IIS Reverse Proxy to a subdirectory only and block other paths

Jason Munsterteiger 21 Reputation points
2021-01-06T16:23:16.39+00:00

I have read several articles and am able to successfully use the reverse proxy server with ARR and URL Rewrite but it gets me to the main landing page of our internal server. This allows logon to the appliance or admin console. Internal Server address is oneprime.XXXXX.XXXX and I need to make sure that all of the proxied requests get to oneprime.XXXXX.XXXX/sso/(various subdirectories for images and pages). I am not offloading SSL as the internal site is HTTPS.

With the easy to setup Reverse Proxy rules, I can get the site working and accessible but as I said it lands on the default page. I need all proxied requests to get to the /sso/ directory and all its sub contents.

Is there anyone out there that could help me get this setup? I have attached an image of what Imprivata said is needed to be accessed by the external clients.

54064-capture.png

Thanks,
Jason

Windows Server 2019
ASP.NET Core

Accepted answer
  1. Bruce Zhang-MSFT 3,736 Reputation points
    2021-01-11T02:38:18.89+00:00

    Hi @Jason Munsterteiger ,

    I tried to make it work with one rule but it is impossible, so it is better to use two rules.

    One rule determines whether the URI is empty. If it is empty, it will proxy to the passwordhelp page. If it is not empty, then another rule will proxy the request to the specific page.

    <!-- Fires when REQUEST_URI contains no word character, e.g. just "/" -->
    <rule name="To passwordhelp Page" stopProcessing="true">
        <match url=".*" />
        <conditions>
            <add input="{REQUEST_URI}" pattern="([\w]+)" negate="true" />
        </conditions>
        <action type="Rewrite" url="https://xxxxxx/sso/passwordhelp" />
    </rule>
    <!-- Otherwise the text matched in REQUEST_URI becomes {C:0} and is appended to /sso -->
    <rule name="To other Page">
        <match url=".*" />
        <conditions>
            <add input="{REQUEST_URI}" pattern="([\w\/]+)" />
        </conditions>
        <action type="Rewrite" url="https://oneprime.gonzaba.local/sso{C:0}" />
    </rule>
    

    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang
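
A small model of the two rules in the accepted answer above, added here as an example and not part of the original thread: it shows which rule catches which request URI, whether every rewritten URL stays under /sso/, and what the `{C:0}` capture leaves behind. It assumes URL Rewrite's default ECMAScript pattern syntax, unanchored matching and `{C:0}` as the whole matched text; `BACKEND`, `rewrite`, `audit` and the sample URIs are constructed for illustration, and IIS's own URL normalisation is not modelled.

```javascript
// Added example: models the two rewrite rules from the accepted answer.
// Assumptions: ECMAScript pattern syntax, unanchored matching, and
// {C:0} = the whole text matched by the rule's condition pattern.
const BACKEND = "https://backend.example"; // placeholder internal host

const RULES = [
  { name: "To passwordhelp Page", pattern: /([\w]+)/, negate: true, stop: true,
    target: () => BACKEND + "/sso/passwordhelp" },
  { name: "To other Page", pattern: /([\w\/]+)/, negate: false, stop: false,
    target: (c0) => BACKEND + "/sso" + c0 },
];

// Returns the rule that fired, the rewritten URL, and any tail of the
// request URI that the {C:0} capture did not carry over to the backend.
function rewrite(requestUri) {
  let result = { rule: null, url: null, dropped: "" };
  for (const r of RULES) {
    const m = r.pattern.exec(requestUri);
    const conditionMet = r.negate ? m === null : m !== null;
    if (!conditionMet) continue;
    const c0 = m ? m[0] : "";
    const dropped = m ? requestUri.slice(m.index + c0.length) : "";
    result = { rule: r.name, url: r.target(c0), dropped };
    if (r.stop) break; // stopProcessing="true"
  }
  return result;
}

// Constructed sample request URIs (not taken from the thread).
const SAMPLES = ["/", "/passwordhelp", "/images/sspw/logo.png", "/admin"];

// Flags any rewrite that would leave the /sso/ subtree or lose part of the URI.
function audit(uris) {
  return uris.map((uri) => {
    const r = rewrite(uri);
    const underSso = r.url !== null && r.url.startsWith(BACKEND + "/sso/");
    return { uri, ...r, underSso, lossless: r.dropped === "" };
  });
}

for (const row of audit(SAMPLES)) {
  console.log(row.uri, "->", row.url, "| rule:", row.rule,
              "| under /sso:", row.underSso, "| dropped:", JSON.stringify(row.dropped));
}
```

A non-empty `dropped` value marks a request whose rewritten URL differs from what the client asked for, which is worth comparing against the real proxy with Failed Request Tracing.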


4 additional answers

  1. Bruce Zhang-MSFT 3,736 Reputation points
    2021-01-07T02:23:43.083+00:00

    Hi @Jason Munsterteiger ,

    The image shows that the application startup URL is https://%ONESIGN_APPLIANCE_HOST_NAME%/sso/passwordhelp, so I think you can set the URL of the action to "https://xxxxxx/sso/passwordhelp" in the reverse proxy rule, not "https://xxxxxxx". If requests need to get to other subdirectories, you can set links in the passwordhelp page.

    Or let users enter directories at the end of the initial URL. Assuming that the initial URL is https://example.com, it proxies to https://oneprime.gonzaba.local. You can set a rule like this.

    <rule name="Reverse Proxy to webmail" enabled="true" stopProcessing="true">
        <match url="(.*)" />
        <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
        <action type="Rewrite" url="https://oneprime.gonzaba.local/sso/{R:1}" />
    </rule>
    

    So if a request needs to get to /sso/images/sspw/....., add this at the end of the initial URL: https://example.com/images/sspw/....., and {R:1} is images/sspw/......


    If the answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang


  2. Jason Munsterteiger 21 Reputation points
    2021-01-08T22:48:32.577+00:00

    Ah, I see!
    Now I do have it working once I get to the https://www.xxxxxx.com/sso/passwordhelp.
    All the links work.

    The only problem is I have to type in passwordhelp. Is there a way I can detect that {R:1} is empty?
    Essentially that the user has not supplied anything past /sso?
    I would like to have the system forward the users to the PasswordHelp page if there is nothing after xxxxx.com/sso.
    Is that possible?

    Thanks,
    Jason


  3. Jason Munsterteiger 21 Reputation points
    2021-01-11T14:32:17.173+00:00

    Thank you so much for the reply, Bruce!
    I am going to try this pattern. I could not locate a definition in Microsoft's TechNet concerning IIS and the pattern to detect an empty URI string.

    Is there a specific link you would suggest to reference the pattern entry for empty detection?

    Thanks,
    Jason


  4. Jason Munsterteiger 21 Reputation points
    2021-01-12T15:30:43.61+00:00

    Wonderful, thank you for the support.
    I have the system working as I needed now.

    Jason
