Using the IIS Reverse Proxy with Reflection ZFE

  • 7021344
  • 29-Apr-2016
  • 02-Mar-2018

Environment

Reflection ZFE version 1.3 or higher

Situation

This technical note describes how to use the IIS Reverse Proxy with Reflection ZFE. Placing the Reflection ZFE server behind a proxy this way is necessary for compliance with Common Criteria security requirements.

Prerequisites

Resolution

Configure the IIS Reverse Proxy for Reflection ZFE

This example illustrates configuring an IIS server with the IP address of 192.168.1.1 to proxy connections to the Reflection ZFE Session Server at http://10.10.10.1:7070.

Configuring IIS

  1. Launch the Internet Information Services Manager and open the “URL Rewrite” feature.
Figure 1 - Internet Information Services Manager
  2. Choose the “Add Rule(s)” action and add a Reverse Proxy rule.
Figure 2 - Add Rule(s) dialog box
  3. For the inbound rule, enter the Reflection ZFE server’s IP address or host name and port (in this example, 10.10.10.1:7070).
  4. Enable the outbound “Rewrite” checkbox and enter the host name or IP address of the IIS server (in this example, 192.168.1.1) in the To: box.
Figure 3 - Add Reverse Proxy Rules dialog box
  5. Click OK to create the new Reverse Proxy Rule.
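As an added illustration (not part of the original technical note), this is the web.config fragment that the Add Reverse Proxy Rules wizard writes for the example addresses above; the rule names and the outbound tag filter are assumed wizard defaults, so compare them against what the wizard actually produced for your site.

```xml
<!-- web.config of the IIS site fronting Reflection ZFE (added example; rule names and
     filterByTags are assumed wizard defaults). The Reverse Proxy template requires
     Application Request Routing to be installed with proxying enabled at the server level. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound: forward every request to the ZFE Session Server -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://10.10.10.1:7070/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound: rewrite back-end links in HTML responses to the proxy's address.
             This rewrite only works on uncompressed responses, which is why gzip and
             WebSocket compression are disabled on the ZFE side in the next section. -->
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
          <match filterByTags="A, Form, Img" pattern="^http(s)?://10.10.10.1:7070/(.*)" />
          <action type="Rewrite" value="http{R:1}://192.168.1.1/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```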

Configure Reflection ZFE

In order to proxy connections, the IIS “URL Rewrite” module must inspect and rewrite the web pages and WebSocket connections that pass through the proxy. For rewriting to succeed, these items must be sent in an uncompressed form. Note that compression will still occur from the IIS server to the client’s browser, if configured. The Reflection ZFE Session Server must also be configured to allow WebSocket connections to originate from the proxy.

Steps 1 and 2 vary depending on what version of Reflection ZFE you are using. Follow the steps for the version you are using and then proceed to step 3.

For Reflection ZFE version 2.1.1 and later:

  1. Locate the jetty-web.xml file. The default location for this file is:
<install dir>/sessionserver/webapps/zfe/WEB-INF
  2. Rename the file, for example from jetty-web.xml to jetty-web-disabled.xml.

For versions 1.3 through 2.1:

  1. Open the Reflection ZFE session server’s web.xml file in a text editor. The default location is: <install dir>/sessionserver/webapps/zfe/WEB-INF.
  2. Disable the GzipFilter mapping by removing or commenting out the filter-mapping element, as shown:
<!--
<filter-mapping>
<filter-name>GzipFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
-->
  3. Save your changes, then open container.properties in a text editor. The default location for this file is:
<install dir>/sessionserver/conf
  4. Add the following lines to container.properties:
websocket.compression.enable=false
websocket.allowed.origins=http://192.168.1.1

Save changes to the file. Note: the “Allowed Origins” property is a comma-delimited list of URLs. If web clients will be connecting to your website using an HTTPS connection, adjust the URL accordingly. If both secure and non-secure connections will be used, use both URLs as the value:

websocket.allowed.origins=http://192.168.1.1,https://192.168.1.1
  5. Restart the IIS website and the Reflection ZFE Session Server, then test the proxy by connecting to:
http(s)://192.168.1.1/zfe

Troubleshooting

If you receive web server errors, enabling detailed errors may help diagnose the problem. In the IIS Manager, open the “Error Pages” feature and enable “Detailed errors”:

Figure 4 - Edit Error Page Settings dialog box

In general, errors in the 5XX range are caused by compression still being enabled on the Session Server or by mistakes in the “Allowed Origins” value.

Note: if the IIS proxy will be connecting to the Reflection ZFE Session Server with HTTPS, then the certificate used with the Session Server must be trusted by the IIS Server. If the Reflection ZFE Session Server is using a self-signed certificate, this certificate must be added to the Windows trust store. If the Reflection ZFE Session Server is using a signed certificate, then the signer must be a trusted CA.

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2859.