ARR 3.0 - Not Proxying correctly

  • Question

  • User1452022761 posted

    Hey forum

    I got an IIS farm consisting of the following setup

    1 Server for ARR - all public DNS points to this server, and it is not participating in the shared config.

    3 Farm Servers

    2 Servers with DFS

    1 AD Server

    All servers are 2016 Standard with the latest updates

    There are no error reports as my question is how does it route.

    The shared config has 2 sites.

    Default (Default that IIS create during installation)

    Mytest site with two files

    index.html - which basically is just a html site with 0 formatting etc, just text.

    web.config is just a very plain file.

    <?xml version="1.0" encoding="UTF-8"?>
    <configuration>
        <system.webServer>
            <defaultDocument>
                <files>
                    <clear />
                    <add value="index.html" />
                    <add value="Default.htm" />
                    <add value="Default.asp" />
                    <add value="index.htm" />
                    <add value="iisstart.htm" />
                </files>
            </defaultDocument>
            <directoryBrowse enabled="false" />
        </system.webServer>
    </configuration>

    I am expecting that ARR reads the binding set on the 3 servers - shared config - but it does not?

    How does ARR 3.0 read the binding, I expect it to do it automatically.

    When I do a performance test or monitor test - the farm responds as expected.

    The logs give me a clear 200 0 0 0 but points to the default IIS page

    How do I solve this benign configuration error?

    Monday, November 12, 2018 10:44 AM

Answers

  • User1452022761 posted

    The keyword for getting HTTPS to work and "route" properly with wildcard certificate in ARR 3.0 with default settings is getting the following settings.

    Disable Centralized Certificates.

    Disable offload SSL, this will produce a default ARR 3.0 Route rule for HTTPS with "on" as a default.

    Install the certificate (Local machine / Webhosting) on the ARR server and attach it to the "Default Web Site" and in bindings add the certificate as
    Type = https

    Host Name = (Do not write anything)

    Port = 443

    IP Address = (Type the ARR Servers IP)

    Binding info = (Do not write anything)

    Select the correct SSL Certificate in the drop down menu.

    On the "Farm servers" (everything can be done from the IIS Gui, the above video from Windows 7/2008 R2 shows that you should type a complicated command - this is not needed in 2016 Server LTSB)

    Install the certificate (Local machine / Webhosting) and apply the certificate as you would on a single Server on every server.

    The bindings have to be the following

    Type = https

    Host Name = Write the correct public URL example.com

    Require Server Name Indication = Yes, put a true statement here.

    Port = 443

    IP Address = (Create x amounts of binding for each FARM Servers IP, one binding/ip for each server in the farm)

    Binding info = (Do not write anything)

    Select the correct SSL Certificate in the drop down menu and look on every Farm Server to see if the certificate you applied on one server in the FARM is applied to other servers in the FARM.

    This seems to work for a Windows 2016 LTSB - for one Certificate - for one company.

    This guide does not include a setup for ARR in a NLB Setup, and it does not show how you can add a second or third digital certificate for use as a true webhosting company.

    Nor does this guide set the tasks on what you should do with the Let's Encrypt certificates.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Tuesday, November 13, 2018 9:58 AM
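
    A read-only check of the farm-server half of the checklist above, added here as an example and not part of the original post. It assumes PowerShell remoting to the farm servers and the WebAdministration module on each; the server names are hypothetical, and the site name `Mytest` and host `example.com` are taken from the thread.

```powershell
# Added example. Server names are hypothetical; site and host names follow the thread.
$FarmServers = 'WEB01', 'WEB02', 'WEB03'   # hypothetical farm server names
$SiteName    = 'Mytest'                    # assumed IIS site name on the farm servers
$PublicHost  = 'example.com'               # public host name used in the answer

# Collect every https binding of the site from each farm server.
$bindings = Invoke-Command -ComputerName $FarmServers -ArgumentList $SiteName -ScriptBlock {
    param($Site)
    Import-Module WebAdministration
    Get-WebBinding -Name $Site -Protocol https | ForEach-Object {
        # bindingInformation has the form "IP:port:hostname"
        if ($_.bindingInformation -match '^(.*):(\d+):(.*)$') {
            [pscustomobject]@{
                IP         = $Matches[1]
                Port       = [int]$Matches[2]
                HostHeader = $Matches[3]
                Sni        = [bool]($_.sslFlags -band 1)   # bit 1 = Require SNI
                Ccs        = [bool]($_.sslFlags -band 2)   # bit 2 = Centralized Certificate Store
                Store      = $_.certificateStoreName
                Thumbprint = $_.certificateHash
            }
        }
    }
}

$issues = @()
foreach ($b in $bindings) {
    $where = "$($b.PSComputerName) [$($b.IP):$($b.Port)]"
    if ($b.Port -ne 443)               { $issues += "$where port is not 443" }
    if ($b.HostHeader -ne $PublicHost) { $issues += "$where host name is '$($b.HostHeader)', expected $PublicHost" }
    if (-not $b.Sni)                   { $issues += "$where Require Server Name Indication is off" }
    if ($b.Ccs)                        { $issues += "$where binding uses the Centralized Certificate Store" }
    if ($b.Store -ne 'WebHosting')     { $issues += "$where certificate store is '$($b.Store)', expected WebHosting" }
}

# A server that returned nothing has no https binding on the site at all.
foreach ($s in $FarmServers) {
    if ($s -notin $bindings.PSComputerName) { $issues += "$s has no https binding on site $SiteName" }
}

# Every farm server should present the same certificate.
$thumbs = @($bindings.Thumbprint | Sort-Object -Unique)
if ($thumbs.Count -gt 1) { $issues += "farm servers use different certificates: $($thumbs -join ', ')" }

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'All farm https bindings match the checklist.' }
```

    The script only reads bindings and changes nothing. A thumbprint mismatch or a missing SNI flag on one node is the kind of drift that makes some requests through ARR fail while others succeed.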

All replies

  • User-2064283741 posted

    "1 Server for ARR - all public DNS points to this server, and it is not participating in the shared config."

    "I am expecting that ARR reads the binding set on the 3 servers - shared config - but it does not?"

    ARR doesn't read the shared configs from the backend servers.

    And I think you misunderstand about shared configs.

    It is for the applicationhost.config for the webserver not the web.config for the websites.

    The apphost config will contain all your farm rules so they are different to the websites apphost configs

    ARR is a powerful tool but it really pays to understand it properly. I would recommend looking at Scott Forsyth's videos about it here:

    https://www.youtube.com/playlist?list=PLG2EHzEbhy087YTxXULOGtx6VLMQriVVi

    Monday, November 12, 2018 8:45 PM
  • User1452022761 posted

    Hey thanks for the answer

    I found out that I mistyped the public DNS on the IIS bindings and therefore (url rewrite within) ARR could not forward the request to the farm and that is why I got the default IIS webpage from the default ARR.

    Now I learn that https:// does not want to forward and the link is very helpful, but I am pressed for time and I need to get https url rewrite to function.

    I do see that ARR is a powerful tool, and it would not be meant to use for someone who cannot understand application development requirements for its use.

    My wish is simply too simple for ARR to understand - forward https - in the same way it does http, but I understand that IIS cannot read an encrypted host header.

    There is a solution and it is probably very easy to implement, using wild card certificate.

    Clearly ARR is for application developers who can spend months understanding the tool, system administrators that have hours to complete this cannot find out what is needed to complete the task.

    Tuesday, November 13, 2018 7:57 AM