Saturday, February 1, 2014

Tip: bypass WebProxy for BCS service application

Setting up a fresh Duet Enterprise landscape, I was confronted with an issue trying to import BDC Models from the SAP Gateway system into SharePoint BCS:
Application definition import failed. The following error occurred: Error loading url: "http://....". This normally happens when url does not point to a valid discovery document, or XSD schema.
Using Fiddler I detected that the problem is caused by a "(407) Proxy Authentication Required" issue: "The ISA server requires authorization to fulfill the request. Access to proxy filter is denied." Although I did set up a rule in Windows Credential Manager for automatic authentication against the web proxy, this is not picked up in the context of the BCS service application, which runs as an autonomous process. As it turns out, by default .NET web applications and services will attempt to use a proxy, even if they don't need one.
So how do you resolve this situation? Multiple approaches are possible here:
  1. Explicitly set the Proxy Credentials for the BCS application process.
    It is not possible to set the proxy credentials directly in the web.config of 14hive\webservices\bdc. Instead you must use a two-step delegation approach: refer in the web.config to a custom proxy module implementation, and build the custom proxy module to explicitly set the proxy credentials:
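    using System;
    using System.Net;

    namespace ByPassProxyAuthentication
    {
        // Custom proxy module referenced from web.config; supplies explicit proxy credentials.
        public class ByPassProxy : IWebProxy
        {
            // Placeholder values for the proxy account; they are compiled into the assembly.
            public ICredentials Credentials
            {
                get { return new NetworkCredential("username", "password", "domain"); }
                set { }
            }

            // IWebProxy also requires GetProxy; the address is a placeholder, not given in the post.
            public Uri GetProxy(Uri destination) { return new Uri("http://proxy.example.local:8080"); }

            // IWebProxy also requires IsBypassed; false sends every request through the proxy.
            public bool IsBypassed(Uri host) { return false; }
        }
    }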
    
    <system.net>
        <defaultProxy enabled="true" useDefaultCredentials="false">
            <module type="ByPassProxyAuthentication.ByPassProxy, ByPassProxyAuthentication"/>
        </defaultProxy>
    </system.net>
    
  2. Disable usage of (default)proxy altogether for the BCS application process.
    This is a viable approach when the consumed external systems are all within the internal company network infrastructure.
    <system.net>
        <defaultProxy enabled="false" useDefaultCredentials="false"/>
    </system.net>
  3. Disable usage of (default)proxy for specific addresses for the BCS application process.
    <system.net>
        <defaultProxy>
            <bypasslist>
                <add address="[a-z]+\.contoso\.com" />
                <add address="192\.168\..*" />
                <add address="Netbios name of server" />
            </bypasslist>
        </defaultProxy>
    </system.net>
    
    The first entry bypasses the proxy for all servers in the contoso.com domain; the second bypasses the proxy for all servers whose IP addresses begin with 192.168. The third entry bypasses the proxy for a server addressed by its NetBIOS name.
  4. Disable usage of proxy for specific address on system level.
    This is in fact the simplest approach: just disable proxy usage for certain URLs for all processes on system level. That is also the potential disadvantage, since it may not be allowed to disable proxy usage for all processes.
    You disable the proxy via IE \ Internet Options \ Connections \ LAN Settings \ Advanced \ Proxy Server \ Exception <Do not use proxy server for addresses beginning with>.
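
The bypasslist entries in option 3 are regular expressions, so it is worth checking which hosts a list really exempts from the proxy before deploying it. The following is an added example, not code from the original post: it evaluates the two posted patterns with `System.Net.WebProxy` next to anchored variants. The proxy address, the sample URLs and the anchored patterns are assumptions made for the illustration.

```csharp
using System;
using System.Net;

class BypassListCheck
{
    // Returns true when a request to 'url' would skip the proxy under 'patterns'.
    static bool SkipsProxy(string[] patterns, string url)
    {
        // Placeholder proxy address; it is only needed to construct the object.
        var proxy = new WebProxy("http://proxy.example.local:8080", false, patterns);
        return proxy.IsBypassed(new Uri(url));
    }

    static void Main()
    {
        // The two regex entries from the bypasslist in option 3.
        string[] asPosted = { @"[a-z]+\.contoso\.com", @"192\.168\..*" };

        // Anchored variants (assumed intent: only hosts directly under contoso.com
        // and only 192.168.x.x addresses). WebProxy tests each pattern against
        // "scheme://host", plus ":port" when the port is not the scheme default.
        string[] anchored =
        {
            @"^https?://[a-z]+\.contoso\.com(:\d+)?$",
            @"^https?://192\.168\.\d+\.\d+(:\d+)?$"
        };

        // Constructed sample URLs, not taken from the post.
        string[] urls =
        {
            "http://sapgw.contoso.com:8000/sap/opu/odata/",
            "http://192.168.10.20/",
            "http://www.contoso.com.example.net/",
            "http://10.192.168.5/"
        };

        Console.WriteLine("{0,-48}{1,-10}{2}", "URL", "as posted", "anchored");
        foreach (string url in urls)
        {
            Console.WriteLine("{0,-48}{1,-10}{2}", url,
                SkipsProxy(asPosted, url), SkipsProxy(anchored, url));
        }
    }
}
```

The first two URLs skip the proxy under both lists; the last two skip it only under the patterns as posted, because an unanchored regular expression matches anywhere in the string.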
