Astaro Gateway Feature Requests Forum


434 votes

HTTP Reverse Proxy

Add a reverse proxy to ASG, which is mainly requested for securing OWA, as customers do not want to put it directly onto the internet.
- some customers ask for authentication prior to allowing access
- other customers want SSL offloading
- a third group wants website security by preventing cross-site scripting...

Status: planned

This is planned for ASG V8.000

Gert Hansen Admin

Comments
  1.

    One of the main strengths of Astaro is providing a rich set of proxies; however, lacking a reverse proxy for OWA is a weakness, as I have to forward the traffic directly to the server without scanning content, or I have to use a front end server in the DMZ. Adding this feature will minimize risk and reduce costs.

  2.

    Single Sign On feature like the ISA SSO would be necessary.

  3.

    I agree with this feature. We will win more deals with this.

  4.

    If you are thinking about securing OWA and Sharepoint and all other MS stuff with the reverse proxy feature, please consider implementing Kerberos constrained delegation as in MS IAG/ISA or Juniper SA, plus support for OTP, so that the domain credentials never traverse the network between client and proxy.

  5. 3

    The reverse proxy could be useful to share ONE external TCP Address:Port combination between different servers in the DMZ, depending on the requested URL.

    Sample:
    You have got one external IP address on your DSL PPPoE interface, but you have multiple webservers/webservices in your DMZ.

    http://extern-ip/exchange -> http://intern-ip-01/exchange
    http://extern-ip/webservice1 -> http://intern-ip-02/webservice1
    http://extern-ip/webservice2 -> http://intern-ip-02/webservice2
    http://extern-ip/others...
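
The path-based mapping in comment 5, worked through as an added example that is not part of the original thread and not Astaro's code. The `route` function, the `ROUTES` table, the default-deny behaviour and the refusal of dot segments are assumptions of this sketch; the host names are the comment's own placeholders.

```python
from urllib.parse import quote, unquote

# Path prefix -> backend, taken from the comment; host names are its placeholders.
ROUTES = {
    "/exchange": "http://intern-ip-01",
    "/webservice1": "http://intern-ip-02",
    "/webservice2": "http://intern-ip-02",
}


def route(request_target):
    """Return the backend URL for a request target, or None to refuse it."""
    path, sep, query = request_target.partition("?")
    decoded = unquote(path)
    # A '%' left after one decoding pass means double encoding; backslashes and
    # NUL bytes are treated differently by different backends. Refuse them all.
    if not decoded.startswith("/") or any(c in decoded for c in "%\\\x00"):
        return None
    segments = [s for s in decoded.split("/") if s]  # collapses '//' runs
    # Refuse dot segments instead of resolving them, so the proxy and the
    # backend can never disagree about which directory is meant.
    if not segments or "." in segments or ".." in segments:
        return None
    # Match on the whole first segment: '/exchangeevil' must not hit '/exchange'.
    backend = ROUTES.get("/" + segments[0])
    if backend is None:
        return None  # default deny: unpublished paths never reach the DMZ
    return backend + quote("/" + "/".join(segments)) + sep + query


if __name__ == "__main__":
    # Constructed sample request targets.
    for target in ("/exchange/inbox", "/exchangeevil", "/exchange/%2e%2e/admin"):
        print(target, "->", route(target))
```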

  6.

    This is redundant as OWA already uses SSL, just on a different port.

  7.

    I vote for this as well; it would be nice to be able to route SSL website traffic through the IPS to have the traffic scrutinized; right now, all a website attacker has to do to circumvent the IPS is to use SSL...

  8. 1

    It is important to have resolved the issue of digital certificates. In the case of Pound (GNU reverse proxy), it is a problem that interacts with the SSL protocol.

  9. 1

    I agree. OWA and Sharepoint have to be behind a reverse proxy if you like to have basic security. As long as there is no reverse proxy running on the security solution we have to run a dedicated one. For smaller companies surely a reason to choose an integrated solution. Securing "Outlook over https" via the integrated reverse proxy would be great but not mandatory as with OWA/Sharepoint.

  10. 3

    I would love to see the reverse proxy mainly for OWA and ActiveSync. If you use Apache, that needs some specific setup.

  11.

    See also Single Packet Authentication (SPA) for this reason among others. I added that separately, but it would allow the packet filter to drop packets on a default drop state unless an authenticate packet was sent - then the packet filter would open a rule for a specified amount of time before closing. For session oriented protocols, this could be as low as a few seconds, then conntrack will take over and allow through the packet filter until the session ends.

  12. 3

    We have a lot of customers who want to access Exchange OWA and also use push mail in a secure way.

  13.

    The Credit Card industry's PCI DSS specifies a Web Application Firewall.

    A reverse proxy in combination with an IPS could qualify; e.g. Apache's ModSecurity in a reverse Apache proxy.
