For publication of HTTP/HTTPS servers, it is recommended that you use publication based on the reverse proxy rules.
Unlike the DNAT-based publication, the reverse proxy publication offers the following advantages:
-
Publication of HTTP servers using HTTPS, and vice versa
-
Balancing of requests to web server farms
-
Ability to limit access to the published servers with certain Useragents
-
Ability to replace domains and paths of the published servers.
To publish a server using the reverse proxy, perform the following steps:
Name |
Description |
---|---|
Step 1. Create a reverse proxy server. |
Go to Security policies-->Reverse proxy servers, click Add and create one or more web servers for publishing. |
Step 2. Create a balancing rule for the reverse proxy servers (optional). |
When a balancing for published server farms is required, go to Network policies-->Load balancing and create a new reverse proxy balancer. Use the reverse proxy servers that you have created in the previous step. |
Step 3. Create a reverse proxy rule. |
Go to Security policies-->Reverse proxy rules and create a new rule that defines the publication conditions for servers or server farms. Important! Publication rules are applied from top to bottom in the list of rules. Only the first publication rule for which all its specific conditions are met will be applied. |
Step 4. Allow the Reverse proxy server in the zone where you want to grant access to the internal resources. |
Go to Network-->Zones and allow the Reverse proxy service in the zone where you want to grant access to the internal resources (in most cases, it is the Untrusted zone). |
To create a reverse proxy server, go to Security policies-->Reverse proxy servers, click Add and fill out the following fields:
Name |
Description |
---|---|
Name |
Name of the published server. |
Description |
Description of the published server. |
Address |
IP address of the published server. |
Port |
TCP port of the published server. |
HTTPS to server |
Defines whether it is necessary to use the HTTPS protocol to access the published server. |
Check SSL certificate |
Enables or disables validation of the SSL certificates installed on the published server. |
Keep original source IP address |
Leaves the original IP address of the source in packets sent to the published server. When this option is disabled, the source IP address is replaced with the UserGate's IP address. |
To create a balancing rule for the reverse proxy servers, go to Network policies-->Load balancing, select Add-->Reverse proxy balancer and fill out the following fields:
Name |
Description |
---|---|
Enabled |
Enable or disable the rule |
Name |
Name of the rule |
Description |
Description of the rule |
Reverse proxy servers |
The list of the reverse proxy servers among which the workload will be distributed (created in the previous step). |
To create a new reverse proxy rule, click Add in Security policies-->Reverse proxy rules and fill out the mandatory fields.
Important! Rules are applied from top to bottom in the same order as they appear in the console. Only the first rule for which all its specific conditions are met will be applied. Therefore, make sure to place more specific rules above the more common ones in the list. Use the Up/Down buttons to change the order of rules in the list.
Important! The rule will be applied only when all its specific conditions are met. The Negate checkbox makes the condition opposite to the initial condition, i.e. corresponds to logical negation (NOT).
Name |
Description |
---|---|
Enabled |
Enable or disable the rule |
Name |
Name of the rule |
Description |
Description of the rule |
Reverse proxy server |
A reverse proxy server or reverse proxy balancer to which UserGate will be resending user requests |
Port |
A port on which UserGate will be listening for incoming requests. |
Use HTTPS |
Enable the HTTPS support |
Certificate |
A certificate used for establishing HTTPS connections |
Authenticate by certificate |
When this option is enabled, browsers will be required to provide user certificates. To do this, make sure to add the user certificate to the list of UserGate certificates, and also assign it the User certificate role and the corresponding UserGate user account. For more details on user certificates, please refer to the Managing certificates section. |
Source |
A source zone and/or a list of source IP addresses for the traffic. |
Users |
The list of users and groups to which a given rule is applied. Users of the Any, Unknown or Known types can be added. To apply the rules to given users or users of the Known type, you need to set up user identification. |
Useragent |
Useragent of user browsers for which a given rule will be applied |
Path rewrite |
Replace a domain and/or path in the user request URL. For example, incoming requests to http://www.example.com/path1 can be changed to http://www.example.loc/path2. Change from - a domain and/or path that you want to replace in the URL. Change to - a domain and/or path that you want to use as a replacement in the URL. If a domain is specified in the Change from field, then the publication rule will be applied for the requests sent to this domain only. In other words, this will be a condition for rule triggering. |