Reverse Proxy for the Access Portal

In Fireware v12.5 or higher, you can configure reverse proxy actions in the Access Portal configuration. With reverse proxies, remote users can securely connect to internal web applications and Microsoft Exchange services without a VPN client. The reverse proxy forwards HTTP traffic from external networks to Exchange servers or other web applications on internal networks that are behind a Firebox.

For example, you can configure reverse proxy actions so remote users can connect to common enterprise web applications. Apps must use HTML, HTML5, or JavaScript. Browsers must support TLS (we recommend TLS 1.2 or higher).

We recommend that you limit the number of concurrent RDP connections based on the RAM allocated to each Firebox. Each RDP or SSH session consumes approximately 15 MB of RAM.

You can also configure a reverse proxy action for Microsoft Exchange. To connect to Exchange services, remote users can connect to an external URL with any of these methods:

  • Mobile devices with Microsoft mail clients (through ActiveSync)
  • Microsoft Outlook
  • Microsoft Outlook Web Access
  • Microsoft Outlook Web Access through the Access Portal (with automatic sign-in)

Authentication and Access to Web Apps

To access internal web applications, users can authenticate in these ways:

  • By Exchange ActiveSync through the Firebox for mobile email applications
  • By HTTP over TLS through the Firebox for select email applications
  • By MFA through the Firebox to access internal web applications

For security, we recommend that custom enterprise web applications use the Access Portal, which provides a layer of authentication and authorization based on the options above.

Forward Access Portal Credentials

With reverse proxy actions, there is an option to forward Access Portal credentials. Enable this option to automatically log in users to web applications with their Access Portal credentials.

When this feature is enabled, the Access Portal caches user credentials. The cached credentials are sent to the web app in an HTTP Authorization header over TLS.

To log in to web applications with Access Portal credentials, the web application must accept HTTP-based authentication. The Access Portal and the web application must also share the same authentication domain.

Do not enable the option to forward Access Portal credentials in these cases:

  • Users log in to the Access Portal with SAML
  • Users log in to the Access Portal with a different authentication domain than the web app (for example, with Firebox-DB)

Enable Reverse Proxy

To enable reverse proxy functionality from Web UI or Policy Manager:

  1. Select Subscription Services > Access Portal.
  2. If you have not already done so, select Enable Access Portal.
  3. Select the Reverse Proxy tab.
  4. Select Enable Reverse Proxy.

After you enable reverse proxy functionality, you must add one or more reverse proxy actions.

Add Reverse Proxy Actions

You can add a reverse proxy action with a wizard or you can skip the wizard to manually configure an action.

To configure Exchange services, we recommend the wizard because it includes predefined configurations for Exchange-based services.

Add Reverse Proxy Actions with the Wizard

Manually Add Reverse Proxy Actions

See Also

Configure the Access Portal

SSL/TLS Settings Precedence and Inheritance

Customize the Access Portal Design
