[stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

Josealf.rm josealf at rocketmail.com
Fri Jun 24 04:54:58 CEST 2016


Excellent. I'm glad you solved it. Thanks for closing the loop.




> On 23 Jun 2016, at 19:49, J. Michael Drew <jmichaeldrew at hotmail.com> wrote:
> 
> Jose,
>  
> I have discovered what I did wrong.
>  
> I did the original stunnel installs from the command line and then installed the stunnel service from the command line as well. When I installed the stunnel service it would break the website. So I removed the service (I thought), then I copied a shortcut to stunnel.exe to the Win start up> program folder. Both sites started working on the servers as long as I was logged in through an RDP session.
>  
> I uninstalled everything and reinstalled. Stunnel 5.32 installs a Windows GUI on Server 2012 as well so I went back and used the Windows server 2012 desktop applications to install the windows service and to stop the GUI application. 
>  
> Everything is now working as expected.
>  
> It appears that I was running two instances of stunnel at the same time and I didn’t completely remove the original stunnel service.
>  
> Thanks for all of your help,
>  
> Cheers,
>  
> Michael
>  
>  
>  
> From: Josealf.rm [mailto:josealf at rocketmail.com] 
> Sent: Thursday, June 23, 2016 2:37 PM
> To: J. Michael Drew
> Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
>  
> Hi Michael,
>  
> Did my last suggestions help with your issue?
> 
> Regards
>  
> 
> On 20 Jun 2016, at 18:00, J. Michael Drew <jmichaeldrew at hotmail.com> wrote:
> 
> Jose,
>  
> I appreciate your patience.
>  
> Internet -  Clients : 443 ->  : https://website.company.com/website/
>  
> ________Firewall___________
>  
> Web\Presentation Layer
>  
> 2 Win 2012 Webservers (443) not currently connected to the production LB, application needs to work before connecting to LB. This configuration is first time on 64 bit OS… Win 2012.
> IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:
>  
> _________Firewall\App Layer________
> Port 9009
>  
> Connects to App server running Apache
>  
>  
>  
> Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.
>  
> Please let me know any other information you need.
>  
> Thank you again,
>  
> Michael
>  
>  
>  
>  
> From: Jose Alf. [mailto:josealf at rocketmail.com] 
> Sent: Monday, June 20, 2016 4:32 PM
> To: J. Michael Drew
> Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
>  
> Michael,
>  
> Please take this in a constructive way. I am trying to help, but it looks like you need to do some reading and homework.
> Please check http://catb.org/~esr/faqs/smart-questions.html
>  
> I suggest you draw a picture of your environment and explain well what you're trying to achieve. Show your client, your backend server, your stunnel server, include the IPs and ports they're listening to and everything should be easier. Don't forget any firewalls that may be in the way.
>  
> Regards,
> Jose.
>  
> From: J. Michael Drew <jmichaeldrew at hotmail.com>
> To: 'Jose Alf.' <josealf at rocketmail.com> 
> Sent: Monday, June 20, 2016 1:00 PM
> Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
>  
> Hi Jose,
>  
> I made the changes you suggested, but I am still getting the same behavior.
>  
> My external address is: https://website.company.com/website
>  
> I am not adding any ports to the address.
>  
> Thanks so much for your help!
>  
> Michael
>  
> From: Jose Alf. [mailto:josealf at rocketmail.com] 
> Sent: Monday, June 20, 2016 12:10 PM
> To: J. Michael Drew; stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
>  
> Michael,
>  
> 
> I guess what you want to do is to be able to connect to your internal Webserver via your Win2012 stunnel proxy using a URL like:
>  
> 
> https://yourwin2012dnsname:9001/
>  
> 
> If that is correct, I suggest adjusting your configuration as follows:
>  
> 
> 1. Your stunnel mode must be server, not client. So adjust your service stanza as follows:
>  
> 
> [CLI9F529A0A]
> accept=9001
> connect=10.xxx.xxx.xxx:9009
> client=no
>  
> 2. In your current configuration stunnel is listening only on the localhost IPv4 address (127.0.0.1). Therefore, you can only connect when you are logged on to the server; you can't connect from a remote client.
>  
> Hope this helps you clarify what's going on.
>  
>  
> Regards,
> Jose
>  
> From: J. Michael Drew [mailto:jmichaeldrew at hotmail.com] 
> Sent: Monday, June 20, 2016 9:54 AM
> To: 'Josealf.rm'
> Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit
>  
> Jose,
>  
> Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected.
>  
> Here are the log files from IIS and stunnel where stunnel is running as a service on the Windows 2012 server:
>  
> When I am not logged in to the server it fails:
>  
> #Software: Microsoft Internet Information Services 8.5
> #Version: 1.0
> #Date: 2016-06-20 00:30:21
> #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
> 2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218
> #Software: Microsoft Internet Information Services 8.5
> #Version: 1.0
> #Date: 2016-06-20 05:41:01
> #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
> 2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500
> 2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46
> 2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218
> 2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62
> 2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62
> 2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296
>  
> Stunnel.conf:
>  
> cert = extwebsvr_ver.pem
>  
> ; Some performance tuning
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>  
> ; Peer Authentication
> verify = 2
> CAfile = extwebsvr_root.pem
>  
> ; Debug mode - useful for troubleshooting
> debug = 7
> output = stunnel.log
>  
>  
> ; Client mode
> client = yes
>  
> ; Setup tunnels to each EMS node
>  
> [CLIxxxxxxxx]
> accept=127.0.0.1:9001
> connect=10.xxx.xxx.xxx:9009
>  
> Stunnel.log:
>  
> 2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients
> 2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform
> 2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015
> 2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
> 2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())
> 2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf
> 2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized
> 2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized
> 2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected
> 2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]
> 2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem
> 2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem
> 2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem
> 2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem
> 2016.06.20 09:17:39 LOG7[main]: Private key check succeeded
> 2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks
> 2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
> 2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
> 2016.06.20 09:17:39 LOG5[main]: Configuration successful
>  
> Thanks for your help,
>  
> Michael
>  
>  
>  
>  
> From: Josealf.rm [mailto:josealf at rocketmail.com] 
> Sent: Monday, June 20, 2016 8:01 AM
> To: J. Michael Drew
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit
>  
> Michael,
>  
> Is your stunnel running as a service?
> Please post sanitized logs and configuration for a better diagnostic ...
> 
> Regards 
> Jose
> 
> On 20 Jun 2016, at 6:39, J. Michael Drew <jmichaeldrew at hotmail.com> wrote:
> Hi,
>  
> I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.
>  
> Can someone help me?
>  
> Sincere thanks,
>  
> Michael
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>  
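Added example, not part of the original thread and not stunnel's own code: a small Python audit of a stunnel.conf that reports each service's mode and listening scope (the two points raised in the reply of Monday, June 20) and repeats the check behind the LOG4 "verify = 2 without subject checks" warning in the quoted stunnel.log. The sample configuration is constructed from the one quoted above; the function names and finding texts are assumptions of this example.

```python
import ipaddress

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE_CONF = """\
verify = 2
client = yes
[CLIxxxxxxxx]
accept=127.0.0.1:9001
connect=10.xxx.xxx.xxx:9009
"""

def parse_stunnel_conf(text):
    """Return {service: options}; global options are inherited as defaults."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()      # tolerate the UTF-8 BOM seen in the log
        if not line or line.startswith(";"):     # blank line or ';' comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], dict(global_opts))
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else current
        target[key.strip().lower()] = value.strip()   # keys lowercased for lookup
    return services

def bind_scope(accept):
    """Classify an accept value of the form [host:]port."""
    # A bare port carries no host restriction, so treat it like 0.0.0.0.
    host = accept.rpartition(":")[0].strip("[]") or "0.0.0.0"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                           # a hostname, not a literal address
        return "loopback" if host.lower() == "localhost" else "specific-address"
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific-address"

def audit(text):
    """Return (service, level, message) findings for each service section."""
    findings = []
    for name, opts in parse_stunnel_conf(text).items():
        mode = "client" if opts.get("client", "no").lower() == "yes" else "server"
        scope = bind_scope(opts["accept"]) if "accept" in opts else "no-accept"
        findings.append((name, "info", f"{mode} mode, accept is {scope}"))
        if mode == "server" and scope == "loopback":
            findings.append((name, "warn", "server reachable only from the local host"))
        if int(opts.get("verify", "0")) >= 2 and not opts.keys() & {"checkhost", "checkip"}:
            findings.append((name, "warn", "verify >= 2 without checkHost/checkIP"))
    return findings
```

Calling `audit(SAMPLE_CONF)` returns one informational finding (client mode, loopback accept) and one warning for the missing subject check.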