Internet Information Services
Microsoft web server software.
1,584 questions
IIS ports, DNS, and firewalls
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 8%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Michael Mastro II
51
Reputation points
Good evening. I have been having an issue with IIS and Sophos UTM trying to access a site correctly. So the issue is I have multiple sites on the same IIS server, with two different sets of bindings. Site A is on 443, and Site B is on 444. When they communicate with each other the port bindings have been set within the appsettings.json so it would explicitly call SiteB:444 from SiteA. No problem, works fine internally.
I began to set up Sophos UTM to access SiteA and SiteB, it knows via DNS that they both share the same IP. I set up two real servers, pointing to the same host with different ports. I then set up the virtual servers via the SSL Certificates, and point them respectively to ports 443 and 444. Issue after issue, SiteB could not communicate with anything external to the UTM. Finally I was able see something in the logs, that had me make a change to the virtual server for SiteB and make that port 443. So now I have two Virtual Servers that both point to port 443 and each are bound to the name on the SSL certificate, and two Real Servers that have different ports both with the same host. I was then able to directly access SiteB.
So I now know I can access SiteA from external to the firewall, and SiteB external to the firewall (as long as I directly access SiteB). It was noticed that when SiteA made the call to SiteB it used the port 444 which started the firewall from working correctly again, since it could not distinguish SiteB:444 as a valid DNS name.
So I tried removing the port from the appsettings.json, cycled IIS and tried to access the sites internally. It all failed miserably when SiteA went to access SiteB without the port. Since it was failing internally, it still failed externally from the firewall. I know I am missing something within IIS to allow me to have SiteA call up SiteB when needed without having to explicitly put the port number in there.
So what can I do within IIS to another site look at the plain address SiteB.domain.com/* and make it SiteB.domain.com:444/*? I am sure this would make things work internally without having to explicitly put the port number in the browser address so that the Sophos UTM can find the correct IP address when it sees SiteB, since SiteB:444 does not register as a correct DNS entry.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYD%3C/text%3E%3C/svg%3E)
Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor2022-09-26T08:42:10.393+00:00 Hi @Michael Mastro II ,
According to your description, can I understand that you want to hide the port number when accessing SiteB? That is, you want to be able to access SiteB through SiteB.domain.com/, right? If so, you need to install the URL Rewrite and ARR (Application Request Routing) modules for IIS, then create a reverse proxy to do this. -
Michael Mastro II 51 Reputation points
2022-09-26T13:14:49.99+00:00 You are correct with what I am looking to do. Unfortunately the reverse proxy has broken the site completely. I get 500 errors with the url rewrite rule. It is very possible I have the reverse proxy done incorrectly.
From the logs of SiteA:
2022-09-26 12:47:40 192.168.x.x GET /Identity/Account/Login - 443 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 - https://sitea.domain.com/ 500 0 0 60136There is no corresponding entry for the call to siteb in the logs at this timeframe.
The X.X in the IP address above shows the correct address
See next reply for continued information.
-
Michael Mastro II 51 Reputation points
2022-09-26T13:17:56.327+00:00 I did make a change on the inbound rule and made the Stop Processing false. So now the logs show the following:
SiteA:
2022-09-26 12:57:14 192.168.x.x GET /Identity/Account/Login - 443 - 192.168.0.21 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.0.0+Safari/537.36+Edg/105.0.1343.42 - https://sitea.domain.com/ 500 0 0 296
SiteB:
2022-09-26 12:57:14 192.168.x.x GET /.well-known/openid-configuration X-ARR-CACHE-HIT=0 444 - 192.168.x.x Microsoft+ASP.NET+Core+OpenIdConnect+handler - - 400 605 0 4
2022-09-26 12:57:14 192.168.x.x GET /.well-known/openid-configuration X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6260712f-3e10-4cb6-95fc-569c840461dc&SERVER-STATUS=400 444 - 192.168.x.x Microsoft+ASP.NET+Core+OpenIdConnect+handler - - 400 0 0 21
2022-09-26 12:57:14 192.168.x.x GET /.well-known/openid-configuration X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6260712f-3e10-4cb6-95fc-569c840461dc&SERVER-STATUS=400 444 - 192.168.x.x Microsoft+ASP.NET+Core+OpenIdConnect+handler - - 400 0 0 23
<snipped to fit>
2022-09-26 12:57:14 192.168.x.x GET /.well-known/openid-configuration X-ARR-CACHE-HIT=0&X-ARR-LOG-ID=6260712f-3e10-4cb6-95fc-569c840461dc&SERVER-STATUS=400 444 - 192.168.x.x Microsoft+ASP.NET+Core+OpenIdConnect+handler - - 400 0 0 73The x.x in the IP address above shows the correct address
See next reply for continued information
-
Michael Mastro II 51 Reputation points
2022-09-26T13:44:29.117+00:00 My rule is as follows:
Outbound Rules:
rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1"
match filterByTags="A, Form, Img" pattern="^http(s)?://siteb.domain.com:444/(.*)"
action type="Rewrite" value="http{R:1}://siteb.domain.com/{R:2}"
preConditions
preCondition name="ResponseIsHtml1"
add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html"
InboundRules:
rule name="ReverseProxyInboundRule1" stopProcessing="false"
match url="(.*)"
conditions
add input="{CACHE_URL}" pattern="^(https?)://"
action type="Rewrite" url="{C:1}://siteb.domain.com:444/{R:1}"So this has not really fixed my problem but added another issue to the problem. What am I missing with the the URL Rewrite?
This would not take the xml code it failed to work on this forum. So I had to break it down
-
Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor
2022-09-27T09:33:33.74+00:00 Hi @Michael Mastro II ,
Try using Failed Request Tracing to Trace Rewrite Rules: https://learn.microsoft.com/en-us/iis/extensions/url-rewrite-module/using-failed-request-tracing-to-trace-rewrite-rules, FRT will reveal more information about the error for you. -
Michael Mastro II 51 Reputation points
2022-09-27T15:05:01.78+00:00 Ok I have enabled failed request tracing. On first pass with the rules as is. I looked at the trace logs and since IE was removed from the server and Edge added, nothing came up. Have had to export the logs from the server to a client computer so that they could be opened in Excel. But it was seen that the 400 code for SiteB was actually 400.605 (The request cannot be routed because it has reached the Max-Forwards limit. The server may be self-referencing itself in request routing topology.) The request could not be understood by the server due to malformed syntax.
I tried to correct this with ARR, using information from https://www.thebestcsharpprogrammerintheworld.com/2015/01/19/application-request-routing-arr-self-referencing-itself-400-or-502-3/. This completely broke SiteA and SiteB throwing 500 errors left and right. I removed all the ARR rules, and went back to the drawing board.
This time I have disabled the Inbound rule on SiteB. Now I am still getting a 500.52 status code, but am not throwing 400.605 codes anymore. Plus this has not fixed the issue with my external connection since it still presents it was SiteB.domain.com:444 to the firewall, which the DNS there does not understand so it fails to request the correct page.
I also tried the following: Enabling the Inbound rule and removing the :444 from the appsettings.json files. This led back to the 400.605 errors. So when SiteA calls SiteB it is just SiteB, the URL Rewrite is adding the :444 correctly, but then everything fails. for Max-Forward limits and malformed syntax.
-
Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor
2022-09-28T09:45:45.71+00:00 Hi @Michael Mastro II ,
Error code 400.605 (The request cannot be routed because it has reached the Max-Forwards limit. The server may be self-referencing itself in request routing topology)
From the error message it seems that when you use SiteA to call SiteB, ARR sends the request to the default 443 port, and the 443 port sends the request to itself again, there is no way to forward the request to the 444 port, causing a loopback. You need to bind your site A to another port number instead of using the default port 443, because you need to configure ARR on port 443.
-
Michael Mastro II 51 Reputation points
2022-09-28T10:54:39.897+00:00 The problem is that they are two distinct DNS names, with different content for each site. I am going to try binding SiteA to another port, but I have a distinct feeling this will not work the way it is supposed to.
-
Michael Mastro II 51 Reputation points
2022-09-28T12:14:39.97+00:00 Ok I have the bound SiteA to 442, SiteB to 444. I have the following rule in place for ARR:
rule name="ARR-SELF-REDIRECTION"
match url="Wildcards" pattern="*"
action type="Rewrite" value="https://{HTTP_HOST}/{R:0}"
stopProcessing="true"On SiteA I put a rule:
rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1"
match filterByTags="A, Form, Img" pattern="^http(s)?://sitea.domain.com:442/(.*)"
action type="Rewrite" value="http{R:1}://sitea.domain.com/{R:2}"
preConditions
preCondition name="ResponseIsHtml1"
add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html"
InboundRules:
rule name="ReverseProxyInboundRule1" stopProcessing="false"
match url="(.*)"
conditions
add input="{CACHE_URL}" pattern="^(https?)://"
action type="Rewrite" url="{C:1}://sitea.domain.com:442/{R:1}"No change to the URL Rewrite rule for SiteB
Now when I put https://sitea.domain.com in the browser it cannot find the site. There is no log information that shows for SiteA or SiteB, and there are no trace logs coming in because it is not working correctly.
Now if what I did is what you are saying it should do. If I input https://sitea.domain.com in the browser the url rewrite should say that is actually https://sitea.domain.com:442, but as far as I can tell nothing is happening, it just dead ends -
Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor
2022-09-29T09:32:26.03+00:00 I may not have understood what you meant correctly, it's not the same as mine. How does your website A call website B?
-
Michael Mastro II 51 Reputation points
2022-09-29T11:26:40.833+00:00 It is an OpenID Challenge. If SiteA is authorized, then it checks for a valid cookie, if no valid cookie, SiteB provides a Login. If it is not authorized yet, SiteB will provide the Login Screen and the Authorize Screen, before passing all that back to SiteA. Again the problem was that when it went to provide the SiteB/authorize/* or the SiteB/Login they had to be SiteB:444 which the external DNS did not understand so it failed, because of the port. So the Sophos UTM needs to pass it externally as SiteB/authorize or SiteB/Login instead of SiteB:444/authorize or SiteB:444/Login/ The UTM knows that SiteB and SiteA are the same IP Address, the external DNS knows that SiteA and SiteB are the external IP of the UTM. The UTM also knows that SiteA has it's own cert, and SiteB has a different cert. If remove all the ARR and URL Rewrite rules, and place SiteA back at 443, and add the port back into the appsettings.json. Internally every bit of communication works. Externally I can get to SiteA, I hit the Login button, and it challenges SiteB:444/authorize and attempts to serve that back, through the UTM (I can see this information correctly externally with the port) but that is where the external DNS says SiteB:444 does not exist so it hangs. So I need to server that back externally as SiteB so the DNS can work correctly. There are also other links from SiteB that are served externally, but those I have been able to access if I go straight to the link, without the port because the UTM knows that the SiteB traffic goes to this real server with port 444 appended.
-
Yurong Dai-MSFT 2,781 Reputation points Microsoft Vendor
2022-10-03T08:46:36.093+00:00 I'm back late, it's hard to reproduce this problem based on your description, if your situation is urgent, I suggest you open a case via: https://support.microsoft.com.
-
Michael Mastro II 51 Reputation points
2022-10-03T13:24:43.157+00:00 Ok, let me as this question then. Is it possible to only rewrite the outbound url if and only it if comes from a specific remote ip, say the IP address of the UTM? That way internally it shows as SiteB:444 and works, and if it comes from the UTM IP then it rewrites it as SiteB?
Sign in to comment