IIS as reverse proxy with SSL offloading

I recently set up a Microsoft IIS 7.5 as a reverse proxy. The setup is straightforward, but there can be an issue if you want to send all the traffic from the reverse proxy encrypted via SSL to the actual web server. Especially with self-signed certificates on your backend servers it becomes a bit of a hassle. This is a problem if you use SSL offloading, which means that IIS terminates the client's SSL request and forwards the HTTP request in a new SSL session protected by the destination server's self-signed SSL certificate.

Everything you have to know is that the self-signed SSL certificate has to be imported into your computer certificate store (not the user store!). Plus the certificate has to be valid: make sure it is not expired. And last but not least: the server has to be addressed by the certificate's subject name – it will not work if you enter the IP address of your HTTPS server, or if your server is called server1.local and your certificate says server1!

If that information already solved your problem you do not have to read further; everyone else gets a more detailed explanation:


Set up IIS as a reverse proxy

All you have to do is install the Application Request Routing (ARR) module in your IIS. The ARR module has to be downloaded from microsoft.com and cannot be added as a role service for IIS.


Configure IIS as a reverse proxy

Bind SSL to your IIS website

First your IIS website has to be bound on port 443 (HTTPS). You can use a self-signed certificate or buy one from a well-known certificate authority. If you use a self-signed one, please make sure your certificate subject matches your website URL. This link may be helpful: How to create self signed certificates with alternate host name.

To edit the site's binding, open IIS Manager, right-click the website and go to Edit Bindings. Then you have to select an IP address and the certificate your proxy will present when a client requests HTTPS.

Your site binding should look like the configuration on the picture:

[Image: SSL_binding_iis]

Configure the rewrite rule

To configure the rewrite rule that achieves the functionality of a reverse proxy, go to your website in the IIS management tool. Then click on the “URL Rewrite” module as shown in the next picture. (On the right side you can see Browse Website – make sure it is bound to 443.)

[Image: iis_setup]


Choose “reverse Proxy” rule:

[Image: reverse_proxy_config1]

Now the actual configuration starts. Enter your server name and the port SSL is bound to. In my case it is 443. Please do not get confused by the SSL offloading explanation. HTTP requests are not necessarily transported over plain HTTP: if you specify the SSL port, an SSL tunnel will be established to transport your HTTP packets encrypted. If you untick SSL offloading, the ARR module just forwards your packets to the backend server – then the SSL certificate of your backend server will be presented to the client!

[Image: reverse_proxy_config2]

When you edit the rule later in expert view it should look like this picture:

[Image: reverse_proxy_config3]

Import certificates:

Unless you have publicly signed certificates or you already trust your private certificate authority, you have to import the SSL certificates of your backend servers into the local computer store. If you run a lot of backend HTTPS servers I suggest creating a private CA. If you run 2-3 servers you can easily do it manually, or, in case you set it up for testing purposes, a self-signed certificate is perfectly fine.

  1. Run certmgr.msc
  2. add Snap-in certificates
  3. select computer account
  4. import the self signed certificate into “trusted root store”

Possible error:

If IIS is not able to verify the certificate of the backend HTTPS server, it will deliver an error message to the requesting client. The error message contains “HTTP Error 502.3 – Bad Gateway, A security error occurred, Error Code 0x80072f8f”. Remember: the server name you send the request to has to be the same as the subject name of your self-signed SSL certificate, and the certificate has to be valid – it must not be expired!

[Image: error_502_badgateway_certificate_chain]
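The three conditions above (certificate in the computer store, not expired, backend name matching the subject) are exactly what produces 0x80072f8f when they fail. The following PowerShell script is an added example, not part of the original post: run it on the ARR box before enabling the rule and it connects to the backend, pulls the certificate it actually presents, and checks each condition. The backend name server1.local and the file name backend.cer are assumed values.

```powershell
# Added preflight check for the ARR -> backend SSL hop (not from the original post).
# $BackendHost must be the exact name used in the reverse proxy rewrite rule.
param(
    [string]$BackendHost = "server1.local",   # assumed backend name
    [int]$BackendPort = 443
)

# 1. Fetch the certificate the backend really presents on its SSL port.
#    The callback returns $true so we can inspect an untrusted cert; trust is checked below.
$client = New-Object System.Net.Sockets.TcpClient($BackendHost, $BackendPort)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($BackendHost)
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Close()
"Backend presents: $($remote.Subject) (thumbprint $($remote.Thumbprint))"

# 2. Validity period: an expired (or not yet valid) cert gives 502.3 / 0x80072f8f.
$now = Get-Date
if ($now -lt $remote.NotBefore -or $now -gt $remote.NotAfter) {
    Write-Warning "Certificate is outside its validity period (NotAfter: $($remote.NotAfter))"
}

# 3. Name match: the rule target must equal the subject CN or one of the DNS SANs.
$cn = ($remote.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' }) -replace '^CN=', ''
$sanExt = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    # Windows formats the SAN as "DNS Name=a, DNS Name=b"; keep the values only.
    $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] }
}
if (($cn -ne $BackendHost) -and ($sans -notcontains $BackendHost)) {
    Write-Warning "Rule targets '$BackendHost' but certificate names are CN=$cn SAN=$($sans -join ', ')"
}

# 4. Trust: a self-signed cert must be in LocalMachine\Root, not the user's store.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $remote.Thumbprint }
if (-not $inRoot) {
    Write-Warning "Certificate is not in Cert:\LocalMachine\Root. Import it with one of:"
    "  Import-Certificate -FilePath .\backend.cer -CertStoreLocation Cert:\LocalMachine\Root"
    "  certutil -addstore Root .\backend.cer   (older systems without the PKI module)"
}
# Chain validation as the ARR process itself will perform it
if (-not $remote.Verify()) { Write-Warning "Chain validation failed; ARR will answer 502.3" }
```

Run it under an elevated prompt so the LocalMachine store is readable, and note that if the script itself cannot connect to `$BackendHost` by that name, the rewrite rule will not be able to either.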