[stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
J. Michael Drew
jmichaeldrew at hotmail.com
Tue Jun 21 01:00:57 CEST 2016
.Jose,
I appreciate your patience.
Internet - Clients : 443 -> : https://website.company.com/website/
________Firewall___________
Web\Presentation Layer
2 Win 2012 Webservers (443) not currently connected to the production LB, application needs to work before connecting to LB. This configuration is first time on 64 bit OS… Win 2012.
IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:
_________Firewall\App Layer________
Port 9009
Connects to App server running Apache
Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.
Please let me know any other information you need.
Thank you again,
Michael
From: Jose Alf. [mailto:josealf at rocketmail.com]
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Michael,
Please take this in constructive way. I am trying to help, but it looks like you need to do some reading and homework.
Please check http://catb.org/~esr/faqs/smart-questions.html <http://catb.org/%7Eesr/faqs/smart-questions.html>
I suggest you draw a picture of your environment and explain well what you're trying to achieve. Show your client, your backend server, your stunnel server, include the IPs and ports they're listening to and everything should be easier. Don't forget any firewalls thay may be in the way.
Regards,
Jose.
_____
From: J. Michael Drew <jmichaeldrew at hotmail.com>
To: 'Jose Alf.' <josealf at rocketmail.com>
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Hi Jose,
I made the changes you suggested, but I am still getting the same behavior.
My external address is: https://website.company.com/website
I am not adding any ports to the address.
Thanks so much for your help!
Michael
From: Jose Alf. [mailto:josealf at rocketmail.com]
Sent: Monday, June 20, 2016 12:10 PM
To: J. Michael Drew; stunnel-users at stunnel.org
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Michael,
I guess what you want to do is to be able to connect to your internal Webserver via your Win2012 stunnel proxy using a URL like:
https://yourwin2012dnsname:9001/ <https://yourwin2012dnsname:9009/>
if that is correct, I suggest to adjust your configuration as follows:
1. Your stunnel mode must be server, not client. So adjust your service stanza as follows:
[CLI9F529A0A]
accept=9001
connect=10.xxx.xxx.xxx:9009
client=no
2. In your current configuration stunnel is listening only in the localhost ipv4 address (127.0.0.1). Therefore, you can only connect when you are logged on the server, you can't connect from a remote client.
Hope this helps you clarify what's going on.
Regards,
Jose
From: J. Michael Drew [mailto:jmichaeldrew at hotmail.com]
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit
Jose,
Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected.
Here are the log files from IIS and stunnel where stunnel is running as a service on the Windows 2012 server:
When I am not logged in to the server it fails:
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 00:30:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 05:41:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218
2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296
Stunell.conf:
cert = extwebsvr_ver.pem
; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Peer Authentication
verify = 2
CAfile = extwebsvr_root.pem
; Debug mode - useful for troubleshooting
debug = 7
output = stunnel.log
; Client mode
client = yes
; Setup tunnels to each EMS node
[CLIxxxxxxxx)]
accept=127.0.0.1:9001
connect=10.xxx.xxx.xxx:9009
Stunnel.log:
2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients
2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform
2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015
2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())
2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf
2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized
2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized
2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected
2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]
2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG7[main]: Private key check succeeded
2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks
2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.06.20 09:17:39 LOG5[main]: Configuration successful
Thanks for your help,
Michael
From: Josealf.rm [mailto:josealf at rocketmail.com]
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Cc: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit
Michael,
Is your stunnel running as a service?
Please post sanitized logs and configuration for a better diagnostic ...
Regards
Jose
El 20 jun 2016, a las 6:39, J. Michael Drew <jmichaeldrew at hotmail.com> escribió:
Hi,
I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.
Can someone help me?
Sincere thanks,
Michael
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
_______________________________________________
stunnel-users mailing list
stunnel-users at stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20160620/eb847020/attachment.html>
More information about the stunnel-users
mailing list