Wednesday, November 6, 2024

[RESOLVED] MS Web Application Proxy used with SfB caused a Error 502

Abstract: You are using a MS Web Application Proxy as reverse proxy (and ADFS) and when a anonymous user try to join via SfB (=Skype for Business) Web App, he got the error message “Sorry that didn´t work”. Additional to that an external mobile client (e.g. Skype for Business on iOS) could´t connect.

To troubleshoot that issue you installed Fiddler on the affected PC and configured it to decrypt SSL traffic. Inside the fiddler log you found (for UCWA) the following:

HTTP/1.1 502 Bad Gateway
Content-Length: 1477
Content-Type: text/html
Server: Microsoft-HTTPAPI/2.0
client-request-id: c21a7a01-8016-4bb9-9428-e72174f8c60c
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-MS-Correlation-Id: 2147485257
X-Ms-diagnostics: 28067;source="lyfront02.int.contoso.com";reason="Policy prevents request from being proxied."
X-MS-Server-Fqdn: lyfront02.int.contoso.com
Date: Wed, 27 Jul 2016 22:09:09 GMT

and

  <h2>502 - Web server received an invalid response while acting as a gateway or proxy server.</h2>
  <h3>There is a problem with the page you are looking for, and it cannot be displayed. When the Web server (while acting as a gateway or proxy) contacted the upstream content server, it received an invalid response from the content server.</h3>

 

Troubleshooting steps:

1.) Check if you see some issues with the Microsoft Remote connectivity Analyzer (https://testconnectivity.microsoft.com) via a testuser and fix those.

2.) Make sure that the MS Web Application Proxy can reach the SfB fronted server via 4443 via Telnet. If not check the firewall.

3.) Check if you can open the default website on your SfB frontend server

https://yourlyncfrontend.yourdomain.com:4443

On your MS Web Application Proxy (if you have multiple SfB frontend server try each of them). If you got a SSL certificate error you need to install the root certificates on the MS Web Application Proxy from this server.

4.) In some situations it might needed to set the DisableTranslateUrlInRequestHeaders to true.

4a.) At first find the web application proxy application which fits to the URL in your fiddler log via:

Get-WebApplicationProxyApplication | Format-Table ID, Name, ExternalURL

4b.) Once done and once you have the ID check the configuration via:

Set-WebApplicationProxyApplication –ID <application_ID> | fl

this should show something like:

ADFSRelyingPartyID                           :
ADFSRelyingPartyName                         :
BackendServerAuthenticationMode              : NoAuthentication
BackendServerAuthenticationSPN               :
BackendServerCertificateValidation           : None
BackendServerUrl                             : https://yncpool.int.contoso.com:4443/
ClientCertificateAuthenticationBindingMode   : None
ClientCertificatePreauthenticationThumbprint :
DisableHttpOnlyCookieProtection              : False
DisableTranslateUrlInRequestHeaders          : False
DisableTranslateUrlInResponseHeaders         : False
ExternalCertificateThumbprint                : F2A2340D3783803F827155F14147042343B105A23A
ExternalPreauthentication                    : PassThrough
ExternalUrl                                  : https://lyncweb.contoso.com/
ID                                           : 4f8906D6-XXXX-XXXX-XXXX-8A753845d5672
InactiveTransactionsTimeoutSec               : 300
Name                                         : Skype for Business - Web Services
UseOAuthAuthentication                       : False
PSComputerName                               :

4c.) To fix that we need now to set the DisableTranslateUrlInRequestHeaders to true via:

Set-WebApplicationProxyApplication -id <application_ID> -DisableTranslateUrlInRequestHeaders:$true

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Stay Connected

35FollowersFollow
- Advertisement -

Latest Articles