Novell Cool Solutions

Configuring NetIQ Access Manager as Reverse Proxy for Filr Site



June 13, 2013 10:46 am

Overview:

You can configure NetIQ Access Manager to act as a proxy service for a Filr site. This gives users single sign-on and establishes a trust relationship between Filr and the Access Gateway. Using the Access Gateway, you can be sure that the requests processed at the Filr site come from a trusted source. The following sections guide you through the detailed steps:

Prerequisites:

  1. NetIQ Access Manager 3.2 SP1 is set up and running.
  2. The Filr 1.0 appliance is up and running.
  3. Access Manager and Filr use the same LDAP directory as their user store.
  4. Desktop and mobile clients are available to be configured against Filr through the Access Manager published URL.
  5. The published DNS name used when creating the proxy service for Filr in Access Manager resolves in DNS.

Configure trust relationship and simultaneous logout in Filr site

Creating a trust relationship ensures secure communication between Filr and Access Manager. Configure the trust with the following steps:

  1. Access the Filr appliance at https://<Filr-hostname/IP>:9443 and go to the “Novell Filr Appliance Configuration >> Reverse Proxy” page. Fill in the following fields:

    Host: Provide the NAM’s published DNS name given in the proxy service for Filr.

    Reverse Proxy HTTP Port: Disabled by default. You must use port 80 if you have enabled port redirection on your Network settings page.

    Reverse Proxy Secure HTTP Port: Specify the port number (default 8443) that you want to use for the secure reverse proxy HTTP port. You must use port 443 if you have enabled port redirection on your Network settings page.

    Enable Access Gateway: Select this option to enable the reverse proxy Access Gateway.

    Access Gateway address(es): Specify the IP address of the Access Gateway that is used for the connection to the Filr server. You must specify the IP address; host names are not supported. If the Access Gateway is part of a cluster, add the IP address for each cluster member. Wildcards such as 164.99.*.* are allowed.

    Logout URL: Specify the URL of the published DNS name of the reverse proxy that you have specified for Filr, plus /AGLogout.

  2. Click OK, then click Reconfigure Filr Server for your changes to take effect.

Creating a Reverse Proxy in Access Manager for Single Sign-On with Filr

  1. Log in to the Access Manager Administration Console and click Devices > Access Gateways.
  2. On the Access Gateway Servers screen, click Edit.
  3. On the Servers page, click the “Reverse Proxy / Authentication” link.
  4. On the Servers > Configuration page, click “New…” under Reverse Proxy List.
  5. Give your reverse proxy a name, for example FILR-RP, and click OK.

Configure Reverse Proxy Service for Filr

  1. Select the check boxes “Enable SSL between Browser and Access Gateway” and “Redirect Requests from Non-Secure Port to Secure Port”.
  2. Provide the available “Non-Secure” and “Secure” ports for this proxy service.

Configure a Domain based Proxy Service

  1. Next, create and configure a domain-based proxy service. Click “New…” under Proxy Service List. Provide values for Proxy Service Name, Published DNS Name (the name the public uses to access this site) and Web Server IP Address (the Filr IP address), select “Forward Received Host Name” for the Host Header field, and click OK.
  2. Select a server certificate for this proxy service by clicking the icon next to the “Server Certificate:” field. You can also use Auto-generate Key to create a new certificate.
  3. Click the newly added proxy service, then select the appropriate Cookie Domain from the drop-down. Ideally it should be the same as your Published DNS Name value.
  4. Click the Web Servers tab and change the Connect Port to match the Reverse Proxy Secure HTTP Port setting that you configured on the Filr appliance (see the section “Configure trust relationship and simultaneous logout in Filr site” in this document). This will be either port 443 or 8443.

Configure Protected Resource

  1. Go to the Protected Resources tab. You need to create two protected resources: one for HTML content and one for public (unauthenticated) content.
  2. First create the HTML protected resource. Click “New…” in the Protected Resource List, specify a name, for example “html”, and click OK.
  3. Click the Edit icon next to the Authentication Procedure drop-down list.
  4. Create a new authentication procedure by clicking New, specifying a name for the authentication procedure, then clicking OK.
  5. In the dialog box that is displayed, fill in the fields. For Contract, select the Secure Name/Password – Form contract and select the “Non-Redirected Login” option. For Realm, specify a name that you want to use for the Filr server; this name does not correspond to a Filr configuration option, it is simply shown when the user is prompted for credentials. Select the option “Redirect to Identity Server When No Authentication Header is Provided”.
  6. Click OK twice.
  7. Now from the Authentication Procedure drop-down list, select the one created in the above step.
  8. In the URL Path List, add the following paths for HTML content:

    /*

    /ssf/*

  9. Click OK.
  10. Now create a Public protected resource. Click “New…” in the Protected Resource List. Specify a name, for example “public”, and then click OK.
  11. For the Authentication Procedure, select None.
  12. In the URL Path List, remove the /* path and add the following paths:

    /ssf/atom/*

    /ssf/ical/*

    /ssf/ws/*

    /ssf/rss/*

    /ssr/*

    /rest/*

    /dave/*

    /my_files/*

    /net_folders/*

    /shared_with_me/*

    /desktopapp/*

  13. Click OK.
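The two URL path lists above overlap (/* and /ssf/* cover everything, while the public list carves out sub-paths such as /ssf/atom/*), so it is worth checking which resource a given request actually lands in before putting the gateway in front of real clients. The following Python is an added example, not code from the article or from NetIQ. It models the decision with two assumptions: a pattern ending in /* matches that prefix and everything beneath it, and when several protected resources match, Access Gateway applies the most specific (longest) pattern. The sample request paths are constructed.

```python
# Added example, not from the article or from NetIQ: a model of which of the
# two protected resources a request path falls under, using the path lists
# from the "html" and "public" protected resources.
# Assumptions: a pattern ending in "/*" matches the prefix itself and every
# path beneath it, and when several patterns match, Access Gateway applies
# the most specific (longest) one.

HTML_PATHS = ["/*", "/ssf/*"]

PUBLIC_PATHS = [
    "/ssf/atom/*", "/ssf/ical/*", "/ssf/ws/*", "/ssf/rss/*", "/ssr/*",
    "/rest/*", "/dave/*", "/my_files/*", "/net_folders/*",
    "/shared_with_me/*", "/desktopapp/*",
]

# Protected resource name -> (authentication procedure, URL path list).
# "html" uses the Secure Name/Password - Form procedure; "public" uses None.
PROTECTED_RESOURCES = {
    "html": ("Secure Name/Password - Form", HTML_PATHS),
    "public": (None, PUBLIC_PATHS),
}


def normalize(path):
    """Strip the query string and make sure the path starts with '/'."""
    path = path.split("?", 1)[0]
    return path if path.startswith("/") else "/" + path


def path_matches(pattern, path):
    """True if the URL path pattern covers the request path."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def resolve(path):
    """Return (resource name, matched pattern) for the most specific match."""
    path = normalize(path)
    best = None
    for name, (_, patterns) in PROTECTED_RESOURCES.items():
        for pattern in patterns:
            if path_matches(pattern, path) and (best is None or len(pattern) > len(best[1])):
                best = (name, pattern)
    return best


def requires_login(path):
    """True if the request would be sent to the Identity Server for login."""
    name, _ = resolve(path)
    return PROTECTED_RESOURCES[name][0] is not None


def audit(paths):
    """Group sample request paths by the protected resource that handles them."""
    result = {"html": [], "public": []}
    for p in paths:
        result[resolve(p)[0]].append(p)
    return result


if __name__ == "__main__":
    # Constructed sample request paths, not taken from a real Filr site.
    samples = ["/", "/ssf/a/workspace", "/ssf/atom/feed?x=1",
               "/rest/v1/self", "/ssr/folder/1", "/desktopapp/config"]
    for name, hits in audit(samples).items():
        print(name, hits)
```

Running the audit over the paths your clients actually use tells you, before deployment, which requests will reach Filr without an Access Manager login; anything that unexpectedly lands in "public" should be reviewed.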

Create and associate policies to the protected resources

  1. Now we need to create the Identity Injection Policy and X-Forward HTTP Header Policy.
  2. Click on the [None] link below Identity Injection for “html” protected resource created earlier.
  3. Click on Manage Policies under Identity Injection Policy List. Click New.
  4. Specify ldap_auth as the name for the policy, select Access Gateway: Identity Injection for the type, then click OK.
  5. In the Actions section, click New, then select Inject into Authentication Header.
  6. Fill in the following fields:

    User Name: If users are provisioned with cn or uid attributes, select Credential Profile, then select LDAP Credentials:LDAP User Name. In the Refresh Data Every drop-down, select Session.

    Or

    If users are provisioned with mail attributes, select LDAP Attribute, then select mail. In the Refresh Data Every drop-down, select Session.

    Password: Select Credential Profile, then select LDAP Credentials:LDAP Password.

    Leave the default value for the Multi-Value Separator, which is comma.

  7. Click OK twice.
  8. Now again click on the link below Identity Injection for “html” protected resource for creating the X-Forward-Proto HTTP Header Policy.
  9. Click on Manage Policies under Identity Injection Policy List. Click New.
  10. Specify x-forward as the name for the policy, select Access Gateway: Identity Injection for the type, then click OK.
  11. In the Actions section, click New, then select Inject into Custom Header.
  12. Fill in the following fields:

    Custom Header Name: Specify X-Forward-Proto as the name.

    Value: Select String Constant in the drop-down, then specify https.

  13. Leave the other settings at their defaults and click OK.
  14. Click on the [None] link below Identity Injection for “public” protected resource created earlier and associate “x-forward” policy created in earlier steps.
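The policies above inject a Basic Authorization header and an X-Forward-Proto header into every request the gateway forwards, and the Filr reverse-proxy settings in the section “Configure trust relationship and simultaneous logout in Filr site” restrict which source addresses those headers are honoured from. The following Python is an added example, not Filr's or NetIQ's code: it models that trust rule (injected identity and protocol are accepted only from a configured Access Gateway address, including wildcard entries such as 164.99.*.*) and shows how many hosts a wildcard entry actually trusts. The gateway addresses and credentials are constructed.

```python
# Added example, not Filr's or NetIQ's code: a model of the trust rule the
# Filr reverse-proxy settings express. The identity injected into the
# Authorization header and the X-Forward-Proto header are honoured only when
# the request arrives from a configured Access Gateway address; from any
# other source they are ignored. Addresses and credentials are constructed.
import base64

# Constructed: what an administrator might enter in "Access Gateway address(es)".
GATEWAY_ADDRESSES = ["10.10.5.21", "164.99.*.*"]


def ip_matches(pattern, ip):
    """Octet-wise match; '*' in the pattern matches any octet value."""
    p, i = pattern.split("."), ip.split(".")
    if len(p) != 4 or len(i) != 4:
        return False
    return all(a == "*" or a == b for a, b in zip(p, i))


def hosts_covered(pattern):
    """How many addresses a wildcard entry trusts (256 per wildcard octet)."""
    return 256 ** pattern.count("*")


def from_access_gateway(source_ip, gateways=GATEWAY_ADDRESSES):
    """True if the source address matches any configured gateway entry."""
    return any(ip_matches(g, source_ip) for g in gateways)


def parse_basic_auth(header):
    """Return (user, password) from a 'Basic <base64>' header, else None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def evaluate_request(source_ip, connection_scheme, headers):
    """Decide how Filr should treat a request.

    Returns (trusted_proxy, user, effective_scheme). When the source is not a
    configured Access Gateway, both injected headers are ignored: the user is
    unauthenticated and the scheme is whatever the direct connection used.
    """
    if not from_access_gateway(source_ip):
        return (False, None, connection_scheme)
    creds = parse_basic_auth(headers.get("Authorization", ""))
    proto = headers.get("X-Forward-Proto", "").lower()
    scheme = proto if proto in ("http", "https") else connection_scheme
    return (True, creds[0] if creds else None, scheme)


if __name__ == "__main__":
    # Constructed request headers as the ldap_auth and x-forward policies would inject them.
    injected = {
        "Authorization": "Basic " + base64.b64encode(b"jdoe:secret").decode(),
        "X-Forward-Proto": "https",
    }
    print(evaluate_request("164.99.12.34", "http", injected))  # via the gateway
    print(evaluate_request("192.0.2.7", "http", injected))     # direct, headers ignored
    for g in GATEWAY_ADDRESSES:
        print(g, "trusts", hosts_covered(g), "address(es)")
```

The hosts_covered figure is the practical caveat: an entry like 164.99.*.* trusts every one of 65,536 addresses to assert any user's identity, so list the individual gateway (or cluster member) addresses wherever you can, and keep the wildcard form for cases where the gateway addresses genuinely cannot be enumerated.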

Configuration for enabling HTML Rewriting

  1. Click the “HTML Rewriting” tab for your proxy service (next to the Protected Resources tab).
  2. Select “Enable HTML Rewriting”.
  3. Under HTML Rewriter Profile List, click New, provide the Rewriter Profile Name and select “Word” for the “Search Boundary”.
  4. Click “New” under “And Document Content-Type Header Is”, add the content type header “application/rss+xml” and click OK.
  5. Click “New” under the “Variable or Attribute Name to Search for is” list, provide “value” (without quotes) and click OK.
  6. Leave all other settings in this rewriter profile at their defaults and click OK.
  7. Before saving, in the Protected Resource List, ensure that the protected resources you created are enabled.
  8. To save the configuration changes, click Devices > Access Gateways, then click Update.

Configuring the Desktop and Mobile clients

  1. Once the proxy service is up and running in Access Manager, first verify that you can access and log in to the Filr web client using the published URL you defined for the Filr proxy service, i.e.

    https://<Access Manager published URL for Filr proxy service>/

    For example, access the Filr web console using the URL

    https://filr-san.labs.blr.novell.com/

  2. This redirects you to the Access Manager login page. Log in with the credentials of a user provisioned in Filr who is also known to Access Manager.
  3. After a successful login to the Filr web console, use the same URL to configure your Filr desktop and mobile clients.

Troubleshooting Tips:

Problem 1:
Not able to login to Windows Desktop clients when configured using NAM published URL.

Solution/Workaround:
This would happen if the Access Manager IDP and MAG IP addresses are not included in DNS. In this case, you can include the entries in “C:\Windows\System32\drivers\etc\hosts” file of the Desktop client.

Problem 2:
When Filr is accessed directly by IP address in the web console, a pop-up asking for credentials is displayed.

Solution/Workaround:
If the configuration from the section “Configure trust relationship and simultaneous logout in Filr site” has been applied, this is expected behaviour. The pop-up is a Basic Authentication request from Access Manager.

Problem 3:
After providing credentials in the Access Manager Login page, an error page is thrown instead of redirecting to Filr Home page.

Solution/Workaround:
This could be for various reasons. You can troubleshoot step by step:

  1. Check that the port configurations in Filr and Access Manager match.
  2. Check whether the Filr server is down or being reconfigured.
  3. Check that the Authentication Procedure of the HTML protected resource has the following options selected: “Non-Redirected Login” and “Redirect to Identity Server When No Authentication Header is Provided”.
  4. If you are using the default listening port (8443), check that HTML Rewriting is enabled.
  5. Check that all the configuration steps for creating the Reverse Proxy in Access Manager were carried out as documented.

Conclusion:

This document will help Filr Administrator(s) set up a Filr Site behind Access Manager as Reverse Proxy.

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.
