IIRF 2.1 SSL Proxypass - SslStatusCallback 0x0104F288

Topics: Developer Forum, Project Management Forum, User Forum
Jan 5, 2011 at 11:36 AM

Hi!

First a little description what I want to do:

I've an IIS 6.0 Server connected the Internet, usig Port 80 and SSL on 443 with an official SSL certificate.
This Server has 2 LAN cards one to the Firewall one to the LAN side.
Inside the Network I've an Exchange Server using SSL on 8443 with a selfsigned certificate.

Now I want to proxypass the SSL Requests to /owa nd other folders of the exchange from IIS6 to my internal Exchange.

I've only one single IP from my ISP, so I cannnot use anothe WAN IP for my Exchange.
I must use port 443 because I need the Active Sync for the Smartphones (there is Active Sync hardcoded on Port 80 / SSL 443)

Here is my config File:

# Iirf.ini
RewriteLog C:\Inetpub\iirfLogs\exch
RewriteLogLevel 3
IterationLimit 5
#MaxMatchCount 10
RewriteEngine ON
StatusInquiry ON
#ProxyPass /owa https://srv:8443/owa
ProxyPass ^/owa(.*)$ https://srv:8443/owa$1
ProxyPassReverse /owa https://srv:8443/owa
ProxyPass /exchange https://srv:8443/exchange
ProxyPassReverse /exchange https://srv:8443/exchange
ProxyPass /exchweb https://srv:8443/exchweb
ProxyPassReverse /exchweb https://srv:8443/exchweb
ProxyPass /public https://srv:8443/public
ProxyPassReverse /public https://srv:8443/public
# Einstellungen um per OWA das Kennwort zu aendern
ProxyPass /iisadmpwd https://srv:8443/iisadmpwd
ProxyPassReverse /iisadmpwd https://srv:8443/iisadmpwd
# Einstellungen fuer ActiveSync
ProxyPass /Microsoft-Server-ActiveSync https://srv:8443/Microsoft-Server-ActiveSync
ProxyPassReverse /Microsoft-Server-ActiveSync https://srv:8443/Microsoft-Server-ActiveSync


here is the log File:

Wed Jan 05 12:07:21 -   992 - -------------------------------------------------------
Wed Jan 05 12:07:21 -   992 - Ionic ISAPI Rewriting Filter (IIRF) 2.1.1.23 x86 RELEASE
Wed Jan 05 12:07:21 -   992 - IIRF was built on: May 30 2010 13:26:57
Wed Jan 05 12:07:21 -   992 - Cached: DLL_PROCESS_ATTACH
Wed Jan 05 12:07:21 -   992 - Cached: Process ID: 3756
Wed Jan 05 12:07:21 -   992 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(23): Filter Priority is now: HIGH (0x80000)
Wed Jan 05 12:07:21 -   992 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(46): NotifyLog setting is now: OFF
Wed Jan 05 12:07:21 -   992 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(63): RewriteEngine setting is now: ON
Wed Jan 05 12:07:21 -   992 - Cached: DLL_PROCESS_ATTACH - complete
Wed Jan 05 12:07:21 -   992 - Cached: GetFilterVersion
Wed Jan 05 12:07:21 -   992 - GetLogFile: app:'/LM/W3SVC/1/ROOT'  new log:'C:\Inetpub\iirfLogs\exch.3756.log'
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: actual log file 'C:\Inetpub\iirfLogs\exch.3756.log'
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: ini file: 'c:\inetpub\wwwroot\Iirf.ini'
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: ini file timestamp: 2011/01/05 12:04:00 Mitteleuropäische Zeit  
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: cfg(0x01C642C8)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: LogLevel = 3
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(13): IterationLimit 5
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(15): RewriteEngine will be enabled.
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): StatusInquiry ON (--) (--)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): IIRF Status Inquiry is enabled at path '/iirfStatus' for local requests only.
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(22): ProxyPass (rule 1)  '^/owa(.*)$'  'https://srv:8443/owa$1'   (null)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(23): ProxyPassReverse   /owa  https://srv:8443/owa
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(25): ProxyPass (rule 2)  '/exchange'  'https://srv:8443/exchange'   (null)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(26): ProxyPassReverse   /exchange  https://srv:8443/exchange
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(30): ProxyPass (rule 3)  '/exchweb'  'https://srv:8443/exchweb'   (null)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(31): ProxyPassReverse   /exchweb  https://srv:8443/exchweb
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(33): ProxyPass (rule 4)  '/public'  'https://srv:8443/public'   (null)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(34): ProxyPassReverse   /public  https://srv:8443/public
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(38): ProxyPass (rule 5)  '/iisadmpwd'  'https://srv:8443/iisadmpwd'   (null)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(39): ProxyPassReverse   /iisadmpwd  https://srv:8443/iisadmpwd
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(42): ProxyPass (rule 6)  '/Microsoft-Server-ActiveSync'  'https://srv:8443/Microsoft-Server-ActiveSync'   (null)
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(43): ProxyPassReverse   /Microsoft-Server-ActiveSync  https://srv:8443/Microsoft-Server-ActiveSync
Wed Jan 05 12:07:21 -   992 - ReadVdirConfig: Done reading INI for the root vdir, found 6 rules (0 errors, 0 warnings) on 48 lines
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: SF_NOTIFY_URL_MAP
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: cfg= 0x01C642C8
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: SF_NOTIFY_AUTH_COMPLETE
Wed Jan 05 12:07:21 -   992 - DoRewrites
Wed Jan 05 12:07:21 -   992 - DoRewrites: Url (no decoding): '/owa'
Wed Jan 05 12:07:21 -   992 - EvaluateRules: depth=0
Wed Jan 05 12:07:21 -   992 - EvaluateRules: no RewriteBase
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 1: 2 match
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Result (length 20): https://srv:8443/owa
Wed Jan 05 12:07:21 -   992 - EvaluateRules: returning 999
Wed Jan 05 12:07:21 -   992 - DoRewrites: Proxy to: 'https://srv:8443/owa'
Wed Jan 05 12:07:21 -   992 - IirfProxy_SendRequest: https://srv:8443/owa
Wed Jan 05 12:07:21 -   992 - ParseAllRaw: found 8 headers
Wed Jan 05 12:07:21 -   992 - GenProxyRequestHeadersString: rh(0x01C652F0) nh(srv) sn(egov.engerwitzdorf.at) la(192.168.1.5) ra(85.125.75.178) ts(0)
Wed Jan 05 12:07:21 -   992 - Iirfproxy: SslStatusCallback: status = 0x0104F288
Wed Jan 05 12:07:21 -   992 - IirfProxy_SendRequest: Error in WinHttpSendRequest(): 12175
Wed Jan 05 12:07:21 -   992 - DoRewrites: Proxy complete: 0 chunks, 0 bytes'
Wed Jan 05 12:07:21 -   992 - DoRewrites: Finish. SF_STATUS_REQ_ERROR  LastError=12175
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: SF_NOTIFY_URL_MAP
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: cfg= 0x01C642C8
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: SF_NOTIFY_AUTH_COMPLETE
Wed Jan 05 12:07:21 -   992 - DoRewrites
Wed Jan 05 12:07:21 -   992 - DoRewrites: Url (no decoding): '/favicon.ico'
Wed Jan 05 12:07:21 -   992 - EvaluateRules: depth=0
Wed Jan 05 12:07:21 -   992 - EvaluateRules: no RewriteBase
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 1: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 2: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 3: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 4: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 5: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 6: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: returning 0
Wed Jan 05 12:07:21 -   992 - DoRewrites: No Rewrite
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: SF_NOTIFY_URL_MAP
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: cfg= 0x01C642C8
Wed Jan 05 12:07:21 -   992 - HttpFilterProc: SF_NOTIFY_AUTH_COMPLETE
Wed Jan 05 12:07:21 -   992 - DoRewrites
Wed Jan 05 12:07:21 -   992 - DoRewrites: Url (no decoding): '/favicon.ico'
Wed Jan 05 12:07:21 -   992 - EvaluateRules: depth=0
Wed Jan 05 12:07:21 -   992 - EvaluateRules: no RewriteBase
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 1: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 2: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 3: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 4: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 5: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: Rule 6: -1 (No match)
Wed Jan 05 12:07:21 -   992 - EvaluateRules: returning 0
Wed Jan 05 12:07:21 -   992 - DoRewrites: No Rewrite

When I browse to the URL:
Firefox shows me : 12175 (0x00002f8f)
IE shows me: HTTP 500 Error - Internal Server Error

 

Please help me to solve this problem

 

Regards

Chris

 

Coordinator
Jan 6, 2011 at 1:49 PM

Thanks for your very clear question.

The IIRf log file is very helpful in diagnosis. 

The 12175 indicates an error in the SSL layer, which you probably guessed. From http://msdn.microsoft.com/en-us/library/aa383770(v=VS.85).aspx :

ERROR_WINHTTP_SECURE_FAILURE   12175

One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server. To determine what type of error was encountered, check for a WINHTTP_CALLBACK_STATUS_SECURE_FAILURE notification in a status callback function. For more information, see WINHTTP_STATUS_CALLBACK.

The WinHttp layer provides a way to get more detailed information about the error, via something called the WinHttpSslStatusCallback.  You can see in the logfile the output of that callback: 0x0104F288.  This is as unhelpful to me as it is to you. 

The IIRF code expects this value to be an error code, according to the documentation for WinHttpSslStatusCallback: http://msdn.microsoft.com/en-us/library/aa383917.aspx  Unfortunately, it is none of the expected values.  It appears to be a memory pointer.

I'm not sure of the bestr way to diagnose the problem you're experiencing.  One suggestion I can make - I can produce a modified IIRF that emits better diagnostic information in that error case.  You would have to install this modified IIRF, reproduce the problem, then post a new logfile.  This won't fix the problem immediately but it could lead to better insights on how to fix it. 

Regarding the unexpected value: in other cases like this, the error code was one of the expected values. One possibility is that in the case of multiple errors, it's possible that there's an array of codes presented, instead of just one value.  Unfortunately the documentation is not as clear on this point as I would like, and I don't have a good source of reference information on the API call.  There's no guarantee my guess is correct.  The best way I know of to figure this out is to test it.  I could modify the code to handle this possibility, and then you could see what happens. 

Let me know what you'd prefer to do.  If you agree to run the modified IIRF, I'll provide it for you as quickly as I can.  You need to tell me what hardware platform you're running, x86 or x64.

 

Jan 6, 2011 at 2:55 PM

Hi!

Testing is no problem

the IIS 6.0 machine is a server 2003 x68

the Exchange is a Server 2008 R2 x64 with IIS 7 and Exchange 2010

If it could help, I can draw a Network plan of the Servers because the Exchange have a different default gateway than the IIS6.0 machine

 

regards

Chris

Coordinator
Jan 6, 2011 at 3:05 PM

ok, and you are running IIRF only on the x86 machine - the WS2003/IIS6 machine.  Is that correct?

I will produce a binary and let you know shortly.

Coordinator
Jan 6, 2011 at 3:11 PM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Coordinator
Jan 6, 2011 at 3:29 PM

Ok, Chris,

I created a workitem, to track this.  I've produced an interim build of IIRF for you, it's attached to the workitem. Download and try it, following these steps: (1) Stop IIS.  (2) copy the iirf.dll and the iirf.pdb into your iirf installation directory.   you may want to preserve the original iirf.dll, to replace it later.  (3) restart IIS.  (4) verify that IIRF is running.  (5) run another proxy request through the filter.  (6) post the new IIRF logfile to this discussion thread. 

I figure we will use the discussion thread for the discussion, and the workitem to exchange files.

I hope that the new DLL will provide additional diagnostic information if the error occurs in the same way. 

While you're doing that, I will do some further research.

Jan 6, 2011 at 3:46 PM

yes, IIRF is running on the X86 machine

I've downloaded the zip-File, but it is empty...

regards

Chris

Coordinator
Jan 6, 2011 at 3:54 PM

whoops!  ok, try again please.

Jan 6, 2011 at 4:05 PM

here is the new log File:

Thu Jan 06 17:03:42 -  3420 - -------------------------------------------------------
Thu Jan 06 17:03:42 -  3420 - Ionic ISAPI Rewriting Filter (IIRF) 2.1.1.24 x86 DEBUG
Thu Jan 06 17:03:42 -  3420 - IIRF was built on: Jan  6 2011 10:20:30
Thu Jan 06 17:03:42 -  3420 - Cached: DLL_PROCESS_ATTACH
Thu Jan 06 17:03:42 -  3420 - Cached: Process ID: 1268
Thu Jan 06 17:03:42 -  3420 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(23): Filter Priority is now: HIGH (0x80000)
Thu Jan 06 17:03:42 -  3420 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(46): NotifyLog setting is now: OFF
Thu Jan 06 17:03:42 -  3420 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(63): RewriteEngine setting is now: ON
Thu Jan 06 17:03:42 -  3420 - Cached: DLL_PROCESS_ATTACH - complete
Thu Jan 06 17:03:42 -  3420 - Cached: GetFilterVersion
Thu Jan 06 17:03:42 -  3420 - GetLogFile: app:'/LM/W3SVC/1/ROOT'  new log:'C:\Inetpub\iirfLogs\exch.1268.log'
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: actual log file 'C:\Inetpub\iirfLogs\exch.1268.log'
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: ini file: 'c:\inetpub\wwwroot\Iirf.ini'
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: ini file timestamp: 2011/01/05 12:04:00 Mitteleuropäische Zeit  
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: cfg(0x01CA6998)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: LogLevel = 3
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(13): IterationLimit 5
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(15): RewriteEngine will be enabled.
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): StatusInquiry ON (--) (--)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): IIRF Status Inquiry is enabled at path '/iirfStatus' for local requests only.
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(22): ProxyPass (rule 1)  '^/owa(.*)$'  'https://srv:8443/owa$1'   (null)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(23): ProxyPassReverse   /owa  https://srv:8443/owa
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(25): ProxyPass (rule 2)  '/exchange'  'https://srv:8443/exchange'   (null)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(26): ProxyPassReverse   /exchange  https://srv:8443/exchange
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(30): ProxyPass (rule 3)  '/exchweb'  'https://srv:8443/exchweb'   (null)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(31): ProxyPassReverse   /exchweb  https://srv:8443/exchweb
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(33): ProxyPass (rule 4)  '/public'  'https://srv:8443/public'   (null)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(34): ProxyPassReverse   /public  https://srv:8443/public
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(38): ProxyPass (rule 5)  '/iisadmpwd'  'https://srv:8443/iisadmpwd'   (null)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(39): ProxyPassReverse   /iisadmpwd  https://srv:8443/iisadmpwd
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(42): ProxyPass (rule 6)  '/Microsoft-Server-ActiveSync'  'https://srv:8443/Microsoft-Server-ActiveSync'   (null)
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(43): ProxyPassReverse   /Microsoft-Server-ActiveSync  https://srv:8443/Microsoft-Server-ActiveSync
Thu Jan 06 17:03:42 -  3420 - ReadVdirConfig: Done reading INI for the root vdir, found 6 rules (0 errors, 0 warnings) on 48 lines
Thu Jan 06 17:03:42 -  3420 - HttpFilterProc: SF_NOTIFY_URL_MAP
Thu Jan 06 17:03:42 -  3420 - HttpFilterProc: cfg= 0x01CA6998
Thu Jan 06 17:03:42 -  3420 - HttpFilterProc: SF_NOTIFY_AUTH_COMPLETE
Thu Jan 06 17:03:42 -  3420 - DoRewrites
Thu Jan 06 17:03:42 -  3420 - DoRewrites: Url (no decoding): '/owa'
Thu Jan 06 17:03:42 -  3420 - EvaluateRules: depth=0
Thu Jan 06 17:03:42 -  3420 - EvaluateRules: no RewriteBase
Thu Jan 06 17:03:42 -  3420 - EvaluateRules: Rule 1: 2 match
Thu Jan 06 17:03:42 -  3420 - GenerateReplacementString: URL too long after substitution: delta(20) s(https://srv:8443/owa)
Thu Jan 06 17:03:42 -  3420 - EvaluateRules: Result (length 20): https://srv:8443/owa
Thu Jan 06 17:03:42 -  3420 - EvaluateRules: returning 999
Thu Jan 06 17:03:42 -  3420 - DoRewrites: Proxy to: 'https://srv:8443/owa'
Thu Jan 06 17:03:42 -  3420 - IirfProxy_SendRequest: https://srv:8443/owa
Thu Jan 06 17:03:42 -  3420 - ParseAllRaw: found 6 headers
Thu Jan 06 17:03:42 -  3420 - GenProxyRequestHeadersString: rh(0x01CA8918) nh(srv) sn(egov.engerwitzdorf.at) la(192.168.1.5) ra(84.115.76.70) ts(0)
Thu Jan 06 17:03:43 -  3420 - Iirfproxy: SslStatusCallback: stat(0x0104F138) len(4) e[17101112]=00000004 e[17101112]=00000004 e[17101112]=00000004 e[17101112]=00000004
Thu Jan 06 17:03:43 -  3420 - IirfProxy_SendRequest: Error in WinHttpSendRequest(): 12175
Thu Jan 06 17:03:43 -  3420 - DoRewrites: Proxy complete: 0 chunks, 0 bytes'
Thu Jan 06 17:03:43 -  3420 - DoRewrites: Finish. SF_STATUS_REQ_ERROR  LastError=12175

 

Regards

Chris

Coordinator
Jan 6, 2011 at 4:18 PM

Ah, thanks Chris,

I've modified the DLL again.  Can you try the new binary?  It's available on the workitem.

Jan 6, 2011 at 4:39 PM

and here is the log again....

Thu Jan 06 17:38:21 -  1096 - -------------------------------------------------------
Thu Jan 06 17:38:21 -  1096 - Ionic ISAPI Rewriting Filter (IIRF) 2.1.1.24 x86 DEBUG
Thu Jan 06 17:38:21 -  1096 - IIRF was built on: Jan  6 2011 11:16:56
Thu Jan 06 17:38:21 -  1096 - Cached: DLL_PROCESS_ATTACH
Thu Jan 06 17:38:21 -  1096 - Cached: Process ID: 2144
Thu Jan 06 17:38:21 -  1096 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(23): Filter Priority is now: HIGH (0x80000)
Thu Jan 06 17:38:21 -  1096 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(46): NotifyLog setting is now: OFF
Thu Jan 06 17:38:21 -  1096 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(63): RewriteEngine setting is now: ON
Thu Jan 06 17:38:21 -  1096 - Cached: DLL_PROCESS_ATTACH - complete
Thu Jan 06 17:38:21 -  1096 - Cached: GetFilterVersion
Thu Jan 06 17:38:21 -  1096 - GetLogFile: app:'/LM/W3SVC/1/ROOT'  new log:'C:\Inetpub\iirfLogs\exch.2144.log'
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: actual log file 'C:\Inetpub\iirfLogs\exch.2144.log'
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: ini file: 'c:\inetpub\wwwroot\Iirf.ini'
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: ini file timestamp: 2011/01/05 12:04:00 Mitteleuropäische Zeit  
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: cfg(0x01CA6998)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: LogLevel = 3
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(13): IterationLimit 5
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(15): RewriteEngine will be enabled.
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): StatusInquiry ON (--) (--)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): IIRF Status Inquiry is enabled at path '/iirfStatus' for local requests only.
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(22): ProxyPass (rule 1)  '^/owa(.*)$'  'https://srv:8443/owa$1'   (null)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(23): ProxyPassReverse   /owa  https://srv:8443/owa
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(25): ProxyPass (rule 2)  '/exchange'  'https://srv:8443/exchange'   (null)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(26): ProxyPassReverse   /exchange  https://srv:8443/exchange
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(30): ProxyPass (rule 3)  '/exchweb'  'https://srv:8443/exchweb'   (null)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(31): ProxyPassReverse   /exchweb  https://srv:8443/exchweb
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(33): ProxyPass (rule 4)  '/public'  'https://srv:8443/public'   (null)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(34): ProxyPassReverse   /public  https://srv:8443/public
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(38): ProxyPass (rule 5)  '/iisadmpwd'  'https://srv:8443/iisadmpwd'   (null)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(39): ProxyPassReverse   /iisadmpwd  https://srv:8443/iisadmpwd
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(42): ProxyPass (rule 6)  '/Microsoft-Server-ActiveSync'  'https://srv:8443/Microsoft-Server-ActiveSync'   (null)
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(43): ProxyPassReverse   /Microsoft-Server-ActiveSync  https://srv:8443/Microsoft-Server-ActiveSync
Thu Jan 06 17:38:21 -  1096 - ReadVdirConfig: Done reading INI for the root vdir, found 6 rules (0 errors, 0 warnings) on 48 lines
Thu Jan 06 17:38:21 -  1096 - HttpFilterProc: SF_NOTIFY_URL_MAP
Thu Jan 06 17:38:21 -  1096 - HttpFilterProc: cfg= 0x01CA6998
Thu Jan 06 17:38:21 -  1096 - HttpFilterProc: SF_NOTIFY_AUTH_COMPLETE
Thu Jan 06 17:38:21 -  1096 - DoRewrites
Thu Jan 06 17:38:21 -  1096 - DoRewrites: Url (no decoding): '/owa'
Thu Jan 06 17:38:21 -  1096 - EvaluateRules: depth=0
Thu Jan 06 17:38:21 -  1096 - EvaluateRules: no RewriteBase
Thu Jan 06 17:38:21 -  1096 - EvaluateRules: Rule 1: 2 match
Thu Jan 06 17:38:21 -  1096 - GenerateReplacementString: URL too long after substitution: delta(20) s(https://srv:8443/owa)
Thu Jan 06 17:38:21 -  1096 - EvaluateRules: Result (length 20): https://srv:8443/owa
Thu Jan 06 17:38:21 -  1096 - EvaluateRules: returning 999
Thu Jan 06 17:38:21 -  1096 - DoRewrites: Proxy to: 'https://srv:8443/owa'
Thu Jan 06 17:38:21 -  1096 - IirfProxy_SendRequest: https://srv:8443/owa
Thu Jan 06 17:38:21 -  1096 - ParseAllRaw: found 6 headers
Thu Jan 06 17:38:21 -  1096 - GenProxyRequestHeadersString: rh(0x01CA8918) nh(srv) sn(egov.engerwitzdorf.at) la(192.168.1.5) ra(84.115.76.70) ts(0)
Thu Jan 06 17:38:21 -  1096 - Iirfproxy: SslStatusCallback: stat(0x0104F138) len(4) e[0]=00000008 e[1]=01CE0000 e[2]=00000000 e[3]=00000010
Thu Jan 06 17:38:21 -  1096 - IirfProxy_SendRequest: Error in WinHttpSendRequest(): 12175
Thu Jan 06 17:38:21 -  1096 - DoRewrites: Proxy complete: 0 chunks, 0 bytes'
Thu Jan 06 17:38:21 -  1096 - DoRewrites: Finish. SF_STATUS_REQ_ERROR  LastError=12175

Coordinator
Jan 6, 2011 at 6:14 PM

ok, Can you do it one more time?    There's a new DLL on the workitem.

This may be the last one.

Jan 6, 2011 at 6:29 PM

its still not working, here is the log file:

Thu Jan 06 19:27:35 -  3740 - -------------------------------------------------------
Thu Jan 06 19:27:35 -  3740 - Ionic ISAPI Rewriting Filter (IIRF) 2.1.1.24 x86 DEBUG
Thu Jan 06 19:27:35 -  3740 - IIRF was built on: Jan  6 2011 13:12:38
Thu Jan 06 19:27:35 -  3740 - Cached: DLL_PROCESS_ATTACH
Thu Jan 06 19:27:35 -  3740 - Cached: Process ID: 3440
Thu Jan 06 19:27:35 -  3740 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(23): Filter Priority is now: HIGH (0x80000)
Thu Jan 06 19:27:35 -  3740 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(46): NotifyLog setting is now: OFF
Thu Jan 06 19:27:35 -  3740 - Cached: ReadServerConfig: C:\Programme\Ionic Shade\IIRF 2.1\IirfGlobal.ini(63): RewriteEngine setting is now: ON
Thu Jan 06 19:27:35 -  3740 - Cached: DLL_PROCESS_ATTACH - complete
Thu Jan 06 19:27:35 -  3740 - Cached: GetFilterVersion
Thu Jan 06 19:27:35 -  3740 - GetLogFile: app:'/LM/W3SVC/1/ROOT'  new log:'C:\Inetpub\iirfLogs\exch.3440.log'
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: actual log file 'C:\Inetpub\iirfLogs\exch.3440.log'
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: ini file: 'c:\inetpub\wwwroot\Iirf.ini'
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: ini file timestamp: 2011/01/06 18:00:50 Mitteleuropäische Zeit  
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: cfg(0x01CA6998)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: LogLevel = 3
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(13): IterationLimit 5
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(15): RewriteEngine will be enabled.
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): StatusInquiry ON (--) (--)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(16): IIRF Status Inquiry is enabled at path '/iirfStatus' for local requests only.
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(22): ProxyPass (rule 1)  '^/owa(.*)$'  'https://srv:8443/owa$1'   (null)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(23): ProxyPassReverse   /owa  https://srv:8443/owa
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(28): ProxyPass (rule 2)  '/exchange'  'https://srv:8443/exchange'   (null)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(29): ProxyPassReverse   /exchange  https://srv:8443/exchange
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(33): ProxyPass (rule 3)  '/exchweb'  'https://srv:8443/exchweb'   (null)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(34): ProxyPassReverse   /exchweb  https://srv:8443/exchweb
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(36): ProxyPass (rule 4)  '/public'  'https://srv:8443/public'   (null)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(37): ProxyPassReverse   /public  https://srv:8443/public
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(41): ProxyPass (rule 5)  '/iisadmpwd'  'https://srv:8443/iisadmpwd'   (null)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(42): ProxyPassReverse   /iisadmpwd  https://srv:8443/iisadmpwd
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(45): ProxyPass (rule 6)  '/Microsoft-Server-ActiveSync'  'https://srv:8443/Microsoft-Server-ActiveSync'   (null)
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: c:\inetpub\wwwroot\Iirf.ini(46): ProxyPassReverse   /Microsoft-Server-ActiveSync  https://srv:8443/Microsoft-Server-ActiveSync
Thu Jan 06 19:27:35 -  3740 - ReadVdirConfig: Done reading INI for the root vdir, found 6 rules (0 errors, 0 warnings) on 51 lines
Thu Jan 06 19:27:35 -  3740 - HttpFilterProc: SF_NOTIFY_URL_MAP
Thu Jan 06 19:27:35 -  3740 - HttpFilterProc: cfg= 0x01CA6998
Thu Jan 06 19:27:35 -  3740 - HttpFilterProc: SF_NOTIFY_AUTH_COMPLETE
Thu Jan 06 19:27:35 -  3740 - DoRewrites
Thu Jan 06 19:27:35 -  3740 - DoRewrites: Url (no decoding): '/owa'
Thu Jan 06 19:27:35 -  3740 - EvaluateRules: depth=0
Thu Jan 06 19:27:35 -  3740 - EvaluateRules: no RewriteBase
Thu Jan 06 19:27:35 -  3740 - EvaluateRules: Rule 1: 2 match
Thu Jan 06 19:27:35 -  3740 - GenerateReplacementString: URL too long after substitution: delta(20) s(https://srv:8443/owa)
Thu Jan 06 19:27:35 -  3740 - EvaluateRules: Result (length 20): https://srv:8443/owa
Thu Jan 06 19:27:35 -  3740 - EvaluateRules: returning 999
Thu Jan 06 19:27:35 -  3740 - DoRewrites: Proxy to: 'https://srv:8443/owa'
Thu Jan 06 19:27:35 -  3740 - IirfProxy_SendRequest: https://srv:8443/owa
Thu Jan 06 19:27:35 -  3740 - ParseAllRaw: found 7 headers
Thu Jan 06 19:27:35 -  3740 - GenProxyRequestHeadersString: rh(0x01CA8940) nh(srv) sn(egov.engerwitzdorf.at) la(192.168.1.5) ra(84.115.76.70) ts(0)
Thu Jan 06 19:27:35 -  3740 - Iirfproxy: SslStatusCallback: stat(0x0104F138) len(4) e[0]=00000008 e[1]=01CE0000 e[2]=00000000 e[3]=00000010
Thu Jan 06 19:27:35 -  3740 - IirfProxy_SendRequest: Error in WinHttpSendRequest(): 12175
Thu Jan 06 19:27:35 -  3740 - DoRewrites: Proxy complete: 0 chunks, 0 bytes'
Thu Jan 06 19:27:35 -  3740 - DoRewrites: Finish. SF_STATUS_REQ_ERROR  LastError=12175

Regards

Chris

Coordinator
Jan 6, 2011 at 6:52 PM

Hey Chris - I didn't figure it would start working. This was just a diagnostic exercise.

There's a problem happening in the SSL layer, and there's a second problem that the diagnostics being generated by IIRF for that first problem are not helpful.  I'm working on the second problem - getting the diagnostics right.  My thought was: If we get helpful diagnostics, then we can better resolve the original problem.  I hope that makes sense.

I'm still not really happy with the diagnostics here, because the behavior I see is not agreeing with the documented behavior for this part of the WinHttp library in Windows.  This could be due to a documentation bug on Microsoft's part, but I'm hesitant to jump to that conclusion.  It seems unlikely - this function is used by many many applications.  In any case, supposing that it is a doc problem, the actual error code is 0x08 - that is what I got out of the logfile with the improved IIRF diagnostics.  The SSL error mnemonic for 0x08  is WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA , which, in English, means the sending machine does not trust the Certificate Authority that generated the server's certificate.

I'm not an expert on SSL configuration, but I think the hostname you use must also match the certificate.  If you are using the internal hostname (srv), and the certificate is for the fully-qualified domain name (eg, srv.exchange.domain.com), then I believe that would result in a problem, too.

Can you please check those 2 things - verify that the CA that signed the cert for the exchange server is trusted on the IIS6 machine, and verify that you're using the correct hostname that matches the cert. 

Let me know if that fixes things.

 

Jan 6, 2011 at 7:32 PM

Hey! That was great!

The certificate was correct, the CA was correct, but: the CA certificate was in the trusted CA of the User and not in the trusted CA oft the machine!

now it works!

 

THANK YOU!

Regards

Chris

Coordinator
Jan 6, 2011 at 7:40 PM

Chris, I'm glad to hear you got it worked out.

Regarding the IIRF dll you have now - you can continue to use the interim build you downloaded - it has minimal changes from the regular IIRF v2.1.1.23, only a few bug fixes.

you can also revert to the "official" v2.1.1.23 if you like.  Either way is fine.

 

Jan 6, 2011 at 9:53 PM
Edited Jan 6, 2011 at 11:58 PM

Hi!

now I've new problems:

when I call the /owa the site opens

when I press the login the page /owa/auth.owa should open but I get an HTTP 404 Error
If I add a '/' at the end, the site opens....

here is my rule:

ProxyPass ^/owa(.*)$ https://srv/owa/$1
ProxyPassReverse /owa/ https://srv/owa/

 

A Redirect does not help because the this destroy the login credentials

 

Regards

Chris 



Coordinator
Jan 6, 2011 at 11:21 PM

Hmmmm.....

Well I don't know the OWA transaction flow, so I Cannot say.   if I were you I would get a Fiddler2 hooked up to your IE, and then examine the HTTP transactions back and forth.  You could also look in the IIRF log for some of this, but the Fiddler tool will be more searchable, as it will keep each HTTP request and response separate. That will make it easier to interpret the results.

Comparing the proxied flow against the normal flow will give you some insight into the differences and what you need to do differently.

your Rules look mostly pretty good, but there might be edge cases you are missing - for example, suppose the URL you request is /owa.  This gets proxied to https://srv/owa/ , because $1 is empty.  Do you see that though the original URL has no trailing slash, the proxied URL *does* have a trailing slash?  That edge case might be affecting the overall flow.

Your ProxyPassReverse looks fine.

Good luck.