3.6 Configuring Access Gateway

The basic Access Gateway configuration procedure consists of the tasks described in the following sections: configuring a reverse proxy, configuring a public protected resource, and setting up policies.

3.6.1 Configuring a Reverse Proxy

You can protect your web services by creating a reverse proxy. A reverse proxy acts as the front end to the web servers in your DMZ or on your intranet. It off-loads frequent requests, freeing up bandwidth and web server connections, and it increases security because the IP addresses and DNS names of your web servers are hidden from the Internet. A reverse proxy can contain one or more proxy services. To configure Access Gateway, create a new configuration as described in this section.

To create a reverse proxy, you must create at least one proxy service with a protected resource. You must supply a name for each of these components. Reverse proxy names and proxy service names must be unique within Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate.

You can also modify the existing default NAM-RP to match your requirements. The Access Manager Appliance has a default SSL-enabled reverse proxy (NAM-RP). The reverse proxy is associated with a self-signed certificate, which is created during installation of the primary Access Manager Appliance. To modify the default NAM-RP, click Devices > Access Gateways > Edit > NAM-RP in Administration Console. The default proxy service is NAM-Service. You cannot delete this proxy service or its base service. You can modify, enable, disable, rename, and delete the Path-Based Multi-Homing (PBMH) proxy service that is created under this proxy service, and you can create a new PBMH or Domain-Based Multi-Homing (DBMH) proxy service under NAM-Service. You can also create a new protected resource and assign it to the newly created PBMH or DBMH. For protected resources that are not greyed out, you can also add, delete, modify, enable, and disable paths.

Protected resource names need to be unique to the proxy service, but they don’t need to be unique to Access Gateway because they are always accessed through their proxy service. For example, if you have a proxy service named account and a proxy service named sales, they both can have a protected resource named public.

What You Need To Know         Example            Your Value

DNS name of Access Gateway    mytest.com         ______________________

Web server information
  IP address                  10.15.70.21        ______________________
  DNS name                    mywebserver.com    ______________________

Names you need to create
  Reverse proxy name          mycompany          ______________________
  Proxy service name          company            ______________________
  Protected resource name     public             ______________________

This first reverse proxy is used for authentication. You need to configure the proxy service to use the DNS name of Access Gateway as its Published DNS Name, and the web server and the resource on that web server need to point to the page you want displayed to the users when they first access your web site. You can use Access Gateway configuration options to allow this first page to be a public site with no authentication required until the users access the links on the page, or you can require authentication on this first page. Complete the following configuration steps to first configure a protected resource as a public resource and then to modify the configuration to require authentication.

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. In Reverse Proxy List, click New, specify a display name for the reverse proxy, then click OK.

  3. Enable a listening address.

    Listening Address(es): A list of available IP addresses. If the server has only one IP address, only one is displayed and it is automatically selected. If the server has multiple addresses, you can select one or more IP addresses to enable. You must enable at least one address.

    TCP Listen Options: Options for configuring how requests are handled. You cannot set up listening options until you create a proxy service.

  4. Ignore the SSL configuration options.

    This basic configuration does not set up SSL. For SSL information, see Section 17.0, Enabling SSL Communication.

  5. Configure a listening port.

    Non-Secure Port: Select 80, the default port for HTTP.

    Secure Port: This is the HTTPS listening port. This port is unused and cannot be configured until you enable SSL.

  6. In Proxy Service List, click New.

  7. Specify the following details:

    Field

    Description

    Proxy Service Name

    A display name for the proxy service.

    Published DNS Name

    The DNS name you want the public to use to access your site. For this first proxy service, the DNS name must resolve to the Access Gateway IP address that you selected as the listening address. For the example in Figure 3-2, this name would be www.mytest.com.

    Web Server IP Address

    The IP address of your web server. This is the web server with content that you want to share with authorized users and protect from others. In Figure 3-2, this is Server 4, whose IP address is 10.15.70.21.

    Host Header

    The name you want to send in the HTTP Host header to the web server. This can be either the Published DNS Name (the Forward Received Host Name option) or the DNS name of the web server (the Web Server Host Name option).

    Web Server Host Name

    The DNS name that Access Gateway must forward to the web server. This option is not available if you select Forward Received Host Name for the Host Header option. The name you use depends upon how you have set up the web server. If your web server has been configured to verify that the host name in the header matches its name, you need to specify that name here. In Figure 3-2, the Web Server Host Name is mywebserver.com.

  8. Click OK.

3.6.2 Configuring a Public Protected Resource

The first protected resource discussed in this configuration is configured as a public resource.

  1. In Proxy Service List, click [Name of Proxy Service] > Protected Resources.

  2. In Protected Resource List, click New, specify a name for the resource, and click OK.

  3. In the Contract field, select None.

    The Contract field must be set to None. This makes the resource a public resource: no authentication is required to reach the paths it covers.

  4. Configure URL Path List.

    The default path is /*, which allows access to everything on the web server. Modify this if you need to restrict access to a specific directory on your web server.

    • To delete the default path, select the check box next to the path, then click Delete.

    • To edit a path in the list, click the path, modify it, then click OK.

    • To add a path, click New, specify the path, then click OK. For example, to allow access to the pages in the public directory on the web server, specify the following path:

      /public/*

  5. Click OK.

  6. In the Protected Resource List, verify that the protected resource you created is enabled, then click OK.

  7. Click Devices > Access Gateways.

  8. Click Update > OK.

    The system sends configuration changes to the server and writes the configuration to the configuration data store. When the update has completed successfully, the server returns the status of Current.

    To save the changes to the configuration store without applying them, do not click Update. Instead, click Edit. If you have pending configuration settings, the OK button is active, and the configuration page indicates which services will be updated. Click OK to save these changes to the configuration store. The changes are not applied until you click Update on the Access Gateways page.

  9. To update Identity Server to establish the trust relationship with Access Gateway, click Devices > Identity Servers > Update > OK.

    Wait until the Command status is Complete and the Health status is green.

  10. (Optional). To test this configuration from a client browser, specify the published DNS name as the URL in the browser. In the example illustrated in Figure 3-2, specify the following URL:

    http://www.mytest.com

    This name must resolve to the Access Gateway listening address you specified for the Published DNS Name in Step 7, so that the browser reaches the web server through Access Gateway rather than directly.

IMPORTANT: You must not modify the default NAM-Service proxy service.
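The following is an added illustration written for this page, not Access Manager code. It models two decisions the procedure above configures: which protected resource (and therefore which contract) applies to a request path, using the public resource on /public/* with Contract None and a basic resource on /basic/* from this page's example, and which Host header is forwarded to the web server under the two Host Header options of Step 7. The "most specific path wins" rule, the "deny when no path matches" rule and the path normalisation are assumptions of this model; confirm them against the Access Manager documentation for your version. The resource table and URLs are constructed.

```python
"""Model of how Access Gateway selects a protected resource for a request and
what it forwards to the web server.  Added illustration for this page, not
Access Manager code.  Names follow the worked example here: proxy service
"company", a public resource on /public/* with contract None and a basic
resource on /basic/* requiring a Name/Password contract.  The "most specific
path wins" rule, the deny-when-nothing-matches rule and the path normalisation
are assumptions of this model."""
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed protected-resource table for the proxy service "company".
PROTECTED_RESOURCES = [
    {"name": "public", "contract": None, "paths": ["/public/*"]},
    {"name": "basic", "contract": "Name/Password - Basic", "paths": ["/basic/*"]},
    {"name": "everything", "contract": "Name/Password - Form", "paths": ["/*"]},
]


def normalize_path(url):
    """Reduce a request URL to a canonical path before matching it.

    Percent-decoding and collapsing "." / ".." segments first means a request
    for /public/../basic/report.html is matched as /basic/report.html and is
    not mistaken for a public page."""
    raw = unquote(urlsplit(url).path) or "/"
    path = normpath(raw)
    while path.startswith("//"):            # normpath keeps a leading "//"
        path = path[1:]
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"                          # keep the directory form for /public/
    return path


def match_resource(url, resources=PROTECTED_RESOURCES):
    """Return (resource, pattern) for the most specific matching URL path.

    Specificity is the length of the literal prefix before the first "*", so
    /public/* beats /*.  Returns (None, None) when no path matches."""
    path = normalize_path(url)
    best = None
    for res in resources:
        for pattern in res["paths"]:
            if fnmatchcase(path, pattern):
                specificity = len(pattern.split("*", 1)[0])
                if best is None or specificity > best[0]:
                    best = (specificity, res, pattern)
    return (None, None) if best is None else (best[1], best[2])


def access_decision(url, authenticated=False, resources=PROTECTED_RESOURCES):
    """What the gateway does with a request: "allow", "authenticate" or "deny"."""
    res, _ = match_resource(url, resources)
    if res is None:
        return "deny"            # assumption: no protected resource covers the path
    if res["contract"] is None or authenticated:
        return "allow"           # public resource, or the user already holds the contract
    return "authenticate"        # redirect to Identity Server for res["contract"]


def upstream_host_header(received_host, host_header_option, web_server_host_name=None):
    """Host header the gateway sends to the web server (Host Header option, Step 7)."""
    if host_header_option == "Forward Received Host Name":
        return received_host                      # e.g. www.mytest.com
    if host_header_option == "Web Server Host Name":
        if not web_server_host_name:
            raise ValueError("Web Server Host Name is required for this option")
        return web_server_host_name               # e.g. mywebserver.com
    raise ValueError(f"unknown Host Header option: {host_header_option}")


if __name__ == "__main__":
    for url in ("http://www.mytest.com/public/index.html",
                "http://www.mytest.com/basic/report.html",
                "http://www.mytest.com/public/../basic/report.html"):
        res, pattern = match_resource(url)
        print(f"{url} -> {res['name']} ({pattern}): {access_decision(url)}")
```

The traversal case is the check worth keeping in mind when you narrow the default /* path to /public/*: the decision has to be made on the decoded, normalised path, otherwise a request for /public/../basic/report.html would be treated as a public page while the web server serves the basic directory.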

3.6.3 Setting Up Policies

Access Gateway lets you retrieve information from your LDAP directory and inject the information into HTML headers, query strings, or basic authentication headers. Access Gateway can then send this information to the back-end web servers. Access Manager calls this technology Identity Injection.

This is one of the features within Access Manager that enables single sign-on. Users are prompted for their login credentials once, and Access Manager then supplies them to the resources you have configured for Identity Injection.

This section explains how to set up an Identity Injection policy for basic authentication. The policy is assigned to the third directory on your web server, the basic directory, which your web server has been configured to protect with basic authentication.

  1. Click Devices > Access Gateways > Edit > [Reverse Proxy Name] > [Proxy Service Name] > Protected Resources > New.

  2. Configure the resource for the basic directory as described in Section 3.2, Prerequisites for Setup:

    1. For the contract, select Name/Password - Basic or Name/Password - Form.

    2. For the URL path, specify the path to the basic directory (/basic/*).

    3. Click OK.

  3. Click [Protected Resource Name] > Identity Injection.

    On a new installation, the list is empty because no policies have been created.

  4. In the Identity Injection Policy List section, click Manage Policies.

  5. In the Policy List section, click New, then specify values for the following fields:

    Name: Specify a name for the Identity Injection policy.

    Type: Select Access Gateway: Identity Injection.

  6. Click OK.

  7. (Optional) Specify a description for the policy.

  8. In the Actions section, click New > Inject into Authentication Header.

  9. Set up the policy for User Name and Password:

    • For User Name, select Credential Profile and LDAP Credentials: LDAP User Name.

      This injects the value of the cn attribute into the header.

    • For Password, select Credential Profile and LDAP Credentials: LDAP Password.

    The Actions section should now show one Inject into Authentication Header action with these User Name and Password selections.

  10. Click OK > OK > Apply Changes > Close.

  11. Select the new Identity Injection policy, then click Enable > OK.

  12. Click Devices > Access Gateways > Update > OK.

  13. To test this configuration from a client browser, specify the published DNS name as the URL in the browser. Click the link to the page that uses basic authentication.

    You are prompted to log in. If you have set up web applications on your web server that require login, any additional login prompts are hidden from the user and are handled by the identity injection system.
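The following is an added illustration written for this page, not Access Manager code. It models what the Inject into Authentication Header action produces, an RFC 7617 Basic Authorization header built from the LDAP user name and password, and the check a basic-authentication directory on the web server makes on the forwarded request. The user name, password and request headers are constructed for the demonstration. Note that base64 is an encoding, not encryption: the LDAP password is recoverable by anyone who can read this header on the path from Access Gateway to the web server, which is why that connection should be SSL-protected (Section 17.0) rather than the plain HTTP listener used in this basic configuration.

```python
"""Model of the "Inject into Authentication Header" action and of the check a
basic-authentication directory makes on what it receives.  Added illustration
for this page, not Access Manager code.  The user name, password and request
headers are constructed for the demonstration."""
import base64
import hmac


def inject_auth_header(headers, ldap_user_name, ldap_password):
    """Add the Basic Authorization header the gateway forwards to the web server.

    RFC 7617: the credentials are base64(user-id ":" password); the user-id
    itself may not contain a colon.  Base64 is an encoding, not encryption, so
    the LDAP password is recoverable by anyone who can read this header."""
    if ":" in ldap_user_name:
        raise ValueError("user-id must not contain a colon (RFC 7617)")
    raw = f"{ldap_user_name}:{ldap_password}".encode("utf-8")
    out = dict(headers)
    out["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    return out


def parse_basic_auth(header_value):
    """Web server side: return (user, password), or None if the header is unusable.

    Splits on the first colon only, so a password containing ":" survives."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects non-alphabet characters; binascii.Error and
        # UnicodeDecodeError are both subclasses of ValueError
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def handle_request(headers, expected_user, expected_password):
    """Status a basic-auth protected directory answers with for the forwarded request."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401                  # challenge with WWW-Authenticate: Basic realm=...
    user, password = creds
    # constant-time comparison of both fields; "&" evaluates both sides
    ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8")) & \
        hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return 200 if ok else 401


if __name__ == "__main__":
    # Constructed request from Access Gateway to the web server at 10.15.70.21
    forwarded = inject_auth_header({"Host": "mywebserver.com"}, "jsmith", "s3cret:pw")
    print(forwarded["Authorization"])                        # Basic anNtaXRoOnMzY3JldDpwdw==
    print(handle_request(forwarded, "jsmith", "s3cret:pw"))  # 200
```

Two details matter on the receiving side: the decoded string is split on the first colon only, so a password that itself contains a colon is recovered intact, and a malformed or non-Basic header is treated as absent (401 challenge) rather than raising an error.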

For an example of how Identity Injection policies can be used for single sign-on to the Identity Manager User Application, see “Configuring Access Manager for UserApp and SAML”.