434 votes
HTTP Reverse Proxy
Add a reverse proxy to ASG, which is mainly requested for securing OWA, as customers do not want to put it directly onto the internet. - Some customers ask for authentication prior to allowing access - others want SSL offloading - a third group wants website security by preventing cross-site scripting...
Status:
planned
This is planned for ASG V8.000

Mustafa Nasser
One of the main strengths of Astaro is providing a rich set of proxies, however, lacking a reverse proxy for OWA is a weakness as I have to forward the traffic directly to the server without scanning content, or I have to use a front end server in the DMZ. Adding this feature will minimize risk and reduce costs.
nils
Single Sign On feature like the ISA SSO would be necessary.
Phugh
I agree with this feature. We will win more deals with this.
gnujuba
If you are thinking about securing OWA and SharePoint and all other MS stuff with the reverse proxy feature, please consider implementing Kerberos constrained delegation as in MS IAG/ISA or Juniper SA, plus support for OTP, so that the domain credentials never traverse the network between client and proxy.
Heiko Bickenbach
The reverse proxy could be useful to share ONE external TCP address:port combination between different servers in the DMZ, depending on the requested URL.
Sample:
You have got one external IP address on your DSL PPPoE interface, but you have multiple web servers/web services in your DMZ.
http://extern-ip/exchange -> http://intern-ip-01/exchange
http://extern-ip/webservice1 -> http://intern-ip-02/webservice1
http://extern-ip/webservice2 -> http://intern-ip-02/webservice2
http://extern-ip/otherservice -> http://intern-ip-03/otherservice
We already had web services which did address rewriting of links in their responses, so using different external ports and DNAT caused broken links. With the above solution even this wouldn't be a problem.
HTTPS should be supported, and maybe load balancing too.
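The path-based routing and link-rewriting problem described in this comment, as an added worked example that is not part of the thread and not ASG code: it reuses the comment's placeholder hosts, assumes `https://extern-ip` is the published external origin, refuses (rather than forwards) paths that are not in the table, and maps backend-generated absolute links back to the external origin only for paths the proxy actually publishes.

```python
# Added example, not Astaro/ASG code: path-based reverse-proxy routing table
# with backend-to-external URL rewriting. Hosts are the comment's placeholders.
from urllib.parse import urlsplit, urlunsplit

EXTERNAL = "https://extern-ip"  # assumed published origin (constructed)

# Constructed routing table: external path prefix -> internal backend origin.
ROUTES = {
    "/exchange":     "http://intern-ip-01",
    "/webservice1":  "http://intern-ip-02",
    "/webservice2":  "http://intern-ip-02",
    "/otherservice": "http://intern-ip-03",
}


def backend_for(path: str):
    """Longest-prefix match on whole path segments. None means the path is
    not published, so the proxy answers 404 itself instead of forwarding to
    some default server (e.g. '/exchangex' must not reach intern-ip-01)."""
    best = None
    for prefix in ROUTES:
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best):
                best = prefix
    return ROUTES[best] if best else None


def upstream_url(path: str):
    """Full backend URL for a published path, or None if not published."""
    backend = backend_for(path)
    return None if backend is None else backend + path


def rewrite_location(location: str) -> str:
    """Backends that build absolute links with their own host (the broken-link
    problem the comment describes with DNAT on odd ports) get those links
    mapped back to the external origin. Relative links, links to foreign
    hosts and links to unpublished backend paths are left untouched, so the
    proxy never advertises a path it would not route."""
    parts = urlsplit(location)
    origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    if origin in ROUTES.values() and backend_for(parts.path) == origin:
        ext = urlsplit(EXTERNAL)
        return urlunsplit((ext.scheme, ext.netloc, parts.path,
                           parts.query, parts.fragment))
    return location
```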
William Warren
This is redundant, as OWA already uses SSL, just on a different port.
BrucekConvergent
I vote for this as well; it would be nice to be able to route SSL website traffic through the IPS to have the traffic scrutinized; right now, all a website attacker has to do to circumvent the IPS is to use SSL...
Gustavo Mendez
It is important to have resolved the issue of digital certificates. In the case of Pound (the GNU reverse proxy) there is a problem that interacts with the SSL protocol.
Thomas Aumüller
I agree. OWA and SharePoint have to be behind a reverse proxy if you want to have basic security. As long as there is no reverse proxy running on the security solution, we have to run a dedicated one. For smaller companies this is surely a reason to choose an integrated solution. Securing "Outlook over HTTPS" via the integrated reverse proxy would be great, but not mandatory as with OWA/SharePoint.
Peter Radig
I would love to see the reverse proxy mainly for OWA and ActiveSync. If you use Apache, that needs some specific setup.
Tim Cronin
See also Single Packet Authentication (SPA) for this reason among others. I added that separately, but it would allow the packet filter to drop packets in a default-drop state unless an authentication packet was sent; then the packet filter would open a rule for a specified amount of time before closing it. For session-oriented protocols, this could be as low as a few seconds; then conntrack will take over and allow traffic through the packet filter until the session ends.
surfaren
We have a lot of customers who want to access Exchange OWA and also use push mail in a secure way.
BarryG
The Credit Card industry's PCI DSS specifies a Web Application Firewall.
A reverse proxy in combination with an IPS could qualify; e.g. Apache's ModSecurity in a reverse Apache proxy.