Reverse Proxy Deployment Guide


Reverse Proxy Deployment Guide
PDF of the Online WebGuide
SGOS 6.5.x and Later

Third Party Copyright Notices

© 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas: Blue Coat Systems, Inc. 420 N. Mary Ave. Sunnyvale, CA
Rest of the World: Blue Coat Systems International SARL 3a Route des Arsenaux 1700 Fribourg, Switzerland

Contents

About Reverse Proxy
Pre-Deployment Checklist
Deploy a Reverse Proxy
Virtual IP
Create an HTTP Service for Your Reverse Proxy
Create an HTTPS Service for Your Reverse Proxy
Create an SSL Certificate Keyring
Set up a Basic Policy
Authenticating Users
Configure an IWA Authentication Realm
Create an LDAP-Based Authentication Realm
Configure a Local Authentication Realm
Create a RADIUS Authentication Realm
SAML Authentication
Authentication Policy
Authentication Modes
Advanced Policy Tasks
Two-Way URL Rewrite
ProxyAV Integration
Regional Access Control
Monitoring Users and Resources
Monitoring the Appliance
SNMP Monitoring
Monitor User Activity

About Reverse Proxy

A reverse proxy acts as a front-end for general purpose Web, FTP, streaming, and other content servers, typically to secure those servers and improve access performance.

In a typical Blue Coat reverse proxy implementation, web applications reside behind a firewall, which forwards traffic to the secured ProxySG inside environment. Because the firewall allows only the ProxySG to communicate with the web application, potential attackers would need to bypass both the firewall and the ProxySG appliance, which obscures the internal URL structure of the content server from external users. Restricting access to the content servers to only the ProxySG's IP address provides further security.

In addition to securing your content and application servers, the ProxySG appliance further improves user access in the following ways:

User Authentication
Functioning as an intermediary between users on the Internet and your content servers, the ProxySG can challenge users to authenticate, or transparently check for existing authentication credentials. Supported authentication servers include Windows Active Directory, SiteMinder, and Oracle, with authentication methods ranging from Integrated Windows Authentication to SAML.

Real-Time Virus, Malware and Trojan Scanning
When deployed in conjunction with your ProxySG Reverse Proxy, a ProxyAV appliance can scan the data users upload to your content and application servers for most of today's Internet-borne threats.

SSL Encryption and Termination
Reducing the resource load on your content and application servers, the Reverse Proxy solution can terminate HTTPS connections from users and forward those connections to the server using HTTP. User connections remain secure, with the proxy translating HTTP responses into HTTPS. The proxy also ensures protocol compliance, limiting exposure to vulnerabilities based on non-RFC-compliant attacks.

HTTP Compression
To further expedite delivery of Web applications, the ProxySG provides built-in gzip and deflate HTTP compression support. These compression services effectively reduce the bandwidth required for serving content.

Content Acceleration
With an optimized TCP stack, the ProxySG appliance can serve HTTP and HTTPS content very quickly. Chief among the methods the appliance uses to accelerate content are object pipelining (retrieving several related elements at the same time) and adaptive refresh, where content stored in cache is evaluated regularly for freshness based on how frequently it is requested. With these advanced caching measures in place, the strain on your content servers is greatly reduced.

Typical Reverse Proxy Deployment

With your ProxySG appliance deployed as detailed in the preceding image, your content servers remain protected while the proxy transparently processes Internet-based requests for access.

Pre-Deployment Checklist

Before you configure your ProxySG appliance to handle incoming traffic from the Internet, there are a few things that need to be set up.

Public DNS Resolution
To enable Internet users to reach your web server, you'll need to have a public DNS record set up. When you have identified the dedicated public IP address you'll be using for this web server, contact a DNS hosting service to have them translate your domain name to that public IP address.

Firewall configuration and port forwarding
With a public IP address defined to accept traffic at your network's edge, configure your firewall to forward traffic to the ProxySG appliance's internal IP address. This is known as port forwarding or Virtual IP addressing, depending on the firewall vendor. For security, only forward the ports for which your web server serves data. Typically, that's TCP ports 80 and 443 for HTTP and HTTPS, and in some cases, FTP on TCP port 21. If your firewall provides Intrusion Detection or Prevention (IDS/IPS) functionality, or inspects and controls the flow of data, be sure to consult the manufacturer's documentation for managing these security services when hosting websites.

Initial setup of your ProxySG Appliance
Follow the steps to cable and configure your ProxySG appliance in the Quick Start Guide provided with your hardware. This information is also available at

Extra Blue Coat Security: ProxyAV
If you would like to secure your reverse proxy infrastructure and the content that flows in and out of your network, Blue Coat recommends deploying a ProxyAV appliance. Please see the ProxySG/AV Integration Guide for help with initial ProxyAV configuration tasks.

Deploy a Reverse Proxy

The topics in this chapter will guide you through the initial steps of configuring your ProxySG appliance as a Reverse Proxy.

Virtual IP
Create an HTTP Service for Your Reverse Proxy
Create an HTTPS Service for Your Reverse Proxy
Create an SSL Certificate Keyring
Set up a Basic Policy

Virtual IP

A Virtual IP address (VIP) is an IP address that can be configured on the ProxySG appliance to take the place of a physical IP. This is especially useful if you will be configuring your appliance to handle multiple Reverse Proxy-hosted websites on the same TCP port. If your deployment serves only a single host, VIP configuration and use is optional.

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Network > Advanced.
3. In the VIPs tab, click New. The Add Virtual IP dialog appears.
4. Enter the IP Address. The IP address must be unique and congruent with the other IP addresses defined on the appliance. In your initial planning stages, this is the IP address that will be used to handle incoming traffic from either your edge firewall or, if your ProxySG appliance is not protected by a firewall, the public address defined in public DNS for your website.
5. Click OK to create the VIP object.
6. Click Apply to save this object to your ProxySG's configuration.

Create an HTTP Service for Your Reverse Proxy

This topic explains how to configure a listener for reverse proxy. This object contains the IP address and TCP port that the ProxySG appliance will use to intercept traffic from the Internet or your edge firewall.

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Services > Proxy Services.
3. Click the New Service button at the bottom of the page.
4. Enter a name for the new service.
5. Choose the type of Proxy Service that will be used. Proxy service types are responsible for how the ProxySG appliance interprets and manages the traffic being passed through the service. Choose HTTP to handle a simple HTTP-based web site.
6. Enable Detect Protocol.
7. Disable the Enable ADN check mark.
8. In the Listeners section, click New.
9. The Source Address configuration is used to restrict the source of clients connecting through this service. Unless your Reverse Proxy is deployed in a completely closed environment, we recommend leaving this at the default setting, All.
10. The Destination Address section is used to define the address the ProxySG is monitoring for connections that are relevant to this Reverse Proxy configuration. This can be either a physical IP address already assigned to one of the ProxySG's interfaces or a Virtual IP (VIP) address you've configured previously. See Creating a Virtual IP Address for steps to add a VIP to your ProxySG appliance configuration.
11. Define a port or a range of ports that the appliance will monitor for connections. If you plan to add multiple ports for your Reverse Proxy configuration, define only one port number per service object and repeat for as many ports as you'll be configuring.
12. Set the Action to Intercept.
13. Click OK to create the new service object.
14. Click Apply to save the configuration.

Create an HTTPS Service for Your Reverse Proxy

This topic will guide you through configuring a listener for your secure reverse proxy. This object contains the IP address and TCP port that the ProxySG appliance will use to intercept traffic from the Internet or your edge firewall.

1. Log in to the ProxySG's web-based management console.
2. Browse to the Configuration tab > Services > Proxy Services.
3. Click the New Service button at the bottom of the page.
4. Enter a name for the new service.
5. Choose the type of Proxy Service that will be used. Proxy service types are responsible for how the ProxySG appliance interprets and manages the traffic being passed through the service. Choose HTTPS Reverse Proxy for this configuration.
6. Select the Keyring you've created for this configuration. If you have not yet done so, please follow the steps in the topic, Create a New Keyring.
7. Select the CA Certificate List that will be used to validate the certificate being presented to users. <All CA Certificates> is the default here, and suffices for most configurations.
8. Enable support for SSL protocols. SSL v3 and v2 are not enabled by default as they are not recommended due to their insecure nature.
9. Disable the Enable ADN check mark.
10. In the Listeners section, click New.
11. The Source Address configuration is used to restrict the source of clients connecting through this service. Unless your Reverse Proxy is deployed in a completely closed environment, we recommend leaving this at the default setting, All.
12. The Destination Address section is used to define the address the ProxySG is monitoring for connections that are relevant to this Reverse Proxy configuration. This can be either a physical IP address already assigned to one of the ProxySG's interfaces or a Virtual IP (VIP) address you've configured previously. See Creating a Virtual IP Address for steps to add a VIP to your ProxySG appliance configuration.
13. Define a port or a range of ports that the appliance will monitor for connections. If you plan to add multiple ports for your Reverse Proxy configuration, define only one port number per service object and repeat for as many ports as you'll be configuring. For a standard HTTPS web server, enter 443 as the port number.
14. Set the Action to Intercept.
15. Click OK to create the new service object.
16. Click Apply to save the configuration.

Create an SSL Certificate Keyring

If your Reverse Proxy deployment hosts HTTPS websites or services, the certificate for those services can be served from the ProxySG appliance. This relieves the web server behind the appliance from having to spend resources managing SSL termination. The connection between the ProxySG appliance and the server running web services can then be HTTP-based.

1. Browse to the Configuration tab > SSL > Keyrings and click Create.
2. Enter a name for the new keyring.
3. Select Show Key Pair to permit backup and portability of the configuration and click OK.
4. Click Apply to commit the configuration to your appliance.
5. Select the new keyring from the list and click the Edit button.
6. Generate a Certificate Signing Request (CSR) by clicking the Create button. The Create CSR dialog displays.
7. Complete the form, paying close attention to the Common Name field. This should be a hostname or FQDN that resolves to the ProxySG appliance from outside of your protected network. This is the first step in ensuring that Internet-based browsers can trust the certificate the proxy presents. When you've completed the form, click OK, Close, then Apply.
8. Edit the keyring again and you will find that the Certificate Signing Request field now contains a CSR in PKCS#10 format. Highlight the text from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- and copy it to your system's clipboard using CTRL+C (or on Apple systems, the Apple key and C).
9. Paste the CSR into a new text file on your local workstation. Save the file with a .csr extension.
10. Send the CSR to be signed by a Certificate Authority (CA). The CA should provide you with a Root CA certificate as well as a server certificate. In some cases, an intermediate CA certificate is also provided.
11. Edit the keyring again. This time, click the Import button under Certificate.
12. Paste the certificates into the Import Certificate text box that appears. The server certificate should be listed first, followed by the intermediate. The CA certificate should be pasted into this field last. When all certificates have been entered into the text box, click OK, Close and Apply.

Set up a Basic Policy

The ProxySG appliance uses policy to control how users on the Internet access your content servers. The steps below will guide you through creating policy to permit user access and to forward their requests to your back-end content server(s).

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Policy > Visual Policy Manager and click Launch.
3. From the menu at the top of the Visual Policy Manager (VPM), click Policy > Add Web Access Layer.
4. Right-click the Destination field in the rule that's been created, click Set > New > Request URL.
5. Enter the domain name users will use to access the reverse proxy web site.
6. Click Add, Close and OK.
7. Right-click the Action field, click Allow.
8. From the menu at the top of the VPM, click Policy > Add Forwarding Layer.
9. Right-click the Destination field, click Set > New > Server URL.
10. Enter the domain name users will use to access the reverse proxy web site.
11. Right-click the Action field.
12. Click Set > New > Select Forwarding.
13. Name the object (for example, MyWebServer).
14. Under Forward To, select the forwarding host you created earlier.
15. Click Add>> to add the forwarding host to the box on the right.
16. Click OK, OK.
17. Click Install Policy.

Authenticating Users

There are many options available on the ProxySG appliance for securing user access to your web server. Based on your existing security infrastructure, find the steps for configuring each type of authentication realm in this chapter.

Configure an IWA Authentication Realm
Create an LDAP-Based Authentication Realm
Configure a Local Authentication Realm
Create a RADIUS Authentication Realm
SAML Authentication
Authentication Policy
Authentication Modes

Configure an IWA Authentication Realm

If your enterprise environment uses a Windows domain and Integrated Windows Authentication (IWA), the ProxySG appliance can communicate with it to authenticate incoming users and authorize their access to web servers in your protected network.

Join the ProxySG appliance to the Domain

1. Browse to the Configuration tab > Authentication > Windows Domain.
2. Enter a hostname for your ProxySG appliance in the Hostname field. This same hostname must be configured in your internal DNS server if you will be using Kerberos IWA authentication.
3. Click Add New Domain.
4. Enter a text label for the new domain entry. Use the same name you defined in the hostname field and click OK and Apply.
5. Select the entry in the Domains list and click the Join button.
6. Enter the Windows Active Directory domain name in the DNS Domain Name field and a domain administrator account with password into the subsequent fields. When done, click OK.
7. A confirmation dialog box is displayed to report success or failure in joining the domain.

Configure the Authentication Realm

1. Browse to the Configuration tab > Authentication > IWA.
2. Click New and set a name for the IWA realm. Choose Direct and select the domain you created earlier, then click OK and Apply.

Test the configuration

1. Click the IWA Servers tab in Authentication > IWA.
2. Click the Test Configuration button. A prompt is displayed to enter a username and password. Enter a user name and password for an account in the Active Directory and click OK to see the results of the test.

Create an LDAP-Based Authentication Realm

In order for your ProxySG appliance to authenticate users against an LDAP server, you need to create an LDAP realm. Follow the steps below to configure an LDAP authentication realm. For more information on LDAP realm support and advanced configuration items, please see the Authentication WebGuide.

1. In the web-based management console, browse to Configuration > Authentication > LDAP.
2. In the LDAP Realms tab, click New.
3. Enter a name for the new realm, choose the type of LDAP server and enter the server host IP address. Click OK.
4. Click the LDAP Servers tab to define:
   a. LDAP Protocol Version used by your LDAP directory.
   b. Enable the Follow Referrals check box if your LDAP directories are distributed across several servers that use continuation references. This option allows your searches to follow referrals and return all matching entries found during a search operation.
   c. Select the Case Sensitive check box if your LDAP directory uses case-sensitive values for the user names and passwords.
   d. Enter the IP address for your alternate LDAP directory server, if present, in the Alternate Server Host field.
5. Click the LDAP DN tab to configure the base Distinguished Names that will be used to match user and group names within the LDAP tree.
   a. Click New to create a new Base DN object.
   b. Enter the base DN, based on your LDAP structure, to identify the point at which user objects will be searched.
6. Click the LDAP Search & Groups tab to define a Base DN; a set of user credentials that the ProxySG appliance will use to perform searches against the LDAP directory.
   a. Enable the Anonymous search allowed check box if your LDAP structure supports it. If not, remove the check mark.
   b. In the Search user DN field, enter the LDAP account that will be used to perform LDAP searches, in LDAP structure (for example, cn=bc_admin,cn=users,dc=acme,dc=com).
   c. Click the Change Password button to enter the password for the search account.
   d. (Optional) To support nested group searches, enable the Nested Groups Support check box.
7. Click Apply to save your LDAP Realm configuration.

Configure a Local Authentication Realm

Follow these steps to configure a Local authentication realm and some users.

1. Log in to the web-based management console.
2. Browse to the Configuration tab > Authentication > Local.
3. In the Local Realms tab, click New.
4. Enter a name for the local realm. For this example, "Local" will be used as the realm name.
5. Click the Local Main tab. Make note of the local user list name, as it will be necessary in the next section.
6. Click Apply.

User and group definitions are managed from the Command Line Interface (CLI). The steps below will guide you through creating users and groups.

1. Log in to the CLI and enter enable and configuration terminal mode.
2. At the (config) prompt, type:
   security local-user-list edit local_user_database
3. Add a group with the following command:
   group create users
4. (Optional) Add another group with the following command:
   group create administrators
5. Create user accounts with the following steps:
   user create user1
6. Edit the user account to define the password and user group details for the user account:
   user edit user1
7. Create a password for the account by entering:
   password
   (Replace with an appropriate password)
8. (Optional) Associate this user account with a local user group with the command:
   group add administrators

Repeat this process for all user accounts you want to create.

Create a RADIUS Authentication Realm

1. Browse to the Configuration tab > Authentication > RADIUS.
2. Click the RADIUS Realms tab and click New. The Add RADIUS Realm dialog displays.
3. Enter a name for the realm and the Primary Server host IP or hostname, and define the server password, known as a RADIUS Secret. Click OK.
4. Click the RADIUS Servers tab if you have additional RADIUS servers in your environment you wish to configure for redundancy or if you wish to set server encoding, timeout values and case-sensitivity.
5. Click Apply to save your new realm.

SAML Authentication

Your ProxySG appliance can authenticate incoming requests using SAML (Security Assertion Markup Language). With the steps below, you'll be able to configure an Authentication Realm to authenticate users with this single-sign-on authentication configuration, based on your own authentication server infrastructure.

In a SAML realm configuration, the ProxySG acts as the Service Provider (SP) and a back-end authentication server (Microsoft Active Directory Federation Services server, SiteMinder Federation Partnership R12, or Oracle Identity Federation) is used as the Identity Provider (IDP). For more information on configuring a SAML realm, please refer to the SGOS 6.6 Administration Guide.

The ProxySG appliance and the IDP exchange data in XML documents called assertions. After a user is authenticated, the IDP sends an authentication assertion to the proxy and establishes an authenticated session with the appropriate authorization for the user.

Before you set up a SAML realm, perform the following tasks on your IDP:

- Install and configure the administration software.
- Set up the identity store for authentication.
- Identify the default user attribute to be passed in SAML assertions. For example, the User Principal Name attribute in LDAP.
- Identify any additional attributes that you want to be passed in assertions, for example, the memberof attribute, which identifies the groups of which a user is a direct member in LDAP.
- Determine the location (URL) of the IDP's metadata file. This is needed to complete the realm configuration.

Export the IDP Metadata File

To export the IDP metadata file, log in to the IDP's administration software. Exporting IDP metadata entails saving the XML document to disk. It is important to save the metadata file without opening it in a browser first. Browsers do not necessarily support XML file structure and may change the XML tags.

If you use SiteMinder or Oracle, you will need to copy and paste the metadata file contents to the CLI using the inline idp-metadata command. Because XML files are text-based, it is best to use a text editor such as Notepad to open the file to copy its contents.

To ensure that the SAML realm is configured correctly, Blue Coat recommends that you import metadata instead of entering the information manually. To import SiteMinder and Oracle metadata, use the following CLI command:

   #(config saml <realm-name>) inline idp-metadata <XML>

Export Metadata from Active Directory Federation Server

1. Log in to the AD FS MMC.
2. Select Endpoints and look under Metadata for the URL beside the Federation Metadata type.
3. Copy the URL and paste it into a browser address bar.
4. Save the XML document to disk.

Export Metadata from SiteMinder

Before you can export metadata, make sure that you have created a SAML 2.0 IDP. The steps below assume that you have already created the IDP (entity) in SiteMinder.

1. Log in to the CA Federation Manager.
2. Select Federation > Entities.
3. Beside the entity you created, select Action > Export Metadata.
4. In the Partnership Name field, enter a name to identify the partnership between the ProxySG appliance and SiteMinder.
5. Click Export. SiteMinder generates the metadata document.
6. Save the XML document to disk.

Export Metadata from Oracle

1. Log in to the Oracle Enterprise Manager.
2. In the navigation tree on the left, select Identity and Access > OIF.
3. On the main page, select Oracle Identity Federation > Administration > Security and Trust.
4. Click the Provider Metadata tab.
5. In the Generate Metadata section, select Identity Provider from the Provider Type menu.
6. Select SAML 2.0 from the Protocol menu.
7. Click Generate. OIF generates the metadata document.
8. Save the XML document to disk.

Prepare the ProxySG for SAML Authentication

1. Configure the CA Certificate List. The ProxySG appliance CCL must contain at least one root certification authority (CA) certificate, but depending on other considerations, you may require more certificates. Refer to the following list to determine which certificates you must import to the CCL:
   - Root CA certificate: Required. Add the certificate for the root CA that issued the IDP's signing certificate to the CCL.
   - IDP's signing certificate: Required if self-signed. If the IDP's signing certificate is self-signed, add it to the CCL. Certificates signed by the CA are included in SAML assertions.
   - Intermediate CA certificate: Optional. You must import intermediate CA certificates to the ProxySG, but it is not necessary to add them to the CCL.
   For instructions on importing certificates to the ProxySG appliance, see the SGOS 6.5 Administration Guide section, "Importing CA Certificates" (page 1178).
2. Set up an HTTPS reverse proxy service. The IDP redirects browsers to an HTTPS reverse proxy service on the appliance. While Blue Coat recommends this for security, it is only required for Active Directory IDP deployments where the SAML realm is using an HTTPS POST endpoint (SiteMinder and Oracle-based SAML realms can use HTTP). If your Reverse Proxy deployment already incorporates an HTTPS Reverse Proxy service, ensure that it is associated with a CCL that includes the CA certificate for your IDP.

Configure SAML Attributes

The ProxySG appliance maps policy conditions to assertion attribute values. If you require more attributes than the ones included in SAML assertions, you can define them in the SAML realm. To define assertion attributes:

1. In the web-based management console, select Configuration > Authentication > SAML > Attributes.
2. Click New. A dialog displays.
3. Enter attribute settings:
   - Attribute name: This is the name of the attribute as it appears in the ProxySG appliance and IDP configuration, and when referring to the attribute in the attribute.<name>= policy condition. The name must be unique.
   - Attribute data type: Select case-exact-string or case-ignore-string. The ProxySG appliance uses this setting to match assertion attribute values with policy conditions.
   - SAML name: This is the name of the attribute as it will appear in assertions from the IDP, in the Name= XML attribute of the <Attribute> element. For example, an assertion might include the line <saml:Attribute Name="mail"> where mail is the SAML attribute name.
4. Click OK and Apply.

Create SAML Realms

1. In the web-based management console, select Configuration > Authentication > SAML.
2. Click New. The New SAML Realm dialog displays.
3. Enter a name for the realm in the Realm name field.
4. From the Federated IDP CCL drop-down, select the CCL you created in the "Configure the CCL" step earlier.
5. Do one of the following to specify configuration parameters:
   - AD FS: Use preconfigured settings for the IDP. Copy and paste the URL for the metadata into the Federated IDP metadata URL field.
   - SiteMinder and Oracle FS: Import metadata through the inline idp-metadata CLI command.
6. From the Encryption keyring (optional) drop-down menu, select the keyring to use for decrypting encrypted assertions.
7. (Optional) If you need to encrypt assertions from the IDP, check the Require encryption check box. As long as an encryption keyring is configured, the ProxySG appliance attempts to decrypt encrypted assertions whether or not the Require encryption check box is enabled.
8. Specify the hostname for the SAML endpoint; in other words, point to the HTTPS reverse proxy listener you set up. In the Virtual host field, enter the host and port in the format <hostname_or_ip_address>:<port_number>. The hostname must match the common name in the SSL certificate for the HTTPS reverse proxy service.
9. (Optional) Define limits for assertion timestamps. Assertions with timestamps that fall outside of these limits are invalid. Specify an interval before the current time. Assertions stamped before this interval are invalid. In the Not before field, specify the number of seconds. The default value is 60.

Once your realm is configured and verified, configure authenticated user access policies.
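How the attribute definitions (attribute name, data type, SAML name) and the Not before limit described above fit together, as an added Python sketch that is not Blue Coat code and not how SGOS implements these checks. The assertion is constructed sample data, the class and function names are hypothetical, the timestamp checked is assumed to be the assertion's IssueInstant, and signature validation against the CCL is left out.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (unsigned; a real SP must first verify the
# IDP's signature against the certificates in its CCL).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2015-06-01T12:00:30Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>Alice@Example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=WebUsers,DC=example,DC=com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed "current time" so the example gives the same result on every run.
SAMPLE_NOW = datetime(2015, 6, 1, 12, 1, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AttributeDef:
    """One row of the realm's attribute table (hypothetical representation)."""
    name: str        # name used in the attribute.<name>= policy condition
    data_type: str   # "case-exact-string" or "case-ignore-string"
    saml_name: str   # value of Name= on the assertion's <Attribute> element


# Constructed attribute definitions for the sample assertion.
SAMPLE_DEFS = [
    AttributeDef("email", "case-ignore-string", "mail"),
    AttributeDef("group", "case-exact-string", "memberOf"),
]


def timestamp_ok(assertion_xml, now, not_before_s=60):
    """Reject assertions stamped more than not_before_s seconds before now.

    Assumption: the timestamp compared is the assertion's IssueInstant.
    """
    root = ET.fromstring(assertion_xml)
    issued = datetime.strptime(
        root.attrib["IssueInstant"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return issued >= now - timedelta(seconds=not_before_s)


def extract_attributes(assertion_xml, defs):
    """Map assertion attributes to policy attribute names via the SAML name."""
    root = ET.fromstring(assertion_xml)
    by_saml_name = {d.saml_name: d for d in defs}
    found = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        definition = by_saml_name.get(attr.get("Name"))
        if definition is None:
            continue  # attributes not defined in the realm are not usable in policy
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        found.setdefault(definition.name, []).extend(values)
    return found


def condition_matches(defs, attrs, name, expected):
    """Evaluate a policy-style test attribute.<name>=expected using the data type."""
    definition = next((d for d in defs if d.name == name), None)
    if definition is None:
        return False
    values = attrs.get(name, [])
    if definition.data_type == "case-ignore-string":
        return expected.casefold() in (v.casefold() for v in values)
    return expected in values  # case-exact-string


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION, SAMPLE_DEFS)
    print("fresh enough:", timestamp_ok(SAMPLE_ASSERTION, SAMPLE_NOW))
    print("email match :", condition_matches(SAMPLE_DEFS, attrs, "email", "alice@example.com"))
    print("group match :", condition_matches(SAMPLE_DEFS, attrs, "group", "cn=webusers,dc=example,dc=com"))
```

With case-exact-string, a group value that differs only in letter case does not match, so the data type chosen for an attribute decides whether a group-based allow rule fires.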

Authentication Policy

With an authentication realm configured, you can now configure policy on the ProxySG appliance to authenticate, log and control user access to your web server. The steps below guide you through setting up rules to authenticate users, restrict access for specific users and groups, and deny all other access to the web server.

Create a Rule to Authenticate users:

1. Browse to the Configuration tab > Policy > Visual Policy Manager and click Launch.
2. Click the Policy menu and select Add Web Authentication Layer.
3. Right-click the Destination field, click Set, New, Request URL.
4. Enter the URL for your web server, as users will access it from the Internet. Click Add, Close, OK.
5. Right-click the Action field, click Set, New, Authenticate.
6. Choose the authentication realm you would like to use to authenticate users.
7. Select an Origin authentication mode from the Mode dropdown (see "Authentication Modes" on page 23 for more information on Origin authentication modes) to ensure that the ProxySG sends the appropriate type of challenge to users.
8. Click OK, then OK.

Secure your existing Web Access rules:

1. Browse to your Web Access layer in the VPM.
2. Identify the rule that permits users to access your Reverse Proxy web server.
3. Right-click the source in the rule, click Set, New, Group.
4. Enter the group ID for the authentication realm you've selected. If your realm is an IWA or LDAP realm, you can click Browse to search the directory tree for a user group.
5. Click OK, OK once the group is defined.

Prevent unauthorized access:

1. Click Add Rule and move the new rule beneath the existing Web Access Layer rule.
2. Position the rule beneath the existing allow rule.
3. Right-click the rule number next to the existing rule, click Copy.
4. Right-click the rule number next to the new rule, click Paste.
5. Right-click the Source object (currently showing the authentication user group) and select Negate.
6. Right-click the Action in this rule, select Deny.
7. Click Install Policy to commit these changes.

Authentication Modes

When authenticating your users, it's important to consider how the authentication challenge will be sent to the user and how the ProxySG appliance will track that information. In Reverse Proxy deployments, with the Origin authentication mode the ProxySG appliance acts as the Origin Content Server (OCS) and issues authentication challenges as such. Every request that triggers an authentication rule in policy will be subjected to additional authentication challenges, though they may be imperceptible to users as their browsers can store and serve their entered credentials.

To reduce the number of authentication challenges sent (which can significantly reduce load on your authentication servers), authentication surrogates provide the opportunity to cache authenticated sessions with either an IP address or a cookie stored in users' browsers. If your firewall configuration uses Network Address Translation to obscure users' source public IP addresses, only use Origin or Origin-Cookie authentication modes.

More details on each of the available origin authentication modes:

Origin
The ProxySG acts like an OCS and issues OCS challenges. The authenticated connection serves as the surrogate credential.

Origin-IP
The ProxySG acts like an OCS and issues OCS challenges. The client IP address is used as a surrogate credential. Origin-IP is used to support IWA authentication to the upstream device when the client cannot handle cookie credentials. This mode is primarily used for automatic downgrading, but it can be selected for specific situations.

Origin-cookie
The ProxySG acts like an origin server and issues origin server challenges. A cookie is used as the surrogate credential. Origin-cookie is used in forward proxies to support pass-through authentication more securely than origin-ip if the client understands cookies. Only the HTTP and HTTPS protocols support cookies; other protocols are automatically downgraded to origin-ip.
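The following Python model is an added example, not part of the original guide and not ProxySG code. It shows how the choice of surrogate credential decides who a request is attributed to when two users share one NAT address, and how origin-cookie falls back to origin-ip for protocols without cookies. All class, field and function names, and the sample addresses, are hypothetical.

```python
"""Toy model of origin-style authentication surrogates (constructed example).
Not ProxySG code; class, field and function names are hypothetical."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

COOKIE_PROTOCOLS = {"http", "https"}  # only these protocols support cookies


@dataclass(frozen=True)
class Request:
    user: str                     # who answers if the proxy issues a challenge
    client_ip: str                # source address as the proxy sees it (after NAT)
    connection_id: int            # identifies the client connection
    protocol: str = "https"
    cookie: Optional[str] = None  # surrogate cookie sent by the browser, if any


class SurrogateProxy:
    def __init__(self, mode: str) -> None:
        if mode not in ("origin", "origin-ip", "origin-cookie"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.surrogates: Dict[Tuple[str, object], str] = {}
        self.challenges = 0

    def effective_mode(self, req: Request) -> str:
        # Protocols that cannot carry cookies are downgraded to origin-ip.
        if self.mode == "origin-cookie" and req.protocol not in COOKIE_PROTOCOLS:
            return "origin-ip"
        return self.mode

    def _key(self, req: Request):
        mode = self.effective_mode(req)
        if mode == "origin":
            return ("connection", req.connection_id)
        if mode == "origin-ip":
            return ("ip", req.client_ip)
        return ("cookie", req.cookie) if req.cookie else None

    def handle(self, req: Request):
        """Return (identity the request is attributed to, cookie issued or None)."""
        key = self._key(req)
        if key is not None and key in self.surrogates:
            return self.surrogates[key], None   # surrogate hit: no challenge
        self.challenges += 1                    # no surrogate: challenge the client
        issued = None
        if self.effective_mode(req) == "origin-cookie":
            issued = secrets.token_urlsafe(16)  # unguessable surrogate value
            key = ("cookie", issued)
        self.surrogates[key] = req.user
        return req.user, issued


def nat_scenario(mode: str):
    """Alice authenticates, then Bob arrives from the same NAT address."""
    proxy = SurrogateProxy(mode)
    nat_ip = "203.0.113.10"  # constructed documentation address
    proxy.handle(Request("alice", nat_ip, connection_id=1))
    identity, _ = proxy.handle(Request("bob", nat_ip, connection_id=2))
    return identity, proxy.challenges


def repeat_visit_challenges(mode: str, requests: int = 5) -> int:
    """Challenges seen by one browser that reuses its connection and cookie."""
    proxy = SurrogateProxy(mode)
    cookie = None
    for _ in range(requests):
        _, issued = proxy.handle(Request("alice", "198.51.100.7", 1, cookie=cookie))
        cookie = issued or cookie
    return proxy.challenges
```

In the model, `nat_scenario("origin-ip")` attributes Bob's request to Alice without a challenge, which is the situation the NAT guidance above avoids.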

Advanced Policy Tasks

Now that your ProxySG appliance is configured to pass user requests from the Internet to your back-end content server, there are some advanced configuration tasks you can use to improve performance, security and control.

Two-Way URL Rewrite
ProxyAV Integration
Regional Access Control

Two-Way URL Rewrite

The ProxySG appliance can use policy to accept the URL entered by a user on the Internet and alter it to match what the internal web server expects. The two primary uses for this are:

1. SSL offloading. The proxy accepts secure connections from users on HTTPS, while the back-end web server hosts the website as HTTP.
2. Web servers configured with absolute links. This affects cases where users will access the web server from the Internet via one address, but the structure of the web server's URL links includes an absolute link.

This set of policy elements will ensure that absolute links work as expected, while users never see internal or nonsecure addresses while accessing your web site content.

Policy Example

In this example, users on the Internet access the page via while the web server URLs are defined as absolute links to For your scenario, simply replace the URLs with your own. Note the order: the publicly accessible URL that will direct users to the ProxySG appliance is first, while the second URL in the rewrite represents the URL the proxy will use to communicate with the web server.

define url_rewrite P
  rewrite_url_prefix " "
end

define action portal
  rewrite(url,"
  transform P
end

define action force_uncompressed
  delete (request.header.accept-encoding)
end

<Proxy>
  url= action.portal(yes)

<Cache>
  action.force_uncompressed(yes)
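The following Python model is an added example, not part of the original guide and not ProxySG code. It walks through both directions of a two-way rewrite and shows what happens to the response-body rewrite when the web server is allowed to compress its reply. The two URL prefixes, the constructed origin server and all function names are placeholders.

```python
"""Model of a two-way URL rewrite on a reverse proxy (constructed example).
Not ProxySG code. Both prefixes are placeholders, not the guide's URLs."""
import gzip

PUBLIC_PREFIX = "https://www.public.example/"       # what Internet users request
INTERNAL_PREFIX = "http://web01.internal.example/"  # what the web server expects

# Constructed browser request headers.
BROWSER_HEADERS = {
    "Accept-Encoding": "gzip, deflate",
    "User-Agent": "constructed-browser/1.0",
}


def rewrite_request(url, headers, strip_accept_encoding=True):
    """Inbound leg: map the public URL to the internal one.

    With strip_accept_encoding=True the Accept-Encoding request header is
    deleted, mirroring the force_uncompressed action in the policy above.
    """
    if not url.startswith(PUBLIC_PREFIX):
        raise ValueError("URL is not published by this reverse proxy")
    upstream_url = INTERNAL_PREFIX + url[len(PUBLIC_PREFIX):]
    upstream_headers = {
        name: value
        for name, value in headers.items()
        if not (strip_accept_encoding and name.lower() == "accept-encoding")
    }
    return upstream_url, upstream_headers


def rewrite_response_body(body: bytes) -> bytes:
    """Outbound leg: replace absolute internal links with the public prefix."""
    return body.replace(INTERNAL_PREFIX.encode(), PUBLIC_PREFIX.encode())


def origin_server(url, headers):
    """Constructed web server: absolute internal links, gzip when permitted."""
    page = "".join(
        f'<a href="{INTERNAL_PREFIX}reports/{name}.html">{name}</a>\n'
        for name in ("q1", "q2", "q3")
    ).encode()
    accepted = next(
        (v for k, v in headers.items() if k.lower() == "accept-encoding"), ""
    )
    if "gzip" in accepted:
        return gzip.compress(page), {"Content-Encoding": "gzip"}
    return page, {}


def fetch_via_proxy(public_url, client_headers, strip_accept_encoding=True):
    """Return the HTML the browser ends up rendering."""
    upstream_url, upstream_headers = rewrite_request(
        public_url, client_headers, strip_accept_encoding
    )
    body, response_headers = origin_server(upstream_url, upstream_headers)
    # The proxy rewrites the bytes it received. A gzip body does not contain
    # the prefix as plain text, so the replacement silently matches nothing.
    body = rewrite_response_body(body)
    if response_headers.get("Content-Encoding") == "gzip":
        body = gzip.decompress(body)  # what the browser does before rendering
    return body.decode()


if __name__ == "__main__":
    url = PUBLIC_PREFIX + "reports/index.html"
    for strip in (True, False):
        html = fetch_via_proxy(url, BROWSER_HEADERS, strip_accept_encoding=strip)
        leaked = html.count(INTERNAL_PREFIX)
        print(f"strip Accept-Encoding={strip}: internal links shown to user={leaked}")
```

When checking a deployment, the same test applies: fetch a page through the public address and search the rendered HTML for the internal hostname.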

ProxyAV Integration

While the ProxySG appliance can help to secure and control access to your content servers, a ProxyAV appliance can help to further protect your data by scanning for viruses and controlling the types of files that can be transferred.

Before you start

To make use of your ProxyAV in your ProxySG Reverse Proxy deployment, make sure that your ProxyAV is configured and licensed, with the most up-to-date virus definitions for the anti-virus provider of your choice. A specialized webguide located here will help you with your initial configuration.

Policy Configuration - Virus Scanning

Scan data uploaded to your content server.

1. Launch the Visual Policy Manager.
2. In the Policy menu, click Add Web Access layer.
3. Name the new layer "AV Scan".
4. Right-click the action in the default rule, click Set, New, ICAP Request Service.
5. Choose your ICAP server from the list of available services on the left, click Add>> to move the server to the list of selected servers.
6. Error handling - Decide if you want to permit users to upload files if the ProxyAV appliance is unavailable. Select either Deny the client request or Continue without further ICAP request processing, depending on your security practices.
7. Click OK and Install Policy.

Policy Configuration - File Upload Control

Configure a policy to control the types of files users can upload to your back-end content server. To use the ICAP scanning function here, make sure that an ICAP Request Modification rule is in place.

1. Launch the Visual Policy Manager.
2. In the Policy menu, click Add Web Access Layer, name it "File access" or something similar to identify this policy layer as the one used to control the types of files that can be uploaded.
3. Right-click the source field, click New, Apparent Data Type.
4. Name the object "blocked file types".
5. Select the file types you do not want users to be able to upload to your server.
6. Check the Enable ICAP Scanning box to leverage the ProxyAV to examine the file types contained within file archives (such as zip, rar, or gz). Click OK, OK.

Regional Access Control

Blue Coat's Geolocation service identifies public IP address blocks and their countries of origin. This allows you to control what regions can access your Reverse Proxy-protected web services.

Enable Geolocation Services

1. In the web-based management console, browse to the Configuration tab > Geolocation > General.
2. Check the Enable Geolocation box to enable Blue Coat's geographic location service on the device and click Apply.

If you receive an error message at this point that reads "Device is not entitled to download Geolocation Database", your ProxySG appliance is not licensed for Blue Coat's Geolocation service. Speak with your Blue Coat sales point of contact or Blue Coat Customer Care to inquire about adding this service to your appliance.

Define Geolocation Policy

1. In the web-based management console, browse to the Configuration tab > Policy > Visual Policy Manager and click Launch.
2. Open your Web Access layer and add a new rule to the top of the list.
3. Right-click the source field and click Set > New > Client Geolocation. The Set New Client Geolocation dialog displays.
4. Select the countries your intended users are in and click OK, OK.
5. Right-click the Action field and click Allow.

Define Restrictive Geolocation Policy

1. Still in your Web Access layer, create a new rule beneath your initial Geolocation rule.
2. Right-click the source field, click Set > New > Client Geolocation.
3. Select all of the countries except for those you defined in the preceding rule and click OK, OK.
4. Click Install Policy.

Monitoring Users and Resources

The ProxySG appliance offers several solutions for monitoring your deployment. From on-box tracking of users and system resources to our off-box Blue Coat Reporter solution, it's easy to monitor your Reverse Proxy.

Monitoring the Appliance
SNMP Monitoring
Monitor User Activity

Monitoring the Appliance

The ProxySG appliance offers in-depth on-box monitoring capabilities in the Statistics tab of the web-based management console. This is where to find your appliance's health and other system monitoring information.

ProxySG appliance Statistics Tab

Important sections

1. System: Here you'll find detailed statistics for system resources including CPU, Memory and Disk usage. Data is displayed in time-selectable graphs that show hourly, daily, weekly or monthly resource statistics.
2. Active/Errored Sessions: This section shows the session details for all users on the system in real time. You can see how much data is transferred, how long they've been connected and what URL they are accessing. Options are also present here for terminating individual sessions or all sessions.
3. Health Monitoring: System health is reported here. That includes CPU, memory, and interface utilization. You can set thresholds for alerts when these values reach or exceed usage percentage points. The Status tab in this section reports the state of hardware monitors as well as overall health check status.
4. Health Checks: This page displays the access and test results for all authentication realms, DNS servers, external services like ICAP servers, and forwarding hosts. Here, you can see the current state of these services, how long they've been in that state, and what the results of automated health checks were at past intervals.
5. Authentication: Authenticated user sessions are tracked here. You can view user details such as authentication duration, bytes transferred and their connecting IP address. Available options include logout for one or all users and to refresh authentication surrogates or credentials.

SNMP Monitoring

All ProxySG appliance system events are logged to the local event log. If configured, these same events are also sent to an SNMP server.

Enable the SNMP management service

1. Browse to the Configuration tab of the web management console.
2. Click Services > Management Services.
3. Click the empty checkbox in the Enabled column and click Apply.
4. Browse to the Maintenance tab > SNMP. Your ProxySG appliance can now be queried by your SNMP tool. To configure SNMP reporting, continue to step 5.
5. Define your SNMP version 1, 2, or 3 server settings here and click Apply.

For more information on interpreting SNMP events on your monitoring utility, see the Critical Resource Monitoring Guide here:

Monitor User Activity

You can monitor user access to your content servers in real time via the Log Tail option in the Statistics tab > Access Logging. To view the current requests being made to your content servers, click Start Tail to output the access log to this live window. Depending on the busyness of your content servers, this might appear to flow too fast to read. Click Stop Tail to stop the output for easier reading.

For longer-term and archival reporting, the ProxySG appliance can be configured to upload access log data to several types of log processing services. Blue Coat Reporter is uniquely tasked as the best method to analyze and report on user activity. Information about installing and configuring Blue Coat Reporter in your environment can be found on Blue Touch Online here: 9.x.

Blue Coat Security First Steps Solution for Controlling HTTPS

Blue Coat Security First Steps Solution for Controlling HTTPS Solution for Controlling HTTPS SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,

More information

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy Blue Coat Security First Steps Solution for Deploying an Explicit Proxy SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,

More information

Blue Coat Security First Steps. Solution for HTTP Object Caching

Blue Coat Security First Steps. Solution for HTTP Object Caching Solution for HTTP Object Caching Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM,

More information

Blue Coat Security First Steps Transparent Proxy Deployments

Blue Coat Security First Steps Transparent Proxy Deployments Transparent Proxy Deployments SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE,

More information

Blue Coat Security First Steps Solution for Integrating Authentication Using LDAP

Blue Coat Security First Steps Solution for Integrating Authentication Using LDAP Solution for Integrating Authentication Using LDAP SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Decrypt Inbound SSL Traffic for Passive Security Device (D-H)

Decrypt Inbound SSL Traffic for Passive Security Device (D-H) Decrypt Inbound SSL Traffic for Passive Security Device (D-H) SSL Visibility Appliance First Steps Guide Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG,

More information

Blue Coat Security First Steps Solution for Integrating Authentication

Blue Coat Security First Steps Solution for Integrating Authentication Solution for Integrating Authentication using IWA Direct SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Blue Coat Security First Steps Solution for Streaming Media

Blue Coat Security First Steps Solution for Streaming Media Blue Coat Security First Steps Solution for Streaming Media SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Blue Coat ProxySG Authentication Guide. SGOS 6.5.x

Blue Coat ProxySG Authentication Guide. SGOS 6.5.x Blue Coat ProxySG Authentication Guide SGOS 6.5.x 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9,

More information

Blue Coat Security First Steps Solution for Controlling Web Applications

Blue Coat Security First Steps Solution for Controlling Web Applications Blue Coat Security First Steps Solution for Controlling Web Applications SGOS 6.5 Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW,

More information

Blue Coat Security First Steps Solution for Recording and Reporting Employee Web Activity

Blue Coat Security First Steps Solution for Recording and Reporting Employee Web Activity Solution for Recording and Reporting Employee Web Activity SGOS 6.5 Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Blue Coat ICS PROTECTION Scanner Station Version

Blue Coat ICS PROTECTION Scanner Station Version Blue Coat ICS PROTECTION Scanner Station Version USB Malware Defense for Industrial Computers User Guide, version 5.3.1 Contents Contents 1. ABOUT... 3 1.1. About this Guide... 3 1.2. System Requirements...

More information

Reverse Proxy with SSL - ProxySG Technical Brief

Reverse Proxy with SSL - ProxySG Technical Brief SGOS 5 Series Reverse Proxy with SSL - ProxySG Technical Brief What is Reverse Proxy with SSL? The Blue Coat ProxySG includes the functionality for a robust and flexible reverse proxy solution. In addition

More information

Web Application Classification Feature

Web Application Classification Feature Web Application Classification Feature PacketShaper 11.5 Third Party Copyright Notices 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Content Analysis System Guide

Content Analysis System Guide Content Analysis System Guide Version 1.1.4.1 - 2 - Content Analysis System Administration Guide Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER,

More information

Blue Coat Systems. Client Manager Redundancy for ProxyClient Deployments

Blue Coat Systems. Client Manager Redundancy for ProxyClient Deployments Blue Coat Systems Client Manager Redundancy for ProxyClient Deployments Copyright 1999-2013 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means

More information

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES

SECURE WEB GATEWAY DEPLOYMENT METHODOLOGIES WHITEPAPER In today s complex network architectures it seems there are limitless ways to deploy networking equipment. This may be the case for some networking gear, but for web gateways there are only

More information

LDAP Authentication and Authorization

LDAP Authentication and Authorization LDAP Authentication and Authorization What is LDAP Authentication? Today, the network can include elements such as LANs, WANs, an intranet, and the Internet. Many enterprises have turned to centralized

More information

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES

IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES IWA AUTHENTICATION FUNDAMENTALS AND DEPLOYMENT GUIDELINES TECHNICAL BRIEF INTRODUCTION The purpose of this document is to explain how Integrated Windows Authentication (IWA) works with the ProxySG appliance,

More information

SSL Proxy Deployment Guide

SSL Proxy Deployment Guide SSL Proxy Deployment Guide SGOS 6.5 and later Version: 02-07.14.15 - 2 - Copyrights 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS,

More information

Blue Coat Systems. Reference Guide. SSL Proxy. For SGOS 5.5.x and later

Blue Coat Systems. Reference Guide. SSL Proxy. For SGOS 5.5.x and later Blue Coat Systems Reference Guide SSL Proxy For SGOS 5.5.x and later Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World: Blue Coat Systems

More information

WAN OPTIMIZATION FOR MICROSOFT SHAREPOINT BPOS

WAN OPTIMIZATION FOR MICROSOFT SHAREPOINT BPOS WHITEPAPER EXECUTIVE SUMMARY Microsoft SharePoint is a web-based collaboration and information-sharing platform designed as a centralized replacement for multiple web applications. SharePoint leverages

More information

A TECHNICAL REVIEW OF CACHING TECHNOLOGIES

A TECHNICAL REVIEW OF CACHING TECHNOLOGIES WHITEPAPER Over the past 10 years, the use of applications to enable business processes has evolved drastically. What was once a nice-to-have is now a mainstream staple that exists at the core of business,

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

Proxy Forwarding Access Method

Proxy Forwarding Access Method Proxy Forwarding Access Method Version 6.8.3/Doc Revision: 12/17/15 Blue Coat Web Security Service Proxy Fowarding Access Method Copyrights 2015 Blue Coat Systems, Inc.All rights reserved. BLUE COAT, PROXYSG,

More information

ProxySG TechBrief Enabling Transparent Authentication

ProxySG TechBrief Enabling Transparent Authentication ProxySG TechBrief Enabling Transparent Authentication What is Transparent Authentication? Authentication is a key factor when defining a web access policy. When the Blue Coat ProxyxSG is configured for

More information

ProxySG ICAP Integration

ProxySG ICAP Integration ProxySG ICAP Integration Blue Coat s proxies can utilize the Internet Content Adaptation Protocol (ICAP) to hand off HTTP requests and/or responses to an external server for configured processing and transformation.

More information

Introduction to Mobile Access Gateway Installation

Introduction to Mobile Access Gateway Installation Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure

More information

Reverse Proxy for Trusted Web Environments > White Paper

Reverse Proxy for Trusted Web Environments > White Paper > White Paper ProxySG for Reverse Proxy Web-based solutions are being implemented for nearly every aspect of business operations, and increasingly for trusted environments with mission-critical business

More information

Proxy Forwarding Access Method

Proxy Forwarding Access Method Proxy Forwarding Access Method Version 6.8.5/Doc Revision: 02/26/16 Blue Coat Web Security Service/Page 2 Proxy Fowarding Access Method/Page 3 Copyrights 2016 Blue Coat Systems, Inc.All rights reserved.

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Integrating the ProxySG and ProxyAV Appliances. For SGOS 6.5 and later and AVOS 3.5 and later

Integrating the ProxySG and ProxyAV Appliances. For SGOS 6.5 and later and AVOS 3.5 and later Integrating the ProxySG and ProxyAV Appliances For SGOS 6.5 and later and AVOS 3.5 and later i Contact Information Americas: Blue Coat Systems Inc. 410 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Sophos for Microsoft SharePoint startup guide

Sophos for Microsoft SharePoint startup guide Sophos for Microsoft SharePoint startup guide Product version: 2.0 Document date: March 2011 Contents 1 About this guide...3 2 About Sophos for Microsoft SharePoint...3 3 System requirements...3 4 Planning

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief

HTTPS HTTP. ProxySG Web Server. Client. ProxySG TechBrief Reverse Proxy with SSL. 1 Technical Brief ProxySG TechBrief Reverse Proxy with SSL What is Reverse Proxy with SSL? The Blue Coat ProxySG includes the basis for a robust and flexible reverse proxy solution. In addition to web policy management,

More information

Single Sign On for ShareFile with NetScaler. Deployment Guide

Single Sign On for ShareFile with NetScaler. Deployment Guide Single Sign On for ShareFile with NetScaler Deployment Guide This deployment guide focuses on defining the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler. Table of Contents

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12

DEPLOYMENT GUIDE Version 1.2. Deploying F5 with Oracle E-Business Suite 12 DEPLOYMENT GUIDE Version 1.2 Deploying F5 with Oracle E-Business Suite 12 Table of Contents Table of Contents Introducing the BIG-IP LTM Oracle E-Business Suite 12 configuration Prerequisites and configuration

More information

How to Configure Captive Portal

How to Configure Captive Portal How to Configure Captive Portal Captive portal is one of the user identification methods available on the Palo Alto Networks firewall. Unknown users sending HTTP or HTTPS 1 traffic will be authenticated,

More information

Blue Coat Systems. Reference Guide. SSL Proxy. For SGOS 5.3.1

Blue Coat Systems. Reference Guide. SSL Proxy. For SGOS 5.3.1 Blue Coat Systems Reference Guide SSL Proxy For SGOS 5.3.1 Contact Information Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 http://www.bluecoat.com/support/contactsupport http://www.bluecoat.com

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

Sophos Mobile Control Installation guide. Product version: 3.5

Sophos Mobile Control Installation guide. Product version: 3.5 Sophos Mobile Control Installation guide Product version: 3.5 Document date: July 2013 Contents 1 Introduction...3 2 The Sophos Mobile Control server...4 3 Set up Sophos Mobile Control...10 4 External

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

Blue Coat Systems SG Appliance

Blue Coat Systems SG Appliance Blue Coat Systems SG Appliance Configuration and Management Guide Volume 5: Securing the Blue Coat SG Appliance SGOS Version 5.1.x Volume 5: Securing the Blue Coat SG Appliance Contact Information Blue

More information

Blue Coat Cloud Data Protection Server Administration Guide

Blue Coat Cloud Data Protection Server Administration Guide Blue Coat Cloud Data Protection Server Administration Guide Software version 4.5.x September 16, 2015 2015 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper,

More information

BlueCoat s Guide to Authentication V1.0

BlueCoat s Guide to Authentication V1.0 BlueCoat s Guide to Authentication V1.0 Blue Coat and the Blue Coat logo are trademarks of Blue Coat Systems, Inc., and may be registered in certain jurisdictions. All other product or service names are

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information

Secure Web Service - Hybrid. Policy Server Setup. Release 9.2.5 Manual Version 1.01

Secure Web Service - Hybrid. Policy Server Setup. Release 9.2.5 Manual Version 1.01 Secure Web Service - Hybrid Policy Server Setup Release 9.2.5 Manual Version 1.01 M86 SECURITY WEB SERVICE HYBRID QUICK START USER GUIDE 2010 M86 Security All rights reserved. 828 W. Taft Ave., Orange,

More information

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5 DEPLOYMENT GUIDE Version 1.2 Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Microsoft IIS Prerequisites and configuration

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

Deploy Remote Desktop Gateway on the AWS Cloud

Deploy Remote Desktop Gateway on the AWS Cloud Deploy Remote Desktop Gateway on the AWS Cloud Mike Pfeiffer April 2014 Last updated: May 2015 (revisions) Table of Contents Abstract... 3 Before You Get Started... 3 Three Ways to Use this Guide... 4

More information

Implementing Exception Pages

Implementing Exception Pages Technical Brief: Implementing Exception Pages Implementing Exception Pages SGOS 5 Series Developed using SGOS 5.3.1.4 What are Exception Pages? Exception pages are Web pages (messages sent to users under

More information

Initial Configuration Guide

Initial Configuration Guide Initial Configuration Guide For Virtual Appliances Management Center 1.3.2.1 Version 1.3.2.1 Third Party Copyright Notices Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER,

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

Kaseya Server Instal ation User Guide June 6, 2008

Kaseya Server Instal ation User Guide June 6, 2008 Kaseya Server Installation User Guide June 6, 2008 About Kaseya Kaseya is a global provider of IT automation software for IT Solution Providers and Public and Private Sector IT organizations. Kaseya's

More information

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services DEPLOYMENT GUIDE Version 1.0 Deploying the BIG-IP Edge Gateway for Layered Security and Acceleration Services Table of Contents Table of Contents Using the BIG-IP Edge Gateway for layered security and

More information

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

Table of Contents Introducing the F5 Deployment Guide for Microsoft SharePoint 2010 Prerequisites and configuration

Downloading and Configuring WebFilter

What is URL Filtering? URL filtering is a type of transaction content filtering that limits a user's Web site access through a policy that is associated with a specific

Barracuda Link Balancer Administrator's Guide

Version 1.0 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2008, Barracuda Networks

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon

VMware Identity Manager Administration

VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

Decryption. Palo Alto Networks. PAN-OS Administrator's Guide Version 6.0. Copyright 2007-2015 Palo Alto Networks

Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP system v10 with Microsoft Exchange Outlook Web Access 2007

Table of Contents Deploying the BIG-IP system v10 with Microsoft Outlook Web

Secure Web Appliance. SSL Intercept

Table of Contents 1. Introduction... 1 1.1. About CYAN Secure Web Appliance... 1 1.2. About SSL Intercept... 1 1.3. About this Manual... 1 1.3.1. Document Conventions...

Installing and Configuring vcloud Connector

vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

SNMP Critical Resource Monitoring

SGOS 6.5.x and later Contact Information Americas: Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 Rest of the World:

Content Filtering Client Policy & Reporting Administrator's Guide

Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

NEXT GENERATION SECURE WEB GATEWAY: THE CORNERSTONE OF YOUR SECURITY ARCHITECTURE

A CLOSER LOOK REVEALS WHY PROXY-BASED ARCHITECTURE IS UNIQUELY EFFECTIVE IN DEFENDING AGAINST WEB-BASED THREATS. The web is central to the way we work, live,

Executive Summary. What is Authentication, Authorization, and Accounting? Why should I perform Authentication, Authorization, and Accounting?

Executive Summary As the leader in Wide Area Application Delivery, Blue Coat products accelerate and secure applications within your WAN and across the Internet. Blue Coat provides a robust and flexible

NEFSIS DEDICATED SERVER

NEFSIS TRAINING SERIES Nefsis Dedicated Server version 5.2.0.XXX (DRAFT Document) Requirements and Implementation Guide (Rev5-113009) REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER Nefsis

Integrated SSL Scanning

Software Version 9.0 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ("Finjan"). All rights reserved. All text and figures included in this publication are the exclusive

Secure Web Gateway Version 11.0 User Guide

Legal Notice Copyright 2013 Trustwave Holdings, Inc. All rights reserved. This document is protected by copyright and any distribution, reproduction, copying,

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction

Jeff Schertz MVP, MCITP, MCTS, MCP, MCSE

A comprehensive excerpt from Jeff Schertz's Lync Server MVP Blog Lync Web Services Load Balancing with KEMP VLM This article addresses a standard DNS Load Balanced

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with Oracle Application Server 10g

Table of Contents Introducing the F5 and Oracle 10g configuration Prerequisites and configuration notes...1-1

App Orchestration 2.5

Configuring NetScaler 10.5 Load Balancing with StoreFront 2.5.2 and NetScaler Gateway for Prepared by: James Richards Last Updated: August 20, 2014 Contents Introduction... 3 Configure the NetScaler load

Novell Access Manager

Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations

Quadro Configuration Console User's Guide. Table of Contents. Table of Contents

Epygi Technologies Table of Contents About This User's Guide... 3 Introducing the Quadro Configuration Console... 4 Technical Specification... 6 Requirements... 6 System Requirements...

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Contents Introduction--1 Content and Purpose of This Guide...1 User Management...2 Types of user accounts 2 Security--3 Security Features...3

User Guide. Cloud Gateway Software Device

This document is designed to provide information about the first time configuration and administrator use of the Cloud Gateway (web filtering device software).

Policy Guide. Version 6.8.2/Doc Revision: 10/23/15

Blue Coat Web Security Service Copyrights 2015 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

Web Application Firewall for Untrusted Web Environments > White Paper

ProxySG Web Application Firewall Web-based solutions are being implemented for nearly every aspect of business operations, and these are increasingly under attack within public web access

User Identification and Authentication

Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries ("Finjan"). All rights reserved. All text and figures included

Siteminder Integration Guide

Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with

Deploying the BIG-IP System v10 with Oracle Application Server 10g R2

DEPLOYMENT GUIDE Version 1.1 Table of Contents Deploying the BIG-IP system v10 with Oracle's Application Server 10g

Portal Administration. Administrator Guide

Portal Administration Guide Documentation version: 1.0 Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

Deploying the SSL Proxy

Blue Coat Systems Deployment Guide Deploying the SSL Proxy For SGOS 5.1.4 Contact Information Blue Coat Systems Inc. 420 North Mary Ave Sunnyvale, CA 94085-4121 http://www.bluecoat.com/support/contact.html

Installing Management Applications on VNX for File

EMC VNX Series Release 8.1 Installing Management Applications on VNX for File P/N 300-015-111 Rev 01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright

ADFS Integration Guidelines

Version 1.6 updated March 13th 2014 Table of contents About This Guide 3 Requirements 3 Part 1 Configure Marcombox in the ADFS Environment 4 Part 2 Add Relying Party in ADFS

Setup Guide Access Manager 3.2 SP3

August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

SSL Interception on Proxy SG

Proxy SG allows for interception of HTTPS traffic for Content Filtering and Anti Virus, and for Application Acceleration. This document describes how to set up a demonstration

Configuring Security Features of Session Recording

Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

SAML 2.0 SSO Deployment with Okta

Simplify Network Authentication by Using Thunder ADC as an Authentication Proxy DEPLOYMENT GUIDE Table of Contents Overview...3 The A10 Networks SAML 2.0 SSO Deployment