For publishing HTTP/HTTPS servers, reverse proxy rules are the recommended publishing method.
Unlike DNAT rules, which only forward packets by address and port, a reverse proxy rule terminates the HTTP session on NGFW and can act on the request itself. This makes it possible to:
- Publish HTTP servers via HTTPS and vice versa
- Load-balance requests across a web server farm
- Restrict access to the published servers to certain user agents
- Substitute the domains and paths used by the published servers.
To publish a server using reverse proxy rules, follow these steps:
Step | Description
---|---
Step 1. Create a reverse proxy server. | In the Global portal ➜ Reverse proxy servers section, click Add and create one or more web servers to be published.
Step 2. (Optional) Create a balancing rule for the reverse proxy servers. | If you need load balancing within a farm of published servers, go to the Network policies ➜ Load balancing section and create a reverse proxy load balancer using the reverse proxy servers created in the previous step.
Step 3. Create a reverse proxy rule. | Under Global portal ➜ Reverse proxy rules, create a rule that sets the conditions for publishing the server or server farm. Important! Publishing rules are applied top to bottom in the rule list. Only the first rule for which all conditions are matched is triggered, so place specific rules (for example, rules restricted to certain user agents or domains) above general ones.
Step 4. Allow the reverse proxy service in the zone from which access to the published resources is required. | In the Network ➜ Zones section, allow the reverse proxy service for that zone (usually the Untrusted zone). Allow it only in the zones that actually need to reach the published servers.
To add a reverse proxy server, go to the Global portal ➜ Reverse proxy servers section, click Add, and fill in these fields:
Name | Description
---|---
Name | The name of the published server.
Description | A description of the published server.
Server address | The IP address of the published server.
Port | The TCP port of the published server.
HTTPS to server | Specifies whether NGFW connects to the published server over HTTPS.
Check SSL certificate | Enables or disables validity checking of the SSL certificate installed on the published server. With checking disabled, NGFW accepts any certificate the server presents, so keep it enabled unless the server uses a certificate NGFW cannot validate, and then only on a trusted network segment.
Keep original source IP address | Keeps the original client source IP address in the packets forwarded to the published server. If this is disabled, the source IP address is replaced with NGFW's own IP address, and the server sees every request as coming from NGFW. If it is enabled, the server addresses its replies to the client, so the server's return route must lead back through NGFW.
To create a balancing rule for reverse proxy servers, go to the Network policies ➜ Load balancing section, select Add ➜ Add reverse proxy load balancer, and fill in these fields:
Name | Description
---|---
Enabled | Enables or disables the rule.
Name | The name of the rule.
Description | A description of the rule.
Reverse proxy servers | The list of reverse proxy servers, created in the previous step, among which the load is distributed.
To create a reverse proxy rule, go to the Global portal ➜ Reverse proxy rules section, click Add, and fill in the relevant fields.
Name | Description
---|---
Enabled | Enables or disables the rule.
Name | The name of the rule.
Description | A description of the rule.
Reverse proxy server | The reverse proxy server or reverse proxy load balancer to which NGFW forwards the requests.
Port | The port on which NGFW listens for incoming requests.
Use HTTPS | Enables HTTPS on the client-facing side of the published service.
SSL profile | An SSL profile restricts the SSL/TLS protocol versions and the individual encryption and digital signature algorithms offered to clients.
Certificate | The certificate presented to clients for HTTPS connections.
Authentication mode | Clients can be authenticated by login and password via a RADIUS server (AAA) or by certificates (PKI).
User certificate profile | When PKI-based authentication is used, specify a pre-configured user certificate profile here.
Source | The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source. A URL list must contain only domain names. Every 5 minutes NGFW resolves the domain names into IP addresses and stores the result in its internal cache for the DNS record's time-to-live (TTL); when the TTL expires, NGFW automatically refreshes the IP address value. Important! At most 15 GeoIPs can be specified. Important! The traffic processing logic is as follows:
Users | The list of users and groups to which this rule applies. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. This tab is only available when HTTPS and certificate-based authentication are used.
Destination | One of the external IP addresses of NGFW that is reachable from the Internet and is the destination of the external client traffic. Important! At most 15 GeoIPs can be specified. Important! The traffic processing logic is as follows:
Useragent | The browser User-Agent strings for which this rule applies.
Path rewrite | Substitutes the URL domain and/or path in the user request. For example, requests to http://www.example.com/path1 can be converted into requests to http://www.example.loc/path2. Change from: the URL domain and/or path to be substituted. Change to: the URL domain and/or path that replaces the original. If a domain is specified in the Change from field, the rule is applied only to requests arriving at that domain; the domain thus also serves as a condition for triggering the rule.