Windows reverse proxy installation - SSO

This installation procedure was written using Windows Server 2012 R2. Some installation steps might differ in other Windows versions. This is not a production setup guide. It is intended for installation in a restricted test environment.

Step 1. Add the Internet Information Services (IIS) feature to Windows Server 2012

Use Server Manager to install IIS: Manage → Add Roles and Features



Select the IIS feature and accept all additional components that are suggested.


Before installing, setup shows a confirmation page that lists the components. Click Install.


After installation, IIS is shown in the Server Manager view.


Microsoft IIS does not support server farms by default. To make this feature work, additional extension packages have to be installed.

Microsoft Web Platform Installer is a convenient way to install additional extensions or plugins.

Web Platform Installer is available at https://www.microsoft.com/web/downloads/platform.aspx

If that is not an option:

The Web Farm extension is available at https://www.iis.net/downloads/microsoft/web-farm-framework

The Application Request Routing 3.0 extension is available at https://www.iis.net/downloads/microsoft/application-request-routing

Step 2. Configure Firewall


If port 8080 is used for the HTTP traffic, an outbound firewall rule has to be created to pass the traffic.

Open the firewall advanced settings: click the Windows button → type: firewall → select Windows Firewall with Advanced Security


Create a new outbound rule: Under the Windows Firewall with Advanced Security on Local Computer field, highlight Outbound Rules → under the Actions field, click New Rule...


Under the Rule Type page, select the option Port and click the Next button.


Under the Protocols and Ports page, choose the following:

Does this rule apply to TCP or UDP: TCP

Specific remote ports: 8080

Click the Next button


Under the Action page, choose the option: Allow the connection. Click the Next button.


Under the Profile page, choose that the rule applies with Domain, Private and Public. Click the Next button.


Under the Name page, assign a name for the rule. Click the Finish button.
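
The same outbound rule can be created and checked from an elevated PowerShell prompt. This is an added example, not part of the original procedure: the rule name and the two SSO server addresses are constructed placeholders, and the -RemoteAddress restriction goes beyond the GUI steps above, which allow port 8080 to any destination (omit that parameter to reproduce the GUI rule exactly).

```powershell
# Added example: scripted equivalent of the outbound rule from Step 2.
# $RuleName and $SsoServers are constructed placeholders, not values from this guide.
$RuleName   = 'SSO proxy outbound HTTP 8080'
$SsoServers = @('192.0.2.10', '192.0.2.11')   # documentation addresses; use your SSO servers

# Create the rule only if it does not exist yet, so the script can be re-run.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $rule = New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 8080 `
        -RemoteAddress $SsoServers `
        -Profile Domain, Private, Public
}

# Read the rule back and show what the firewall actually stored.
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter
[pscustomobject]@{
    Name          = $rule.DisplayName
    Direction     = $rule.Direction
    Action        = $rule.Action
    Profile       = $rule.Profile
    Protocol      = $port.Protocol
    RemotePort    = $port.RemotePort
    RemoteAddress = $addr.RemoteAddress
} | Format-List

# Confirm that each SSO server answers on TCP 8080 from the proxy host.
foreach ($server in $SsoServers) {
    $result = Test-NetConnection -ComputerName $server -Port 8080 -WarningAction SilentlyContinue
    '{0}:8080 reachable = {1}' -f $server, $result.TcpTestSucceeded
}
```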

Step 3. Configure Reverse Proxy

This is an example configuration for an IIS Server to function as a reverse proxy in front of two SSO-servers. This configuration example is not intended for production environments. In production, encrypted communication between the proxy and the SSO server is strongly recommended.

Reverse proxy configuration consists of the following operations:

  • Open the Internet Information Services (IIS) Manager
  • Create a self-signed certificate
  • Add a website
  • Add a server farm
  • Verify the Routing rule and URL Rewrite Rule
  • Configure the Server Affinity
  • Configure the Proxy settings
  • Configure the load balancer


Open the Internet Information Services (IIS) Manager: Windows → Type and click Server Manager → Under the Servers field, highlight IIS on the left and right-click the Proxy Server name → Select Internet Information Services (IIS) Manager.


Create a self-signed certificate: IIS Manager → Under the Connections field, left-click the server name → Double-click the Server Certificates icon

HTTPS connections require a web certificate. Either a self-signed or a trusted certificate can be used. In this example, a self-signed certificate is used.


Click the Self-Signed Certificate under the Actions field → Assign a name for the certificate. Use the value Personal for the certificate store.


Add a website: Under the Connections field, right-click Sites → Select Add Website...


In the Add Website dialog, define the following parameters:

Site name: <your site name>

Physical Path: C:\inetpub\wwwroot

Type: https

Host name: <your host name>

SSL certificate: <certificate created before>

Click the OK button.
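
The certificate and website steps above can also be scripted with the WebAdministration module. This is an added example, not part of the original procedure: the site name, the host name and port 443 are assumptions standing in for the values you chose in the dialogs.

```powershell
# Added example: scripted equivalent of "Create a self-signed certificate" and "Add a website".
# $SiteName, $HostName and port 443 are assumptions, not values from this guide.
Import-Module WebAdministration

$SiteName = 'sso-proxy'
$HostName = 'proxy.example.test'

if (Test-Path "IIS:\Sites\$SiteName") {
    throw "Site '$SiteName' already exists; remove it or choose another name."
}

# Self-signed certificate in the computer's Personal store (store name "My").
$cert = New-SelfSignedCertificate -DnsName $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# HTTPS site with the host name from the Add Website dialog.
New-Website -Name $SiteName -PhysicalPath 'C:\inetpub\wwwroot' `
    -Port 443 -HostHeader $HostName -Ssl | Out-Null

# Attach the certificate to the site's https binding.
$binding = Get-WebBinding -Name $SiteName -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Read back what was configured, including the certificate expiry date.
[pscustomobject]@{
    Site       = $SiteName
    Binding    = $binding.bindingInformation
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
} | Format-List
```

Clients do not trust a self-signed certificate until it is imported into their trusted root store, so expect browser warnings in the test environment.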


Add a server farm: Under the Connections field, right-click the Server Farm → Select Create Server Farm...


Assign a name for the server farm → Click the Next button.


Add the SSO servers to the server farm. Define the Server address (host name or IP address). Under the advanced settings, verify that you have the correct HTTP and HTTPS port numbers. In this example, the default HTTP port 80 is changed to 8080. Click the Finish button.


Click Yes to create a URL Rewrite rule to automatically route all incoming requests to your Server Farm.


Verify the Routing rule and URL Rewrite Rule: Under the Connections field, select your Server Farm name → Double-click the Routing Rules icon.


Verify that the Use URL Rewrite to inspect incoming requests checkbox is enabled. Under the Actions field, click the URL Rewrite... link.


The URL Rewrite rule name has to use the syntax: ARR_< Server Farm Name >_loadbalance. Notice! If you rename the rule, the link between ARR (Application Request Routing) and the URL Rewrite rule breaks.

To open the rule: Right-click the rule name → Select Inbound Rules → Select Edit...


Verify the following values:

Action type: Route to Server Farm

Scheme: http://

Server Farm: <Your Server Farm Name>

Path: /{R:0}


Add Condition: Click the Conditions drop-down list → Click the Add... button and specify the following values:

Condition input: {HTTP_HOST}

Check if input Matches the Pattern: Does Not Match the Pattern

Pattern: <site url>
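
The values verified above end up as a server-level rule in applicationHost.config, so they can be checked without the GUI. This read-only script is an added example, not part of the original procedure: the farm name is a constructed placeholder, and the script assumes the form ARR normally writes for "Route to Server Farm", a Rewrite action whose URL is scheme, farm name and path.

```powershell
# Added example: read-only check of the ARR routing rule in applicationHost.config.
# $Farm is a constructed placeholder; use the server farm name you assigned.
$Farm     = 'SSOFarm'
$RuleName = "ARR_${Farm}_loadbalance"      # naming syntax required by this guide
$Config   = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'

[xml]$cfg = Get-Content -Path $Config -Raw
$xpath = "/configuration/system.webServer/rewrite/globalRules/rule[@name='$RuleName']"
$rule  = $cfg.SelectSingleNode($xpath)
if (-not $rule) {
    throw "Rule '$RuleName' not found. It may have been renamed, which breaks the ARR link."
}

$action = $rule.SelectSingleNode('action')
if (-not $action) { throw "Rule '$RuleName' has no action element." }
$condition = $rule.SelectSingleNode("conditions/add[@input='{HTTP_HOST}']")

# Each entry mirrors one value from the "Verify the following values" list.
$checks = [ordered]@{
    'Action rewrites to the farm'  = ($action.GetAttribute('type') -eq 'Rewrite')
    'Scheme http and path /{R:0}'  = ($action.GetAttribute('url') -eq "http://$Farm/{R:0}")
    '{HTTP_HOST} condition exists' = [bool]$condition
    'Condition is negated'         = ($condition -and $condition.GetAttribute('negate') -eq 'true')
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISMATCH' })
}

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    throw "$($failed.Count) routing rule check(s) failed for '$RuleName'."
}
```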


Configure the Server Affinity: Under the Connections field, select your Server Farm name → Double-click the Server Affinity icon


Enable the Client affinity checkbox → Under the Actions field, click Apply.

"Sticky Sessions and client affinity are ways of maintaining a persistent connection to a specific webfarm node until the client session ends. When a client connects to a website, the load balancer starts a session on a specific node:  as long as the client is connected, all requests are sent back to that node."



Configure the Proxy settings: Under the Connections field, select your Server Farm name → Double-click the Proxy icon.


Enable the Reverse rewrite host in response header checkbox and disable the Include TCP port from client IP checkbox. Under the Actions field, click Apply.


Configure the load balancer: Under the Connections field, select your Server Farm name → Double-click the Load Balance icon.


Under the Load Balance field, configure the parameters:

Load balance algorithm: Weighted round robin

Load distribution: Custom distribution

Relative Weight of SSO Server 1: 1000000000

Relative Weight of SSO Server 2: 1

Click Apply under the Actions field.

For a High-Performance setup, the only proxy-related setting is "Load Balance". In a High-Performance setup, requests are distributed equally.

For a High-Performance setup, SSO has to be set up for the Redis in-memory database for session management.