SJSWS 7.0 Reverse Proxy Issue

Hi,
I am new here as well as to SJSWS.
We are migrating an Apache reverse proxy to SJSWS 7.0 due to some organisational decisions.
My current RP configuration in Apache on computer1 is as follows and this works great:
<IfModule mod_proxy.c>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyRequests Off
<Location /abc>
Order deny,allow
Allow from all
ProxyPass http://computer2/portal
ProxyPassReverse http://computer2/portal
ProxyPassReverseCookiePath /abc /portal
</Location>
</IfModule>
I am trying to configure the same on SJSWS as follows in <vs>-obj.conf :
<Object name="default">
NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="http:/portal"
<Object ppath="http:">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server=http://computer2
</Object>
The above config is not working, and from the server logs on computer1 I can see that the subsequent GET requests are failing with example outputs as below:
[02/Jun/2010:12:09:05] warning (28415): for host xx.xx.xx.xx trying to GET /*xyz*/images/yyy.gif;jsessionid=A2ED385AC9971ED4C4B8D8852F8AE392, send-file reports: HTTP4142: can't find /opt/app/sun/webserver7/https-computer1/docs/*xyz*/images/yyy.gif (File not found)
Seems like the origin server is redirecting to different directories within itself which my reverse proxy config in SJSWS is not able to handle.
Any inputs on what would be the equivalent configuration on SJSWS 7.0 for the config which is working flawlessly on Apache?
Edited by: esselle on Jun 1, 2010 8:14 PM
Edited by: esselle on Jun 1, 2010 8:15 PM

Hi,
The following seems to be working for me (configured on computer1):
NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="http:/portal"
<Object ppath="http:*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server="http://computer2"
</Object>
It seems that you have <Object ppath="http:"> instead of <Object ppath="http:*">. Other than that, I can't see anything wrong with your setup.
If the above setup does not work:
Where did you get xyz from in GET /*xyz*/images/yyy.gif;jsessionid=A2E? Could you provide the access logs on both computer1 and computer2?

Similar Messages

  • IDM 6.1 Reverse Proxy issue

    I would like to get some suggestions on our Reverse Proxy setup for IDM.
    We have an instance of IDM running at our company and tried to turn on access to users outside of the company using Reverse Proxy and ran into an issue:
    Connecting via the external url returns a page with the base href set to an internal URL
    To resolve we did the following:
    Currently our internal users get to the IDM server via
    https://xxx.internal.com/idm/
    External users access the IDM server via the Reverse Proxy server and
    https://zzz.company.com/idm/
    We Modified:
    Waveset.properties
    Original:
    ui.web.baseHrefURL=
    updated to:
    ui.web.baseHrefURL=https://zzz.company.com/idm/
    With ui.web.baseHrefURL=https://zzz.company.com/idm/ setup, I was able to access IDM from the internet and everything looked good. But that means that when an internal user uses the https://xxx.internal.com/idm/ link it is translated to https://zzz.company.com/idm/ so I think that means that the internal requests are going to be routed to the internet and then back to the internal user.
    Is this the wrong way to set up Reverse Proxy? Any suggestions are greatly appreciated.

    In a word, don't. The content at /some/path will still think it's deployed at /some/path. Any HTML links, images, or redirects it returns will point to the wrong place when a web browser accesses the content as /VIRTUAL_DIR/some/path.
    If you want to access the content as /VIRTUAL_DIR/some/path on the frontend, why not deploy it as /VIRTUAL_DIR/some/path on the backend?

  • Windows Integrated Authentication with reverse proxy issue with Safari

    Hi All
    I have an application which has Windows Integrated Authentication. For Internet users we have a reverse proxy which has an IIS server which will authenticate using basic authentication and then redirect to the actual application. Everything works as expected in IE and Firefox, but in Safari a second login dialog box appears. When I did a packet capture using Wireshark I noticed that in IE and FF the basic authentication is carried forward to the actual application from the IIS server, but in Safari there is an NTLM negotiation in between because there is a 401 response, so my application asks for one more login dialog. Does anyone know why Safari is behaving like this?
    Thanks & Regards
    Karthikeyan Vaithilingam

    I found a related post https://discussions.apple.com/thread/3274071?start=0&tstart=0. There is an issue with basic authentication and Http Redirect.

  • SJSWS 7 u4 reverse proxy setup with client ip forwarding

    Hi,
    I am trying to set up a reverse proxy to glassfish enterprise 2.1 so that it will pass on the client ip address.
    I have added this line to my obj.conf file:
    ObjectType fn="forward-ip" hdr="Client-ip"
    Entire obj.conf below:
    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    NameTrans fn="pfx2dir" from="/mc-icons" dir="/usr/webserver7/lib/icons" name="es-internal"
    NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
    PathCheck fn="uri-clean"
    PathCheck fn="check-acl" acl="default"
    PathCheck fn="find-pathinfo"
    PathCheck fn="find-index-j2ee"
    PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
    ObjectType fn="forward-ip" hdr="Client-ip"
    ObjectType fn="type-j2ee"
    ObjectType fn="type-by-extension"
    ObjectType fn="force-type" type="text/plain"
    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    Service method="TRACE" fn="service-trace"
    Error fn="error-j2ee"
    AddLog fn="flex-log"
    </Object>
    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>
    <Object name="es-internal">
    PathCheck fn="check-acl" acl="es-internal"
    </Object>
    And have added this property to both of the glassfish http-listeners:
    authPassthroughEnabled=true
    However, when I use this piece of code:
    System.out.println(FacesContext.getCurrentInstance().getExternalContext().getRequest().getRemoteAddr())
    I see this in my glassfish logs
    [#|2009-03-26T17:32:47.457+1300|WARNING|sun-appserver2.1|org.apache.coyote.tomcat5.CoyoteRequest|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8181-2;_RequestID=11ab6ecf-254c-4255-98d3-48856ab99b61;|PWC4013: Unable to determine client remote address from proxy (returns null)|#]
    [#|2009-03-26T17:32:47.457+1300|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8181-2;|
    127.0.1.1 ip address|#]
    There are no messages in the webserver logs
    Can anybody see something that I am doing wrong?
    Thanks in advance for your help,
    Gareth

    If Admin server shows it's enabled, then it is enabled.
    You can add forward-ip line in obj.conf manually and restart the server just to be sure.
    Look at http://forums.sun.com/thread.jspa?threadID=5344683. It says (in glassfish)
    "Add this property to all <http-listener> elements in your domain.xml:
    <property name="authPassthroughEnabled" value="true"/>"
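Added example, not code from the thread or from either product: how a backend can decide which client address to act on when a reverse proxy forwards it in a header such as the `Client-ip` header set by the forward-ip line above, using the header only when the TCP peer is the proxy itself. The trusted proxy address 127.0.1.1 is taken from the log output in the question and assumed to be the web server; the function names, reason strings and sample requests are constructed.

```python
import ipaddress

# Assumption: 127.0.1.1 (the address printed in the question's log) is the web
# server acting as reverse proxy, and it is the only peer allowed to assert a
# client address. All other addresses below are constructed documentation IPs.
TRUSTED_PROXIES = (ipaddress.ip_network("127.0.1.1/32"),)
FORWARD_HEADER = "client-ip"  # hdr value from the forward-ip line, lower-cased


def effective_client_ip(peer_addr, headers,
                        trusted=TRUSTED_PROXIES, header=FORWARD_HEADER):
    """Return (address, reason) for one request.

    peer_addr: TCP peer address as a string (what getRemoteAddr() reports
               when no proxy handling is applied).
    headers:   list of (name, value) pairs, so duplicate headers stay visible.
    """
    peer = ipaddress.ip_address(peer_addr)
    values = [v.strip() for n, v in headers if n.lower() == header]

    if not any(peer in net for net in trusted):
        # Direct connection: the header is client-controlled, never use it.
        reason = "untrusted-peer-header-ignored" if values else "direct"
        return str(peer), reason

    if not values:
        # The proxy did not forward an address; only the proxy's own is known.
        return str(peer), "proxy-sent-no-header"

    if len(values) > 1 or "," in values[0]:
        # More than one claimed address: a copy sent by the client may have
        # survived the proxy, so none of the values can be relied on.
        return str(peer), "ambiguous-header"

    try:
        claimed = ipaddress.ip_address(values[0])
    except ValueError:
        return str(peer), "malformed-header"
    return str(claimed), "forwarded"


# Constructed sample requests: (TCP peer, request headers).
SAMPLE_REQUESTS = [
    ("127.0.1.1", [("Host", "app.example"), ("Client-ip", "203.0.113.7")]),
    ("127.0.1.1", [("Host", "app.example")]),
    ("198.51.100.23", [("Client-ip", "10.0.0.1")]),
    ("127.0.1.1", [("Client-ip", "10.0.0.1"), ("Client-ip", "203.0.113.7")]),
    ("127.0.1.1", [("Client-ip", "not-an-ip")]),
]


def audit(requests=SAMPLE_REQUESTS):
    """Resolve every sample request and return the list of (address, reason)."""
    return [effective_client_ip(peer, hdrs) for peer, hdrs in requests]


if __name__ == "__main__":
    for (peer, _), (addr, reason) in zip(SAMPLE_REQUESTS, audit()):
        print(f"peer={peer:<15} client={addr:<15} {reason}")
```

Logging the reason next to the resolved address makes it visible in the backend's logs when a header arrives from a peer that is not the proxy.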

  • Reverse Proxy issue for domain name

    Hi All,
    We are in the process of implementing a reverse proxy to the SAP Portal and web dispatcher.
    We have given all rewrite rules accordingly. The public IP also resolves the domain name.
    Our domain is etender-aai.aero.
    When we give the rewrite rule with the public IP, the reverse proxy works fine.
    But when we give etender-aai.aero in the rewrite rule, it's not working.
    Please help me with this.
    Thanks & Regards,
    Sreekanth

    Hi,
    If you want help, you'll have to explain clearly what is your configuration and what you want to achieve.
    I'm sorry to tell you that I absolutely did not understand anything about your problem....
    Do you try to publish your SAP Portal externally on the internet?
    Do you use the web dispatcher as a reverse proxy? Or do you add another reverse proxy (like Apache) in front of the web dispatcher?
    Regards,
    Olivier

  • OAM- Apache Reverse Proxy issue when Form Authentication is used

    Hi All,
    Customer is using Apache 2.0.65 as a reverse proxy server. OAM has been integrated with OAS. A WebGate has been installed on OHS in infra.
    When a protected resource (portal) is accessed, a login form appears. After entering the correct credentials, it does not go to the resource; instead it displays some Header Variables in the browser, instead of the actual resource.
    This happens only when a resource is protected with Form Authentication Scheme and while using with reverse proxy. The same Form Authentication scheme works without reverse proxy. With Basic LDAP Authentication, the same resource perfectly works even when reverse proxy is used.
    Any suggestions?
    Thanks in advance.
    Regards,
    Amol

    Hi Amol,
    Check the passthrough parameter in your form scheme. If this is set to yes, what you are asking OAM to do is to pass through to the form action instead of the URL the user originally requested. I know this still does not explain why things work when the reverse proxy is not used - but it might make sense if you actually have 2 form schemes and when you access the resource via the reverse proxy, the policy domain/policy in question actually invokes the scheme which has passthrough enabled. You could ascertain this via the access tester by trying the reverse-proxied URL and direct URL.
    -Vinod

  • Apache Reverse proxy issue

    Dear all,
    I am in the process of implementing SRM portal as an external facing portal.
    The scenario is LB-> Apache-> SAP Portal-> SRM
    I am terminating the SSL on the LB itself and the rest of the backend applications are accessed via http.
    Most of the applications are accessed using the ReWrite Rules in Apache, but the Technical RFx is not giving a pop-up to open in a new window. On the contrary, the same set up without the certificate on the LB, the scenario on http works fine.
    This is a copy of the http.conf file I am using. Could you please guide, if I am missing something.
    <VirtualHost *:80>
        ServerAdmin webmaster@MDCLINUXVIRT
        ServerName etender.abc.co.in
        DocumentRoot /var/www/html/irjq
        ProxyRequests Off
        ProxyPreserveHost On
        RequestHeader set ClientProtocol https
        RewriteEngine On
        RewriteRule ^/(.*)$ http://portal.abcdev.com:50000/$1 [P,NC,L]
    #    RewriteCond %{HTTP_HOST} ^.*?portal.abcdev.com:50000.*
    #    RewriteRule ^/(.*) http://etender.abc.co.in/$1?%{QUERY_STRING} [P,L]
          ProxyPass /irj http://portal.abcdev.com:50000/irj
        ProxyPassReverse /irj http://portal.abcdev.com:50000/irj
    </VirtualHost>
    <VirtualHost *:8000>
        ServerAdmin webmaster@MDCLINUXVIRT
        ServerName etendersrm.abc.co.in
        DocumentRoot /var/www/html/srmq
        ProxyRequests Off
        ProxyPreserveHost On
        RewriteEngine On
        RequestHeader set ClientProtocol http
        RewriteRule ^/(sap\(.*)$ http://srm.abcdev.com:8000/$1 [P,NC,L]
        ProxyPass /sap http://srm.abcdev.com:8000/sap
        ProxyPassReverse /sap http://srm.abcdev.com:8000/sap
        ProxyPass /sap/bc/webdynpro http://srm.abcdev.com:8000/sap/bc/webdynpro
        ProxyPassReverse /sap/bc/webdynpro http://srm.abcdev.com:8000/sap/bc/webdynpro
        </VirtualHost>
    Regards,
    SK

    Hi,
    Maybe this helps you:
    RewriteRule ^/(irj*) http://internalportal.com:50000/
    RewriteRule ^/(irj*) http://internalportal.com:50000/$1?User=%{LA-U:REMOTE_USER} [P]
    ProxyPass /irj http://internalportal.com:50000/irj
    ProxyPassReverse /irj http://internalportal.com:50000/irj
    Best Regards,
    Jakub Krecicki

  • Solution: iPad/iPhone Login issues with IIS as Reverse Proxy (Android and Windows Phone works)

    Hi,
    I had issues with iPad/iPhone access from external and tried a lot. Now I found my solution I like to share.
    I set up an IIS on Windows Server 2012 with ARR 2.5 and Android and Windows Phone could login but not iPad and iPhone.
    The IIS Log on the reverse proxy showed:
    2013-02-26 12:03:31 <IP> POST /webticket/webticketservice.svc X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=1996c8d7-09d0-4310-8da4-a8dfb7940e28 443 - <ClientIP> Lync%202010/1.6+CFNetwork/609+Darwin/13.0.0 - 401 0 0 124
    2013-02-26 12:03:31 <IP> POST /webticket/webticketservice.svc X-ARR-CACHE-HIT=0 443 - <ClientIP> Lync%202010/1.6+CFNetwork/609+Darwin/13.0.0 - 502 3 12018 93
    First Request gets a 401 while anonymous. Second try would be with authentication but it never reached the internal front end server.
    After I installed a fix for ARR
    http://forums.iis.net/t/1195560.aspx/1?ARR+502+3+Bad+Gateway+0x80072ef2+2147954418+The+supplied+handle+is+the+wrong+type+for+the+requested+operation the Apple Devices could login.

    Hi,
    This resolved our problem too!! So happy after 2 weeks of messing around with just about every setting recommended from all types of forums and rebuilding our reverse proxy I was at a loose end. 
    Our environment is Lync 2013 Enterprise, Lync 2013 Edge, IIS as Reverse Proxy on Server 2012 using ARR 2.5
    We had Android and Windows clients working but no iOS devices at all. In the iOS log we were seeing 
    <h1>Server Error</h1></div><div id="content"> <div class="content-container"><fieldset> <h2>502 - Web server received an invalid response while acting as a gateway or proxy server.</h2> <h3>There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.</h3> </fieldset></div></div></body></html>
    When the client was trying to retrieve from the webticketservice.svc
    2013-04-11 17:19:44.659 Lync[4970:6c61000] INFO TRANSPORT TransportUtilityFunctions.cpp/907:<ReceivedResponse>
    POST https://lyncwebext.contoso.com/webticket/webticketservice.svc
    Request Id: 0x72cfc18
    HttpHeader:Content-Length 1477
    HttpHeader:Content-Type text/html
    HttpHeader:Date Thu, 11 Apr 2013 16:22:25 GMT
    HttpHeader:Server Microsoft-IIS/8.0
    HttpHeader:StatusCode 502
    Installed the HotFix from here:-
    Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64)
    Rebooted the Reverse Proxy and iOS clients worked straight away for both Lync 2010 and Lync 2013 on both iPhone 5 and iPad.
    I hope this helps others as I was losing the plot :-)
    Cheers
    Sam

  • Printing Issue from ITS with a Reverse Proxy Configured

    Hi experts,
    We have an enterprise portal landscape which  can be accessed from the internet. The URLs are mapped using apache server as a reverse proxy. Also, we have configured the reverse proxy settings for accessing R/3 systems.
    When the users try to take the print out from the ITS Web GUI accessed through the enterprise portal, the page redirects itself to an only internally resolvable host name of the R/3 ITS.
    Due to this issue, users are not able to take prints from internet.
    I would like to know if there is any way by which i can change this to my externally resolvable reverse proxy host address, which in turn can be mapped internally to the original host name at the reverse proxy level.
    Can any one help me out in this?
    Thanks a lot
    Shobin

    Hi Shobin,
    SAP note 1145306 might provide some help about directives to be used.
    Regards,
    Dieter

  • ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue

    Hi All,
    I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
    The customer wants the following:
    They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
    So that all traffic goes through that server, that server then forwards the request to the original serverfarm.
    The problem in my design is in the fail-over: if I configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
    I could give the original serverfarm's rservers a 'backup standby' server but that won't give the desired effect either.
    For maintenance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there were operational servers left in the farm.
    The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
    Anyone have an idea how to build this?

    Hi,
    It needs additional testing, but as per my understanding if you put the backup in this order then the last backup server will be chosen first.
    In your case it will be like "RSERVER1 >> backup sorry server >> backup web content".
    As per the below example:
    I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
    serverfarm host 1313-GIN-GWAP-SDC-80
      rserver RSERVER1
        backup-rserver test1
        inservice
      rserver test1
        inservice standby
      rserver test2
        inservice standby
    regards,
    Ajay Kumar

  • ACE behind Reverse Proxy - performance issue

    Hi,
      I've got a config working to accommodate the required use of reverse proxy servers in front of my application servers. Traffic comes into the Front ACE and I insert a header "SRCIP" with the original client IP address, which is preserved through the Rev Proxy servers and is then inspected on the Back ACE to create a sticky to a given application server/SRCIP pairing. The use of the RPs appears to require using the persistence-rebalance option, otherwise the traffic gets stuck to the wrong app server. The app functions perfectly with this config; however, there is a severe performance impact. Using load-runner, we see response times go from 1.5 seconds to 16 seconds for the same transactions comparing this config to a previous config which used static sticky to bind the RP to the app servers.
    Question:  Is there a better way to do this and remain dynamic, or some way to optimize this approach to reduce the performance impact.
    Relevant Config for both ACE's here:
    !!Front ACE
    parameter-map type http HTTP_REBAL
      persistence-rebalance
      length-exceed continue
    sticky ip-netmask 255.255.255.255 address source ALPHA-SRCIP-sticky
      timeout 60
      replicate sticky
      serverfarm ALPHA
    policy-map type loadbalance first-match vip-R1A-ALPHA
      class class-default
        sticky-serverfarm ALPHA-SRCIP-sticky
        insert-http SRCIP header-value "%is"
    policy-map multi-match PREP-VIP
      class VIP-ALPHA-R1A
        loadbalance vip inservice
        loadbalance policy vip-R1A-ALPHA
        appl-parameter http advanced-options HTTP_REBAL
        ssl-proxy server SSL_ALPHA_R1A
    !!Back ACE
    parameter-map type http HTTP_REBAL
      persistence-rebalance
      length-exceed continue
    sticky http-header SRCIP ALPHA-SRCIP-sticky
      timeout 60
      replicate sticky
      serverfarm coresoms-ALPHAfarm
    class-map type http loadbalance match-all SRCIP-MAP
      2 match http header SRCIP header-value ".*"
    policy-map type loadbalance first-match vip-lb-ALPHA
      class SRCIP-MAP
        sticky-serverfarm ALPHA-SRCIP-sticky
    policy-map multi-match lb-vip
      class VIP-ALPHA
        loadbalance vip inservice
        loadbalance policy vip-lb-ALPHA
        appl-parameter http advanced-options HTTP_REBAL

    Hi Joseph,
    To achieve this you need to do stickiness based on some L7 parameter (either the header you are currently using or some cookie), so, whatever you do you will have to use persistence rebalance.
    I have one possible theory for your issue.
    The ACE has two different ways of treating the L7 connections internally, that we call "proxied" and "unproxied". In essence, the proxied mode means that the traffic will be processed by one of the CPU (normally to inspect/modify the L7 data), while, on the unproxied mode, the ACE sets up a hardware shortcut that allows forwarding traffic without the need to do any processing on it.
    For a L7 connection, the ACE will proxy it at the beginning, and, once all the L7 processing has been done it will unproxy the connection to save resources. Before it goes ahead with the unproxying, it needs to see the ACK for the last L7 data sent. This wait, on a Internet environment can introduce around 100-200ms of delay for each HTTP request, which can end up adding into a very big delay. By default, if the ACE sees that the RTT to the client is more than 200ms, the connection will never be unproxied to avoid these delays, so I think we could fix your issue by tweaking this threshold.
    From what you described, I assume you don't have many connections (because they all come through a proxy) and that the connections will have a lot of HTTP requests inside. With that in mind, I would suggest setting the threshold to 0 to ensure that connections are always kept proxied. To do this, you would need to configure a parameter map like the one below and add it to your VIP
        parameter-map type connection
          set tcp wan-optimization rtt 0
    Even though this setting may avoid your issue, it also has some drawbacks. The main one is that the ACE20 only supports up to 512K simultaneous L7 connections in proxied state (which includes also the connections towards the servers, so, it would be 250K for client connections), so, if the amount of simultaneous connections reaches that limit, new connections would be dropped. The second issue, although not so impacting, would be that the maximum number of connections per second supported would also go down slightly due to the increased processing needed.
    I hope this helps
    Daniel

  • Reverse proxy j_security_check issue

    Hi,
    We have a Web Dynpro for Java application.  It is accessed in the intranet as
    http://intra.abc.com:50000/webdynpro/dispatcher/abc.com/wdapp/WDApp1
    The same application is being accessed from internet as
    http://inter.abc.com/app1
    We use Apache Reverse Proxy.  The settings defined are:
    ProxyPass /app1 http://intra.abc.com:50000/webdynpro/dispatcher/abc.com/wdapp/WDApp1
    ProxyPassReverse  /app1 http://intra.abc.com:50000/webdynpro/dispatcher/abc.com/wdapp/WDApp1
    This was working fine in NW04 version.  In Netweaver 7.1 version, we get a 404 error -
    http://inter.abc.com/j_security_check
    What could be the reason for the error?  Is there anything required to be done in Reverse Proxy server?  Or anything needed to be configured in Netweaver Administrator?
    Please revert immediately.
    Thanks and regards,
    Ravi

    "Michael Young" <[email protected]> wrote in message
    news:[email protected]..
    Hi.
    FWIW you might try posting your issue to the weblogic.developer.interest.plug-in newsgroup -
    folks there may be more familiar with this issue.
    Your configuration looks ok to me. You might try turning Debug to On in your setup and take a
    look at the generated /tmp/wlproxy.log file to confirm your suspicions. If the log file
    confirms this then you may want to open a case with support.
    Thanks,
    Michael
    Kevin Taylor wrote:
    I am using Solaris 8, WebLogic 6.1sp2 and Apache 1.3.12. I am trying to
    get j_security_check
    posts to get proxied to WL. The *.jsp and *.html requests are currently being
    proxied correctly.
    When my html login form posts to action="j_security_check" and I go through Apache,
    Apache throws a 404 error. If I bypass Apache by using port 7001 in the URL, WL
    throws a 505 error. So, it is apparent that Apache is not attempting to proxy
    the j_security_check requests to WL. I have attached my settings from httpd.conf:
    >>
    <IfDefine SSL>
    <Location /j_security_check>
    SetHandler weblogic-handler
    PathTrim /j_security_check
    </Location>
    </IfDefine>
    <IfModule mod_weblogic.c>
    WebLogicHost sun01
    WebLogicPort 7001
    MatchExpression *.jsp
    MatchExpression *.html
    </IfModule>
    TIA.
    --kevin--
    Michael Young
    Developer Relations Engineer
    BEA Support

  • Issues in ssl configuration with apache server (using reverse proxy)

    Hi,
    I am able to use apache server as a reverse proxy to connect to Portal. When I enter the web server url as https://mywebserver.com, I am able to connect to the http url of the Portal. But the moment I try to connect to the https url of Portal with this https url, I am not able to connect to the Portal. Thus I am not able to use apache as a proxy server for https connections it makes. What must I do. I read that mod_proxy_connect needs to be used, but how do I use this?
    The second problem is that I need to use more than one kind of mapping.
    For example I must be redirected to the Portal even if I use http://webserver.com , or even if I use https://webserver.com or even if I use http://webserver.com/irj or https://webserver.com/irj or http://ipaddress-websserver/irj etc

    I have SSLCertificateFile and SSLCertificateKeyFile.
    My problem is with regard to ssl/CertificateChainFile?
    what is this? Also how do I upload my J2EE Certificate into apache.
    The problem is with Apache handshake is not happening.
    I am forwarding the entire log during . I have put what I consider important in bold. Please have a look.
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1769): OpenSSL: Handshake: start
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: before/connect initialization
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv2/v3 write client hello A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02a0: 3d 39 7a 6c a2 c7 0b e3-27 08 fa 48 8d 75 1a fe  =9zl....'..H.u.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02b0: 32 e6 13 d1 31 65 7d d5-11 34 21 78 38 d1 11 fb  2...1e}..4!x8... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02c0: ea 59 8e 24 79 5a 4b c2-f7 98 22 51 9f a7 4d 2b  .Y.$yZK..."Q..M+ |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02d0: 15 98 fe d4 43 4b 34 25-b3 9b b3 ae 57 d1 ea 69  ....CK4%....W..i |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02e0: 6e 02 7e 61 d7 80 b6 73-6a 3e ac eb 69 38 67 8f  n.~a...sj>..i8g. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02f0: a9 2a dc 93 3d 22 f3 6e-6a 5d 51 1f b1 b1 10 5e  .*..=".nj]Q....^ |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0300: 82 28 48 0d 5a 78 f8 17-61 e0 c5 43 61 7a 42 6a  .(H.Zx..a..CazBj |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0310: 00 80 42 fa 7e 11 b2 77-3a 8c de f1 52 5a e1 18  ..B.~..w:...RZ.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0320: d4 e7 8f ee 2c e0 06 ef-d5 37 87 62 07 14 d1 5a  ....,....7.b...Z |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0330: ca 30 be fd dd 76 47 8f-ed f4 5f f3 64 6c 32 a9  .0...vG..._.dl2. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0340: d5 07 e2 9b f1 29 a3 bf-33 4a ed 72 6b 2e c3 0f  .....)..3J.rk... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0350: 30 bd 13 a1 42 d8 f7 1d-58 8a 1c 53 d6 c3 c8 6e  0...B...X..S...n |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0360: 0e 51 e3 f5 a0 37 68 0d-04 c6 0e c4 4d cc ed 7c  .Q...7h.....M..| |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0370: ef 8f 81 b3 52 34 0c 60-eb f8 01 19 cc 95 31 55  ....R4.`......1U |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0380: 7d 16 bf 0c df b8 e0 3d-8f 7c 7a 4a 64 98 93 59  }......=.|zJd..Y |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0390: eb ae 00 80 ef cb bc 38-ab 16 0e a2 b2 2d fa 0f  .......8.....-.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03a0: da 55 2d 67 a8 b8 34 1b-bf 39 d9 d6 da 65 f2 8f  .U-g..4..9...e.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03b0: 6f a2 b1 1d db bb d5 dd-ab cf 9e 63 00 e4 57 a5  o..........c..W. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03c0: 18 4a dc 60 b0 97 5d 67-34 96 bf a2 43 2b 7d 70  .J.`..]g4...C+}p |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03d0: d6 99 d2 31 d2 11 f4 f2-19 b8 0c 41 7d bf b1 7c  ...1.......A}..| |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03e0: fb 31 cb 3e c2 0a e2 26-1a 7e 63 50 9b 62 c3 82  .1.>...&.~cP.b.. |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03f0: ca cd 36 82 0c 56 5f 26-f6 cc c6 6f 03 92 cc f5  ..6..V_&...o.... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0400: 6b 55 1a d6 92 f9 5b 59-18 c2 62 21 eb d8 a4 ea  kU....[Y..b!.... |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0410: fd b6 3e f7 0e                                   ..>..            |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1488): | 1048 - <SPACES/NULS>
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server hello A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server certificate A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server key exchange A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server done A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write client key exchange A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write change cipher spec A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write finished A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 flush data
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 5/5 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 15 03 01 00 02                                   .....            |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 2/2 bytes from BIO#629160 [mem: 47855ad] (BIO dump follows)
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 02 28                                            .(               |
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1782): OpenSSL: Read: SSLv3 read finished A
    [Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: failed in SSLv3 read finished A
    [Wed May 24 07:03:54 2006] [info] SSL Proxy connect failed
    [Wed May 24 07:03:54 2006] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    [Wed May 24 07:03:54 2006] [info] Connection to child 249 closed with abortive shutdown(server apacheserver:443, client j2eeserver)
    [Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserver)
    [Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserve) from apacheserver ()
    [Wed May 24 07:04:10 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#612610 [mem: 62ac80]
    [Wed May 24 07:04:10 2006] [info] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.  : SSL input filter read failed.
    [Wed May 24 07:04:10 2006] [debug] ssl_engine_kernel.c(1787): OpenSSL: Write: SSL negotiation finished successfully
    [Wed May 24 07:04:10 2006] [info] Connection to child 249 closed with standard shutdown(server apacheserver:443, client apacheserver)
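
The two short BIO dumps at the end of the log above (`15 03 01 00 02`, then `02 28`) are the peer's TLS alert record, which is what surfaces as `sslv3 alert handshake failure`. The decoder below is an added example, not part of the original post; its function names are hypothetical, and the sample lines are copied from that log with timestamps and separator lines trimmed.

```python
import re

# The two final BIO dumps from the log above (timestamps trimmed).
SAMPLE_LOG = """\
[debug] ssl_engine_io.c(1512): OpenSSL: read 5/5 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
[debug] ssl_engine_io.c(1484): | 0000: 15 03 01 00 02                                   .....            |
[debug] ssl_engine_io.c(1512): OpenSSL: read 2/2 bytes from BIO#629160 [mem: 47855ad] (BIO dump follows)
[debug] ssl_engine_io.c(1484): | 0000: 02 28                                            .(               |
"""

DUMP_RE = re.compile(r"OpenSSL: (\w+) (\d+)/\d+ bytes")
ROW_RE = re.compile(r"\| [0-9a-f]{4}: (.*)")
BYTE_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{2}(?![0-9a-f])")

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}

def bio_reads(log_text):
    """Return the bytes of every 'read N/N bytes' BIO dump, in log order."""
    reads, want = [], 0
    for line in log_text.splitlines():
        dump = DUMP_RE.search(line)
        if dump:  # a new dump starts; only the read direction is collected
            want = int(dump.group(2)) if dump.group(1) == "read" else 0
            if want:
                reads.append(bytearray())
            continue
        row = ROW_RE.search(line)
        if row and want and len(reads[-1]) < want:
            # The hex column precedes the ASCII column, 16 bytes per row at most.
            take = min(16, want - len(reads[-1]))
            reads[-1] += bytes(int(h, 16) for h in BYTE_RE.findall(row.group(1))[:take])
    return [bytes(r) for r in reads]

def decode_alerts(log_text):
    """Pair each 5-byte alert record header with the 2-byte body read after it."""
    reads, alerts = bio_reads(log_text), []
    for header, body in zip(reads, reads[1:]):
        if len(header) != 5 or header[0] != 21:  # content type 21 = alert
            continue
        if int.from_bytes(header[3:5], "big") != 2 or len(body) != 2:
            continue  # an encrypted alert is longer and cannot be decoded here
        version = int.from_bytes(header[1:3], "big")
        alerts.append({"version": VERSIONS.get(version, hex(version)),
                       "level": LEVELS.get(body[0], str(body[0])),
                       "description": ALERTS.get(body[1], str(body[1]))})
    return alerts

if __name__ == "__main__":
    print(decode_alerts(SAMPLE_LOG))
```

The record header carries version bytes `03 01` (TLS 1.0) even though OpenSSL's state names in the log say SSLv3. A fatal `handshake_failure` is raised by the peer, so the reason for the rejection has to be read from the peer's own log.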

  • Issue in configuring TMG as Forward/Reverse Proxy

    I am trying to set up a reverse and forward proxy using TMG 2010. I have the following networks:
    Internal Networks:
    10.2.1.0/24
    10.3.1.0/24
    DMZ (Perimeter) Network:
    10.7.1.0/24   NAT relationship with external network e.g. Public IPs
    I've set up one TMG node and selected "Back Firewall" as the topology.
    NIC 1 Config: (Internal)
    IP:    10.2.1.20
    Subnet: 255.255.255.0
    DW:     Not defined
    DNS:    10.2.1.5
    NIC 2 Config: (Perimeter)
    IP:    10.7.1.20
    Subnet: 255.255.255.0
    DW:     10.7.1.5
    DNS:    Not Defined
    During setup, when the wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting Adaptor.
    Setup completed successfully.
    I created an Allow rule from internal to local host.
    From Client-end:
    From client machines I cannot access the TMG internal interface IP (because the gateway is not defined on the TMG internal interface, I guess),
    while I can access the DMZ interface IP, i.e. 10.7.1.20, and can telnet to port 8080.
    When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the client-side browser, that throws an error "10061 no connection could be made because the target machine actively refused it"
    Failed Connection Attempt
    Log Type: Web Proxy (Forward)
    Status:10061 No connection could be made because the target machine actively refused it.
    Rule: Allow
    Source: Internal (10.2.1.39)
    Destination:LocalHost (10.7.1.20:8080)
    Request:Get http://www.google.com
    Protocol:http
    On TMG server:
    When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as the proxy address in the browser, that still throws an error "10061 no connection could be made because the target machine actively refused it"
    But when I define the internal interface IP as the proxy in the browser, i.e. 10.2.1.20:8080, it works.
    Allowed Connection
    Log Type: Web Proxy (Forward)
    Status:303 Not Modified
    Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
    Source: LocalHost (10.7.1.20:10082)
    Destination: External (94.245.34.74:80)
    Request:Get http://someurl
    Protocol:http
    What am I missing? Please advise, and what could be the workaround to get this to work from the internal network?
    Regards,

    Hello Quan,
    Thanks for your reply.
    No, it didn't work. I'm still using that as a reverse proxy and am unable to configure it as a forward proxy. :-)
    Regards,
    Farrukh

  • Issues using IIS 8.5 with ARR 3.0 as Reverse Proxy for Lync 2013

    Dear reader, after searching for a day without finding a solution to my problem I end up here ;-)
    Working Lync 2013 environment (gradually adding functionality) consisting of 2 FE servers, Persistent Chat Server, Web Apps server, Edge Server, Reverse Proxy Server (IIS 8.5/ARR 3.0), SQL Server.
    Set up a fresh Windows 2012 R2 with IIS 8.5, installed ARR 3.0 and followed along this TechNet article.
    So far so good, external clients (incl. mobile phone apps) can all connect.
    Now trying to add Web Apps to the reverse proxy, which is slightly different from the others by not forwarding 80/8080 and 443/4443, but just 80 and 443 to internal Web Apps server.
    After creating the server farm/URL rewrite, browsing to webapps.FQDN/hosting/discovery ends up with a 404 error (instead of XML, which is shown when I try from the LAN).
    After moving this rewrite rule to the top, it started working, but now my lyncdiscover.FQDN stops working.
    Of course, moving the webapps rule down restores the lyncdiscover.
    Any ideas? (Everything is set up as described in the above-mentioned TechNet article, so using wildcards. I tried fiddling around with webext.* and lyncdiscover.* and so on, but no luck. I'm completely new to ARR.)
    Thanks,
    Barry

    Can you confirm that for each URL Rewrite Rule, you have an {http_host} record that matches something like webext.* as you referenced above and as seen in step 15 here:
    http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx
    It might help if you posted a screenshot of your URL rewrite rules.
    SWC Unified Communications
