Reverse Proxy for the Access Portal

In Fireware v12.5 or higher, you can configure reverse proxy actions in the Access Portal configuration. With reverse proxies, remote users can securely connect to internal web applications and Microsoft Exchange services without a VPN client. The reverse proxy forwards HTTP traffic from external networks to Exchange servers or other web applications on internal networks that are behind a Firebox.

For example, you can configure reverse proxy actions so remote users can connect to common enterprise web applications. Apps must use HTML, HTML5, or JavaScript. Browsers must support TLS (we recommend TLS 1.2 or higher).

We recommend that you limit the number of concurrent RDP connections based on the RAM allocated to each Firebox. Each RDP or SSH session consumes approximately 15 MB of RAM.

Proxy buffering is enabled by default for this feature. You can use the Fireware command line interface (CLI) to disable proxy buffering.

You can also configure a reverse proxy action for Microsoft Exchange. To connect to Exchange services, remote users can connect to an external URL with any of these methods:

  • Mobile devices with Microsoft mail clients (through ActiveSync)
  • Microsoft Outlook
  • Microsoft Outlook Web Access
  • Microsoft Outlook Web Access through the Access Portal (with automatic sign-in)

Requirements

When you configure reverse proxy actions for internal web applications, be aware of these requirements:

  • You must have an FQDN for the Access Portal and you must log in to the Access Portal with the FQDN (not the IP address)
  • Each internal web application must have an FQDN that is in the same domain as the Access Portal (for example, if the FQDN of the Access Portal is portal.example.com, the web application should be value.example.com)
  • You cannot configure the same URL for a web application and a reverse proxy action
  • When you add a URL path action, for Client Authentication you must select Access Portal (not HTTP Basic)
  • If a web application uses HTTPS, the CA certificates in the trust chain must be stored on the Firebox or you must select the Trust Certificate option for the reverse proxy action

To avoid certificate warnings on client side, the Firebox web certificate should include the host names of your web applications as subject alternative names or use a wildcard host name such as *.example.com as the common name.

Authentication and Access to Web Apps

To access internal web applications, users can authenticate in these ways:

  • By Exchange ActiveSync through the Firebox for mobile email applications
  • By HTTP over TLS through the Firebox for select email applications
  • By MFA through the Firebox to access internal web applications

When you configure a reverse proxy for a custom web application, we recommend that you specify the Authentication with Access Portal option and select to add the URL as an Access Portal application. With this configuration, users must connect to the Access Portal to connect to the application. The Access Portal provides a layer of authentication and authorization.

Forward Access Portal Credentials

With reverse proxy actions, there is an option to forward Access Portal credentials. Enable this option to automatically log in users to web applications with their Access Portal credentials.

When this feature is enabled, the Access Portal caches user credentials. The cached credentials are sent to the web app with HTTP authorization header over TLS.

To log in to web applications with Access Portal credentials, the web application must accept HTTP-based authentication. The Access Portal and the web application must also share the same authentication domain.

Do not enable the option to forward Access Portal credentials in these cases:

  • Users log in to the Access Portal with SAML
  • Users log in to the Access Portal with a different authentication domain than the web app (for example, with Firebox-DB)

Enable Reverse Proxy

To enable reverse proxy functionality from Web UI or Policy Manager:

  1. Select Subscription Services > Access Portal.
  2. If you have not already done so, select Enable Access Portal.
  3. Select the Reverse Proxy tab.
  4. Select Enable Reverse Proxy.

After you enable reverse proxy functionality, you must add one or more reverse proxy actions.

Add Reverse Proxy Actions

To add a reverse proxy action, you must specify an external URL and an internal URL for each internal web server you want to access from the Access Portal. The external URL resolves to the external IP address of the Firebox and the internal URL resolves to the IP address of the internal web server. When you try to connect to an internal web server from the Access Portal, the browser uses the external URL to match the inbound WatchGuard SSLVPN policy of the Firebox and connect to it. Then, the Firebox uses its configured DNS Servers to resolve the internal URL to the internal IP address and forwards the connection to the IP address that resolved for the internal URL.

You can add a reverse proxy action with a wizard or you can skip the wizard to manually configure an action.

To configure Exchange services, we recommend that you use the wizard because it includes predefined configurations for Exchange-based services.

Add Reverse Proxy Actions with the Wizard

Manually Add Reverse Proxy Actions

URL Path Actions

URL Path Actions determine the necessary URL translation that happens when a user navigates to the Access Portal URL and successfully authenticates.

The default Path Action (from “/” to “/”) allows anything from the external host to the internal host. You might add a URL Path Action if you only want to expose specific paths.

When you add a URL path action:

  • We recommend that the From path and the To path match
  • Paths are case sensitive
  • If the path is a virtual directory on the web server, we recommend that the path end with a forward slash (/)
  • Paths followed by a query string should not end with a forward slash (/)
  • For internal web applications, for Client Authentication you must select Access Portal

Reverse proxy actions for the Access Portal do not support URL redirection.

Related Topics

Configure the Access Portal

SSL/TLS Settings Precedence and Inheritance

Customize the Access Portal Design