3.6.2 Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service

Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.

Configure the advanced option by removing the pound(#) symbol. To disable an option, add the # symbol in front of the option, save your changes, and update Access Gateway.

Table 3-2 Access Gateway Advanced Options for Proxy Services

Advanced Option	Description
NAGHostOptions EnableWebsocket=on	If the value for this option is set to on, it overrides NAGGlobalOptions EnableWebsocket=off option. If it is set to on for a master proxy, the WebSocket protocol is enabled for its proxy and its path-based children. If it is set to on for a domain-based proxy service, the WebSocket protocol is enabled for that domain-based proxy. If it is set to on at a path level, the WebSocket protocol is enabled only for that path-based child.
NAGHostOptions mangleCookies=on	This option invalidates the cookies set by the web server when the user logs out of Access Manager. By default, Access Gateway does not mangle the cookies that are sent by the web server. Proxy mangles the cookies that are sent by the web server using the user information and sets these mangled cookies at the browser. When a browser sends the mangled cookies to proxy, it de-mangles them using the user information and sends the de-mangled cookies to the web server. For more information about this option, see Cookie Mangling.
NAGHostOptions RWInboundQueryStringExtra=on	To use this option, you must enable Rewrite Inbound Query String Data in Rewriter Profile. Set this option to on to rewrite query strings that match any published DNS name of other proxy services. For example, when you enable this option, the request to https://www.idm.com/user/ii/test.php?redirect_uri=https://forms.idm.com is rewritten as /user/ii/test.php?redirect_uri=http://idm.iamcitdomain.com. When this option is not enabled, the request is forwarded directly to the webserver/user/ii/test.php?redirect_uri=https://forms.idm.com. NOTE:This method is CPU-intensive.
NAGHostOptions SameSiteCookie=on	Use this option to set the behavior of the SameSite attribute for cookies. By default, this option is set to off. When set to on, the default value is None and the option is applied to each Set-Cookie header coming from Access Gateway. After setting NAGHostOptions SameSiteCookie to on, you can set the value of SameSite to Strict or Lax instead of None as follows: NAGHostOptions SameSiteOption "SameSite=Strict": The cookie is withheld with any cross-site usage. It is sent only when the site for the cookie matches the site in the browser's URL bar. NAGHostOptions SameSiteOption "SameSite=Lax": The cookie is sent for cross-site usage when the request is top-level and is a GET request. In addition to setting this option, you must also set additional configuration in the web.xmlfile. For more information, see Configuring Support for Access Manager on Google Chrome Browser.
NoCanonicalization on	For this option to work, you need to enable the NAGGlobalOptions noURLNormalize=on global advanced option and the AllowEncodedSlashes on proxy service advanced option. When enabled, this option retains the encoded characters in the URL while sending the requested URL to a web server. This option adds the nocanon keyword to the ProxyPass directives.
NAGFilteroutUrlForAudit	You can add this option to proxy service that filters out specific URLs from auditing (URL Accessed). For example, NAGFilteroutUrlForAudit "..jpg", and NAGFilteroutUrlForAudit "..gif".
CacheIgnoreHeaders This option is available only for the domain-based proxy service.	Prevents Access Gateway from writing any authorization headers to a disk. This option is enabled by default. Writing authorization headers to a disk is a potential security risk. You can allow authorization headers to be written to a disk by placing a pound (#) symbol in front of the option or by setting it to None. All path-based services under the domain-based service inherit the new value. For more information, see “CacheIgnoreHeaders Directive”.
CacheMaxFileSize This option is available only for the domain-based proxy service.	This option allows you to set the size of the file that can be stored in the cache. By default the size is set to 5 MB. Add the line CacheMaxFileSize <bytes>, for example, CacheMaxFileSize 99900000. All path-based services under the domain-based service inherit the new value.
NAGChildOptions WebDav=/Path This option is valid only for the path-based multi-homing proxy service.	Allows the proxy service to handle the specified path. Remove the pound (#) symbol and replace /Path with the path you want the proxy service to handle.
ProxyPassIgnorePathCase on	Use this option to make the path-based multi-homing path URL case-insensitive. For example, if you have set up a path based proxy /profile in Administration Console and the end user wants to access the URL https://www.lagssl.com/Profile/Security/login.aspx and not https://www.lagssl.com/profile/Security/login.aspx. By default, the url path is case-sensitive.
NAGPostParkingSizeInKiloBytes	This option allows you to change the post data parking size limit if an error occurs after you post large data (more than 56 KiloBytes in size) after a session timeout.
ProxyHTTP2 on (Access Manager 5.0 Service Pack 1 and later)	Set this option to communicate with the backend web server by using the HTTP/2 protocol. To disable the HTTP/2 protocol at the proxy level, add the pound(#) symbol before the ProxyHTTP2 option or remove it. You need to explicitly mention this option for each proxy service where backend communication is required to be HTTP/2. If mentioned only at parent domain level, underlying path-based proxy level will not inherit this option automatically. NOTE:You must apply this option only to the web server which supports the HTTP/2 protocol. If not, Access Gateway displays the following error: The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
SSLProxyProtocol	Access Gateway supports this option when a reverse proxy is connecting to backend web servers. This directive specifies SSL protocols for mod_ssl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all of these. The syntax for this is SSLProxyProtocol [+-]protocol. For example, SSLProxyProtocol +SSLv3. For information about configuring the SSL versions, see Apache documentation.
SSLProxyCACertificateFile	This option prevents failure in a SSL connection between Access Gateway and a web server, when a self-signed certificate is used. To prevent failure, import the web server certificates to the proxy trust store. After importing the web server certificates, use this option. /opt/novell/apache2/cacerts/myserver.pem
FailOnStatus error code1,error code 2,error code3	Backend servers may return an error code instead of being timed out. Access Gateway keeps sending requests to a web server even if the web server returns error codes. Use this option to prevent Access Gateway from sending requests to such web servers.
RWOutboundHeaderQueryString on	This option enables outbound header query string rewriting.
NAGAddProxyHeader on	When this option is set to off, Access Gateway does not send the XForwarded headers to the back-end web server. By default, this option is set to on.
NAGHostOptions DisableIDC=on	This disables Advance Session Assurance for small lived session IDs. Set to off to enable Advance Session Assurance for session ID. For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.
NAGHostOptions DisableSFP=on	This disables server-side fingerprinting Session Assurance. Set to off to enable server-side fingerprinting Session Assurance. For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.
NAGHostOptions primaryWebdav=<path of pbmh service> This option is valid only for the path-based multi-homing proxy service.	This option enables users who use the Microsoft Network Places client to connect to the WebDAV folders of a SharePoint server when the SharePoint server has been configured as a path-based multi-homing service on Access Gateway. This must be added to master proxy service Advanced Options whose path based child services accelerates webdav resources with remove path on fill option enabled.
NAGHostOptions webdavPath=/_vti_bin This option is valid only for the path-based multi-homing proxy service.	You can add this option to a master proxy service that accelerates webdav resources with remove path on fill enabled.
NAGChildOptions WebDav=<path of pbmh service> This option is valid only for the path-based multi-homing proxy service.	You can add this option to any path based service that accelerates webdav resources with remove path on fill enabled.
NAGHostOptions noURLNormalize=on	This option works similar to NAGGlobalOptions noURLNormalize=on. See NAGGlobalOptions noURLNormalize=on. However, when the NAGHostOptions noURLNormalize is set to on, Uri with %00 - %1F (the ASCII device control characters) will not be served unless you set the global advanced option NAGGlobalOptions noURLNormalize=on.You can set NAGHostOptions noURLNormalize=on at proxy level or path level.The priority is path level > proxy level > global.
NAGHostOptions DisableDetectXSS=on	Set this option to on to disable the XSS attack detection for all request. By default, this option is set to off. This option overrides NAGGlobalOptions DisableDetectXSS for a proxy service. For example, setting NAGHostOptions DisableDetectXSS=on for a proxy service overrides NAGGlobalOptions DisableDetectXSS=off for that proxy service.
AdditionalBalancerMemberOptions	The proxy server checks the web server for each new session request at an interval of one minute by default. You can configure this advanced option to specify a different interval. For example, specify AdditionalBalancerMemberOptions retry=180, where 180 is in seconds. You can set the following parameters for this option: min max smax acquire connectiontimeout disablereuse flushpackets flushwait ping loadfactor redirect retry status For information about these parameters, see Apache Module mod_proxy. Unsupported parameters: keepalive, lbset, route, timeout, ttl
NAGPreflightUrls	Use this option to configure paths in which you can expect preflight requests. Configuring this option prevents possible security threats. The preflight requests must include the origin header and the Access-Control-Request-Method header. If a preflight request does not include these headers, Access Gateway does not consider the request as a preflight request. Therefore, the NAGPreflightURLs option does not work as expected. Configure this option as follows: NAGPreflightUrls <URL Path 1> <URL Path 2> For example, NAGPreflightUrls ^/sample$ ^/test.* ^/sample$ allows requests with just path to be /sample ^/test.* allows the requests coming from the path starting with /test, such as /test/abc If it is configured for both path-based children and the parent proxy, then priority is given to the path-based children's configuration. Parent proxy configuration is considered only if the path-based child does not have URLs configured in the advanced option. No limit is set to the number of paths you want to configure in this option.
NAGHostOptions AcceptCORS=on NAGCORSOriginWhitelist <domain name>	NAGHostOptions AcceptCORS enables Access Gateway to process the CORS preflight request and send a valid CORS response to the browser. By default, the option is set to off. Use this option with NAGCORSOriginWhitelist to specify the domains from which you want to allow CORS preflight request, and NAGPreflightUrls option to specify the URL path. For example, specify as follows: NAGHostOptions AcceptCORS=on NAGCORSOriginWhitelist https://abc.example1.com NAGCORSOriginWhitelist https://xyz.example2.com NAGPreflightUrls ^/test
SharepointEnable on 2013 SharepointEnable on 2016 SharepointEnable on 2019	Set one of these options depending on the version of your SharePoint server for enabling SSO to Microsoft SharePoint server. For information about how to enable SSO to SharePoint, see Configuring SSO to SharePoint Server.
NAGHostOptions OverwriteWithIICookie=on	This option overwrites any browser cookie if Access Gateway creates a cookie with the same name by using the Identity Injection policy. By default, this option is set to on. For example, an Identity Injection policy injects TestCookie with the value <cn>, where cn=foo, and the browser sends a cookie with the same name TestCookie with the value bar. This option overwrites the value bar to foo and the cookie TestCookie=foo is sent to the backend web server. If you set this option to off, then both the cookies are sent to the back-end web server. If it is configured for both path-based children and the parent proxy, then priority is given to the path-based children's configuration. Parent proxy configuration is considered only if the advanced option is not configured for path-based child.
NAGHostOptions DisableFavicon=off	Set this option to on if you want Access Gateway to block any http request containing the filename favicon.ico and return HTTP 404 Not Found to the browser. By default, this option is set to off. This option overrides the NAGGlobalOptions DisableFavicon option for a proxy service. For example, setting NAGHostOptions DisableFavicon to on for a proxy service overrides NAGGlobalOptions DisableFavicon=off for this proxy service.

Advanced Option

Description

NAGHostOptions EnableWebsocket=on

If the value for this option is set to on, it overrides NAGGlobalOptions EnableWebsocket=off option.

If it is set to on for a master proxy, the WebSocket protocol is enabled for its proxy and its path-based children.

If it is set to on for a domain-based proxy service, the WebSocket protocol is enabled for that domain-based proxy.

If it is set to on at a path level, the WebSocket protocol is enabled only for that path-based child.

NAGHostOptions mangleCookies=on

This option invalidates the cookies set by the web server when the user logs out of Access Manager. By default, Access Gateway does not mangle the cookies that are sent by the web server.

Proxy mangles the cookies that are sent by the web server using the user information and sets these mangled cookies at the browser. When a browser sends the mangled cookies to proxy, it de-mangles them using the user information and sends the de-mangled cookies to the web server.

For more information about this option, see Cookie Mangling.

NAGHostOptions RWInboundQueryStringExtra=on

To use this option, you must enable Rewrite Inbound Query String Data in Rewriter Profile.

Set this option to on to rewrite query strings that match any published DNS name of other proxy services.

For example, when you enable this option, the request to https://www.idm.com/user/ii/test.php?redirect_uri=https://forms.idm.com is rewritten as /user/ii/test.php?redirect_uri=http://idm.iamcitdomain.com.

When this option is not enabled, the request is forwarded directly to the webserver/user/ii/test.php?redirect_uri=https://forms.idm.com.

NOTE:This method is CPU-intensive.

NAGHostOptions SameSiteCookie=on

Use this option to set the behavior of the SameSite attribute for cookies. By default, this option is set to off. When set to on, the default value is None and the option is applied to each Set-Cookie header coming from Access Gateway.

After setting NAGHostOptions SameSiteCookie to on, you can set the value of SameSite to Strict or Lax instead of None as follows:

NAGHostOptions SameSiteOption "SameSite=Strict": The cookie is withheld with any cross-site usage. It is sent only when the site for the cookie matches the site in the browser's URL bar.
NAGHostOptions SameSiteOption "SameSite=Lax": The cookie is sent for cross-site usage when the request is top-level and is a GET request.

In addition to setting this option, you must also set additional configuration in the web.xmlfile. For more information, see Configuring Support for Access Manager on Google Chrome Browser.

NoCanonicalization on

For this option to work, you need to enable the NAGGlobalOptions noURLNormalize=on global advanced option and the AllowEncodedSlashes on proxy service advanced option.

When enabled, this option retains the encoded characters in the URL while sending the requested URL to a web server. This option adds the nocanon keyword to the ProxyPass directives.

NAGFilteroutUrlForAudit

You can add this option to proxy service that filters out specific URLs from auditing (URL Accessed).

For example, NAGFilteroutUrlForAudit ".*.jpg", and NAGFilteroutUrlForAudit ".*.gif".

CacheIgnoreHeaders

This option is available only for the domain-based proxy service.

Prevents Access Gateway from writing any authorization headers to a disk. This option is enabled by default. Writing authorization headers to a disk is a potential security risk. You can allow authorization headers to be written to a disk by placing a pound (#) symbol in front of the option or by setting it to None.

All path-based services under the domain-based service inherit the new value.

For more information, see “CacheIgnoreHeaders Directive”.

CacheMaxFileSize

This option is available only for the domain-based proxy service.

This option allows you to set the size of the file that can be stored in the cache. By default the size is set to 5 MB. Add the line CacheMaxFileSize <bytes>, for example, CacheMaxFileSize 99900000.

All path-based services under the domain-based service inherit the new value.

NAGChildOptions WebDav=/Path

This option is valid only for the path-based multi-homing proxy service.

Allows the proxy service to handle the specified path. Remove the pound (#) symbol and replace /Path with the path you want the proxy service to handle.

ProxyPassIgnorePathCase on

Use this option to make the path-based multi-homing path URL case-insensitive. For example, if you have set up a path based proxy /profile in Administration Console and the end user wants to access the URL https://www.lagssl.com/Profile/Security/login.aspx and not https://www.lagssl.com/profile/Security/login.aspx. By default, the url path is case-sensitive.

NAGPostParkingSizeInKiloBytes

This option allows you to change the post data parking size limit if an error occurs after you post large data (more than 56 KiloBytes in size) after a session timeout.

ProxyHTTP2 on

(Access Manager 5.0 Service Pack 1 and later)

Set this option to communicate with the backend web server by using the HTTP/2 protocol. To disable the HTTP/2 protocol at the proxy level, add the pound(#) symbol before the ProxyHTTP2 option or remove it.

You need to explicitly mention this option for each proxy service where backend communication is required to be HTTP/2. If mentioned only at parent domain level, underlying path-based proxy level will not inherit this option automatically.

NOTE:You must apply this option only to the web server which supports the HTTP/2 protocol. If not, Access Gateway displays the following error:

The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

SSLProxyProtocol

Access Gateway supports this option when a reverse proxy is connecting to backend web servers. This directive specifies SSL protocols for mod_ssl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all of these.

The syntax for this is SSLProxyProtocol [+-]protocol. For example, SSLProxyProtocol +SSLv3.

For information about configuring the SSL versions, see Apache documentation.

SSLProxyCACertificateFile

This option prevents failure in a SSL connection between Access Gateway and a web server, when a self-signed certificate is used. To prevent failure, import the web server certificates to the proxy trust store. After importing the web server certificates, use this option.

/opt/novell/apache2/cacerts/myserver.pem

FailOnStatus error code1,error code 2,error code3

Backend servers may return an error code instead of being timed out. Access Gateway keeps sending requests to a web server even if the web server returns error codes.

Use this option to prevent Access Gateway from sending requests to such web servers.

RWOutboundHeaderQueryString on

This option enables outbound header query string rewriting.

NAGAddProxyHeader on

When this option is set to off, Access Gateway does not send the XForwarded headers to the back-end web server.

By default, this option is set to on.

NAGHostOptions DisableIDC=on

This disables Advance Session Assurance for small lived session IDs.

Set to off to enable Advance Session Assurance for session ID.

For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.

NAGHostOptions DisableSFP=on

This disables server-side fingerprinting Session Assurance.

Set to off to enable server-side fingerprinting Session Assurance.

For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.

NAGHostOptions primaryWebdav=<path of pbmh service>

This option is valid only for the path-based multi-homing proxy service.

This option enables users who use the Microsoft Network Places client to connect to the WebDAV folders of a SharePoint server when the SharePoint server has been configured as a path-based multi-homing service on Access Gateway. This must be added to master proxy service Advanced Options whose path based child services accelerates webdav resources with remove path on fill option enabled.

NAGHostOptions webdavPath=/_vti_bin

This option is valid only for the path-based multi-homing proxy service.

You can add this option to a master proxy service that accelerates webdav resources with remove path on fill enabled.

NAGChildOptions WebDav=<path of pbmh service>

This option is valid only for the path-based multi-homing proxy service.

You can add this option to any path based service that accelerates webdav resources with remove path on fill enabled.

NAGHostOptions noURLNormalize=on

This option works similar to NAGGlobalOptions noURLNormalize=on.

See NAGGlobalOptions noURLNormalize=on.

However, when the NAGHostOptions noURLNormalize is set to on, Uri with %00 - %1F (the ASCII device control characters) will not be served unless you set the global advanced option NAGGlobalOptions noURLNormalize=on.You can set NAGHostOptions noURLNormalize=on at proxy level or path level.The priority is path level > proxy level > global.

NAGHostOptions DisableDetectXSS=on

Set this option to on to disable the XSS attack detection for all request. By default, this option is set to off.

This option overrides NAGGlobalOptions DisableDetectXSS for a proxy service. For example, setting NAGHostOptions DisableDetectXSS=on for a proxy service overrides NAGGlobalOptions DisableDetectXSS=off for that proxy service.

AdditionalBalancerMemberOptions

The proxy server checks the web server for each new session request at an interval of one minute by default. You can configure this advanced option to specify a different interval.

For example, specify AdditionalBalancerMemberOptions retry=180, where 180 is in seconds.

You can set the following parameters for this option:

min
max
smax
acquire
connectiontimeout
disablereuse
flushpackets
flushwait
ping
loadfactor
redirect
retry
status

For information about these parameters, see Apache Module mod_proxy.

Unsupported parameters: keepalive, lbset, route, timeout, ttl

NAGPreflightUrls

Use this option to configure paths in which you can expect preflight requests. Configuring this option prevents possible security threats.

The preflight requests must include the origin header and the Access-Control-Request-Method header. If a preflight request does not include these headers, Access Gateway does not consider the request as a preflight request. Therefore, the NAGPreflightURLs option does not work as expected.

Configure this option as follows:

NAGPreflightUrls <URL Path 1> <URL Path 2>

For example, NAGPreflightUrls ^/sample$ ^/test.*

^/sample$ allows requests with just path to be /sample

^/test.* allows the requests coming from the path starting with /test, such as /test/abc

If it is configured for both path-based children and the parent proxy, then priority is given to the path-based children's configuration.

Parent proxy configuration is considered only if the path-based child does not have URLs configured in the advanced option.

No limit is set to the number of paths you want to configure in this option.

NAGHostOptions AcceptCORS=on

NAGCORSOriginWhitelist <domain name>

NAGHostOptions AcceptCORS enables Access Gateway to process the CORS preflight request and send a valid CORS response to the browser. By default, the option is set to off.

Use this option with NAGCORSOriginWhitelist to specify the domains from which you want to allow CORS preflight request, and NAGPreflightUrls option to specify the URL path.

For example, specify as follows:

NAGHostOptions AcceptCORS=on

NAGCORSOriginWhitelist https://abc.example1.com

NAGCORSOriginWhitelist https://xyz.example2.com

NAGPreflightUrls ^/test

SharepointEnable on 2013

SharepointEnable on 2016

SharepointEnable on 2019

Set one of these options depending on the version of your SharePoint server for enabling SSO to Microsoft SharePoint server.

For information about how to enable SSO to SharePoint, see Configuring SSO to SharePoint Server.

NAGHostOptions OverwriteWithIICookie=on

This option overwrites any browser cookie if Access Gateway creates a cookie with the same name by using the Identity Injection policy. By default, this option is set to on.

For example, an Identity Injection policy injects TestCookie with the value <cn>, where cn=foo, and the browser sends a cookie with the same name TestCookie with the value bar. This option overwrites the value bar to foo and the cookie TestCookie=foo is sent to the backend web server.

If you set this option to off, then both the cookies are sent to the back-end web server.

If it is configured for both path-based children and the parent proxy, then priority is given to the path-based children's configuration.

Parent proxy configuration is considered only if the advanced option is not configured for path-based child.

NAGHostOptions DisableFavicon=off

Set this option to on if you want Access Gateway to block any http request containing the filename favicon.ico and return HTTP 404 Not Found to the browser. By default, this option is set to off.

This option overrides the NAGGlobalOptions DisableFavicon option for a proxy service. For example, setting NAGHostOptions DisableFavicon to on for a proxy service overrides NAGGlobalOptions DisableFavicon=off for this proxy service.

For the list of global advanced options, see Table 3-1.