1.1 Creating a Reverse Proxy and Proxy Service

A reverse proxy acts as the front end to your Web servers on your Internet or intranet and off-loads frequent requests, thereby freeing up bandwidth. The proxy also increases security because the IP addresses of your Web servers are hidden from the Internet.

To create a reverse proxy, you must create at least one proxy service with a protected resource. You must supply a name for each of these components. Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate.

Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service. For example, if you have a proxy service named account and a proxy service named sales, they both can have a protected resource named public.

The first reverse proxy and proxy service you create is automatically assigned to be the authenticating proxy.

  1. In the Administration Console, click Devices > Access Gateways > Edit

    The Edit link is either for a single Access Gateway or for a cluster of Access Gateways.

  2. Click Reverse Proxy / Authentication.

  3. Configure the authentication settings.

    Identity Server Cluster: Specifies the Identity Server you want the Access Gateway to trust for authentication. Select the configuration you have assigned to the Identity Server.

    Whenever an Identity Server is assigned to a new trust relationship, the Identity Server needs to be updated. This process is explained following the step that saves this configuration setting (see Step 5 and Step 6).

  4. (Optional) Configure the proxy settings.

    Use the options in this section to control how all reverse proxies handle the security issues involving secure cookies and the Via header

    Force Secure Cookies: Forces the Access Gateway to set the secure keyword for the proxy authentication cookie, regardless of whether the services hosted are all based on HTTPS. You should enable this option for either of the following conditions:

    • All services that require the proxy authentication cookie (such as identity based policies) are hosted as HTTPS services

    • An SSL accelerator, such as the Cisco* SSL accelerator, is placed between the Access Gateway and the browsers and the browser receives only HTTPS links.

    Force HTTP-Only Cookie: Forces the Access Gateway to set the HttpOnly keyword, which prevent scripts from accessing the cookie. This helps protect browsers from cross-site scripting vulnerabilities that allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user.

    For more information and other options for securing Access Manager cookies, see Section 2.5, Enabling Secure Cookies.

    Enable Via Header: Enables the sending of the Via header to the Web server. The Via header contains the DNS name of the Access Gateway and a device ID. It has the following format:

    Via: 1.0 www.mylag.com (Access Gateway 3.1.1-72-D06FBFA8CF21AF45)

    Deselect this option when your Web server does not need this information or does not know what to do with it.

  5. In the Reverse Proxy List, click New, specify a display name for the reverse proxy, then click OK.

    Configuring a reverse proxy

  6. Enable a listening address. Fill in the following fields:

    Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. The Listening Address(es) and TCP Listen Options modifications apply to the selected server. Modifications made to any other options on the page apply to all servers in the cluster.

    Listening Address(es): Displays a list of available IP addresses. If the server has only one IP address, only one is displayed and it is automatically selected. If the server has multiple addresses, you can select one or more IP addresses to enable. You must enable at least one address by selecting its check box.

    If the Access Gateway is in a cluster, you must select a listening address for each cluster member.

    TCP Listen Options: Provides options for configuring how requests are handled between the reverse proxy and the client browsers. You cannot set up the listening options until you create and configure a proxy service. For information about these options, see Section 1.7.1, Configuring TCP Listen Options for Clients.

  7. Configure the listening ports:

    Non-Secure Port: Specifies the port on which to listen for HTTP requests; the default port for HTTP is 80. Depending upon your configuration, this port might also handle other tasks. These tasks are listed to the right of the text box.

    Secure Port: Specifies the port on which to listen for HTTPS requests; the default port for HTTPS is 443.

    For information about the SSL options, see Section 2.0, Configuring the Access Gateway for SSL.

  8. In the Proxy Service List section, click New.

    The first proxy service of a reverse proxy is considered the master (or parent) proxy. Subsequent proxy services can use domain-based, path-based, or virtual multi-homing, relative to the published DNS name of the master proxy service. If you are creating a second proxy service for a reverse proxy, see Section 6.2, Using Multi-Homing to Access Multiple Resources.

  9. Fill in the fields:

    Proxy Service Name: Specify a display name for the proxy service, which the Administration Console uses for its interfaces.

    Published DNS Name: Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as the listening address.

    Web Server IP Address: Specify the IP address of the Web server you want this proxy service to manage. You can specify additional Web server IP addresses by clicking the Web Server Addresses link when you have finished creating the proxy service.

    Host Header: Specify whether the HTTP header should contain the name of the back-end Web server (Web Server Host Name option) or whether the HTTP header should contain the published DNS name (the Forward Received Host Name option).

    Web Server Host Name: Specify the DNS name of the Web server that the Access Gateway should forward to the Web server. If you have set up a DNS name for the Web server and it requires its DNS name in the HTTP header, specify that name in this field. If the Web server has absolute links referencing its DNS name, include this name in this field. If you selected Forward Received Host Name, this option is not available.

    NOTE:For iChain® administrators, the Web Server Host Name is the alternate hostname when configuring a Web Server Accelerator.

  10. Click OK.

  11. Continue with Section 1.2, Configuring a Proxy Service or select one of the following tasks: