Strange HTTP Redirect / DMZ IIS
- We have a fairly large new IIS server (Win 2008 x64) that hosts a number of websites (replacing a 2003 box behind a PIX). We have a BUNCH of "HTTP redirects" set up at the IIS level and also some in META code. We just moved this server behind an ISA 2006 firewall (in the DMZ) and now none of the redirects work. For instance, if I hit a site www.domainA.com which has an HTTP redirect to www.DomainB.com, and both of these sites are on the same server, then a few thousand requests start looping for DomainA.com. We think this behavior is related to host headers not passing around properly.
ISA shows an HTTP status code of 304 Not Modified and error info 0x580.
I also see the following entries related to cache.
0x40801012 (Request includes the IF-MODIFIED-SINCE header. Request includes the VIA header. Request includes the IF-NONE-MATCH header. Response includes the LAST-MODIFIED header. Response should not be cached.)
There are no deny actions reported in the log just thousands of "allow connection" over and over again.
The browser received this message from the ISA server.
Error Code: 500 Internal Server Error. The number of HTTP requests per minute exceeded the configured limit. Contact the server administrator. (12219)
We need to know how to fix this. I know I could create a rule to deny www.domainA.com and then send the request to www.domainB.com; however, we need to do this at the server for many reasons. It was never an issue when we used a PIX firewall and Windows 2003. Detailed help would be great. Thanks
All Replies
- For the redirects, you'll want to have a read here: http://technet.microsoft.com/en-us/library/bb794742.aspx.
Specifically, cross-domain link translation...
For the HTTP requests per second issue, you'll want to have a read in http://technet.microsoft.com/en-us/library/bb838988.aspx; specifically the part relating to "exceptions".
Jim Harrison, Forefront Edge CS (proposed as answer by Nick Gu - MSFT, Moderator, Wednesday, October 28, 2009 7:02 AM)
- I have read through that; however, I am still a little confused. Let me explain in a little better detail how our setup works. We are not worried about inside names vs. public names. There is no split DNS.
1 isa 2006 server with 3 NICS
NIC 1 public ip 12.12.12.12
NIC 2 DMZ ip 10.10.10.10
NIC 3 Private ip 192.168.1.1
Webserver 1 NIC ip 10.10.10.20
Webserver: 3 websites, all on the same IP and the same port
www.domainA.com
www.domainB.com
123.domainA.com
Another Public web farm in another datacenter 12.12.1.1 (www.domainF.com)
1 web publishing rule in ISA
From Anywhere to 10.10.10.20 [forward original hostheader] [request appear to come from client]
Rule applies to request for the following websites:
www.domainA.com
www.domainB.com
123.domainA.com
Web listener on 12.12.12.12
Public DNS for all 3 websites goes to 12.12.12.12
The IIS server is set up such that requests for:
www.domainA.com should do an http redirect to www.domainF.com in the other datacenter
123.domainA.com\* should do an http redirect to www.domainB.com\CompanyB-bought-companyA\ on the same webserver {need for directory redirection functionality not just hosthead combining}
This sums up a few of the scenarios we are trying to get around. All of this works with no special tricks on Win 2003 and Cisco PIX. The sites on IIS are set up exactly the same except for the upgrade in server/IIS version to 2008. ISA is what I believe is giving me the hassle. All of these scenarios cause the system to loop, internal redirect and external.
- You still need to get familiar with the Link Translation concepts.
All content provided by the published server is processed by Link Translation; even a 30x response.
If the web publishing rule accepted a request for www.domaina.com and the redirect sent www.domainf.com, LT will change it to read www.domaina.com.
You'll need to create a LT mapping as:
replace: www.domainf.com
with: www.domainf.com
If you want to move the redirect to ISA, you can create a deny web publishing rule that accepts traffic for www.domaina.com and redirects to www.domainb.com/companyb-bought-companya.
This way, the web server need not bother with this and you avoid all that LT madness....
Jim Harrison, Forefront Edge CS (proposed as answer by Jim Harrison IsaDewd, Tuesday, November 03, 2009 12:15 AM)
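To make the Link Translation point concrete, here is an added simulation (not ISA code and not from anyone in this thread) of the behaviour Jim describes: a 30x Location header from the published IIS server is rewritten to the host name the publishing rule accepted unless an explicit LT mapping covers the target host. Host names and redirect targets come from the thread; the rewrite rule and the client loop are simplifying assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

def iis_response(host):
    """Constructed model of the IIS setup described in the thread:
    returns (status, Location) for a request carrying this host header."""
    if host == "www.domaina.com":
        return 302, "http://www.domainf.com/"          # other datacenter
    if host == "123.domaina.com":
        return 302, "http://www.domainb.com/CompanyB-bought-companyA/"
    return 200, None                                    # served directly

def link_translate(location, accepted_host, explicit_mappings):
    """Assumed LT behaviour for this thread: an explicit mapping wins;
    otherwise any host other than the one the rule accepted is treated as
    an internal name and replaced with the accepted public name, which is
    exactly what turns the redirect back on itself."""
    parts = urlsplit(location)
    host = parts.hostname
    if host in explicit_mappings:
        new_host = explicit_mappings[host]
    elif host != accepted_host:
        new_host = accepted_host
    else:
        new_host = host
    return urlunsplit(parts._replace(netloc=new_host))

def follow_redirects(start_host, explicit_mappings, max_hops=10):
    """Client's view through ISA. Returns (final_host, hops, looped)."""
    host, seen = start_host, []
    for hop in range(max_hops):
        seen.append(host)
        status, location = iis_response(host)
        if status != 302:
            return host, hop, False
        location = link_translate(location, host, explicit_mappings)
        host = urlsplit(location).hostname
        if host in seen:               # redirect came back to a host we left
            return host, hop + 1, True
    return host, max_hops, True

# Identity mappings, as Jim suggests ("replace: www.domainf.com with:
# www.domainf.com"), stop LT from touching the redirect target.
FIX = {"www.domainf.com": "www.domainf.com",
       "www.domainb.com": "www.domainb.com"}

if __name__ == "__main__":
    print("no mapping :", follow_redirects("www.domaina.com", {}))
    print("with mapping:", follow_redirects("www.domaina.com", FIX))
```

Running it shows the first call looping back to www.domaina.com after one hop and the second landing on www.domainf.com, which is the difference the LT mapping makes.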