Public DMZ IIS to Private DMZ IIS reverse proxy

Topics: Developer Forum, User Forum
Jul 20, 2011 at 7:33 PM

I would like to know whether IIRF would be a solution to my situation.  I have spent very little time working with IIS (and less with reverse proxy) but am installing a vendor product.  I have two physical DMZ servers (WS 2003, IIS 6) and my internal network all separated by firewalls.  My solution for my private DMZ is the installation of the IIS redirect from the jakarta project communicating with Tomcat using AJP on port 8009 on my internal network.  My need is a simple solution for a reverse proxy from the public to the private DMZ servers along with whatever configuration is necessary.  Any help with this would be appreciated.

Jul 21, 2011 at 2:12 PM
Edited Jul 21, 2011 at 2:32 PM

Yes, it might work - try it.


Jul 21, 2011 at 2:41 PM

After again rereading the documentation it appears as though a simple redirect rule (to the Private DMZ server) might do the trick.  This would be on the web site for this new application.  And just for my understanding, all of this would happen 'under the covers' and when the content is retrieved from the internal network it would then be magically passed back to the Public DMZ that would then be returned to the client, correct?

Jul 21, 2011 at 3:08 PM

Yes, that's the idea behind a transparent (aka Reverse) proxy.

Jul 21, 2011 at 6:50 PM

It appears to me that the only thing necessary would be a ProxyPass.  The target is a local server (Private DMZ) - how would this be formed?  I am not sure that I understand [PH] and its implications.

Jul 23, 2011 at 12:16 PM

It's explained in the documentation.  Check it out.

When an HTTP application sends a request, one of the headers is the Host header. It carries the name of the server the client (usually a browser) thinks it is contacting. When I post a message to IIRF's site, the Host header will carry "" .  A Proxy operation is essentially a relayed communication. The proxy app, in this case IIRF itself, sends an HTTP message out to a different server.  Normally that HTTP message follows the usual rules - the Host header will carry the name of the host the proxy app thinks it is contacting. With the [PH], the proxy app will use a Host header that mirrors the Host header used on the incoming HTTP message.
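
The Host header choice described above, as an added example that is not part of the original thread and is not IIRF's own code: a small Python model of a relaying proxy building its outbound request with and without host preservation. The host names, the target URL and the `preserve_host` parameter are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: a request as it arrives at the public DMZ server.
INCOMING = (
    b"GET /app/login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: sample-client\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
TARGET = "http://private-dmz.example:8080"  # hypothetical private DMZ server

# Headers that apply to one connection only and are not relayed.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te",
              "trailer", "transfer-encoding", "upgrade"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into request line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, path, headers

def host_of(raw):
    """Return the single Host header value; reject missing or duplicates."""
    hosts = [v for n, v in parse_request(raw)[2] if n.lower() == "host"]
    if len(hosts) != 1:
        raise ValueError("request must carry exactly one Host header")
    return hosts[0]

def build_relayed_request(raw, target, preserve_host=False):
    """Build the request the proxy sends to the target server.

    preserve_host=False: Host names the target the proxy is contacting.
    preserve_host=True:  Host mirrors the incoming request (the [PH] case).
    """
    method, path, headers = parse_request(raw)
    host = host_of(raw) if preserve_host else urlsplit(target).netloc
    out = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    out += [f"{n}: {v}" for n, v in headers
            if n.lower() != "host" and n.lower() not in HOP_BY_HOP]
    return ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1")

if __name__ == "__main__":
    print(build_relayed_request(INCOMING, TARGET).decode())
    print(build_relayed_request(INCOMING, TARGET, preserve_host=True).decode())
```

With host preservation on, the private server sees the public name the client used, so anything it derives from the Host header (virtual host selection, absolute links) follows that name rather than its own.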