Discussion:
[stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
J. Michael Drew
2016-06-20 14:12:05 UTC
From: J. Michael Drew [mailto:***@hotmail.com]
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit



Jose,



Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected.



Here are the log files from IIS and stunnel where stunnel is running as a service on the Windows 2012 server:



When I am not logged in to the server it fails:



#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 00:30:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218

#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 05:41:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218
2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296



stunnel.conf:

cert = extwebsvr_ver.pem

; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Peer Authentication
verify = 2
CAfile = extwebsvr_root.pem

; Debug mode - useful for troubleshooting
debug = 7
output = stunnel.log

; Client mode
client = yes

; Setup tunnels to each EMS node
[CLIxxxxxxxx]
accept=127.0.0.1:9001
connect=10.xxx.xxx.xxx:9009



Stunnel.log:

2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients
2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform
2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015
2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())
2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf
2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized
2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized
2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected
2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]
2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG7[main]: Private key check succeeded
2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks
2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.06.20 09:17:39 LOG5[main]: Configuration successful



Thanks for your help,



Michael









From: Josealf.rm [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Cc: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit



Michael,



Is your stunnel running as a service?

Please post sanitized logs and configuration for a better diagnostic ...

Regards

Jose


El 20 jun 2016, a las 6:39, J. Michael Drew <***@hotmail.com> escribió:

Hi,



I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.



Can someone help me?



Sincere thanks,



Michael
Jose Alf.
2016-06-20 16:10:09 UTC
Michael,
I guess what you want to do is to be able to connect to your internal Webserver via your Win2012 stunnel proxy using a URL like:
https://yourwin2012dnsname:9001/
if that is correct, I suggest to adjust your configuration as follows:
1. Your stunnel mode must be server, not client. So adjust your service stanza as follows:
[CLI9F529A0A]
accept=9001
connect=10.xxx.xxx.xxx:9009
client=no
2. In your current configuration stunnel is listening only in the localhost ipv4 address (127.0.0.1). Therefore, you can only connect when you are logged on the server, you can't connect from a remote client.

Hope this helps you clarify what's going on.



Regards,
Jose
J. Michael Drew
2016-06-20 23:00:57 UTC
Jose,



I appreciate your patience.



Internet - Clients : 443 -> : https://website.company.com/website/



________Firewall___________



Web\Presentation Layer



2 Win 2012 Webservers (443) not currently connected to the production LB, application needs to work before connecting to LB. This configuration is first time on 64 bit OS Win 2012.

IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:



_________Firewall\App Layer________

Port 9009



Connects to App server running Apache







Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.



Please let me know any other information you need.



Thank you again,



Michael









From: Jose Alf. [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit



Michael,



Please take this in constructive way. I am trying to help, but it looks like you need to do some reading and homework.

Please check http://catb.org/~esr/faqs/smart-questions.html



I suggest you draw a picture of your environment and explain well what you're trying to achieve. Show your client, your backend server, your stunnel server, include the IPs and ports they're listening to and everything should be easier. Don't forget any firewalls that may be in the way.



Regards,

Jose.



_____

From: J. Michael Drew <***@hotmail.com>
To: 'Jose Alf.' <***@rocketmail.com>
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit



Hi Jose,



I made the changes you suggested, but I am still getting the same behavior.



My external address is: https://website.company.com/website



I am not adding any ports to the address.



Thanks so much for your help!



Michael



Jose Alf.
2016-06-22 03:59:43 UTC
Michael,
Sorry I could not answer before. I read your note and I think this is mostly off-topic. I am not sure I understand what you want to do with stunnel in this configuration. But I will try an educated guess:
1. Keep in mind that Stunnel is mostly used for securing services that do not support TLS natively. I haven't worked with tomcat + IIS, but I have experience with tomcat + Apache httpd.
2. It looks like you already have your IIS servers configured to serve web requests with TLS on port 443, and since you are trying to insert a stunnel client between IIS and the tomcat AJP port (9009 or 8009), I guess you are trying to encrypt the AJP traffic. It doesn't make much sense to encrypt local traffic, so I assume your apache tomcat is running on a different host than your IIS. Is this correct?

3. If I am right on 2, you need to run a stunnel in your IIS host and another stunnel in your tomcat host.

In your IIS host, you configure stunnel like this:
[client]
accept = localhost:9009
connect = your-apache-tomcat-ip:10009 (or another free port)
client = yes
In your tomcat host, you configure stunnel like this:
[server]
accept = your-apache-tomcat-ip:10009 (same port as connect in client)
connect = localhost:9009 (or another free port)
client = no
Do you see the tunnel? Note that your isapi filter in IIS should also reference localhost and port 9009.

Hope this helps.
Regards,
Jose

From: J. Michael Drew <***@hotmail.com>
To: 'Jose Alf.' <***@rocketmail.com>
Cc: stunnel-***@stunnel.org
Sent: Monday, June 20, 2016 6:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit

.Jose,  I appreciate your patience.  Internet -  Clients : 443 ->  : https://website.company.com/website/  ________Firewall___________  Web\Presentation Layer  2 Win 2012 Webservers (443) not currently connected to the production LB, application needs to work before connecting to LB. This configuration is first time on 64 bit OS
 Win 2012.IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:  _________Firewall\App Layer________Port 9009  Connects to App server running Apache      Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.  Please let me know any other information you need.  Thank you again,  Michael        From: Jose Alf. [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit  Michael,  Please take this in constructive way. I am trying to help, but it looks like you need to do some reading and homework. Please check http://catb.org/~esr/faqs/smart-questions.html  I suggest you draw a picture of your environment and explain well what you're trying to achieve.  Show your client, your backend server, your stunnel server, include the IPs and ports they're listening to and everything should be easier. Don't forget any firewalls thay may be in the way.  Regards,Jose.  From: J. Michael Drew <***@hotmail.com>
To: 'Jose Alf.' <***@rocketmail.com>
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit  Hi Jose, I made the changes you suggested, but I am still getting the same behavior. My external address is: https://website.company.com/website I am not adding any ports to the address. Thanks so much for your help! Michael From: Jose Alf. [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 12:10 PM
To: J. Michael Drew; stunnel-***@stunnel.org
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit Michael,  I guess what you want to do is to be able to connect to your internal Webserver via your Win2012 stunnel proxy using a URL like:  https://yourwin2012dnsname:9001/  if that is correct, I suggest to adjust your configuration as follows:  1. Your stunnel mode must be server, not client. So adjust your service stanza as follows:  [CLI9F529A0A]accept=9001connect=10.xxx.xxx.xxx:9009client=no 2. In your current configuration stunnel is listening only in the localhost ipv4 address (127.0.0.1). Therefore, you can only connect when you are logged on the server, you can't connect from a remote client.  Hope this helps you clarify what's going on.  Regards,Jose From: J. Michael Drew [mailto:***@hotmail.com]
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit Jose, Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected. Here are the log files from IIS and stunnel where stunnel is running as a service on the Windows 2012 server: When I am not logged in to the server it fails: #Software: Microsoft Internet Information Services 8.5#Version: 1.0#Date: 2016-06-20 00:30:21#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218#Software: Microsoft Internet Information Services 8.5#Version: 1.0#Date: 2016-06-20 05:41:01#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 5002016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 462016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 2182016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 622016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 622016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296 Stunell.conf: cert = extwebsvr_ver.pem ; Some performance tuningsocket = l:TCP_NODELAY=1socket = r:TCP_NODELAY=1 ; Peer Authenticationverify = 2CAfile = 
extwebsvr_root.pem ; Debug mode - useful for troubleshootingdebug = 7output = stunnel.log  ; Client modeclient = yes ; Setup tunnels to each EMS node [CLIxxxxxxxx)]accept=127.0.0.1:9001connect=10.xxx.xxx.xxx:9009 Stunnel.log: 2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 20152016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem2016.06.20 09:17:39 LOG7[main]: Private key check succeeded2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)2016.06.20 09:17:39 LOG5[main]: Configuration successful Thanks for your help, Michael    From: Josealf.rm [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Cc: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit

Michael,

Is your stunnel running as a service?

Please post sanitized logs and configuration for a better diagnostic ...

Regards Jose
El 20 jun 2016, a las 6:39, J. Michael Drew <***@hotmail.com> escribió:
Hi,

I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.

Can someone help me?

Sincere thanks,

Michael
J. Michael Drew
2016-06-24 00:49:17 UTC
Permalink
Jose,



I have discovered what I did wrong.



I did the original stunnel installs from the command line and then installed the stunnel service from the command line as well. When I installed the stunnel service it would break the website. So I removed the service (I thought) then I copied a shortcut to stunnel.exe to the Win start up> program folder. Both sites started working on the servers as long as I was logged in through an RDP session.



I uninstalled everything and reinstalled. Stunnel 5.32 installs a Windows GUI on Server 2012 as well so I went back and used the Windows server 2012 desktop applications to install the windows service and to stop the GUI application.



Everything is now working as expected.



It appears that I was running two instances of stunnel at the same time and I didn’t completely remove the original stunnel service.



Thanks for all of your help,



Cheers,



Michael







From: Josealf.rm [mailto:***@rocketmail.com]
Sent: Thursday, June 23, 2016 2:37 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit



Hi Michael,



Did my last suggestions help with your issue?

Regards




El 20 jun 2016, a las 18:00, J. Michael Drew <***@hotmail.com> escribió:

Jose,



I appreciate your patience.



Internet - Clients : 443 -> : https://website.company.com/website/



________Firewall___________



Web\Presentation Layer



2 Win 2012 Webservers (443) not currently connected to the production LB, application needs to work before connecting to LB. This configuration is first time on 64 bit OS Win 2012.

IIS 8 running Jakarta ISAPI Filter\Stunnel to redirect 9001 to 9009:



_________Firewall\App Layer________

Port 9009



Connects to App server running Apache







Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.



Please let me know any other information you need.



Thank you again,



Michael









From: Jose Alf. [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit



Michael,



Please take this in a constructive way. I am trying to help, but it looks like you need to do some reading and homework.

Please check http://catb.org/~esr/faqs/smart-questions.html



I suggest you draw a picture of your environment and explain well what you're trying to achieve. Show your client, your backend server, your stunnel server, include the IPs and ports they're listening to and everything should be easier. Don't forget any firewalls that may be in the way.



Regards,

Jose.




_____


From: J. Michael Drew <***@hotmail.com>
To: 'Jose Alf.' <***@rocketmail.com>
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit



Hi Jose,



I made the changes you suggested, but I am still getting the same behavior.



My external address is: https://website.company.com/website



I am not adding any ports to the address.



Thanks so much for your help!



Michael



From: Jose Alf. [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 12:10 PM
To: J. Michael Drew; stunnel-***@stunnel.org
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit



Michael,



I guess what you want to do is to be able to connect to your internal Webserver via your Win2012 stunnel proxy using a URL like:



https://yourwin2012dnsname:9001/



if that is correct, I suggest to adjust your configuration as follows:



1. Your stunnel mode must be server, not client. So adjust your service stanza as follows:



[CLI9F529A0A]

accept=9001

connect=10.xxx.xxx.xxx:9009

client=no



2. In your current configuration stunnel is listening only on the localhost IPv4 address (127.0.0.1). Therefore, you can only connect when you are logged on to the server; you can't connect from a remote client.



Hope this helps you clarify what's going on.





Regards,

Jose



From: J. Michael Drew [mailto:***@hotmail.com]
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit



Jose,



Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected.



Here are the log files from IIS and stunnel where stunnel is running as a service on the Windows 2012 server:



When I am not logged in to the server it fails:



#Software: Microsoft Internet Information Services 8.5

#Version: 1.0

#Date: 2016-06-20 00:30:21

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218

#Software: Microsoft Internet Information Services 8.5

#Version: 1.0

#Date: 2016-06-20 05:41:01

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500

2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46

2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218

2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62

2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62

2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296



Stunnel.conf:



cert = extwebsvr_ver.pem



; Some performance tuning

socket = l:TCP_NODELAY=1

socket = r:TCP_NODELAY=1



; Peer Authentication

verify = 2

CAfile = extwebsvr_root.pem



; Debug mode - useful for troubleshooting

debug = 7

output = stunnel.log





; Client mode

client = yes



; Setup tunnels to each EMS node



[CLIxxxxxxxx)]

accept=127.0.0.1:9001

connect=10.xxx.xxx.xxx:9009



Stunnel.log:



2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients

2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform

2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015

2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())

2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf

2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized

2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized

2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected

2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]

2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem

2016.06.20 09:17:39 LOG7[main]: Private key check succeeded

2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks

2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates

2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)

2016.06.20 09:17:39 LOG5[main]: Configuration successful



Thanks for your help,



Michael









From: Josealf.rm [mailto:***@rocketmail.com]
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Cc: stunnel-***@stunnel.org
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit



Michael,



Is your stunnel running as a service?

Please post sanitized logs and configuration for a better diagnostic ...

Regards

Jose


El 20 jun 2016, a las 6:39, J. Michael Drew <***@hotmail.com> escribió:

Hi,



I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.



Can someone help me?



Sincere thanks,



Michael
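The following is an added example, not stunnel's code and not anything posted on the list: a small linter for an stunnel.conf of the shape Michael posted. It applies stunnel's precedence rule (an option inside a [service] stanza overrides the same option in the global section) and reports the three settings this thread turns on: an accept= bound to loopback (Jose's point 2; as Michael's closing message shows, this is the intended setting when IIS on the same host is the only client), client = yes (Jose's point 1), and verify = 2 with no checkHost/checkIP, which is exactly the LOG4 warning in Michael's stunnel.log. The sample config, the 10.0.0.5 address and the checkHost value passed in are constructed for the example.

```python
"""Lint an stunnel.conf for the settings discussed in the thread.

Added example; not part of stunnel or of any message on the list.
"""
import re

# Constructed sample mirroring Michael's posted config; the connect= address
# is made up for the example (his real one is sanitized on the list).
SAMPLE_CONF = """\
cert = extwebsvr_ver.pem
; Peer Authentication
verify = 2
CAfile = extwebsvr_root.pem
; Client mode
client = yes
; Setup tunnels to each EMS node
[CLIxxxxxxxx]
accept=127.0.0.1:9001
connect=10.0.0.5:9009
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
_SECTION = re.compile(r"^\[(.+)\]$")


def parse_stunnel_conf(text):
    """Return (global_opts, services). Every option maps to a list of values
    because some options (socket=, accept=) may legitimately repeat."""
    global_opts, services = {}, {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # stunnel comment lines
            continue
        m = _SECTION.match(line)
        if m:                                # start of a [service] stanza
            current = services.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current.setdefault(key.strip(), []).append(value.strip())
    return global_opts, services


def effective(option, service, global_opts):
    """A service stanza overrides a global option; the last value wins."""
    values = service.get(option) or global_opts.get(option) or []
    return values[-1] if values else None


def lint(text):
    """Return a list of (service, code, explanation) findings."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    for name, svc in services.items():
        for accept in svc.get("accept", []):
            # "accept = 9001" with no host binds all interfaces, so host == ""
            host = accept.rpartition(":")[0]
            if host in LOOPBACK:
                findings.append((name, "loopback-only",
                                 f"accept={accept}: reachable only by processes on "
                                 "this server (intended when IIS on the same host "
                                 "is the only client)"))
        if effective("client", svc, global_opts) == "yes":
            findings.append((name, "client-mode",
                             "client = yes: plaintext in on accept=, TLS out to "
                             "connect=; remote TLS clients cannot terminate here"))
        if effective("verify", svc, global_opts) == "2" and not any(
                effective(o, svc, global_opts)
                for o in ("checkHost", "checkIP", "checkEmail")):
            findings.append((name, "no-subject-check",
                             "verify = 2 without checkHost/checkIP: any certificate "
                             "issued by CAfile is accepted for connect=, so a "
                             "leaked or mis-issued certificate from that CA could "
                             "impersonate the application server"))
    return findings


def add_check_host(text, expected_host):
    """Return a copy of the config with 'checkHost = expected_host' inserted
    into every stanza flagged no-subject-check. expected_host must be the
    name actually present in the application server's certificate (assumed)."""
    flagged = {svc for svc, code, _ in lint(text) if code == "no-subject-check"}
    out = []
    for raw in text.splitlines():
        out.append(raw)
        m = _SECTION.match(raw.strip())
        if m and m.group(1) in flagged:
            out.append(f"checkHost = {expected_host}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc, code, why in lint(SAMPLE_CONF):
        print(f"[{svc}] {code}: {why}")
    print(add_check_host(SAMPLE_CONF, "appserver.internal.example"))
```

Run against the sample it reports all three findings; after add_check_host the no-subject-check finding goes away while the other two, which describe the topology rather than a defect, remain for the reader to judge.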
Josealf.rm
2016-06-24 02:54:58 UTC
Permalink
Excellent. I'm glad you solved it. Thanks for closing the loop.
Post by J. Michael Drew
Jose,
I have discovered what I did wrong.
I did the original stunnel installs from the command line and then installed the stunnel service from the command line as well. When I installed the stunnel service it would break the website. So I removed the service (I thought) then I copied a shortcut to stunnel.exe to the Win start up> program folder. Both sites started working on the servers as long as I was logged in through an RDP session.
I uninstalled everything and reinstalled. Stunnel 5.32 installs a Windows GUI on Server 2012 as well so I went back and used the Windows server 2012 desktop applications to install the windows service and to stop the GUI application.
Everything is now working as expected.
It appears that I was running two instances of stunnel at the same time and I didn’t completely remove the original stunnel service.
Thanks for all of your help,
Cheers,
Michael
Sent: Thursday, June 23, 2016 2:37 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Hi Michael,
Did my last suggestions help with your issue?
Regards
Jose,
I appreciate your patience.
Internet - Clients : 443 -> : https://website.company.com/website/
________Firewall___________
Web\Presentation Layer
2 Win 2012 Webservers (443) not currently connected to the production LB, application needs to work before connecting to LB. This configuration is first time on 64 bit OS Win 2012.
_________Firewall\App Layer________
Port 9009
Connects to App server running Apache
Application is working as expected as long as I am logged in to the IIS 8 server. I can telnet to the APP layer over 9009 and I can reach these websites externally as expected. Firewalls are good.
Please let me know any other information you need.
Thank you again,
Michael
Sent: Monday, June 20, 2016 4:32 PM
To: J. Michael Drew
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Michael,
Please take this in a constructive way. I am trying to help, but it looks like you need to do some reading and homework.
Please check http://catb.org/~esr/faqs/smart-questions.html
I suggest you draw a picture of your environment and explain well what you're trying to achieve. Show your client, your backend server, your stunnel server, include the IPs and ports they're listening to and everything should be easier. Don't forget any firewalls that may be in the way.
Regards,
Jose.
Sent: Monday, June 20, 2016 1:00 PM
Subject: RE: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Hi Jose,
I made the changes you suggested, but I am still getting the same behavior.
My external address is: https://website.company.com/website
I am not adding any ports to the address.
Thanks so much for your help!
Michael
Sent: Monday, June 20, 2016 12:10 PM
Subject: Re: [stunnel-users] FW: Stunnel with IIS8 on server 2012 64 bit
Michael,
https://yourwin2012dnsname:9001/
[CLI9F529A0A]
accept=9001
connect=10.xxx.xxx.xxx:9009
client=no
2. In your current configuration stunnel is listening only on the localhost IPv4 address (127.0.0.1). Therefore, you can only connect when you are logged on to the server; you can't connect from a remote client.
Hope this helps you clarify what's going on.
Regards,
Jose
Sent: Monday, June 20, 2016 9:54 AM
To: 'Josealf.rm'
Subject: RE: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit
Jose,
Once logged in to the server I can open a browser on the server and connect through https://localhost/website and I can log in to the site externally as expected.
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 00:30:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 05:41:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218
2016-06-20 05:41:16 10.xxx.xxx.xxx PROPFIND /patch-{682810b5-36dc-4e5d-81dd-6c02cd8f445b}-patchtoolsd.exe - 80 - 159.82.156.241 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 64 62
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /C$rome.dll - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 296
cert = extwebsvr_ver.pem
; Some performance tuning
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
; Peer Authentication
verify = 2
CAfile = extwebsvr_root.pem
; Debug mode - useful for troubleshooting
debug = 7
output = stunnel.log
; Client mode
client = yes
; Setup tunnels to each EMS node
[CLIxxxxxxxx)]
accept=127.0.0.1:9001
connect=10.xxx.xxx.xxx:9009
2016.06.20 09:17:39 LOG7[main]: No limit detected for the number of clients
2016.06.20 09:17:39 LOG5[main]: stunnel 5.27 on x86-pc-msvc-1500 platform
2016.06.20 09:17:39 LOG5[main]: Compiled/running with OpenSSL 1.0.2e-fips 3 Dec 2015
2016.06.20 09:17:39 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2016.06.20 09:17:39 LOG7[main]: errno: (*_errno())
2016.06.20 09:17:39 LOG5[main]: Reading configuration from file stunnel.conf
2016.06.20 09:17:39 LOG7[ui]: GUI message loop initialized
2016.06.20 09:17:39 LOG7[cron]: Cron thread initialized
2016.06.20 09:17:39 LOG5[main]: UTF-8 byte order mark detected
2016.06.20 09:17:39 LOG6[main]: Initializing service [CLI9F529A0A]
2016.06.20 09:17:39 LOG6[main]: Loading certificate from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Certificate loaded from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Loading private key from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG6[main]: Private key loaded from file: extwebsvr_ver.pem
2016.06.20 09:17:39 LOG7[main]: Private key check succeeded
2016.06.20 09:17:39 LOG4[main]: Service [CLIxxxxxxxx] uses "verify = 2" without subject checks
2016.06.20 09:17:39 LOG4[main]: Use "checkHost" or "checkIP" to restrict trusted certificates
2016.06.20 09:17:39 LOG7[main]: SSL options: 0x03000004 (+0x03000000, -0x00000000)
2016.06.20 09:17:39 LOG5[main]: Configuration successful
Thanks for your help,
Michael
Sent: Monday, June 20, 2016 8:01 AM
To: J. Michael Drew
Subject: Re: [stunnel-users] Stunnel with IIS8 on server 2012 64 bit
Michael,
Is your stunnel running as a service?
Please post sanitized logs and configuration for a better diagnostic ...
Regards
Jose
Hi,
I have a website on IIS8 and am using stunnel to forward requests over 9009 inside to my application server. When I log in to the IIS server and stay logged in everything works as expected. When I log off the IIS 8 web server my site is unreachable with a “service is unavailable”.
Can someone help me?
Sincere thanks,
Michael
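An added example for reading the IIS log Michael posted (not code from the list or from Microsoft): a parser for the W3C extended format that maps each record onto the #Fields header instead of hard-coding column positions, and refuses to guess when a record's token count does not match the header (the /N$cl64.exe line on the list carries a stray extra field). Two summaries follow: status counts per server port, which shows the one request that reached IIS on 443 was answered 200, so IIS itself was up while the site failed; and the port-80 entries, all of which come from the Windows WebDAV redirector (Microsoft-WebDAV-MiniRedir) asking for UNC-style paths such as /C$/windows/system32, which is not browser traffic for the site and is worth separating out when reading the log. The sample log is a constructed copy of the posted lines with the same sanitized addresses.

```python
"""Parse an IIS W3C extended log and separate WebDAV redirector traffic.

Added example; not code from the list, from stunnel or from Microsoft.
"""
import re
from collections import Counter, defaultdict

# Constructed copy of the lines Michael posted (addresses sanitized as on the
# list). The last record has 16 tokens against a 15-field header, as posted.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 00:30:21
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 00:30:21 159.xxx.xxx.xxx HEAD / - 443 - 190.xxx.xxx.xxx - - 200 0 0 1218
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2016-06-20 05:41:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-06-20 05:41:01 10.xxx.xxx.xxx OPTIONS /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 200 0 0 500
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32/NTDLL.DLL - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 46
2016-06-20 05:41:01 10.xxx.xxx.xxx PROPFIND /C$/windows/system32 - 80 - 159.xxx.xxx.xxx Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 218
2016-06-20 05:41:27 10.xxx.xxx.xxx PROPFIND /N$cl64.exe - 80 - 159.xxx.xxx.xxx 1 Microsoft-WebDAV-MiniRedir/6.1.7601 - 404 0 2 62
"""

# A path that starts like an administrative share in a UNC name: /C$/...
ADMIN_SHARE = re.compile(r"^/[A-Za-z]\$(/|$)")


def parse_w3c(text):
    """Return (records, malformed). records are dicts keyed by the #Fields
    names; malformed lists (line_number, reason) for lines we will not guess at.
    W3C logs are space separated and spaces inside values are written as '+',
    so a plain split() is safe."""
    fields, records, malformed = None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):   # a new header may redefine columns
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            malformed.append((lineno, "data before any #Fields header"))
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            malformed.append((lineno, f"{len(parts)} tokens, header has {len(fields)}"))
            continue
        records.append(dict(zip(fields, parts)))
    return records, malformed


def status_by_port(records):
    """{s-port: {sc-status: count}} to see which listener answered what."""
    by_port = defaultdict(Counter)
    for r in records:
        by_port[r["s-port"]][r["sc-status"]] += 1
    return {port: dict(c) for port, c in by_port.items()}


def webdav_probes(records):
    """Records that are WebDAV traffic rather than browser requests for the
    site: the Windows WebClient user agent or WebDAV methods. Each entry is
    (client ip, method, path, status, path looks like an admin share)."""
    out = []
    for r in records:
        if (r["cs(User-Agent)"].startswith("Microsoft-WebDAV-MiniRedir")
                or r["cs-method"] in ("PROPFIND", "OPTIONS")):
            out.append((r["c-ip"], r["cs-method"], r["cs-uri-stem"],
                        r["sc-status"], bool(ADMIN_SHARE.match(r["cs-uri-stem"]))))
    return out


if __name__ == "__main__":
    recs, bad = parse_w3c(SAMPLE_LOG)
    print("status by port:", status_by_port(recs))
    for entry in webdav_probes(recs):
        print("webdav:", entry)
    for lineno, reason in bad:
        print(f"line {lineno} skipped: {reason}")
```

The field-count check matters more than it looks: mapping the 16-token record by position would silently shift the user agent into the referer column and the status into the substatus column, and any count built on those columns would be wrong without any error being raised.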
_______________________________________________
stunnel-users mailing list
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users