You can configure a Mobile Access gateway to be a reverse proxy for Web Applications on your servers. Reverse proxy users browse to a URL that is resolved to the gateway IP address. Then the gateway passes the request to an internal server, based on the Reverse Proxy rules. This lets external clients access resources on internal servers, while the internal addresses of the servers are hidden.
Configure the reverse proxy with rules that:
By default, reverse proxy is disabled. Enable and configure it in the CLI.
In CLI, you can:
Note - After each change in the Reverse Proxy rules that you make in the CLI, you MUST run this to apply the changes: ReverseProxyCLI apply config
Description: Configure reverse proxy.
Syntax: ReverseProxyCLI [on | off | show [rules | applications] | add [rule | application] | edit rule | delete rule | apply config]
Parameters
Parameter | Description
on | Turn reverse proxy on.
off | Turn reverse proxy off.
show rules, show applications | Show the reverse proxy rules and applications.
add rule, add application | Add a reverse proxy rule or application. The Add rule command runs in interactive mode. Select actions as prompted. Note that for external hostname and internal hostname, when you enter the URL, you can specify: The Add application command adds a set of one or more reverse proxy
edit rule | Edit a reverse proxy rule. This command option runs in interactive mode. Select actions as prompted.
delete rule | Delete a reverse proxy rule.
apply config | Apply the reverse proxy configuration changes. Note - To apply reverse proxy rule configuration changes, you must run the apply command at the end of each configuration session.
Important Notes:
https://<gateway ip>/ with a "/" at the end, you MUST change the URL OR port. For example, change the URL to https://<gateway ip>/gaia or change the port to 4434.
To change the Gaia portal URL:
If you do not change either the URL or the port, the Gaia portal will not be accessible.
For complete examples and advanced CLI and XML configuration, see sk110348.
You can troubleshoot the reverse proxy through standard Check Point monitoring tools, such as SmartLog.
Note - The destination is not shown in logs.
For advanced troubleshooting instructions, contact Check Point Technical Support.
To configure reverse proxy to send traffic logs:
OR
The logs are available in SmartLog > Mobile Access logs.
Identify Reverse Proxy logs by these criteria:
The Access section of the log can show:
To allow a blocked URL:
ReverseProxyCLI show rules
ReverseProxyCLI show applications
OR ReverseProxyCLI show rules
in the Internal Server column. Make sure that this hostname can be resolved from the gateway. To do this, run nslookup on the host to see that the gateway can resolve it.
To turn on debugging for reverse proxy:
In the /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_common.conf file, change the ReverseProxyHandlerTraceLog parameter from Off to On. See the reverse proxy trace logs in: /opt/CPcvpn-R80/log/trace_log/
In the /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_ssl.conf file, change the LogLevel parameter from emerg to debug, for HTTPS. See the log files for HTTPS: $CVPNDIR/log/reverseproxy_ssl_debug_log
In the /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_clear.conf file, change the LogLevel parameter from emerg to debug, for HTTP. See the log files for HTTP: $CVPNDIR/log/reverseproxy_debug_log
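As an added example (not Check Point's own tooling), the shell functions below make the three debug changes above in one step and revert them afterwards. They assume CVPNDIR is /opt/CPcvpn-R80 as on this page, and that each directive appears uncommented, one per line, in the files named above.

```shell
#!/bin/bash
# Added example, not part of the Check Point product: switch the reverse proxy
# debug directives from this page on and off, keeping a backup of each file.
# Assumption: CVPNDIR is the Mobile Access directory (/opt/CPcvpn-R80 on this page).
CVPNDIR="${CVPNDIR:-/opt/CPcvpn-R80}"
RP_CONF="$CVPNDIR/conf/ReverseProxy_conf"

# set_directive FILE NAME VALUE
# Rewrites the first uncommented "NAME <old>" line to "NAME VALUE".
# Returns 1 if the file is missing and 2 if the directive is not in the file,
# so a mistyped name never silently leaves debug logging in the wrong state.
set_directive() {
    file="$1"; name="$2"; value="$3"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    grep -Eq "^[[:space:]]*$name[[:space:]]" "$file" ||
        { echo "no $name directive in $file" >&2; return 2; }
    cp -p "$file" "$file.bak" || return 1      # copy to restore from if needed
    sed -i -E "s/^([[:space:]]*$name[[:space:]]+)[^[:space:]#]+/\1$value/" "$file"
}

# get_directive FILE NAME: print the current value of an uncommented directive.
get_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# rp_debug on|off: apply all three changes from the page together, so the HTTPS
# listener, the HTTP listener and the handler trace never end up in different states.
rp_debug() {
    case "$1" in
        on)  trace=On;  level=debug ;;
        off) trace=Off; level=emerg ;;
        *)   echo "usage: rp_debug on|off" >&2; return 1 ;;
    esac
    set_directive "$RP_CONF/httpd_common.conf" ReverseProxyHandlerTraceLog "$trace" &&
    set_directive "$RP_CONF/httpd_ssl.conf"    LogLevel "$level" &&
    set_directive "$RP_CONF/httpd_clear.conf"  LogLevel "$level"
}
```

Run rp_debug off when the investigation is finished: LogLevel debug on both listeners is verbose and should not stay enabled on a production gateway.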
To enable cvpnd logs:
Run: cvpnd_admin debug set TDERROR_ALL_ALL=5
Log file: $CVPNDIR/log/cvpnd.elg
To disable, run: cvpnd_admin debug off
To make sure that reverse proxy processes are running:
Run: ps -ef | grep httpd
The output shows the httpd processes that use ReverseProxySSL/httpd.conf (for HTTPS) and ReverseProxyClear/httpd.conf (for HTTP).
Use ReverseProxyCLI to add all rules to one member, and then synchronize the rules with the other members.
To synchronize reverse proxy rules between cluster members:
Copy the file $CVPNDIR/conf/ReverseProxy_conf/ReverseProxyConf.xml from the configured member to the same directory ($CVPNDIR/conf/ReverseProxy_conf/) on the other members.
Then run: ReverseProxyCLI apply config