Configure a reverse proxy - IIS

This section contains the procedure describing how to configure a reverse proxy using an IIS web server. Procedures describing steps that are performed in products other than OMi are for example purposes only.

Note Securing access to the reverse proxy should be performed as part of the Hardening Workflow. For details, see Hardening Workflow.

Configure IIS to work as a reverse proxy

This procedure may differ depending on your version of IIS.

For example:

  1. Install the Application Request Routing (ARR) extension. For details, see http://www.iis.net/downloads/microsoft/application-request-routing.

  2. Open the IIS Manager.

  3. Create a new IIS website, or use the default website.

  4. Create a new IIS Server Farm named OMi.

    1. Add a new server to the farm with the IP of your OMi gateway server.

    2. When prompted, allow it to create a URL rewrite rule.

  5. Enable IIS to function as a proxy.

    1. Select the main tree node (server name) > Application Request Routing Cache > Server Proxy Settings.

    2. Check the Enable proxy box.

    3. Set the HTTP version to Pass through.

    4. Check the Reverse rewrite host in response headers box.

    5. Click Apply.

  6. Verify reverse proxy points to OMi

    Go to http://<Reverse Proxy FQDN>/topaz and verify that you see the OMi log-in page. At this point, if you enter your credentials you will see an empty page, because OMi is not yet configured to work with a reverse proxy.

Configure IIS reverse proxy to work with TLS

Note Securing access to the reverse proxy should be performed as part of the Hardening Workflow. For details, see Hardening Workflow.

  1. Establish trust on the reverse proxy to the CA that issued the server certificate

    Import the CA root certificate of the authority that issued the server certificate for this server into the computer truststore using mmc.

    For example:

    1. From the reverse proxy, open the Microsoft Management Console (Run > mmc).

    2. Add a snapin (File > Add / Remove snapin).

    3. Select Certificates and click Add.

    4. Select Computer Account and click Next.

    5. Select Local Computer and click Finish.

    6. Click OK.

    7. Import the certificate

      Import ca.cer into the Trusted Root Certificate Authorities list.

  2. Import the server certificate to the Microsoft Management Console

    Import the server certificate you obtained earlier into Personal > Certificates in the Microsoft Management Console.

  3. Enable TLS on IIS

    For example:

    1. In the IIS Manager, select your website.

    2. In the actions pane, select Bindings.

    3. Add an HTTPS binding for port 443.

    4. Specify your server certificate in the SSL Certificate field.

  4. Configure the Reverse Proxy to Require TLS

    For example:

    1. In the IIS Manager, select your website, and select SSL settings.

    2. Select the Require SSL check box.

  5. Configure TLS Offloading

    If your TLS terminates on the reverse proxy, perform the following steps:

    1. Run the following command to configure IIS to allow large data samples (1 MB) to pass through:

      C:\Windows\System32\inetsrv>appcmd.exe set config -section:system.webserver/serverruntime /uploadreadaheadsize:1048576 /commit:apphost

    2. In the IIS Manager, select the main tree node (server name) > Application Request Routing Cache > Server Proxy Settings.

    3. Check the Enable SSL offloading check box.

Configure IIS to require client authentication - optional

  1. Recreate the TLS binding to enable client negotiation

    The previous binding will function, but may have performance issues. This binding enables negotiation, thereby increasing performance when using client authentication.

    1. Remove the current binding using the IIS Manager user interface.

    2. Run the following commands from the IIS server:

      c:\windows\system32\inetsrv\appcmd set site /site.name:"Default Web Site" /+bindings.[protocol='https',bindingInformation='*:443:']

      netsh http add sslcert ipport=0.0.0.0:443 certhash=<your server certificate hash> appid={00112233-4455-6677-8899-AABBCCDDEEFF} clientcertnegotiation=enable

      Note You can find the certificate hash from mmc by viewing the thumbprint in the details of the certificate.

  2. Configure the Reverse Proxy to Require a Client Certificate

    For example:

    1. In the IIS Manager, select your website, and select SSL settings.

    2. In Client certificates, select Require.

  3. Specify the header the reverse proxy passes to OMi for client certificate authentication in base64 format

    For example:

    1. From the IIS manager, select your farm and select Proxy.

    2. Select the Reverse rewrite host in response headers check box.

    3. In the Forward encoded client certificate in the following header field, enter the header name CLIENT_CERT_HEADER.

    4. Click Apply.
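The three procedures above (reverse proxy, TLS, optional client authentication) are performed in the IIS Manager, which makes it easy to miss one setting. The following PowerShell script is an added example, not part of the OMi documentation: it reads the resulting IIS, ARR, certificate store and HTTP.sys state back and lists every deviation from the procedure. It assumes an elevated PowerShell on the reverse proxy with the WebAdministration module and ARR installed; the site name and farm name are placeholders for your own values, and the ARR configuration attribute names are taken from applicationHost.config.

```powershell
# Added example (not from the OMi documentation): read back the IIS/ARR settings
# that the procedures above configure and list every deviation, so the proxy
# can be re-checked after changes. Assumptions: elevated PowerShell on the
# reverse proxy, IIS with the WebAdministration module and ARR installed;
# $SiteName and $FarmName are placeholders for your own names.
param(
    [string]$SiteName = 'Default Web Site',   # assumption: site used for the proxy
    [string]$FarmName = 'OMi'                 # farm name used in the procedure
)
Import-Module WebAdministration

function Test-OmiReverseProxy {
    param([string]$Site, [string]$Farm)
    $appHost  = 'MACHINE/WEBROOT/APPHOST'
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. ARR server proxy settings (Server Proxy Settings in IIS Manager)
    $proxy = Get-WebConfiguration -PSPath $appHost -Filter 'system.webServer/proxy'
    if (-not $proxy.enabled) { $findings.Add('ARR proxy is not enabled') }
    if ($proxy.httpVersion -ne 'PassThrough') {
        $findings.Add("HTTP version is '$($proxy.httpVersion)', expected PassThrough")
    }
    if (-not $proxy.reverseRewriteHostInResponseHeaders) {
        $findings.Add('Reverse rewrite host in response headers is not enabled')
    }

    # 2. The server farm exists and has at least one server (the OMi gateway)
    $servers = Get-WebConfiguration -PSPath $appHost -Filter "webFarms/webFarm[@name='$Farm']/server"
    if (-not $servers) { $findings.Add("Server farm '$Farm' is missing or has no servers") }

    # 3. HTTPS binding on 443 and Require SSL on the site
    $https = Get-WebBinding -Name $Site -Protocol https |
             Where-Object { $_.bindingInformation -like '*:443:*' }
    if (-not $https) { $findings.Add("Site '$Site' has no HTTPS binding on port 443") }
    $raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
               -Filter 'system.webServer/security/access' -Name sslFlags
    $sslFlags = if ($null -ne $raw.Value) { [string]$raw.Value } else { [string]$raw }
    if ($sslFlags -notmatch '\bSsl\b') { $findings.Add('Require SSL is not set on the site') }
    # Client certificates are optional in the procedure, so only record the state
    $clientCertRequired = [bool]($sslFlags -match 'SslRequireCert')

    # 4. Server certificate referenced by the binding: present in LocalMachine\My
    #    and chaining to a root in the computer truststore (TLS step 1)
    if ($https) {
        $thumb = ($https | Select-Object -First 1).certificateHash
        $cert  = Get-ChildItem "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if (-not $cert) {
            $findings.Add("Binding certificate $thumb not found in LocalMachine\My")
        } else {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            if (-not $chain.Build($cert)) {
                $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
                $findings.Add("Certificate chain does not build: $status")
            }
        }
    }

    # 5. HTTP.sys SSL binding: client certificate negotiation (netsh step)
    $sslcert = (netsh http show sslcert ipport=0.0.0.0:443) -join "`n"
    $negotiation = [bool]($sslcert -match 'Negotiate Client Certificate\s*:\s*Enabled')
    if ($clientCertRequired -and -not $negotiation) {
        $findings.Add('Client certificates are required but clientcertnegotiation is not enabled')
    }

    # 6. Request read-ahead size from the TLS offloading step (1 MB)
    $raw = Get-WebConfigurationProperty -PSPath $appHost `
               -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize
    $readAhead = if ($null -ne $raw.Value) { [int]$raw.Value } else { [int]$raw }
    if ($readAhead -lt 1048576) { $findings.Add("uploadReadAheadSize is $readAhead, expected 1048576") }

    [pscustomobject]@{
        Site                  = $Site
        ClientCertRequired    = $clientCertRequired
        ClientCertNegotiation = $negotiation
        Findings              = $findings
        Ok                    = ($findings.Count -eq 0)
    }
}

Test-OmiReverseProxy -Site $SiteName -Farm $FarmName | Format-List
```

Run it once after the reverse proxy procedure (expect findings about TLS), again after the TLS procedure, and a third time after enabling client authentication; an empty Findings list with ClientCertRequired and ClientCertNegotiation both true is the fully configured state. The chain check only proves that the CA root was imported into the computer truststore; it does not test the connection to the OMi gateway, which the /topaz check above covers.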

Additional required configurations

  1. Install Visual C++ dll

    Install Visual C++ redistributable package on the reverse proxy. For details, see http://answers.microsoft.com/en-us/windows/forum/windows_7-windows_programs/trying-to-open-computer-management-the-program/5c9d301a-2191-4edb-916e-5e4958558090.

  2. Install L-Core/BBC on the IIS SRP:

    Copy HPSharedComp.msi from the packages folder on the OMi installation DVD to the SRP system and install by double-clicking.

  3. On the IIS SRP run the following command:

    ovc -start

  4. On the IIS SRP run the following command:

    netstat -an

    Select a port NOT in use. This selected free port is referenced in the next lines as <port>.

  5. In a command shell on the IIS SRP run the following command:

    ovconfchg -ns sec.cm.client -set CERTIFICATE_SERVER <FQDN of OMi GW Server or Load Balancer if you have one>

  6. In a command shell on the IIS SRP run the following command:

    ovcert -certreq

  7. On OMi grant the certificate request:

    1. In the OMi UI navigate to Administration > Setup and Maintenance > Certificate Requests and grant the certificate request from the IIS SRP.

      Alternatively you can perform this procedure in the command line as follows:

      On the data processing server, run ovcm -listpending. Then run ovcm -grant <ID>, where <ID> is the request ID returned by the previous command.

    2. Verify that the certificate is installed correctly by running the following command on the IIS SRP:

      ovcert -list

      If the list is not empty the certificate was installed successfully.

  8. On the IIS SRP, run the following commands, where <RP FQDN> is the FQDN of the IIS SRP server and <RP short hostname> is its short hostname:

    ovconfchg -ns bbc.rcp -set SERVER_PORT <port>

    For example: ovconfchg -ns bbc.rcp -set SERVER_PORT 9383

    ovconfchg -ns bbc.http -set PROXY <RP FQDN>:<port>+(*)-(<RP FQDN>,<RP short hostname>)

    For example: ovconfchg -ns bbc.http -set PROXY myrp.mydomain.com:9383+(*)-(myrp.mydomain.com,myrp)

    Note: use the same port as in the previous command.

    ovcreg -add "%OVDATADIR%\conf\bbc\ovbbcrcp.xml"

    ovc -start

  9. On all OMi gateway servers, run the following commands:

    ovconfchg -ns bbc.cb -set ENABLE_REVERSE_ADMIN_CHANNELS true

    ovconfchg -ns bbc.cb -set RC_CHANNELS <RP FQDN>:<port>

    ovconfchg -ns bbc.http -set PROXY <RP FQDN>:<port>+(*)-(<RP FQDN>,<RP short hostname>,<DPS FQDN>,<DPS short hostname>)

    Note: use the same port as in the previous steps.

  10. On every server that will remotely connect to the OMi environment, run the following commands, depending on whether that system connects as a server or as an agent:

    • For "Server" connections (like OM or OMi) run the following commands:

      ovconfchg -ns bbc.cb -set ENABLE_REVERSE_ADMIN_CHANNELS true

      ovconfchg -ns bbc.cb -set RC_CHANNELS <RP FQDN>:<port>

      ovconfchg -ns bbc.http -set PROXY <RP FQDN>:<port>+(*)-(<RP FQDN>,<RP short hostname>)

    • For “Agent” connections (like HPE Operations Agent, SiteScope (event integration), OpsCx), run the following commands:

      ovconfchg -ns bbc.cb -set ENABLE_REVERSE_ADMIN_CHANNELS true

      ovconfchg -ns bbc.cb -set RC_CHANNELS <RP FQDN>:<port>

      ovconfchg -ns bbc.http -set PROXY <RP FQDN>:<port>+(*)-(<RP FQDN>,<RP short hostname>)

      Configure the agent according to the relevant documentation (HPE Operations Agent, SiteScope, OpsCx) to obtain the relevant certificates. If this does not work, use the following procedure to manually install the certificates on the agent system:

      1. On the agent node, run the following command:

        ovcoreid

        Remember the output. We will refer to the output in the next few steps as <CoreID>.

      2. On the OMi data processing server, run the following command:

        ovcm -issue -file <nodename>.cer -node <FQDN of agent node> -coreid <CoreID>

        Select a password and remember it.

      3. Copy the created file to the agent node.

      4. On the agent node run the following command:

        ovcert -importcert -file <nodename>.cer

        Provide the password you selected earlier.

    All message targets on these systems should target the load balancer if it exists, or specify one OMi gateway server.

    For example, in the flex manager forwarding policy of the OM system, the forwarding target must be OPCMGR IP 0.0.0.0 "<OMi GW Server>", or "<Load Balancer>" if available.

  11. Verify that the configuration was successful.

    1. On an OMi gateway server run the following command:

      bbcutil -ping <FQDN of SiS, Operations Connector, OM, HPE Operations Agent>

    2. On a remote system (SiteScope, OpsCx, HPE Operations Agent) run the following command:

      bbcutil -ping <FQDN of OMi GW server or Load Balancer if used>

    Each command should return eServiceOK if the configuration was successful.
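Steps 8 to 11 repeat the same port and the same PROXY pattern on the IIS SRP, the gateways and every remote system, and a single typo in one of them silently breaks the reverse channel. The following PowerShell script is an added example and not part of the OMi documentation: it picks a free port (the netstat step), derives the command set for the role of the machine it runs on, and checks the result with bbcutil -ping. It assumes ovconfchg, ovcreg, ovc and bbcutil are on PATH (installed with HPSharedComp.msi); the host names and the port range it scans are placeholders.

```powershell
# Added example (not from the OMi documentation): derive the bbc.rcp / bbc.http
# values of steps 8 to 10 from the reverse proxy name and one free port, so the
# same port ends up on every system, then check connectivity with bbcutil -ping.
# Assumptions: ovconfchg, ovcreg, ovc and bbcutil are on PATH (installed with
# HPSharedComp.msi); the host names below are placeholders.
param(
    [string]$RpFqdn  = 'myrp.mydomain.com',        # placeholder reverse proxy FQDN
    [string]$DpsFqdn = 'dps.mydomain.com',         # placeholder OMi data processing server
    [ValidateSet('Srp','Gateway','Server','Agent')]
    [string]$Role = 'Srp',                         # which system this script runs on
    [int]$Port = 0,                                # 0: pick a free port (step 4)
    [switch]$Apply                                 # without -Apply only print the commands
)

function Get-FreeTcpPort {
    # Replaces the manual "netstat -an and pick a port not in use" step.
    param([int]$Start = 9383, [int]$End = 9999)    # assumption: range to scan
    $inUse = (Get-NetTCPConnection).LocalPort
    foreach ($p in $Start..$End) { if ($inUse -notcontains $p) { return $p } }
    throw "No free TCP port between $Start and $End"
}

function New-BbcProxyValue {
    # Builds <RP FQDN>:<port>+(*)-(<hosts that bypass the proxy>)
    param([string]$Fqdn, [int]$Port, [string[]]$Bypass)
    "${Fqdn}:${Port}+(*)-($($Bypass -join ','))"
}

function Get-BbcCommands {
    param([string]$Role, [string]$RpFqdn, [string]$DpsFqdn, [int]$Port)
    $rpShort  = $RpFqdn.Split('.')[0]
    $dpsShort = $DpsFqdn.Split('.')[0]
    switch ($Role) {
        'Srp' {
            # Step 8: the reverse proxy itself runs the reverse channel proxy (ovbbcrcp)
            @("ovconfchg -ns bbc.rcp -set SERVER_PORT $Port",
              "ovconfchg -ns bbc.http -set PROXY $(New-BbcProxyValue $RpFqdn $Port @($RpFqdn,$rpShort))",
              'ovcreg -add "%OVDATADIR%\conf\bbc\ovbbcrcp.xml"',
              'ovc -start')
        }
        'Gateway' {
            # Step 9: gateways also bypass the proxy for the data processing server
            @('ovconfchg -ns bbc.cb -set ENABLE_REVERSE_ADMIN_CHANNELS true',
              "ovconfchg -ns bbc.cb -set RC_CHANNELS ${RpFqdn}:${Port}",
              "ovconfchg -ns bbc.http -set PROXY $(New-BbcProxyValue $RpFqdn $Port @($RpFqdn,$rpShort,$DpsFqdn,$dpsShort))")
        }
        default {
            # Step 10: remote servers and agents use the same three settings
            @('ovconfchg -ns bbc.cb -set ENABLE_REVERSE_ADMIN_CHANNELS true',
              "ovconfchg -ns bbc.cb -set RC_CHANNELS ${RpFqdn}:${Port}",
              "ovconfchg -ns bbc.http -set PROXY $(New-BbcProxyValue $RpFqdn $Port @($RpFqdn,$rpShort))")
        }
    }
}

function Test-BbcPing {
    # Step 11: every target must answer eServiceOK
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        $out = (& bbcutil -ping $t 2>&1) -join "`n"
        [pscustomobject]@{ Target = $t; Ok = [bool]($out -match 'eServiceOK'); Output = $out }
    }
}

if ($Port -eq 0) { $Port = Get-FreeTcpPort }
$commands = Get-BbcCommands -Role $Role -RpFqdn $RpFqdn -DpsFqdn $DpsFqdn -Port $Port
foreach ($c in $commands) {
    Write-Host $c
    # cmd /c so that %OVDATADIR% is expanded by the shell, as in the procedure
    if ($Apply) { cmd /c $c; if ($LASTEXITCODE -ne 0) { throw "failed: $c" } }
}
```

Run it first without -Apply on the IIS SRP to see the generated commands and the chosen port, then with -Apply; on the gateways and remote systems pass the same -Port value with -Role Gateway, Server or Agent so that RC_CHANNELS and PROXY agree everywhere. After the changes, `Test-BbcPing -Targets '<FQDN of remote system>'` returns one object per target with Ok set to true only when bbcutil reported eServiceOK, and the full output is kept for the failing ones.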