Reverse Proxy
You can configure a Mobile Access Security Gateway to be a reverse proxy for Web Applications on your internal servers. Reverse proxy users browse to a URL that resolves to the Security Gateway IP address. The Security Gateway then passes the request to an internal server, based on the Reverse Proxy rules. This lets external clients access resources on internal servers while the real addresses of those servers stay hidden.
Configure the reverse proxy with rules that:
- Map the external addresses of the internal servers to their real network addresses.
- Give permission to external clients to access specified resources on the servers.
- Define whether the connections between users and resources use HTTP or HTTPS.
By default, reverse proxy is disabled. Enable and configure it in the CLI.
Configuring Reverse Proxy
In CLI, you can:
- Enable or disable reverse proxy.
- Show the reverse proxy rules and applications.
- Add a new rule or an application.
- Edit an existing rule.
- Delete a rule.
- Apply reverse proxy rule configuration changes.
Note - After each change in the Reverse Proxy rules that you make in the CLI, you MUST run this to apply the changes: ReverseProxyCLI apply config
Syntax
ReverseProxyCLI {on | off | show {rules|applications} | add {rule <rule_name> | application <app_name> {capsule_docs | outlook_anywhere} <ext_hostname> <int_hostname>} | edit rule <rule_name> | remove rule <rule_name> | apply config}
Parameters
Parameter | Description
---|---
on | Enable the reverse proxy.
off | Disable the reverse proxy.
show {rules \| applications} | Show the reverse proxy rules and applications.
add rule <rule_name> | Add a reverse proxy rule. This command runs in interactive mode. Select actions as prompted. Note that for external hostname and internal hostname, when you enter the URL, you can specify:
add application <app_name> {capsule_docs \| outlook_anywhere} <ext_hostname> <int_hostname> | Add a set of one or more reverse proxy rules that allows access to a supported internal application. The supported applications are Outlook Anywhere and Capsule Docs.
edit rule <rule_name> | Edit a reverse proxy rule. This command runs in interactive mode. Select actions as prompted.
remove rule <rule_name> | Delete a reverse proxy rule.
apply config | Apply the reverse proxy configuration changes. Note - You must run this command at the end of each configuration session; until you do, the changes are not in effect.
Important Notes:
- The external ports allowed through the reverse proxy are 80 and 443. All internal ports are allowed.
- If the Gaia Portal of the Mobile Access Security Gateway is:
  https://<IP Address of Security Gateway>/
  with a "/" at the end, you MUST change either the URL or the port, because the reverse proxy listens on ports 80 and 443 of the Security Gateway and would otherwise collide with the Portal at the root path. For example, change the URL to one of these:
  - https://<IP Address of Security Gateway>/gaia
  - https://<IP Address of Security Gateway>:4434
  To change the Gaia Portal URL:
  - In the Security Gateway object, click Platform Portal.
  - Change the Main URL.
  - Click OK.
  - Install policy.
  If you do not change either the URL or the port, the Gaia Portal is not accessible.
- For complete examples and advanced CLI and XML configuration, see sk110348.
Troubleshooting Reverse Proxy
You can troubleshoot the reverse proxy through standard Check Point monitoring tools, such as SmartLog.
Note - The destination is not shown in logs.
For advanced troubleshooting instructions, contact Check Point Technical Support.
To configure reverse proxy to send traffic logs:
- In SmartDashboard > Mobile Access tab, go to Additional Settings > Logging.
- In the Tracking area, select Log Access for Web Applications, and select one of the events to log:
  - Unsuccessful access events (Denied and Failed logs)
  - All access events (Allowed, Denied and Failed logs)
- Install Policy.
The logs are available in SmartLog > Mobile Access logs.
Identify Reverse Proxy logs by these criteria:
- Category: Mobile Access
- Application: Reverse Proxy
The Access section of the log can show:
- Allowed - Authorized URL - The Reverse Proxy allowed the URL request (shown only if the All access events logging option is configured).
- Denied - Unauthorized URL - The Reverse Proxy blocked the URL request. If this is a mistake, you can allow the URL.
To allow a blocked URL:
- In the command line, run:
  ReverseProxyCLI show rules
- In the relevant rule, look in the Paths column, find the path that the log reports as unauthorized, and add that path to the rule with ReverseProxyCLI edit rule <rule_name>. Then run ReverseProxyCLI apply config so the change takes effect.
- Failed - The Reverse Proxy failed to forward the request to the internal server, with one of these messages:
  - Internal Server Error - The internal server aborted the connection with the Security Gateway. Make sure the server is up and running.
  - Proxy not found - The given proxy host could not be resolved.
  - Can't resolve host name - The <internal_host> configured in your application or rule cannot be resolved. You can see it in the Internal Server column in the output of one of these commands:
    - ReverseProxyCLI show applications
    - ReverseProxyCLI show rules
    Make sure that this hostname can be resolved from the Security Gateway. To check this, run nslookup <internal_host> on the Security Gateway itself, because it is the Security Gateway, not the client, that must resolve the name.
  - Internal host connection failed - Failed to connect to the internal server. Make sure the server is up and running.
  - Invalid URL - The URL from the Security Gateway to the internal server was not formatted correctly.
  - SSL handshake failed - A problem occurred somewhere in the SSL/TLS handshake between the Security Gateway and the internal server.
  - Server response was too slow - Operation timeout.
  - Page not found
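The log criteria and Access values above lend themselves to a first triage pass over an exported batch of logs: which URLs were denied (candidates to add to a rule, per the procedure above) and which Failed messages occurred how often (which check to run next). The script below is an added example, not from this page or from Check Point. Its export format is an assumption: one record per line as semicolon-separated key=value fields named category, application, access and url; the records in rp_sample_logs are constructed. Map the field names to the column names of your own SmartLog export.

```shell
#!/bin/bash
# rp_log_triage.sh - added example, not part of the Check Point page or product.
# Assumption: log records exported one per line as key=value;key=value;...
# with fields "category", "application", "access" and "url".

# Read records from stdin (or from the files given as arguments) and print:
#   allowed <count>
#   denied  <count> <url>      - candidate paths for "ReverseProxyCLI edit rule"
#   failed  <count> <message>  - Failed messages, most frequent first
rp_log_triage() {
    awk '
    BEGIN { FS = ";" }
    {
        cat = ""; app = ""; access = ""; url = ""
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")               # split on the first "=" only: URLs may contain "="
            if (p == 0) continue
            k = substr($i, 1, p - 1); v = substr($i, p + 1)
            if (k == "category") cat = v
            else if (k == "application") app = v
            else if (k == "access") access = v
            else if (k == "url") url = v
        }
        # The two criteria from the text: Category and Application.
        if (cat != "Mobile Access" || app != "Reverse Proxy") next
        sp = index(access, " ")
        kind = tolower(sp ? substr(access, 1, sp - 1) : access)
        if (kind == "allowed") allowed++
        else if (kind == "denied") denied[url]++
        else if (kind == "failed") {
            d = index(access, " - ")          # "Failed - <message>"
            failed[d ? substr(access, d + 3) : access]++
        }
    }
    END {
        if (allowed) print "allowed", allowed
        for (u in denied) print "denied", denied[u], u
        for (m in failed) print "failed", failed[m], m
    }' "$@" | sort -k1,1 -k2,2nr -k3
}

# Constructed sample records (not real logs). The Firewall record is there to
# show the Category/Application filter dropping unrelated traffic.
rp_sample_logs() {
    cat <<'EOF'
time=2024-05-01T10:00:01;category=Mobile Access;application=Reverse Proxy;access=Denied - Unauthorized URL;url=https://portal.example.com/owa/
time=2024-05-01T10:00:02;category=Mobile Access;application=Reverse Proxy;access=Denied - Unauthorized URL;url=https://portal.example.com/owa/
time=2024-05-01T10:00:03;category=Mobile Access;application=Reverse Proxy;access=Denied - Unauthorized URL;url=https://portal.example.com/ecp/
time=2024-05-01T10:00:04;category=Mobile Access;application=Reverse Proxy;access=Allowed - Authorized URL;url=https://portal.example.com/owa/auth/logon.aspx?url=1
time=2024-05-01T10:00:05;category=Mobile Access;application=Reverse Proxy;access=Failed - Can't resolve host name;url=https://docs.example.com/
time=2024-05-01T10:00:06;category=Mobile Access;application=Reverse Proxy;access=Failed - Can't resolve host name;url=https://docs.example.com/
time=2024-05-01T10:00:07;category=Mobile Access;application=Reverse Proxy;access=Failed - SSL handshake failed;url=https://hr.example.com/
time=2024-05-01T10:00:08;category=Firewall;application=HTTPS;access=Accept;url=https://example.net/
EOF
}

# Usage on the gateway: rp_log_triage exported_logs.txt
# Try it on the sample:  rp_sample_logs | rp_log_triage
if [ "$#" -gt 0 ]; then rp_log_triage "$@"; fi
```

A denied URL that appears many times for one host is usually a path missing from that host's rule; a denied URL that appears once from many clients is more often a scan and should stay blocked. The Failed counts tell you which of the checks listed above to start with.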
To turn on debugging for reverse proxy:
- In the /opt/CPcvpn-R80.40/conf/ReverseProxy_conf/httpd_common.conf file, find the parameter ReverseProxyHandlerTraceLog and change its value from Off to On. See the reverse proxy trace logs in:
  /opt/CPcvpn-R80.40/log/trace_log/
- For HTTPS: In the /opt/CPcvpn-R80.40/conf/ReverseProxy_conf/httpd_ssl.conf file, find the parameter LogLevel and change its value from emerg to debug. See the log files for HTTPS in:
  $CVPNDIR/log/reverseproxy_ssl_debug_log
- For HTTP: In the /opt/CPcvpn-R80.40/conf/ReverseProxy_conf/httpd_clear.conf file, find the parameter LogLevel and change its value from emerg to debug. See the log files for HTTP in:
  $CVPNDIR/log/reverseproxy_debug_log
Note - Trace and debug logging is verbose and records details of every proxied request. Revert the values to Off and emerg when you finish troubleshooting.
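The three edits above are easy to apply and then forget. The script below is an added example (not from this page or from Check Point) that switches all three settings on as a unit, keeps a backup of each file, and restores the backups on "off", so the gateway is never left with debug logging enabled. It assumes $CVPNDIR is /opt/CPcvpn-R80.40 as on this page; the RP_CONF_DIR override and the .rpdebug.bak suffix are this script's own conventions.

```shell
#!/bin/bash
# rp_debug.sh - added example, not part of the Check Point page or product.
# Assumption: $CVPNDIR is /opt/CPcvpn-R80.40 as on this page. Set RP_CONF_DIR
# to point the functions at a copy of the configuration directory for testing.
RP_CONF_DIR="${RP_CONF_DIR:-${CVPNDIR:-/opt/CPcvpn-R80.40}/conf/ReverseProxy_conf}"

# Set "<directive> <value>" on every line that starts with the directive in an
# Apache-style conf file. Writes through a temp file and back into the
# original so the file's mode and owner are preserved.
rp_set_directive() {
    file=$1; directive=$2; value=$3
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*${directive}[[:space:]]\{1,\}\).*/\1${value}/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"
    rc=$?; rm -f "$tmp"; return $rc
}

# Print the current value of a directive (first match).
rp_get_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

rp_debug() {
    case $1 in
    on)
        # Back up each file once; a second "on" must not overwrite the backup.
        for f in httpd_common.conf httpd_ssl.conf httpd_clear.conf; do
            [ -f "$RP_CONF_DIR/$f.rpdebug.bak" ] \
                || cp -p "$RP_CONF_DIR/$f" "$RP_CONF_DIR/$f.rpdebug.bak" || return 1
        done
        rp_set_directive "$RP_CONF_DIR/httpd_common.conf" ReverseProxyHandlerTraceLog On || return 1
        rp_set_directive "$RP_CONF_DIR/httpd_ssl.conf"    LogLevel debug || return 1
        rp_set_directive "$RP_CONF_DIR/httpd_clear.conf"  LogLevel debug || return 1
        ;;
    off)
        # Restore the exact pre-debug files rather than guessing at defaults.
        for f in httpd_common.conf httpd_ssl.conf httpd_clear.conf; do
            [ -f "$RP_CONF_DIR/$f.rpdebug.bak" ] || { echo "no backup for $f" >&2; return 1; }
            cat "$RP_CONF_DIR/$f.rpdebug.bak" > "$RP_CONF_DIR/$f" \
                && rm -f "$RP_CONF_DIR/$f.rpdebug.bak" || return 1
        done
        ;;
    *) echo "usage: rp_debug on|off" >&2; return 2 ;;
    esac
}

# Usage: rp_debug on   (reproduce the problem, collect the logs)   rp_debug off
if [ "$#" -gt 0 ]; then rp_debug "$1"; fi
```

An Apache-style httpd reads its configuration at startup, and this page does not say how the reverse proxy instances are restarted after the files change, so confirm that step against sk110348 before relying on the new log level. Run rp_debug off as soon as you have what you need: the debug and trace logs record request details for every proxied connection.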
To enable cvpnd logs:
- Run:
  cvpnd_admin debug set TDERROR_ALL_ALL=5
- See the logs in:
  $CVPNDIR/log/cvpnd.elg
To disable, run: cvpnd_admin debug off
To make sure that reverse proxy processes are running:
- Run:
  ps -ef | grep httpd
- In the output, find:
  - For HTTPS: ReverseProxySSL/httpd.conf
  - For HTTP: ReverseProxyClear/httpd.conf
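The process check above and the Failed messages listed earlier (Can't resolve host name, Internal host connection failed, SSL handshake failed) all come down to tests that must be run from the Security Gateway itself, since it is the gateway that resolves and connects to the internal server. The script below is an added example, not from this page or from Check Point, that runs those tests in order for each internal target. It assumes targets are given as scheme://host[:port][/path] (copy them from the Internal Server column of ReverseProxyCLI show rules), that nslookup, openssl and timeout exist in the gateway's expert shell, and it does not handle IPv6 literals.

```shell
#!/bin/bash
# rp_diag.sh - added example, not part of the Check Point page or product.
# Assumptions: targets as scheme://host[:port][/path]; nslookup, openssl and
# timeout available; run from the Security Gateway expert shell.

# Both reverse proxy httpd instances must appear in the ps listing passed as $1
# (passed in rather than read here so the check can be exercised offline).
rp_processes_present() {
    printf '%s\n' "$1" | grep -q 'ReverseProxySSL/httpd.conf' || return 1
    printf '%s\n' "$1" | grep -q 'ReverseProxyClear/httpd.conf' || return 1
}

# Split a target into "scheme host port"; default ports are 80 and 443.
rp_parse_target() {
    url=$1
    case $url in *://*) ;; *) url="http://$url" ;; esac
    scheme=${url%%://*}
    rest=${url#*://}; rest=${rest%%/*}
    host=${rest%%:*}
    if [ "$rest" != "$host" ]; then port=${rest##*:}
    elif [ "$scheme" = https ]; then port=443
    else port=80; fi
    printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# One check per Failed message, each using the gateway's own resolver and routes.
rp_check_dns() { nslookup "$1" >/dev/null 2>&1; }                        # Can't resolve host name
rp_check_tcp() { timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; }   # Internal host connection failed
rp_check_tls() {                                                         # SSL handshake failed
    # s_client prints its session summary only when the handshake completed.
    echo | timeout 10 openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | grep -q 'Verify return code'
}

rp_diag() {
    rc=0
    if rp_processes_present "$(ps -ef)"; then
        echo "OK   httpd: ReverseProxySSL and ReverseProxyClear instances running"
    else
        echo "FAIL httpd: a reverse proxy instance is missing (ReverseProxyCLI on, then apply config?)"; rc=1
    fi
    for target in "$@"; do
        parsed=$(rp_parse_target "$target")
        scheme=${parsed%% *}; rest=${parsed#* }; host=${rest%% *}; port=${rest#* }
        if rp_check_dns "$host"; then echo "OK   dns: $host resolves from this gateway"
        else echo "FAIL dns: $host does not resolve from this gateway (Can't resolve host name)"; rc=1; continue; fi
        if rp_check_tcp "$host" "$port"; then echo "OK   tcp: $host:$port reachable"
        else echo "FAIL tcp: $host:$port unreachable (Internal host connection failed)"; rc=1; continue; fi
        if [ "$scheme" = https ]; then
            if rp_check_tls "$host" "$port"; then echo "OK   tls: handshake with $host:$port completed"
            else echo "FAIL tls: handshake with $host:$port failed (SSL handshake failed)"; rc=1; fi
        fi
    done
    return $rc
}

# Usage: rp_diag https://owa.internal.example http://intranet.internal.example:8080
if [ "$#" -gt 0 ]; then rp_diag "$@"; fi
```

The TLS check only confirms that a handshake completes; a certificate the gateway does not trust still prints a Verify return code, so if the log still reports SSL handshake failed after this passes, look at the certificate chain and the protocol versions the internal server offers.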
Reverse Proxy Known Limitations
- Not supported at this time:
  - No GUI (SmartDashboard).
  - No access control on the user level.
  - No granularity of networks or interfaces.
  - No link translation on sites returned with Reverse Proxy.
- If the Mobile Access policy contains applications configured with the Host Translation link translation method, the host names in these applications must be different from the names of the hosts in the communication through the Reverse Proxy.
- Reverse proxy has one certificate for SSL termination. To support multiple web servers over HTTPS, the certificate must be a wildcard certificate, or it must use Subject Alternative Names (SAN).
- Lync (Skype for Business) is not supported.
- When you configure reverse proxy on a cluster, the rules are not synchronized automatically between members.
  Best Practice - Use ReverseProxyCLI to add all rules to one member, and then synchronize the rules with the other members.
  To synchronize reverse proxy rules between Cluster Members:
  - Copy this file from the configured Cluster Member to the other Cluster Members:
    $CVPNDIR/conf/ReverseProxy_conf/ReverseProxyConf.xml
  - Apply the configuration on each member. Run:
    ReverseProxyCLI apply config
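The two synchronization steps above are a natural candidate for a script run from the configured member, with a checksum check between the copy and the apply so a truncated or stale file is never applied. The script below is an added example and not Check Point's own tooling. It assumes (none of this is stated on the page) that $CVPNDIR is set in the expert shell, that key-based SSH from this member to the others works as the user in SSH_USER, that this user lands in the expert (bash) shell on the remote members so sha256sum and ReverseProxyCLI can be run directly, and that the members' host keys are already in known_hosts; host-key checking is deliberately left on.

```shell
#!/bin/bash
# sync_rp_conf.sh - added example, not Check Point's own tooling.
# Assumptions: $CVPNDIR set; key-based SSH to the other members as $SSH_USER,
# who gets the expert shell there; host keys already known.
RP_CONF="${RP_CONF:-${CVPNDIR:-/opt/CPcvpn-R80.40}/conf/ReverseProxy_conf/ReverseProxyConf.xml}"
SSH_USER="${SSH_USER:-admin}"

# Print, without running them, the exact commands rp_sync_member executes.
rp_sync_plan() {
    for member in "$@"; do
        printf 'scp -q %s %s@%s:%s\n' "$RP_CONF" "$SSH_USER" "$member" "$RP_CONF"
        printf 'ssh %s@%s sha256sum %s\n' "$SSH_USER" "$member" "$RP_CONF"
        printf 'ssh %s@%s ReverseProxyCLI apply config\n' "$SSH_USER" "$member"
    done
}

# Push the file to one member, verify the copy, apply it there.
rp_sync_member() {
    member=$1
    local_sum=$(sha256sum "$RP_CONF" | cut -d' ' -f1) || return 1
    scp -q "$RP_CONF" "$SSH_USER@$member:$RP_CONF" || return 1
    remote_sum=$(ssh "$SSH_USER@$member" "sha256sum $RP_CONF" | cut -d' ' -f1)
    if [ -z "$remote_sum" ] || [ "$remote_sum" != "$local_sum" ]; then
        echo "FAIL $member: checksum mismatch after copy, not applying" >&2
        return 1
    fi
    # The rules are live on that member only after apply config (see the Note above).
    ssh "$SSH_USER@$member" "ReverseProxyCLI apply config" || return 1
    echo "OK   $member: config $(printf '%.12s' "$local_sum")... applied"
}

# Refuse to run unless the local file is readable, then sync every member given.
rp_sync_all() {
    [ "$#" -gt 0 ] || { echo "usage: rp_sync_all <member> [<member>...]" >&2; return 2; }
    [ -r "$RP_CONF" ] || { echo "cannot read $RP_CONF" >&2; return 1; }
    rc=0
    for member in "$@"; do rp_sync_member "$member" || rc=1; done
    return $rc
}

# Usage on the configured member:  rp_sync_all member2.example member3.example
# Preview first:                   rp_sync_plan member2.example
if [ "$#" -gt 0 ]; then rp_sync_all "$@"; fi
```

Run rp_sync_plan first to see what will be executed, and run the sync only from the member whose rules you edited with ReverseProxyCLI: a run from the wrong member would overwrite the newer configuration with an older one.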