We have legacy SOAP web services (https://dev-ms01/Services/default.asmx) which are written in ASP.NET 1.1 and hosted on IIS7 (Windows Server 2008 Standard); the web services are consumed by clients by providing a client certificate. For the SSL Certificates setting we have Accept on this IIS:
`Client(Request with SSL Client Certificate)--> IIS7 (on host dev-ms01)--> Asp.Net SOAP WebServices`
Now I'm trying to set up a proxy IIS (IIS10 on a Windows Server 2016 64-bit host, secure-dev-ms01) with a reverse proxy for the IIS7. I've followed the MSDN article https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/ to configure URL Rewrite with ReverseProxy as below:
`Client(Request with SSL Client Certificate)--> Proxy IIS10 Server with ReverseProxy (on host secure-dev-ms01)--> IIS7 (on host dev-ms01) --> Asp.Net SOAP WebServices`
On the IIS10 (host secure-dev-ms01), for the SSL Certificates setting I've chosen Accept, and I've tried the below ReverseProxy configuration. When I'm trying to browse the proxy web services URL as https://secure-dev-ms01/Services/default.asmx it prompts for the client certificate, but after providing the client certificate I am seeing the below error:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
I've tried using the below ReverseProxy as well and tried browsing the proxy web services URL https://secure-dev-ms01/Services/default.asmx and provided the client certificate, but I am still seeing the below error. I've also tried unchecking the option Enable SSL Offloading for both of the above ReverseProxy configurations, but that didn't work either:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
I found this MSDN article https://blogs.msdn.microsoft.com/asiatech/2014/01/27/configuring-arr-with-client-certificate/ which suggests changing the SSL Certificates setting to Ignore on the backend server (but we cannot adopt this for our organization) and using the certificate from the X-ARR-ClientCert header, but we are trying to avoid making any code changes to the legacy ASP.NET 1.1 services.
I couldn't find any relevant articles that could make IIS ARR ReverseProxy with client certificate authentication work for the backend IIS with just configuration tweaks on the IIS10 with ReverseProxy, instead of code/config changes on the backend IIS7. Can someone please help me to make this work?
Best Answer
I assume you have the IIS7 (on host dev-ms01) machine in a secured network with no direct access from the Internet. In this case, you need to enable SSL offloading and client certificate authentication on Proxy IIS10 Server with ReverseProxy (on host secure-dev-ms01) only and disable SSL offloading and certificate auth in IIS7. In this scheme, IIS10 is responsible for the SSL handshake and certificate validation. It places the certificate (PEM) into the X-ARR-ClientCert header and proxy-passes requests to IIS7 via plain HTTP including this header. Probably you need to set up by-passing of the X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Schema and X-Forwarded-Host headers on IIS10, in the rewrite URL rule, if your ASP services have any use for them. So, for your IIS10 server:
For the IIS7 server:
Hopefully, you'll get the next scheme working:
Browser ---[HTTPS]---> IIS10 --[HTTP + headers]--> IIS7
where headers are X-ARR-ClientCert, X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Schema, and X-Forwarded-Host.
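In the answer's scheme the backend has to read X-ARR-ClientCert itself, and the header is only worth anything if IIS7 cannot be reached except through the proxy. As an added example, not code from the question, the answer or the asker's services, this IHttpModule (written for .NET Framework 2.0 or later, so it does not drop into the ASP.NET 1.1 code base as-is) trusts the header only from an assumed proxy address and chain-validates the forwarded certificate before the .asmx handler runs; the proxy address is a constructed placeholder.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Backend-side consumer of X-ARR-ClientCert: once SSL is offloaded to IIS10 the header
// is plain text, so trust it only from the proxy, then rebuild and chain-validate the cert.
public class ArrClientCertModule : IHttpModule
{
    // Assumption: the proxy's internal address (constructed placeholder value).
    private static readonly IPAddress ProxyAddress = IPAddress.Parse("10.0.0.5");

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string reason;
        X509Certificate2 cert = ValidateForwardedCert(ctx.Request, out reason);
        if (cert != null) { ctx.Items["ClientCertificate"] = cert; return; } // for the service code
        ctx.Response.StatusCode = 403;
        ctx.Response.Write(reason);
        ctx.Response.End(); // ends the pipeline, so the .asmx handler never runs
    }

    // Returns the validated certificate, or null plus the reason for the 403.
    public static X509Certificate2 ValidateForwardedCert(HttpRequest req, out string reason)
    {
        // A client that can reach IIS7 directly could forge the header itself.
        reason = "request did not arrive via the reverse proxy";
        if (!ProxyAddress.Equals(IPAddress.Parse(req.UserHostAddress))) return null;

        string header = req.Headers["X-ARR-ClientCert"];
        reason = "no client certificate forwarded";
        if (string.IsNullOrEmpty(header)) return null;

        X509Certificate2 cert;
        try { cert = new X509Certificate2(Convert.FromBase64String(header)); } // base64 DER from ARR
        catch (Exception) { reason = "malformed X-ARR-ClientCert header"; return null; }
        // Chain building checks trust, validity period and revocation; per-client
        // authorization (thumbprint or subject allow-list) remains the service's job.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        reason = "client certificate failed chain validation";
        if (!chain.Build(cert)) return null;
        reason = null;
        return cert;
    }
}
```

Register the module in the backend web.config under httpModules and keep the IIS7 site bound only to the proxy-facing interface, so the proxy-address check is backed by the network as well.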