That would be great.

I appreciate it.

 - Eric

@████████I sent you an email with a couple questions as well.

what did you find wrong?  I am having the same issue.  I can't figure out what I am missing. 

Hi Tony, we ended up with the following working configuration at the IIS Server level. Especially note:

1. It requires HTTPS on both the IIS ARR proxy server and the internal Forms server
2. The external-facing IIS ARR proxy server must have a valid 3rd party trusted X.509 (TLS) certificate. I recommend LetsEncrypt via win-acme.
3. It forwards all traffic to the internal web server (not just Forms), which may have other applications on it that you don't want publicly accessible like LFDS or Web Client. For reasons still unclear to me, the IIS ARR configuration doesn't seem to work when you try to restrict it to only /Forms.
4. I strongly advise blocking access to web applications other than Forms (and sometimes LFDSSTS) on the internal web server using IIS IP Address and Domain Restrictions at the web application level, rules at the Site-level on the proxy server that catch all non /Forms traffic and throw a 401 Unauthorized, or similar.
5. The proxy server must have DNS resolution for the fully-qualified internal forms server's URL host (e.g. "internal-forms.example.com"), whether through internal DNS or a local host file entry.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="HTTPS Redirect" enabled="false" stopProcessing="true">
                    <match url="*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{HTTPS}" pattern="off" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" appendQueryString="false" />
                </rule>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="^(.*)$" negate="false" />
                    <action type="Rewrite" url="https://internal-forms-host.example.local/{R:1}" logRewrittenUrl="true" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value=" " />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1" enabled="true">
                    <match filterByTags="A, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://internal-forms-host.example.local/(.*)" negate="false" />
                    <action type="Rewrite" value="https://external-proxy.example.com//{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding" enabled="true">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern=".*" />
                    <action type="Rewrite" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

Attached: IIS Server-level web.config file with the above content and a .txt extension to satisfy Answers' file upload type restrictions. Please back up your existing web.config file(s) before making any of these changes or replacing them. This example is provided as-is for educational purposes with no guarantees.

So I am doing this on a site below Default on site called LF.   I took your code and changed it to match my servers.  I now get a blank website but it now says New Submission which is better that what I have had.  Just can't see the forms page.   Do I need to enable ARR on the internal server. I seen posts where they did and didn't have "Enable proxy" checked.    When you say IIS server level, are you clicking on the IIS server and modifying the URL Rewrite rules there? 

You don't need to enable ARR on the internal server. Yes, you do need to set the rules (as I have them above) on the IIS Server-level node. They aren't set up to handle that "/lf/" path prefix.

In the IIS configuration hierarchy, the "lf" node in your screenshot is a "application-level" one that's under the Default Web Site and at the same level as the Laserfiche web apps. 

I am using my current DMZ server that runs Weblink. Should I not use this server since it forwards all traffic to my internal server?  Or do you think I can write a rule that it will still allow Weblink to function as normal and still do the reverse proxy to Forms? 

you mentioned you couldn't get it to restrict to just forms. For the pattern I used ^forms(.*)$  and in the rewrite https://server.domain.local/{R:0}    and it is working.  I am able to use the same Weblink server in the DMZ and reverse proxy to the forms server. 

I have it working but not with Outbound rules?  Do I need them? When I enable them it actually breaks my reverse proxy.  

Now that you mention it, I recall disabling the Outbound rule(s) later on because they were causing some trouble and didn't seem to be adding anything. They don't seem to be strictly necessary.

Are there any specific way that Forms needs to be configured to work with a reverse proxy?

Hi, sorry to butt into this late, but in response to Samuel - when we worked on my reverse proxy, there were outbound rules enabled and we tried disabling them but found an error when they were disabled, so we enabled them again.

There are 2 outbound rules on the URL rewrite: one to identify the response from the internal server and another to rewrite the url to the internet url.

As far as the forms configuration, nothing specific had to be done to the form itself, but we did have to allow some Java through to get certain items on the form to appear properly.

Eric can you share your outbound rules?  Curious on what they look like? 

Blake are you running 2 different Forms servers? One for internal and one for Portal?