Hyper-V Replica Certificate based authentication and Proxy servers

First published on TECHNET on Feb 17, 2014

Continuing from where we left off, I have a small lab deployment which consists of an AD, DNS, a proxy server (Forefront TMG 2010 on WS 2008 R2 SP1), primary servers and replica servers. When the primary server was behind the proxy (a forward proxy) and I tried to enable replication using certificate based authentication, I got the following error message:
The handle is in the wrong state for the requested operation (0x00002EF3)

That didn't convey too much, did it? Fortunately I had netmon running in the background and the only set of traffic which was seen was between the primary server and the proxy. A particular HTTP response caught my eye:

The highlighted text indicated that the proxy was terminating the connection and returning a 'Bad gateway' error. A closer look at the TMG error log indicated that the error was encountered during the https-inspect state.

After some bing'ing of the errors, the pieces began to emerge. When HTTPS inspection is enabled, the TMG server terminates the connection and establishes a new connection (in our case to the replica server), acting as a trusted man-in-the-middle. This doesn't work for Hyper-V Replica as we mutually authenticate the primary and replica server endpoints. To work around the situation, I disabled HTTPS inspection in the proxy server and things worked as expected. The primary server was able to establish the connection and replication was on track.
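One way to confirm that a forward proxy is re-signing TLS on the path to the replica server is to open a CONNECT tunnel through it and compare the certificate that arrives with the replica server's real thumbprint. The PowerShell probe below is an added example, not part of the original article; the host names, ports and thumbprint are placeholders to replace with your own values.

```powershell
# Added example; every host name, port and thumbprint below is a placeholder.
$ProxyHost   = 'proxy.lab.example'
$ProxyPort   = 8080
$ReplicaHost = 'replica.lab.example'
$ReplicaPort = 443
$Expected    = '<THUMBPRINT-OF-REPLICA-SERVER-CERTIFICATE>'

$script:Presented = $null
# Record whatever certificate arrives; this probe inspects it and trusts nothing.
$capture = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($source, $certificate, $chain, $policyErrors)
    $script:Presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $true
}

$client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
try {
    $stream = $client.GetStream()
    # Ask the forward proxy for a tunnel to the replica server.
    $target  = "${ReplicaHost}:$ReplicaPort"
    $request = [System.Text.Encoding]::ASCII.GetBytes("CONNECT $target HTTP/1.1`r`nHost: $target`r`n`r`n")
    $stream.Write($request, 0, $request.Length)

    # Read the proxy reply byte by byte up to the blank line, so no TLS bytes are consumed.
    $reply = New-Object System.Text.StringBuilder
    while (-not $reply.ToString().EndsWith("`r`n`r`n")) {
        $b = $stream.ReadByte()
        if ($b -lt 0) { break }
        [void]$reply.Append([char]$b)
    }
    $status = ($reply.ToString() -split "`r`n")[0]
    if ($status -notmatch '^HTTP/1\.[01] 2\d\d') { throw "Proxy refused the tunnel: $status" }

    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $capture)
    # The handshake may still fail because this probe offers no client certificate;
    # the server certificate has already been captured by then.
    try { $ssl.AuthenticateAsClient($ReplicaHost) } catch { Write-Verbose $_.Exception.Message }
}
finally { $client.Close() }

if (-not $script:Presented) { throw 'No server certificate was received.' }
if ($script:Presented.Thumbprint -eq $Expected) {
    'OK: the replica server certificate arrived unchanged through the proxy.'
} else {
    "MISMATCH: proxy path presented '$($script:Presented.Subject)' issued by '$($script:Presented.Issuer)'."
}
```

A mismatch whose issuer is the proxy's inspection CA means the tunnel is being terminated at the proxy, which is the condition that breaks mutual certificate authentication between the primary and replica servers.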

This article was originally published by Microsoft's Virtualization Blog. You can find the original article here.