Destination: Local Host (172.16.0.100:80) 
  Protocol: HTTP 
  Additional information 
  Number of bytes sent: 0 Number of bytes received: 0
  Processing time: 0ms Original Client IP: 77.73.111.194
  Closed Connection BLK-TMG-02 21.07.2014 11:27:40 
  Log type: Firewall service 
  Status: A connection was abortively closed after one of the peers sent an RST packet.  
  Source: External (77.73.111.194:3427) 
  Destination: Local Host (172.16.0.100:80) 
  Protocol: HTTP 
  Additional information 
  Number of bytes sent: 304 Number of bytes received: 192
  Processing time: 20281ms Original Client IP: 77.73.111.194
  When I try to connect my EDGE2 server external IP addresses, then:
  LOGS on DMZ server (EDGE2):
  Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
  Log type: Firewall service 
  Status: The operation completed successfully.  
  Rule: Publish TMGBE HTTP 
  Source: External (77.73.111.194:3429) 
  Destination: Internal (172.16.0.100:80) 
  Protocol: HTTP Server 
  Additional information 
  Number of bytes sent: 0 Number of bytes received: 0
  Processing time: 0ms Original Client IP: 77.73.111.194
  Closed Connection DMZ-TMG-02 21.07.2014 11:57:17 
  Log type: Firewall service 
  Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
  Rule: Publish TMGBE HTTP 
  Source: External (77.73.111.194:3429) 
  Destination: Internal (172.16.0.100:80) 
  Protocol: HTTP Server 
  Additional information 
  Number of bytes sent: 534 Number of bytes received: 146
  Processing time: 203ms Original Client IP: 77.73.111.194
  Then traffic was redirected to HTTPS:
  Initiated Connection DMZ-TMG-02 21.07.2014 11:57:17 
  Log type: Firewall service 
  Status: The operation completed successfully.  
  Rule: Publish TMGBE HTTPS 
  Source: External (77.73.111.194:3430) 
  Destination: Internal (172.16.0.100:443) 
  Protocol: HTTPS Server 
  Additional information 
  Number of bytes sent: 0 Number of bytes received: 0
  Processing time: 0ms Original Client IP: 77.73.111.194
  LOGS on INTERNAL server:
  Failed Connection Attempt BLK-TMG-02 21.07.2014 11:57:17 
  Log type: Web Proxy (Reverse) 
  Status: 12311 The page must be viewed over a secure channel (Secure Sockets Layer (SSL)). Contact the server administrator.  
  Rule: Publish OWA 
  Source: External (77.73.111.194:3429) 
  Destination: Local Host (172.16.0.100:80) 
  Request: GET http://mail.domain.com/ 
  Filter information: Req ID: 0a314138; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
  Protocol: http 
  User: anonymous 
  Additional information 
  Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  Object source: (No source information is available.)
  Cache info: 0x0
  Processing time: 1 MIME type:  
  It's OK, because IIS require SSL. Then:
  Initiated Connection BLK-TMG-02 21.07.2014 11:57:18 
  Log type: Firewall service 
  Status: The operation completed successfully.  
  Source: External (77.73.111.194:3429) 
  Destination: Local Host (172.16.0.100:80) 
  Protocol: HTTP 
  Additional information 
  Number of bytes sent: 0 Number of bytes received: 0
  Processing time: 0ms Original Client IP: 77.73.111.194 
  Closed Connection BLK-TMG-02 21.07.2014 11:57:18 
  Log type: Firewall service 
  Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.  
  Source: External (77.73.111.194:3429) 
  Destination: Local Host (172.16.0.100:80) 
  Protocol: HTTP 
  Additional information 
  Number of bytes sent: 786 Number of bytes received: 318
  Processing time: 15ms Original Client IP: 77.73.111.194
  And HTTPS:
  Allowed Connection BLK-TMG-02 21.07.2014 11:57:17 
  Log type: Web Proxy (Reverse) 
  Status: 302 Moved Temporarily 
  Rule: Publish OWA 
  Source: External (77.73.111.194:3430) 
  Destination: Local Host (10.1.200.129:443) 
  Request: GET http://mail.domain.com/ 
  Filter information: Req ID: 0a31413a; Compression: client=Yes, server=No, compress rate=0% decompress rate=0% 
  Protocol: https 
  User: anonymous 
  Additional information 
  Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
  Object source: Internet (Source is the Internet. Object was added to the cache.)
  Cache info: 0x40000000 (Response should not be cached.)
  Processing time: 1 MIME type: text/html; charset=UTF-8 
  I can't understand the difference between there servers. If I shutdown EDGE2, the Publishing will work fine through EDGE1.

• Doubts regarding reverse proxy in DMZ

  Hi,
  We are going to implement DMZ in a test environment following the metalink note:287176.1.
  We have two sun servers so we have chosen Section 2.2(Fig 4) of 287176.1 as our deployment architecture.
  The steps we are going to follow are:
  1.Install Oracle Applications 11.5.10.2 in internal server.
  2.Clone the application to external server.
  3.Open the following ports:
  80,443 in the external firewall and 1521 in the data firewall.
  4.Follow steps from section 5.1,5.2,5.3,5.4 of 287176.1.
  5.Configure the URL firewal specific to the product that we want to expose for external use.
  Can someone please validate the above steps.
  Also please clarify the following doubts:
  1.Do we need a seperate external URL and domain to access the application from internet??
  If yes then this domain and URL mapping is done in which configuration file??
  2.Do we need to set up a reverse proxy server also for this architecture?If yes then is it necessary to deploy another reverse proxy server in front of external web server?
  Cant we configure the external web tier itself as reverse proxy??
  If yes then,how do we do it using 9iAS shipped with EBS...as we dont want to use standalone Apache for this and the document 287176.1 describes the steps to use a standalone Apache in section.(.Appendix D)..
  Please help...
  We have been given a time frame and limited resources to implement this POC.So a response is highly appreciated..
  Thanks
  ex:External URL:

  We have two sun servers so we have chosen Section 2.2(Fig 4) of 287176.1 as our deployment architecture.If you chose the above configuration there is no reverse proxy setup.
  1.Do we need a seperate external URL and domain to access the application >>from internet?? If yes then this domain and URL mapping is done in which >>configuration file??The changes are done on the external web tier in the application context file. (s_webentryhost - set to DMZ host name
  s_webentrydomain - domain name of DMZ host
  s_active_webport - port where the host will listen to requests
  s_webentyurlprotocol - http or https according to your configuration
  s_login_page - http(s)://webentypoint:webentrydomain:activewebport )
  2.Do we need to set up a reverse proxy server also for this architecture?Again section 2.2 does not require a reverse proxy only external webhost
  Please remember that the external host in DMZ runs only webtier. All the other services should be disabled.
  If yes then,how do we do it using 9iAS shipped with EBSClone the AppsTier to external host. Edit the context file and disable all the processes except
  <oa_process_status oa_var="s_apcstatus">enabled</oa_process_status>
  Then you have a webtier running without standalone Apache.
  I have recently finished configuring this setup.
  Message was edited by:
  bhetaal

• Session ID in the Reverse Proxy in the Response

  Hi,
  Can anyone tell if the request is going from the reverse proxy to the application server, will the response also flow back from the app server to reverse proxy and then back to the client.
  Actually I want to fetch some information (MSISDN) from an external system the first time request comes to a proxy server. This is to be done on reverse proxy and map this information to the session id. Now my question is that the session id will be created in the App server and not on the reverse proxy. So can I map this information in the reverse proxy from the response when session id has already been created.
  Pls let me know if I have not phrased my question properly
  Thanks
  AA

  Andy,
  If you do all this in reverse, what happens, i.e., start with AS 2, get redirected to login, then repeat on AS1? Also, you didn't say what happens after the first step: you alter the URL, then login, then what? Do you end up on pg 40 with the session ID you as altered?
  If the behavior is symmetric, I think this is expected in 2.2.1. You are asking to join a session already owned by the SSO-authenticated user.
  Scott

• How to configure SharePoint HNSC with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.

  Could you please let me know how SharePoint HNSC can be configured with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.
  In normal path based site collections/web applications, reverse proxy configuration can be done using alternate access mappings with  Public URL = "proxy URL", internal = "HNSC Share Point URL" so that share point sends response back
  to Public URL = "proxy URL".
  In Host Named Site Collections,  alternate access mappings  are not supported. Each HNSC is designed to have only one URL in each zone. Zone is one of the five zones(Default,Intranet,Internet,Custom,Extranet) with each of which only one alternate
  URL is associated.  This is what we are able to get using power shell command "Set-SPSiteUrl", but this will not help us to get the response back to proxy URL after a request sent to share point because we could not find any mechanism in share
  point HNSC to respond  to a different URL(proxy URL). Consequently, Share Point URLs are exposed to  external users.
  Below share point article in MSDN blog is symmetrical to what we are observing with Share Point 2013 and Proxy Server. It mentions that internal HNSC URLs can’t be hidden using any proxy server. If  hiding the internal Share Point URLS is a requirement,
  it suggests to use a web application instead of host named site collections.
  Though I’m also observing the same behavior with Share Point 2013 HNSC, Could you please confirm my understanding is correct.
  http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx
  Excerpt from above article-
  "Host Named Site Collections Only Use One Host Name
  Continuing on the discussion on AAMs and host named site collections, you cannot use multiple host names to address a site collection in SharePoint 2010. Because host-named site collections have a single URL, they do not support alternate access mappings and
  are always considered to be in the Default zone.  This is important if you are using a reverse proxy to provide access to external users. Products like Unified Access Gateway 2010 allow external users to authenticate to your gateway and access a site
  as http://uag.sharepoint.com and forward the call to http://portal.sharepoint.com. Remember that URL rewriting is not permitted. Further, a site collection can only respond to one host name. This means if you are using a reverse proxy, it must forward the
  calls to the same URL.  If your networking team has a policy against exposing internal URLs externally, you must instead use web applications and extend the web application using an alternate access mapping."<u5:p></u5:p>

  Hi Satish,
  You are right that only one URL is allowed for each zone of the host-name site collections in both SharePoint 2010 and SharePoint 2013.
  It is by design that each host-name site collection only support one URL for each zone.
  The article below is about RTM version of SharePoint, and it is the same for SharePoint 2013 with the latest CU.
  https://support.microsoft.com/en-us/kb/2826457
  So to make the URL of HNSC not exposed to external users is not supported, you need to use path-based sites instead.
  Best regards.
  Thanks
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Images,css not appearing properly after accessing the reverse proxy page.

  Usecase :
  1) OHS1 with mod_osso agent deployed.
  2) OHS1 configured as reverse proxy.It points to the webserver(OHS2) of the app1.
  OHS1(mod_osso agent installed)-->OHS2(app1 webserver)
  3) httpd.conf entry in OHS1:
  ProxyRequests Off
  <Proxy *>
  Order deny,allow
  Allow from all
  </Proxy>
  ProxyPass /test/ http://tkcltkcl.padma.xxx.com:8088/test/
  ProxyPassReverse /test/ http://tkcltkcl.padma.xxx.com:8088/test/
  4) The direct url for appl1 works as per expectation. The reverse proxy redirects from the OHS1 correctly to the app1 OHS webserver accessing the app1 url.But the contents in the redirected app1 url are not aligned properly.Images,css,placement of html links are not appearing properly on the page.
  Do we need to do any other configuration in the revere proxy setup so as to avoid the misalignment on the redirected page?
  Thanks.

  Hi:
  Thanks for the reply! I have been UTTERLY scrupulous about
  keeping precisely time-matched and points-in-my-process-matched
  copies of the project folder for logical, "scientific" testing in
  RH5 and RH7, on precisely matched content.
  I have never even tried to open an RH7-processed copy of the
  project in RH5 because I was warned strongly against this action.
  It boils down to this; I cleaned up, FANATICALLY, all those
  illegitmate filenames, ran the project again in 5, still got
  impermissible missing images (and I mean MORALLY impermissible,
  because I'm doing the right thing!)
  Then, I took that project folder, copied it, and opened the
  exact same ingredients, via the .xpj file, in RH7. Same missing
  images.
  WAIT! Left out something important in first post! Dang; this
  was important! I've fixed missing images, had them appear properly
  upon compilation, then had others that HAD been right, come out
  missing. Have also had reimported, re-placed images come out upon
  compilation following repair, and then go missing again on third or
  later, subsequent compilations. Maddening.
  Am EXTREMELY reluctant to delete CPD file, because the last
  time I did that, I lost EXTENSIVE work I'd done on TOC and Index.
  Not cool at all.
  Hope this wasn't too cranky; truly grateful for help. Just
  very frustrated.
  Thanks!

• Webdynpro application not functioning from Apache Reverse Proxy

  Hi Experts,
  We are currently working on custom webdynpro application, which needs to be exposed to Internet. We are using Apache HTTP Server as a reverse proxy.
  We canable to access URL, but no images are getting displayed and also the application not functioning when we click any button/links.
  Below is the HTTPD file configuration.
  ProxyPass /esampleApp  http://hostname:port/webdynpro/dispatcher/local/esampUI/ESamplingApp
  ProxyPassReverse /esampleApp  http://hostname:port/webdynpro/dispatcher/local/esampUI/ESamplingApp
  When we look into  image URL, which is being called from Apache, we  found out "webdynpro" is missing in the URL.
  Actual URL in Portal Server: (working)
  http://portalhostname:port/webdynpro/resources/local/esampUI/Components/esampling.ui.ESamplingComp/logo.gif
  Apache URL:
  http://Apachehostname:port/resources/local/esampUI/Components/esampling.ui.ESamplingComp/logo.gif
  Please suggest.
  Thanks
  Aravind

  We also had the same issue, but the problem was that instead of http https was getting called.
  This has to do with 2 settings:
  1. Check the reverse proxy re-write URL's again. Note that there will be 2-3 entries one for webdynpro as well.
  2. Open your system definintion in system admin-sys configuration adn check the WAS settings. this should point to the FQDN of the proxy server and not to the R3 server.
  ankur

• Reverse proxy plugin does not like the POST method

  My second tier is not functionning properly when placed behind a S1WS6 with reverse proxy
  Client ====== SunOne web server with Passthrough ====== .NET app server & web services.
  The web server configuration (reverse proxy � libpassthrough.so) is configured and is working correctly when it comes to requesting normal pages, however a problem arises when the request is made either by:
  1- Invoking a web service on the .Net tier, or
  2- The .Net tier performs a server.transfer call within the same .net server (Page transfer)
  Keep in mind that the .Net tier works fine when not accessed through the reverse proxy.
  It seems that when a POST method is invoked, a Session Close is sent before data is sent back !!
  We tried to isolate the problem from different angles but came up short, the http server log shows that the request was made
  192.168.2.7 - - [14/Jul/2004:14:10:56 +0300] "POST /wavedms2.0/TestWebService/TestService.asmx HTTP/1.1" 100 0
  Although response 100 indicates that it is waiting for more, while the web service error shows the following:
  The underlying connection was closed: An unexpected error occurred on a receive.
  at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
  at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at TestWebService.oWebService.MyWebSvc.HelloWorld()
  at TestWebService.Form1.button1_Click(Object sender, EventArgs e)
  In general, any page that uses POST method faces the same problem.I appreciate any help you can provide us with a solution on this issue.

  The Application Server plugin, libpassthrough.so, was designed to connect Web Server to Application Server. Unfortunately, it does not work with IIS which sends unsolicited "HTTP/1.1 100 Continue" responses.

• Reverse Proxy in SOAMANAGER not working

  SAP Environment: SAP Netweaver 7.01 SP3
  Service Testing Tool: SOAPUI
  Requirements: Redirect the end-point (serverA) in the WSDL of a web service created from an ABAP proxy to the load balancer
  What I have done:
  1. Defined a Reverse Proxy in SOAMANAGER to redirect from serverA:8010 to loadBalancer:80.
  2. Tested the service and it worked fine.
  3. To make sure the Reverse Proxy was working, I changed loadBalancer:80 to a server name that does not exist.
  4. Tested the service again and it still worked.
  Questions:
  1. Found SAP help on Reverse Proxy but it does not explain all the fields.  In the Reverse Proxy configuration, there is a Status field, any idea what value should be put there?  I have left it blank.
  2. Is there any other configuration needed for the Reverse Proxy to work?
  3. Is there a way to check if the Reverse Proxy is working?
  Any help will be appreciated.

  Got the rever proxy to work.  Below are the field values in the reverse proxy setting that has worked:
  Reverse proxy name: <any name>
  Incoming http header host name: server1.domain..company.com (get it from the end-point in WSDL) 
  Incoming ICM port: port (get it from the end-point in WSDL)
  Substitute host name: server2.domain..company.com (has to be FQDN)
  Substitute http port: 80 (in my case)
  Substitute https port: (blank)
  Additional path prefix: (blank)
  Meta data protocol subsitution: http
  Endpoint protocol subsitution: http
  Status: active

• Controls_ie5.js file not completely downloadable through reverse proxy

  Hi,
  We have EP6.0 SP11 implemented in our production and we have setup Apache as reverse proxy server.
  With RP, url for portal is http://salesportal.company.com/irj
  Internal URL would be http://mirag.company.com:50000/irj
  We have set rewriting rule in Apache and proxy filter in portal web.xml.
  System was working perfectly with SP09 with Reverse Proxy. Last week i upgraded the sytem to SP11 and after that i seem to get lot of error message refering to java script controls_ie5.js.
  Problem is, when I login to portal with RP url it get java script error at lower left cornor of IE. But if I login with internal URL, I do not get any JS error and the server works seamless. We could find out that we are not able to download controls_ie5.js file using RP URL. Only partial file is getting downloaded to IE Temp. Internet Files folder.
  Any help is appreciated. Thanks.
  best regards,
  Vishnu

  Don't use the reverse proxy filter - it is deprecated for NW04 in favor of the http provider service (of the dispatcher) parameter "ProxyMappings". See help.sap.com for more details on ProxyMappings.
  Do an http trace of the request for the .js, also check your compression, keep-alive, and chunking settings in your VisAdmin to see if something got out of whack on the upgrade.
  Nick

• Reverse proxy redirecting not proxying

  I'm having trouble getting a reverse proxy to work as I expected it to.
  Scenario;
  Webserver 7 u 3 installed on host1.domain.com, instance listening on 8080
  Reverse proxy point configured for /agentsample -> http://host2.otherdomain.com:8080
  Now when I go to http://host1.domain.com:8080/agentsample two redirects occur, first is back to itself, then a second redirect to http://host2.otherdimain.com:8080/agentsample. This is where I have a problem, why am I being redirected, and not proxied?
  Furthermore, if I set the webserver7 up to be on port 80, crate a proxy for /agentsampe -> http://host2.otherdomain.com:8080 and then browse to http://host1.domain.com/agentsample I get redirected to http://host2.otherdomain.com/agentsample (which won't connect).
  So, does anyone know why this isn't working? I have other proxy points configed on host2.domain.com /idm -> http://host3.otherdomain.com:8202 for example, it works as expected, browsing to http://host2.domain.com:8080/idm gives me the page contect from host2.otherdomain.com but with the host2.domain.com URL - true proxying, no redirects.
  Any assistance appreciated.

  hi there,
  i'm getting the same redirecting behaviour with web server 7, update 3.
  the obj.conf says:
  <Object name="default">
  AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/sun/webserver7/lib/icons" name="es-internal"
  PathCheck fn="uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index-j2ee"
  PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
  PathCheck fn=validate_session_policy
  ObjectType fn="type-j2ee"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log"
  </Object>
  <Object name="j2ee">
  Service fn="service-j2ee" method="*"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>
  <Object name="cgi">
  ObjectType fn="force-type" type="magnus-internal/cgi"
  Service fn="send-cgi"
  </Object>
  <Object name="send-precompressed">
  PathCheck fn="find-compressed"
  </Object>
  <Object name="compress-on-demand">
  Output fn="insert-filter" filter="http-compression"
  </Object>and the instance specific obj.conf says: ( with additions from the opensso web agent )
  <Object name="default">
  AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/sun/webserver7/lib/icons" name="es-internal"
  NameTrans fn="map" from="/testapp" name="reverse-proxy-/testapp" to="http:/testapp"
  PathCheck fn="uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index-j2ee"
  PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
  PathCheck fn="validate_session_policy"
  ObjectType fn="type-j2ee"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log"
  </Object>
  <Object name="j2ee">
  Service fn="service-j2ee" method="*"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>
  <Object name="cgi">
  ObjectType fn="force-type" type="magnus-internal/cgi"
  Service fn="send-cgi"
  </Object>
  <Object name="send-precompressed">
  PathCheck fn="find-compressed"
  </Object>
  <Object name="compress-on-demand">
  Output fn="insert-filter" filter="http-compression"
  </Object>
  <Object ppath="http:*">
  Service fn="proxy-retrieve" method="*"
  </Object>
  <Object ppath="*/UpdateAgentCacheServlet*">
  Service type="text/*" method="(POST)" fn="process_notification"
  </Object>
  <Object ppath="*/dummypost/sunpostpreserve*">
  Service type="text/*" method="(GET)" fn="append_post_data"
  </Object>
  <Object name="reverse-proxy-/testapp">
  Route fn="set-origin-server" server="sunagent.mydomain.com:8080"
  </Object>the behaviour can be observed thusly in the http headers ( thank you livehttpheaders firefox plugin..)
  http://sunproxy.mydomain.com/testapp/index.html
  GET /testapp/index.html HTTP/1.1
  Host: sunproxy.mydomain.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  HTTP/1.x 302 Moved Temporarily
  Server: Sun-Java-System-Web-Server/7.0
  Date: Wed, 26 Nov 2008 06:49:09 GMT
  Location: http://sunsso.mydomain.com:80/opensso/UI/Login?goto=http%3A%2F%2Fsunproxy.mydomain.com%3A80%2Ftestapp%2Findex.html
  Content-Length: 0
  http://sunsso.mydomain.com/opensso/UI/Login?goto=http%3A%2F%2Fsunproxy.mydomain.com%3A80%2Ftestapp%2Findex.html
  GET /opensso/UI/Login?goto=http%3A%2F%2Fsunproxy.mydomain.com%3A80%2Ftestapp%2Findex.html HTTP/1.1
  Host: sunsso.mydomain.com:80
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  HTTP/1.x 200 OK
  Date: Wed, 26 Nov 2008 06:53:00 GMT
  Cache-Control: private
  Pragma: no-cache
  Expires: 0
  X-DSAMEVersion: 8.0 (2008-July-21 07:32)
  AM_CLIENT_TYPE: genericHTML
  Set-Cookie: AMAuthCookie=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23; Domain=.mydomain.com; Path=/
  Set-Cookie: amlbcookie=01; Domain=.mydomain.com; Path=/
  Set-Cookie: JSESSIONID=D33E12C33D3B30A0905FFCA1A4D77561; Path=/opensso
  Content-Type: text/html;charset=UTF-8
  Connection: close
  Transfer-Encoding: chunked
  http://sunsso.mydomain.com/opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23
  POST /opensso/UI/Login?AMAuthCookie=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23 HTTP/1.1
  Host: sunsso.mydomain.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://sunsso.mydomain.com/opensso/UI/Login?goto=http%3A%2F%2Fsunproxy.mydomain.com%3A80%2Ftestapp%2Findex.html
  Cookie: JSESSIONID=D33E12C33D3B30A0905FFCA1A4D77561; AMAuthCookie=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23; amlbcookie=01
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 193
  IDToken0=&IDToken1=amp_business_manager&IDToken2=amp_business_manager&IDButton=Log+In&goto=aHR0cDovL3N1bnByb3h5LnRob3VnaHR3b3Jrcy5jb206ODAvdGVzdGFwcC9pbmRleC5odG1s&encoded=true&gx_charset=UTF-8
  HTTP/1.x 302 Moved Temporarily
  Date: Wed, 26 Nov 2008 06:53:13 GMT
  Cache-Control: private
  Pragma: no-cache
  Expires: 0
  X-DSAMEVersion: 8.0 (2008-July-21 07:32)
  AM_CLIENT_TYPE: genericHTML
  X-AuthErrorCode: 0
  Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23; Domain=.mydomain.com; Path=/
  Set-Cookie: AMAuthCookie=LOGOUT; Domain=.mydomain.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  Location: http://sunproxy.mydomain.com:80/testapp/index.html
  Content-Length: 0
  Connection: close
  Content-Type: text/plain; charset=UTF-8
  http://sunproxy.mydomain.com/testapp/index.html
  GET /testapp/index.html HTTP/1.1
  Host: sunproxy.mydomain.com:80
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://sunsso.mydomain.com/opensso/UI/Login?goto=http%3A%2F%2Fsunproxy.mydomain.com%3A80%2Ftestapp%2Findex.html
  Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23
  HTTP/1.x 302 Moved Temporarily
  Server: Sun-Java-System-Web-Server/7.0
  Date: Wed, 26 Nov 2008 06:49:22 GMT
  Location: http://sunagent.mydomain.com:80/testapp/index.html
  Content-Length: 0
  Via: 1.1 https-sunproxy.mydomain.com
  Proxy-agent: Sun-Java-System-Web-Server/7.0
  http://sunagent.mydomain.com/testapp/index.html
  GET /testapp/index.html HTTP/1.1
  Host: sunagent.mydomain.com:80
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://sunsso.mydomain.com/opensso/UI/Login?goto=http%3A%2F%2Fsunproxy.mydomain.com%3A80%2Ftestapp%2Findex.html
  Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23
  HTTP/1.x 200 OK
  Date: Wed, 26 Nov 2008 06:53:44 GMT
  Set-Cookie: JSESSIONID=68F78AD040184A4F9368D636243B2C70; Path=/testapp
  Content-Type: text/html;charset=ISO-8859-1
  Content-Language: en-US
  Content-Length: 3687
  Connection: close
  http://sunagent.mydomain.com/testapp/images/banner.jpg;jsessionid=68F78AD040184A4F9368D636243B2C70
  GET /testapp/images/banner.jpg;jsessionid=68F78AD040184A4F9368D636243B2C70 HTTP/1.1
  Host: sunagent.mydomain.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: image/png,image/*;q=0.8,*/*;q=0.5
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: http://sunagent.mydomain.com/testapp/index.html
  Cookie: JSESSIONID=68F78AD040184A4F9368D636243B2C70; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23
  HTTP/1.x 200 OK
  Date: Wed, 26 Nov 2008 06:53:45 GMT
  Etag: W/"49462-1226285588000"
  Last-Modified: Mon, 10 Nov 2008 02:53:08 GMT
  Content-Type: image/jpeg
  Content-Length: 49462
  Connection: close
  http://sunagent.mydomain.com/favicon.ico
  GET /favicon.ico HTTP/1.1
  Host: sunagent.mydomain.com
  User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008111217 Fedora/3.0.4-1.fc9 Firefox/3.0.4
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcyANye01dpdxmpwm4JviJusoORmambL5kU%3D%40AAJTSQACMDE%3D%23
  HTTP/1.x 404 Not Found
  Date: Wed, 26 Nov 2008 06:53:48 GMT
  Set-Cookie: JSESSIONID=1A8BE19023EF620D6822C0DABCEEF838; Path=/
  Content-Type: text/html;charset=utf-8
  Content-Length: 988
  Connection: close
  ----------------------------------------------------------