
Has anyone published Windchill URL via ISA server to the internet?

mkohn
3-Visitor

Has anyone ever published a Windchill URL to the internet using Microsoft's ISA server? I know about the Apache reverse proxy option, but IT prefers using ISA. I would think it is straightforward, but you can never tell. Oh, and the certificate name is different from the server name.

1 ACCEPTED SOLUTION

BineshKumar1
12-Amethyst
(To:mkohn)

I have done reverse proxy implementations with Citrix and Cisco gateways with Windchill, and I believe the reverse proxy setup of ISA is similar to those gateways. But ISA is a product that was retired many years ago, so it doesn't make a lot of sense to use this product. Moreover, most of the settings in ISA are built for SharePoint or .NET based sites.

These are the steps which I followed.


If it is an existing Windchill server and if you are okay using the same URL for accessing Windchill, then you can configure your gateway to do the authentication (I assume you are using AD to manage users). Once the authentication is done, the gateway can set the remote_user variable and header, and route the traffic to Windchill Apache. The gateway should be configured for persistent cookies. Also ensure that the client headers are reset to prevent spoofing. Once authentication is done, the gateway should act like a switch and shouldn't rewrite any URLs.

If the desired public access URL is different from your current Windchill server URL, say your desired external URL is pdmlink.company.com and the certificate is *.company.com, then you will have to follow the rehost process to rename your Windchill application to pdmlink.company.com. You can create a c entry in your internal DNS to route all internal users directly to the Windchill server instead of the proxy when they use pdmlink.company.com. You cannot have external and internal user access with different URLs because all internal links within Windchill are based on the value of a property and we cannot have multiple values for this property based on client IPs.

Hope it helps

Binesh Kumar
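
The header handling described in the answer above (the gateway sets the user header itself and resets any client-supplied copy), as an added example that is not part of the original post or of any gateway's configuration. The function names and the sample request are constructed, and treating case and `-`/`_` as equivalent is an assumption about how a CGI-style backend maps header names.

```python
# Added example. Names here are assumptions, not Windchill or ISA settings.
IDENTITY_HEADER = "remote_user"  # header name as written in the post above


def canonical(name):
    """Fold case and treat '-' and '_' alike, the way CGI-style backends
    do when they turn request headers into HTTP_* variables."""
    return name.strip().lower().replace("-", "_")


def forward_headers(client_headers, authenticated_user):
    """Build the header list the gateway sends to the backend.

    client_headers: (name, value) pairs exactly as received from the browser.
    authenticated_user: account the gateway itself verified (e.g. against AD).
    Returns (upstream_headers, dropped_headers).
    """
    if not authenticated_user or any(c in authenticated_user for c in "\r\n"):
        raise ValueError("no clean authenticated user; do not forward")
    kept, dropped = [], []
    for name, value in client_headers:
        if canonical(name) == canonical(IDENTITY_HEADER):
            dropped.append((name, value))  # client-supplied identity is never trusted
        else:
            kept.append((name, value))     # everything else passes through unrewritten
    kept.append((IDENTITY_HEADER, authenticated_user))
    return kept, dropped


# Constructed sample request: two spelling variants of the identity header
# arrive from the client and both must be removed before forwarding.
SAMPLE_REQUEST = [
    ("Host", "pdmlink.company.com"),
    ("Cookie", "JSESSIONID=constructed-value"),
    ("Remote-User", "administrator"),
    ("REMOTE_USER", "administrator"),
]

if __name__ == "__main__":
    upstream, dropped = forward_headers(SAMPLE_REQUEST, "jdoe")
    for name, value in upstream:
        print(f"forward  {name}: {value}")
    for name, value in dropped:
        print(f"dropped  {name}: {value}")  # worth logging as a spoofing indicator
```

Logging the dropped headers gives the security team a signal when a client tries to present its own identity header.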


4 REPLIES 4
Hi Binesh,

It helps a lot. I was hoping that I did not have to rehost because of the different URLs (certificate) but I do. The other items mentioned I sent on to the security team. Appreciate your feedback.

Regards,

Mitch

imendiola
11-Garnet
(To:mkohn)

Hi Mitch,

I was working for a customer where we published Windchill through ISA Server. We used the same URL internal and external, so we also used the same certificate in the ISA Server, exporting it to pfx format. Anyway, I suppose that it was caused because it was an old version of ISA Server, only IE 8 and 9 were able to render the Windchill pages correctly. With IE10 or higher, compatibility mode needed to be activated. And with Firefox, the only way to get it rendering pages correctly was with a plugin that changed the user-agent of the browser to IE8. I don't know why, but ISA Server was truncating the HTML when the user-agent was different to IE.

Regards

Iker Mendiola - Prambanan IT Services
http://www.prambanan-it.com

mkohn
3-Visitor
(To:imendiola)

Hi Iker,

I will keep an eye on it once I rehost the URL changes.

Thanks,

Mitch
