A reverse proxy is the front end to your Web servers on the Internet or intranet. It off-loads frequent requests by serving them from its cache, which frees Web server bandwidth. It also improves security: the IP addresses of your Web servers are hidden from the Internet, and a request reaches a Web server only after the Access Gateway has authenticated and authorized it for the protected resource it targets.
To create a reverse proxy, you must create at least one proxy service with a protected resource. You must supply a name for each of these components. Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate.
Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service. For example, if you have a proxy service named account and a proxy service named sales, they both can have a protected resource named public.
The first reverse proxy and proxy service you create are automatically assigned to be the authenticating proxy.
In the Administration Console, click > > . The link is either for a single Access Gateway or for a cluster of Access Gateways.
Click .
Configure the authentication settings:
Identity Server Cluster: Specifies the Identity Server you want the Access Gateway to trust for authentication. Select the configuration you have assigned to the Identity Server.
Whenever an Identity Server is assigned to a new trust relationship, the Identity Server needs to be updated. This process is explained following the step that saves this configuration setting (see Step 5 and Step 6).
(Conditional) If you have already created at least one reverse proxy, you can view the Embedded Service Provider options and configure some of them:
Reverse Proxy: Specifies which proxy service is used for authentication. If you have configured only one proxy service, only one appears in the list and it is selected. If you change the reverse proxy that is used for authentication, certificates must be updated to match this new configuration. For more information on this process, see Section 6.3.2, Changing the Authentication Proxy Service.
Metadata URL: Displays the location of the metadata.
Health-Check URL: Displays the location of the health check.
Logout URL: Displays the URL that you need to use for logging users out of protected resources. This value is empty until you have created at least one reverse proxy and it has been assigned to be used for authentication. If you create two or more reverse proxies, you can select which one is used for authentication, and the logout URL changes to match the assigned reverse proxy.
If any of your protected resources have a logout page or button, you need to redirect the user’s logout request to the page specified by this URL. The Access Gateway can then clear the user’s session and log the user out of any other resources that have been enabled for single sign-on. If you do not redirect the user’s logout request, the user is logged out of one resource, but the user’s session remains active until inactivity closes the session. If the user accesses the resource again before the session is closed, single sign-on re-authenticates the user to the resource, and it appears that the logout did nothing.
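The logout behavior described above, as an added example that is not part of the Novell Access Manager documentation: a minimal WSGI logout handler for an application protected behind the Access Gateway. It expires the application's own session cookie and then redirects the browser to the Embedded Service Provider's logout URL, so that the gateway session is cleared as well. The cookie name APPSESSION and the logout URL value are hypothetical placeholders; use the Logout URL displayed in the Administration Console.

```python
# Added example (not from the Novell Access Manager documentation): a WSGI
# logout handler for an application behind the Access Gateway.
# Hypothetical values: the application keeps its own session in a cookie named
# APPSESSION, and GATEWAY_LOGOUT_URL stands in for the Logout URL shown in the
# Administration Console for the authenticating reverse proxy.
from urllib.parse import urlsplit

GATEWAY_LOGOUT_URL = "https://www.example.com/AGLogout"  # placeholder
APP_SESSION_COOKIE = "APPSESSION"                         # placeholder


def logout_response(gateway_logout_url=GATEWAY_LOGOUT_URL,
                    cookie_name=APP_SESSION_COOKIE):
    """Return (status, headers) for an application logout.

    Two things must happen: the application's own session cookie is expired,
    and the browser is sent to the gateway logout URL so the Access Gateway can
    clear its session and log the user out of the other SSO-enabled resources.
    Doing only the first leaves the gateway session alive, and single sign-on
    silently re-authenticates the user on the next request.
    """
    if urlsplit(gateway_logout_url).scheme != "https":
        raise ValueError("gateway logout URL must use HTTPS")
    expired = f"{cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly"
    return "302 Found", [
        ("Location", gateway_logout_url),
        ("Set-Cookie", expired),
        ("Cache-Control", "no-store"),
    ]


def app(environ, start_response):
    """Tiny WSGI application: /logout performs the two-step logout,
    every other path serves placeholder protected content."""
    if environ.get("PATH_INFO") == "/logout":
        status, headers = logout_response()
        start_response(status, headers)
        return [b""]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"protected content\n"]


if __name__ == "__main__":
    # Serve locally for a manual check: GET http://127.0.0.1:8000/logout
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The redirect target is the gateway's logout URL, not the application's login page; once the Access Gateway has ended the session it decides where the user lands next.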
Auto-Import Identity Server Configuration Trusted Root: Allows you to import the trusted root certificate (public key) of the Identity Server cluster into the trust store of the Embedded Service Provider. This sets up a trusted SSL relationship between the Embedded Service Provider and the Identity Server. This option is not available until you have selected an Identity Server Cluster and have configured the use of SSL on the Embedded Service Provider of the reverse proxy that is performing authentication (see the option on the Reverse Proxy page).
If the Identity Server cluster is using a certificate created by the Novell Access Manager certificate authority (CA), the public key is automatically added to this trust store, so you do not need to use this option. If the Identity Server cluster is using a certificate created by an external CA, you need to use this option to import the public key into the trust store. Import only a root you have verified out of band: any certificate chaining to a root in this trust store is accepted as the Identity Server.
(Optional) Configure the proxy settings:
Behind Third Party SSL Terminator: Enable this option if you have installed an SSL terminator between the users and the Access Gateway. The terminator handles the SSL traffic between the browsers and itself, and the terminator and the Access Gateway can use HTTP for their communication. Because that HTTP leg carries credentials and session cookies in the clear, keep it on a network you trust. For some configuration tips, see Using an SSL Terminator in the Novell Access Manager 3.1 SP2 Setup Guide.
Enable Via Header: Enables the sending of the Via header to the Web server. The Via header contains the DNS name of the Access Gateway and a device ID. It has the following format:
Via: 1.0 www.mylag.com (Access Gateway 3.1.1-72-D06FBFA8CF21AF45)
Deselect this option when your Web server does not need this information or does not know what to do with it. The header discloses the gateway's product version and device ID to whatever receives it, so there is no reason to send it to a Web server that does not use it.
(Optional) Configure the cookie settings:
For more information and other options for securing Access Manager cookies, see Section 3.5, Enabling Secure Cookies.
Enable Secure Cookies: Configures the Access Gateway to set the Secure attribute on the proxy authentication cookie. A browser sends a cookie carrying this attribute only over HTTPS connections, so the cookie cannot be captured or replayed on a plain HTTP connection. The attribute does not shorten the cookie's lifetime; that is governed by the session settings.
If you have enabled the Behind Third Party SSL Terminator option, enabling this option sets the Secure attribute on cookies issued for the HTTP requests that arrive from the terminator, because the browser side of the connection is still HTTPS.
WARNING: Do not enable the Enable Secure Cookies option if you have both HTTP and HTTPS reverse proxies. The HTTP services become unavailable because the browser never presents a Secure cookie over HTTP, so authentication requests to the non-secure services fail.
Force HTTP-Only Cookie: Forces the Access Gateway to set the HttpOnly attribute, which prevents scripts from reading the cookie through document.cookie. This limits the damage of a cross-site scripting vulnerability in a protected site: injected script can no longer read the authentication cookie and send it to an attacker, who could otherwise replay it to hijack the session and impersonate the user. HttpOnly does not stop injected script from issuing requests that the browser sends with the cookie attached, so it complements, but does not replace, fixing the vulnerability.
IMPORTANT: The HttpOnly attribute prevents applets and JavaScript from reading the cookie, which breaks applications that depend on doing so. Do not enable this option if you are using the traditional SSL VPN server (which is configured as a protected resource of the Access Gateway) or if the Access Gateway protects applications that download applets or whose JavaScript needs to read the cookie.
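A check for the Via header and cookie settings above, as an added example that is not part of the Novell Access Manager documentation: it parses Set-Cookie values as a browser would see them and reports missing Secure and HttpOnly attributes, and it parses the Via header in the documented format to show what it discloses to the Web server. The header values are constructed for illustration; the cookie names are placeholders, and the Via value is the format given above.

```python
# Added example (not from the Novell Access Manager documentation): audits
# Set-Cookie attributes on responses to the browser and the Via header on
# requests to the Web server. Sample header values below are constructed.
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    domain: Optional[str]
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(value: str):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no value, map to True.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_cookie(value: str, https: bool = True) -> CookieAudit:
    """Report whether a cookie carries the attributes the two options set."""
    name, attrs = parse_set_cookie(value)
    audit = CookieAudit(name=name,
                        secure=attrs.get("secure") is True,
                        httponly=attrs.get("httponly") is True,
                        domain=attrs.get("domain"))
    if https and not audit.secure:
        audit.problems.append("no Secure attribute: the browser will also send it over plain HTTP")
    if not audit.httponly:
        audit.problems.append("no HttpOnly attribute: script can read it, so an XSS flaw can steal it")
    return audit


# "1.0 host (comment)" as documented; the comment carries product and device ID.
VIA_RE = re.compile(r"^\s*(?P<proto>[\w./]+)\s+(?P<host>\S+)(?:\s+\((?P<comment>[^)]*)\))?")


def audit_via(value: str):
    """Return what a Via header discloses, or None if it is not in that format."""
    m = VIA_RE.match(value)
    if not m:
        return None
    return {"host": m.group("host"), "comment": m.group("comment")}


def audit_response(headers, https: bool = True):
    """headers: (name, value) pairs observed on either side of the gateway:
    Set-Cookie on responses to the browser, Via on requests to the Web server."""
    findings = {"cookies": [], "via": None}
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings["cookies"].append(audit_cookie(value, https))
        elif name.lower() == "via":
            findings["via"] = audit_via(value)
    return findings


# Constructed sample (not captured from a real gateway): the first cookie is what
# a gateway with both cookie options enabled sets, the second what one without
# them sets; cookie names are placeholders. The Via value is the documented format.
SAMPLE_HEADERS = [
    ("Set-Cookie", "proxysession=abc123; Path=/; Domain=novell.com; Secure; HttpOnly"),
    ("Set-Cookie", "legacy=xyz789; Path=/"),
    ("Via", "1.0 www.mylag.com (Access Gateway 3.1.1-72-D06FBFA8CF21AF45)"),
]


if __name__ == "__main__":
    result = audit_response(SAMPLE_HEADERS)
    for c in result["cookies"]:
        print(c.name, "OK" if not c.problems else "; ".join(c.problems))
    if result["via"]:
        print("Via discloses:", result["via"])
```

Run it against headers captured with the browser's developer tools (Set-Cookie) and from the Web server's request log (Via) after saving the settings; a cookie still lacking the attributes means the change has not been applied to the server yet.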
To create a proxy service, continue with Section 1.1.1, Creating a Proxy Service.
In the Administration Console, click > > > .
In the , click , specify a display name for the reverse proxy, then click .
Enable a listening address. Fill in the following fields:
Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. The Listening Address(es) and TCP Listen Options modifications apply to the selected server. Modifications made to any other options on the page apply to all servers in the cluster.
Listening Address(es): Displays a list of available IP addresses. If the server has only one IP address, only one is displayed and it is automatically selected. If the server has multiple addresses, you can select one or more IP addresses to enable. You must enable at least one address by selecting its check box.
If the Access Gateway is in a cluster, you must select a listening address for each cluster member.
TCP Listen Options: Provides options for configuring how requests are handled between the reverse proxy and the client browsers. You cannot set up the listening options until you create and configure a proxy service. For information about these options, see Section 1.6.1, Configuring TCP Listen Options for Clients.
Configure the listening ports:
Non-Secure Port: Specifies the port on which to listen for HTTP requests; the default port for HTTP is 80. Depending upon your configuration, this port might also handle other tasks. These tasks are listed to the right of the text box.
Secure Port: Specifies the port on which to listen for HTTPS requests; the default port for HTTPS is 443.
For information about the SSL options, see Section 3.0, Configuring the Access Gateway for SSL and Other Security Features.
In the section, click .
The first proxy service of a reverse proxy is considered the master (or parent) proxy. Subsequent proxy services can use domain-based, path-based, or virtual multi-homing, relative to the published DNS name of the master proxy service. If you are creating a second proxy service for a reverse proxy, see Section 6.2, Using Multi-Homing to Access Multiple Resources.
Fill in the fields:
Proxy Service Name: Specify a display name for the proxy service, which the Administration Console uses for its interfaces.
Published DNS Name: Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as the listening address.
Web Server IP Address: Specify the IP address of the Web server you want this proxy service to manage. You can specify additional Web server IP addresses by clicking the link when you have finished creating the proxy service.
Host Header: Specify whether the HTTP Host header sent to the Web server should contain the name of the back-end Web server (the Web Server Host Name option) or the published DNS name (the option).
Web Server Host Name: Specify the DNS name of the Web server that the Access Gateway should send in the Host header to the Web server. If you have set up a DNS name for the Web server and it requires its DNS name in the Host header, specify that name in this field. If the Web server has absolute links referencing its DNS name, include this name in this field. If you selected the published DNS name option, this option is not available.
NOTE: For iChain administrators, the Web Server Host Name is the alternate hostname when configuring a Web Server Accelerator.
Click .
Continue with Section 1.1.2, Configuring a Proxy Service, or select one of the following tasks:
For instructions on creating multiple reverse proxies, see Section 6.3, Managing Multiple Reverse Proxies.
For instructions on creating multiple proxy services for a reverse proxy, see Section 6.2, Using Multi-Homing to Access Multiple Resources.
A reverse proxy can have multiple proxy services, and each proxy service can protect multiple resources. You can modify the following features of the proxy service:
Web servers
HTML rewriting
Logging
Protected resources
Caching
To configure a proxy service, click > > > .
Fill in the following fields:
Published DNS Name: Displays the value that users are currently using to access this proxy service. This DNS name must resolve to the IP address you set up as a listening address on the Access Gateway. You should modify this field only if you have modified the DNS name you want users to use to access this resource. This name determines the possible values of the Cookie Domain.
Description: (Optional) Provides a field where you can describe the purpose of this proxy service or specify any other pertinent information.
Cookie Domain: Specifies the domain for which the cookie is valid.
If one proxy service has a DNS name of www.support.novell.com and the second proxy service has a DNS name of www.developernet.novell.com, the cookie domains are support.novell.com for the first proxy service and developernet.novell.com for the second proxy service. You can configure them to share the same cookie domain by selecting novell.com for each proxy service. Single sign-on between the proxy services is simplified when the proxy services share the same cookie domain. Note that a cookie scoped to novell.com is sent to every host under novell.com, including servers that are not behind the Access Gateway, so share a parent domain only when every host in it can be trusted with the proxy authentication cookie.
HTTP Options: Allows you to set up custom caching options for this proxy service. See the following:
Advanced Options: (Access Gateway Service) Specifies how the proxy service handles specific conditions, such as Web server error pages. If similar options are configured globally, the proxy service configuration overwrites the global setting. For configuration information on the proxy service options, see Section 1.1.3, Configuring Advanced Options for a Domain-Based Proxy Service.
Click to save your changes to browser cache.
Click > .
To apply your changes, click > . Until this step, nothing has been permanently saved or applied. The status pushes the configuration to the server and writes the configuration to the configuration data store. When the update has completed successfully, the server returns the status of .
To save the changes to the configuration store without applying them, do not click . Instead, click . On the Configuration page, click . The button on this page saves the cached changes to the configuration store. The changes are not applied until you click on the Access Gateways page.
Update the Identity Server to accept the new trusted relationship. Click > .
Continue with one of the following.
If the Web server that contains the resources you want to protect does not use the standard HTTP port (port 80), you need to configure the Web server. See Section 1.2, Configuring the Web Servers of a Proxy Service.
Until you configure a protected resource, the proxy service blocks access to all services on the Web server. To configure a protected resource, see Section 1.3, Configuring Protected Resources.
The following advanced options are available only for a domain-based proxy service of an Access Gateway Service. For a path-based proxy service, see Section 6.2.6, Configuring Advanced Options for Path-Based Multi-Homing.
In the Administration Console, click > > > > .
To activate these options, remove the # symbol, configure the value, save your changes, then update the Access Gateway Service.
#FlushUserCache=on: Specifies whether cached credential data of the user is updated when the session expires or the user changes an expiring password.
When it is turned on, which is the default setting, credentials and the Identity Injection data are refreshed.
When it is turned off, the cached user data can become stale. For example, if your password management service is a protected resource of the Access Gateway and this option is turned off, every time a user changes an expiring password, the user’s data is not flushed and the Access Gateway continues to use stale data for that user.
#SSLProxyVerifyDepth=3: Specifies how many certificates the Access Gateway Service accepts in a Web server certificate chain. When you activate verification of the Web server certificate and the Web server's public certificate is part of a chain, you need to specify the number of certificates in the certificate chain. The value is a maximum depth: set it to at least the number of CA certificates between the Web server certificate and the trusted root. A value larger than the chain needs is harmless; a smaller value makes verification fail. For more information on configuring Web servers for SSL, see Section 3.4, Configuring SSL between the Proxy Service and the Web Servers.
#ProxyErrorOverride: Allows you to specify which errors you want returned to the browser unchanged by the Gateway Service. The default behavior of the Gateway Service is to replace Web server errors with Gateway Service errors.
However, some applications put more than the error code in the message. They include keys and JavaScript. If this information is critical, you need to specify an override and allow the error message to be returned to the browser without any modifications.
For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Novell Open Enterprise Server requires an override for error 403 because it includes JavaScript.
You can use the following syntax to set this option:
CacheIgnoreHeaders: Prevents the Access Gateway from writing any Authorization headers to disk. It is enabled by default because writing Authorization headers to disk is a potential security risk. You can allow Authorization headers to be written to disk by placing a # symbol in front of the option or by setting it to None. For more information about this Apache option, see “CacheIgnoreHeaders Directive”.
To disable an option, add the pound (#) symbol in front of the option, save your changes, then update the Access Gateway Service.
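A parser for the option list described above, as an added example that is not part of the Novell Access Manager documentation. It separates active options from commented-out ones, applies the defaults the page documents to compute the effective settings, and checks an active SSLProxyVerifyDepth against the length of the Web server's certificate chain. The sample option text is constructed; the value shown for CacheIgnoreHeaders (Apache's header name) is an assumption, since the page does not show it, and the ProxyErrorOverride line is left without a value because the page omits its syntax.

```python
# Added example (not from the Novell Access Manager documentation): parser for
# the "#Option=value" list on the Advanced Options page.
from typing import Dict, Optional, Tuple

# Defaults as the page documents them: FlushUserCache is on even while its line
# is commented out, and Web server errors are replaced (no override) unless
# ProxyErrorOverride is set. CacheIgnoreHeaders ships active; its value here
# is an assumption (Apache's header name), not taken from the page.
DOCUMENTED_DEFAULTS: Dict[str, Optional[str]] = {
    "FlushUserCache": "on",
    "ProxyErrorOverride": None,
    "SSLProxyVerifyDepth": None,
    "CacheIgnoreHeaders": "Authorization",
}


def parse_advanced_options(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (active, commented) option maps.

    A line starting with '#' is an inactive option whose value is only the
    suggested one; any other 'Name=value' line is active. Blank lines are skipped.
    """
    active: Dict[str, str] = {}
    commented: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        inactive = line.startswith("#")
        name, sep, value = line.lstrip("#").strip().partition("=")
        name = name.strip()
        if not name:
            continue
        (commented if inactive else active)[name] = value.strip() if sep else ""
    return active, commented


def effective_options(text: str) -> Dict[str, Optional[str]]:
    """Documented defaults overlaid with whatever is active in the list."""
    active, _ = parse_advanced_options(text)
    effective = dict(DOCUMENTED_DEFAULTS)
    effective.update(active)
    return effective


def check_ssl_proxy_verify_depth(effective, chain_length: int) -> Tuple[bool, str]:
    """chain_length counts every certificate from the Web server's own
    certificate up to and including the trusted root. The directive is a
    maximum depth, so the conservative requirement is chain_length - 1 (all
    CA certificates above the leaf); a larger value is harmless."""
    raw = effective.get("SSLProxyVerifyDepth")
    if raw is None:
        return False, "SSLProxyVerifyDepth is commented out; activate it when the Web server certificate is chained"
    try:
        depth = int(raw)
    except ValueError:
        return False, f"SSLProxyVerifyDepth={raw!r} is not an integer"
    needed = chain_length - 1
    if depth < needed:
        return False, f"depth {depth} is too small for a {chain_length}-certificate chain; needs at least {needed}"
    return True, f"depth {depth} covers a {chain_length}-certificate chain"


# Constructed sample: SSLProxyVerifyDepth activated but set too low for a
# leaf -> intermediate -> root chain; ProxyErrorOverride left without a value.
SAMPLE_OPTIONS = """\
#FlushUserCache=on
SSLProxyVerifyDepth=1
#ProxyErrorOverride
CacheIgnoreHeaders=Authorization
"""

if __name__ == "__main__":
    active, commented = parse_advanced_options(SAMPLE_OPTIONS)
    print("active:", active)
    print("commented out:", commented)
    print(check_ssl_proxy_verify_depth(effective_options(SAMPLE_OPTIONS), chain_length=3))
```

Paste the option list from the Administration Console into SAMPLE_OPTIONS to see which lines are actually in force; a line that still begins with # contributes nothing until it is uncommented and the Access Gateway Service is updated.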