1.4 Configuring the Access Gateway

The basic Access Gateway configuration procedures have been divided into the following tasks:

1.4.1 Configuring a Reverse Proxy

You protect your Web services by creating a reverse proxy. A reverse proxy acts as the front end to your Web servers in your DMZ or on your intranet, and off-loads frequent requests, thereby freeing up bandwidth and Web server connections. It also increases security because the IP addresses and DNS names of your Web servers are hidden from the Internet. A reverse proxy can be configured to protect one or more proxy services.

To create a reverse proxy, you must create at least one proxy service with a protected resource. You must supply a name for each of these components. Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate.

Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service. For example, if you have a proxy service named account and a proxy service named sales, they both can have a protected resource named public.

What You Need To Know

Example

Your Value

Name of the Identity Server cluster

idp-corporate

_______________________

DNS name of the Access Gateway

mytest.com

______________________

Web server information

 

 

IP address

10.15.70.21

______________________

DNS name

mywebserver.com

______________________

Names you need to create

 

 

 

Reverse proxy name

mycompany

________________________

 

Proxy service name

company

________________________

 

Protected resource name

public

________________________

This first reverse proxy is used for authentication. You need to configure the proxy service to use the DNS name of the Access Gateway as its Published DNS Name, and the Web server and the resource on that Web server need to point to the page you want displayed to the users when they first access your Web site. You can use Access Gateway configuration options to allow this first page to be a public site with no authentication required until the users access the links on the page, or you can require authentication on this first page. The following configuration steps have you first configure the protected resource as a public resource, then you modify the configuration to require authentication.

  1. In the Administration Console, click Devices > Access Gateways, then click Edit > Reverse Proxy / Authentication.

  2. In the Identity Server Cluster option, select the configuration you have assigned to the Identity Server.

    This sets up the trust relationship between the Access Gateway and the Identity Server that is used for authentication.

  3. In the Reverse Proxy List, click New, specify a display name for the reverse proxy, then click OK.

    The Reverse Proxy configuration page appears.

  4. Enable a listening address.

    Listening Address(es): A list of available IP addresses. If the server has only one IP address, only one is displayed and it is automatically selected. If the server has multiple addresses, you can select one or more IP addresses to enable. You must enable at least one address by selecting its check box.

    TCP Listen Options: Options for configuring how requests are handled. You cannot set up the listening options until you create a proxy service.

  5. Ignore the SSL configuration options.

    This basic configuration does not set up SSL. For SSL information, see Section 2.0, Enabling SSL Communication.

  6. Configure a listening port.

    Non-Secure Port: Select 80, which is the default port for HTTP.

    Secure Port: This is the HTTPS listening port. This port is unused and cannot be configured until you enable SSL.

  7. In the Proxy Service List, click New.

  8. Fill in the fields.

    Proxy Service Name: A display name for the proxy service.

    Published DNS Name: The DNS name you want the public to use to access your site. For this first proxy server, the DNS name must resolve to the Access Gateway IP address that you selected as the listening address. For the example in Figure 1-2, this name would be www.mytest.com.

    Web Server IP Address: The IP address of your Web server. This is usually a Web server with content that you want to share with authorized users and protect from all others. In Figure 1-2, this is Server 4, whose IP address is 10.15.70.21.

    Host Header: The name you want sent in the HTTP header to the Web server. This can be either the Published DNS Name (the Forward Received Host Name option) or the DNS name of the Web Server (the Web Server Host Name option).

    Web Server Host Name: The DNS name that the Access Gateway should forward to the Web server. This option is not available if you selected Forward Received Host Name for the Host Header option. The name you use depends upon how you have set up the Web server. If your Web server has been configured to verify that the host name in the header matches its name, you need to specify that name here. In Figure 1-2 the Web Server Host Name is mywebserver.com.

  9. Click OK.

  10. Continue with Section 1.4.2, Configuring a Public Protected Resource.

1.4.2 Configuring a Public Protected Resource

The first protected resource in this configuration tutorial is configured to be a public resource. For information on how to set up authentication for a protected resource, see Section 1.5, Configuring the Access Gateway for Authentication.

  1. In the Proxy Service List, click [Name of Proxy Service] > Protected Resources.

  2. In the Protected Resource List, click New.

  3. Specify a display name for the protected resource, then click OK.

  4. (Optional) Specify a description for the protected resource.

  5. In the Contract field, select None.

    The Contract field must be set to None. This is what makes this resource a public resource.

  6. Configure the URL Path List.

    The default path is /*, which allows access to everything on the Web server. Modify this if you need to restrict access to a specific directory on your Web server.

    • To delete the default path, select the check box next to the path, then click Delete.

    • To edit a path in the list, click the path, modify it, then click OK.

    • To add a path, click New, specify the path, then click OK. For example, to allow access to the pages in the public directory on the Web server, specify the following path:

      /public/*

  7. Click OK.

  8. In the Protected Resource List, verify that the protected resource you created is enabled, then click OK.

  9. Click the Devices > Access Gateways.

  10. To apply the changes, click Update > OK.

    Until this step, nothing has been permanently saved or applied. The Update status pushes the configuration to the server and writes the configuration to the configuration data store. When the update has completed successfully, the server returns the status of Current.

    To save the changes to the configuration store without applying them, do not click Update. Instead, click Edit. If you have pending configuration settings, the OK button is active, and the configuration page indicates which services will be updated. Click OK to write these changes to the configuration store. The changes are not applied until you click Update on the Access Gateways page.

  11. To update the Identity Server to establish the trust relationship with the Access Gateway, click Devices > Identity Servers > Update, then click OK.

    Wait until the Command status is Complete and the Health status is green.

  12. (Optional). To test this configuration from a client browser, enter the published DNS name as the URL in the browser. For the example illustrated in Figure 1-2, you would enter the following URL:

    http://www.mytest.com

    This should resolve to the published DNS name you specified in Step 8, and the user should be connected to the Web server through the Access Gateway.

  13. Continue with Section 1.5, Configuring the Access Gateway for Authentication.