This article describes how to publish the DualShield Provisioning Service (DPS) via the IIS reverse proxy.

If you are using DualShield to secure Outlook emails with 2FA, you might have to make your DualShield Provisioning Service (DPS) accessible to users from external connections, i.e. the Internet. In other words, you need to publish DPS on the Internet. You can easily achieve this by using the built-in reverse proxy function in Internet Information Server (IIS).

Enable IIS Reverse Proxy

In the IIS console, select the server node:

Double click "Application Request Routing Cache" to open it.

In the Actions pane, select "Server Proxy Settings".

Turn on the option "Enable proxy".

Click "Apply" in the Actions pane to save the change.

Add Rewrite Rules

In the IIS Console, select the web site that you need to work on. Typically it is the "Default Web Site".

Double click "URL Rewrite" to open it.

The instructions below are based on the assumption that the internal FQDN of your DualShield server is "dualshield.opensid.net" and that you want to reverse proxy it to the external address "mail.deepnetid.com".

You need to replace those 2 FQDNs with your own FQDNs accordingly.

Create the following 2 inbound rules:

Please note that this rule "ssoReverseProxyInboundRule" might already exist in your system. If so, leave it as is and do not create a new one. 

And the following Outbound rules:

Now, you have 2 inbound and 2 outbound rules as shown below:

Alternatively, instead of using the IIS console, you can edit the "web.config" file. 

  1. Locate the file: "C:\inetpub\wwwroot\web.config"
  2. Open it in a text editor
  3. Locate "<system.webServer>" in the file
  4. Insert the following rewrite rules, but make sure that you replace "dualshield.opensid.net" with the internal FQDN of your DualShield server, and "mail.deepnetid.com" with the external FQDN of your reverse proxy. You also need to change the line below

     pattern="https://dualshield\.opensid\.net:8074/appsso/(login|logout)/*"

     according to the internal FQDN of your DualShield server. This line needs separate attention because it is a regular expression in which the dots of the FQDN are escaped with a backslash, so a plain search-and-replace of "dualshield.opensid.net" will not find it.
  5. Save the file and restart the IIS server

Reverse Proxy Rules
    <system.webServer>
        <rewrite>
            <rules>
                <!-- Inbound: forward /appsso/... to the DualShield SSO service on port 8074 -->
                <rule name="ssoReverseProxyInboundRule" stopProcessing="true">
                    <match url="appsso/(.*)" />
                    <action type="Rewrite" url="https://dualshield.opensid.net:8074/{R:0}" />
                </rule>
                <!-- Inbound: forward /dps and /dps/... to DPS on port 8072 -->
                <rule name="dpsInboundRule" stopProcessing="true">
                    <match url="(dps/.*)|(dps)" />
                    <conditions>
                    </conditions>
                    <action type="Rewrite" url="https://dualshield.opensid.net:8072/{R:0}" />
                </rule>
            </rules>
            <!-- Outbound: rewrite form action URLs in HTML responses so that the
                 internal FQDN is replaced by the external FQDN before the client sees them -->
            <outboundRules>
                <rule name="externalSSO" preCondition="dps-saml-request" patternSyntax="ECMAScript">
                    <match filterByTags="Form" pattern="https://dualshield\.opensid\.net:8074/appsso/(login|logout)/*" />
                    <action type="Rewrite" value="https://mail.deepnetid.com/appsso/{R:1}" />
                </rule>
                <rule name="externalDPS" preCondition="sso-saml-response">
                    <match filterByTags="Form" pattern="https://dualshield.opensid.net:8072/dps/SAML/(.*)" />
                    <action type="Rewrite" value="https://mail.deepnetid.com/dps/SAML/{R:1}" />
                </rule>
                <!-- Only HTML responses are rewritten, and only for the matching request path -->
                <preConditions>
                    <preCondition name="isHtml">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="dps-saml-request">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                        <add input="{REQUEST_URI}" pattern=".*/dps.*" />
                    </preCondition>
                    <preCondition name="sso-saml-response">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                        <add input="{REQUEST_URI}" pattern=".*/appsso/.*" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
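As an added example that is not part of this article or of DualShield, the following Python script replays the inbound and outbound rules above on constructed input: it reads the rule patterns from a web.config-style fragment, maps a site-relative request path to the backend URL the inbound rules produce, and rewrites the form action in a made-up DPS response the way the outbound rules do, so you can confirm before restarting IIS that the internal FQDN no longer reaches the client. The embedded rule XML is a trimmed copy of the rules above with the preConditions left out, and the sample HTML form is invented.

```python
"""Added example, not the article's code: replay its IIS rewrite rules in Python."""
import re
import xml.etree.ElementTree as ET

INTERNAL = "dualshield.opensid.net"   # internal FQDN used by the article
EXTERNAL = "mail.deepnetid.com"       # external FQDN used by the article
# Constructed fragment with the article's rule patterns (preConditions omitted; FQDN dots regex-escaped).
RULES_XML = f"""<rewrite>
  <rules>
    <rule name="ssoReverseProxyInboundRule"><match url="appsso/(.*)" />
      <action type="Rewrite" url="https://{INTERNAL}:8074/{{R:0}}" /></rule>
    <rule name="dpsInboundRule"><match url="(dps/.*)|(dps)" />
      <action type="Rewrite" url="https://{INTERNAL}:8072/{{R:0}}" /></rule>
  </rules>
  <outboundRules>
    <rule name="externalSSO"><match filterByTags="Form"
        pattern="https://{re.escape(INTERNAL)}:8074/appsso/(login|logout)/*" />
      <action type="Rewrite" value="https://{EXTERNAL}/appsso/{{R:1}}" /></rule>
    <rule name="externalDPS"><match filterByTags="Form"
        pattern="https://{re.escape(INTERNAL)}:8072/dps/SAML/(.*)" />
      <action type="Rewrite" value="https://{EXTERNAL}/dps/SAML/{{R:1}}" /></rule>
  </outboundRules>
</rewrite>"""
def load_rules(xml_text):
    """Return ([(url_pattern, target_url)], [(pattern, value)]) from a <rewrite> element."""
    root = ET.fromstring(xml_text)
    inbound = [(r.find("match").get("url"), r.find("action").get("url"))
               for r in root.find("rules").findall("rule")]
    outbound = [(r.find("match").get("pattern"), r.find("action").get("value"))
                for r in root.find("outboundRules").findall("rule")]
    return inbound, outbound
def _expand(template, m):  # IIS back-references: {R:0} = whole match, {R:n} = group n
    return re.sub(r"\{R:(\d+)\}", lambda g: m.group(int(g.group(1))) or "", template)
def rewrite_request(path, inbound):
    """Backend URL for a site-relative path (no leading '/'); first matching rule wins."""
    for pattern, target in inbound:
        if m := re.search(pattern, path):
            return _expand(target, m)
    return None  # no rule matched: IIS serves the request itself
def rewrite_response(html, outbound):
    """Rewrite <form action="..."> values, mimicking filterByTags="Form"."""
    def fix(tag):
        url = tag.group(2)
        for pattern, value in outbound:
            if m := re.search(pattern, url):
                url = url[:m.start()] + _expand(value, m) + url[m.end():]
        return tag.group(1) + url + tag.group(3)
    return re.sub(r'(<form\b[^>]*\baction=")([^"]*)(")', fix, html, flags=re.I)
INBOUND, OUTBOUND = load_rules(RULES_XML)
# Constructed DPS response: a SAML auto-post form still pointing at the internal SSO URL.
SAMPLE = '<form action="https://dualshield.opensid.net:8074/appsso/login/"><input name="SAMLRequest" /></form>'
```

If rewrite_response still returns the internal FQDN for one of your own responses, check the preCondition (content type and request path) on the matching outbound rule, since the real IIS rules only fire when it is met.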
