Reverse Proxy

In This Section: Configuring Reverse Proxy Troubleshooting Reverse Proxy Reverse Proxy Known Limitations

You can configure a Mobile Access gateway to be a reverse proxy for Web Applications on your servers. Reverse proxy users browse to a URL that is resolved to the gateway IP address. Then the gateway passes the request to an internal server, based on the Reverse Proxy rules. This lets external clients access resources on internal servers, while the internal addresses of the servers are hidden.

Configure the reverse proxy with rules that:

• Map the external addresses of the internal servers to their real network addresses.
• Give permission to external clients to access specified resources on the servers.
• Define if the connections between users and resources use HTTP or HTTPS.

By default, reverse proxy is disabled. Enable and configure it in the CLI.

Configuring Reverse Proxy

In CLI, you can:

• Enable or disable reverse proxy.
• Show the reverse proxy rules and applications.
• Add a new rule or an application.
• Edit an existing rule.
• Delete a rule.
• Apply reverse proxy rule configuration changes.

Note - After each change in the Reverse Proxy rules that you make in the CLI, you MUST run this to apply the changes: ReverseProxyCLI apply config

Description	Configure reverse proxy.
Syntax	ReverseProxyCLI {on | off | show {rules|applications} | add {rule <rule_name> | application <app_name> {capsule_docs | outlook_anywhere} <ext_hostname> <int_hostname>} | edit rule <rule_name> | remove rule <rule_name> | apply config}

Parameters

Parameter	Description
on	Turn reverse proxy on.
off	Turn reverse proxy off.
show {rules|applications}	Show the reverse proxy rules and applications.
add {rule <rule_name> | application <app_name> {capsule_docs | lync | outlook_anywhere} <ext_hostname> <int_hostname>}	Add a reverse proxy rule or application. The Add rule command runs in interactive mode. Select actions as prompted. Note that for external hostname and internal hostname, when you enter the URL, you can specify: - The protocol: http or https - The internal port The Add application command adds a set of one or more reverse proxy rules that allows access to supported internal applications. The supported applications are: Outlook Anywhere and Capsule Docs.
edit rule <rule_name>	Edit a reverse proxy rule. This command option runs in interactive mode. Select actions as prompted.
remove rule <rule_name>	Delete a reverse proxy rule.
apply config	Apply the reverse proxy configuration changes. Note - To apply reverse proxy rule configuration changes, you must run the apply command at the end of each configuration session.

Important Notes:

• The external ports allowed through the reverse proxy are 80 and 443. All internal ports are allowed.
• For Gaia: If the Gaia portal of the Mobile Access Security Gateway is on port 443 AND at https://<gateway ip>/ with a "/" at the end, you MUST change the URL OR port. For example, change the URL to https://<gateway ip>/gaia or change the port to 4434.

  To change the Gaia portal URL:

  1. In the Gateway Properties tree, select Platform Portal and change the Main URL.
  2. Install policy.

  If you do not change either the URL or the port, the Gaia portal will not be accessible.

For complete examples and advanced CLI and XML configuration, see sk110348.

Troubleshooting Reverse Proxy

You can troubleshoot the reverse proxy through standard Check Point monitoring tools, such as SmartLog.

Note - The destination is not shown in logs.

For advanced troubleshooting instructions, contact Check Point Technical Support.

To configure reverse proxy to send traffic logs:

1. In SmartDashboard > Mobile Access tab, go to Additional Settings > Logging.
2. In the Tracking area, select Log Access for Web Applications, and select events to log:
   • Unsuccessful access events (Denied and Failed logs)

     OR

   • All access events (Allowed, Denied and Failed logs)
3. Install Policy.

The logs are available in SmartLog > Mobile Access logs.

Identify Reverse Proxy logs by these criteria:

• Category: Mobile Access
• Application: Reverse Proxy

The Access section of the log can show:

• Allowed - Authorized URL - The Reverse Proxy allowed the URL request (only shows if the All access events logging option is configured).
• Denied - Unauthorized URL - The Reverse Proxy blocked the URL request. If this is a mistake, you can allow the URL.

  To allow a blocked URL:

  • In the command line, run: ReverseProxyCLI show rules
  • Look in the relevant rule in the Paths column, find the path that is unauthorized in the log, and add the path that was blocked to the rule.
• Failed - The Reverse Proxy failed to forward the request for the EPS with one of these messages:
  • Internal Server Error - The internal server aborted the connection with the gateway. Make sure the server is up and running.
  • Proxy not found -The given proxy host could not be resolved.
  • Can't resolve host name - The <internal_host> configured in your application or rule cannot be resolved. You can see it in: ReverseProxyCLI show applications OR ReverseProxyCLI show rules in the Internal Server column. Make sure that this hostname can be resolved from the gateway. To do this, run nslookup on the host to see that the gateway can resolve it.
  • Internal host connection failed - Failed to connect to the internal server, make sure the server is up and running.
  • Invalid URL -The URL from the gateway to the internal server was not formatted correctly.
  • SSL handshake failed - A problem occurred somewhere in the SSL/TLS handshake between the gateway and the internal server.
  • Server response was too slow - Operation timeout
  • Page not found

To turn on debugging for reverse proxy:

1. In /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_common.conf file > ReverseProxyHandlerTraceLog parameter, change Off to On.

   See the reverse proxy trace logs in: /opt/CPcvpn-R80/log/trace_log/

2. In /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_ssl.conf file > LogLevel parameter, change emerg to debug, for HTTPS.

   See the log files for HTTPS: $CVPNDIR/log/reverseproxy_ssl_debug_log

3. In /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_clear.conf file > LogLevel parameter, change emerg to debug, for HTTP.

   See the log files for HTTP: $CVPNDIR/log/reverseproxy_debug_log

To enable cvpnd logs:

1. Run: cvpnd_admin debug set TDERROR_ALL_ALL=5
2. See the logs in: $CVPNDIR/log/cvpnd.elg

To disable, run: cvpnd_admin debug off

To make sure that reverse proxy processes are running:

1. Run: ps –ef | grep httpd
2. In the output, find: ReverseProxySSL/httpd.conf (for HTTPS) and ReverseProxyClear/httpd.conf (for HTTP).

Reverse Proxy Known Limitations

• Not supported at this time:
  • No GUI (SmartDashboard).
  • No Access control on user level.
  • No granularity of networks or interfaces.
  • No link translation on sites returned with Reverse Proxy.
• If the Mobile Access policy contains applications configured with the Host Translation link translation method, the host names in these applications must be different from the names of the hosts in the communication through the Reverse Proxy.
• Reverse proxy has one certificate for SSL termination. To support multiple web servers over HTTPS, the certificate must be a wild card certificate, or it must use Subject Alternate Names (SAN).
• Lync (Skype for Business) is not supported.
• When you configure reverse proxy on cluster, the rules are not synchronized automatically between members. Best Practice - Use ReverseProxyCLI to add all rules to one member, and then synchronize the rules with the other members.

  To synchronize reverse proxy rules between cluster members:

  1. In $CVPNDIR/conf/ReverseProxy_conf/, copy the file $CVPNDIR/conf/ReverseProxy_conf/ReverseProxyConf.xml from the configured member to other members.
  2. Apply the configuration on each member. Run: ReverseProxyCLI apply config