harry82
Level 9

MWG7 Reverse Proxy

Hi,

we are trying to replace our existing reverse proxy with MWG7.

Unfortunately I have some trouble with the ruleset.

That's what we currently try to migrate to MWG:

https://external_address1.com/example_urlpath_1  forwarding to https://internal.address1/internal_urlpath_1

and

https://external_address1.com/example_urlpath_2 forwarding to https://internal.address1/internal_urlpath_2

and

https://external_address1.com/example_urlpath_3 forwarding to https://internal.address2/internal_urlpath3

Here is what we have configured so far:

RuleSet_internal_address1 (URL.Destination.IP equals external_address1)

-SSL Scanner

-Anti-Malware

-forward (request) (URL.Path equals "example_urlpath1" OR "example_urlpath2")

     --urlpath1

          URL.Path equals "/example_urlpath1" OR URL.Path equals "example_urlpath1/"

          Action=Continue

          Event= Set URL.Path = "/internal_urlpath1"

    

     --urlpath2

          URL.Path equals "example_urlpath2" OR URL.Path equals "example_urlpath2/"

          Action=Continue

          Event= Set URL.Path = "/internal_urlpath2"

     --forward1

          always

          Action=Continue

          Event= Enable Next Hop Proxy <internal.address1>

RuleSet_internal_address2 (URL.Destination.IP equals external_address1)

-SSL Scanner

-Anti-Malware

-forward (request) (URL.Path equals "/example_urlpath3")

     --urlpath3

          URL.Path equals "/example_urlpath3" OR URL.Path equals "example_urlpath3/"

          Action=continue

          Events= Set URL.Path = "/internal_urlpath3"

         --forward2

               always

                action=continue

                 Event= Enable Next Hop Proxy <internal.address2>

These RuleSets don't work together for some reason, one RuleSet by itself (disable other) works fine.

It seems that Rule Criteria -forward (URL.Path "example_urlpath[123]") doesn't match and the request runs through both rulesets.

Does anybody have an idea or other solution?

Thanks!

greets

h

0 Kudos
15 Replies
asabban
Level 17

Re: MWG7 Reverse Proxy

Hi Harry,

for both Rule Sets you use "URL.Destination.IP equals external_address1". Is this a typo?

Can we probably get a copy of the Rules to have a look?

Thanks,

Andre

0 Kudos
harry82
Level 9

Re: MWG7 Reverse Proxy

Hi Andre,

thanks for your really quick answer!

no it's not a typo.

One external_address --> two internal addresses --> 3 different paths.

the ruleset is attached.

thanks

harry

0 Kudos
asabban
Level 17

Re: MWG7 Reverse Proxy

Hey Harry,

I had a quick look and I think you probably have messed up with the properties/criteria here.

Have a look at the below Rule Set:

Bildschirmfoto-70.jpg

In the criteria of the Rule Set you tell MWG "Only enter this Rule Set if URL.Path equals /example_path1 or /example_path2". So you will only enter this Rule set if the path is /example_pathX. But within the Rule set you say "Change the URL Path if the URL.Path equals /example_urlpath".

this will never trigger because either the path is /example_pathX, then you will never apply the rules within that Rule Set, or the path is "/example_urlpathX", then your rules WOULD trigger, but you will never enter the Rule Set because of the criteria set for it.

I would basically go ahead and change the way you build your Rule Set. I will try to make some screenshots and post them here.

Best,

Andre

Message edited by asabban on 18.03.11 03:38:48 CDT

Message edited by asabban on 18.03.11 03:39:51 CDT
0 Kudos
harry82
Level 9

Re: MWG7 Reverse Proxy

Hi Andre,

my bad, I messed something up when I built this example ruleset.

In my "real" ruleset the top and bottom criteria are the same.

sorry for that.

harry

0 Kudos
asabban
Level 17

Re: MWG7 Reverse Proxy

Okay.

One really big thing you need to be sure about is what "forwarding to" means.

If you say:

URL.Path equals "/example_urlpath1"

Action=Continue

Event= Set URL.Path = "/internal_urlpath1"

This only works for a request like this:

http://www.mcafee.com/example_urlpath1

Only this request is taken and this changes ONLY the request that is sent out by MWG to the Webserver:

http://internal.mcafee.com/internal_urlpath1

If you access

http://www.mcafee.com/example_urlpath1/index.html

this will no longer work.

I think this is more a static alias than a forward. There are several ways to "forward", but you need to know what you want to do.

I have been working on the "redirect path to a different server" thing, but I don't think this works or at least I have not yet understood. Once the Client establishes an SSL connection to the Proxy, the Proxy will talk to the Webserver to build a connection. After this has been done the SSL Scanner will decrypt the traffic, so once we get access to the URL.Path attribute we already have an established SSL tunnel to the remote server, and we can't move away from this. This works fine when talking HTTP to the remote server, but won't work with HTTPS between Client <-> MWG AND MWG <-> Webserver.

If you can live with having HTTPS between Client <-> MWG and use HTTP between MWG <-> Webserver this should be working.

I have added a Rule Set for you which you may have a look into. It basically does the following:

Clients are accessing www.csm-testcenter.org or extranet.webwasher.com, both via HTTP and HTTPS. The DNS entries point to MWG, and on MWG there are two Rule Sets for different handling of these two URLs, e.g. two different "policies" are applied.

For the "www.csm-testcenter.org" I have created basic filtering Rule Sets and after that, call a "Redirect Rules" Ruleset, in which several "forwards" or "aliases" are called. The examples I had are:

Access to http://www.csm-testcenter.org/Upload is pointing to a Subsite where Examples can be uploaded.

Access to http://www.csm-testcenter.org/Download is pointing to a Subsite where Examples can be downloaded.

Both "Aliases" are not accessible without those rules.

Then I have created a rule that redirects a complete folder. When you access to

http://www.csm-testcenter.org/Folder/whatever/index.html

you will see the Server replies with an error message:

"The requested URL /New_Directory/whatever/index.html was not found on this server."

You can see that "/Folder" is rewritten to "/New_Directory".

Then I have a disabled Rule Set which tries to redirect "/McAfee" to a different server. This does not yet work, I am having a look into this.

Last example is a "/Redirect". If you browse to

http://www.csm-testcenter.org/Redirect

the MWG will respond back with a 302, which will cause the browser to open a separate page.

The Rule Set and the existing Aliases work fine. Maybe you can have a look if that helps you to understand how to create a Rule Set that matches for your requirements.

Best,

Andre

Message edited by asabban on 18.03.11 07:32:43 CDT
0 Kudos
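
The difference between the static alias and the folder rewrite described in the reply above, modelled in Python as an added example (not part of the thread and not MWG rule syntax). The route table is constructed from the mappings in the first post, the function names are hypothetical, and the path is assumed to be already URL-decoded.

```python
from posixpath import normpath

# Constructed route table modelled on the mappings in the first post:
# external path prefix -> (internal host, internal path prefix).
ROUTES = {
    "/example_urlpath_1": ("internal.address1", "/internal_urlpath_1"),
    "/example_urlpath_2": ("internal.address1", "/internal_urlpath_2"),
    "/example_urlpath_3": ("internal.address2", "/internal_urlpath3"),
}


def exact_alias(path):
    """Static alias ("URL.Path equals ..."): only the bare path matches,
    with or without a trailing slash. Anything below it returns None."""
    return ROUTES.get(path.rstrip("/"))


def prefix_forward(path):
    """Folder rewrite: swap the external prefix and keep the rest of the path."""
    if not path.startswith("/"):
        return None
    # Collapse "." and ".." before matching, so the decision is made on the
    # path the backend will resolve and a request cannot climb out of the
    # published prefix after it has been matched.
    clean = "/" + normpath(path).lstrip("/")
    if path.endswith("/") and clean != "/":
        clean += "/"  # normpath drops the trailing slash; restore it
    for ext, (host, internal) in ROUTES.items():
        # Match whole path segments only, so "/example_urlpath_1evil"
        # is not treated as part of "/example_urlpath_1".
        if clean == ext or clean.startswith(ext + "/"):
            return host, internal + clean[len(ext):]
    return None


if __name__ == "__main__":
    for p in ("/example_urlpath_1", "/example_urlpath_1/index.html",
              "/example_urlpath_3/a/b", "/example_urlpath_1evil",
              "/example_urlpath_1/../admin"):
        print(p, "| alias:", exact_alias(p), "| prefix:", prefix_forward(p))
```
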
harry82
Level 9

Re: MWG7 Reverse Proxy

Hi Andre,

thanks for the ruleset.

I tried it in our environment.

Unfortunately it looks like that the criteria in the ruleset doesn't work.

It only matches when I enable the criteria in the rule.

doesn't work

doesnt_work.JPG

works:

works.JPG

any idea?

harry

0 Kudos
asabban
Level 17

Re: MWG7 Reverse Proxy

Hey Harry,

I don't really see a reason why this is not working. Looks good to me.

Would it be ok to stick with adding the criteria to the Rules for the moment?

Maybe this is a bug and we should file an SR for this.

Best,

Andre

0 Kudos
harry82
Level 9

Re: MWG7 Reverse Proxy

hey Andre,

we are running on 7.0.2.4.0, could it be a bug in this release?

greets

harry

0 Kudos
Troja
Level 14

Re: MWG7 Reverse Proxy

Hi Andre, Hi Harry,

tested at my Reverse Proxy in my environment. The same behaviour.

Url.Path Rules are working within Rules but NOT within Rulesets.

Cheers,

Thorsten

0 Kudos