4.4.2 Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service

The following procedure helps you configure the advanced options for a domain-based or path-based multi-homing proxy service of an Access Gateway.

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.

  2. To enable an advanced option, remove the pound (#) symbol in front of it. To disable an option, add the # symbol in front of the option, save your changes, then update Access Gateway.

    Table 4-2 Access Gateway Advanced Options for Proxy Services

    Advanced Option

    Description

    NAGHostOptions EnableWebsocket=on

    If the value for this option is set to on, it overrides the NAGGlobalOptions EnableWebsocket=off option.

    If it is set to on for a master proxy, the WebSocket protocol is enabled for its proxy and its path-based children.

    If it is set to on for a domain-based proxy service, the WebSocket protocol is enabled for that domain-based proxy.

    If it is set to on at a path level, the WebSocket protocol is enabled only for that path-based child.

    NAGHostOptions mangleCookies=on

    This option invalidates the cookies set by the web server when the user logs out of Access Manager. By default, Access Gateway does not mangle the cookies that are sent by the web server.

    The proxy mangles the cookies that are sent by the web server using the user information and sets these mangled cookies at the browser. When a browser sends the mangled cookies to the proxy, the proxy de-mangles them using the user information and sends the de-mangled cookies to the web server. For more information about this option, see Enabling Cookie Mangling.

    NAGWSMangleCookiePrefix

    Use the NAGWSMangleCookiePrefix <AnyString> option to specify the string added to the application cookie after manipulation. For more information about this option, see Enabling Cookie Mangling.

    NoCanonicalization on

    For this option to work, you need to enable the NAGGlobalOptions noURLNormalize=on global advanced option and the AllowEncodedSlashes on proxy service advanced option.

    When enabled, this option retains the encoded characters in the URL while sending the requested URL to a web server. This option adds the nocanon keyword to the ProxyPass directives.

    NAGFilteroutUrlForAudit

    You can add this option to a proxy service to filter out specific URLs from auditing (URL Accessed).

    For example, NAGFilteroutUrlForAudit ".*.jpg", and NAGFilteroutUrlForAudit ".*.gif".

    CacheIgnoreHeaders

    This option is available only for the domain-based proxy service.

    Prevents Access Gateway from writing any authorization headers to disk. This option is enabled by default. Writing authorization headers to a disk is a potential security risk. You can allow authorization headers to be written to a disk by placing a pound (#) symbol in front of the option or by setting it to None.

    All path-based services under the domain-based service inherit the new value.

    For more information about this Apache option, see “CacheIgnoreHeaders Directive”.

    CacheMaxFileSize

    This option is available only for the domain-based proxy service.

    Configuring this option in the Advanced Options of a proxy service allows you to set the size of the file that can be stored in the cache. By default the size is set to 5 MB. Add the line CacheMaxFileSize <bytes>, for example, CacheMaxFileSize 99900000.

    All path-based services under the domain-based service inherit the new value.

    NAGChildOptions WebDav=/Path

    This option is valid only for the path-based multi-homing proxy service.

    Allows the proxy service to handle the specified path. Remove the pound (#) symbol and replace /Path with the path you want the proxy service to handle.

    ProxyPassIgnorePathCase on

    Use this option to make the path-based multi-homing path URL case-insensitive. For example, you have set up a path-based proxy /profile in Administration Console, and the end user wants to access the URL https://www.lagssl.com/Profile/Security/login.aspx and not https://www.lagssl.com/profile/Security/login.aspx. By default, the URL path is case-sensitive.

    NAGPostParkingSizeInKiloBytes

    This option allows you to change the post data parking size limit if an error occurs after you post large data (more than 56 KiloBytes in size) after a session timeout.

    SSLProtocol

    This option is supported by Access Gateway when listening as a server to clients (typically browsers). This directive specifies SSL protocols for mod_ssl to use when establishing the server environment. Clients can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and all of these.

    The syntax for this is SSLProtocol [+-]protocol. For example, SSLProtocol +SSLv3. For more information about configuring the SSL versions, see Apache documentation.

    SSLProxyProtocol

    This option is supported by Access Gateway when the reverse proxy is connecting to the backend web servers. This directive specifies SSL protocols for mod_ssl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and all of these.

    The syntax for this is SSLProxyProtocol [+-]protocol. For example, SSLProxyProtocol +SSLv3. For more information about configuring the SSL versions, see Apache documentation.

    For Windows: SSLProxyCACertificateFile "C:\Program Files\Novell\apache\cacerts\myserver.pem"

    For Linux: SSLProxyCACertificateFile /opt/novell/apache2/cacerts/myserver.pem

    This option prevents the SSL connection between Access Gateway and the web server from failing when a self-signed certificate is used. To prevent this failure, import the web server certificates to the proxy trust store. After importing the web server certificates, use this advanced option.

    FailOnStatus error code1,error code2,error code3

    Back-end servers may return an error code instead of timing out. Access Gateway keeps sending requests to a web server, even if the web server returns error codes.

    To prevent Access Gateway from sending requests to such web servers, you can use this advanced option.

    AdditionalBalancerMemberOptions

    The proxy server checks the web server for each new session request at an interval of one minute by default. You can configure this advanced option to specify a different interval.

    For example, specify AdditionalBalancerMemberOptions retry=180, where 180 is in seconds.

    You can set the following parameters for this option:

    • min
    • max
    • smax
    • acquire
    • connectiontimeout
    • disablereuse
    • flushpackets
    • flushwait
    • ping
    • loadfactor
    • redirect
    • retry
    • status

    For more information about these parameters, see Apache Module mod_proxy.

    Unsupported parameters: keepalive, lbset, route, timeout, ttl

    RWOutboundHeaderQueryString on

    This option enables outbound header query string rewriting.

    NAGAddProxyHeader on

    When this option is set to off, Access Gateway does not send the X-Forwarded headers to the back-end web server.

    By default, this option is set to on.

    NAGHostOptions DisableIDC on

    This disables Advanced Session Assurance for short-lived session IDs.

    Set to off to enable Advanced Session Assurance for session IDs.

    For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.

    NAGHostOptions DisableSFP on

    This disables server-side fingerprinting Session Assurance.

    Set to off to enable server-side fingerprinting Session Assurance.

    For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.

    NAGHostOptions primaryWebdav=<path of pbmh service>

    This option is valid only for the path-based multi-homing proxy service.

    This option enables users who use the Microsoft Network Places client to connect to the WebDAV folders of a SharePoint server when the SharePoint server has been configured as a path-based multi-homing service on Access Gateway. Add this option to the Advanced Options of a master proxy service whose path-based child services accelerate WebDAV resources with the remove path on fill option enabled.

    This option is equivalent to .modifyRequestURI in the 3.1 SP4 Access Gateway Appliance.

    NAGHostOptions webdavPath=/_vti_bin

    This option is valid only for the path-based multi-homing proxy service.

    You can add this option to a master proxy service that accelerates WebDAV resources with remove path on fill enabled.

    NAGChildOptions WebDav=<path of pbmh service>

    This option is valid only for the path-based multi-homing proxy service.

    You can add this option to any path-based service that accelerates WebDAV resources with remove path on fill enabled.

    This option is equivalent to .modifyRequestURI in the 3.1 SP4 Access Gateway Appliance.

    NAGHostOptions noURLNormalize=on

    This option works similarly to the NAGGlobalOptions noURLNormalize=on option.

    See NAGGlobalOptions noURLNormalize=on.

    However, when NAGHostOptions noURLNormalize is set to on, URIs with %00 - %1F (the ASCII device control characters) are not served unless you set the global advanced option NAGGlobalOptions noURLNormalize=on. You can set NAGHostOptions noURLNormalize=on at proxy level or path level. The priority is path level > proxy level > global.

    NAGPreflightUrls

    (This option is available in Access Manager 4.4 Service Pack 2 and later versions)

    Use this option to configure paths in which you can expect preflight requests. Configuring this option prevents possible security threats.

    Preflight requests must include the Origin header and the Access-Control-Request-Method header. If a preflight request does not include these headers, Access Gateway does not consider the request a preflight request, and the NAGPreflightUrls option does not work as expected.

    Configure this option as follows:

    NAGPreflightUrls <URL Path 1> <URL Path 2>

    For example, NAGPreflightUrls ^/sample$ ^/test.*

    ^/sample$ allows requests whose path is exactly /sample.

    ^/test.* allows requests whose path starts with /test, such as /test/abc.

    If it is configured for both path-based children and the parent proxy, then priority is given to the path-based children's configuration.

    Parent proxy configuration is considered only if the path-based child does not have URLs configured in the advanced option.

    There is no limit to the number of paths that you can configure in the advanced option.

    NAGHostOptions OverwriteWithIICookie=on

    (This option is available in Access Manager 4.4 Service Pack 3 and later versions.)

    This option overwrites any browser cookie if Access Gateway creates a cookie with the same name by using the Identity Injection policy. By default, this option is set to on.

    For example, an Identity Injection policy injects TestCookie with the value <cn>, where cn=foo, and the browser sends a cookie with the same name TestCookie with the value bar. This option overwrites the value bar to foo and the cookie TestCookie=foo is sent to the backend web server.

    If you set this option to off, then both the cookies are sent to the backend web server.

    If it is configured for both path-based children and the parent proxy, then priority is given to the path-based children's configuration.

    Parent proxy configuration is considered only if the advanced option is not configured for the path-based child.
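
The NAGPreflightUrls rules in the table (required headers, regular-expression paths, child-over-parent priority) can be modelled to check a planned configuration before deploying it. This is an added example, not Access Gateway code; the function names are hypothetical, the child pattern and requests are constructed, and it assumes patterns are evaluated as unanchored regular-expression searches.

```python
import re


def parse_option(line):
    """Split 'NAGPreflightUrls <URL Path 1> <URL Path 2>' into its patterns."""
    parts = line.split()
    if not parts or parts[0] != "NAGPreflightUrls":
        raise ValueError("not a NAGPreflightUrls line")
    return parts[1:]


def is_preflight(headers):
    """Both Origin and Access-Control-Request-Method must be present."""
    names = {name.lower() for name in headers}
    return "origin" in names and "access-control-request-method" in names


def effective_patterns(parent, child):
    """The child's list wins; the parent's is used only if the child has none."""
    return child if child else parent


def matches_preflight_url(path, headers, parent, child=None):
    """True when the request is a preflight and its path matches a pattern."""
    if not is_preflight(headers):
        return False
    # Assumption: unanchored search, so ^ and $ in the option do the anchoring.
    return any(re.search(p, path) for p in effective_patterns(parent, child or []))


# Parent value is the example from the table; the child value is constructed.
PARENT = parse_option("NAGPreflightUrls ^/sample$ ^/test.*")
CHILD = parse_option("NAGPreflightUrls ^/api/v1/.*")
# Constructed preflight request headers.
PREFLIGHT = {"Origin": "https://app.example.com",
             "Access-Control-Request-Method": "POST"}

if __name__ == "__main__":
    for path in ("/sample", "/sample/x", "/test/abc", "/testing-admin"):
        print(path, matches_preflight_url(path, PREFLIGHT, PARENT))
```

Under this model `^/test.*` also matches `/testing-admin`, so a pattern meant for one directory is better written as `^/test/.*`.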

For the list of global advanced options, see Table 4-1.
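
The SSLProtocol and SSLProxyProtocol rows of Table 4-2 accept SSLv3, TLSv1 and TLSv1.1, which RFC 7568 and RFC 8996 deprecate, so it is worth checking which protocols a proxy service's Advanced Options text actually enables. The following is an added example, not part of the product: the function names and sample text are constructed, and it assumes mod_ssl-style evaluation in which tokens apply left to right, a bare protocol name replaces the set, and the last active line for a directive wins.

```python
# Accepted values listed in Table 4-2; "all" expands to every one of them.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Review policy assumed here: SSLv3 (RFC 7568), TLSv1 and TLSv1.1 (RFC 8996).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVES = ("SSLProtocol", "SSLProxyProtocol")


def effective_protocols(tokens):
    """Apply [+-]protocol tokens left to right; a bare name replaces the set."""
    by_name = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        if key != "all" and key not in by_name:
            raise ValueError(f"unknown protocol {tok!r}")
        chosen = set(PROTOCOLS) if key == "all" else {by_name[key]}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled


def audit(advanced_options):
    """Map each active directive to the deprecated protocols it enables."""
    findings = {}
    for line in advanced_options.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):  # '#' in front disables it
            continue
        if parts[0] in DIRECTIVES:
            weak = effective_protocols(parts[1:]) & DEPRECATED
            findings[parts[0]] = sorted(weak)  # assumption: last line wins
    return findings


# Constructed sample of a proxy service's Advanced Options text.
SAMPLE = """\
#NAGHostOptions mangleCookies=on
SSLProtocol +SSLv3
#SSLProxyProtocol all
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```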