4.7 Changing Reverse Proxy Configuration Settings

You might need to modify the reverse proxy configuration settings for your Filr appliance for either of the following reasons:

4.7.1 Understanding Reverse Proxy and NetIQ Access Manager

NetIQ Access Manager can provide secure single sign-on access to your Novell Filr site by functioning as a reverse proxy server. When using Access Manager with Novell Filr, Access Manager 3.1 SP1 IR1 is required and is an additional add-on product. You can download the required version of Access Manager from Novell Downloads.

For background information about setting up NetIQ Access Manager 3.1, see the Access Manager 3.1 Documentation Web site. For instructions specific to Filr, see Configuring a Protected Resource for a Novell Filr Server in the Novell Filr 1.0.1 Administration Guide.

After you have configured NetIQ Access Manager, you must configure your Filr site with the IP address of one or more Access Gateway servers and with the logout URL. When you configure the Filr site to use the Access Gateway, the IP addresses that you specify are the only locations from which the Filr site accepts logins. The logout URL is the location where users find themselves when they log out of the Filr site.

When you enable the Access Gateway for use with your Filr site, all Filr users must log in through the Access Gateway. It is not possible to set up the Filr site so that some users log in through the Access Gateway and some do not.

4.7.2 Understanding How Port Redirection Affects Reverse Proxy Settings

If you have enabled the reverse proxy settings in Filr (as described in Section 4.2.1, Changing the Network Configuration Settings) and you have an additional reverse web proxy such as NetIQ Access Manager that is servicing Filr requests, you must ensure that the ports that the additional proxy connects to are the same as the ports that are configured in the Filr reverse proxy settings. (This is the Reverse Proxy HTTP port and the Reverse Proxy Secure HTTP Port.)

The reverse proxy HTTP port should be set to 80, and the reverse proxy secure HTTP port should be set to 443. If the reverse proxy ports are not correct, links that are sent from Filr in email notifications are incorrect, and users are not able to access Filr.

This issue is described in Email Notification URLs Are Not Working in Troubleshooting the Filr System in the Novell Filr 1.0.1 Administration Guide.

4.7.3 Changing Reverse Proxy Configuration Settings

  1. Follow the steps in Section 4.1, Changing Configuration Options for the Filr Appliance.

    You can modify the following configuration options:

    Host: The host name is used to build some of the URLs that are sent in notifications. It should reflect the host used to access the Filr system from any user (either an internal or external user). It is common across all the Filr Virtual Appliances, and represents the reverse proxy or L4 device that fronts the Filr Virtual Appliance.

    If Access Manager is being used to front Filr, specify the NetIQ Access Manager published DNS name for Filr application in the Host field.

    Reverse Proxy HTTP Port: Select Enabled if you want to use a non-secure port for the reverse proxy. Specify the port number that you want to use. You must use port 80 if you have enabled port redirection in your network settings page.

    Reverse Proxy Secure HTTP Port: Specify the port number that you want to use for the secure reverse proxy HTTP port. You must use port 443 if you have enabled port redirection in your network settings page. (Port redirection allows users to access the Filr site without specifying the port number in the URL. For information about port redirection, see Section 4.2, Network Configuration.)

    Enable Access Gateway: Select this option to enable the reverse proxy Access Gateway.

    Access Gateway address(es): Specify the IP address of the Access Gateway that is used for the connection to the Filr server. You must specify the IP address; host names are not supported.

    If the Access Gateway is part of a cluster, add the IP address for each cluster member. Wildcards such as 164.99.*.* are allowed.

    IMPORTANT:When you specify specific IP addresses in this option, Filr access is allowed only from the specified addresses. Also, if Authorization header credentials are not present or are incorrect, the user is prompted for login using Basic Authentication.

    Logout URL: Specify the URL of the published DNS name of the reverse proxy that you have specified for the ESP, plus /AGLogout.

    You can find the domain used for the ESP by editing the LAG/MAG cluster configuration, then clicking Reverse Proxy / Authentication.

    For example, if the published DNS name of the proxy service that you have specified for the ESP is esp.yoursite.com, specify the following URL:

    https://esp.yoursite.com/AGLogout

  2. Click OK, then click Reconfigure Filr Server for your changes to take effect.

    NOTE:This stops and restarts your Filr server. Because this results in server downtime, you should restart the server at off-peak hours.