IIS 10 Reverse Proxy 502.3 - Bad Gateway Security Error

Pie 286 Reputation points
2022-01-29T04:09:59.347+00:00

I have a IIS 10 server which sends requests to a Exchange Servers /OWA portal. I am attempting to setup the reverse proxy on the IIS server as all requests that come into the network end up at this server and for a specific subdomain I have the proxy pointed at the Exchange servers FQDN.

The web page error is as follows:

HTTP Error 502.3 - Bad Gateway
A security error occurred

Module ApplicationRequestRouting
Notification ExecuteRequestHandler
Handler ApplicationRequestRoutingHandler
Error Code 0x80072f8f

URL Rewrite Rule:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" enabled="true" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="https://MAIL-01-CORP.corp.domain.com/{R:1}" logRewrittenUrl="false" />
                <serverVariables>
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                        <set name="HTTP_X_FORWARDED_HOST" value="{HTTP_HOST}" />
                        <set name="HTTP_X_FORWARDED_SCHEMA" value="http" />
                        <set name="HTTP_X_FORWARDED_PROTO" value="http" />
                </serverVariables>
                    <conditions>
                    </conditions>
                </rule>
            </rules>
        </rewrite>
        <urlCompression doStaticCompression="false" doDynamicCompression="false" dynamicCompressionBeforeCache="false" />
        <httpErrors errorMode="Detailed" />
    </system.webServer>
</configuration>
Internet Information Services
{count} votes

1 answer

Sort by: Most helpful
  1. Bruce Zhang-MSFT 3,751 Reputation points
    2022-01-30T04:33:46.047+00:00

    Hi @Pie ,

    This is a certificate issue. When the ARR reverse proxy HTTPS request, ARR server also need to install server certificate. Did you install server certificate on ARR server? If not, please import backend server into ARR server.

    Another setting is let ARR server to ignore ssl authentication, you can set in registry to ignore Common name mismatches in the SSL communication.

    Navigate to HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\IIS Extensions\Application Request Routing\Parameters and set SecureConnectionIgnoreFlags to 0.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Best regards,
    Bruce Zhang


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.