on 08-23-2005 10:19 AM
Hi
I am facing problems during installation of IISProxy. From IIS we are not able to redirect to the Portal page and I am getting a "page cannot be displayed" error. We are using IIS 5.0 and IISPROXY 1.6. The filter name I gave in IIS is IisProxy, and I created a virtual directory "irj" and added the application mapping "iisproxy.dll" in the virtual directory.
Below is the IISPROXY.xml
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE ISAPI-config[
<!ELEMENT ISAPI-config ( filter, extension, ( mapping | config )* )>
<!ATTLIST ISAPI-config
version CDATA #REQUIRED
>
<!ELEMENT filter (log-path?)>
<!ATTLIST filter
name CDATA #IMPLIED
keepalive CDATA "true"
log-level CDATA "1"
log-flags CDATA "0"
debug-flags CDATA "0"
priority ( high | medium | low ) "high"
extension-url CDATA "/scripts/IisProxy.dll"
authentication ( skip | normal | forward ) "normal"
remote-address ( skip | forward ) "forward"
>
<!ELEMENT extension (
keystore-dir?,
log-path?,
data-path?,
trace-path? )>
<!ATTLIST extension
name CDATA #IMPLIED
log-level CDATA "1"
log-flags CDATA "0"
debug-flags CDATA "0"
access ( filter | direct | both ) "filter"
>
<!ELEMENT keystore-dir (#PCDATA)>
<!ELEMENT log-path (#PCDATA)>
<!ELEMENT data-path (#PCDATA)>
<!ELEMENT trace-path (#PCDATA)>
<!ELEMENT mapping (
source+,
target,
compress-types*,
protocol-header?,
certificate-header?,
cert-chain-header?,
cipher-header?,
keysize-header?,
keystore-path?,
log-path?,
data-path? )>
<!ATTLIST mapping
name CDATA #IMPLIED
log-level CDATA "1"
log-flags CDATA "0"
debug-flags CDATA "0"
keepalive ( true | false ) "true"
use-continue ( true | false ) "true"
close-socket ( true | false ) "true"
close-socket-delay CDATA "1000"
thread-count CDATA "100"
max-socket-age CDATA "37"
>
<!ELEMENT source (protocol, host?, port?, prefix, new-prefix?)>
<!ATTLIST source
access ( filter | direct | both ) "filter"
>
<!ELEMENT protocol (#PCDATA)>
<!ELEMENT host (#PCDATA)>
<!ELEMENT port (#PCDATA)>
<!ELEMENT prefix (#PCDATA)>
<!ELEMENT new-prefix (#PCDATA)>
<!ELEMENT target (protocol, host, port)>
<!ELEMENT compress-types (#PCDATA)>
<!ATTLIST compress-types
min-size CDATA "1024"
>
<!ELEMENT protocol-header (#PCDATA)>
<!ELEMENT certificate-header (#PCDATA)>
<!ELEMENT cert-chain-header (#PCDATA)>
<!ELEMENT cipher-header (#PCDATA)>
<!ELEMENT keysize-header (#PCDATA)>
<!ELEMENT keystore-path (#PCDATA)>
<!ELEMENT config ( source+ )>
]>
<ISAPI-config version="1.6">
<filter name="IisProxy" authentication="forward" />
<extension name="IisProxy" />
<mapping name="irj" keepalive="true" log-level="3" use-continue="false" >
<source>
<protocol>http</protocol>
<prefix>/irj/</prefix>
</source>
<target>
<protocol>http</protocol>
<host>devsep1</host>
<port>50000</port>
</target>
<compress-types>text/html, text/plain, text/css</compress-types>
<protocol-header>ClientProtocol</protocol-header>
</mapping>
<config>
<source>
<protocol>http</protocol>
<host>localhost</host>
<prefix>/IisProxy</prefix>
</source>
<source>
<protocol>https</protocol>
<host>localhost</host>
<prefix>/IisProxy</prefix>
</source>
</config>
</ISAPI-config>
Below is the Log File
================================================================================
17:05:21 Global E-Init IisProxy Extension 1.6.2.0 initializing.
17:05:21 2284 E-Init W SapInit(): SapSSLInit() failed: -1 (SSSLERR_LIB_NOT_FOUND)
17:05:21 Global E-Init IisProxy Extension 1.6.2.0 initialized.
17:05:21 2284 Config IisProxy Extension configuration:
================================================================================
Extension configuration
log-level = "1"
log-flags = "0x00111330"
debug-flags = "0x00000000"
keystore-dir = "C:\sec"
log-path = "C:\Inetpub\scripts\IisProxy_%y%m%d.log"
data-path = "C:\Inetpub\scripts\IisProxy_%y%m%d.data"
trace-path = "C:\Inetpub\scripts\IisProxy.trace"
Source mappings:
Target mappings:
Mapping "irj"
log-level = "3"
log-flags = "0x8031F33E"
debug-flags = "0x00000000"
keep-alive = "true"
use-continue = "false"
close-socket = "true"
close-socket-delay = "1000"
thread-count = "100"
max-socket-age = "37"
target http://devsep1:50000
Compressible content types:
"text/html" (> 1024 bytes)
"text/css" (> 1024 bytes)
"text/plain" (> 1024 bytes)
protocol-header = "ClientProtocol"
certificate-header = "SSL_CLIENT_CERT"
cert-chain-header = "SSL_CLIENT_CERT_CHAIN_%d"
cipher-header = "SSL_CIPHER_SUITE"
keysize-header = "SSL_CIPHER_USEKEYSIZE"
keystore-path = "C:\sec"
log-path = "C:\Inetpub\scripts\IisProxy_%y%m%d.log"
data-path = "C:\Inetpub\scripts\IisProxy_%y%m%d.data"
================================================================================
Message was edited by: Vasudevan Gopalan
The extension-url piece on the XML has to match the file path where you put the iisproxy.dll file.
The <prefix> in the config source element has to match the name of the alias for the virtual folder that you created.
I have found (on IIS6 though) that iisproxy does not start up with the IIS until you browse to it. For example,
new virtual folder alias irj_proxy, file path c:\inetpub\scripts, store iisproxy.* there.
Then the extension-url CDATA "/scripts/IisProxy.dll" will match. IISPROXY has to be able to find its own dll.
Then this bit took me a while to catch on to
<config>
<source>
<protocol>http</protocol>
<host>localhost</host>
<prefix>/irj_proxy</prefix>
</source>
</config>
will let you browse to http://localhost/irj_proxy (assuming your web site is on port 80) and you should then see the configuration report from iisproxy.dll
You can also set debug-flags = -1 (it's a bit mask) to switch on more trace information that might help you. You can specify log-level and debug-flags in 3 places, for the extension, for the filter and for each mapping.
You should see from the trace or log files where the routing is breaking down.
Hope that helps
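The two matching rules from the reply above, as an added example (not part of the original thread and not SAP's code): a small Python check that compares IisProxy.xml with the IIS virtual directories. The function name, the `vdirs` and `dll_dir` inputs and the abbreviated sample config are assumptions made for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Default taken from the DTD in the post (filter/@extension-url).
DEFAULT_EXTENSION_URL = "/scripts/IisProxy.dll"

# Constructed sample: the <config> part of the posted IisProxy.xml, DTD omitted.
SAMPLE = """<ISAPI-config version="1.6">
  <filter name="IisProxy" authentication="forward" />
  <extension name="IisProxy" />
  <config>
    <source><protocol>http</protocol><host>localhost</host><prefix>/IisProxy</prefix></source>
    <source><protocol>https</protocol><host>localhost</host><prefix>/IisProxy</prefix></source>
  </config>
</ISAPI-config>"""


def _norm(path):
    """Compare Windows paths case-insensitively, whatever OS runs the check."""
    return ntpath.normcase(ntpath.normpath(path))


def check_config(xml_text, vdirs, dll_dir):
    """Return a list of mismatches between IisProxy.xml and the IIS setup.

    vdirs   -- {alias: physical path} of the IIS virtual directories (assumed input)
    dll_dir -- folder where iisproxy.dll was copied (assumed input)
    """
    aliases = {alias.lower(): _norm(path) for alias, path in vdirs.items()}
    root = ET.fromstring(xml_text)
    findings = []

    # 1. extension-url must resolve to the folder that holds the DLL.
    ext_url = root.find("filter").get("extension-url", DEFAULT_EXTENSION_URL)
    first_segment = ext_url.strip("/").split("/")[0].lower()
    if aliases.get(first_segment) != _norm(dll_dir):
        findings.append(f"extension-url {ext_url} does not map to {dll_dir}")

    # 2. every <config>/<source>/<prefix> must name a virtual directory alias.
    for prefix in root.findall("./config/source/prefix"):
        raw = (prefix.text or "").strip()
        if raw.strip("/").lower() not in aliases:
            findings.append(f"config prefix {raw} has no matching virtual directory")
    return findings
```

Run against the configuration from the question with the virtual folders from the reply, it reports the two `/IisProxy` prefixes; after changing them to `/irj_proxy` the list is empty.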
James,
the integrated Windows authentication does indeed only work via iisproxy if you are already authenticated on the local Windows domain (VPN or direct).
If you are not already authenticated, i.e. coming from the internet, the login module stack would take care of that and a login prompt should appear.
Stuart,
Thanks. Would the Login Module Stack be configured as such?
Is important the order to the modules:
Login Modules Flag Options
EvaluateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
HeaderVariableLoginModule OPTIONAL {ume.configuration.active=true, Header=<header_name>}
CreateTicketLoginModule SUFFICIENT {ume.configuration.active=true}
BasicPasswordLoginModule REQUISITE {}
CreateTicketLoginModule OPTIONAL {ume.configuration.active=true}
Would this not be a security risk in allowing an external (internet) user into the secured WAS/EP server behind the IIS Server?
Thanks.
James
It is only a security risk if you are letting those users directly access internal network file shares.
We have builders that we do business with that need to see PDF and DWG files. I have a repository for each builder in the Portal. Our drawing guys save their files on their server and I have it copied forwarded via DFS on Windows 2003. If they add or change a file it is copied to the directory on the Portal server. From there the builders have read-only rights to the files in the repository; they can't see or do anything else.
Stuart,
LAN users are authenticated by the Corporate Domain. I am speaking of External (Web) internet users logging into our https://FQDN (IIS) webserver link, which redirects to the WAS, which is not located in the DMZ, but behind another inner firewall.
James
Stuart,
SAP Passports work with Trust Center Service, which uses ITS, and SAP Workplace. Does this work for SR1?
http://help.sap.com/saphelp_nw04/helpdata/en/9e/f4073999eb5d72e10000000a11402f/frameset.htm
James
See:
This sounds more like SAP Note 734462:
https://websmp103.sap-ag.de/~sapidb/012006153200000213912004E.ITF
Do check the Microsoft link (also available in the note):
http://support.microsoft.com/default.aspx?scid=kb;en-us;820129
The value to change is UrlSegmentMaxLength (we changed it from 260 to 1000).
A restart of the whole server is required for the change to take effect (since it's a change to the registry).
Hope it helps,
Senthil