Infiniti and reverse proxy

Applies to Infiniti v8.0 or later




There would be business scenarios in which a user would want to use Infiniti in a 3-tier architecture, with a load balancer/reverse proxy, webserver and database server. This guide has been designed to assist Infiniti administrators in the setup and configuration of such an environment. The installation of the Infiniti software is out of scope. This guide just goes through the setup of a 3-tier, load balancer/reverse proxy environment
In this guide, we use the features ‘Application Request Routing [ARR]’ and ‘URL Rewrite’ in Internet Information Service (IIS), to implement the reverse proxy environment.
You might need administrative privileges on the Load balancer/Reverse Proxy server. 

Installation of ARR



This chapter guides you through the process of installing Microsoft’s Application Request Routing (ARR) version 2.5 on IIS 7 or above.
The software is installed using the web platform installer.

Installation Steps

  1. Browse to one of the following URLs:
  1. Click on the ‘Install Now’ button. The webpage prompts the user to either ‘Run’, ‘Save’ or ‘Cancel the application Installation request:
  1. Click on the ‘Run’ button:
  1. Click the ‘Install’ button to proceed with the installation.
  1. Click on the ‘Options’ link. Make sure the default options are correct. If not correct them.
  1. Click ‘OK’. All the dependencies for the software get installed as required:
  1. Select ‘I Accept’ to continue. The installation will continue as shown below:
  1. Please wait until the software installation is completed successfully. This may take few minutes.
  1. Click the ‘Finish’ button to complete the installation process.
  1. To verify the successful installation of the feature, please open IIS. A new node Server Farms should now be visible in the Connections pane:

Configuring the Server Farm



This chapter guides you through the process of configuring Microsoft’s Application Request Routing (ARR) version 2.5 to act as a reverse proxy / 3rd tier.

Create server farm in ARR

  1. Launch IIS Manager
  2. ARR is a server level feature. Select and expand the root of the server:
  1. Right click on ‘Server Farms’ and then select ‘Create Server Farm’:
  1. Enter a name. In this example, myServerFarm is the name :
  1. Click ‘Next’.
  2. The next step is to add servers to the farm. On this page, add as many application / web server(s) as needed. The ‘Advanced options’ allows the user  to configure non-standard HTTP / HTTPS ports:
  1. Click ‘Finish’. The user will be prompted with a request for automatic creation of ‘URL rewrite rules’ for the server farm just created:
  1. Click ‘Yes’.
  2. The user has now successfully created a server farm with the required application servers as its members
  3. To verify / view the rules, select and expand the root of the server. Click on the ‘URL Rewrite’ icon in the middle pane.
  1. The ‘URL rewrite rules’ should be visible

Configuring the Server farm properties

After the server farm has been created and defined, additional properties can be set to manage the behaviour of ARR. Only the basic settings are discussed here.
  1. Select the newly created server farm, myServerFarm‚Äč.
  2. The following icons should be visible:
  1. To change the load balance algorithm, double click on the icon ‘Load Balance’.
  2. The default is ‘Least current request’:
  1. For our example, select the ‘Weighted round robin’ algorithm in the drop down menu. For the load distribution, select ‘Custom distribution’ and change the values to a desired level:
  1. To monitor the runtime statistics, click on the icon Monitoring and Management':

Server Affinity

Application Request Routing provides a client affinity feature that maps a client to an Application server behind Application Request Routing for the duration of a client session. When this feature is enabled, the load balancing algorithm is applied only for the very first request from the client. From that point on, all subsequent requests from the same client would be routed to the same content server for the duration of the client session. This feature is useful if the application on the content server is stateful and the client's requests must be routed to the same content server because the session management is not centralized.
  1. Launch IIS Manager
  2. Select the server farm created
  3. Double click on the Server Affinity icon
  1. To enable Client affinity, check the box besides it and then click Apply
  1. Application Request Routing uses a cookie to enable client affinity. The Cookie name will be used to set the cookie on the client. So the client must accept cookies for client affinity to work properly
  2. To verify the functionality of client affinity, send several requests to the ARR server. Refresh the dashboard in IIS Manager (Monitoring and Management). The runtime statistics would be changing for only one of the application servers to where the client is affinitized. You may test by sending additional requests from different client machines and refreshing the dashboard, as needed

ARR and Infiniti with Windows Authentication



Setting up the Reverse proxy to work with Windows Authentication is not a simple task; it requires few complicated configuration changes on the Application servers, Reverse Proxy and the Domain controller as well.
This chapter guides you through the process of configuring ARR and Infiniti to work in windows authenticated mode.


It is assumed that the Infiniti software is installed on the Application server in Windows Authentication mode. If there are more than one application servers, then the set-up has to be done on all the application servers. It is assumed that the setup has been verified on all the application servers.
You might need administrative privileges on the Load balancer / Reverse Proxy server, all the application server and Domain Admin access on the Domain controller for the domain

Changes on the Application servers

The below steps has to be performed on all the Application servers
  1. On the Application server, please change all your Infiniti App Pools to use a domain user account  (domain\appPoolUser)
  1. Make sure all Infiniti Applications are still setup Windows Authentication mode
  2. Make sure the windows authentication settings matches the following configuration
  1. Open an elevated command prompt (i.e. command prompt with Admin privileges )and run the following commands to stop the IIS services
o   Net stop was /y
o   Net stop wmsvc
  1. Go to the system folder %windir%\system32\inetsrv\config\ and open up ApplicationHost.config using notepad or any other editor
  2. Find the tag <location path="Default Web Site/<your Infiniti application’s virtual directory>">
  3. Update the Windows authentication element under it by adding the attribute useAppPoolCredentials="true". After making the change the windows authentication element would look similar to
<windowsAuthentication enabled="true" useAppPoolCredentials="true" />
  1. Repeat the steps 6 & 7 for all other Infiniti applications
  2. On the elevated command prompt, execute the following commands; this is to register Service Principal Names [SPN] for the App Pool User
o   Setspn -s HTTP/<App Server’s NetBIOS Name> DOMAIN\APPPOOLUSER
o   Setspn -s HTTP/<App Server’s FQDN> DOMAIN\APPPOOLUSER
To check for the duplicates, please run the setspn –L command for APPSERVERNETBIOSNAME to find out all defined SPNs. Then use Setspn –d to delete the duplicate ones. Only the HTTP SPN duplicates needs to be deleted
  1. On the elevated command prompt run the following commands to start the IIS services
o   Net start w3svc
o   Net start wmsvc
  1. Open a browser and browse to the application using the below URLs
o   Localhost
o   Appserver’s NETBIOS name
o   Appserver’s FQDN
They should all work. If they did not, then you have duplicate SPNs. Please correct them and test again.
Another thing to be wary of is, if you do not add the site to your Intranet sites or Trusted sites on the browser’s security settings, then you might be prompted for user credentials again and again

Changes on the Reverse Proxy server

The below steps has to be performed on the Reverse Proxy server
  1. Keep the default authentication settings. i.e. Make sure the default website has the Anonymous access enabled
  2. Please set up a simple test page on the App servers with anonymous access enabled and make sure it works thru the reverse proxy
  3. Open an elevated command prompt and set the SPNs for the app pool user using the below commands
o   Setspn -s HTTP/ <Proxy Server’s NetBIOS Name> DOMAIN\APPPOOLUSER
o   Setspn -s HTTP/<Proxy Server’s FQDN>  DOMAIN\APPPOOLUSER
  1. Make sure you can open Infiniti sites from the proxy server Internet explorer with no authentication problems

Changes on the Domain Controller

The below steps has to be performed on the Domain Controller for that domain
  1. Go to Computers
  2. Select the Reverse Proxy server
  3. Right-click and select Properties
  4. Go to the Delegation tab
  5. Click on the option ‘Trust this computer for delegation to any service [Kerberos only]’
  6. Click Ok
  7. From a remote machine on the same domain, test if you can successfully browse to the Infiniti site using the Reverse proxy’s FQDN / NetBIOS Name

DNS alias for the site

If you want to have an alias for the site, please set up the Host header on the reverse proxy server and make sure you have an entry on your DNS pointing to the Reverse Proxy

Related Articles