Section 1.8.1, Understanding Reverse Proxy and NetIQ Access Manager
Section 1.8.2, Understanding How Port Redirection Affects Reverse Proxy Settings
Section 1.8.3, Changing Reverse Proxy Configuration Settings
Section 1.8.4, Bypassing NetIQ Access Manager to Log In to Filr and Perform Administrative Tasks
You might need to modify the reverse proxy configuration settings for your Filr appliance for either of the following reasons:
When you configure a reverse proxy server, such as NetIQ Access Manager
For more information about this scenario, see Section 1.8.1, Understanding Reverse Proxy and NetIQ Access Manager.
If you have enabled port redirection in your network settings page (as described in Section 1.2.1, Changing the Network Configuration Settings)
For more information about this scenario, see Section 1.8.2, Understanding How Port Redirection Affects Reverse Proxy Settings.
NetIQ Access Manager can provide secure single sign-on access to your Novell Filr site by functioning as a reverse proxy server. When using Access Manager with Novell Filr, Access Manager 4.1.1 or later is required and is an additional add-on product. You can download the required version of Access Manager from the NetIQ Downloads site.
For background information about setting up NetIQ Access Manager 4.1.1, see the Access Manager 4.1 Documentation website. For instructions specific to Filr, see Section 12.1, Configuring a Protected Resource for a Novell Filr Server.
After you have configured NetIQ Access Manager, you must configure your Filr site with the IP address of one or more Access Gateway servers and with the logout URL. When you configure the Filr site to use the Access Gateway, the IP addresses that you specify are the only locations from which the Filr site accepts logins. The logout URL is the location where users find themselves when they log out of the Filr site.
When you enable the Access Gateway for use with your Filr site, all Filr users must log in through the Access Gateway. It is not possible to set up the Filr site so that some users log in through the Access Gateway and some do not.
If you have enabled the reverse proxy settings in Filr (as described in Section 1.2.1, Changing the Network Configuration Settings) and you have an additional reverse web proxy such as NetIQ Access Manager that is servicing Filr requests, ensure that the ports that the additional proxy connects to are the same as the ports that are configured in the Filr reverse proxy settings. (These are the Reverse Proxy HTTP Port and the Reverse Proxy Secure HTTP Port.)
The reverse proxy HTTP port should be set to 80, and the reverse proxy secure HTTP port should be set to 443. If the reverse proxy ports are not correct, links that are sent from Filr in email notifications are incorrect, and users are not able to access Filr.
This issue is described in Section A.4, Email Notification URLs Are Not Working.
Follow the steps in Section 1.1, Changing Configuration Options for the Filr Appliance.
You can modify the following configuration options:
Host: The host name is used to build some of the URLs that are sent in notifications. It should reflect the host that any user (internal or external) uses to access the Filr system. It is common across all the Filr Virtual Appliances, and represents the reverse proxy or L4 device that fronts the Filr Virtual Appliance.
If Access Manager is being used to front Filr, specify the NetIQ Access Manager published DNS name for the Filr application in the Host field.
Reverse Proxy HTTP Port: Select Enabled if you want to use a non-secure port for the reverse proxy. Specify the port number that you want to use. You must use port 80 if you have enabled port redirection in your network settings page.
Reverse Proxy Secure HTTP Port: Specify the port number that you want to use for the secure reverse proxy HTTP port. You must use port 443 if you have enabled port redirection in your network settings page. (Port redirection allows users to access the Filr site without specifying the port number in the URL. For information about port redirection, see Section 2.2, Changing Network Settings.)
Enable Access Gateway: Select this option to enable the reverse proxy Access Gateway.
Access Gateway address(es): Specify the IP address of the Access Gateway that is used for the connection to the Filr server. You must specify the IP address; host names are not supported.
If the Access Gateway is part of a cluster, add the IP address for each cluster member. Wildcards such as 164.99.*.* are allowed. Separate IP addresses with a comma. For example, 172.2.3, 172.2.4.
IMPORTANT: When you specify specific IP addresses in this option, Filr access is allowed only from the specified addresses. Also, if Authorization header credentials are not present or are incorrect, the user is prompted for login using Basic Authentication.
Logout URL: Specify the URL of the published DNS name of the reverse proxy that you have specified for the ESP, plus /AGLogout.
You can find the domain used for the ESP by editing the LAG/MAG cluster configuration and then clicking Reverse Proxy / Authentication.
For example, if the published DNS name of the proxy service that you have specified for the ESP is esp.yoursite.com, specify the following URL:
https://esp.yoursite.com/AGLogout
Click OK, then click Reconfigure Filr Server for your changes to take effect.
This stops and restarts your Filr server. Because this results in server downtime, you should restart the server at off-peak hours.
To perform administrative tasks on your Filr system, you need to bypass NetIQ Access Manager and log in to Filr directly as the Filr administrator.
To allow administrator access to the Filr system when your Filr system is fronted by Access Manager:
1. Add another IP address to the Access Gateway address(es) field, as described in Section 1.8.3, Changing Reverse Proxy Configuration Settings.
2. Click Reconfigure Filr Server for your changes to take effect.
   This stops and restarts your Filr server. Because this results in server downtime, you should restart the server at off-peak hours.
3. Access the IP address that you added in Step 1 at port 8443. For example, 172.17.2.3:8443.
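The Access Gateway address(es) value from Section 1.8.3, including any extra address added for the administrator bypass above, is the list of the only locations from which Filr accepts logins, so it is worth reviewing after each change. The following Python sketch is an added example, not Filr code: it assumes full dotted-quad IPv4 entries in which * stands for one whole octet, and the function names, the review threshold and the sample value are constructed for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Return four octet patterns (int or '*'), or None if not a dotted quad."""
    parts = entry.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if part == "*":
            octets.append("*")
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            octets.append(int(part))
        else:
            return None
    return octets

def audit_allowlist(value, max_wildcards=1):
    """Review a comma-separated Access Gateway address(es) value.

    Returns (patterns, findings). max_wildcards is an assumed review
    threshold, not a Filr limit: broader entries are reported but kept.
    """
    patterns, findings = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        octets = parse_entry(entry)
        if octets is None:
            # Host names are not supported in this field, per the page.
            findings.append((entry, "not a dotted-quad IPv4 address or wildcard"))
            continue
        wild = octets.count("*")
        if wild > max_wildcards:
            findings.append((entry, f"wildcard covers {256 ** wild} addresses"))
        patterns.append(octets)
    return patterns, findings

def is_allowed(client_ip, patterns):
    """True if client_ip matches any pattern, octet by octet."""
    client = list(ipaddress.IPv4Address(client_ip).packed)
    return any(all(p == "*" or p == c for p, c in zip(pat, client))
               for pat in patterns)

# Constructed sample value: one gateway, one broad wildcard, one host name.
SAMPLE = "172.17.2.3, 164.99.*.*, gateway.example.com"

if __name__ == "__main__":
    pats, issues = audit_allowlist(SAMPLE)
    for entry, message in issues:
        print(f"{entry}: {message}")
    print("172.17.2.4 allowed:", is_allowed("172.17.2.4", pats))
```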