How can I make ARR work with SSL offloading DISABLED? 502.3 Bad Gateway

3
votes

So I have been hitting this error for days now. I have googled and googled but nothing seems to resolve my scenario and am hoping someone out there can help.

The problem:

When I disable SSL offloading in ARR (Routing Rules) I receive the following:

502 - Web server received an invalid response while acting as a gateway or proxy server.

There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.

So, digging further, I enabled Failed Request Tracing to capture the error. The log offers the following info:

  1. view trace Warning -MODULE_SET_RESPONSE_ERROR_STATUS

ModuleName: ApplicationRequestRouting
Notification: EXECUTE_REQUEST_HANDLER
HttpStatus: 502
HttpReason: Bad Gateway
HttpSubStatus: 3
ErrorCode: 2147954430

  1. view trace Warning -SET_RESPONSE_ERROR_DESCRIPTION

ErrorDescription: The connection with the server was terminated abnormally

My Config:

2 x ARR/NLB Servers

  • Server 2012
  • NLB (Clustered)
  • ARR 3 (Server Farm)
  • IIS 8 (Shared configuration, Centralized Certificates (CCS))

2 x Content Servers

  • Server 2012
  • IIS 8 (Shared configuration, Centralized Certificates)
  • Default VS 2013 MVC 5.2 application template

Basically, I am trying to accomplish load balancing and redundancy up front via NLB and ARR. I went by the book on all the configuration. These are all fresh installs with only bare minimum components installed. The certificate is self signed through AD CA. Root CA is installed in trusted cert authorities on all servers.

Everything works perfectly over port 80 (non SSL) and when I enable SSL offloading in ARR. However, due to application constraints, I cannot enable offloading.

Hitting the content servers directly works fine via http and https (aside from browser warning about certificate).

I've tried installing the certificate on each server and selecting in the site binding rather than selecting Centralized Certificate Store, but it doesn't seem to matter as I get the same results when ARR is the requester.

Below I've attached the relevant config files. Many thanks in advance.

IIS/ARR administration.config

IIS/ARR applicationHost.config

3
sslwindows-server-2012iis-8web-farmarr
We're getting the same error too... did you ever find a solution? I found the MS page that listed a hotfix, but the hotfix couldn't be found support.microsoft.com/kb/2455129?wa=wsignin1.0MattGWagner
No solution yet. The KB you refer to applies to IIS 7, not 8. It also refers to some error with mapping for unicode characters in multi-byte code page. This is not my issue. Good luck with yours.Jason

3 Answers

1
votes

You must have same SSL certificate on ARR and Application servers. And of course on all servers you must enable https. So create a wildcard certificate for your domain and use it on both ARR and Content servers.

1
votes

I have been getting the same error. This is how I resolved it.

You need to make sure the ARR server and the server you are targeting are using the exact same SSL certificate.

In my case they were the same, but the target SSL certificate somehow got corrupted or imported into IIS incorrectly.

Anyway, to resolve this, I removed all references to the corrupted SSL certificate on the target server, and then reinstalled the certificate.

I made sure that I could access this site on my target server, by making a direct connection, and bypassing the ARR server.

I hope this reference helps someone else.

0
votes

It been a while, but this is the only post that directly referenced my issue.

Environment: ARR with centralized certs Farm web machines with centralized certs

I had to move to NOT using SSL offloading and got 502.3.

The solution for me was to install the cert on the farm web machines using MMC and then give the app pool user Read rights on the private key. This was the only way to get the ARR to negotiate a secure connection.