Print Download PDF Send Feedback

Previous

Next

Reverse Proxy

In This Section:

Configuring Reverse Proxy

Troubleshooting Reverse Proxy

Reverse Proxy Known Limitations

You can configure a Mobile Access gateway to be a reverse proxy for Web Applications on your servers. Reverse proxy users browse to a URL that is resolved to the gateway IP address. Then the gateway passes the request to an internal server, based on the Reverse Proxy rules. This lets external clients access resources on internal servers, while the internal addresses of the servers are hidden.

Configure the reverse proxy with rules that:

By default, reverse proxy is disabled. Enable and configure it in the CLI.

Configuring Reverse Proxy

In CLI, you can:

Note - After each change in the Reverse Proxy rules that you make in the CLI, you MUST run this to apply the changes: ReverseProxyCLI apply config

Description

Configure reverse proxy.

Syntax

ReverseProxyCLI {on | off | show {rules|applications} | add {rule <rule_name> | application <app_name> {capsule_docs | outlook_anywhere} <ext_hostname> <int_hostname>} | edit rule <rule_name> | remove rule <rule_name> | apply config}

Parameters

Parameter

Description

on

Turn reverse proxy on.

off

Turn reverse proxy off.

show {rules|applications}

Show the reverse proxy rules and applications.

add {rule <rule_name> | application <app_name> {capsule_docs | lync | outlook_anywhere} <ext_hostname> <int_hostname>}

Add a reverse proxy rule or application.

The Add rule command runs in interactive mode. Select actions as prompted. Note that for external hostname and internal hostname, when you enter the URL, you can specify:
- The protocol: http or https
- The internal port

The Add application command adds a set of one or more reverse proxy rules that allows access to supported internal applications. The supported applications are: Outlook Anywhere and Capsule Docs.

edit rule <rule_name>

Edit a reverse proxy rule. This command option runs in interactive mode. Select actions as prompted.

remove rule <rule_name>

Delete a reverse proxy rule.

apply config

Apply the reverse proxy configuration changes.

Note - To apply reverse proxy rule configuration changes, you must run the apply command at the end of each configuration session.

Important Notes:

For complete examples and advanced CLI and XML configuration, see sk110348.

Troubleshooting Reverse Proxy

You can troubleshoot the reverse proxy through standard Check Point monitoring tools, such as SmartLog.

Note - The destination is not shown in logs.

For advanced troubleshooting instructions, contact Check Point Technical Support.

To configure reverse proxy to send traffic logs:

  1. In SmartDashboard > Mobile Access tab, go to Additional Settings > Logging.
  2. In the Tracking area, select Log Access for Web Applications, and select events to log:
    • Unsuccessful access events (Denied and Failed logs)

      OR

    • All access events (Allowed, Denied and Failed logs)
  3. Install Policy.

The logs are available in SmartLog > Mobile Access logs.

Identify Reverse Proxy logs by these criteria:

The Access section of the log can show:

To turn on debugging for reverse proxy:

  1. In /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_common.conf file > ReverseProxyHandlerTraceLog parameter, change Off to On.

    See the reverse proxy trace logs in: /opt/CPcvpn-R80/log/trace_log/

  2. In /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_ssl.conf file > LogLevel parameter, change emerg to debug, for HTTPS.

    See the log files for HTTPS: $CVPNDIR/log/reverseproxy_ssl_debug_log

  3. In /opt/CPcvpn-R80/conf/ReverseProxy_conf/httpd_clear.conf file > LogLevel parameter, change emerg to debug, for HTTP.

    See the log files for HTTP: $CVPNDIR/log/reverseproxy_debug_log

To enable cvpnd logs:

  1. Run: cvpnd_admin debug set TDERROR_ALL_ALL=5
  2. See the logs in: $CVPNDIR/log/cvpnd.elg

To disable, run: cvpnd_admin debug off

To make sure that reverse proxy processes are running:

  1. Run: ps –ef | grep httpd
  2. In the output, find: ReverseProxySSL/httpd.conf (for HTTPS) and ReverseProxyClear/httpd.conf (for HTTP).

Reverse Proxy Known Limitations