10.3 Configuring the Connector for Simple Proxy

Each connector for Simple Proxy can protect only a single web location. If the connector is set to protect the document root, then users can access all files served by the website. If the connector is set to protect a path under the document root, users can access only those files that reside in the path or its subdirectories.

The connector protects access to the web service based on its Appmarks settings. You can allow public access so that all users have access to the web service. Alternatively, you can deny public access and grant access only to users in specific identity source roles by mapping authorization policies for them. Authorization policies dynamically control which appmarks are visible on the landing page for a user after authentication. The policies also enforce access when a user attempts to reach a protected resource through an appmark, or when the user browses directly to the website.

To configure the connector for Simple Proxy:

  1. Log in as an administrator to the CloudAccess administration console:

    https://appliance_dns_name/appliance/index.html
    
  2. Drag and drop the connector for Simple Proxy from the Applications palette to the Applications panel.

    The Configuration window opens automatically for the initial configuration. To view or reconfigure the settings later, click the connector icon, then click Configure.

  3. In the Configuration window on the Configuration tab, provide the following information:

    Display name: Specify the display name for the reverse proxy service. This name is also the default name of the appmark that appears in the user interface.

    Local path: Specify a unique path on the appliance that will be used in the URL to associate traffic for the remote web service, such as /myservice or servicexyz. The path will be appended to the DNS name of the cluster for accessing the resource, and will be removed from the request before forwarding it to the web server.

    The local path must be unique across all connectors for Simple Proxy that you configure on the appliance. You can use alphanumeric characters a to z and 0 to 9, forward slashes (/), hyphens (-), and underscores (_). Spaces, uppercase characters, and other special characters are not supported. The path is not case sensitive. There is no length limit, but you should consider length restrictions for URLs and file system pathnames when you specify the character string.

    Connects to: Specify the URL of the destination web service that you want to protect.

    You can use HTTP (not secure) or HTTPS (secure) in the URL, depending on requirements of the web server. If you use HTTPS, the value that you specify for the DNS name or IP address must match the CN in the web server's SSL certificate. The connector automatically finds the SSL certificate and installs it for you if the URL uses HTTPS.

    You can specify the IP address or DNS name of the web server. Specify the port number if it is needed to access the location.

    Do one of the following:

    • Specify the root of the web server in order to protect all resources in the document root of the web server, including its subdirectories and their content.

      For example, you can specify the URL in any of the following formats:

      http://10.20.30.40
      http://10.20.30.40:8080
      https://myweb.example.com
      https://myweb.example.com:8443
      
    • Specify a path within the document root of the web server in order to protect only the resources in that path, including its subdirectories and their content.

      For example, you can specify the URL in any of the following formats:

      http://10.20.30.40/path_to_protect
      http://10.20.30.40:8080/path_to_protect
      https://myweb.example.com/path_to_protect
      https://myweb.example.com:8443/path_to_protect
      

    Inject Identity in Query: Select this option to include the user identity attributes in the query strings that are sent to the Connects to URL. For more information, see Section 10.2, Viewing or Customizing the Attributes for Identity Injection.

    WARNING: Injecting attributes in the query string could exceed the maximum URL length of 2083 characters.

    Inject Identity in Headers: Select this option to include the user identity attributes in the headers that are sent to the Connects to URL. For more information, see Section 10.2, Viewing or Customizing the Attributes for Identity Injection.

  4. Expand Advanced Options, then configure the Rewriter Options:

    The rewriter parses the web content that passes through the appliance and searches it for URL references that qualify to be rewritten. The following options control which references qualify:

    Strip Local path from query string: Enables URL references specified in the query strings to be rewritten with the published DNS name.

    Strip Local path from POST data: Enables URL references specified in the post data to be rewritten with the published DNS name.

    Strip Local path from REFERRER header: Enables URL references specified in the referrer headers to be rewritten with the published DNS name.

    Alternative Host Names: URL references that match entries in this list are rewritten with the published DNS name. You can use any of the following formats. The entries are not case sensitive.

    site.example.com
    myhostname
    10.10.2.10
    http://<dns_name_or_ip_address>
    http://<dns_name_or_ip_address>:port
    https://<dns_name_or_ip_address>
    https://<dns_name_or_ip_address>:port
    

    You need to include names in this list if your web servers have the following configurations:

    • If you have a cluster of web servers that do not share the same DNS name, you need to add each server's DNS name to this list.

    • If your web server obtains content from another web server, the DNS name for this additional web server needs to be added to the list.

    • If the web server listens on one port (for example, 80), and redirects the request to a secure port (for example, 443), the DNS name needs to be added to the list. This allows the response to be sent in the format that the user expects.

    • If an application is written to use a private hostname, you need to add the private hostname to the list. For example, http://<hostname>/index.html.

  5. Click the Appmarks tab, then review and edit the default settings for the appmark.

  6. Click OK to save the configuration.

  7. On the Admin page, click Apply to commit the changes to the appliance.

  8. Wait until the configuration changes have been applied on each node of the CloudAccess cluster.

  9. (Conditional) If Public access is disabled, click Policy in the toolbar, then perform policy mapping to specify entitlements for identity source roles (groups).

    For more information, see Mapping Authorizations in the NetIQ® CloudAccess and MobileAccess Installation and Configuration Guide.
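The following Python model is an added example, not code from NetIQ CloudAccess, and illustrates the rules stated in steps 3 and 4: validating the Local path, removing the local path from a request before forwarding it to the Connects to URL, refusing a query-string identity injection that would exceed 2083 characters, and rewriting references to the hosts in the Alternative Host Names list with the published DNS name. The cluster DNS name, local path, Connects to URL, alternative hosts, identity attribute and HTML fragment are constructed sample data; the normalisation of the local path to a leading slash and the use of HTTPS plus the local path in rewritten links are assumptions about the appliance's behaviour, not statements from this page.

```python
# Added example (not NetIQ code): a small model of the connector rules in
# steps 3 and 4. All host names, paths, URLs and HTML below are constructed.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MAX_URL_LEN = 2083                              # limit cited in the WARNING
LOCAL_PATH_RE = re.compile(r"^[a-z0-9/_-]+$")   # a-z, 0-9, '/', '-', '_' only


def validate_local_path(path, existing=()):
    """Return the local path normalised to a leading '/' (assumption: both
    '/myservice' and 'servicexyz' are accepted, as the page shows) or raise
    ValueError when it breaks a rule from step 3."""
    if not path:
        raise ValueError("local path is required")
    if not LOCAL_PATH_RE.fullmatch(path):
        # rejects spaces, uppercase letters and other special characters
        raise ValueError(f"unsupported character in local path {path!r}")
    norm = "/" + path.strip("/")
    if norm == "/":
        raise ValueError("local path must contain at least one segment")
    if norm in {"/" + e.strip("/") for e in existing}:
        raise ValueError(f"local path {norm!r} is used by another connector")
    return norm


def local_path_error(path, existing=()):
    """Return the rule violation for a local path, or None if it is valid."""
    try:
        validate_local_path(path, existing)
        return None
    except ValueError as exc:
        return str(exc)


def forward_url(request_url, published_dns, local_path, connects_to):
    """Map a request on the published DNS name to the URL sent to the web
    server: the local path is removed and the remainder is appended to the
    Connects to URL; the query string is passed through unchanged."""
    req = urlsplit(request_url)
    if req.netloc.lower() != published_dns.lower():
        raise ValueError("request is not addressed to the published DNS name")
    prefix = local_path.rstrip("/")
    if req.path != prefix and not req.path.startswith(prefix + "/"):
        raise ValueError("request path is outside this connector's local path")
    rest = req.path[len(prefix):] or "/"
    dest = urlsplit(connects_to)
    return urlunsplit((dest.scheme, dest.netloc, dest.path.rstrip("/") + rest,
                       req.query, ""))


def inject_identity_in_query(url, attributes):
    """Append identity attributes to the query string and refuse the request
    when the resulting URL would exceed MAX_URL_LEN characters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True) + list(attributes.items())
    new_url = urlunsplit(parts._replace(query=urlencode(pairs)))
    if len(new_url) > MAX_URL_LEN:
        raise ValueError(f"URL is {len(new_url)} characters, over {MAX_URL_LEN}")
    return new_url


def alternative_host_pattern(entries):
    """Compile the Alternative Host Names list into one case-insensitive regex.
    A bare host name or IP matches either scheme and any port (assumption);
    an entry written as http[s]://host[:port] matches only that form."""
    alternatives = []
    for entry in entries:
        entry = entry.strip()
        if re.match(r"https?://", entry, re.I):
            u = urlsplit(entry)
            alternatives.append(re.escape(u.scheme) + "://" + re.escape(u.netloc))
        else:
            alternatives.append(r"https?://" + re.escape(entry) + r"(?::\d+)?")
    # the lookahead keeps 'http://host' from matching inside 'http://host:8080'
    return re.compile("(?:" + "|".join(alternatives) + r")(?=[/?#'\"\s<]|$)", re.I)


def rewrite_references(content, alternative_hosts, published_dns, local_path):
    """Rewrite references to the back-end hosts so the browser keeps talking
    to the appliance (assumption: HTTPS on the published DNS name, with the
    local path prepended so the link routes to this connector)."""
    replacement = "https://" + published_dns + local_path.rstrip("/")
    return alternative_host_pattern(alternative_hosts).sub(lambda _: replacement, content)


# Constructed sample configuration and content
PUBLISHED_DNS = "cloudaccess.example.com"
LOCAL_PATH = validate_local_path("/myservice", existing=["/hr-portal"])
CONNECTS_TO = "https://myweb.example.com:8443/path_to_protect"
ALT_HOSTS = ["site.example.com", "10.10.2.10", "http://myweb.example.com:8080"]
SAMPLE_HTML = ('<a href="http://10.10.2.10:8080/docs/index.html">docs</a>\n'
               '<img src="https://site.example.com/img/logo.png">\n'
               '<a href="http://myweb.example.com:9090/other">untouched</a>')


def demo():
    """Run the rules over the sample data; returns (upstream, injected, rewritten)."""
    upstream = forward_url(f"https://{PUBLISHED_DNS}/myservice/docs/a.html?v=1",
                           PUBLISHED_DNS, LOCAL_PATH, CONNECTS_TO)
    injected = inject_identity_in_query(upstream, {"mail": "jane@example.com"})
    rewritten = rewrite_references(SAMPLE_HTML, ALT_HOSTS, PUBLISHED_DNS, LOCAL_PATH)
    return upstream, injected, rewritten


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the script forwards `/myservice/docs/a.html?v=1` to `https://myweb.example.com:8443/path_to_protect/docs/a.html?v=1`, appends the identity attribute to that query string, and rewrites the two links that match the alternative host list while leaving the `:9090` link alone, because the list entry for that host names port 8080 explicitly.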