Overview

A reverse proxy retrieves and serves content from another web server. This eliminates the need for the web server to be exposed directly to clients, as all traffic appears to originate from the reverse proxy. Reverse proxies can be implemented in a DMZ to allow web resources to be accessed publicly while keeping the actual backend server(s) unexposed on a secure network.

 

Prerequisites

  • A functioning FTK Central installation
  • FTK Central must be using a valid HTTPS certificate (self-signed is OK)
  • A Windows Server (2012 R2 or newer), with access to browse FTK Central (typically over port 4443), to act as Reverse Proxy
  • A certificate, signed by a trusted CA and issued to the Reverse Proxy server

 

Procedure

On the Reverse Proxy machine:

  1. Confirm that you can navigate to the FTK Central URL without receiving any certificate warnings (you may need to install the certificate to the Reverse Proxy server's Trusted Root Certification Authorities certificate store).
  2. Install IIS:
    1. Open Server Manager.
    2. In the Dashboard, click Add roles and features.
    3. On the Installation Type page, select Role-based or feature-based installation and click Next.
    4. On the Server Selection page, select the local server and click Next.
    5. On the Server Roles page, check Web Server (IIS).
    6. Accept adding any additional features required for Web Server (IIS), then click Next.
    7. Continue accepting defaults and clicking Next.
    8. On the Confirmation page, click Install and wait for the installation to complete.
    9. Confirm IIS is working by browsing to http://localhost to see the IIS Start page.
  3. Download and install the IIS URL Rewrite extension from http://www.iis.net/downloads/microsoft/url-rewrite.
  4. Download and install the IIS Application Request Routing extension from https://www.iis.net/downloads/microsoft/application-request-routing.
  5. Open Internet Information Services (IIS) Manager from the Windows Administrative Tools program group.
  6. Highlight your server under the Connections tree on the left.
  7. Double-click Application Request Routing Cache.
  8. Under Actions on the right, click Server Proxy Settings.
  9. At the Application Request Routing dialog, check Enable proxy and click Apply on the right.
  10. Expand your server name and Sites under the Connections tree on the left.
  11. Click Default Web Site.
  12. Double-click URL Rewrite.
  13. Under Actions on the right, click Add Rule(s).
  14. Under Inbound rules, double-click Blank rule.
  15. At the Edit Inbound Rule dialog, complete the following and click Apply on the right:
    Name: Any friendly name
    Requested URL: Matches the Pattern
    Using: Regular Expressions
    Pattern: (.*)
    Action type: Rewrite
    Rewrite URL: <FTKCentralURL>/{R:0}
    Append query string: Checked
    Note: The base URL of the Rewrite URL must match the FTK Central certificate's Issued To name.
  16. Under the Connections tree on the left, right-click Default Web Site and select Edit Bindings.
  17. Click Add.
  18. Set the Type to https, select the SSL certificate issued to the Reverse Proxy machine, and click OK.
    Note: We do not recommend a publicly exposed Reverse Proxy without using HTTPS and a valid certificate signed by your CA.
  19. Select the existing http binding and click Remove.
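
A scripted equivalent of steps 1 and 8 through 19, given here as an added example and not as vendor-supplied code. The FTK Central URL, the proxy host name, TLS 1.2 on the backend, and ports 443 and 80 for the bindings are assumptions to replace with your own values; IIS, URL Rewrite and Application Request Routing must already be installed (steps 2 to 4).

```powershell
# Added example: run in an elevated PowerShell session on the Reverse Proxy machine.
Import-Module WebAdministration

# Assumed placeholder values; replace with your own.
$FtkCentralUrl = 'https://ftkcentral.example.internal:4443'  # host must match the backend certificate's Issued To name
$ProxyFqdn     = 'proxy.example.com'                         # subject of the CA-signed proxy certificate
$Site          = 'Default Web Site'
$RuleName      = 'FTK Central reverse proxy'
$SitePath      = "IIS:\Sites\$Site"
$RuleFilter    = "system.webServer/rewrite/rules/rule[@name='$RuleName']"

# Step 1: stop early if this machine does not trust the FTK Central certificate.
# AuthenticateAsClient throws when chain or name validation fails (TLS 1.2 assumed).
$uri = [Uri]$FtkCentralUrl
$tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($uri.Host, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
} finally { $tcp.Close() }

# Steps 8-9: enable the ARR proxy at server level.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/proxy' -Name 'enabled' -Value 'True'

# Steps 13-15: inbound rule, pattern (.*) rewritten to <FTKCentralURL>/{R:0}.
Add-WebConfigurationProperty -PSPath $SitePath -Filter 'system.webServer/rewrite/rules' -Name '.' -Value @{ name = $RuleName; patternSyntax = 'ECMAScript' }
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/match"  -Name 'url'  -Value '(.*)'
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name 'url'  -Value "$FtkCentralUrl/{R:0}"
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name 'appendQueryString' -Value 'True'

# Steps 16-18: bind https using the unexpired certificate issued to the proxy.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$ProxyFqdn*" -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No unexpired certificate for $ProxyFqdn in LocalMachine\My" }
New-WebBinding -Name $Site -Protocol https -Port 443
(Get-WebBinding -Name $Site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# Step 19: remove the plain http binding so the proxy is reachable over HTTPS only.
Remove-WebBinding -Name $Site -Protocol http -Port 80

# Check the result: only an https binding should be listed.
Get-WebBinding -Name $Site | Select-Object protocol, bindingInformation
```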