15 Replies. Latest reply on Mar 22, 2011 9:58 AM by asabban

    MWG7 Reverse Proxy




      We are trying to replace our existing reverse proxy with MWG7.


      Unfortunately I have some trouble with the ruleset.


      That's what we currently try to migrate to MWG:


      https://external_address1.com/example_urlpath_1  forwarding to https://internal.address1/internal_urlpath_1


      https://external_address1.com/example_urlpath_2 forwarding to https://internal.address1/internal_urlpath_2


      https://external_address1.com/example_urlpath_3 forwarding to https://internal.address2/internal_urlpath3


      Here is what we have configured so far:


      RuleSet_internal_address1 (URL.Destination.IP equals external_address1)

      -SSL Scanner


      -forward (request) (URL.Path equals "example_urlpath1" OR "example_urlpath2")


                URL.Path equals "/example_urlpath1" OR URL.Path equals "example_urlpath1/"


                Event= Set URL.Path = "/internal_urlpath1"



                URL.Path equals "example_urlpath2" OR URL.Path equals "example_urlpath2/"


                Event= Set URL.Path = "/internal_urlpath2"





                Event= Enable Next Hop Proxy <internal.address1>


      RuleSet_internal_address2 (URL.Destination.IP equals external_address1)

      -SSL Scanner


      -forward (request) (URL.Path equals "/example_urlpath3")


                URL.Path equals "/example_urlpath3" OR URL.Path equals "example_urlpath3/"


                Events= Set URL.Path = "/internal_urlpath3"





                       Event= Enable Next Hop Proxy <internal.address2>


      These RuleSets don't work together for some reason, one RuleSet by itself (disable other) works fine.

      It seems that Rule Criteria -forward (URL.Path "example_urlpath[123]") doesn't match and the request runs through both rulesets.

      Does anybody have an idea or other solution?






        • 1. Re: MWG7 Reverse Proxy

          Hi Harry,


          for both Rule Sets you use "URL.Destination.IP equals external_address1". Is this a typo?


          Can we probably get a copy of the Rules to have a look?




          • 2. Re: MWG7 Reverse Proxy

            Hi Andre,


            thanks for your really quick answer!


            No, it's not a typo.


            One external_address --> two internal addresses --> 3 different paths.


            The ruleset is attached.





            • 3. Re: MWG7 Reverse Proxy

              Hey Harry,


              I had a quick look and I think you probably have messed up with the properties/criteria here.


              Have a look at the below Rule Set:




              In the criteria of the Rule Set you tell MWG "Only enter this Rule Set if URL.Path equals /example_path1 or /example_path2". So you will only enter this Rule set if the path is /example_pathX. But within the Rule set you say "Change the URL Path if the URL.Path equals /example_urlpath".


              This will never trigger because either the path is /example_pathX, then you will never apply the rules within that Rule Set, or the path is "/example_urlpathX", then your rules WOULD trigger, but you will never enter the Rule Set because of the criteria set for it.


              I would basically go ahead and change the way you build your Rule Set. I will try to make some screenshots and post them here.





              Message edited by asabban on 18.03.11 03:38:48 CDT


              Message edited by asabban on 18.03.11 03:39:51 CDT
              • 4. Re: MWG7 Reverse Proxy

                Hi Andre,


                My bad, I messed something up when I built this example ruleset.


                In my "real" ruleset the top and bottom criteria are the same.


                Sorry for that.



                • 5. Re: MWG7 Reverse Proxy



                  One really big thing you need to be sure about is what "forwarding to" means.


                  If you say:


                  URL.Path equals "/example_urlpath1"


                  Event= Set URL.Path = "/internal_urlpath1"


                  This only works for a request like this:




                  Only this request is taken and this changes ONLY the request that is sent out by MWG to the Webserver:




                  If you access




                  this will no longer work.


                  I think this is more a static alias than a forward. There are several ways to "forward", but you need to know what you want to do.


                  I have been working on the "redirect path to a different server" thing, but I don't think this works or at least I have not yet understood. Once the Client establishes an SSL connection to the Proxy, the Proxy will talk to the Webserver to build a connection. After this has been done the SSL Scanner will decrypt the traffic, so once we get access to the URL.Path attribute we already have an established SSL tunnel to the remote server, and we can't move away from this. This works fine when talking HTTP to the remote server, but won't work with HTTPS between Client <-> MWG AND MWG <-> Webserver.


                  If you can live with having HTTPS between Client <-> MWG and use HTTP between MWG <-> Webserver this should be working.


                  I have added a Rule Set for you which you may have a look into. It basically does the following:


                  Clients are accessing www.csm-testcenter.org or extranet.webwasher.com, both via HTTP and HTTPS. The DNS entries point to MWG, and on MWG there are two Rule Sets for different handling of these two URLs, e.g. two different "policies" are applied.


                  For the "www.csm-testcenter.org" I have created basic filtering Rule Sets and after that, call a "Redirect Rules" Ruleset, in which several "forwards" or "aliases" are called. The examples I had are:


                  Access to http://www.csm-testcenter.org/Upload is pointing to a Subsite where Examples can be uploaded.

                  Access to http://www.csm-testcenter.org/Download is pointing to a Subsite where Examples can be downloaded.


                  Both "Aliases" are not accessible without those rules.


                  Then I have created a rule that redirects a complete folder. When you access to




                  you will see the Server replies with an error message:


                  "The requested URL /New_Directory/whatever/index.html was not found on this server."


                  You can see that "/Folder" is rewritten to "/New_Directory".


                  Then I have a disabled Rule Set which tries to redirect "/McAfee" to a different server. This does not yet work, I am having a look into this.


                  Last example is a "/Redirect". If you browse to




                  the MWG will respond back with a 302, which will cause the browser to open a separate page.


                  The Rule Set and the existing Aliases work fine. Maybe you can have a look if that helps you to understand how to create a Rule Set that matches for your requirements.





                  Message edited by asabban on 18.03.11 07:32:43 CDT
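
The two points made in replies 3 and 5 (a Rule Set's criteria gate the rules inside it, and an exact-match path rule is a static alias rather than a folder rewrite), as an added example that is not part of the original thread and is not MWG's rule syntax or engine. The classes, helper names and the simplified evaluation order are assumptions made for illustration; the paths and host names are the placeholders used in the posts.

```python
# Simplified model of nested rule evaluation; not MWG's engine or rule syntax.
from dataclasses import dataclass
from typing import Callable, List

@dataclass
class Rule:
    name: str
    matches: Callable[[str], bool]
    rewrite: Callable[[str], str]

@dataclass
class RuleSet:
    name: str
    criteria: Callable[[str], bool]  # gate: the rules run only if this is true
    rules: List[Rule]
    next_hop: str

def alias(src, dst):
    """Static alias: fires on the exact path only."""
    return Rule(f"alias {src}", lambda p: p == src, lambda p: dst)

def folder(src, dst):
    """Folder rewrite: fires on src and everything below it, keeps the rest."""
    return Rule(f"folder {src}", lambda p: p == src or p.startswith(src + "/"),
                lambda p: dst + p[len(src):])

def evaluate(rule_sets, path):
    """Return (next_hop, outgoing_path, trace) for one request path."""
    trace = []
    for rs in rule_sets:
        if not rs.criteria(path):
            trace.append(f"{rs.name}: skipped")
            continue
        for rule in rs.rules:
            if rule.matches(path):
                trace.append(f"{rs.name}: {rule.name} fired")
                return rs.next_hop, rule.rewrite(path), trace
        trace.append(f"{rs.name}: entered, no rule matched")
    return None, path, trace

# Constructed rule sets. MISMATCHED gates on /example_pathX but rewrites /example_urlpathX.
MISMATCHED = [RuleSet("rs1", lambda p: p in ("/example_path1", "/example_path2"),
                      [alias("/example_urlpath1", "/internal_urlpath1")], "internal.address1")]
CONSISTENT = [
    RuleSet("aliases", lambda p: p.startswith("/example_urlpath"),
            [alias("/example_urlpath1", "/internal_urlpath1")], "internal.address1"),
    RuleSet("folders", lambda p: p.startswith("/Folder"),
            [folder("/Folder", "/New_Directory")], "internal.address1"),
]
```

Calling `evaluate(MISMATCHED, ...)` with either spelling of the path returns no next hop, and the trace shows whether the gate or the inner rule was the part that failed. A request that matches no rule comes back with `None` as next hop; on a reverse proxy that case should be blocked explicitly rather than forwarded.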
                  • 6. Re: MWG7 Reverse Proxy

                    Hi Andre,


                    Thanks for the ruleset.


                    I tried it in our environment.


                    Unfortunately it looks like the criteria in the ruleset doesn't work.


                    It only matches when I enable the criteria in the rule.


                    doesn't work







                    any idea?



                    • 7. Re: MWG7 Reverse Proxy

                      Hey Harry,


                      I don't really see a reason why this is not working. Looks good for me.


                      Would it be ok to stick with adding the criteria to the Rules for the moment?


                      Maybe this is a bug and we should file an SR for this.




                      • 8. Re: MWG7 Reverse Proxy

                        Hey Andre,


                        we are running on, could it be a bug in this release?





                        • 9. Re: MWG7 Reverse Proxy

                          Hi Andre, Hi Harry,


                          Tested at my Reverse Proxy in my environment. The same behaviour.


                          Url.Path Rules are working within Rules but NOT within Rulesets.



