Setting up secure access to the monitoring server via Windows IIS Reverse Proxy with SSL certificate

A reverse proxy protects applications against cybercriminals and malicious software. It also allows limiting access to applications based on username, IP, domain, or geographical location.

This article describes how to ensure secure remote access to NetCrunch Server, using Windows IIS Reverse Proxy with an SSL certificate.

Configuration of Windows IIS Reverse Proxy

Preconditions

Before configuring Windows IIS Reverse Proxy, you should do the following:

  1. Harden your Windows Server: before you start configuring the IIS Server, protect the Windows Server against external attacks (set appropriate firewall rules)
  2. Install Microsoft Application Request Routing 3.0: https://www.microsoft.com/en-us/download/details.aspx?id=47333
  3. Install Microsoft URL Rewrite Module 2.0 for IIS (x64): https://www.microsoft.com/en-us/download/details.aspx?id=47337

Adding new IIS role to Windows Server

  1. In Server Manager, select Manage > Add Role and Remove Features
  2. Select Role-Based or feature-based installation option
  3. Add Web Server (IIS) role

Installing Server Certificate (if needed)

If you already have a certificate and are using it on another Windows Server, you need to export it. To do so:

  1. Use Windows + r shortcut and enter certlm.msc
  2. Select Personal Certificates
  3. Select your certificate
  4. Open the Context Menu > All Tasks > Export...
  5. In the Certificate Export Wizard, select the option to export the private key, enter the password, and select the path

Now you can import the certificate:

  1. Open IIS Manager
  2. Select the main tree node (server name) and double click Server Certificates icon
  3. Open Context menu and select Import...
  4. Enter the path and password and click OK button

Enabling Windows IIS Server to function as a Reverse Proxy

  1. Select the main tree node (server name) > Application Request Routing Cache > Server Proxy Settings
  2. Check the Enable proxy box.
  3. Set the HTTP version to Pass through.
  4. Check the Reverse rewrite host in response headers box.
  5. Click Apply

Creating and configuring new Web Site to Windows IIS Server

  1. On the Sites tab please open Context Menu and select Add Website
  2. Enter a name for this website
  3. Set the Physical path to the Web Site
  4. Select binding HTTP or HTTPS

Set up Reverse Proxy rules for the Website created in the previous step

  1. Click on the newly added website > URL Rewrite > Add Rule(s)... > Reverse Proxy
  2. Enter the server name or IP address of the NetCrunch Server
  3. Check Rewrite the domain names of the links in HTTP responses checkbox and fill From and To fields as follows:
    From: <NetCrunch server IP> or <DNS name>
    To: www.<your_public_domain_address>.com
    

Set up the following rules for JavaScript-encoded responses:

First rule:
  1. Click on the newly added website > URL Rewrite > Add Rule(s)... > Outbound rules > Blank Rule
  2. Fill the fields as follows:

    Name: RewriteOutboundJavascriptEncodedATags
    Precondition: Create new Precondition...
    
  3. In the Add Precondition window, enter the Name (the second rule below refers to it as ResponseIsTextStar), select Regular Expressions from the Using dropdown, and click the Add... button
  4. In the Add Condition window, fill the fields as follows:

    Condition input: {RESPONSE_CONTENT_TYPE}
    Check if input string: Matches the pattern
    Pattern: ^text/(.+)
    
  5. After saving settings, in IIS Manager window, please fill fields in Match section as follows:

    Matching scope: Response
    Content: Matches the Pattern
    Using: Regular Expressions
    Pattern: href=(.*?)http://<internal.ip.or.domain.name.of.NetCrunch.Server>/(.*?)\s
    
  6. Fill fields in Action section:

    Action type: Rewrite
    Value: href={R:1}https://<external.domain>/{R:2}
    
Second rule:
  1. Click on the newly added website > URL Rewrite > Add Rule(s)... > Outbound rules > Blank Rule

    Name: RewriteOutboundJavascriptEncodedFormAtt
    Precondition: (choose created above): ResponseIsTextStar
    
  2. In Match section fill fields as follows:

    Matching scope: Response
    Content: Matches the Pattern
    Using: Regular Expressions
    Pattern: action=(.*?)http://<internal.ip.or.domain.name.of.NetCrunch.Server>/(.*?)\\
    
  3. Fill fields in Action section:

    Action type: Rewrite
    Value: action={R:1}https://<public.domain>/{R:2}\
    

Set up an inbound rule for disabling ACCEPT_ENCODING (to deal with compressed responses):

  1. Click on the newly added website > URL Rewrite > View Server Variables... > Add
  2. Add two variables:
    HTTP_ACCEPT_ENCODING
    HTTP_X_ORIGINAL_ACCEPT_ENCODING
    
  3. Edit the previously added ReverseProxyInboundRule1: URL Rewrite > select ReverseProxyInboundRule1 > Edit...
  4. Add two Server Variables:
    Server variable name: HTTP_X_ORIGINAL_ACCEPT_ENCODING    Value: {HTTP_ACCEPT_ENCODING}
    Server variable name: HTTP_ACCEPT_ENCODING               Value: false
    

Set up an outbound rule for restoring ACCEPT_ENCODING:

  1. Click on the newly added website > URL Rewrite > Add Rule(s)... > Outbound rules > Blank Rule
  2. Select Create New Preconditions... from Preconditions dropdown
  3. Fill Name, Using, Logical grouping fields:

    Name: NeedsRestoringAcceptEncoding
    Using: Regex
    Logical grouping: Match All
    
  4. Click on Add... button
  5. Fill Condition input, Check if input string and Pattern field as follows:

    Condition input: {HTTP_X_ORIGINAL_ACCEPT_ENCODING}
    Check if input string: Matches the pattern
    Pattern: .+
    
  6. Fill fields in Match section as follows:

    Matching scope: Server Variable
    Variable name: HTTP_ACCEPT_ENCODING
    Variable value: Matches the Pattern
    Using: Regular Expressions
    Pattern: ^(.*)
    
  7. Fill fields in Action section as follows:

    Action type: Rewrite
    Value:  {HTTP_X_ORIGINAL_ACCEPT_ENCODING}
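
The rules configured in the steps above, written out as the equivalent rewrite section of the site's web.config so the result of the GUI procedure can be reviewed in one place. This is an added example, not taken from the original article or from NetCrunch; the host names netcrunch.internal.example and monitor.example.com and the rule name RestoreAcceptEncoding are placeholders, and any outbound rule generated by the Reverse Proxy wizard itself is left out.

```xml
<!-- Added example: host names and the RestoreAcceptEncoding rule name are placeholders. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound rule created by the Reverse Proxy wizard, with the two server variables added -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <serverVariables>
            <!-- Save what the client sent, then overwrite the header passed to the backend -->
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="false" />
          </serverVariables>
          <action type="Rewrite" url="http://netcrunch.internal.example/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite internal links inside JavaScript-encoded href attributes -->
        <rule name="RewriteOutboundJavascriptEncodedATags" preCondition="ResponseIsTextStar">
          <match pattern="href=(.*?)http://netcrunch.internal.example/(.*?)\s" />
          <action type="Rewrite" value="href={R:1}https://monitor.example.com/{R:2}" />
        </rule>
        <!-- Same for form action attributes; \\ matches one literal backslash -->
        <rule name="RewriteOutboundJavascriptEncodedFormAtt" preCondition="ResponseIsTextStar">
          <match pattern="action=(.*?)http://netcrunch.internal.example/(.*?)\\" />
          <action type="Rewrite" value="action={R:1}https://monitor.example.com/{R:2}\" />
        </rule>
        <!-- Restore the saved Accept-Encoding value on the way out -->
        <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsTextStar">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The two names added under View Server Variables... belong to the allowed server variables list, which IIS normally stores in applicationHost.config rather than in this file.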
    

Configuration of NetCrunch

Configuring NetCrunch does not require any major changes. From now on, all remote access users defined in NetCrunch connect to the NetCrunch Server through the reverse proxy defined above. If you have not yet created any web console user in NetCrunch, all you have to do is add one. To do so:

  1. Open Top Menu > Tools > User & Access Profiles...
  2. From the left pane select NetCrunch Users tab
  3. Click on the Add button on the bottom
  4. Provide Username, Access Profile, and Password
  5. Click OK button

From now, you will be able to open Web Console of your NetCrunch from anywhere in the world in a secure way.

Once you have created the appropriate user, open your web browser, enter the appropriate address, and log in with the previously created username and password.
