Reverse proxy OPTIONS request
Hi all,
After recommendation, I am using the reverse proxy in Sun Web Server 7.0 to send requests to my web application in Tomcat. In my Tomcat web.xml, I have configured all requests (no extension or path) to be handled by a dispatcher servlet. I have a session filter which needs the HTTP host to set up the session correctly. This works fine but every so often I get a null pointer exception. On closer inspection, I can see this in the error log:
[28/Sep/2009:22:26:31] info ( 2308): trying to OPTIONS http://localhost:90, check-http-server reports: HTTP7750: server localhost:90 online
Is this the reverse proxy? Can I get round this somehow without changes to my application?
Thanks,
Surjit
I'd fix the Servlet filter. It sounds broken.
I think I may have to do something in the servlet filter like ignore requests with OPTIONS methods. I'll try to give a bit more explanation; we are supporting multiple countries so we have the following domains:
http://uk.mysite.com/
http://fr.mysite.com/
http://de.mysite.com/
etc.
These domains all point to the same webserver and Java requests are reverse proxied to the same Tomcat web application as we have a single codebase that serves all countries. The web application session filter will use the country code from the server host (e.g. xx.mysite.com) to set up the session so we can show the correct language to the user.
The reverse proxy has been set up like this in obj.conf:
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="localhost:90"
</Object>
I use localhost as I don't need to specify any country-specific domain here. This works fine but the reverse proxy health check will send localhost as the server host to the Tomcat instance. The session filter tries to map localhost in our country lookup mapping which doesn't exist and then throws a null pointer exception.
That said, I get the impression you want to send requests to a single Tomcat instance on the local host.
No, this is just for development purposes. In production we will use the reverse proxy to load balance over 4 JBoss servers so we will need the set origin SAF.
Thanks,
Surjit
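Added example, not part of the original thread and not the poster's code: a null-safe Host-to-country lookup that a session filter could call so the proxy's OPTIONS health probe (Host localhost:90) and any unrecognised Host header get an explicit decision instead of a NullPointerException. The class name, the probe-host list and the reject-unknown-hosts policy are assumptions; the country hosts are the ones named in the post. Requires Java 9 or later.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Hypothetical helper: decides what a session filter should do with a request. */
public class HostCountryResolver {

    enum Action { SET_COUNTRY, SKIP_SESSION_SETUP, REJECT }

    static final class Decision {
        final Action action;
        final String countryCode; // non-null only for SET_COUNTRY

        Decision(Action action, String countryCode) {
            this.action = action;
            this.countryCode = countryCode;
        }

        @Override
        public String toString() {
            return countryCode == null ? action.name() : action + "(" + countryCode + ")";
        }
    }

    // Allowlist built from the domains named in the post (constructed mapping).
    private static final Map<String, String> COUNTRY_BY_HOST = Map.of(
            "uk.mysite.com", "uk",
            "fr.mysite.com", "fr",
            "de.mysite.com", "de");

    // Assumption: Host values the reverse proxy's own health probe may present.
    private static final Set<String> PROBE_HOSTS = Set.of("localhost", "127.0.0.1");

    /** Lower-cases the Host header and drops the port and a trailing dot. */
    static Optional<String> normaliseHost(String hostHeader) {
        if (hostHeader == null) {
            return Optional.empty();
        }
        String h = hostHeader.trim().toLowerCase(Locale.ROOT);
        // Bracketed IPv6 literals are left untouched; they never match the allowlist.
        int colon = h.lastIndexOf(':');
        if (colon >= 0 && !h.startsWith("[")) {
            h = h.substring(0, colon);
        }
        if (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);
        }
        return h.isEmpty() ? Optional.empty() : Optional.of(h);
    }

    /**
     * SET_COUNTRY: known country host, the filter sets up the session as before.
     * SKIP_SESSION_SETUP: health probe, the filter calls chain.doFilter() without a session.
     * REJECT: missing or unknown Host, the filter answers 400 instead of failing later.
     */
    static Decision decide(String method, String hostHeader) {
        Optional<String> host = normaliseHost(hostHeader);
        if (!host.isPresent()) {
            return new Decision(Action.REJECT, null);
        }
        String country = COUNTRY_BY_HOST.get(host.get());
        if (country != null) {
            return new Decision(Action.SET_COUNTRY, country);
        }
        // Only the probe's method AND host together bypass session setup,
        // so an arbitrary OPTIONS request with a made-up Host is still rejected.
        if ("OPTIONS".equals(method) && PROBE_HOSTS.contains(host.get())) {
            return new Decision(Action.SKIP_SESSION_SETUP, null);
        }
        return new Decision(Action.REJECT, null);
    }

    public static void main(String[] args) {
        // Constructed sample requests: {method, Host header}.
        String[][] samples = {
                {"GET", "uk.mysite.com"},
                {"GET", "FR.mysite.com:80"},
                {"OPTIONS", "localhost:90"},   // the health probe from the error log
                {"GET", "localhost:90"},
                {"OPTIONS", "unknown.example"},
                {"GET", null},
        };
        for (String[] s : samples) {
            System.out.printf("%-7s Host=%-18s -> %s%n", s[0], s[1], decide(s[0], s[1]));
        }
    }
}
```

In a servlet filter the inputs would be request.getMethod() and request.getHeader("Host"); when the proxy sits in front of several backends, the Host value only reflects the client's request if the proxy forwards it unchanged.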
Similar Messages
-
Exchange 2013 pre-authentication & Reverse Proxy Options
Hello,
I wanted to see if anyone has any suggestions on reverse proxy options that can do pre-authentication like TMG used to do? I am currently trying to deploy out a new Exchange 2013 setup in coexistence with an existing Exchange 2010 environment which will then be migrated over. And one of the requirements is to block certain users from accessing webmail externally while still allowing others to access webmail. That is currently achieved by using a TMG server but that is going to be decommissioned along with Exchange 2010.
I have been searching online but so far I have not found anything that seemed to meet this requirement. I have seen that IIS Web Application Proxy tied in with AD FS would do the job. But there is some issue there with Exchange 2010 still being active that won't allow it to work. Some suggestions I have seen online involved changing permissions on the IIS directory or modifying web config files but those options didn't seem like they provided a consistent result.
So I am looking for some sort of option that is either inexpensive or some means of leveraging existing Microsoft technologies to achieve my goal. Any suggestions would be helpful.
Nicholas,
How about IIS ARR?
http://blogs.technet.com/b/exchange/archive/2013/07/19/reverse-proxy-for-exchange-server-2013-using-iis-arr-part-1.aspx
http://blogs.technet.com/b/exchange/archive/2013/08/02/part-2-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx
-
Exchange 2013 using ARR reverse proxy OWA options won't open
Hi,
I've been using the Exchange team's blog post (http://blogs.technet.com/b/exchange/archive/2013/08/05/part-3-reverse-proxy-for-exchange-server-2013-using-iis-arr.aspx) as a guideline on configuring my ARR deployment in my lab.
Everything was working perfectly right until I got to the last part of the blog on restricting the pattern matches.
The rewrite rules all work fine and everything is working as expected with the exception of the fact that I cannot access the options in OWA. ECP itself works great if I access it via the https://ecp.domain.com/ecp URL, but as soon as I use https://mail.domain.com/ecp it just won't display anything.
Looking at the failed request logs it just shows that it executes a 302 rewrite to ecp.domain.com, which is what I would expect it to do based on the rewrite rule matching https://mail.domain.com/ecp to the ecp.domain.com server farm.
If I look at the IIS logs it looks like it's getting into some sort of loop (the section below is about 10% of a single attempt to access the options pages):
2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp/ rfr=owa&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6983c585-b0ea-4fd0-9bb1-fc747ee8e992 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C) - 302 0 0 15
2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa/&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=d32a3a4f-d8a6-4712-91d4-56360be33793 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C) - 302 0 0 0
2014-06-28 12:25:38 xxx.xxx.xx.xxx GET /ecp rfr=owa//&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=14797897-f1ad-454a-b73c-fde041a43d2b 443 - xxx.xxx.xx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C) - 302 0 0 0
Did anyone ever run into something like this? Or have an idea where I may have made a mistake? I've tried everything I could think of.
The rewrite rules I have in place are basically exactly the same as the Exchange team's blog but just in case I overlooked something, please see the image below.
thanks in advance for your time
-
Help with Apache Reverse Proxy configuration with SAP Portal and SAP Webgui
Dear Experts,
I have an issue configuring Apache to work with SAP Portal and ERP webgui. Accessing Portal through Reverse Proxy is working fine. But the problem arises when we try to open an iView ERP webgui transaction page from Portal with the Reverse Proxy. Has anyone implemented similar requirements and could advise on the configuration required on the Apache side? Thank you
hi,
pls check the below links for reference:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/24396589-0a01-0010-3c8c-ab2e3acf6fe2
searchsap.techtarget.com/searchSAP/downloads/chapter-december.pdf
1) Learn to implement the reverse proxy filter and portal gateway in SAP Enterprise Portal 6.0 on Web Application Server 6.40.
https:/.../irj/sdn/nw-portalandcollaboration?rid=/webcontent/uuid/006efe7b-1b73-2910-c4ae-f45aa408da5b
2) Configuring the Portal for Your Reverse Proxy Filter Solution . ... This document describes the reverse proxy filter mechanism in SAP Enterprise ...
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/32ad9b90-0201-0010-3c8a-c900cd685f8f
3) have full reverse proxy functionality. Possibly. filter. requests. Internet ... Reverse proxy (optionally with authentication etc.) ...
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c066c390-0201-0010-3cba-cd42dfbcc8be
Note: please reward points if solution found helpful
Regards
Chandrakanth.k
-
Wildcard as CN on Reverse Proxy?
Hello,
Is there support for a wildcard entry as the subject name CN for Lync 2013 Reverse Proxy to replace the following urls?
webext.contoso.com
dialin.contoso.com
meet.contoso.com
officewebapps.contoso.com
lyncdiscover.contoso.com
Thank you.
Right.
At the bottom of this site https://technet.microsoft.com/en-us/library/gg398920.aspx you'll find also an answer:
"Wildcard entries are supported in the subject alternative name field of the certificate assigned to the reverse proxy. For details about how to configure the certificate request for the reverse proxy, see Request and configure a certificate for your reverse HTTP proxy in Lync Server 2013."
So you can have a wildcard certificate with a subject name / cn reverseproxy.mydomain.com and a * as a SAN.
-
Reverse proxy for web application
Hi,
The users of our enterprise Java-based web application must access a third web application through simple HTML links and then navigate in the target application.
But for security reasons and constraints the direct exchange between the browsers of users and the server of the other web application is not allowed.
Our web application must retrieve the web page from the other application and must return it to the user's browser. Is there a convenient way to implement this requirement in J2EE? In this case our web application must play the role of a simple reverse proxy, must request a target JSP page from the other application and process it to rewrite the URLs contained in the HTML page, then send the response to the user's web browser.
Has somebody already done such a technical requirement? Is there a library to implement easily this use case?
Thanks a lot
Regards
Just use Apache HTTPD 2.4 with mod_proxy and mod_proxy_html. No need to do it 'within J2EE'.
-
Apache as reverse proxy - 400 Bad request
Hi all,
I've configured Apache as reverse proxy according to this blog:
The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
When I try to navigate to http://testcomp/irj I get "400 - Bad request"
See exception:
Message : User Guest, IP address
Cannot parse the http request. Http error response [400 Bad Request] will be returned. Request is [Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
GET /irj HTTP/1.1
Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
com.sap.engine.services.httpserver.exceptions.HttpIllegalArgumentException: Incompatible field content in the MIME header.
at com.sap.engine.services.httpserver.lib.headers.MimeHeaderField.parse(MimeHeaderField.java:364)
at com.sap.engine.services.httpserver.lib.headers.MimeHeaders.init(MimeHeaders.java:504)
at com.sap.engine.services.httpserver.server.RequestAnalizer.initialize(RequestAnalizer.java:196)
at com.sap.engine.services.httpserver.server.Client.initialize(Client.java:84)
at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:143)
at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
at java.security.AccessController.doPrivileged(Native Method)
at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Severity : Error
Category :
Location : com.sap.engine.services.httpserver
Application :
Thread : SAPEngine_Application_Thread[impl:3]_32
Datasource : 9332850:C:usrsapPD9JC00j2eeclusterserver0logdefaultTrace.trc
Message ID : 000C29EFE9A300570000002D00000B9000043A81D3311894
Source Name : com.sap.engine.services.httpserver
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : 5359e85066e411dcbf6b000c29efe9a3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.engine.services.httpserver
ThreadObject : SAPEngine_Application_Thread[impl:3]_32
Transaction :
User : Guest
The lines I added to httpd.conf:
#Enable reverse-proxying
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://testcomp/logon
I tried with Apache version 2.2.3 & 2.0.59 with no success.
My J2EE/Portal version is 6.17.
Since this is a testing environment the two computers are under the same workgroup (no domain).
If I navigate directly to the portal (without the reverse proxy) everything is working.
How can I solve it?
Regards,
Omri
Hi Jakub,
Thanks for the answer.
It's not working for me...
I'm attaching my httpd.conf file.
Also, what Apache version do you use?
Can you post your httpd.conf file?
Thanks,
Omri
httpd.conf
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do not begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "c:/apache" will be interpreted by the
# server as "c:/apache/logs/foo.log".
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default. It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
# ThreadsPerChild: constant number of worker threads in the server process
# MaxRequestsPerChild: maximum number of requests a server process serves
ThreadsPerChild 250
MaxRequestsPerChild 0
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "c:/apache"
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#Listen 12.34.56.78:80
Listen 80
# Dynamic Shared Object (DSO) Support
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available before they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
# Example:
# LoadModule foo_module modules/mod_foo.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
# 'Main' server configuration
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
ServerAdmin @@ServerAdmin@@
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
# If your host doesn't have a registered DNS name, enter its IP address here.
ServerName localhost:80
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "c:/apache/htdocs"
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# features.
<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Satisfy all
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
# This should be changed to whatever you set DocumentRoot to.
<Directory "c:/apache/htdocs">
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Note that "MultiViews" must be named explicitly --- "Options All"
# doesn't give it to you.
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
Options Indexes FollowSymLinks
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
AllowOverride None
# Controls who can get stuff from this server.
Order allow,deny
Allow from all
</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you do define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog logs/error.log
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
<IfModule log_config_module>
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
# You need to enable mod_logio.c to use %I and %O
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrariwise, if you do
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and not in this file.
CustomLog logs/access.log common
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
#CustomLog logs/access.log combined
</IfModule>
<IfModule alias_module>
# Redirect: Allows you to tell clients about documents that used to
# exist in your server's namespace, but do not anymore. The client
# will make a new request for the document at its new location.
# Example:
# Redirect permanent /foo http://www.example.com/bar
# Alias: Maps web paths into filesystem paths and is used to
# access content that does not live under the DocumentRoot.
# Example:
# Alias /webpath /full/filesystem/path
# If you include a trailing / on /webpath then the server will
# require it to be present in the URL. You will also likely
# need to provide a <Directory> section to allow access to
# the filesystem path.
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the target directory are treated as applications and
# run by the server when requested rather than as documents sent to the
# client. The same rules about trailing "/" apply to ScriptAlias
# directives as to Alias.
ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
</IfModule>
# "c:/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "c:/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
# Apache parses all CGI scripts for the shebang line by default.
# This comment line, the first line of the script, consists of the symbols
# pound (#) and exclamation followed by the path of the program that
# can execute this specific script. For a perl script, with perl.exe in
# the C:\Program Files\Perl directory, the shebang line should be:
#   #!c:/program files/perl/perl
# Note you _must_not_ indent the actual shebang line, and it must be the
# first line of the file. Of course, CGI processing must be enabled by
# the appropriate ScriptAlias or Options ExecCGI directives for the files
# or directory in question.
# However, Apache on Windows allows either the Unix behavior above, or can
# use the Registry to match files by extension. The command to execute
# a file of this type is retrieved from the registry by the same method as
# the Windows Explorer would use to handle double-clicking on a file.
# These script actions can be configured from the Windows Explorer View menu,
# 'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
# button allows you to modify the Actions, of which Apache 1.3 attempts to
# perform the 'Open' Action, and failing that it will try the shebang line.
# This behavior is subject to change in Apache release 2.0.
# Each mechanism has its own specific security weaknesses, from the means
# to run a program you didn't intend the website owner to invoke, and the
# best method is a matter of great debate.
# To enable this Windows specific behavior (and therefore -disable- the
# equivalent Unix behavior), uncomment the following directive:
#ScriptInterpreterSource registry
# The directive above can be placed in individual <Directory> blocks or the
# .htaccess file, with either the 'registry' (Windows behavior) or 'script'
# (Unix behavior) option, and will override this server default option.
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
DefaultType text/plain
<IfModule mime_module>
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
TypesConfig conf/mime.types
# AddType allows you to add to or override the MIME configuration
# file specified in TypesConfig for specific file types.
#AddType application/x-gzip .tgz
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#AddHandler cgi-script .cgi
# For type maps (negotiated resources):
#AddHandler type-map var
# Filters allow you to process content before it is sent to the client.
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
</IfModule>
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#EnableMMAP off
#EnableSendfile off
# Supplemental configuration
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
ProxyPreserveHost On
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://sapportal:50000/irj
#ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://sapportal:50000/logon
#ProxyPassReverse /logon http://testcomp/logon
Need in depth knowledge about Certificate request and install for Reverse proxy and CAS role
Hi,
I have a few confusions about Exchange 2010/13 certificate request and install. As per my understanding, best practise is to assign a public CA certificate to the Reverse proxy and a Local CA certificate to the CAS servers, but I need to know what the format of the certificate request should be. Do we need to order a public certificate just for mail.domain.com and add SANs for the other web services URLs, and is it required to add the CAS array and server names to this certificate? In what case will we add server names, and what will happen if we don't add them? How will the Outlook clients connecting from the internet be using this certificate? I have very limited knowledge in certificates and it always pisses me off. Please help me with explanations and articles. I tried to google and have gone through many articles but didn't get a fair idea. Thanks in advance. :)
Hi,
Here are my answers you can refer to:
1. Use the New-ExchangeCertificate cmdlet to generate a new certificate request:
New-Exchangecertificate -domainname mail.domain.com, autodiscover.domain.com -generaterequest:$true -keysize 1024 -path "c:\Certificates\xxxx.req" -privatekeyexportable:$true -subjectname "c=US, o=domain.com, CN=server.domain.com"
2. CAS array name doesn’t need to be added in the certificate:
http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx
3. It depends on the situation that you configured to add the server name.
4. Outlook clients use certificate for authentication.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Arrowpoint Cookies, Reverse Proxy and Multiplexed Client Requests
Hi,
I have a reverse proxy which is performing SSL offload and making backend connections to two web servers. Between the reverse proxy and the two webservers, a CSS is in place to load balance between the web servers. There is a requirement for session stickiness on the web servers and since client IP details are lost through the reverse proxy I have used the arrowpoint-cookie method to load balance connections.
However, the reverse proxy seems to make only a handful of connections to the servers compared to the number incoming client connections and we have noticed that stickiness is broken. Now, I would assume this is correct if arrowpoint-cookie makes a load balancing based on the first HTTP get in a tcp stream and not on a per transaction basis AND our reverse proxy is multiplexing client requests. However, I can not convince myself of how the arrowpoint-cookie method actually works.
I wondered if anyone had any insight on this or had experienced similar issues with arrowpoint cookies?
Hi Gilles,
I have implemented this today, and we are still seeing issues with requests hitting the wrong server.
A bit more info, the reverse proxy is an AXG Web Application Firewall. I have been looking at this and am considering disabling connection re-use on here.
However I am also wondering if this might be to do with the flow timeout multiplier I am using which is 5 (80 seconds). Perhaps this is too low?
Thanks, David. -
Lync Reverse Proxy Alternatives
When migrating from OCS 2007 to Lync 2010, we balked at Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
TMG is way too expensive and complex for such a limited, simple use case.
I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
We decided to use Apache 2.2 on Windows Server 2008 R2.
Here's how we configured it:
Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.
http://technet.microsoft.com/en-us/library/gg398069.aspx
Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.
http://httpd.apache.org/download.cgi
We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
Use the Certificates MMC on your front end server to export the certificate and include the private key.
Transfer the resultant .pfx file to your reverse proxy server.
Use OpenSSL to convert your .pfx file to PEM:
openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
Separate the private key from the certificate using notepad:
Open the new .pem file and cut the text from the beginning of the file through the end of the "-----END RSA PRIVATE KEY-----" tag.
Save that text to a new file named yourcert.key.
Save yourcert.pem, which should now only include the certificate.
Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
(See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive)
Uncomment the following lines, which will enable proxy and SSL:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Add the following lines to configure reverse proxy behavior:
#Be a reverse proxy, not a forward proxy
ProxyRequests Off
#Accept requests from any client to any URL
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
#Set the network buffer to improve throughput
ProxyReceiveBufferSize 4096
#Configure the Reverse Proxy to forward all requests to your front end server on 4443
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
#Preserve Host Headers for Lync
ProxyPreserveHost On
Optionally, configure logging directives, bindings and server name.
Save and close httpd.conf
Edit httpd-ssl.conf (typically in conf\extra):
Configure the session cache:
Uncomment:
SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
Comment out:
SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
Locate the <VirtualHost _default_:443> tag and configure the following:
Add the following directive:
SSLProxyEngine On
Configure the path to your SSL Certificate saved in step 3-5 above:
SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
Configure the path to your private key saved in step 3-5 above:
SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
Optionally, configure logging directives.
Save and close httpd-ssl.conf
Restart the Apache2.2 service
Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of the reverse proxy to talk to the front end Lync server on 8080 and 4443.
From an external connection, test connectivity through the reverse proxy:
Test https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
Test the Lync Web App by setting up an online meeting and following the URL to join the meeting.
You can force the use of the web app by appending ?sl= to the end of the meet.company.com link.
See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
Hope this information is helpful and saves some of you some money and trouble.
Please contact me if you need further clarification or see any mistakes in my notes.
Best regards,
Kenneth Walden
Enterprise Systems Supervisor
GSD&M
Austin, TX
I'd like to thank you for this article. We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product. Anyways, your blog saved me a LOT of headache. I owe you big time.
AWESOME JOB.
-Greg
*****EDIT***
Decided to come back in there and post good information. We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting. The "DIALUP" url was working fine but the "MEETING" url was broken. On our WFE servers we were getting the event error as below. Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON". Once we put that in there ALL was good.
Notice that the MEET portion was the only thing that was really broken. So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER. Look for http://10.x.x.x/meet/ or something in the event logs.
Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 11/16/2011 1:26:35 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: OneofMyInternalWFEservers.local
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/16/2011 1:26:35 PM
Event time (UTC): 11/16/2011 6:26:35 PM
Event ID: b2039ecd0a62482284030f62e1e639d8
Event sequence: 129
Event occurrence: 28
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
Trust level: Full
Application Virtual Path: /meet
Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
Machine name: MYWFE.local
Process information:
Process ID: 14204
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: HttpException
Exception message: Server cannot append header after HTTP headers have been sent.
Request information:
Request URL:
https://FQDN:4443/meet/MyName/456456
User host address: gatewayIP
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 7
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
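The walkthrough's proxy directives and the ProxyPreserveHost failure reported in the follow-up reply can be checked mechanically before Apache is restarted. The checker below is an added example, not code from either post: it scans the configuration text as one flat file (httpd.conf and httpd-ssl.conf concatenated, ignoring VirtualHost scoping), the finding names are this example's own, and both sample configurations are constructed.

```python
"""Flat check of Apache reverse-proxy directives (added example)."""

# Constructed sample: the walkthrough's directives with ProxyPreserveHost
# left out, the misconfiguration described in the follow-up reply.
CONF_NO_PRESERVE_HOST = """\
# Be a reverse proxy, not a forward proxy
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
<VirtualHost _default_:443>
SSLProxyEngine On
</VirtualHost>
"""

# Constructed sample with several mistakes at once.
CONF_BROKEN = """\
ProxyRequests On
ProxyPass /irj http://sapportal:50000/irj
ProxyPass /meet https://yourfrontend.domain.com:4443/meet
ProxyPassReverse /irj http://sapportal:50000/irj
#ProxyPassReverse /meet https://yourfrontend.domain.com:4443/meet
"""

SWITCHES = ("proxyrequests", "proxypreservehost", "sslproxyengine")


def parse_directives(conf_text):
    """Return (lowercased name, args) per directive line.

    Comments, blank lines and <Section> tags are skipped. Arguments are
    split on whitespace, which is enough for the proxy directives checked
    here (quoted paths containing spaces are not reassembled).
    """
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def check_reverse_proxy(conf_text):
    """Return a list of (code, message) findings for the given config text."""
    last = {}                      # last value seen for each On/Off switch
    passes, reverses = [], set()
    for name, args in parse_directives(conf_text):
        if name in SWITCHES and args:
            last[name] = args[0].lower()
        elif name == "proxypass" and len(args) >= 2 and args[1] != "!":
            passes.append((args[0], args[1]))
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses.add((args[0], args[1]))

    findings = []
    # ProxyRequests defaults to Off; only an explicit On opens a forward proxy.
    if last.get("proxyrequests") == "on":
        findings.append(("forward-proxy-enabled",
                         "ProxyRequests On lets clients relay to arbitrary hosts"))
    if not passes:
        return findings
    # ProxyPreserveHost defaults to Off, so the backend sees its own name
    # in the Host header unless the directive is set explicitly.
    if last.get("proxypreservehost") != "on":
        findings.append(("host-header-not-preserved",
                         "backend receives the ProxyPass hostname, not the public one"))
    for path, url in passes:
        if (path, url) not in reverses:
            findings.append(("missing-reverse-mapping",
                             "no ProxyPassReverse for %s %s" % (path, url)))
    if any(url.lower().startswith("https://") for _, url in passes) \
            and last.get("sslproxyengine") != "on":
        findings.append(("https-backend-without-sslproxyengine",
                         "https:// target needs SSLProxyEngine On"))
    return findings


def finding_codes(conf_text):
    """Convenience wrapper: just the finding codes, in report order."""
    return [code for code, _ in check_reverse_proxy(conf_text)]


if __name__ == "__main__":
    for code, message in check_reverse_proxy(CONF_BROKEN):
        print(code + ": " + message)
```

Whether a rewritten Host header matters depends on the backend; it is reported here because the Lync meet URL in this thread failed without it.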
How to set up reverse proxy to allow user access portal site from internet
Hi all,
I have installed 10g (10.1.2.0.2) AS on the same machine (single IP for both mid and infra with different users respectively). There is a DMZ on which Windows IIS is working, through which we need to redirect the request to the application server such that users access the portal page from the internet (within the intranet all URLs are working fine). I have gone through the technet documentation where I found 3 ways, through this link:
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
I am confused as to which option to use. Also I went through the metalink document 270160.1
Please help me which option to choose to do this.
Thanks.
Hi Hozy,
May be it's too late, I am thinking to go in the same route for our sap portal access to external customers. Please can you share your experience , like what are the challenges have you faced? what is the complexity? what are all the resources we need to configure this?
I appreciate your feedback.
Thanks
Krish -
Load Balancing with Reverse Proxy Plug-in in SunOne 6.1
Hello
We are configuring our reverse proxy web server SunOne 6.1 for load balancing and we have some conflicting information that we have found on the internet. The options we have found are the following:
1- In one case, it seems that all we need to do is add the destination servers to the servers parameter (quoted, space-delimited). We have read that the proxy server will simply round-robin requests.
2- In another case, we have seen that we have to use a loadbalancer.xml file with the server names and reference the file from both magnus.conf and obj.conf.
I have doubts about the second option because I really think this is configuration in 7.0 not 6.1.
Also, I need to configure session stickiness but it is not clear how this works. There is an option for sticky cookies that defaults to JSESSIONID if not configured. Does this mean that I will have session stickiness but simply without the use of cookies?
ANY HELP? We need to solve this in the next day.
Hi,
This may work for you.
obj.conf
<Object name="passthrough1">
Service fn="service-passthrough" servers="http://localhost:8080"
</Object>
<Object name="default">
AuthTrans fn="match-browser" browser="MSIE" ssl-unclean-shutdown="true"
NameTrans fn="assign-name" from="/idm(|/*)" name="passthrough1"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="D:/Sun/WebServer6.1/ns-icons" name="es-internal"
NameTrans fn="document-root" root="$docroot"
PathCheck fn="nt-uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index" index-names="intro.htm,index.html,home.html,index.jsp"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/imagemap" fn="imagemap"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD|POST)" type="~magnus-internal/" fn="send-file"
Service method="TRACE" fn="service-trace"
Error fn="error-j2ee"
AddLog fn="flex-log" name="access"
</Object>
<Object name="j2ee">
Service fn="service-j2ee" method="*"
</Object>
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
============================================
magnus.conf
# The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
# They will not be supported in future releases of the Web Server.
NetsiteRoot D:/Sun/WebServer6.1
ServerName abc
ServerID https-www.abc.com
RqThrottle 128
DNS off
Security off
ExtraPath D:/Sun/WebServer6.1/bin/https/bin
Init fn=flex-init access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%"
Init fn="load-modules" shlib="D:/Sun/WebServer6.1/bin/https/bin/j2eeplugin.dll" shlib_flags="(global|now)"
Init fn="load-modules" shlib="D:/Sun/WebServer6.1/plugins/passthrough/passthrough.dll" -
Apache reverse proxy and SSL termination
Hi Guru's
Can anyone tell me how to do SSL termination at the Apache reverse proxy? I am using the Apache reverse proxy for accessing the portal from the internet. Apache is configured for SSL and the portal is NON SSL.
I am using the header variable login module in the portal. I want to terminate SSL at the Apache reverse proxy and then all traffic after that should be clear text.
Should I maintain any property? Is there any documentation for it?
Please help me
Tom
The majority of the work here is around configuring your Web Dispatcher and Apache Reverse proxy. The work on the portal is straight forward enabling of SSL.
You can follow http://help.sap.com/saphelp_nw2004s/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm for setting this up.
what level I need to configure SSL and how do I proceed in both scenarios?
Your question itself says where you need SSL. SSL is required where ever you need HTTPS communication.
how do I proceed in both scenarios?
From a portal perspective, the configuration should remain the same.
Do I have to install SSL at portal, web dispatcher or at Apache level?
SSL needs to be configured at all the 3 levels if you are looking at end to end SSL implementation.
See the following for possible SSL implementation options:
http://help.sap.com/saphelp_nw04/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm
https://cw.sdn.sap.com/cw/docs/DOC-115509
Will SSL termination work for scenario 2?
Yes this should work - see http://help.sap.com/saphelp_nw2004s/helpdata/en/36/fd39eacf4cde4a8fe32d7f29b3db16/frameset.htm
However in case of SSL Termination, the request to your portal from the web dispatcher will be sent as HTTP.
I would recommend you to take a step by step (backward approach).
First, enable SSL on your portal and make sure it works - going directly to the server.
Then, you can introduce the Web Dispatcher - and test if every thing works going through the web dispatcher.
Finally - you can test the end to end flow - with your Reverse proxy involved.
- Shanti -
Problem with Mobile clients - Reverse proxy
Hi Guys,
I have an issue that is driving me batty. I've set up a reverse proxy and am putting my mobile clients through it. I've used the Lync connectivity analyzer which is telling me that everything is good. However I am getting an error in my mobile clients to the effect "Please check your account info and try again"
It looks like my IIS logs are showing 401 errors on the webticketservice.svc
2014-05-30 00:48:01 192.168.0.58 GET / sipuri=sip:[email protected]&X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=0b8473bc-76f4-48e6-b29d-1028dad0dc2f 443 - 24.114.103.233 ACOMO - 200 0 0 93
2014-05-30 00:48:01 192.168.0.58 GET / - 80 - 24.114.103.233 ACOMO - 406 0 0 62
2014-05-30 00:48:01 192.168.0.58 GET /autodiscover/autodiscoverservice.svc/root/user originaldomain=openjive.com&X-ARR-LOG-ID=624d5656-03de-4d23-b7be-ef1d86f986ea 443 OPENJIVE\bryan 24.114.103.233 ACOMO - 401 0 0 72
2014-05-30 00:48:01 192.168.0.58 GET /autodiscover/autodiscoverservice.svc/root/user originaldomain=openjive.com&X-ARR-LOG-ID=989d376d-f93d-4a61-a2e8-75e44a2f630e 443 OPENJIVE\bryan 24.114.103.233 ACOMO - 401 0 0 62
2014-05-30 00:48:01 192.168.0.58 POST /webticket/webticketservice.svc/mex X-ARR-LOG-ID=96ab4698-b8bc-4ff6-829f-60bdd7e9d64e 443 OPENJIVE\bryan 24.114.103.233 ACOMO - 200 0 0 209
2014-05-30 00:48:01 192.168.0.58 POST /webticket/webticketservice.svc X-ARR-LOG-ID=6884e7ec-01fa-4014-96ec-1e891fbb1c7e 443 OPENJIVE\bryan 24.114.103.233 ACOMO - 401 0 0 116
2014-05-30 00:48:03 192.168.0.58 POST /webticket/webticketservice.svc X-ARR-LOG-ID=c4f2790c-983a-4d4f-b647-dc0c30d2335d 443 OPENJIVE\bryan 24.114.103.233 ACOMO - 401 0 0 84
Any ideas would be appreciated. I am running Windows 2012 R2 across the board. The reverse proxy is IIS 8.5 with ARR 3.
Here are the connectivity analyzer results.
Sending HTTP request to
https://lyncdiscover.openjive.com/[email protected]
Logging test parameters:
SIP Uri: [email protected]
User Name: openjive\bryan
Discovery Type: Automatic Discovery
Network access: NetworkAccessExternal
Selected client: ApplicationLyncMobile2013
Starting Lync server autodiscovery
Please wait; this test may take several minutes to complete...
Starting automatic discovery for secure (HTTPS) internal channel
lyncdiscoverinternal.openjive.com can't be resolved by the DNS server. Skipping internal discovery.
Starting automatic discovery for secure (HTTPS) external channel
Cookie found in autodiscover response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Pragma: no-cache
X-MS-Server-Fqdn: banff.openjive.local
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Fri, 30 May 2014 00:49:45 GMT
Content-Length: 1049
Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
Expires: -1
Parsing the response for URL
https://lyncdiscover.openjive.com/[email protected]. Full response: <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AccessLocation="External"><Root><Link token="Domain" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/domain?originalDomain=openjive.com"
/><Link token="User" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=openjive.com"
/><Link token="Self" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=openjive.com" /><Link
token="OAuth" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=openjive.com" /><Link
token="External/XFrame" href="https://lyncweb.openjive.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://banff.openjive.local/Autodiscover/XFrame/XFrame.html"
/><Link token="XFrame" href="https://lyncweb.openjive.com/Autodiscover/XFrame/XFrame.html" /></Root></AutodiscoverResponse>
Autodiscover URL
https://lyncdiscover.openjive.com/[email protected] redirected to
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=openjive.com
Sending HTTP request to
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
Cookie found in autodiscover response: StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
X-MS-WebTicketURL:
https://lyncweb.openjive.com/WebTicket/WebTicketService.svc
X-MS-WebTicketSupported: cwt,saml
X-MS-Server-Fqdn: banff.openjive.local
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Fri, 30 May 2014 00:49:45 GMT
Content-Length: 1293
Content-Type: text/html
Authorization required for
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
Obtaining WebTicket from
https://lyncweb.openjive.com/WebTicket/WebTicketService.svc
On-premises WebTicket server:
https://lyncweb.openjive.com/WebTicket/WebTicketService.svc/Auth
AcquireTicketAsync succeeded for
https://lyncweb.openjive.com/WebTicket/WebTicketService.svc/Auth
Sending HTTP request to
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
Cookie found in autodiscover response: StatusCode: 200, ReasonPhrase: 'OK', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Pragma: no-cache
X-MS-Server-Fqdn: banff.openjive.local
X-Content-Type-Options: nosniff
Cache-Control: no-cache
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Fri, 30 May 2014 00:49:45 GMT
Content-Length: 2111
Content-Type: application/vnd.microsoft.rtc.autodiscover+xml; v=1
Expires: -1
Parsing the response for URL
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/[email protected]. Full response: <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External"><User><SipServerInternalAccess fqdn="banff.openjive.local" port="5061" /><SipClientInternalAccess fqdn="banff.openjive.local"
port="5061" /><SipServerExternalAccess fqdn="lyncedge.openjive.com" port="5061" /><SipClientExternalAccess fqdn="lyncedge.openjive.com" port="5061" /><Link token="Internal/Autodiscover" href="https://banff.openjive.local/Autodiscover/AutodiscoverService.svc/root"
/><Link token="Internal/AuthBroker" href="https://banff.openjive.local/Reach/sip.svc" /><Link token="Internal/WebScheduler" href="https://banff.openjive.local/Scheduler"
/><Link token="Internal/CertProvisioning" href="https://banff.openjive.local/CertProv/CertProvisioningService.svc" /><Link token="External/Autodiscover" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root"
/><Link token="External/AuthBroker" href="https://lyncweb.openjive.com/Reach/sip.svc" /><Link token="External/WebScheduler" href="https://lyncweb.openjive.com/Scheduler"
/><Link token="External/CertProvisioning" href="https://lyncweb.openjive.com/CertProv/CertProvisioningService.svc" /><Link token="Internal/Mcx" href="https://lyncweb.openjive.com/Mcx/McxService.svc"
/><Link token="External/Mcx" href="https://lyncweb.openjive.com/Mcx/McxService.svc" /><Link token="Ucwa" href="https://lyncweb.openjive.com/ucwa/v1/applications"
/><Link token="Internal/Ucwa" href="https://banff.openjive.local/ucwa/v1/applications" /><Link token="External/Ucwa" href="https://lyncweb.openjive.com/ucwa/v1/applications"
/><Link token="External/XFrame" href="https://lyncweb.openjive.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://banff.openjive.local/Autodiscover/XFrame/XFrame.html"
/><Link token="XFrame" href="https://lyncweb.openjive.com/Autodiscover/XFrame/XFrame.html" /><Link token="Self" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/user"
/></User></AutodiscoverResponse>
Server discovery has completed for https://lyncdiscover.openjive.com/.
Autodiscover full response for URL https://lyncdiscover.openjive.com/ is <?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AccessLocation="External"><User><SipServerInternalAccess fqdn="banff.openjive.local" port="5061" /><SipClientInternalAccess fqdn="banff.openjive.local"
port="5061" /><SipServerExternalAccess fqdn="lyncedge.openjive.com" port="5061" /><SipClientExternalAccess fqdn="lyncedge.openjive.com" port="5061" /><Link token="Internal/Autodiscover" href="https://banff.openjive.local/Autodiscover/AutodiscoverService.svc/root"
/><Link token="Internal/AuthBroker" href="https://banff.openjive.local/Reach/sip.svc" /><Link token="Internal/WebScheduler" href="https://banff.openjive.local/Scheduler"
/><Link token="Internal/CertProvisioning" href="https://banff.openjive.local/CertProv/CertProvisioningService.svc" /><Link token="External/Autodiscover" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root"
/><Link token="External/AuthBroker" href="https://lyncweb.openjive.com/Reach/sip.svc" /><Link token="External/WebScheduler" href="https://lyncweb.openjive.com/Scheduler"
/><Link token="External/CertProvisioning" href="https://lyncweb.openjive.com/CertProv/CertProvisioningService.svc" /><Link token="Internal/Mcx" href="https://lyncweb.openjive.com/Mcx/McxService.svc"
/><Link token="External/Mcx" href="https://lyncweb.openjive.com/Mcx/McxService.svc" /><Link token="Ucwa" href="https://lyncweb.openjive.com/ucwa/v1/applications"
/><Link token="Internal/Ucwa" href="https://banff.openjive.local/ucwa/v1/applications" /><Link token="External/Ucwa" href="https://lyncweb.openjive.com/ucwa/v1/applications"
/><Link token="External/XFrame" href="https://lyncweb.openjive.com/Autodiscover/XFrame/XFrame.html" /><Link token="Internal/XFrame" href="https://banff.openjive.local/Autodiscover/XFrame/XFrame.html"
/><Link token="XFrame" href="https://lyncweb.openjive.com/Autodiscover/XFrame/XFrame.html" /><Link token="Self" href="https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/user"
/></User></AutodiscoverResponse>
SendRequest failed for
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root/[email protected]
Automatic discovery results for https://lyncdiscover.openjive.com/
Access Location : External
SIP Server Internal Access : banff.openjive.local
SIP Server External Access : lyncedge.openjive.com
SIP Client Internal Access : banff.openjive.local
SIP Client External Access : lyncedge.openjive.com
Internal Auth broker service :
https://banff.openjive.local/Reach/sip.svc
External Auth broker service :
https://lyncweb.openjive.com/Reach/sip.svc
Internal Auto discover service :
https://banff.openjive.local/Autodiscover/AutodiscoverService.svc/root
External Auto discover service :
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root
Internal MCX service :
https://lyncweb.openjive.com/Mcx/McxService.svc
External MCX service :
https://lyncweb.openjive.com/Mcx/McxService.svc
Internal UCWA service :
https://banff.openjive.local/ucwa/v1/applications
External UCWA service :
https://lyncweb.openjive.com/ucwa/v1/applications
Internal Webscheduler service :
https://banff.openjive.local/Scheduler
External Webscheduler service :
https://lyncweb.openjive.com/Scheduler
Total server discovery time: 1.1 seconds
Server discovery succeeded for secure (HTTPS) external channel against URL
https://lyncdiscover.openjive.com/
Starting automatic discovery for unsecure (HTTP) external channel
Sending HTTP request to
http://lyncdiscover.openjive.com/[email protected]
Cookie found in autodiscover response: StatusCode: 406, ReasonPhrase: 'Not Acceptable', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
Date: Fri, 30 May 2014 00:49:45 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Content-Length: 1346
Content-Type: text/html
Autodiscover: SendRequest(): the URL
http://lyncdiscover.openjive.com/[email protected] couldn't be connected. Complete HTTP headers:\r\n Date: Fri, 30 May 2014 00:49:45 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Couldn't connect to URL
http://lyncdiscover.openjive.com/[email protected] (HTTP status code NotAcceptable)
System.Exception: Couldn't connect to URL
http://lyncdiscover.openjive.com/[email protected] (HTTP status code NotAcceptable)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.TerminateAD(String mesg)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendRequest>d__d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<TryNextUrl>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<StartDiscoveryJourney>d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at LyncConnectivityAnalyzerCore.Utilities.<RetrieveUserLocation>d__3e.MoveNext()
Server discovery failed for unsecured external channel against
http://lyncdiscover.openjive.com/
None, AutoInternalDNSFail, AutoInternalSecureD, AutoInternalUnsecureD, AutoExternalUnsecureD, ManualDNSFail, ManualSecureD, ManualUnsecureD, AuthBrokerInternalLMXCheckGET, AuthBrokerInternalLMXCheckPOST, AuthBrokerExternalLMXCheckGET, AuthBrokerExternalLMXCheckPOST,
MobilityMCXInternalLMXCheckGET, MobilityMCXInternalLMXCheckPOST, MobilityMCXExternalLMXCheckGET, MobilityMCXExternalLMXCheckPOST, LMXSIPServerInternalDNS, LMXSIPServerExternalDNS, MobilityUCWAInternalCheckPOST, MobilityUCWAExternalCheckPOST
Starting the requirement tests for Lync Mobile 2013 App
Please wait; this test may take several minutes to complete...
Testing the app requirements using the following discovery response:
Access Location : External
SIP Server Internal Access : banff.openjive.local
SIP Server External Access : lyncedge.openjive.com
SIP Client Internal Access : banff.openjive.local
SIP Client External Access : lyncedge.openjive.com
Internal Auth broker service :
https://banff.openjive.local/Reach/sip.svc
External Auth broker service :
https://lyncweb.openjive.com/Reach/sip.svc
Internal Auto discover service :
https://banff.openjive.local/Autodiscover/AutodiscoverService.svc/root
External Auto discover service :
https://lyncweb.openjive.com/Autodiscover/AutodiscoverService.svc/root
Internal MCX service :
https://lyncweb.openjive.com/Mcx/McxService.svc
External MCX service :
https://lyncweb.openjive.com/Mcx/McxService.svc
Internal UCWA service :
https://banff.openjive.local/ucwa/v1/applications
External UCWA service :
https://lyncweb.openjive.com/ucwa/v1/applications
Internal Webscheduler service :
https://banff.openjive.local/Scheduler
External Webscheduler service :
https://lyncweb.openjive.com/Scheduler
Starting tests for Mobility (UCWA) service
UCWA user agent string: <input xmlns="http://schemas.microsoft.com/rtc/2012/03/ucwa"><property name="culture">en-US</property><property name="endpointId">44:D8:84:3C:68:68</property><property name="type">Phone</property><property name="userAgent">LyncConnectivityAnalyzer/5.0.8308.582 (Windows OS 6.0)</property></input>
Verifying external Ucwa service:
https://lyncweb.openjive.com/ucwa/v1/applications
On-premises WebTicket server:
https://lyncweb.openjive.com/WebTicket/WebTicketService.svc/Auth
AcquireTicketAsync succeeded for
https://lyncweb.openjive.com/WebTicket/WebTicketService.svc/Auth
Successfully created the UCWA service
Completed tests for Mobility (UCWA) service
None, AutoInternalDNSFail, AutoInternalSecureD, AutoInternalUnsecureD, AutoExternalUnsecureD, ManualDNSFail, ManualSecureD, ManualUnsecureD, AuthBrokerInternalLMXCheckGET, AuthBrokerInternalLMXCheckPOST, AuthBrokerExternalLMXCheckGET, AuthBrokerExternalLMXCheckPOST,
MobilityMCXInternalLMXCheckGET, MobilityMCXInternalLMXCheckPOST, MobilityMCXExternalLMXCheckGET, MobilityMCXExternalLMXCheckPOST, LMXSIPServerInternalDNS, LMXSIPServerExternalDNS, MobilityUCWAInternalCheckPOST
Your deployment meets the minimum requirements for Lync Mobile 2013 App. -
ACE behind Reverse Proxy - performance issue
Hi,
I've got a config working to accommodate the required use of reverse proxy servers in front of my application servers. Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing. The use of the RPs appears to require using the persistence-rebalance option; otherwise the traffic gets stuck to the wrong app server. The app functions perfectly with this config; however, there is a severe performance impact. Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers.
Question: Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact?
Relevant Config for both ACE's here:
!!Front ACE
parameter-map type http HTTP_REBAL
  persistence-rebalance
  length-exceed continue
sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
  timeout 60
  replicate sticky
  serverfarm ALPHA
policy-map type loadbalance first-match vip-R1A-ALPHA
  class class-default
    sticky-serverfarm ALPHA-SRCIP-sticky
    insert-http SRCIP header-value "%is"
policy-map multi-match PREP-VIP
  class VIP-ALPHA-R1A
    loadbalance vip inservice
    loadbalance policy vip-R1A-ALPHA
    appl-parameter http advanced-options HTTP_REBAL
    ssl-proxy server SSL_ALPHA_R1A
!!Back ACE
parameter-map type http HTTP_REBAL
  persistence-rebalance
  length-exceed continue
sticky http-header SRCIP ALPHA-SRCIP-sticky
  timeout 60
  replicate sticky
  serverfarm coresoms-ALPHAfarm
class-map type http loadbalance match-all SRCIP-MAP
  2 match http header SRCIP header-value ".*"
policy-map type loadbalance first-match vip-lb-ALPHA
  class SRCIP-MAP
    sticky-serverfarm ALPHA-SRCIP-sticky
policy-map multi-match lb-vip
  class VIP-ALPHA
    loadbalance vip inservice
    loadbalance policy vip-lb-ALPHA
    appl-parameter http advanced-options HTTP_REBAL
Hi Joseph,
To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
I have one possible theory for your issue.
The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPUs (normally to inspect/modify the L7 data), while, in the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
For an L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done, it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, in an Internet environment, can introduce around 100-200ms of delay for each HTTP request, which can end up adding up to a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
From what you described, I assume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure connections are always kept proxied. To do this, you would need to configure a parameter map like the one below and add it to your VIP.
parameter-map type connection
  set tcp wan-optimization rtt 0
Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
I hope this helps
Daniel
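Added example, not part of the thread and not ACE code: a toy Python model of the back-tier decision discussed above, showing why header-based stickiness behind connection-pooling reverse proxies needs a per-request (persistence-rebalance style) decision. All names (`BackLB`, `front_insert`, `simulate`), the server names and the traffic are constructed, and overwriting a client-supplied SRCIP at the front tier is an assumption of this model, included because the back tier keys on that header.

```python
# Toy model only: hypothetical names, constructed traffic, not ACE internals.

SERVERS = ["app1", "app2", "app3"]  # constructed server farm


def front_insert(peer_ip, headers):
    """Front tier: set SRCIP from the TCP peer address.

    Model assumption: any SRCIP sent by the client is dropped first, so the
    back tier only ever keys on a value the front tier wrote.
    """
    clean = {k: v for k, v in headers.items() if k.upper() != "SRCIP"}
    clean["SRCIP"] = peer_ip
    return clean


class BackLB:
    """Back tier: sticky table keyed on the SRCIP header value."""

    def __init__(self, servers, rebalance):
        self.servers = servers
        self.rebalance = rebalance  # True models a per-request L7 decision
        self.sticky = {}            # SRCIP value -> server
        self.conn_server = {}       # proxy->LB connection id -> server
        self._next = 0

    def _sticky_lookup(self, srcip):
        if srcip not in self.sticky:
            self.sticky[srcip] = self.servers[self._next % len(self.servers)]
            self._next += 1
        return self.sticky[srcip]

    def route(self, conn_id, headers):
        # Without rebalance, only the first request on a connection is
        # inspected; later requests follow the connection's server.
        if self.rebalance or conn_id not in self.conn_server:
            self.conn_server[conn_id] = self._sticky_lookup(headers["SRCIP"])
        return self.conn_server[conn_id]


def simulate(rebalance):
    """Return {client_ip: set of servers that client's requests reached}."""
    lb = BackLB(SERVERS, rebalance)
    # Constructed traffic: the reverse proxies pool connections, so requests
    # from different clients share one proxy->LB connection.
    traffic = [
        ("10.0.0.1", "rp1-conn1"),
        ("10.0.0.2", "rp1-conn1"),
        ("10.0.0.3", "rp1-conn1"),
        ("10.0.0.2", "rp2-conn1"),
        ("10.0.0.1", "rp2-conn1"),
        ("10.0.0.3", "rp2-conn1"),
    ]
    seen = {}
    for client, conn in traffic:
        server = lb.route(conn, front_insert(client, {}))
        seen.setdefault(client, set()).add(server)
    return seen


if __name__ == "__main__":
    for mode in (True, False):
        print("rebalance =", mode, simulate(mode))
```

With the per-request decision each client stays on one server; without it, every client in the constructed traffic reaches two servers, which matches the "stuck to the wrong app server" symptom in the question.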