Windows reverse proxy installation - SSO

This installation procedure was tested on the following Windows Server versions: 2012 R2 and 2019 Standard. Some installation steps may differ on other Windows versions. This is not a production setup guide; it is intended for installations in a restricted test environment.

Note that since v. 8.4 the Accounting Service URLs configured in win32.config also need to be taken into account when configuring the reverse proxy. Step 4 has been added for guidance.


Step 1: Add the Internet Information Services (IIS) role to Windows Server 2012/2019

  1. Use Server Manager to install IIS: Manage → Add Roles and Features
  2. Click Add roles and features.

  3. Select the Web Server (IIS) role and accept all the additional components that are suggested.

  4. Before installing, the setup shows a confirmation page listing the selected components. Click Install.

  5. After installation, IIS is shown in the Server Manager view.

Microsoft IIS does not support server farms by default; to enable this feature, additional extension packages have to be installed.

The Microsoft Web Platform Installer is a convenient way to install additional extensions or plugins (note that Microsoft retired the Web Platform Installer in 2022, so the direct downloads below may be the only option on a new server).

The Web Platform Installer can be found at https://www.microsoft.com/web/downloads/platform.aspx

If that is not an option:

The Web Farm Framework extension can be found at https://www.iis.net/downloads/microsoft/web-farm-framework

The Application Request Routing 3.0 extension can be found at https://www.iis.net/downloads/microsoft/application-request-routing (ARR requires the URL Rewrite module, which the ARR installer pulls in as a dependency; the routing and rewrite rules in Steps 3 and 4 depend on both).
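The same role installation without the Server Manager GUI, plus a check that the two IIS modules the rest of this guide relies on are actually registered. This is an added example, not part of the original guide; it assumes it is run as Administrator on the proxy host and that ARR 3.0 and URL Rewrite have already been installed from the downloads above (they are MSI/EXE packages this script does not fetch).

```powershell
# Added example (not from the original guide): Step 1 from an elevated PowerShell prompt.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null

# ARR and URL Rewrite are separate downloads (links above). Once installed they are
# registered as IIS global modules under these names; verify that before Step 3.
Import-Module WebAdministration
$required = @('RewriteModule', 'ApplicationRequestRouting')
$present  = (Get-WebGlobalModule).Name
foreach ($m in $required) {
    if ($present -contains $m) { "OK       $m" }
    else                       { "MISSING  $m - install URL Rewrite / ARR 3.0 and run this check again" }
}

# ARR only forwards requests when its proxy mode is enabled (IIS Manager: server node ->
# Application Request Routing Cache -> Server Proxy Settings -> Enable proxy).
# This sets the same attribute in applicationHost.config in case the GUI steps left it off.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.webServer/proxy' -Name enabled -Value $true
```

Run the check again after installing ARR: a farm created in Step 3 with the RewriteModule missing produces a routing rule that never fires, which is easy to mistake for a firewall problem.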

Step 2. Configure the Firewall


If port 8080 is used for the SSO HTTP traffic between the proxy and the SSO servers, an outbound rule has to be created so that the firewall on the proxy host passes that traffic.

Since v. 8.4, add the configured Accounting Service local port to the list of ports, e.g. "8080, 8084", and name the rule accordingly.

  1. Open the Firewall advanced settings: click the Windows button → type: firewall → select Windows Firewall with Advanced Security.

  2. Create a new Outbound rule:
    1. Under the Windows Firewall with Advanced Security on Local Computer field, click the Outbound Rules
    2. Under the Actions field, click New Rule...

  3. Under the Rule Type page, select the option Port and click the Next button.

  4. Under the Protocols and Ports page, choose the following:
    1. Does this rule apply to TCP or UDP: TCP
    2. Specific remote ports: 8080 (since v. 8.4 also the Accounting Service port, e.g. 8080, 8084)
    3. Click the Next button.

  5. Under the Action page:
    1. Choose the option: Allow the connection.
    2. Click the Next button.

  6. Under the Profile page:
    1. Choose that the rule applies to the Domain, Private and Public profiles.
    2. Click the Next button.

  7. Under the Name page:
    1. Assign a name for the rule.
    2. Click the Finish button.
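The same outbound rule created from PowerShell, followed by the check a practitioner wants before touching IIS: that each backend port is reachable from the proxy host. This is an added example, not part of the original guide; the SSO host names sso1.example.com and sso2.example.com and the ports 8080 (SSO) and 8084 (Accounting Service) are assumptions standing in for the values in your win32.config. Unlike the GUI steps, the rule is pinned to the resolved backend addresses rather than "any remote address".

```powershell
# Added example (not from the original guide): Step 2 as PowerShell, run as Administrator.
$ssoServers   = @('sso1.example.com', 'sso2.example.com')   # assumed backend host names
$backendPorts = @(8080, 8084)   # ports of proxy.local.url and accounting.proxy.local.url (assumed)
$ruleName     = 'SSO proxy to SSO backends (8080, 8084)'

# Resolve the backends once so the rule is limited to their addresses (least privilege);
# CNAME answers are skipped so only A records end up in the list.
$remoteAddresses = foreach ($s in $ssoServers) {
    Resolve-DnsName -Name $s -Type A -ErrorAction Stop |
        Where-Object Type -eq 'A' | ForEach-Object IPAddress
}

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemotePort $backendPorts -RemoteAddress $remoteAddresses `
    -Profile Domain, Private, Public | Out-Null

# Show what was actually stored for the rule.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter | Select-Object Protocol, RemotePort

# Reachability check from the proxy host: a "False" here means the SSO node is not
# listening on that port or something between the hosts blocks it, not an IIS problem.
foreach ($s in $ssoServers) {
    foreach ($p in $backendPorts) {
        $r = Test-NetConnection -ComputerName $s -Port $p -WarningAction SilentlyContinue
        '{0}:{1} TcpTestSucceeded={2}' -f $s, $p, $r.TcpTestSucceeded
    }
}
```

Windows Defender Firewall allows outbound traffic by default, so this rule only changes behaviour where the outbound default has been set to Block by policy; it does no harm otherwise. If the SSO servers' addresses change, the rule must be recreated because it stores addresses, not names.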

Step 3. Configure Reverse Proxy for SSO

This is an example configuration for an IIS server to function as a reverse proxy in front of two SSO servers. This configuration example is not intended for production environments. In production, encrypted communication between the proxy and the SSO servers is strongly recommended; the example below deliberately uses plain HTTP on port 8080 between them.

Reverse proxy configuration consists of the following operations:

  • Open the Internet Information Services (IIS) Manager
  • Create a self-signed certificate
  • Add a website
  • Add a server farm
  • Verify the Routing rule and URL Rewrite Rule
  • Configure the Server Affinity
  • Configure the Proxy settings
  • Configure the load balancer


  1. Open the Internet Information Services (IIS) Manager:
    1. Windows button → type Server Manager and click it.
    2. Under the Servers field, highlight IIS on the left.
    3. Right-click the proxy server name.
    4. Select Internet Information Services (IIS) Manager.

  2. Create a self-signed certificate:
    1. Go to IIS Manager
    2. Under the Connections field, left-click the server name
    3. Double-click the Server Certificates icon.

    HTTPS connections require a web server certificate. Either a self-signed or a CA-issued (trusted) certificate can be used. In this example, a self-signed certificate is used. Note that the certificate IIS Manager generates is issued to the server's own machine name, so browsers will report a name mismatch unless that name equals the host name of uas.url; in a test environment this can be accepted.

    For testing you can also use the self-signed certificate created during the SSO installation process by importing C:\Program Files\Ubisecure\ubilogin-sso\ubilogin\custom\tomcat\keystore.pfx. This certificate has both the SSO and the Accounting Service host names as subject alternative names, so the same certificate also serves the binding added in Step 4.

  3. Click Create Self-Signed Certificate... under the Actions field.
    1. Assign a name for the certificate.
    2. Use the value Personal for the certificate store.

  4. Under the Connections field, right-click the Sites → Select Add Website...

  5. In the Add Website dialog, define the following parameters:

    1. Site name: <your site name>

    2. Physical Path: C:\inetpub\wwwroot

    3. Type: https

    4. Host name: <uas.url from win32.config>

    5. SSL certificate: <certificate created before>

  6. Click the OK button.
  7. Under the Connections field, right-click Server Farms.
    1. Select Create Server Farm...

  8. Assign a name for the server farm

    1. Click the Next button

  9. Add the SSO servers to the server farm.

    1. Define the Server address (host name or IP address).

    2. Under the advanced settings, verify that you have the correct HTTP and HTTPS port numbers. In this example, the default HTTP port 80 is changed to 8080 (the port from proxy.local.url in win32.config).

    3. Click the Finish button.

  10. Click Yes to create a URL rewrite rule to automatically route all incoming requests to your server farm.

  11. Under the Connections field, select your Server Farm name
    1. Double-click the Routing Rules icon.

  12. Verify that the Use URL Rewrite to inspect incoming requests checkbox is enabled.
  13. Under the Actions field, click the URL Rewrite... link.

  14. The URL Rewrite rule name has to use the syntax: ARR_<Server Farm Name>_loadbalance.

    If you rename the rule it will break the link between ARR (Application Request Routing) and URL Rewrite rule.

  15. To open the rule: Right-click the rule name → Select Inbound Rules → Select Edit...

  16. Verify the following values:

    1. Action type: Route to Server Farm

    2. Scheme: http://

    3. Server Farm: <Your Server Farm Name>

    4. Path: /{R:0}

  17. Click the Conditions drop-down list → Click the Add... button and specify the following values:

    1. Input: {HTTP_HOST}

    2. Check if input string: Matches the Pattern

    3. Pattern: <host name of uas.url from win32.config>

    This condition makes the routing rule match only requests whose Host header is the SSO host name; requests arriving at the proxy with any other Host value are not forwarded to the SSO servers.

  18. Under the Connections field, select your Server Farm name → Double-click the Server Affinity icon.

  19. Check the Client affinity checkbox.

  20. Under the Actions field, click the Apply.

    "Sticky Sessions and client affinity are ways of maintaining a persistent connection to a specific webfarm node until the client session ends. When a client connects to a website, the load balancer starts a session on a specific node: as long as the client is connected, all requests are sent back to that node."

  21. Under the Connections field, Select your Server Farm name → Double-click the Proxy icon.

  22. Check the Reverse rewrite host in response headers checkbox and uncheck the Include TCP port from client IP checkbox. With reverse rewrite enabled, ARR replaces the internal SSO server host name with the public host name in response headers such as Location, so redirects issued by the SSO server do not expose the backend address to the client.

  23. Under the Actions field, click Apply.
  24. Under the Connections field, select your Server Farm name → Double-click the Load Balance icon.

  25. Under the Load Balance field, configure the parameters:

    1. Load balance algorithm: Weighted round robin

    2. Load distribution: Custom distribution

    3. Relative Weight of SSO Server 1: 1000000000

    4. Relative Weight of SSO Server 2: 1

  26. Click Apply under Actions.

    With the weights above, SSO Server 1 receives practically all new sessions and SSO Server 2 acts as a standby that is used when SSO Server 1 does not respond; together with client affinity this keeps each user on the node that created the session.

    For a High-Performance setup, the only proxy-related setting that differs is Load Balance: in a High-Performance setup, requests are distributed equally between the SSO servers.

    For a High-Performance setup, SSO has to be set up to use a Redis in-memory database for session management.

Step 4. Configure Reverse Proxy additionally for the Accounting Service

This is an example configuration for the same IIS server to function as a reverse proxy additionally in front of the two Accounting Service instances running on the SSO servers. This configuration example is not intended for production environments. In production, encrypted communication between the proxy and the Accounting Service is strongly recommended.

Reverse proxy configuration consists of the following operations:

  • Add binding to the website
  • Create another server farm
  • Verify the Routing rule and URL Rewrite Rule
  • Create a specific Inbound rule
  • Configure the Server Affinity
  • Configure the Proxy settings
  • Configure the load balancer

  1. Add a binding to the website: choose the site created in the previous step (assume it was sso.example.com rather than the www.example.com used in the screen captures), select Bindings... from Actions, click Add... and enter the following parameters:

    1. Type: https

    2. Port: 443

    3. Host name: <accounting.url from win32.config>

    4. SSL certificate: <certificate selected above> (it must cover the Accounting Service host name as well, as the keystore.pfx certificate mentioned in Step 3 does; otherwise browsers report a name mismatch for this binding)

  2. Create another server farm with a name such as "Acc Cluster Farm", and add the same servers as in the SSO server farm but with a different HTTP port number (the port from accounting.proxy.local.url in win32.config).

  3. Click Yes to create a URL rewrite rule to automatically route all incoming requests to your server farm.

  4. Verify the Routing rule and URL Rewrite Rule for the new server farm in the same way as with SSO configuration above.
  5. Create a specific inbound rule on top of the routing rules: choose Add Rule(s)... from Actions.

  6. Choose Blank rule and enter the following parameters:

    1. Name: add-forward-headers

    2. Match URL Pattern: (.*)

    3. Server Variables:

      1. Name: HTTP_X_FORWARDED_PROTO, Value: https

      URL Rewrite only sets server variables that are on its allowed list. If HTTP_X_FORWARDED_PROTO is not listed under View Server Variables... in the URL Rewrite feature, add it there first; otherwise requests fail with a URL Rewrite Module error stating that the variable is not allowed to be set.

    4. Action Rewrite URL: {R:0}

  7. Click Apply to confirm and click Move Up to move the new rule to the top of the rules. This rule is needed for the Accounting Service OAuth2 authentication flow: the Accounting Service must receive both the X-Forwarded-For and the X-Forwarded-Proto header when the browser is redirected back from SSO to the Accounting Service, so that it builds the redirect URLs with the public https scheme. Because the rule sets the variable unconditionally, any X-Forwarded-Proto header supplied by the client is overwritten rather than passed through.

    1. The outcome is shown in the following screen capture:

  8. Configure the Server Affinity the same way as with SSO configuration above except use a different cookie name.

  9. Configure the Proxy settings the same way as with the SSO configuration above, except disable the Reverse rewrite host in response headers checkbox. Otherwise the redirect from the Accounting Service to SSO for the OAuth2 login does not work, because ARR would rewrite the SSO host name in the Location header.

  10. Configure the load balancer as you wish; there is no server-side session in the Accounting Service.
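The IIS and ARR configuration of Steps 3 and 4 as one PowerShell script, so the result of the GUI walkthrough can be reproduced and compared against applicationHost.config. This is an added example, not code from the original guide or from Ubisecure. Everything named in it is an assumption standing in for your own values: site "SSO Proxy", farms "SSO Cluster Farm" and "Acc Cluster Farm", public host names sso.example.com (uas.url) and accounting.example.com (accounting.url), backend nodes sso1/sso2.example.com, backend ports 8080 (SSO) and 8084 (Accounting Service), and the affinity cookie names. It uses the WebAdministration module, must run as Administrator on the proxy host, and expects ARR 3.0 and URL Rewrite to be installed.

```powershell
# Added example (not from the original guide): Steps 3 and 4 as PowerShell. All names are assumptions.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, where ARR stores farms and global rules
$siteName = 'SSO Proxy'
$ssoHost  = 'sso.example.com'           # host name of uas.url in win32.config (assumed)
$accHost  = 'accounting.example.com'    # host name of accounting.url in win32.config (assumed)
$nodes    = @('sso1.example.com', 'sso2.example.com')   # the two SSO servers (assumed)

# Creates a server farm and applies the ARR settings the guide sets through the GUI.
function New-ArrFarm {
    param([string]$Name, [string[]]$Servers, [int]$HttpPort, [int[]]$Weights,
          [string]$CookieName, [bool]$ReverseRewriteHost)
    $farm = "webFarms/webFarm[@name='$Name']"
    Add-WebConfigurationProperty -PSPath $appHost -Filter 'webFarms' -Name '.' -Value @{ name = $Name; enabled = $true }
    for ($i = 0; $i -lt $Servers.Count; $i++) {
        Add-WebConfigurationProperty -PSPath $appHost -Filter $farm -Name '.' -Value @{ address = $Servers[$i]; enabled = $true }
        $srv = "$farm/server[@address='$($Servers[$i])']/applicationRequestRouting"
        Set-WebConfigurationProperty -PSPath $appHost -Filter $srv -Name httpPort -Value $HttpPort    # backend speaks plain HTTP (test only)
        Set-WebConfigurationProperty -PSPath $appHost -Filter $srv -Name weight   -Value $Weights[$i] # "Relative weight" per server
    }
    $arr = "$farm/applicationRequestRouting"
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/affinity" -Name useCookie  -Value $true        # "Client affinity"
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/affinity" -Name cookieName -Value $CookieName  # must differ per farm
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/loadBalancing" -Name algorithm -Value 'WeightedRoundRobin'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$arr/protocol" -Name reverseRewriteHostInResponseHeaders -Value $ReverseRewriteHost
}

# Creates the global rule ARR generates itself when you answer Yes in the farm wizard.
# The name must be ARR_<farm>_loadbalance, and the {HTTP_HOST} condition limits the rule
# to requests for the expected public host name.
function New-ArrRoutingRule {
    param([string]$FarmName, [string]$HostName)
    $rules    = 'system.webServer/rewrite/globalRules'
    $ruleName = "ARR_${FarmName}_loadbalance"
    Add-WebConfigurationProperty -PSPath $appHost -Filter $rules -Name '.' -Value @{ name = $ruleName; patternSyntax = 'Wildcard'; stopProcessing = $true }
    $rule = "$rules/rule[@name='$ruleName']"
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/match" -Name url -Value '*'
    Add-WebConfigurationProperty -PSPath $appHost -Filter "$rule/conditions" -Name '.' -Value @{ input = '{HTTP_HOST}'; pattern = $HostName }
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name type -Value 'Rewrite'
    Set-WebConfigurationProperty -PSPath $appHost -Filter "$rule/action" -Name url  -Value "http://$FarmName/{R:0}"   # Scheme http://, Path /{R:0}
}

# Step 3: self-signed certificate (test only; the SAN covers both public names), the site,
# and an SNI binding (SslFlags 1) per public host name. Step 4.1 is the second binding.
$cert = New-SelfSignedCertificate -DnsName $ssoHost, $accHost -CertStoreLocation 'Cert:\LocalMachine\My'
New-Website -Name $siteName -PhysicalPath 'C:\inetpub\wwwroot' -Port 443 -HostHeader $ssoHost -Ssl -SslFlags 1 | Out-Null
New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $accHost -SslFlags 1
foreach ($b in Get-WebBinding -Name $siteName -Protocol https) { $b.AddSslCertificate($cert.Thumbprint, 'My') }

# SSO farm: weights 1000000000 vs 1 send practically every new session to node 1, node 2 is a standby;
# reverse host rewrite ON so redirects from SSO carry the public name.
New-ArrFarm -Name 'SSO Cluster Farm' -Servers $nodes -HttpPort 8080 -Weights 1000000000, 1 `
            -CookieName 'ARRAffinitySSO' -ReverseRewriteHost $true
New-ArrRoutingRule -FarmName 'SSO Cluster Farm' -HostName $ssoHost

# Accounting farm (Step 4): same nodes, the accounting port, its own cookie, even weights
# (no server-side session there) and reverse host rewrite OFF (Step 4.9).
New-ArrFarm -Name 'Acc Cluster Farm' -Servers $nodes -HttpPort 8084 -Weights 1, 1 `
            -CookieName 'ARRAffinityAcc' -ReverseRewriteHost $false
New-ArrRoutingRule -FarmName 'Acc Cluster Farm' -HostName $accHost

# Steps 4.5-4.7: URL Rewrite refuses to set a server variable that is not on its allowed list,
# so allow HTTP_X_FORWARDED_PROTO first. -AtIndex 0 is the "Move Up" of the guide: the rule
# runs before the farm rules, and because it uses "set" a client-supplied X-Forwarded-Proto is overwritten.
Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/rewrite/allowedServerVariables' -Name '.' -Value @{ name = 'HTTP_X_FORWARDED_PROTO' }
Add-WebConfigurationProperty -PSPath $appHost -Filter 'system.webServer/rewrite/globalRules' -Name '.' -AtIndex 0 -Value @{ name = 'add-forward-headers'; stopProcessing = $false }
$fwd = "system.webServer/rewrite/globalRules/rule[@name='add-forward-headers']"
Set-WebConfigurationProperty -PSPath $appHost -Filter "$fwd/match" -Name url -Value '(.*)'
Add-WebConfigurationProperty -PSPath $appHost -Filter "$fwd/serverVariables" -Name '.' -Value @{ name = 'HTTP_X_FORWARDED_PROTO'; value = 'https' }
Set-WebConfigurationProperty -PSPath $appHost -Filter "$fwd/action" -Name type -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $appHost -Filter "$fwd/action" -Name url  -Value '{R:0}'
```

After running it, compare `Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'webFarms'` and the Routing Rules view in IIS Manager with the GUI steps above. Two GUI settings are deliberately left to IIS Manager here: the Include TCP port from client IP checkbox of Step 3.22, and enabling the ARR proxy mode if the farm wizard was never run. For production, the same script would use a CA-issued certificate, set httpsPort on each server and route with Scheme https:// so that proxy-to-SSO traffic is encrypted.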