Dor_Marcovitch
Advisor

Reverse Proxy Feature of MOB (R80.10)

I am trying to figure out how the Reverse Proxy works "under the hood".
The only information is from sk110348.

If my MOB Portal is on: https://vpn.company.com/
I have an ActiveSync application for our mobile phones on the FQDN: https://pop.company.com
And I configure my Outlook Anywhere clients which are using RPC over HTTP to use the URL: https://pop.company.com

What I have seen is that ActiveSync traffic has stopped working, and also the MOB portal which was also available on https://pop.company.com was not available any more, and any request was forwarded to my backend server (as expected, I believe).

I did some research, and RPC over HTTP is using the “/rpc/” path, so I have tried to configure the Outlook Anywhere rule in the Reverse Proxy setting to have the allowed path be “/rpc/”. Now what I get is:

  1. Outlook client is working
  2. ActiveSync client not working
  3. MOB Portal on https://pop.company.com is not working (but I don’t really need it on this URL (I have vpn.team.co.il for it))
  4. For any traffic that is not in the “/rpc/” path I get “403 Forbidden”

So I don’t understand:

  1. How, and which component, decides which path belongs to MOB and which belongs to Reverse Proxy?
  2. Can MOB and Reverse Proxy listen on the same FQDNs and port but on different paths?
  3. Can the Reverse Proxy feature do its “thing” only for a specific path, or is the allowed path only used for blocking anything else?
  4. If so, then my conclusion is that if I decide to use Reverse Proxy for https://pop.team.co.il, anything for that FQDN and port will go to the Reverse Proxy feature.

Additional information that I am missing is which blades are able to "scan" the traffic that is proxied on the FW?

6 Replies
PhoneBoy
Admin

There is an underlying infrastructure called MultiPortal that allows multiple components to use the same port.

Depending on the specific URL accessed, the correct component will be called (Gaia portal, MAB, reverse proxy, etc).

Two components cannot share the same URL, obviously, and each one should be configured to use a unique one.

However, it can only use ONE TLS certificate, so your certificate needs to account for all the URLs that might be accessed.

Based on what you've described, it sounds like you need to configure the Mobile Access portal to use a different URL (either a different hostname, different URI on same hostname, or both).

IPS and AV scan the proxied traffic, as noted here: ATRG: Mobile Access Blade

Dor_Marcovitch
Advisor

Hey

I am going over the SK again and it is still not clear, because some scenarios conclude that "path" can be the one that divides the MAB and Reverse Proxy resources:

Reverse Proxy will be overridden by Mobile Access Portal (conflict), when:

  • When Mobile Access Portal is configured with IP address and slash "/" (e.g."https://1.1.1.1/"), all Reverse Proxy requests will be mapped to the Mobile Access Portal - you should change the URL of the Mobile Access Portal to something with FQDN, or different path - e.g., "https://mabportal/", "https://1.1.1.1/sslvpn".    << here the "/sslvpn" or "/" 

  • When "Host translation" is enabled in Mobile Access blade, you can NOT use the wildcard domain for Reverse Proxy.

    For example: If Mobile Access blade is enabled on: *.mabportal.com, then you can not use anything with that sub-domain for Reverse Proxy, but you can use a totally different host such as reverseproxy.com << here I cannot use any xxx.mabportal.com, but I think also no mabportal.com/xxxx

I also could not understand the use of the "dest" in the example configuration:

      <allowedPaths>
          <path source="/owa" dest="/owa"/>
      </allowedPaths>
PhoneBoy
Admin

You’re correct on the first two points.

On the third, this option is for translating the URI. For example, you could translate /owa to /webmail as it goes through the proxy.

Dor_Marcovitch
Advisor

So it conflicts with what you said:

"Two components cannot share the same URL, obviously, and each one should be configured to use a unique one.

However"

Or do you mean that in general the MultiPortal "routes" the request to the component based on the URL? But in my previous post I see that we can separate the MAB and the Reverse Proxy by the "Path" of the URL request.

PhoneBoy
Admin

They are the same concept.

MAB and Reverse Proxy (or Gaia portal, etc) cannot share the same exact URL.

That said some URIs on the same hostname can potentially be serviced by MAB or Reverse Proxy depending on the configuration.

When you're using the Host Translation feature in MAB, you must use a completely different hostname for Reverse Proxy feature.
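The routing rules quoted from sk110348 in the earlier post (MAB on "/" captures everything, a MAB wildcard host with Host Translation blocks Reverse Proxy on that sub-domain, and the source/dest path translation), together with PhoneBoy's summary above, as an added model that is not Check Point code; hostnames and the backend URL are made up, and `validate`/`dispatch` are hypothetical helper names:

```python
# Added model of the MultiPortal routing rules quoted in this thread
# (sk110348 excerpts and PhoneBoy's summary). Constructed example, not
# Check Point code; hostnames and the backend URL are made up.
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlsplit

@dataclass
class MabPortal:
    host: str                    # FQDN, IP, or wildcard such as "*.mabportal.com"
    path: str = "/"              # "/" claims every path on that host
    host_translation: bool = False

@dataclass
class ReverseProxyRule:
    host: str
    backend: str                 # where matched requests are forwarded
    allowed_paths: dict          # the <path source=... dest=.../> entries

def validate(mab, rules):
    """Conflict checks taken from the SK text; returns a list of warnings."""
    warns = []
    for r in rules:
        if mab.host_translation and fnmatch(r.host, mab.host):
            warns.append(f"{r.host}: inside MAB wildcard {mab.host}; use another hostname")
        elif fnmatch(r.host, mab.host) and mab.path == "/":
            warns.append(f"{r.host}: MAB on '/' swallows all Reverse Proxy requests")
    return warns

def _under(path, prefix):
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def dispatch(url, mab, rules):
    """Return (component, result): who serves the URL and what it does with it."""
    u = urlsplit(url)
    host, path = u.hostname, u.path or "/"
    # MAB owns every request under its own portal path on its host(s).
    if fnmatch(host, mab.host) and _under(path, mab.path):
        return "MAB", path
    for r in rules:
        if r.host != host:
            continue
        for src, dst in r.allowed_paths.items():
            if _under(path, src):  # translate the URI prefix, keep the rest
                return "ReverseProxy", r.backend + dst.rstrip("/") + path[len(src.rstrip("/")):]
        return "ReverseProxy", "403 Forbidden"  # host matched, path not allowed
    return "none", None
```

With the thread's configuration (MAB on vpn.company.com, Reverse Proxy on pop.company.com allowing only /rpc/) the model reproduces the observed behaviour: RPC over HTTP is forwarded, ActiveSync gets 403, and moving the portal to a sub-path such as /sslvpn lets both share a hostname.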

Di_Junior
Advisor

Hi there


Did you perhaps get everything to work? If yes, is there any documentation that you followed?

I am also in the process of making these services available using Check Point.

Exchange ActiveSync / Exchange OWA / Exchange Autodiscovery

Your feedback will be kindly appreciated.


Thanks in advance
