Setup Reverse Proxy for K2 smartforms

Setup Reverse Proxy for K2 smartforms

If you want to expose K2 smartforms to the Internet, the biggest problem you will face will be how to put the K2 smartforms Server in the DMZ zone and still get it to function correctly. You can solve the technical issues like access to port 5252, 5555 by opening the firewall ports, resolve the K2 blackpearl Server name by hard-coding the IP into the host file, but what about AD connection? Your security is not going to allow the AD to be accessible from the DMZ zone and risk compromising it. K2 smartforms is not going to function since IIS cannot verify your login without AD.

So, the general solution is to use a Reverse Proxy Server. This will place your K2 smartforms Server within the Intranet environment (to keep your security folks happy) and your Internet users will access the content via the Reverse Proxy Server in the DMZ zone.

Let’s go right in to setup Reverse Proxy K2 smartforms now.

Setup Reverse Proxy for K2 smartforms

How it will look like

This is a graphical representation of the network environment and we will be configuring the Reverse Proxy server below.

Network Diagram
Network Diagram

Prepare the Reverse Proxy Server

  1. Your Proxy Server will reside in the DMZ zone and should have 2 network link, one for the Internet, the other to the Intranet. So make sure your Proxy Server can resolve the K2 smarforms URL.
  2. Make sure IIS is installed in the server.
  3. Install the URL Rewrite module from http://www.iis.net/downloads/microsoft/url-rewrite.
  4. Install Application request Routing (ARR) module from http://www.iis.net/expand/ApplicationRequestRouting.

Setup Reverse Proxy in IIS

  1. Create a new Website in IIS (I’ll name it RewriteURL for my demo). This will be website Internet users will be accessing. I’ll not touch on how to setup a simple website with the bindings.
  2. Go to the new Website and double-click on the URL Rewrite module.

    URL Rewrite Module
    URL Rewrite Module
  3. On the Actions menu on the right, click on View Server Variables.. 

    View Server Variables
    View Server Variables
  4. Add two variables – HTTP_ACCEPT_ENCODING and HTTP_X_ORIGINAL_ACCEPT_ENCODING.

    Add Server Variables
    Add Server Variables
  5. Now, return to the URL Rewrite module’s home page by clicking Back to Rules.
  6. On the Actions menu on the right again, click on Add Rules(s)…

    Add Rules
    Add Rules
  7. In the Add Rule(s) dialog, select Reverse Proxy and click on OK.

    Select Reverse Proxy
    Select Reverse Proxy
  8. You will see a prompt regarding the Application Request Routing (ARR) module if this is the first time you created a Reverse Proxy. Click OK to close the prompt.

    ARR prompt
    ARR prompt
  9. In the Add Reverse Proxy Rules dialog,
    1. Fill in the URL of the K2 smartforms website. Make sure the Reverse Proxy server can resolve this URL.
    2. Check on Enable SSL Offloading, if your Internet website is running HTTPS and your K2 smartforms website is running on HTTP.
    3. Check on the option Rewrite the domain names of the links in HTTP responses. This will ensure the URL generated by K2 smartforms will be rewritten to the Internet website’s URL.
    4. Under the Outbound Rules section, fill in the K2 smartforms URL in the From field and the Internet website’s URL in the To field.

      Reverse Proxy Rule
      Reverse Proxy Rule
  10. Click OK when you are done.
  11. You will see a new inbound rule entry. Edit it.

    Inbound Rule
    Inbound Rule
  12. Under the Server Variables section, add (Order of the variables is important here):
    1. HTTP_X_ORIGINAL_ACCEPT_ENCODING and set the value to {HTTP_ACCEPT_ENCODING}.
    2. HTTP_ACCEPT_ENCODING and give it a temporary value first. We will be removing the value in the web.config later.
  13. Under the Action section, ensure the scheme (http/https) in the Rewrite URL field is correct. Leave the rest of the selection as is.

    Rewrite URL scheme
    Rewrite URL scheme
  14. Click Apply in the Actions menu.
  15. Back in the URL Rewrite module home page, edit the outbound rule.

    Outbound Rule
    Outbound Rule
  16. Under the Actions section, make sure the scheme (http/https) of the URL is correct.

    Outbound Rewrite URL
    Outbound Rewrite URL
  17. Click Apply in the Actions menu to save the changes, if any.
  18. Back on URL Rewrite module home page, click on Add Rule(s)… in the Action menu.
  19. Select Blank rule under the Outbound rules section and click OK.

    New Outbound Rule
    New Outbound Rule
  20. Set the rule’s Name to RestoreAcceptEncoding.
  21. In the Precondition dropdown list, select <Create New Precondition…>.
  22. In the Add Precondition dialog, set the Name to NeedsRestoringAcceptEncoding.
  23. Select Regular Express under Using dropdown list.
  24. Select Match All under Logical grouping dropdown list.
  25. Click on the Add button.
  26. In the Add Condition dialog, fill in the following and click OK:
    1. Condition input: {HTTP_X_ORIGINAL_ACCEPT_ENCODING}
    2. Check if input string: Matches the Pattern
    3. Pattern: .+
    4. Ignore case: checked 

      Add Condition
      Add Condition
  27. The Add Precondition dialog should look like the following. Click OK to complete it.

    Add Precondition Dialog
    Add Precondition Dialog
  28. Back in the Edit outbound Rule page, set the following values in the Match section:
    1. Matching scope: Server Variable
    2. Variable name: HTTP_ACCEPT_ENCODING
    3. Variable value: Matches the Pattern
    4. Using: Regular Expressions
    5. Pattern: ^(.*)
    6. Ignore case: checked

      Match Section
      Match Section
  29. Under the Action section, set the following values:
    1. Action type: Rewrite
    2. Action Properties – Value: {HTTP_X_ORIGINAL_ACCEPT_ENCODING}
    3. Replace existing server variable value: checked
    4. Stop Processing of subsequent rules: not checked

      Action Section
      Action Section
  30. Click Apply under the Actions menu and return to the URL Rewrite home page.
  31. Click on the new outbound rule and ensure RestoreAcceptEncoding is before ReverseProxyOutboundRule1. The order is important here.

    Rule Order
    Rule Order
  32. Next, leave the IIS Manager app and edit the web.config file for this website.
  33. If you recall, I mentioned that the server variable value for HTTP_ACCEPT_ENCODING will be updated later and this is where we will set the value to empty.

    Update Web.config
    Update Web.config
  34. And that’s all for the configuration

Testing

Now, to test that your Reverse Proxy for K2 smartforms works, carry out an IIS reset and hit the proxy server’s website (e.g. http://rewritetest.local/designer).

Web.config for reference

Well, if your proxy setup did not work, you might have missed some settings. I’ve attached my sample web.config file for your reference =)

 

Have fun setting up your Reverse Proxy for K2 smartforms!

 

Ji Kai

Ji Kai

Director / Principal Consultant at Alrighty Labs Pte. Ltd.
Ji Kai is the Director and Principal Consultant of Alrighty Labs Pte. Ltd. He has over 10 years of experience in solution designing, consulting and management of software development projects in both private and public sectors. His primary responsibility is to take lead in customer engagements and use his expertise in K2 technologies to assist customers to design successful business process applications. In addition, he has proven past records of leading the successful delivery of complex business process applications on K2 and Microsoft technologies.

Linkedin
Ji Kai

3 thoughts on “Setup Reverse Proxy for K2 smartforms

  1. Hi,

    This looks like a great informative guide and something that I’m going to keep a hold of as we’re in the middle of a migration from one legacy system to a new K2 environment which will require exposure via a DMZ.

    I have one question if I may; it’s been mentioned to us via another consultant that we could host the SmartForm runtime component only in the DMZ and have this configured to point back through a firewall to the K2 host and the smart object services. I’ve searched for reference material regarding this type of setup which is how I stumbled across this one but can’t find anything else. Are you aware of this type of configuration or do you know if it is actually possible?

    Cheers,

    Paul.

    1. Hi Paul,

      Sorry for the late reply.

      If you are using NTLM authentication, your smartforms server sitting in the DMZ will still need to be joined to the same AD as the K2 blackpearl app server. So this poses an issue with most organisations’ security policies as they do not allow DMZ servers to join to the internal domain.

      I’ve not seen any successful implementation or documentations on smartforms server in the DMZ to date, but I can confirm that the reverse proxy implementation proved to work for a client.

      JK

  2. Thank you Ji Kai, this was an extremely valuable post and we will look to implement something like this in the near future.

Leave a Reply