2-way SSL with IIS behind ELB

Question

A customer is migrating an internal-facing .net microservice to AWS that uses 2-way SSL (client-side authentication) for access control.  It's hosted on IIS (Windows Server 2012) in an ASG behind a classic ELB.

The problem is that we can't get 2-way to work with IIS behind the ELB.  The ELB is configured to use [proxy protocol][1], and has TCP Listeners on port 443 (In & Out).  All in-coming REST requests time-out (system cannot be reached).

Does anyone know how to get 2-Way SSL to work with IIS behind an ELB?

[1]: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html

Accepted Answer

As it turns out, we discovered that our requests were timing out because IIS doesn't support [proxy protocol][1].  That's okay, because 2-way SSL doesn't utilize x-forwarded-for headers[.][2]

We got it to work as follows:

1) Configure the ELB to pass-through SSL to the server (Protocol = TCP, Port = 443).

2) Ensure proxy mode is disabled on the ELB (this is the default setting).

3) Configure the IIS site to accept client-side SSL certificates, using these [instructions][3].

4) Client-Side app adds the client-cert to each rest request

5) Server-Side app's request handler inspects requests for matching client-cert thumbprint


  [1]: http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-proxy-protocol.html
  [2]: https://en.wikipedia.org/wiki/X-Forwarded-For
  [3]: https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/

2-way SSL with IIS behind ELB

Relevant content