[stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

J. Michael Drew jmichaeldrew at hotmail.com
Tue Jun 21 01:00:57 CEST 2016


Jose,

I appreciate your patience.

Internet - Clients : 443 -> : https://website.company.com/website/

________Firewall___________

Web\Presentation Layer

2 Win 2012 Webservers (443) not currently connected to the production LB; application needs to work before connecting to LB. This configuration is the first time on a 64 bit OS… Win 2012.

IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:

_________Firewall\App Layer________

Port 9009

Connects to App server running Apache

Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.

Please let me know any other information you need.

Thank you again,

Michael


From: Jose Alf. [mailto:josealf at rocketmail.com] 
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

Michael,

Please take this in a constructive way. I am trying to help, but it looks like you need to do some reading and homework.

Please check http://catb.org/~esr/faqs/smart-questions.html

I suggest you draw a picture of your environment and explain well what you're trying to achieve. Show your client, your backend server, your stunnel server, include the IPs and ports they're listening on, and everything should be easier. Don't forget any firewalls that may be in the way.

Regards,

Jose.


From: J. Michael Drew <jmichaeldrew at hotmail.com>
To: 'Jose Alf.' <josealf at rocketmail.com> 
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

Hi Jose,

I made the changes you suggested, but I am still getting the same behavior.

My external address is: https://website.company.com/website

I am not adding any ports to the address.

Thanks so much for your help!

Michael


From: Jose Alf. [mailto:josealf at rocketmail.com] 
Sent: Monday, June 20, 2016 12:10 PM
To: J. Michael Drew; stunnel-users at stunnel.org
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

Michael,

I guess what you want to do is to be able to connect to your internal Webserver via your Win2012 stunnel proxy using a URL like:

https://yourwin2012dnsname:9001/

If that is correct, I suggest adjusting your configuration as follows:

1. Your stunnel mode must be server, not client. So adjust your service stanza as follows:

[CLI9F529A0A]
accept=9001
connect=10.xxx.xxx.xxx:9009
client=no

2. In your current configuration stunnel is listening only on the localhost IPv4 address (127.0.0.1). Therefore, you can only connect when you are logged on to the server; you can't connect from a remote client.

Hope this helps you clarify what's going on.

Regards,

Jose


From: J. Michael Drew [mailto:jmichaeldrew at hotmail.com] 
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit

Jose,

Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected.

Here are the log files from IIS and stunnel where stunnel is running as a service on the Windows 2012 server:

When I am not logged in to the server it fails:

#Software: Microsoft Internet Information Services 8.5

#Version: 1.0

#Date: 2016-06-20 00:30:21

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218

#Software: Microsoft Internet Information Services 8.5

#Version: 1.0

#Date: 2016-06-20 05:41:01

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500

2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46

2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218

2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62

2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62

2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296

Stunnel.conf:

cert = extwebsvr_ver.pem

; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Peer Authentication
verify = 2
CAfile = extwebsvr_root.pem

; Debug mode - useful for troubleshooting
debug = 7
output = stunnel.log

; Client mode
client = yes

; Setup tunnels to each EMS node
[CLIxxxxxxxx]
accept=127.0.0.1:9001
connect=10.xxx.xxx.xxx:9009

Stunnel.log:


2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients

2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform

2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015

2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())

2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf

2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized

2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized

2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected

2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]

2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG7[main]: Private key check succeeded

2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks

2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates

2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)

2016.06.20 09:17:39 LOG5[main]: Configuration successful

Thanks for your help,

Michael
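As an added example (not code from the thread or from the stunnel project), a small Python checker for the two points Jose raises in his reply above, client mode and the loopback-only accept address, together with the checkHost/checkIP warning that the stunnel log above prints for verify = 2. Both sample configurations are constructed from the posted stunnel.conf; the checkHost value "app.internal.example" is an assumed placeholder for the backend certificate name.

```python
import re
# Constructed from the stunnel.conf posted in the thread (addresses already masked).
ORIGINAL_CONF = """
verify = 2
CAfile = extwebsvr_root.pem
client = yes
[CLI9F529A0A]
accept=127.0.0.1:9001
connect=10.xxx.xxx.xxx:9009
"""

# Jose's two corrections applied, plus checkHost as the log advises ("app.internal.example" is an assumed placeholder).
FIXED_CONF = """
verify = 2
CAfile = extwebsvr_root.pem
checkHost = app.internal.example
[CLI9F529A0A]
accept=9001
connect=10.xxx.xxx.xxx:9009
client=no
"""

def parse_conf(text):
    """Return (global options, {service: options}); repeated keys keep every value."""
    glob, services = {}, {}
    current = glob
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()               # ';' starts a comment
        if sect := re.fullmatch(r"\[(.+)\]", line):
            current = services.setdefault(sect.group(1), {})
        elif line:
            key, _, val = line.partition("=")
            current.setdefault(key.strip().lower(), []).append(val.strip())
    return glob, services

def lint_conf(text):
    """One finding per problem; an empty list means the thread's three issues are absent."""
    glob, services = parse_conf(text)
    findings = []
    for name, opts in services.items():
        eff = {**glob, **opts}                              # service keys override global
        if eff.get("client", ["no"])[-1].lower() == "yes":
            findings.append(f"[{name}] client=yes: accepts plaintext; use client=no to accept TLS from remote clients")
        for acc in eff.get("accept", []):
            host = acc.rsplit(":", 1)[0].strip("[]") if ":" in acc else ""
            if host in ("127.0.0.1", "localhost", "::1"):
                findings.append(f"[{name}] accept={acc}: loopback only, remote clients cannot connect")
        if eff.get("verify", ["0"])[-1] == "2" and not (eff.get("checkhost") or eff.get("checkip")):
            findings.append(f"[{name}] verify=2 without checkHost/checkIP: any cert signed by CAfile is trusted")
    return findings
```

Running lint_conf over ORIGINAL_CONF reports all three findings, and over FIXED_CONF reports none.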

From: Josealf.rm [mailto:josealf at rocketmail.com] 
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit

Michael,

Is your stunnel running as a service?

Please post sanitized logs and configuration for a better diagnostic ...

Regards

Jose

On 20 Jun 2016, at 6:39, J. Michael Drew <jmichaeldrew at hotmail.com> wrote:

Hi,

I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.

Can someone help me?

Sincere thanks,

Michael

_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

