A reverse proxy server is a type of proxy server that inspects, transforms and routes web requests before they reach your web servers. It retrieves resources on behalf of a client from one or more back-end servers and returns the responses to the client as though they originated from the reverse proxy itself. This increases security by cloaking your network topology and back-end servers, since they no longer need direct internet access.
Why should I use a reverse proxy with my VIP Enterprise Gateway (EG)?
The VIP Self-Service Portal (SSP) and My VIP are cloud-based web applications that let end-users perform tasks such as registering their credentials. The VIP EG acts as the IdP between the SSP/My VIP portal and your end-users. If your enterprise decides to enable remote user access from outside your enterprise network, implementing a reverse proxy in your enterprise's perimeter network provides front-end protection for the SSP IdP on the VIP EG hosted inside your enterprise network. If an administrator decides users can only access the VIP Enterprise Gateway from within the enterprise network, the VIP Enterprise Gateway IdP can be located in your back-office network, most likely on the same machine as the VIP Enterprise Gateway. However, this decision means remote users cannot perform VIP Self-Service tasks unless they are connected to the enterprise network; the IT help desk can assist with completing these tasks.
Other options are available for accessing the VIP SSP/My VIP. For example, a connector to the VIP SSP can be added to your enterprise single sign-on (SSO) solution, with the Enterprise Gateway acting as the IdP. When a third party is the IdP, the SSP/My VIP is the SP. Refer to the Symantec VIP Third-Party Configuration Guide for details.
Prior versions of the VIP EG included a VIP SSP IdP Proxy. This has been removed from the current VIP EG and is no longer a supported feature.
Sample reverse proxy layout:
The following are general instructions for configuring an Apache Squid proxy for use with the Symantec VIP SSP IdP. Refer to http://www.squid-cache.org/ for additional assistance.
An active Apache Squid installation
VIP Enterprise Gateway with the SSP IDP component configured
3. CREATE A WILDCARD SSL CERTIFICATE WITH OPENSSL:
The wildcard certificate is created for your domain (e.g., *.secureproxy.com).
Name the domain inline as the certificate is created (e.g., *.secureproxy.com).
[demoCA]# openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
Generating a 2048 bit RSA private key
.......................................+++
..................+++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) :India
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:Symantec
Organizational Unit Name (eg, section) :EG
Common Name (eg, your name or your server's hostname) :*.secureproxy.com
Email Address :email@example.com
Add each SSP site to the Squid configuration file. By default, this file is located at /etc/squid/squid.conf:

cache_peer <EG SSP IDP Hostname> parent <SSP IDP Port(8233)> 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=<websitename>
acl <sites_server_1> dstdomain websitea.secureproxy.com
cache_peer_access <websitename> allow <sites_server_1>
http_access allow <sites_server_1>
If SSL is used, sslflags=DONT_VERIFY_PEER is useful when the EG presents a self-signed certificate. Note that this flag disables verification of the EG's certificate on the proxy-to-EG connection, so it should only be used where that back-end hop is trusted.
The dstdomain name must be within the domain for which the wildcard certificate was created earlier.
websitea.secureproxy.com is used as the example dstdomain here; it is covered by the wildcard certificate created for *.secureproxy.com. Any dstdomain of the form <name>.secureproxy.com can be chosen.
A sample squid.conf with minimal configuration changes is attached to this article. Note that it configures Squid as an HTTPS reverse proxy.
The configurations must appear at the top of squid.conf above all other forward-proxy configurations (e.g., http_access, etc.). Otherwise, the standard proxy access rules may block the viewing of the accelerated site.
Check that the Enterprise Gateway hostname can be resolved by the Squid reverse proxy.
Ensure dstdomain is within the domain covered by the wildcard certificate.
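As an added pre-flight check (example code, not part of this article or of the Squid or Symantec tooling), the following Python script lints a squid.conf against the three points above: each dstdomain must be covered by the wildcard certificate's domain, DONT_VERIFY_PEER on a cache_peer is reported because it disables back-end certificate verification, and every reverse-proxy rule must appear before the first http_access deny. The embedded squid.conf and its host names are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample squid.conf modelled on the stanza in this article; host names are placeholders.
SAMPLE_CONF = """\
cache_peer eg-ssp.internal.example parent 8233 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=websitea
acl sites_server_1 dstdomain websitea.secureproxy.com
cache_peer_access websitea allow sites_server_1
http_access allow sites_server_1
acl localnet src 10.0.0.0/8
http_access deny all
"""

def wildcard_covers(wildcard: str, host: str) -> bool:
    """True if a certificate name such as *.secureproxy.com covers host.
    The '*' stands for exactly one DNS label (RFC 6125), so neither the bare
    domain nor a sub-subdomain is covered."""
    if not wildcard.startswith("*."):
        return wildcard.lower() == host.lower()
    suffix = wildcard[1:].lower()          # ".secureproxy.com"
    host = host.lower()
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def lint_squid_conf(conf: str, wildcard: str) -> List[str]:
    """Return findings for the SSP reverse-proxy stanza; an empty list means all checks passed."""
    findings: List[str] = []
    lines = [ln.strip() for ln in conf.splitlines()]
    dstdomains: Dict[str, str] = {}        # acl name -> host the acl matches
    for n, ln in enumerate(lines, 1):
        m = re.match(r"acl\s+(\S+)\s+dstdomain\s+(\S+)", ln)
        if m:
            dstdomains[m.group(1)] = m.group(2)
            if not wildcard_covers(wildcard, m.group(2)):
                findings.append(f"line {n}: dstdomain {m.group(2)} is not covered by {wildcard}")
        if ln.startswith("cache_peer ") and "DONT_VERIFY_PEER" in ln:
            findings.append(f"line {n}: back-end certificate is not verified (DONT_VERIFY_PEER)")
    # Ordering: the accelerated site's rules must precede the first http_access deny,
    # otherwise the forward-proxy access rules can block it.
    first_deny = next((n for n, ln in enumerate(lines, 1) if ln.startswith("http_access deny")), None)
    last_rp = max((n for n, ln in enumerate(lines, 1)
                   if ln.startswith("cache_peer")
                   or any(ln == f"http_access allow {a}" for a in dstdomains)), default=0)
    if first_deny is not None and last_rp > first_deny:
        findings.append(f"line {last_rp}: reverse-proxy rule appears after 'http_access deny' on line {first_deny}")
    return findings

if __name__ == "__main__":
    for finding in lint_squid_conf(SAMPLE_CONF, "*.secureproxy.com"):
        print(finding)
```

Run it against your real file with `lint_squid_conf(open("/etc/squid/squid.conf").read(), "*.yourdomain")`; the sample above yields exactly one finding, for DONT_VERIFY_PEER.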
4. RESTART THE SQUID REVERSE PROXY
Sample command for restarting the Squid Reverse Proxy: service squid restart
5. CONFIGURE THE VIP ENTERPRISE GATEWAY
Ensure the dstdomain set in Squid (e.g., websitea.secureproxy.com) can be resolved by the VIP Enterprise Gateway.
Ensure the load balancer URL in the VIP Enterprise Gateway SSP configuration page is set to dstdomain (e.g., https://websitea.secureproxy.com).
6. SETUP COMPLETE! TEST THE REVERSE PROXY SETUP
The SSP Login URL will be https://dstdomain (e.g., https://websitea.secureproxy.com)