15 Replies. Latest reply on Mar 22, 2011 9:58 AM by asabban

    MWG7 Reverse Proxy

    harry82

      Hi,

       

      we are trying to replace our existing reverse proxy with MWG7.

       

      Unfortunately I have some trouble with the ruleset.

       

      That's what we currently try to migrate to MWG:

       

      https://external_address1.com/example_urlpath_1  forwarding to https://internal.address1/internal_urlpath_1

      and

      https://external_address1.com/example_urlpath_2 forwarding to https://internal.address1/internal_urlpath_2

      and

      https://external_address1.com/example_urlpath_3 forwarding to https://internal.address2/internal_urlpath3

       

      Here is what we have configured so far:

       

      RuleSet_internal_address1 (URL.Destination.IP equals external_address1)

      -SSL Scanner

      -Anti-Malware

      -forward (request) (URL.Path equals "example_urlpath1" OR "example_urlpath2")

           --urlpath1

                URL.Path equals "/example_urlpath1" OR URL.Path equals "example_urlpath1/"

                Action=Continue

                Event= Set URL.Path = "/internal_urlpath1"

          

           --urlpath2

                URL.Path equals "example_urlpath2" OR URL.Path equals "example_urlpath2/"

                Action=Continue

                Event= Set URL.Path = "/internal_urlpath2"

       

           --forward1

                always

                Action=Continue

                Event= Enable Next Hop Proxy <internal.address1>

       

      RuleSet_internal_address2 (URL.Destination.IP equals external_address1)

      -SSL Scanner

      -Anti-Malware

      -forward (request) (URL.Path equals "/example_urlpath3")

           --urlpath3

                URL.Path equals "/example_urlpath3" OR URL.Path equals "example_urlpath3/"

                Action=continue

                Events= Set URL.Path = "/internal_urlpath3"

       

               --forward2

                     always

                      action=continue

                       Event= Enable Next Hop Proxy <internal.address2>

       

      These RuleSets don't work together for some reason, one RuleSet by itself (disable other) works fine.

      It seems that Rule Criteria -forward (URL.Path "example_urlpath[123]") doesn't match and the request runs through both rulesets.

      Does anybody have an idea or other solution?

      Thanks!

       

      greets

       

      h

        • 1. Re: MWG7 Reverse Proxy
          asabban

          Hi Harry,

           

          for both Rule Sets you use "URL.Destination.IP equals external_address1". Is this a typo?

           

          Can we probably get a copy of the Rules to have a look?

           

          Thanks,

          Andre

          • 2. Re: MWG7 Reverse Proxy
            harry82

            Hi Andre,

             

            thanks for your really quick answer!

             

            no it's not a typo.

             

            One external_address --> two internal addresses --> 3 different paths.

             

            the ruleset is attached.

             

            thanks

             

            harry

            • 3. Re: MWG7 Reverse Proxy
              asabban

              Hey Harry,

               

              I had a quick look and I think you probably have messed up with the properties/criteria here.

               

              Have a look at the below Rule Set:

               

              Bildschirmfoto-70.jpg

               

              In the criteria of the Rule Set you tell MWG "Only enter this Rule Set if URL.Path equals /example_path1 or /example_path2". So you will only enter this Rule set if the path is /example_pathX. But within the Rule set you say "Change the URL Path if the URL.Path equals /example_urlpath".

               

              This will never trigger because either the path is /example_pathX, then you will never apply the rules within that Rule Set, or the path is "/example_urlpathX", then your rules WOULD trigger, but you will never enter the Rule Set because of the criteria set for it.

               

              I would basically go ahead and change the way you build your Rule Set. I will try to make some screenshots and post them here.

               

              Best,

              Andre

               

              Message edited by asabban on 18.03.11 03:38:48 CDT

               

              Message edited by asabban on 18.03.11 03:39:51 CDT
              • 4. Re: MWG7 Reverse Proxy
                harry82

                Hi Andre,

                 

                my bad, I messed something up when I built this example ruleset.

                 

                In my "real" ruleset the top and bottom criteria are the same.

                 

                sorry for that.

                 

                harry

                • 5. Re: MWG7 Reverse Proxy
                  asabban

                  Okay.

                   

                  One really big thing you need to be sure about is what "forwarding to" means.

                   

                  If you say:

                   

                  URL.Path equals "/example_urlpath1"

                  Action=Continue

                  Event= Set URL.Path = "/internal_urlpath1"

                   

                  This only works for a request like this:

                   

                  http://www.mcafee.com/example_urlpath1

                   

                  Only this request is taken and this changes ONLY the request that is sent out by MWG to the Webserver:

                   

                  http://internal.mcafee.com/internal_urlpath1

                   

                  If you access

                   

                  http://www.mcafee.com/example_urlpath1/index.html

                   

                  this will no longer work.

                   

                  I think this is more a static alias than a forward. There are several ways to "forward", but you need to know what you want to do.

                   

                  I have been working on the "redirect path to a different server" thing, but I don't think this works or at least I have not yet understood. Once the Client establishes an SSL connection to the Proxy, the Proxy will talk to the Webserver to build a connection. After this has been done the SSL Scanner will decrypt the traffic, so once we get access to the URL.Path attribute we already have an established SSL tunnel to the remote server, and we can't move away from this. This works fine when talking HTTP to the remote server, but won't work with HTTPS between Client <-> MWG AND MWG <-> Webserver.

                   

                  If you can live with having HTTPS between Client <-> MWG and use HTTP between MWG <-> Webserver this should be working.

                   

                  I have added a Rule Set for you which you may have a look into. It basically does the following:

                   

                  Clients are accessing www.csm-testcenter.org or extranet.webwasher.com, both via HTTP and HTTPS. The DNS entries point to MWG, and on MWG there are two Rule Sets for different handling of these two URLs, e.g. two different "policies" are applied.

                   

                  For the "www.csm-testcenter.org" I have created basic filtering Rule Sets and after that, call a "Redirect Rules" Ruleset, in which several "forwards" or "aliases" are called. The examples I have are:

                   

                  Access to http://www.csm-testcenter.org/Upload is pointing to a Subsite where Examples can be uploaded.

                  Access to http://www.csm-testcenter.org/Download is pointing to a Subsite where Examples can be downloaded.

                   

                  Both "Aliases" are not accessible without those rules.

                   

                  Then I have created a rule that redirects a complete folder. When you access to

                   

                  http://www.csm-testcenter.org/Folder/whatever/index.html

                   

                  you will see the Server replies with an error message:

                   

                  "The requested URL /New_Directory/whatever/index.html was not found on this server."

                   

                  You can see that "/Folder" is rewritten to "/New_Directory".

                   

                  Then I have a disabled Rule Set which tries to redirect "/McAfee" to a different server. This does not yet work, I am having a look into this.

                   

                  Last example is a "/Redirect". If you browse to

                   

                  http://www.csm-testcenter.org/Redirect

                   

                  the MWG will respond back with a 302, which will cause the browser to open a separate page.

                   

                  The Rule Set and the existing Aliases work fine. Maybe you can have a look if that helps you to understand how to create a Rule Set that matches for your requirements.

                   

                  Best,

                  Andre

                   

                  Message edited by asabban on 18.03.11 07:32:43 CDT
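
An added example (not part of the thread and not MWG rule syntax): a Python model contrasting the exact-match alias described in reply 5 with a folder-style forward that keeps the rest of the path. The routing table reuses the placeholder names from the first post; the function names, the segment-boundary check and the dot-segment normalization are assumptions of this sketch and go beyond the case discussed in the thread.

```python
import posixpath
from urllib.parse import quote, unquote

# Constructed routing table using the thread's placeholder names:
# (external prefix, internal host, internal prefix)
ROUTES = [
    ("/example_urlpath_1", "internal.address1", "/internal_urlpath_1"),
    ("/example_urlpath_2", "internal.address1", "/internal_urlpath_2"),
    ("/example_urlpath_3", "internal.address2", "/internal_urlpath3"),
]


def exact_alias(path, routes=ROUTES):
    """'URL.Path equals' semantics: only the bare path, with or
    without a trailing slash, matches. Anything below it does not."""
    for ext, host, internal in routes:
        if path in (ext, ext + "/"):
            return host, internal
    return None


def prefix_forward(path, routes=ROUTES):
    """Folder-style forward: swap the leading prefix and keep the
    remainder of the path, choosing the backend per prefix."""
    # Decode once and collapse dot segments before matching, so
    # /example_urlpath_1/../x is not treated as under the prefix.
    clean = posixpath.normpath(unquote(path))
    if path.endswith("/") and clean != "/":
        clean += "/"  # normpath drops the trailing slash; restore it
    for ext, host, internal in routes:
        # Match on a segment boundary: /example_urlpath_10 must not
        # be routed by the /example_urlpath_1 entry.
        if clean == ext or clean.startswith(ext + "/"):
            return host, quote(internal + clean[len(ext):])
    return None  # unmatched paths are refused, not passed through


if __name__ == "__main__":
    for p in ("/example_urlpath_1", "/example_urlpath_1/index.html",
              "/example_urlpath_10", "/example_urlpath_1/%2e%2e/admin"):
        print(p, "alias:", exact_alias(p), "forward:", prefix_forward(p))
```
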
                  • 6. Re: MWG7 Reverse Proxy
                    harry82

                    Hi Andre,

                     

                    thanks for the ruleset.

                     

                    I tried it in our environment.

                     

                    Unfortunately it looks like the criteria in the ruleset doesn't work.

                     

                    It only matches when I enable the criteria in the rule.

                     

                    doesn't work

                    doesnt_work.JPG

                     

                    works:

                     

                    works.JPG

                     

                    any idea?

                     

                    harry

                    • 7. Re: MWG7 Reverse Proxy
                      asabban

                      Hey Harry,

                       

                      I don't really see a reason why this is not working. Looks good for me.

                       

                      Would it be ok to stick with adding the criteria to the Rules for the moment?

                       

                      Maybe this is a bug and we should file an SR for this.

                       

                      Best,

                      Andre

                      • 8. Re: MWG7 Reverse Proxy
                        harry82

                        hey Andre,

                         

                        we are running on 7.0.2.4.0, could it be a bug in this release?

                         

                        greets

                         

                        harry

                        • 9. Re: MWG7 Reverse Proxy
                          Troja

                          Hi Andre, Hi Harry,

                           

                          tested at my Reverse Proxy in my environment. The same behaviour.

                           

                          Url.Path Rules are working within Rules but NOT within Rulesets.

                           

                          Cheers,

                          Thorsten
