2.7.3 Managing Reverse Proxies and Authentication

A reverse proxy acts as the front end to your web servers on your Internet or intranet and off-loads frequent requests, thereby freeing up bandwidth. The proxy also increases security because the IP addresses of your web servers are hidden from the Internet.

To create a reverse proxy, you must create at least one proxy service with a protected resource. You must supply a name for each of these components. Reverse proxy names and proxy service names must be unique to Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate.

Protected resource names need to be unique to the proxy service, but they don’t need to be unique to Access Gateway because they are always accessed through their proxy service. For example, if you have a proxy service named account and a proxy service named sales, they both can have a protected resource named public.

The first reverse proxy and proxy service you create are automatically assigned to be the authenticating proxy.

  1. Click Devices > Access Gateways > Edit.

    The Edit link is either for a single Access Gateway or for a cluster of Access Gateways.

  2. Click Reverse Proxy / Authentication.

  3. Configure the authentication settings:

    Identity Server Cluster: Specifies Identity Server you want Access Gateway to trust for authentication. Select the configuration you have assigned to Identity Server.

    Whenever an Identity Server is assigned to a new trust relationship, Identity Server needs to be updated. This process is explained following the step that saves this configuration setting (see Step 5 and Step 6).

  4. (Conditional) If you have already created at least one reverse proxy, you can view the Embedded Service Provider options and configure some of them:

    Reverse Proxy: Specifies which proxy service is used for authentication. If you have configured only one proxy service, only one appears in the list and it is selected. If you change the reverse proxy that is used for authentication, certificates must be updated to match this new configuration.

    Metadata URL: Displays the location of the metadata.

    Health-Check URL: Displays the location of the health check.

    Logout URL: Displays the URL that you need to use for logging users out of protected resources. This value is empty until you have created at least one reverse proxy and it has been assigned to be used for authentication. If you create two or more reverse proxies, you can select which one is used for authentication, and the logout URL changes to match the assigned reverse proxy.

    If any of your protected resources have a logout page or button, you need to redirect the user’s logout request to the page specified by this URL. Access Gateway can then clear the user’s session and log the user out of any other resources that have been enabled for single sign-on. If you do not redirect the user’s logout request, the user is logged out of one resource, but the user’s session remains active until inactivity closes the session. If the user accesses the resource again before the session is closed, single sign-on reauthenticates the user to the resource, and it appears that the logout did nothing.

    ESP Global Options: Allows you to configure global options for ESP. For more information, see Configuring ESP Global Options.

    Auto-Import Identity Server Configuration Trusted Root: Allows you to import the public key from Identity Server cluster into the trust store of the Embedded Service Provider. This sets up a trusted SSL relationship between the Embedded Service Provider and Identity Server. This option is not available until you have selected an Identity Server Cluster and have configured the use of SSL on the Embedded Service Provider of the reverse proxy that is performing authentication (see the Enable SSL with Embedded Service Provider option on the Reverse Proxy page).

    If Identity Server cluster is using a certificate created by the Access Manager certificate authority (CA), the public key is automatically added to this trust store, so you do not need to use this option. If Identity Server cluster is using a certificate created by an external CA, you need to use this option to import the public key into the trust store.

  5. (Optional) Configure the proxy settings:

    Behind Third Party SSL Terminator: Enable this option if you have installed an SSL terminator between the users and Access Gateway. This allows the terminator to handle the SSL traffic between the browsers and the terminator. The terminator and Access Gateway can use HTTP for their communication. For configuration tips, see Using an SSL Terminator.

    Enable Via Header: Enables the sending of the Via header to the web server. The Via header contains the DNS name of Access Gateway and a device ID. It has the following format:

    Via: 1.1 www.mymag.com (Access Gateway-ag-BFBA9849520DB63B-5)

    Deselect this option when your web server does not need this information or does not know what to do with it.

  6. (Optional) Configure the cookie settings:

    For more information, see Section 13.6, Enabling Secure Cookies.

    Enable Secure Cookies: Enabling this option sets secure keyword on HTTPS request. If you have enabled the Behind Third Party SSL Terminator option and also enabled the Enable Secure Cookies option, the secure keyword on HTTP and HTTPS requests are set.

    WARNING:Do not enable the Enable Secure Cookies option if you have both HTTP and HTTPS reverse proxies. The HTTP services become unavailable because authentication requests to the non-HTTP services fail.

    Force HTTP-Only Cookie: Forces Access Gateway to set the HttpOnly keyword, which prevent scripts from accessing the cookie. This helps protect browsers from cross-site scripting vulnerabilities that allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user.

    IMPORTANT:The HttpOnly keyword can prevent applets from loading and can interfere with JavaScript. Do not enable this option if you have Access Gateway protecting applications that download applets or use JavaScript.

  7. To create a proxy service, continue with Creating a Proxy Service.