Reverse Proxy

HannesKamleitner
Posts: 1
Joined: 19 May 2016 03:38

Reverse Proxy

Post by HannesKamleitner »

Hi @all,

I have the following network configuration - see attachment (Network.jpg).

An A record for remote.contoso.com -> 10.16.17.30 exists.
An A record for mail.contoso.com -> 10.16.17.30 exists.
Trusted certificates for both domains exist.
RDWeb on 192.168.0.21 is configured (with certificate) and internally I can access the https://192.168.0.21 website.
Exchange on 192.168.0.22 is configured (with certificate) and internally I can access the https://192.168.0.22 website.

All ports from LTE modem are forwarded to CacheGuard Firewall.
From the internal network 192.168.0.0, internet access and everything else is working.

But I fail to create a reverse proxy so that from outside (Internet), via DNS, I can reach my RDWeb (192.168.0.21) at https://remote.contoso.com
or my Exchange (192.168.0.22) at https://mail.contoso.com.

Attached you will also find the current configuration.

Hope someone can help.

Thanks in advance
Hannes
Attachments: configuration.txt, Network.jpg
david
Posts: 163
Joined: 08 Aug 2015 20:38

Re: Reverse Proxy

Post by david »

Dear Hannes

I see that you use two backend Web servers for each of your two cloaked websites (mail.contoso.com and remote.contoso.com). In your configuration one backend Web server is listening on port 80 and the other on port 443 (which probably uses HTTPS, not HTTP).

Please note that when you implement CG as a reverse proxy, it acts as an SSL terminator (offloader) and all communications between CG and the backend servers are done in clear HTTP.

I suggest that you do the following:

- On your CG, remove the backend Web servers listening on port 443. To do so, use the following commands:

Code:

    rweb host remote.contoso.com del 192.168.0.21 443
    rweb host mail.contoso.com del 192.168.0.22 443
    apply

- On your backend Web servers (192.168.0.20-21), ensure that they listen on port 80 in clear HTTP (maybe you can allow the clear HTTP access for your CG only (192.168.0.1)).

Also, if you use signed SSL certificates for your websites, think about copying them to your CG and using them in your configuration instead of the default TLS object (see the command tls). You will have to copy all objects related to your certificate: the private key, the certificate, and the certificate chain if any.

Best Regards,
David Janeway
CacheGuard Technical Team
https://www.cacheguard.com
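To make the layout David describes concrete, here is an added example (my own Python, not CacheGuard's code or configuration): a minimal name-based reverse proxy that picks the backend from the Host header, forwards in clear HTTP with X-Forwarded-Proto: https, and a stand-in backend that accepts clear HTTP only from the proxy's address. The public names, the backend addresses and the CG inside address 192.168.0.1 are taken from the thread; the loopback ports, the X-Forwarded-* header names and the source-address allowlist on the backend are assumptions for the demo, and TLS termination itself is left out (the proxy only marks the forwarded request as having arrived over HTTPS).

```python
import http.client
import http.server
import threading

# Routing table from the thread: public name -> backend, clear HTTP on 80.
ROUTES = {
    "remote.contoso.com": ("192.168.0.21", 80),
    "mail.contoso.com": ("192.168.0.22", 80),
}
PROXY_ADDR = "192.168.0.1"   # the CG's inside address named in the reply
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "te", "trailer",
              "upgrade", "proxy-authorization", "proxy-authenticate"}


class Quiet(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo quiet
        pass


class ReverseProxyHandler(Quiet):
    """Choose the backend from the Host header and talk clear HTTP to it."""
    routes = ROUTES

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        target = self.routes.get(host)
        if target is None:
            # No cloaked site with that name: refuse instead of guessing.
            self.send_error(421, "Misdirected Request")
            return
        fwd = {k: v for k, v in self.headers.items()
               if k.lower() not in HOP_BY_HOP | {"host"}}
        fwd["Host"] = host
        fwd["X-Forwarded-For"] = self.client_address[0]
        fwd["X-Forwarded-Proto"] = "https"   # TLS was terminated at the proxy
        conn = http.client.HTTPConnection(*target, timeout=5)
        try:
            conn.request("GET", self.path, headers=fwd)
            resp = conn.getresponse()
            data = resp.read()
        except OSError:
            self.send_error(502, "Bad Gateway")
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP | {"content-length"}:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class BackendHandler(Quiet):
    """Stand-in for RDWeb/Exchange on port 80: clear HTTP, from the proxy only."""
    allowed_sources = {PROXY_ADDR}   # hypothetical allowlist; a host firewall in reality

    def do_GET(self):
        if self.client_address[0] not in self.allowed_sources:
            self.send_error(403, "Clear HTTP is accepted from the proxy only")
            return
        body = "host=%s proto=%s" % (self.headers.get("Host"),
                                     self.headers.get("X-Forwarded-Proto"))
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())


def serve(handler_cls):
    """Start handler_cls on a free loopback port in a daemon thread; return the port."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def fetch(port, host_header, path="/"):
    """Plain HTTP GET to loopback:port with an explicit Host; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def demo():
    """Two loopback backends behind the proxy; returns what each request got."""
    class LocalBackend(BackendHandler):
        allowed_sources = {"127.0.0.1"}          # the proxy is on loopback here
    local_routes = {n: ("127.0.0.1", serve(LocalBackend)) for n in ROUTES}
    class LocalProxy(ReverseProxyHandler):
        routes = local_routes
    proxy_port = serve(LocalProxy)
    strict_port = serve(BackendHandler)          # still expects PROXY_ADDR
    return {
        "remote": fetch(proxy_port, "remote.contoso.com"),
        "mail": fetch(proxy_port, "mail.contoso.com"),
        "unknown": fetch(proxy_port, "other.contoso.com")[0],
        "direct": fetch(strict_port, "mail.contoso.com")[0],   # bypassing the proxy
    }
```

Calling `demo()` routes remote.contoso.com and mail.contoso.com to their own backends (each backend sees its own Host and proto=https), answers 421 for a name that has no cloaked site, and the "direct" request shows the check David hints at: a host that tries to reach the clear-HTTP service without going through the CG is refused. On a real backend that allowlist is the host firewall (TCP/80 from 192.168.0.1 only), not application code.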