Host FireStart behind a Reverse Proxy

Prerequisites

The FireStart server and Process Portal are hosted on the same machine (eg.: sho-dev-pc.prologics.at:8443)
The IdentityServer is hosted with the reverse proxy (eg.: bld-agent.firestart.com:443)

Setup

Install the FireStart server

Configure the public and internal names/ports:

Make sure that the server name/port in the init.json for the Process Portal points to the reverse proxy. You may also check the PROLOGICS/Urls Key in the registry. The screenshot below shows an example of what the entries in the registry look like.

installation_reverseProxy_2

Caution: Do not start the FireStart server before authentication has been successfully configured.

Deploy the IdentityServer to the reverse proxy

The reverse proxy configuration needs to rewrite URLs to the internal FireStart server but not the authentication requests. A valid regular expression for the IIS UrlRewrite is ^(?!auth).*$ . Below is an example of what the action looks like when using the mentioned regular expression.

XML

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>  
            <rules>                      
                <rule name="ReverseProxy RewriteURL-LKE" enabled="false" stopProcessing="true">
                    <match url="^(?!auth).*amp;quot; />
                    <action type="Rewrite" url="https://lke-dev-pc.firestart.com:8443/{R:0}" logRewrittenUrl="true" />
                </rule>
                <rule name="ReverseProxy RewriteURL-SHO" enabled="true" stopProcessing="true">
                    <match url="^(?!auth).*amp;quot; />
                    <action type="Rewrite" url="https://sho-dev-pc.prologics.at:8443/{R:0}" logRewrittenUrl="true" />
                </rule>
            </rules>             
        </rewrite>
        <directoryBrowse enabled="true" />
    </system.webServer>
</configuration>

Then copy the PROLOGICS FireStart IdentityServer from the installed server to the folder on the reverse proxy server. Make sure that the .NET Core hosting bundle is installed.

Create the authentication subsite in IIS

The physical path is the PROLOGICS FireStart IdentityServer folder you copied. There you have to enable Windows authentication for the subsite. Make sure the IS app pool has access to the physical path.

Configure the IdentityServer via app settings

The following tasks have to be performed:

adapt the "path:" for the log file in the Serilog section to contain an existing folder, where the app pool has full control to create log files
settings: Adapt the BaseUrl to contain the address of the IdentityServer (e.g. https://bld-agent.firestart.com:443/auth)
adapt the name to the public server (e.g. bld-agent.firestart.com)
adapt the port to the public reachable port (e.g. 443)
adapt the DB path to contain an existing folder where the app pool has full control to create SQLite databases
make sure the selected certificate for JWT signing is available and the app pool has permissions to read the key
perform an IIS reset
try accessing the authentication site from the browser and logging in, which should work now (on the reverse proxy and the FireStart server)

JSON

{
  "Serilog": {
    "MinimumLevel": {
      "Default": "Debug",
      "Override": {
        "Microsoft": "Warning",
        "System": "Warning",
        "Microsoft.AspNetCore.Authentication": "Information",
        "ComponentSApace.SAML2": "Debug"
      }
    },
    "Enrich": [
      "FromLogContext"
    ],
    "WriteTo": [
      {
        "Name": "Console",
        "Args": {
          "outputTemplate": "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}"
        }
      },
      {
        "Name": "File",
        "Args": {
          "path": "C:\\FireStart InstallFolder\\PROLOGICS Resources\\Logs\\IdentityServer.txt",
          "rollOnFileSizeLimit": true,
          "fileSizeLimitBytes": "10485760",
          "shared": true
        }
      }
    ]
  },
  "Settings": {
    "AllowedHosts": "*",
    "BaseUrl": "https://bld-agent.firestart.com:443/auth",
    "Name": [
      "bld-agent.firestart.com",
      "sho-dev-pc.prologics.at"
    ],
    "Port": "443",
    "DbPath": "C:\\FireStart InstallFolder\\PROLOGICS Resources\\Database",
    "JWTCert": "4BD8AEFDCA43E9C3C0CE2992D924958D27D702BE"
  },
  "Provider": {
    "Saml": {
      "Enabled": false,
      "DisplayName": "SAML",
      "Scheme": "external",
      "EntityId": "",
      "SamlCert": "",
      "PartnerIdentityProviderMetadataEndpoint": ""
    },
    "Azure": {
      "Enabled": false,
      "DisplayName": "Azure AD",
      "Scheme": "aad",
      "TenantId": "",
      "AppId": "",
      "AppSecret": ""
    },
    "Windows": {
      "Enabled": true,
      "DisplayName": "Windows Authentication",
      "Scheme": "Windows"
    }
  },
  "SearchProvider": {
    "External": {
      "Enabled": false,
      "DisplayName": "External Search",!
      "Scheme": "external",
      "BaseUrl": "https://sho-upgrade.firestart-dev.local:7443"
    },
    "ActiveDirectory": {
      "Enabled": true,
      "DisplayName": "Active Directory Search",
      "Scheme": "Windows",
      "SearchUserWithinOU": false,
      "Domains": [
        {
          "Domain": "firestart.com",
          "FQDN": "",
          "Username": "",
          "Password": ""
        }
      ]
    },
    "Graph": {
      "Enabled": false,
      "DisplayName": "Microsoft Graph",
      "Scheme": "aad",
      "TenantId": "",
      "AppId": "",
      "AppSecret": "",
      "RedirectUri": ""
    }
  }
}