Channel: Application Request Routing (ARR)

ARR 3.0 removed some load balancing algorithms

Hi,

As some of you might know, with ARR 3.0 some algorithms have been removed (compared to ARR 2.0).

I was interested in the "least current request" algorithm of ARR 2.0 which seems to be the "smartest" option, smarter than the current default round robin at least.

Does anyone have an idea why some of the algorithms have been removed? And which is the best alternative in combination with Exchange (2016)? I would prefer something more intelligent than round robin. For round robin I could use DNS as well, or is there still a difference?

Many thanks for the help!


Reverse proxy to 2 internal IIS servers

Hi,

I'm having real problems setting up reverse proxy for 2 internet DNS names to 2 internal IIS servers.

test1.externaldnsname.com:80 >> testA.internaldnsname.local:80

test2.externaldnsname.com:80 >> testB.internaldnsname.local:80

I have IIS 8.5 with ARR.


I've enabled ARR and set the reverse proxy to testA.internaldnsname.local

This works ok, but how do I reverse proxy for testB.internaldnsname.local?

I've tried editing the auto-generated re-write rule, and setting a condition (HTTP_HOST,test1.externaldnsname.com)

This continues to work, although strangely, the first time I access this page externally, it shows the default website IIS page, refreshing it then brings up the correct page.

Then I created another URL Rewrite rule for test2.externaldnsname.com (pattern: test2.externaldnsname.com, similar condition as before, rewrite rule: http://testB.internaldnsname.local/{R:0})

So in summary:
DEFAULT AUTO-GENERATED RULE:
pattern: *
Condition: HTTP_HOST, test1.externaldnsname.com
action: rewrite testA.internaldnsname.local/{R:0}
stop processing subsequent rules: unchecked


SECOND RULE:
pattern: test2.externaldnsname.com
Condition: HTTP_HOST, test2.externaldnsname.com
action: rewrite testB.internaldnsname.local/{R:0}

Now, the first one still has the same behaviour as before (first goes to default website IIS test page, when refreshed goes to correct internal site).
However, the second site just goes to the default website IIS test page, regardless of how many times I refresh.

Any help appreciated.

ARR Undoing Re-Write Rule

I have an asp.net mvc site and want paths starting with x/ to reverse proxy to another iis website installed on same server with a url of http://localhost:8100. So basically if I go to mydomain.com/x/ it should re-write to http://localhost:8100/

When I type the url though I get a 404 error saying url cannot be found: Requested url /x/

I turned on failed request routing and it shows that the rewrite succeeded:

RULE_EVALUATION_END

RuleName: MyRule
RequestURL: http://localhost:8100/
QueryString:
StopProcessing: true
Succeeded: true

15. GENERAL_SET_REQUEST_HEADER
HeaderName: X-Original-URL
HeaderValue: /x/
Replace: true

16. URL_CHANGED
OldUrl: /x/
NewUrl: http://localhost:8100/

17. URL_REWRITE_END
RequestURL: http://localhost:8100/

The rewrite rule thus appears to be doing the right thing and rewriting to http://localhost....

But then after this section in the log I get:

Handler_Change

OldHandlerName: ExtensionlessUrlHandler-Integrated-4.0
NewHandlerName: ApplicationRequestRoutingHandler
NewHandlerModules: ApplicationRequestRouting
NewHandlerScriptProcessor:

....

URL_Changed

OldUrl: http://localhost:8100/
NewUrl: /x/

It's as if ARR is undoing the rewrite and the new url is consistent with the 404 error I receive.

Why is ARR undoing the rewrite?

It's worth noting that if I change the rule to redirect and run it on the server, it works.

Problems with ARR and large GET queries

Hello all,

We ran into a problem with ARR and HTTP GET requests which have a query over 4k.

Other solutions (e.g. http://stackoverflow.com/questions/35949278/event-log-warning-url-for-this-request-exceeds-the-configured-maxurllength-des) seem to only affect IIS itself, but according to the failed request tracing the problem comes from ARR:

ModuleName: ApplicationRequestRouting
Notification: EXECUTE_REQUEST_HANDLER
HttpStatus: 413
HttpReason: FULL head
HttpSubStatus: 0
ErrorCode: The operation completed successfully. (0x0)
ConfigExceptionInfo:

At the moment the installed version of the requestRouter.dll is 7.1.1630 but I guess that problem might also exist on other versions.

Does anyone else have that problem? How can we work around it?

(The problem is that these large requests are generated by a software which could not be changed)

Regards

Use back reference value to get the value of server variable.

Hi All,

I have made the below rule, which works fine. It uses a server variable to construct the substitute url.

<rule name="Reverse Proxy to Rest" enabled="true" stopProcessing="true">
  <match url="^rest/.*" />
  <action type="Rewrite" url="{TESTARRDOMAIN}/{C:4}/{C:5}" />
  <conditions>
    <add input="{HTTP_HOST}{HTTP_URL}" pattern="^gateway(.*?)(\.internal\.test\.com|\.test\.com)/(rest)/(.+?)/(.*)" />
  </conditions>
  <serverVariables>
    <set name="TESTARRDOMAIN" value="https://arr.test.com" />
  </serverVariables>
</rule>

Now what I am trying to achieve is this: I want to pass the server variable as a back reference, and at run time I want to use {C:X} to construct the substitute url.

Put more simply, I am trying to identify the domain based on the value of one of the back references which is passed in the url.

Example:

http://gateway.internal.test.com/rest/api/TESTARRDOMAIN/core/v3/places/18632

So here TESTARRDOMAIN is my {C:4}, which I would like to use to get the domain "https://arr.test.com" and make the substitute url.

I am not sure if there is any other way to achieve the same.

Thanks in advance!!

Help with URL rewrites in ARR

Hello all,

I was put in charge of using ARR as a proxy and setting up a new web application to run simultaneously with our old one.  I am simply a programmer that was put in charge of this, so I am struggling a little bit and could really use some help.

My set up:  I have two server farms and they each have 2 servers in them: tomcat2 and weblogic2

So to avoid everyone at our organization having to change bookmarked links we decided to use a cookie to determine whether the request should go to tomcat server farm or weblogic server farm. 

Currently I can get the url rewrite to work, but for whatever reason it seems like the "stop processing of subsequent rules" doesn't work. I end up getting an ERR_TOO_MANY_REDIRECTS error.

I am not sure what information would be beneficial to you, but I can provide anything needed and I will do it as quickly as possible.  Thank you in advance for your help.

About ARR works under IIS 10

Before, I installed the ARR helper on Windows Server 2012 R2 and IIS 8.5, and it changes the LB IP address to the X-Forwarded-For value from the header.

But on Server 2016 and IIS 10, I installed ARR 3.0 and it doesn't do this any more.

Is there any setting I need to change to make it work?

ARR Broken after Adding Virtual Directory


I have inherited administration of an IIS 8.5 server. Totally not a competency of mine but one of those cases where I am the best qualified to own it.

ARR was configured on the IIS machine root to act as a reverse proxy to SSRS (in Native Mode) on another server (URL rewrite configured for /reports and /reportserver).

A new need arose to host some static files and this morning I added a Virtual Directory under the Default Web Site for this purpose. It wasn't until later in the afternoon that I learned that the reverse proxy to SSRS was no longer working - the obvious conclusion is that this is related to the change made earlier in the day.

Nothing I have tried (including removing the Virtual Directory) has been able to correct this. Neither have I been able to find anything to suggest why;

- Adding the VD under Default Web Site might have wrecked the ARR/URLRewrite configuration on the host node.
- Why the reverse proxy continues not to work.

Attempts to reach the rewritten address yield IIS log entries like;

2017-09-01 18:04:00 192.168.55.101 GET /reports X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=27a732e2-733b-49af-b08e-88ef9a49f05f&SERVER-STATUS=400 443 - 95.148.150.28 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/60.0.3112.113+Safari/537.36 - 400 0 0 79

The same attempts do not appear to create entries in the Failed Request Trace Logs (All Content, 400-999, WWW Server, Verbose, All).

The response header looks like;

date: Fri, 01 Sep 2017 18:24:41 GMT
server: Microsoft-IIS/8.5
x-powered-by: ARR/3.0
content-length: 0

400 Bad Request

The report server itself is happy (can be reached internally using its hostname).

The following image describes the ARR configuration as I found it after being alerted to the issue. The warning about "Server routing rules have not been created." seems wrong but I don't know what I'd enter for 'Reverse Proxy' which is required when enabling "Use URL Rewrite to inspect...";

https://ionwerks.net/iis_aar.jpg

I would be immensely grateful for any advice or insights from an IIS expert. Thanks.


IIS URL Rewrite + ASP.NET with ADFS Single Sign-On having maxQueryStringLength error

Hi all,

I need help. I am having this issue setting up our ASP.NET application with ADFS SSO behind a Reverse Proxy. I'm getting the exception: Exception message: The length of the query string for this request exceeds the configured maxQueryStringLength value.

I have tried setting the IIS Request Filtering Settings, Maximum URL Length (Bytes) & Maximum query string (Bytes), to 4028 but it does not work.

Our client requires a 3 tier network architecture (Web, App & DB Zone)

Sample Design:

Workflow:

  1. Public user will hit https://application.domain.com and the F5 LB will redirect to either Reverse Proxy 1 or 2
  2. The Reverse Proxy will URL Rewrite to http://application-internal.domain.com which is mapped to another load balancer. This LB will direct to either APP Server 1 or 2
  3. Upon first hit, the APP Servers will need to authenticate and Redirect the user to an ADFS Server hosted outside the network. Example: https://application.domain.com/adfs/ls/?wtrealm=<some string>&wctx=<some string>&wa=<some string>&wreply=<some string>
  4. Since it's behind a reverse proxy. I have setup a Redirect Rule on the proxy servers to detect */adfs/ls/* and redirect it to the correct ADFS URL. adfsserver.domain.com instead of application.domain.com
<rule name="RedirectRule" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <add input="{QUERY_STRING}" pattern="*/adfs/ls/*" />
  </conditions>
  <action type="Rewrite" url="https://adfsserver.domain.com/{C:2}" />
</rule>

Here's the sample ADFS URL. More than 2700 characters.


ARR+NLB slow response on initial request(s)

Hi all,

We have a serious issue on our ARR+NLB webfarm. Responding to the first request (the one that actually starts the application) is very slow.

More specifically: Each webserver in the farm responds very slowly to the first request for an application that was just started. It takes 60 seconds and up to respond to a simple MVC page.

Is there any logical explanation for why an initial request on an ARR+NLB webfarm takes much longer than on one of the webservers directly? I can't seem to find the cause of this. Anyone have any ideas/pointers?

Best regards,
Raymond

ARR rule priority

Hello,

Hoping you can answer a question for me regarding the rule priority in ARR.

Would I be correct in thinking that the most efficient way to order the rules would be to start with the most likely to be met, then decreasing in likelihood?

We have inherited a configuration which I believe needs to be changed to the above.

Many thanks

cookies

Hi,

I'm not great with computers, but I'm doing an on-line class and when I try to log into webadvisor, it tells me that the maximum number of cookie values has been reached? It won't let me in. Any suggestions on what I can do?

Replicating reverseRewriteHostInResponseHeaders in URLRewrite

I have the same issue as OP in https://forums.iis.net/t/1160195.aspx.

One of the answers was : 'You lose the fixup of Set-Cookie and Location headers that ARR does - the next beta of URLRewrite v2 will include the capability to have rules to rewrite response headers, so at that point, you should be able to not use reverseRewriteHostInResponseHeaders'

My questions:

  1. Since the answer is pretty old, can someone confirm that reverseRewriteHostInResponseHeaders ONLY fixes the Set-Cookie and Location headers and no others?
  2. Can someone post an efficient rewrite rule(s) which replicates reverseRewriteHostInResponseHeaders?

How to configure ARR on public-facing IIS server for simple redirections to other internal IIS servers

I have spent hours trying to figure out how to set up ARR to do what I want and I can't find a way, help would be greatly appreciated. We basically have 3 servers like this:

  • SERVER01.mydomain.com: IIS with ARR, Website01 (website01.mydomain.com), Public-facing IP
  • SERVER02.mydomain.com: IIS, Website02 (website02.mydomain.com), Internal IP
  • SERVER03.mydomain.com: IIS, Website03 (website03.mydomain.com), Internal IP

Because SERVER01 is public-facing, it receives all requests. I want:

  • SERVER01 to serve requests for website01.mydomain.com.
  • SERVER01 to redirect requests for website02.mydomain.com to SERVER02.
  • SERVER01 to redirect requests for website03.mydomain.com to SERVER03.

So far, I have achieved part of this by doing the following:

  • Set ARR on SERVER01 as a reverse proxy to SERVER02.mydomain.com.
  • Created an empty, dummy website on SERVER01 with bindings to website02.mydomain.com.
  • Added a URL Rewrite rule at the server level on SERVER01. When HOST_NAME matches website02.mydomain.com, URL is rewritten to http://SERVER02.mydomain.com/{R:0}.

This works for the redirect to SERVER02 for website02, and SERVER01 can still serve its own websites. But I am struggling to achieve the same thing for the redirect to SERVER03 for website03, since reverse proxy may only specify a single server address. Also, why is there a need to create a dummy website for each address that must be redirected? Please note that multiple IPs are not an option, merging all websites on the same server is not an option either, as is having different ports for each website.

There's gotta be a way to do this?

Thank you
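
Added example (not from either poster or from Microsoft): a server-level URL Rewrite rule set for the host-based reverse proxying asked about in this post and in "Reverse proxy to 2 internal IIS servers" above. It assumes ARR proxying is enabled and that a site on SERVER01 has a binding that accepts the two host names; the rule names are made up.

```xml
<!-- Added example: applicationHost.config on the ARR server (SERVER01).
     Rule names are made up; host and server names are the ones in the post. -->
<configuration>
  <system.webServer>
    <!-- ARR proxying has to be on for a Rewrite action that targets another server. -->
    <proxy enabled="true" />
    <rewrite>
      <globalRules>
        <!-- The match url pattern is tested against the URL path only, never the
             host name, so it accepts every path here and the host test lives in
             the conditions block. One rule per external host name. -->
        <rule name="Proxy website02" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <!-- Anchored and escaped, with an optional port, so that only this
                 exact Host header is forwarded to the internal server. -->
            <add input="{HTTP_HOST}" pattern="^website02\.mydomain\.com(:\d+)?$" />
          </conditions>
          <action type="Rewrite" url="http://SERVER02.mydomain.com/{R:1}" />
        </rule>
        <rule name="Proxy website03" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^website03\.mydomain\.com(:\d+)?$" />
          </conditions>
          <action type="Rewrite" url="http://SERVER03.mydomain.com/{R:1}" />
        </rule>
        <!-- No rule matches website01.mydomain.com, so SERVER01 serves it locally.
             Any other Host header also falls through and is never proxied inward. -->
      </globalRules>
    </rewrite>
  </system.webServer>
</configuration>
```

A host name placed in the match url pattern, as in the second rule of the earlier post, is compared with the request path and so does not match a request for the site root.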

ARR 2.0 BUG - combined with managed http module timeout on read inputstream

Hey.
I have an ARR related problem. I have posted the full description at stackoverflow too:
http://stackoverflow.com/questions/5475608/iis7-application-request-routing-arr-reverse-proxy-combined-with-managed-module

Basically I am using ARR in reverse proxy mode with URL rewrite, all works fine, all pages delivered ok.
Then I add a managed http module. Works fine too. I can manually log in a file request headers, response headers, etc.
I have used a response.filter custom built stream applied on RequestStart and I can see the response too.


The moment I try to read the Request.InputStream on BeginRequest, I get timeouts:
HTTP Error 502.3 - Bad Gateway The operation timed out Handler ApplicationRequestRoutingHandler Error Code 0x80072ee2
MODULE_SET_RESPONSE_ERROR_STATUS Warning ModuleName="ApplicationRequestRouting", Notification="EXECUTE_REQUEST_HANDLER", HttpStatus="502", HttpReason="Bad Gateway", HttpSubStatus="3", ErrorCode="2147954402", ConfigExceptionInfo="" SET_RESPONSE_ERROR_DESCRIPTION Warning ErrorDescription="The operation timed out"


If I read the Request.InputStream on EndRequest of my module, it has the size 0 bytes, even if I made a POST.

I am just guessing ARR is disturbed by the fact that I read the input stream.


LATER EDIT: Made a TCP dump with WireShark and also looked at a WinHttp trace in both cases (module accessing input stream and without accessing). Apparently ARR only sends the initial TCP packet with the headers, it no longer sends the second packet with the POST content, and then it RSTs the connection. This seems like a bug to me.

Ideas?
Thanks.

ARR 2.0 issues with POST requests

We have implemented a Reverse Proxy to WebSphere back-end servers using ARR 2.0 and URL rewrite 2.0. The public facing IIS website was using Forms Authentication and everything worked normally so far, but now the public facing IIS website's authentication mechanism has been changed to integrate with OKTA SSO using WS-FED. As soon as the OKTA SSO integration was done, the reverse proxy failed. The http GET requests are OK but as soon as the traffic encounters an http POST, it fails with a socketTimeout exception. The socketTimeout exception is logged in WebSphere logs. Looking at the exception it looks like WebSphere has been waiting for the response from somewhere (I presume ARR) and timed out.

Enabled FRT on IIS and it shows the error below:

MODULE_SET_RESPONSE_ERROR_STATUS 

ModuleName: ApplicationRequestRouting
Notification: 128
HttpStatus: 500
HttpReason: Internal Server Error
HttpSubStatus: 0
ErrorCode: 0
ConfigExceptionInfo:
Notification: EXECUTE_REQUEST_HANDLER
ErrorCode: The operation completed successfully. (0x0)

And also two steps up, the General_Read_entity_end shows Bytes received as zero.

195. GENERAL_READ_ENTITY_END

BytesReceived: 0
ErrorCode: 2147942438
ErrorCode: Reached the end of the file. (0x80070026)

Searching through multiple forums, I found this one - https://forums.iis.net/p/1176872/1976974.aspx#1976974 but here ARR clearly threw a 502.3, it looks similar but may not be exactly the same.

Also, I tried request.InsertEntityBody() on Application_BeginRequest in my global.asax file, but it didn't help.

So, what could be the issue? And is InsertEntityBody the right thing to do, and if yes, am I doing it in the wrong event?

Thanks.

Live traffic test, stage.

Good afternoon, what do you think is the best health check arrangement for an ARR farm? I have a farm of 10 real servers to which I want to apply the live traffic test. I understand that the only way out of the unhealthy state is through a URL test check. I assume that I have 10 servers. What do you think of this configuration:
Failure Code: 500-600
Maximum Failures: 20
Failover Period: 10
Minimum Servers: 5
Check by URL every 14400 seconds, or 4 hours.
I assume, unless I have misunderstood, that with repeated 500 errors, even if all 10 fail, I will always have 5 active, and after 4 hours, in case the 500 code was temporary or a false positive, the failed servers will return to service. Am I right?

Thank you so much. regards

ARR is adding Auth Negotiate/NTLM headers when it shouldn't!

Hi Guys,

We have an ARR 3 box in front of a Skype for Business server. The SFB server had a web service which is expecting, and requires anonymous authentication. If we point our client directly at SFB it works as expected. However pointing the client to ARR to proxy the request returns a 401.

Looking at the IIS trace log, the request comes into ARR with these headers:

Content-Length: 271
Content-Type: text/xml; charset=utf-8
Accept-Encoding: gzip, deflate
Expect: 100-continue
Host: sfb.domain.com
SOAPAction: "http://schemas.microsoft.com/OCS/AuthWebServices/GetRootCertChains"
X-Original-URL: /CertProv/CertProvisioningService.svc/anon

However when leaving ARR to go to the SFB server the following is sent:


Content-Length: 1293
Content-Type: text/html
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-MS-Server-Fqdn: SFB.domain.com
X-MS-Correlation-Id: 2147491040
client-request-id: 3d8d3f2f-1354-4703-86fd-d557c7d4fc0e
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Powered-By: ARR/3.0

The full error message from the test client is:

Error Message : No response received for getting root certificate chain.
                Inner Exception:The HTTP request is unauthorized with client
                authentication scheme 'Anonymous'. The authentication header
                received from the server was 'Negotiate,NTLM'.
                Inner Exception:The remote server returned an error: (401)
                Unauthorized.

Diagnosis     :
                Inner Diagnosis:Content-Length : 1293
                Content-Type : text/html
                WWW-Authenticate : Negotiate,NTLM
                X-MS-Server-Fqdn : SFB.domain.com
                X-MS-Correlation-Id : 2147489814
                client-request-id : bdce91db-9aed-455f-810d-138f77f77058
                Strict-Transport-Security : max-age=31536000; includeSubDomains
                X-Powered-By : ARR/3.0
                Date : Thu, 02 Nov 2017 17:07:15 GMT

To me, a simple sysadmin, it looks like ARR is adding in some Authentication headers in the HTTP request being sent to the SFB server, essentially forcing the connection between ARR and the SFB server to use NTLM. This isn't supported and it needs to be anonymous.

Can anyone shed any light at all on what's going on here? ARR itself only had Anonymous authentication installed / enabled on the default site, and I can't seem to see any option where I can tell ARR to NOT add these headers.

Any help greatly appreciated.

Thanks - Steve

Content server unable to require client certificates on individual pages

I have an ssl enabled website that needs to require client certificates on a specific page. All other pages of the website do not require client certificates (however are still ssl enabled).

I have an ARR server that handles SSL and routes requests to the content server. My problem is that I can not require client certificates on individual pages of the content server. I can require client certificates for the entire site via the ssl settings on the ARR server, but this doesn't work for me because I only need one page to require client certificates. Any ideas how to go about this?

Need to Allow an IP when blocking pattern

In my routing rules, I have entries in "Requests with the following patterns are not forwarded", i.e., I am blocking certain site patterns. However, I want to allow certain external IPs in, essentially bypassing the routing rule. Is this even possible?
