Question

forms portal reverse proxy

asked on July 17, 2020

Hi all,

Wondering if anyone might be able to help me troubleshoot an issue.

Let me preface this by saying I'm new to forms, not a coder and not real familiar with IIS.

I opted to set up my forms portal inside my firewall using an IIS server in a DMZ.

I've gone through all the setup for Laserfiche and have it so I can access public forms inside the firewall using http://(servername)/forms/(formname) - the form comes up and is fillable and processes properly.

I have my firewall set up to pass traffic using http and https through to the IIS server in the firewall and traffic is hitting the Laserfiche web portal inside the firewall.

The issue is that when you go to a link, it opens a new tab, titles it New Submission, but remains blank and doesn't load the form.

I've looked at the IIS reverse proxy settings and they all "seem" to be correct and I've tried playing with changing paths and I make it connect or not connect (404 and 500 errors?) but I just can't get the forms to load through the IIS server.

The issue appears to be at the header part of loading the page when comparing the data from the page that works to the page that doesn't, but I'm stumped as to exactly where the problem lies.

The connection is really close to working, but this one issue has me beating my head against the wall.

Any insight would be greatly appreciated.

If someone would like to PM me, my email is eric@southholland.org

Thanks in advance.

 

 - Eric

0 0

Answer

SELECTED ANSWER
replied on July 17, 2020

Hi Eric,

I'll reach out to you over email.

1 0
replied on July 17, 2020

That would be great.

I appreciate it.

 

 - Eric

0 0
replied on July 21, 2020

@████████ I sent you an email with a couple questions as well.

0 0
replied on April 16

What did you find wrong? I am having the same issue. I can't figure out what I am missing.

0 0
replied on April 16

Hi Tony, we ended up with the following working configuration at the IIS Server level. Especially note:

  1. It requires HTTPS on both the IIS ARR proxy server and the internal Forms server
  2. The external-facing IIS ARR proxy server must have a valid 3rd party trusted X.509 (TLS) certificate. I recommend LetsEncrypt via win-acme.
  3. It forwards all traffic to the internal web server (not just Forms), which may have other applications on it that you don't want publicly accessible like LFDS or Web Client. For reasons still unclear to me, the IIS ARR configuration doesn't seem to work when you try to restrict it to only /Forms.
  4. I strongly advise blocking access to web applications other than Forms (and sometimes LFDSSTS) on the internal web server using IIS IP Address and Domain Restrictions at the web application level, rules at the Site-level on the proxy server that catch all non /Forms traffic and throw a 401 Unauthorized, or similar.
  5. The proxy server must have DNS resolution for the fully-qualified internal forms server's URL host (e.g. "internal-forms.example.com"), whether through internal DNS or a local host file entry.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="HTTPS Redirect" enabled="false" stopProcessing="true">
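                    <!-- Regex syntax is the default here, so a bare "*" is not a valid pattern; "(.*)" matches every URL. -->
                    <match url="(.*)" />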
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
                </rule>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="^(.*)$" negate="false" />
                    <action type="Rewrite" url="https://internal-forms-host.example.local/{R:1}" logRewrittenUrl="true" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value=" " />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" enabled="true">
                    <match filterByTags="A, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://internal-forms-host.example.local/(.*)" negate="false" />
                    <!-- {R:2} is the path without its leading slash, so a single "/" after the host is enough. -->
                    <action type="Rewrite" value="https://external-proxy.example.com/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding" enabled="true">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern=".*" />
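                    <!-- Put back the Accept-Encoding value that the inbound rule saved. -->
                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />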
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Attached: IIS Server-level web.config file with the above content and a .txt extension to satisfy Answers' file upload type restrictions. Please back up your existing web.config file(s) before making any of these changes or replacing them. This example is provided as-is for educational purposes with no guarantees.

web.config.txt (2.35 KB)
1 0
replied on April 19

So I am doing this on a site below Default on a site called LF. I took your code and changed it to match my servers. I now get a blank website but it now says New Submission, which is better than what I have had. Just can't see the forms page. Do I need to enable ARR on the internal server? I've seen posts where they did and didn't have "Enable proxy" checked. When you say IIS server level, are you clicking on the IIS server and modifying the URL Rewrite rules there?

reverse proxy.JPG
0 0
replied on April 19

You don't need to enable ARR on the internal server. Yes, you do need to set the rules (as I have them above) on the IIS Server-level node. They aren't set up to handle that "/lf/" path prefix.

In the IIS configuration hierarchy, the "lf" node in your screenshot is an "application-level" one that's under the Default Web Site and at the same level as the Laserfiche web apps.

1 0
replied on April 20

I am using my current DMZ server that runs Weblink. Should I not use this server since it forwards all traffic to my internal server? Or do you think I can write a rule that it will still allow Weblink to function as normal and still do the reverse proxy to Forms?

0 0
replied on April 20

You mentioned you couldn't get it to restrict to just forms. For the pattern I used ^forms(.*)$ and in the rewrite https://server.domain.local/{R:0} and it is working. I am able to use the same Weblink server in the DMZ and reverse proxy to the forms server.

1 0
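An added example, not taken from any post in this thread: a server-level rewrite section that combines the `^forms(.*)$` restriction from the reply above with the catch-all 401 recommended in item 4 of the earlier answer. The host name is the placeholder from the posted web.config, the `weblink` path is a hypothetical local application, and the pattern is tightened to `^forms(/.*)?$` so that paths which merely start with "forms" are not proxied.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <!-- 1. Proxy /forms and everything below it to the internal Forms server.
                        URL Rewrite matches case-insensitively by default, so /Forms also matches.
                        {R:0} is the whole matched path, e.g. "forms/myform". -->
                <rule name="ProxyFormsOnly" enabled="true" stopProcessing="true">
                    <match url="^forms(/.*)?$" />
                    <action type="Rewrite" url="https://internal-forms-host.example.local/{R:0}" logRewrittenUrl="true" />
                </rule>
                <!-- 2. Assumption: an application hosted locally on the proxy server itself
                        (hypothetical path "weblink"). Leave its requests untouched and stop
                        here so the catch-all below never sees them. Remove if not needed. -->
                <rule name="AllowLocalWebLink" enabled="true" stopProcessing="true">
                    <match url="^weblink(/.*)?$" />
                    <action type="None" />
                </rule>
                <!-- 3. Everything else (LFDS, Web Client, the site root, ...) is refused at the
                        proxy and never reaches the internal web server. -->
                <rule name="BlockEverythingElse" enabled="true" stopProcessing="true">
                    <match url=".*" />
                    <action type="CustomResponse" statusCode="401" statusReason="Unauthorized" statusDescription="Only /forms is published through this proxy" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
```

Rule order matters: the first matching rule with `stopProcessing="true"` wins, so the catch-all must stay last. If Forms sign-in depends on LFDSSTS, that path needs its own proxy rule above the catch-all.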
replied on April 21

I have it working but not with Outbound rules? Do I need them? When I enable them it actually breaks my reverse proxy.

0 0
replied on April 21

Now that you mention it, I recall disabling the Outbound rule(s) later on because they were causing some trouble and didn't seem to be adding anything. They don't seem to be strictly necessary.

0 0
replied on April 21

Is there any specific way that Forms needs to be configured to work with a reverse proxy?

0 0
replied on April 21

Hi, sorry to butt into this late, but in response to Samuel - when we worked on my reverse proxy, there were outbound rules enabled and we tried disabling them but found an error when they were disabled, so we enabled them again.

There are 2 outbound rules on the URL rewrite: one to identify the response from the internal server and another to rewrite the URL to the internet URL.

 

As far as the forms configuration, nothing specific had to be done to the form itself, but we did have to allow some Java through to get certain items on the form to appear properly.

0 0
replied on April 23

Eric, can you share your outbound rules? Curious on what they look like?

Blake, are you running 2 different Forms servers? One for internal and one for Portal?

0 0
replied on April 23

In some cases, yes two different Forms servers. In others, just a single. Just want to know what the proper way to configure Forms is in both scenarios.

0 0
replied on April 23

What's a good way to contact you? Might be easier over a webex or phone call.

0 0
replied on April 23

Hi Tony,

Send me an email at eric@southholland.org and I'll send you my contact info.

 

 - Eric

0 0
