Channel: Application Request Routing (ARR)

ARR Setup for caching of Azure media Services live stream

I'd like to set up ARR to cache access to a live stream on Azure Media Services so multiple users on site watching the same stream will only require one copy to be fetched from the internet.

Unfortunately, I seem to be overlooking some step in the configuration.

* Blank Server 2012 R2, installed ARR via Web PI.
* Server name: media.domain.local
* Sample URL for a stream: http://mediaservicename.origin.mediaservices.windows.net/67DB4EA0-B6C3-41D1-AFC7-19846819BC4A/10B287D7-2C5B-45A7-A2E1-579AFA977873.ism/manifest
* The Azure media service requires a host header to be set.
* Created a server farm named "media", added server "mediaservicename.origin.mediaservices.windows.net", allowed creation of the default rewriting rule.

Now, for on-site clients, I'd like to access the stream using the URL "http://media.domain.local/67DB4EA0-B6C3-41D1-AFC7-19846819BC4A/10B287D7-2C5B-45A7-A2E1-579AFA977873.ism/manifest".

This, unfortunately, doesn't work; clients get back an Error 503: Service unavailable.

Looking at the outgoing web request, I can see that the request going out to Azure Media Services has a host header "media.domain.local"; obviously Azure doesn't recognize that and returns an error.

Now the question: is there a way to get ARR or URL rewriting to send out the request with a host header matching the configured server in the farm instead of the original host header sent by the client?

Thanks for your help!


ARR Activesync not working, OWA working fine

Hi Guys,

Hope someone can help me with this, it's driving me crazy.

I have just set up a new ARR server for two websites, internal and Exchange.

The Internal Websites is working fine and Exchange OWA is working without a problem.

The problem I am having is with Activesync. No matter what I try I cannot get it to work. 

It looks to be a certificate problem but the certificate works for OWA. 

If I try and connect with Touchdown. 

Server Cert not trusted

SSL handshake aborted SSL=0x7970dac0, I/O error during system call. 

If I try and test from Microsoft Activesync tester I can

  

The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.transamerica.com.au on port 443. The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.

Additional Details: The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

I have removed compression and increased the buffer size.

Checked and double-checked URL Rewrite.

Please note the ARR server is Windows 2012 R2 and the back end is 2008. The ARR server is set up to only use TLS 1.1 and TLS 1.2; the back end is set up to use TLS 1.0 and SSL 3.0, which is the limit of 2008.

Just an added bit of information. The back end has two connections, and it looks as if, when the internet connection is not disabled, ActiveSync still works; if the internet connection is disabled, it stops working. Need a little bit more testing to confirm this.

Thanks for your help.

Craig

ARR as an ISA replacement

Hi,

I've been tasked with migrating the Reverse Proxy rules that currently sit on our aging and now EOL ISA server onto ARR.

Would anyone mind helping me with a few questions please, as I'm a novice to IIS/ARR?

Our current ISA server has a mixture of Reverse Proxy rules, http and https (across different listeners and certs). Public sites have their own hostnames and IPs, which are NAT'd to individual IPs which are added to each listener.

Will ARR be able to host multiple sites like this? As I understand it I can move the IPs from ISA to ARR, but the URL rewrite is confusing me. I've followed the guide here http://improve.dk/setting-up-multiple-iis-application-request-routing-farms-on-the-same-server/ and successfully moved one simple http site.

I've since tried the same with an SSL site using a wildcard cert, but I'm not having much luck. If I enable SSL Offloading on my new farm it seems to break my previously working http site.

Any help or tutorials greatly appreciated.

403 - Forbidden: Access is denied for valid Client Certificates

Hi All,

1. I have set up IIS + ARR in the DMZ, which does the SSL offloading and redirects the https to http on the back-end servers.

2. I have enabled SSL + Client certificate Required.

3. This setup works fine with my self-signed client certificate, but always gives 403 - Forbidden: Access is denied for actual client certificates issued by well-known certificate authorities (like Comodo, Steria etc.).

4. I have properly installed the intermediate certificates into "Intermediate Certificate Auth." and the root certificates into "Root Certificate Autho."

Even it could work. I tried the client certificate (with intermediate CA) as well as the client certificate (with only root CA).

5. I also tried putting following Registry entry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel

REG_DWORD

Key name : ClientAuthTrustMode

Value : 2 (Decimal)

Still no success.

Please can anybody help me with what's wrong?

Regards

Kundan

ARR Missing Algorithms

Hi,

I am curious as to why ARR is missing some of the algorithms. I have Installed ARR v3 via WebPI on server 2012 R2. 

ARR Missing algorithms

403 Access is denied for HTTPS in IIS ARR

I have been banging my head for a very long time and have gone through your previous posts, but could not come up with any solution.

We have an ARR in place which is pointing to 3 content servers (IIS). I have installed a SAN Symantec SSL certificate on the content servers as well as the ARR server.

Now when I set the binding of the web service to http and https on 80 and 443 (Require SSL unchecked), the web service runs on both http and https.

But the moment I configure it with Require SSL checked, or remove the binding of http :80, the web service fails to run on https 443 and says permission is denied.

Already allowed permission for IIS_IUSER and IUSER

IIS ARR forward proxy for HTTPS

Hi All,

I am looking for a forward proxy. But reading some threads I found that IIS ARR can work as a forward proxy only for HTTP, not for HTTPS.

What are the options for a forward proxy for calling external web services through the DMZ?

Regards

Kundan

Add Authorization Header to ARR Reverse Proxy

Hello,

I'm hoping someone may be able to help me as I seem to be tying myself in knots!  My problem is as follows:

I have an internally hosted Web API that requires an Authorization header in order to function. This Web API, for reasons outside of my control, is not allowed direct access to the WWW. Now this API also needs to receive webhook responses from Mandrill, to let it know when emails have been opened. The first problem is that Mandrill will let you set a webhook endpoint, but won't let you set any additional HTTP flags such as an Authorization header; they only allow a custom X-Mandrill-Signature header. Secondly, Mandrill don't supply a list of whitelisted IPs so I can simply allow their traffic through a firewall. Their suggestion is a Reverse Proxy.

Now investigating this, I was hoping that I could do something like the following.  Have IIS with ARR and URL Rewrite be the endpoint for the Mandrill, and when a request is received, use the matching functionality to check the custom X-Mandrill-Signature header.  If that matches, then I need to forward the POST onto the internal Web API, however I need to then set the Authorization header.  This seems quite convoluted, but keeps the internal API off the WWW (again, I have no control over this), while still authenticating valid Mandrill requests.

Is this possible, can anyone help?

Thanks
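
The check this post describes, as an added example that is not part of the original post: X-Mandrill-Signature is a base64 HMAC-SHA1 over the webhook URL followed by the POST parameters sorted by key, so it differs per request and has to be recomputed in code before the Authorization header is attached. The URL, key, token and function names below are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none of these come from the original post.
WEBHOOK_URL = "https://proxy.example.com/hooks/mandrill"
WEBHOOK_KEY = b"constructed-webhook-key"
INTERNAL_AUTH = "Bearer constructed-internal-token"


def mandrill_signature(url, params, key):
    """base64(HMAC-SHA1(key, url + k1 + v1 + k2 + v2 ...)) with keys sorted."""
    signed = url
    for name in sorted(params):
        signed += name + params[name]
    digest = hmac.new(key, signed.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def headers_for_backend(headers, params):
    """Return the headers to forward to the internal API, or None to reject."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("x-mandrill-signature", "")
    expected = mandrill_signature(WEBHOOK_URL, params, WEBHOOK_KEY)
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(presented.encode("utf-8"), expected.encode("ascii")):
        return None
    # Never pass through an Authorization header chosen by the caller.
    forwarded = {k: v for k, v in lowered.items() if k != "authorization"}
    forwarded["Authorization"] = INTERNAL_AUTH
    return forwarded


if __name__ == "__main__":
    body = {"mandrill_events": '[{"event":"open"}]'}  # constructed POST body
    good = mandrill_signature(WEBHOOK_URL, body, WEBHOOK_KEY)
    print(headers_for_backend({"X-Mandrill-Signature": good}, body))
    print(headers_for_backend({"X-Mandrill-Signature": "forged"}, body))
```

The signed URL must be exactly the one registered as the webhook endpoint, so behind a reverse proxy it is the public URL, not the internal one.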


Problem Posting to Git Server through ARR

Hi All, I have been struggling with this problem for over a week.

I have an IIS server using ARR as a reverse-proxy with SSL offloading for a couple of websites (running on IIS and Tomcat) that has been working fine. I have now added a Git server (Atlassian Stash) behind the reverse-proxy. Browsing the website and making small Git posts works fine, but now I am having an issue trying to make a larger Git post of about 21.38 MB.

The Git command line seems to hang part way through writing the data to the server at around 950 kb. The value varies each run but it stays around this number. Eventually the post times out after about 2 minutes. It fails with the following error:

Unable to rewind rpc post data - try increasing http.postBuffer
error: RPC failed; result=56, HTTP code = 0
fatal: The remote end hung up unexpectedly

Increasing the http.postBuffer does not change the behavior.

Here is the information I have gathered:

The IIS request log shows that request fails with an error 400.6 (Invalid Request Body). The sc-win32-status is 64 (The specified network name is no longer available).

The failed request log shows the following errors:

NOTIFY_MODULE_COMPLETION

ModuleName: ApplicationRequestRouting 
Notification: 128 
fIsPostNotificationEvent: false 
CompletionBytes: 0 
ErrorCode: 2147943395 
Notification: EXECUTE_REQUEST_HANDLER 
ErrorCode: The I/O operation has been aborted because of either a thread exit or an application request. (0x800703e3) 

MODULE_SET_RESPONSE_ERROR_STATUS

ModuleName: ApplicationRequestRouting 
Notification: 128 
HttpStatus: 400 
HttpReason: Bad Request 
HttpSubStatus: 6 
ErrorCode: 2147952454 
ConfigExceptionInfo:
Notification: EXECUTE_REQUEST_HANDLER 
ErrorCode: An existing connection was forcibly closed by the remote host. (0x80072746) 

 

If I post directly to the Git server, without going through the reverse-proxy, the post succeeds and does not take very long to complete.

My assumption is that the issue lies in the IIS configuration and how ARR is posting to the Git Server. It fails in writing to the server and reaches the 120 second ARR Proxy Timeout setting. If I increase this timeout, the operation still fails, it just takes longer to timeout. Perhaps this is buffer or request size related? The Request Filtering Maximum Content Length is currently set to 30000000 bytes (30 MB) so that is larger than my request, but I am not sure if that is the correct setting I need to change.

Any help or suggestions you can lend are greatly appreciated.

Simple(?!) ARR URL redirect

This surely shouldn't be so hard..!

I'm trying to do a simple redirect on an ARR server that will forward autodiscover URLs of secondary SMTP domains (using hybrid Exchange) to the primary autodiscover URL. Basically this:

Redirect http://autodiscoverredirect.domain.com/<something> to https://autodiscover.domain.com/<something> which is an entirely separate server on a different public IP address.

Here's the code I end up with in applicationHost.config:

<rule name="ARR_autodiscoverredirect_loadbalance" patternSyntac="Wildcard" stopProcessing="true">
  <match url="*" />
  <action type="Redirect" url="https://autodiscover.domain.com/{R:0}" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="autodiscoverredirect.domain.com" />
    <add input="{HTTP}" pattern="on" />
  </conditions>
</rule>

The conditions are there because it has to respond only to requests for http://autodiscoverredirect.domain.com on port 80.

With this in place, when I try to access http://autodiscoverredirect.domain.com (I've tried from the local server and from an internet host) I get nothing in IE, just a blank page. Monitoring and Management shows 0 hits. Nada.

Am I doing something stupid? Do I need to enable the proxy bit in ARR?

Thanks.

Webserver cache control with webservers behind NLB ARR servers

Greetings all,

When I place ARR or webservers behind MS NLB, requests to the site do not use the cache controls.

When I access the site from the direct IP on either ARR or the webserver Cache control works correctly.

Only when I use the IP/DNS of the NLB Multicast address do I get the client reloading all resources from the webpage.

Can someone point me in the right direction to fix the behavior of cache behind MS NLB?

NLB works, the site is slow because it is not using cache correctly.

How to add exceptions to reverse proxy rule

Hi All,

I have set up a reverse proxy rule at site level which routes all requests to the DMZ server on to the internal server. This worked as expected until I switched to claim authentication using ADFS. In claim authentication, to authenticate the request SP sends a request to the ADFS server; due to the reverse proxy rule, the request to the ADFS server gets routed to the internal server. I want to prevent that from happening.

Here is the trace from failed request routing logs (section URL_CHANGED)

OldUrl
/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3a8099%3asharepoint&wctx=https%3a%2f%2finternalServer.mydoamin.com%3a8088%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F

NewUrl
https://internalServer.mydoamin.com:8088/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3a8099%3asharepoint&wctx=https%3a%2f%2finternalServer.mydoamin.com%3a8088%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F

This happens even after I have the following setting in the web.config file of the site:

<rewrite>
  <rules>
    <clear />
    <rule name="DoNotRouteADFS" stopProcessing="true">
      <match url="/adfs/" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
      <action type="None" />
    </rule>
    <rule name="ReverseProxyInboundRule1" stopProcessing="true">
      <match url="(.*)" />
      <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
        <add input="{CACHE_URL}" pattern="^(https?)://" />
      </conditions>
      <action type="Rewrite" url="{C:1}://internal.mydomain.com:8088/{R:1}" />
    </rule>
  </rules>
</rewrite>



ARR capacity to handle multiple sites

What is the average ARR capacity of one server to handle multiple sites?

Url rewrite to Owncloud server running on FreeNas

Good evening,

I have talked the internet without much success to try and work this out for myself but feel like I failed. What I would like to do is access my internally running server hosting Owncloud whenever I use a URL like https://myhome.Remotewebacess.Com/owncloud.

I have setup a reverse proxy using the wizard which gets me to the server but it is like scripts, images, css are blocked or not being returned.

My server is:
WSE 2012 R2
IIS
ARR (latest version)

Owncloud is:
Apache 2.2
Running on FreeNAS

I have turned on request tracking and see I am getting 404 errors to files that are there.

Any and all help is gratefully received.

I have added a screen shot of what I get with the redirect.

Thanks
Mo

route based on query string for external services

I'm trying to work out the best way of sitting two external unrelated services to be accessible through the same url as such

example.com -> default web site

example.com/serviceA/abc/123 -> http://servA:3000/abc/123 

example.com/serviceB/abc/123  -> http://servB:4000/abc/123 

Note: the service name (serviceA/B) is not to be passed to the external service but should be included in the human-readable URLs.

So far I have configured a server farm (Reverse rewrite host in response headers is enabled) for each service in IIS; for each service a default rewrite rule has been created to match * and route to the service farm with the path /{R:0}.

This of course routes all requests to whichever rule is higher. How can I add filtering based on the query string as above? I'm using IIS 8.5 on 2012 R2.

 


Two potential bugs querying ARR using WMI?

(Partially taken from http://serverfault.com/questions/708000/wmi-query-of-arr-server-farm-returns-duplicate-entries-on-some-machines, where I posted several weeks ago but have gotten no response yet.)

I am working on integrating Application Request Routing's health checks (in Monitoring and Management) with Icinga, and to do so I've written a small C# web app that executes a WMI query and deployed it to the machine running ARR. I can then create Icinga services that call my app via HTTP. It's running under its own app pool and on most of our ARR machines everything works fine. Here's a code snippet with the relevant WMI query:

var scope = "\\\\.\\root\\cimv2";
var wmiQuery = string.Format(@"
	SELECT Name, Health, State, AverageResponseTimePerRequest
	FROM Win32_PerfFormattedData_ARRCounterProvider_ApplicationRequestRoutingServer
	WHERE Name LIKE '{0}\\%'", serverFarmName);
var searcher = new ManagementObjectSearcher(scope, wmiQuery);
var servers = searcher.Get().Cast<ManagementObject>();

When it doesn't work, we see two different problems, both of which we have "hacked" around, but one of them could potentially be concerning from a security (buffer overflow) perspective.  The first problem is the one I described on serverfault.com, where we occasionally see duplicate entries in our results.  In other words, the servers variable contains a list of four entries when there should be two:

MACHINENAME01\\farmName
MACHINENAME02\\farmName
MACHINENAME01\\farmName#1
MACHINENAME02\\farmName#1

It feels like a hack, but we've worked around that by adding 

AND NOT Name LIKE '%#%'

to the WMI query string above.  Any idea why those duplicates might appear and/or how I can prevent them without hacking?

The second (and more concerning) problem is that the value of Health, which I thought was supposed to be 0 or 1, sometimes comes back as a very large number.  As examples, I have seen the following (in no particular order):

4164354049, 811597825, 2182807553, 3284860929, 65537, 4189454337, 131073, 4206493697, 2589851649, 3203596289

After suffering from an Int32 overflow exception, I discovered that all the above numbers (1) fit into an unsigned 32-bit integer (UInt32), and (2) the bottom 16 bits are consistently 0000 0000 0000 0001.  That led us to our second hack:

foreach (var managementObject in servers)
{
    UInt32 rawHealth;
    var health = UInt32.TryParse(managementObject["Health"].ToString(), out rawHealth)
        ? rawHealth & 0xFFFF
        : 0;
    // ...
}

Any idea why those seemingly rogue large numbers might appear and/or how I can prevent them without hacking?

If it's relevant, we've seen both of these unexpected behaviors on Windows 2008 R2 / IIS 7.5 / ARR 3.0 and Windows 2012 R2 / IIS 8.5 / ARR 3.0.

Thanks in advance!

site binding certificate in IIS 8.5 by Host name and by Host name with SNI

What's difference between site binding certificate in IIS 8.5 by Host name and by Host name with enabled Require Server Name Indication?

No Least current request algorithm in ARR 3.0

Hi,

I have deployed ARR 3.0 on Windows Server 2012 R2 using the IIS Web Platform Installer.

There is no Least current request algorithm in the Load balance algorithm drop-down list.

In the Load Balance drop-down list I only have Weighted round robin, Server variable hash, Query string hash and Request hash.

Does anyone know what could be the reason?

Thank you.

How to route requests for multiple applications on multiple load balancers?

In our production environment, we have 3 web servers routing the incoming requests to one of the 4 load balancers (LB), according to consumers of the service. Earlier, only two WCF services were there, whose requests were routed to only one LB configured in the URL Rewrite module and server farm.

Now, we want to host other WCF services whose requests need to be routed to different LBs. But when we added one of our LBs to the existing server farm, the service was not browsed through IIS (we are using IIS 8) - a 404 error occurred. Then we made another server farm for the second LB and used it in the URL Rewrite module using Reverse Proxy for the particular applications. But it also didn't work.

Questions:
1. Is there any problem in our IIS or server farm configuration?
2. What is the correct approach for URL rewrite in the current scenario?
3. What can be the correct rule/pattern for the applications? Example, pattern for URLs like
Publicly shared URL - http://111.11.11.11/ExampleWcfService/ExampleWcfService.svc to be converted to
URL redirected to LB - http://222.22.22.22/ExampleWcfService/ExampleWcfService.svc

How to configure IIS for routing request to two different Load balancer IP's through server farm?

I have two different applications hosted in IIS on a web server and their requests need to be routed to different LBs. How should I configure IIS so that each application's requests get routed to its dedicated LB?
