PRB: HTTPS links fail if original host headers not passed to Zetalink when ForceHTTPS enabled
ID: ZTN2015
This Zetalink technical note applies to:
Symptom
Users are able to browse to the start page on the Zetalink External Web Site and enter their PIN. However, when they select the 'Logon' link or button, they get a 'remote server not found' or similar error.
Cause
The Zetalink External Web Site is accessed via a firewall that redirects requests to an internal IP address (or server name). The firewall publishing rule is set up so that it does not pass the original host headers through for this redirection. Additionally, the 'ForceHTTPS' option is enabled on the Zetalink External Web Site.
Normally all links in the Zetalink Web Site are 'relative'. For example in the 'Zetalink Home' page, which the browser sees as 'http://domain.com/zetalink/tdy.asp' the 'Inbox' link points to 'ibx.asp' which the browser understands to mean 'http://domain.com/zetalink/ibx.asp'.
Normally the URL for the 'Logon' link is 'lg.asp', which the browser will interpret as 'http://domain.com/zetalink/lg.asp'. If, however, 'ForceHTTPS' is enabled, the URL the 'Logon' link points to is not relative: it explicitly specifies 'https' as the protocol, so it should be 'https://domain.com/zetalink/lg.asp'. In this particular scenario, however, 'domain.com/zetalink' is only meaningful on the Internet. It is not the 'real' address of the web site, which is 'server-name/zetalink', where 'server-name' is the NETBIOS name of the machine hosting the Zetalink Web Site. Zetalink only knows what address is being used to access it if it is passed the headers of the original request, which would say 'domain.com/zetalink'. Instead, the original headers are replaced and the URL for the logon link becomes 'https://server-name/zetalink/lg.asp'. This address is not valid for browsers outside the company network (such as the WAP browser on a user's phone).
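To confirm this cause from outside the network, fetch the start page through the firewall and check where its links resolve. The following is an added example, not Equisys code: the function name and the sample HTML are constructed for illustration, and only the host names and file names are taken from this note.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def find_offsite_links(page_url, html):
    """Return (href, resolved_url) for links that leave the host the browser used.

    Relative links resolve against page_url and keep the public host. An
    absolute link built from a replaced Host header names the internal server.
    """
    public_host = (urlsplit(page_url).hostname or "").lower()
    collector = _HrefCollector()
    collector.feed(html)
    flagged = []
    for href in collector.hrefs:
        resolved = urljoin(page_url, href)
        host = (urlsplit(resolved).hostname or "").lower()
        if host != public_host:
            flagged.append((href, resolved))
    return flagged


# Constructed sample pages, as a browser at the public address would see them.
PAGE_URL = "http://domain.com/zetalink/"
RELATIVE_LINK = '<a href="lg.asp">Logon</a>'  # ForceHTTPS disabled
HEADERS_REPLACED = '<a href="https://server-name/zetalink/lg.asp">Logon</a>'
HEADERS_PASSED = '<a href="https://domain.com/zetalink/lg.asp">Logon</a>'

if __name__ == "__main__":
    samples = (("relative", RELATIVE_LINK),
               ("headers replaced", HEADERS_REPLACED),
               ("headers passed", HEADERS_PASSED))
    for label, html in samples:
        print(label, find_offsite_links(PAGE_URL, html))
```

Any flagged link also shows that the internal server name is being disclosed to external clients.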
Resolution
There are two possible solutions: allow the original host headers to be passed through the firewall, or don't use the Zetalink 'ForceHTTPS' option. Alternatively, IIS could be configured to require HTTPS to the Zetalink site using a valid SSL certificate.
How to allow the original host headers to be passed through the firewall will depend on the type of firewall you are using. Please refer to the individual manufacturer's documentation to achieve this.
If the Zetalink External Web Site needs to be configured not to force HTTPS, this is achieved by editing the registry:
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Equisys cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (REGEDIT.EXE) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in REGEDT32.EXE. Note that you should back up the registry before you edit it. If you are running Windows NT or Windows 2000, you should also update your Emergency Repair Disk (ERD).
- Start Registry Editor on the IIS server hosting the Zetalink External Web Site.
- Locate the following key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Equisys\Zetalink\IISUIP
- Edit the DWORD entry below and set the value:
Force HTTPS: 0 is disabled, 1 is enabled.
- Close Registry Editor.
- Use the Internet Services Manager to restart the web services on the server.
Status
This has been identified by Equisys as a problem with the software versions given above.
Last updated: 15 November 2001 (GS/DH)