cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Your Friends List is a way to easily have access to the community members that you interact with the most! X

Has anyone published Windchill URL via ISA server to the internet?

Go to solution
mkohn
3-Visitor
3-Visitor
‎Mar 30, 2016 11:50 AM
‎Mar 30, 2016 11:50 AM

Has anyone published Windchill URL via ISA server to the internet?

Has anyone ever publish Windchill url to the internet using Microsoft's ISA server?  I know about the Apache reverse proxy option, but IT prefers using ISA. I would think it is straight forward, but you can never tell. Oh and the certificate name is different from the server name.

Labels:
0 Kudos
Notify Moderator
1 ACCEPTED SOLUTION

Accepted Solutions
BineshKumar1
12-Amethyst
12-Amethyst
(To:mkohn)
‎Mar 30, 2016 07:20 PM
‎Mar 30, 2016 07:20 PM

I have done reverse proxy implementation with Citrix and Cisco gateways with Windchill and I believe the reverse proxy setup of ISA is similar to those gateways. But ISA is a product that was retired  many years ago. So it doesn't make a lot of  sense to use this product, more over most of the settings in ISA are build for SharePoint or .NET based sites.

These are the steps which I followed.


If it is an existing Windchill server and if you are okay using the the same URL for  accessing Windchill, then you can configure your gateway to do the authentication (I assume you are using AD to manage users). Once the authentication is done, the gateway can set remote_user variable and header,  and route the traffic to Windchill Apache. The gateway should be configured to persistent cookies. Also ensure that the client headers are reset to prevent spoofing. Once authentication is done, the gateway should act like a switch and shouldn't rewrite any URLs.

If the desired public access URL is different from your current Windchill server URL, say your desired external URL is pdmlink.company.com and certificate is *.company.com, then you will have to follow the rehost process to rename your Windchill application to pdmlink.company.com.  You can create a c entry in your internal DNS to route all internal users directly to Windchill server instead of proxy when they use pdmlink.company.com. You cannot have external and internal user access with different URLs because all internal links within Windchill are based on the value of a property and we cannot have multiple values for this property based on client IPs.

Hope it helps

Binesh Kumar

View solution in original post

Notify Moderator
4 REPLIES 4
BineshKumar1
12-Amethyst
12-Amethyst
(To:mkohn)
‎Mar 30, 2016 07:20 PM
‎Mar 30, 2016 07:20 PM

I have done reverse proxy implementation with Citrix and Cisco gateways with Windchill and I believe the reverse proxy setup of ISA is similar to those gateways. But ISA is a product that was retired  many years ago. So it doesn't make a lot of  sense to use this product, more over most of the settings in ISA are build for SharePoint or .NET based sites.

These are the steps which I followed.


If it is an existing Windchill server and if you are okay using the the same URL for  accessing Windchill, then you can configure your gateway to do the authentication (I assume you are using AD to manage users). Once the authentication is done, the gateway can set remote_user variable and header,  and route the traffic to Windchill Apache. The gateway should be configured to persistent cookies. Also ensure that the client headers are reset to prevent spoofing. Once authentication is done, the gateway should act like a switch and shouldn't rewrite any URLs.

If the desired public access URL is different from your current Windchill server URL, say your desired external URL is pdmlink.company.com and certificate is *.company.com, then you will have to follow the rehost process to rename your Windchill application to pdmlink.company.com.  You can create a c entry in your internal DNS to route all internal users directly to Windchill server instead of proxy when they use pdmlink.company.com. You cannot have external and internal user access with different URLs because all internal links within Windchill are based on the value of a property and we cannot have multiple values for this property based on client IPs.

Hope it helps

Binesh Kumar

Notify Moderator
mkohn
3-Visitor
3-Visitor
(To:BineshKumar1)
‎Mar 31, 2016 01:23 PM
‎Mar 31, 2016 01:23 PM

Hi Binesh,

It helps a lot. I was hoping that I did not have to rehost because of the different URLs (certificate) but I do. The other items mentioned I sent on to the security team. Appreciate your feedback.

Regards,

Mitch

0 Kudos
Notify Moderator
imendiola
12-Amethyst
12-Amethyst
(To:mkohn)
‎Mar 31, 2016 03:19 AM
‎Mar 31, 2016 03:19 AM

Hi Mitch,

I was working for a customer where we published Windchill through ISA Server. We used the same URL intarnal and external, so also used the same certificate in the ISA Server, exporting it to pfx format. Anyway, I suppose that it was caused because it was an old version of ISA Server, only IE 8 and 9 were able to render the Windchill pages correctly. With IE10 or higher, compatibility mode needed to be activated. And with Firefox, the only way to get it rendering pages correctly was with a plugin that changed the user-agent of the browser to IE8. I don't know why, but ISA Server was truncating the HTML when the user-agent was different to IE.

Regards

http://www.prambanan-it.comIker Mendiola - Prambanan IT Services
0 Kudos
Notify Moderator
mkohn
3-Visitor
3-Visitor
(To:imendiola)
‎Mar 31, 2016 01:24 PM
‎Mar 31, 2016 01:24 PM

Hi Iker,

I will keep an eye on it once I rehost the URL changes.

Thanks,

Mitch

0 Kudos
Notify Moderator
Top Tags