
Reverse Proxy Feature of MOB (R80.10)

I am trying to figure out how the Reverse Proxy works "under the hood".
The only information is from sk110348.

If my MOB Portal is on:
I have an ActiveSync application for our mobile phones on the FQDN:
And I configure my Outlook Anywhere clients which are using RPC over HTTP to use the URL:

What I have seen is that ActiveSync traffic has stopped working and also the MOB portal which was also available on was not available any more, and any request was forwarded to my backend server (as expected, I believe).

I did some research, and RPC over HTTP is using “/rpc/”, so I have tried to configure the Outlook Anywhere rule in the Reverse Proxy settings to have the allowed path be “/rpc/”. Now what I get is:

  1. Outlook client is working
  2. ActiveSync client is not working
  3. MOB Portal on is not working (but I don’t really need it on this URL (I have for it))
  4. For any traffic that is not in the “/rpc/” path I get “403 Forbidden”

So I don’t understand:

  1. How, and which component, decides which path belongs to MOB and which belongs to Reverse Proxy?
  2. Can MOB and Reverse Proxy listen on the same FQDN and port but on different paths?
  3. Can the Reverse Proxy feature do its “thing” only for a specific path, or is the allowed path only used for blocking anything else?
  4. If so, then my conclusion is that if I decide to use Reverse Proxy, anything for that FQDN and port will go to the Reverse Proxy feature.

Additional information I am missing is which blades are able to "scan" the traffic that is proxied on the FW?

0 Kudos
6 Replies

There is an underlying infrastructure called MultiPortal that allows multiple components to use the same port.

Depending on the specific URL accessed, the correct component will be called (Gaia portal, MAB, reverse proxy, etc).

Two components cannot share the same URL, obviously, and each one should be configured to use a unique one.

However, it can only use ONE TLS certificate, so your certificate needs to account for all the URLs that might be accessed.

Based on what you've described, it sounds like you need to configure the Mobile Access portal to use a different URL (either a different hostname, different URI on same hostname, or both).

IPS and AV scan the proxied traffic, as noted here: ATRG: Mobile Access Blade 



I am going over the SK again and it is still not clear, because some scenarios conclude that "path" can be the one that divides the MAB and Reverse Proxy resources.

Reverse Proxy will be overridden by Mobile Access Portal (conflict), when:

  • When Mobile Access Portal is configured with IP address and slash "/" (e.g.""), all Reverse Proxy requests will be mapped to the Mobile Access Portal - you should change the URL of the Mobile Access Portal to something with FQDN, or different path - e.g., "https://mabportal/", "".    << here the "/sslvpn" or "/" 

  • When "Host translation" is enabled in Mobile Access blade, you can NOT use the wildcard domain for Reverse Proxy.

    For example: If Mobile Access blade is enabled on : *, then you can not use anything with that sub-domain for Reverse Proxy, but you can use a totally different host such as << here I cannot use any , but I think also no

I also could not understand the use of the "dest" in the example configuration:

      <allowedPaths>
          <path source="/owa" dest="/owa"/>
      </allowedPaths>

0 Kudos

You’re correct on the first two points.

On the third, this option is for translating the URI. For example, you could translate /owa to /webmail as it goes through the proxy.

0 Kudos
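
A simplified model of the allowed-path behaviour discussed above, added as an example (it is not part of any post in this thread and is not Check Point's implementation): a request under an allowed `source` is forwarded with the prefix rewritten to `dest`, and everything else gets 403. The function names, the sample rules and requests, and the normalisation and whole-segment matching are assumptions made for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed rule set in the shape of the <allowedPaths> fragment quoted in
# the thread; the /owa -> /webmail mapping is the translation the reply mentions.
RULES_XML = """
<allowedPaths>
    <path source="/owa" dest="/webmail"/>
    <path source="/rpc" dest="/rpc"/>
</allowedPaths>
"""

def load_rules(xml_text):
    """Return (source, dest) pairs, longest source first so it wins a tie."""
    root = ET.fromstring(xml_text)
    rules = [(p.get("source").rstrip("/"), p.get("dest").rstrip("/"))
             for p in root.findall("path")]
    return sorted(rules, key=lambda r: len(r[0]), reverse=True)

def route(request_path, rules):
    """Model only: (200, backend_path) for an allowed path, else (403, None)."""
    # Decode and normalise before matching, so "/rpc/../x" is judged as "/x"
    # (assumed behaviour; the thread does not say how the gateway normalises).
    path = posixpath.normpath(unquote(request_path))
    if not path.startswith("/"):
        return 403, None
    for source, dest in rules:
        # Match whole segments: "/owa" covers "/owa/x" but not "/owabc".
        if path == source or path.startswith(source + "/"):
            return 200, dest + path[len(source):]
    return 403, None

if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    # Constructed sample requests.
    for req in ("/owa/auth/logon.aspx", "/rpc/rpcproxy.dll",
                "/Microsoft-Server-ActiveSync", "/rpc/../sslvpn"):
        print(req, "->", route(req, rules))
```

With only `/rpc` and `/owa` listed, the ActiveSync request falls through to 403, which matches the symptom reported in the first post.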

So it conflicts with what you said:

"Two components cannot share the same URL, obviously, and each one should be configured to use a unique one."

Or do you mean that in general the MultiPortal "routes" the request based on the URL to the component? But in my previous post I see that we can separate the MAB and the Reverse Proxy by the "path" of the URL request.

0 Kudos

They are the same concept.

MAB and Reverse Proxy (or Gaia portal, etc) cannot share the same exact URL.

That said, some URIs on the same hostname can potentially be serviced by MAB or Reverse Proxy depending on the configuration.

When you're using the Host Translation feature in MAB, you must use a completely different hostname for the Reverse Proxy feature.


Hi there


Did you perhaps get everything to work? If yes, is there any documentation that you followed?

I am also in the process of making these services available using Check Point.

Exchange ActiveSync / Exchange OWA / Exchange Autodiscovery

Your feedback will be kindly appreciated.


Thanks in advance

0 Kudos
