6

How would I configure IIS 7.0's ARR and URL Rewrite to reverse proxy based on a host?

For example:

http://website1.mydomain.com gets routed internally to internalserver\website1

http://website2.mydomain.com gets routed internally to internalserver2\website2

http://website3.mydomain.com gets routed internally to internalserver2 (default website)

FYI - The public DNS website1.mydomain.com and the rest are all actually pointing to the public IP of mydomain.com.

Note that this is not all the same server. There are multiple web servers INSIDE the firewall and one plain default web server whose port 80 and 443 are exposed to the outside. I have one IP Address and one domain name. Thus, since I have multiple web servers inside my firewall, I need to route hostname subdomains to different web servers on the inside.

Any detailed steps would help tremendously.

Matias Nino

3 Answers

6

Since you're relying on the domain name rather than IP (which is easier in this situation), here's the most straightforward way of doing this:

  • make sure that your outside-facing server has bindings for the 3 sites based on the host header (website1.mydomain.com, etc). You can leave the IP address as (All unassigned). You probably have this done already. -- Basically what I mean is to add a binding to the first site that is "website1.mydomain.com", and to the other two sites in a similar way. Here's a walkthrough on bindings.

  • create 2 Web Farms in ARR on the ARR server. One to internalserver and the other to internalserver2. Use the primary IPs of those servers. You can set up 3 different Web Farms if you want unique health checks for each website. It's ok that two of them point to the same server. -- Steps: Create a new Server Farm called InternalServer and add a single server to it, which is "internalserver". Then create another Server Farm called InternalServer2, and add just "internalserver2" to it.

  • on the last step of the wizard when creating the site, when it asks if you want ARR to create a rule for you, only say 'yes' the first time. Take note of the rule that it creates so that you can learn from it. Then delete it. You want to manage your own rules. -- I'll explain the rules in the next step.
  • you should then set 3 URL Rewrite rules at the global level (IIS Server node, not the website node). URL = .*, use a condition with {HTTP_HOST} for your domain name, and the action should route to the corresponding webfarm. -- Here's an intro to URL rewrite. Follow those steps and enter a rule like the one below:

Example URL Rewrite:

<rule name="site1" patternSyntax="ECMAScript" stopProcessing="true">
  <match url=".*" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern="^website1\.mydomain\.com$" />
  </conditions>
  <action type="Rewrite" url="http://InternalServer1/{R:0}" />
</rule>
Matias Nino
Scott Forsyth
  • I'm having a hard time following this. Can you add a little more detail and clarification to each step? – Matias Nino May 23 '11 at 21:06
  • Hi Matias. Sure, I'll edit my reply and add in more details. – Scott Forsyth May 24 '11 at 13:29
  • Scott - thank you for your explanation and clarifications. I watched the videos and did this step-by-step and got it working perfectly! I am ecstatic! You are THE MAN! – Matias Nino Sep 28 '11 at 18:22
  • As a slight corollary to this. Is ARR able to route NTLM authentication creds through https? Reason I ask is I am thinking of using this method to route Outlook Anywhere https traffic to an internal Exchange 2010 Client Access Server (CAS). – Matias Nino Dec 17 '11 at 05:31
  • 1
    @ScottForsyth-MVP - What's the reason to use a) Web Farms & b) Global Rewrite Rules? Does it offer any advantage over just having three URL Rewrite Rules on a WebSite? – Rory Oct 04 '20 at 20:35
  • 1
    @Rory, I agree, just a rule on the site would be easier to set up, and fully functional. I wrote my reply way back in '11 when I was spending more time on webfarms, so that's what was on my mind at the time, but I fully agree with you that it's overkill. Today I would recommend what you did, URL Rewrite rules directly on the site, without the webfarm component. – Scott Forsyth Oct 05 '20 at 02:42
  • Great, thanks for the info @ScottForsyth-MVP! – Rory Oct 05 '20 at 22:22
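
A way to dry-run host-based rules like the one in the answer above before deploying them, as an added example that is not part of the original answer or of IIS: it resolves a Host header to its rewrite target and flags host patterns that would match more names than intended. The site2 and site3 rules, the `/website2/` path and the deliberately loose site3 pattern are constructed assumptions, and Python's `re` stands in for the ECMAScript pattern syntax, which behaves the same for these simple patterns.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: site1 is the rule from the answer; site2 and site3 are assumed
# extensions, and site3 is deliberately written without anchors or escaped dots.
RULES_XML = r"""<globalRules>
  <rule name="site1" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{HTTP_HOST}" pattern="^website1\.mydomain\.com$" /></conditions>
    <action type="Rewrite" url="http://InternalServer1/{R:0}" />
  </rule>
  <rule name="site2" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{HTTP_HOST}" pattern="^website2\.mydomain\.com$" /></conditions>
    <action type="Rewrite" url="http://InternalServer2/website2/{R:0}" />
  </rule>
  <rule name="site3" patternSyntax="ECMAScript" stopProcessing="true">
    <match url=".*" />
    <conditions><add input="{HTTP_HOST}" pattern="website3.mydomain.com" /></conditions>
    <action type="Rewrite" url="http://InternalServer2/{R:0}" />
  </rule>
</globalRules>"""

def load_rules(xml_text):
    """Return (name, host_pattern, action_url) for each rule with an {HTTP_HOST} condition."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        for cond in rule.iter("add"):
            if cond.get("input") == "{HTTP_HOST}":
                rules.append((rule.get("name"), cond.get("pattern"), rule.find("action").get("url")))
    return rules

def route(host, path, rules):
    """First matching rule wins (stopProcessing); conditions ignore case by default.
    `path` has no leading slash, which is what {R:0} holds for match url=".*"."""
    for _name, pattern, url in rules:
        if re.search(pattern, host, re.IGNORECASE):
            return url.replace("{R:0}", path)
    return None  # no rule matched: the request stays on the outside-facing server

def loose_patterns(rules):
    """Names of rules whose host pattern is unanchored or leaves a dot unescaped."""
    return [name for name, pattern, _url in rules
            if not (pattern.startswith("^") and pattern.endswith("$"))
            or re.search(r"(?<!\\)\.", pattern)]
```

A Host header that carries a port, such as `website1.mydomain.com:8080`, does not match the anchored site1 pattern and falls through to no rule.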
1

If you are using a SonicWALL, you can do this:

  1. Create a Network>Address Object of the FQDN type on the WAN.
  2. Add a Network>NAT Policy to translate that Address Object to the internal web server.
  3. Add the rule under Firewall>Access Rules to allow HTTP traffic in to each server.

If you use a different firewall, see if you can do something similar with yours.

KCotreau
  • If only! I hoped this would work for us, but on a TZ100 running SonicOS Enhanced 5.9, the NAT Policy settings do not offer translation of FQDN Address Objects :( – Alex Leach Nov 08 '16 at 10:59
0

Since it's all on the same server, why not just create three separate web sites with bindings to the specified subdomains?

Hyppy
  • It's not all the same server. There are multiple web servers INSIDE the firewall. I have one IP Address and one domain name, but I have multiple web servers inside my firewall. I need to route hostname subdomains to different web servers on the inside. – Matias Nino May 23 '11 at 21:04