Reverse Proxy for the Access Portal
In Fireware v12.5 or higher, you can configure reverse proxy actions in the Access Portal configuration. With reverse proxies, remote users can securely connect to internal web applications and Microsoft Exchange services without a VPN client. The reverse proxy forwards HTTP traffic from external networks to Exchange servers or other web applications on internal networks that are behind a Firebox.
For example, you can configure reverse proxy actions so remote users can connect to common enterprise web applications. Apps must use HTML, HTML5, or JavaScript. Browsers must support TLS (we recommend TLS 1.2 or higher).
We recommend that you limit the number of concurrent RDP connections based on the RAM allocated to each Firebox. Each RDP or SSH session consumes approximately 15 MB of RAM.
Proxy buffering is enabled by default for this feature. You can use the Fireware command line interface (CLI) to disable proxy buffering.
You can also configure a reverse proxy action for Microsoft Exchange. To connect to Exchange services, remote users can connect to an external URL with any of these methods:
- Mobile devices with Microsoft mail clients (through ActiveSync)
- Microsoft Outlook
- Microsoft Outlook Web Access
- Microsoft Outlook Web Access through the Access Portal (with automatic sign-in)
Requirements
When you configure reverse proxy actions for internal web applications, be aware of these requirements:
- You must have an FQDN for the Access Portal and you must log in to the Access Portal with the FQDN (not the IP address)
- Each internal web application must have an FQDN that is in the same domain as the Access Portal (for example, if the FQDN of the Access Portal is portal.example.com, the web application should be value.example.com)
- You cannot configure the same URL for a web application and a reverse proxy action
- When you add a URL path action, for Client Authentication you must select Access Portal (not HTTP Basic)
- If a web application uses HTTPS, the CA certificates in the trust chain must be stored on the Firebox or you must select the Trust Certificate option for the reverse proxy action
To avoid certificate warnings on the client side, the Firebox web certificate should include the host names of your web applications as subject alternative names or use a wildcard host name such as *.example.com as the common name.
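The host name and certificate requirements above can be checked before you add any reverse proxy actions. This is an added example, not WatchGuard code: the host names are constructed, and it assumes that "same domain" means the same parent domain as the portal and that a wildcard certificate name covers exactly one label.

```python
# Added example: check Access Portal host name and certificate requirements.
# All host names are constructed sample values.
import ipaddress

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def labels(name):
    return name.lower().rstrip(".").split(".")

def cert_covers(cert_names, host):
    """A wildcard is honoured only as the whole left-most label and stands for
    exactly one label, so *.example.com does not cover a.b.example.com."""
    h = labels(host)
    for name in cert_names:
        p = labels(name)
        if p == h or (p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]):
            return True
    return False

def check_hosts(portal_fqdn, app_hosts, cert_names):
    """Return {host: [problems]} for the portal and each application host."""
    report = {}
    parent = labels(portal_fqdn)[1:]          # assumption: "same domain" = same parent
    for host in [portal_fqdn] + list(app_hosts):
        problems = []
        if is_ip(host) or len(labels(host)) < 2:
            problems.append("not an FQDN")
        else:
            if labels(host)[1:] != parent:
                problems.append("not in the portal's domain")
            if not cert_covers(cert_names, host):
                problems.append("not covered by the Firebox web certificate")
        report[host] = problems
    return report

# Constructed sample: one wildcard certificate and three application hosts.
SAMPLE = check_hosts(
    "portal.example.com",
    ["wiki.example.com", "crm.corp.example.com", "10.0.1.20"],
    ["portal.example.com", "*.example.com"],
)

if __name__ == "__main__":
    for host, problems in SAMPLE.items():
        print(host, "OK" if not problems else "; ".join(problems))
```

The second application host fails both checks because it sits one label deeper than the wildcard reaches.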
Authentication and Access to Web Apps
To access internal web applications, users can authenticate in these ways:
- By Exchange ActiveSync through the Firebox for mobile email applications
- By HTTP over TLS through the Firebox for select email applications
- By MFA through the Firebox to access internal web applications
When you configure a reverse proxy for a custom web application, we recommend that you specify the Authentication with Access Portal option and select to add the URL as an Access Portal application. With this configuration, users must connect to the Access Portal to connect to the application. The Access Portal provides a layer of authentication and authorization.
Forward Access Portal Credentials
With reverse proxy actions, there is an option to forward Access Portal credentials. Enable this option to automatically log in users to web applications with their Access Portal credentials.
When this feature is enabled, the Access Portal caches user credentials. The cached credentials are sent to the web app in an HTTP Authorization header over TLS.
To log in to web applications with Access Portal credentials, the web application must accept HTTP-based authentication. The Access Portal and the web application must also share the same authentication domain.
Do not enable the option to forward Access Portal credentials in these cases:
- Users log in to the Access Portal with SAML
- Users log in to the Access Portal with a different authentication domain than the web app (for example, with Firebox-DB)
Enable Reverse Proxy
To enable reverse proxy functionality from Web UI or Policy Manager:
- Select Subscription Services > Access Portal.
- If you have not already done so, select Enable Access Portal.
- Select the Reverse Proxy tab.
- Select Enable Reverse Proxy.
After you enable reverse proxy functionality, you must add one or more reverse proxy actions.
Add Reverse Proxy Actions
To add a reverse proxy action, you must specify an external URL and an internal URL for each internal web server you want to access from the Access Portal. The external URL resolves to the external IP address of the Firebox and the internal URL resolves to the IP address of the internal web server. When you try to connect to an internal web server from the Access Portal, the browser uses the external URL to match the inbound WatchGuard SSLVPN policy of the Firebox and connect to it. Then, the Firebox uses its configured DNS Servers to resolve the internal URL to the internal IP address and forwards the connection to the IP address that resolved for the internal URL.
You can add a reverse proxy action with a wizard or you can skip the wizard to manually configure an action.
To configure Exchange services, we recommend that you use the wizard because it includes predefined configurations for Exchange-based services.
Add Reverse Proxy Actions with the Wizard
To add a reverse proxy action for Microsoft Exchange:
- Select Subscription Services > Access Portal.
- Select the Reverse Proxy tab.
- Click Add.
- Click Next to continue with the wizard.
- On the Reverse Proxy Action page, select Predefined set of Reverse Proxy Actions for.
- From the drop-down list, select Microsoft Exchange.
- Click Next.
- In the Internal URL text box, type the internal host URL for Microsoft Exchange Server web applications.
- In the Email Domain text box, type your Microsoft Exchange email domain.
- Select whether the web service uses a self-signed certificate.
- Click Next.
- In the External URL text box, type the URL that remote users will use to connect to this service.
- If the pre-populated value in the Autodiscover URL text box is not correct, type the URL that remote clients will use to discover this service.
- Click Next.
- Select whether to add Outlook Web Access as a web application in the Access Portal.
- Select whether to forward credentials from the Access Portal to Outlook Web Access. Enable this option to automatically log users in to select web applications with their Access Portal credentials.
To log in to select web applications with Access Portal credentials, the web application must accept HTTP-based authentication, and the Access Portal and the web application must share the same authentication domain.
- Click Next.
- Click Finish. You can select to edit the action after the wizard closes. You might do this if you want to specify a URL Path Action. For more information, go to URL Path Actions.
URL Path Actions determine the necessary URL translation that happens when a user navigates to the Access Portal URL and successfully authenticates.
- On the Exchange server, you must enable basic authentication for the virtual paths that are used: Autodiscover, EWS, and mapi.
To add a simple reverse proxy action:
- Select Subscription Services > Access Portal.
- Select the Reverse Proxy tab.
- Click Add.
- Click Next to continue with the wizard.
- Select Add Simple Reverse Proxy Action.
- Click Next.
- In the External URL text box, specify the external URL for user connections.
- Click Next.
- In the Internal URL text box, specify the internal URL of the server.
- Select whether the web service uses a self-signed certificate.
- Click Next.
- Select whether to authenticate users with the Access Portal or HTTP Basic.
- Select whether to add this URL as a web application in the Access Portal.
- Click Next.
- If you choose not to add this URL as a web application in the Access Portal, type a name and description for the URL mapping action.
- If you choose to add this URL as a web application in the Access Portal, you must specify:
  - App name
  - App description
  - Custom icon (optional)
  - Whether to forward credentials from the Access Portal to the URL
  To sign in to select web applications with Access Portal credentials, the web application must accept HTTP-based authentication, and the Access Portal and the web application must share the same authentication domain.
- Click Next.
- Click Finish. You can select to edit the action after the wizard closes. You might do this if you want to specify a URL Path Action. For more information, go to URL Path Actions.
URL Path Actions determine the necessary URL translation that happens when a user navigates to the Access Portal URL and successfully authenticates. The default Path Action (from “/” to “/”) allows anything from the external host to the internal host.
Manually Add Reverse Proxy Actions
- Select Subscription Services > Access Portal.
- Select the Reverse Proxy tab.
- Click Add.
- Click Skip to skip the wizard and manually add a reverse proxy action.
- Type a Name and a Description for your reverse proxy action.
- In the External URL text box, type the URL that remote users will use to access this web service.
- In the Internal URL text box, type the internal URL of the web service.
- If the service uses a self-signed certificate and you trust the connection and the server, select the Trust Certificate check box.
- (Optional) To add a URL Path Action, in the URL Path Action section, click Add. You might do this if you only want to expose specific paths. For more information, go to URL Path Actions.
URL Path Actions determine the necessary URL translation that happens when a user navigates to the Access Portal URL and successfully authenticates. The default Path Action (from “/” to “/”) allows anything from the external host to the internal host.
- In the From and the To text boxes, type your URL path. Paths are case sensitive. We recommend these best practices:
  - We recommend that the From path and the To path match.
  - If the path is a virtual directory on the web server, we recommend that the path end with a forward slash (/). Paths followed by a query string should not end with a forward slash (/).
- Select whether to forward credentials from the Access Portal to the web application. Enable this option to automatically log users in to select web applications with their Access Portal credentials.
  To log in to select web applications with Access Portal credentials, the web application must accept HTTP-based authentication, and the Access Portal and the web application must share the same authentication domain.
- Click OK to add the URL path action.
- Click OK to add your reverse proxy action.
URL Path Actions
URL Path Actions determine the necessary URL translation that happens when a user navigates to the Access Portal URL and successfully authenticates.
The default Path Action (from “/” to “/”) allows anything from the external host to the internal host. You might add a URL Path Action if you only want to expose specific paths.
When you add a URL path action:
- We recommend that the From path and the To path match
- Paths are case sensitive
- If the path is a virtual directory on the web server, we recommend that the path end with a forward slash (/)
- Paths followed by a query string should not end with a forward slash (/)
- For internal web applications, for Client Authentication you must select Access Portal
Reverse proxy actions for the Access Portal do not support URL redirection.
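The URL path action rules above, together with the limits on credential forwarding listed under Forward Access Portal Credentials, can be applied to a planned configuration before it is entered. This is an added example, not WatchGuard code: the dict layout, field names, rule names and sample actions are hypothetical and do not reflect any Fireware export format.

```python
# Added example: review planned URL path actions against the rules on this page.
# The dict layout and field names are hypothetical, not a Fireware export format.

def lint_path_action(action, portal_login, portal_auth_domain):
    """Return the rule names that one planned URL path action violates."""
    findings = []
    src, dst = action["from"], action["to"]

    if src == "/" and dst == "/":
        findings.append("default-path")      # exposes every path on the internal host
    if src != dst:
        # Paths are case sensitive, so /Wiki/ and /wiki/ are different paths.
        findings.append("case-only-diff" if src.lower() == dst.lower() else "from-to-mismatch")

    for path in dict.fromkeys((src, dst)):   # check each distinct path once
        if action["kind"] == "directory" and not path.endswith("/"):
            findings.append("directory-needs-slash")
        if action["kind"] == "query" and path.endswith("/"):
            findings.append("query-path-has-slash")

    if action["client_auth"] != "Access Portal":
        findings.append("client-auth")       # internal web apps must use Access Portal

    if action["forward_credentials"]:
        if portal_login == "SAML":
            findings.append("forward-with-saml")
        elif portal_auth_domain != action["app_auth_domain"]:
            findings.append("auth-domain-differs")
    return findings

# Constructed sample actions.
SAMPLE_ACTIONS = [
    {"from": "/", "to": "/", "kind": "directory", "client_auth": "Access Portal",
     "forward_credentials": False, "app_auth_domain": "example.com"},
    {"from": "/Wiki/", "to": "/wiki/", "kind": "directory", "client_auth": "HTTP Basic",
     "forward_credentials": True, "app_auth_domain": "example.com"},
    {"from": "/reports/search/", "to": "/reports/search/", "kind": "query",
     "client_auth": "Access Portal", "forward_credentials": True,
     "app_auth_domain": "example.com"},
]

if __name__ == "__main__":
    for a in SAMPLE_ACTIONS:
        print(a["from"], "->", a["to"], lint_path_action(a, "Firebox-DB", "Firebox-DB"))
```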
To add a URL Path Action to an existing reverse proxy action:
- Select Subscription Services > Access Portal.
- Select the Reverse Proxy tab.
- Select the reverse proxy action you want to add a URL Path Action to and click Edit.
- In the URL Path Action section, click Add.
- In the From and the To text boxes, type your URL path. Paths are case sensitive. We recommend that the From path and the To path match.
If the path is a virtual directory on the web server, we recommend that the path end with a forward slash (/). Paths followed by a query string should not end with a forward slash (/).
- Select whether to forward credentials from the Access Portal to the web application. Enable this option to automatically log users in to select web applications with their Access Portal credentials.
To log in to select web applications with Access Portal credentials, the web application must accept HTTP-based authentication, and the Access Portal and the web application must share the same authentication domain.
- Click OK to add the URL path action.
- Click OK to save the changes to your reverse proxy action.