Discussion

Web Access 10 in reverse proxy with IIS in DMZ

posted on February 26, 2016

I wanted to share my solution for getting Web Access 10 to work with a reverse proxy in the DMZ because it took me a long time to find the solution.

 

The reason for this is to give access to Laserfiche Web Access to external users in a secure way and allow Windows authentication even if the server is in the DMZ. The only way specified in the documentation for getting Web Access to work with Windows authentication in the DMZ is to set up a read-only domain controller in the DMZ and join the server hosting Web Access in the DMZ to that domain. That's a lot of work; setting up a reverse proxy is much simpler once you know how to do it.

 

In this scenario I have a server hosting Web Access in my domain, not in the DMZ, and I have another server that resides in the DMZ and IIS is installed on that server. The goal is to set up a reverse proxy between the two servers.

 

First step is to install URL Rewrite and Application Request Routing on both servers.

http://www.iis.net/downloads/microsoft/url-rewrite

http://www.iis.net/downloads/microsoft/application-request-routing

(Some detailed instructions here: http://www.wrapcode.com/infrastructure/configure-reverse-proxy-with-url-rewrite-and-arr-for-iis/ )

 

Second step is to activate ARR on both servers.

Open IIS Manager. Double-click on the Application Request Routing Cache menu in the center pane. If you don't see it, you've not installed it properly. Repeat the above steps or reboot the system; sometimes it helps. You'll find Server Proxy Settings on the right pane. Open it and check the Enable Proxy option.

 

All the other steps are done on the server in the DMZ:

Next step is to change the default web proxy configuration (if you do not change this you will get a popup for authentication on the login screen and you will get an access denied):

Open a command prompt as admin and run the following commands:

C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/proxy /preserveHostHeader:"True" /commit:apphost
C:\Windows\System32\inetsrv\appcmd.exe set config -section:system.webServer/proxy /reverseRewriteHostInResponseHeaders:"False" /commit:apphost

iisreset

 

Next you need to set up the server variables in the URL Rewrite:

You'll find the URL Rewrite option at root level (computer name) as well as in the added website. If you want to configure the reverse proxy for all the requests coming to IIS, follow the next procedure in the root-level URL Rewrite; otherwise do it at the per-website level. Open URL Rewrite by double-clicking on it.

If you look at the right pane in the URL Rewrite settings, you'll find the server variables option. Open it and add the following variables to avoid gzip and https related issues.

HTTP_ACCEPT_ENCODING

HTTP_X_ORIGINAL_ACCEPT_ENCODING

HTTP_CUSTOM

HTTP_HOST

HTTP_MAX_FORWARDS

HTTP_X_ORIGINAL_SERVER_PORT

HTTPS

 

Next step is to configure the rule in URL Rewrite for the reverse proxy. Your web.config file should look something like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="false">
                    <match url="^laserfiche/(.*)" />
                    <action type="Rewrite" url="http://IP_ADRESSE_OF_THE_REMOTE_SERVER/laserfiche/{R:1}" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern=".*" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                </rule>
                <rule name="ReverseProxyInboundRule2" stopProcessing="false">
                    <match url="^mobile/(.*)" />
                    <action type="Rewrite" url="http://IP_ADRESSE_OF_THE_REMOTE_SERVER/mobile/{R:1}" />
                    <conditions>
                        <add input="{HTTP_HOST}" pattern=".*" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="Out" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://IP_ADRESSE_OF_THE_REMOTE_SERVER/laserfiche/(.*)" />
                    <action type="Rewrite" value="http{R:1}://MYWEBSITE/laserfiche/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Area, Base, Form, Img, Input, Link, Script" pattern="^http(s)?://IP_ADRESSE_OF_THE_REMOTE_SERVER/mobile/(.*)" />
                    <action type="Rewrite" value="http{R:1}://MYWEBSITE/mobile/{R:2}" />
                </rule>
                <preConditions>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                    <preCondition name="ResponseIsHtml1" logicalGrouping="MatchAny">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^application/json" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

 

 

9 0
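
An added example, not part of the original post or of Laserfiche's documentation: a short Python audit of a web.config shaped like the one above. It reports inbound rules that forward to the backend over plaintext HTTP, rules whose {HTTP_HOST} condition accepts any Host header (relevant because preserveHostHeader passes the client's Host value through to the internal server), and server variables a rule sets that are missing from the allowed list given in the post. The sample XML and the backend address 10.0.0.5 are constructed; `audit`, `ALLOWED` and `MATCH_ANY` are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one inbound rule shaped like the rules in the post,
# with a hypothetical backend address (10.0.0.5) in place of the placeholder.
SAMPLE = """<configuration><system.webServer><rewrite>
  <rules>
    <rule name="ReverseProxyInboundRule1" stopProcessing="false">
      <match url="^laserfiche/(.*)" />
      <action type="Rewrite" url="http://10.0.0.5/laserfiche/{R:1}" />
      <conditions><add input="{HTTP_HOST}" pattern=".*" /></conditions>
      <serverVariables>
        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
        <set name="HTTP_ACCEPT_ENCODING" value="" />
      </serverVariables>
    </rule>
  </rules>
</rewrite></system.webServer></configuration>"""

# Server variables the post adds to the URL Rewrite allowed list.
ALLOWED = {"HTTP_ACCEPT_ENCODING", "HTTP_X_ORIGINAL_ACCEPT_ENCODING", "HTTP_CUSTOM",
           "HTTP_HOST", "HTTP_MAX_FORWARDS", "HTTP_X_ORIGINAL_SERVER_PORT", "HTTPS"}
# Host patterns that accept every Host header a client can send.
MATCH_ANY = {".*", ".+", "^.*$", "(.*)"}


def audit(config_xml, allowed=ALLOWED):
    """Return (rule name, finding) pairs for the inbound proxy rules."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind(".//rewrite/rules/rule"):
        name = rule.get("name", "?")
        action = rule.find("action")
        url = action.get("url", "") if action is not None else ""
        if url.lower().startswith("http://"):
            findings.append((name, "backend hop is plaintext HTTP: " + url))
        hosts = [c.get("pattern") for c in rule.iterfind("conditions/add")
                 if c.get("input", "").upper() == "{HTTP_HOST}"]
        if not hosts or any(p in MATCH_ANY for p in hosts):
            findings.append((name, "rule matches any Host header"))
        for var in rule.iterfind("serverVariables/set"):
            if var.get("name") not in allowed:
                findings.append((name, "variable not on allowed list: " + var.get("name")))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit(SAMPLE):
        print(f"{rule_name}: {finding}")
```

Anchoring the {HTTP_HOST} pattern to the public hostname and using an https:// backend URL clears the first two findings.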
replied on August 22

A couple things I found while implementing this:

 

1. The command prompt commands at the beginning of the article didn't work for me in Windows Server 2016 Standard. I got errors about it not finding that attribute. I found that the following commands worked:

c:\windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -preserveHostHeader:true /commit:apphost
c:\windows\system32\inetsrv\appcmd.exe set config -section:system.webServer/proxy -reverseRewriteHostInResponseHeaders:false /commit:apphost
iisreset

2. I did NOT install URL Rewrite or ARR on the Web Access server inside the LAN. Did the configuration steps only on the DMZ server. So far so good!

 

Thanks for the guide my friend.

UPDATE: edited a typo in the code snippet.

1 0
