SharePoint 2010 - Reverse Proxy

by Aaron 18. January 2012 00:23

We have two web servers.  One server accepts traffic from the WAN on port 80.  The other accepts traffic from the WAN on port 443.  Our SharePoint 2010 instance lives on the former, but we only want public traffic coming to the SharePoint server over SSL, which, as you probably know, uses port 443 by default.

What to do, what to do?

We had several options, including opening up another port and allowing SSL traffic over that port to the port 80 server.  I didn't like that idea.  In the past, I've used the IIS URL Rewrite module for various things, so I decided to see if I could put some rules in place with that.

What I found is that URL Rewrite has a template for doing a reverse proxy.  Brilliant!  Fortunately for me, it's a common enough scenario that Microsoft decided to add a rules template to version 2 of the Rewrite Module.

If you haven't done so already, and I recommend doing it regardless of whether or not you're doing a reverse proxy, download and install the URL Rewrite module.  If you already have the IIS Manager open, you'll need to close it and reopen it for the extension to show up.


Select your site in the Sites under your server on the left.  Open the URL Rewrite extension, and click Add Rule from the Actions bar on the right-hand side.  You'll be presented with a dialog.  Choose Reverse Proxy from the Inbound and Outbound Rules category.


You are likely to be presented with a dialog saying that you need Application Request Routing installed to do the reverse proxy.  Not a problem, just follow the instructions and install it.


This one doesn't have a standalone installer.  At least not one that I could find.  You'll need to install it using the Microsoft Web Platform Installer.  I didn't care for that because I wanted to keep the number of components on the server to a minimum, but I didn't have much choice.

After installing it, closing IIS Manager, and opening it again, I repeated the previous steps and this time, I was presented with a dialog related to ARR, but asking if I wanted to enable it.  Of course I clicked OK.


Finally, I was presented with a simple data entry screen to configure some server and routing information.  I filled it out similar to this:

image

If you're doing what I'm doing and taking an HTTPS connection and forwarding it to an internal URL over HTTP, then make sure that the Enable SSL Offloading checkbox is checked.  Also, if SharePoint is configured properly, as I'll explain below, you won't need an Outbound Rule for rewriting URLs in the response.

Now SharePoint needs to be configured properly.  The internal domain that you use needs to be configured as an internet address in the Alternate Access Mappings, and the public URL needs to be the primary internet URL for the site.  Let me show you what I'm talking about.

In Central Administration, go to Application Management and select Configure alternate access mappings.  On the top right, there's a drop down named Alternate Access Mapping Collection.  Choose the SharePoint site that you're putting the reverse proxy in front of.

Whatever you used as the server name in the Inbound Rules for the reverse proxy, this needs to be an internal URL for the internet zone.  If it's not already, click on Add Internal URLs and add it.


If the URL that you're using is one of your public URLs for the SharePoint site, like mine was the public URL for the intranet zone, you'll need to either choose a different internal URL for your inbound rule, or you'll need to change the public URL.  I changed the public URL.

The internet URL is what your HTTPS web server is using.  So if the URL that you're using on the receiving web server is https://sharepoint.domain.com, then the public URL for the internet zone of your SharePoint site should be https://sharepoint.domain.com.

I believe that's it!  Because of the alternate access mapping, SharePoint 2010 will do the work of updating all of the URLs in the responses to use the internet URL for any requests coming in on http://sharepoint.internaldomain.internal, relieving you of the need for an outbound rule to rewrite responses.
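To confirm that the alternate access mappings really are doing that rewriting, a check like the following can be run over responses captured through the HTTPS front end.  It is an added example, not code from the original post; the two hostnames come from the post, while the sample responses and the function name `audit_response` are constructed for illustration.

```python
import re

# Hostnames as used in the post.
INTERNAL_HOST = "sharepoint.internaldomain.internal"
PUBLIC_HOST = "sharepoint.domain.com"

# Absolute URLs: scheme, host, optional port.
URL_RE = re.compile(r"(https?)://([A-Za-z0-9.-]+)(?::\d+)?", re.IGNORECASE)


def audit_response(headers, body):
    """Return (where, problem, url) findings for one response seen by a client.

    Flags absolute URLs that name the internal host (the mapping is missing,
    so the back-end name leaks) or that point at the public host over plain
    HTTP (the internet zone's public URL is not the https:// one).
    """
    findings = []
    sources = [("header:" + name, value) for name, value in headers.items()]
    sources.append(("body", body))
    for where, text in sources:
        for m in URL_RE.finditer(text):
            scheme = m.group(1).lower()
            host = m.group(2).lower().rstrip(".")
            if host == INTERNAL_HOST:
                findings.append((where, "internal host exposed", m.group(0)))
            elif host == PUBLIC_HOST and scheme != "https":
                findings.append((where, "public host over plain HTTP", m.group(0)))
    return findings


# Constructed sample responses (not captured from a real farm):
# GOOD is what a correctly mapped site should return, BAD is a misconfigured one.
GOOD = ({"Location": "https://sharepoint.domain.com/Pages/Default.aspx"},
        '<a href="https://sharepoint.domain.com/Lists/Tasks">Tasks</a>'
        '<a href="/SitePages/Home.aspx">Home</a>')
BAD = ({"Location": "http://sharepoint.internaldomain.internal/Pages/Default.aspx"},
       '<a href="http://sharepoint.domain.com/Lists/Tasks">Tasks</a>')

if __name__ == "__main__":
    for name, (hdrs, html) in (("good", GOOD), ("bad", BAD)):
        print(name, audit_response(hdrs, html))
```

Any finding means either the internal URL is not mapped to the internet zone or the zone's public URL is wrong, which is exactly the case where an outbound rewrite rule would otherwise be needed.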
