
How to configure a reverse proxy to secure access to VIP Enterprise Gateway IDP portals


Article ID: 150611


Products

VIP Service

Issue/Introduction

Protecting VIP Enterprise Gateway IDP portals.

Resolution

What is a reverse proxy?

A reverse proxy server is a type of proxy server that inspects, transforms, and routes web requests before they reach your web servers. It retrieves resources from one or more back-end servers on behalf of a client and returns them to the client as though they originated from the reverse proxy itself. This increases security by cloaking your network topology and back-end servers, removing the need for direct internet access to them. Access to the VIP SSP, My VIP, or the VIP Manager IdP should always be protected by a proxy.

Why should I use a reverse proxy with my VIP Enterprise Gateway (EG)? 

The VIP Self-Service, My VIP, and VIP Manager portals are hosted in the VIP cloud. The portals allow end-users or your helpdesk administrators to manage users and tokens/credentials. Your organization acts as the IdP (Identity Provider) through the VIP Enterprise Gateway for controlling access. If your enterprise decides to enable remote users to access one of these portals from outside your enterprise network to perform tasks, such as registering their credential, a reverse proxy placed in your enterprise's perimeter network can proxy requests to the IdP portals hosted inside your enterprise network and provide protection and security for your enterprise network. 

If a VIP administrator decides users can only access these portals from within an enterprise network, place the VIP Enterprise Gateway IdP in the back-office network. This decision means remote users cannot perform VIP Self Service tasks without being physically connected to the enterprise network. 

Options are available for accessing the VIP SSP, My VIP, and VIP Manager. For example, a connector to My VIP, the VIP SSP, and VIP Manager can be added to your enterprise single sign-on (SSO) solution. When a third party is the IdP, the SSP/My VIP is the SP. Refer to the Symantec VIP Third-Party Configuration Guide for details.

Prior versions of the VIP EG included a VIP SSP IdP Proxy. This has been removed from the current VIP EG and is no longer a supported feature.  

 

Sample reverse proxy layout:

The following are general instructions for configuring an Apache Squid proxy for use with the Symantec VIP SSP IdP or My VIP. Please refer to http://www.squid-cache.org/ for additional assistance. 

1. PRE-REQUISITES:

  • An active Apache Squid installation
  • VIP Enterprise Gateway with the SSP IDP component configured
     

2. ENABLE SSL TO SQUID PROXY

 

3. CREATE A WILDCARD SSL CERTIFICATE WITH OPENSSL:

  • The wildcard certificate is created for your domain (e.g., *.secureproxy.com)
  • Name the domain in-line as the certificate is created (e.g., *.secureproxy.com)

[demoCA]#openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
Generating a 2048 bit RSA private key
.......................................+++
..................+++
writing new private key to 'cert.pem'
-----

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:India
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:Symantec
Organizational Unit Name (eg, section) []:EG
Common Name (eg, your name or your server's hostname) []:*.secureproxy.com
Email Address []:[email protected]

  • Add each SSP site in the squid Configuration File. By default, this file is located here: /etc/squid/squid.conf
    cache_peer <EG SSP IDP Hostname>  parent <SSP IDP Port(8233)> 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER  name=<websitename>
    acl <sites_server_1> dstdomain websitea.secureproxy.com
    cache_peer_access <websitename> allow <sites_server_1>
    http_access allow <sites_server_1>

    Example:
    cache_peer vip4-rhel65-p1-ap  parent 8233 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER  name=websitea
    acl sites_server_1 dstdomain websitea.secureproxy.com
    cache_peer_access websitea allow sites_server_1
    http_access allow sites_server_1

  • If SSL is used, sslflags=DONT_VERIFY_PEER is useful when the Enterprise Gateway presents a self-signed certificate (note that it disables verification of the EG certificate on the proxy-to-EG connection).
  • The dstdomain name should be in the same domain as the wildcard certificate created earlier.
  • websitea.secureproxy.com is chosen as the example host name; it is covered by the wildcard certificate created for *.secureproxy.com. Any dstdomain of the form <name>.secureproxy.com can be chosen.
       
  • A sample squid.conf with minimal configuration changes is attached to this article. Notice that the HTTPS reverse proxy is set. 
  • The configurations must appear at the top of squid.conf above all other forward-proxy configurations (e.g., http_access, etc.). Otherwise, the standard proxy access rules may block the viewing of the accelerated site.
  • Check that the Enterprise Gateway hostname can be resolved by the Squid reverse proxy.
  • Ensure dstdomain is within the same domain as the wildcard certificate.

4. RESTART THE SQUID REVERSE PROXY

  • Sample command for restarting the Squid Reverse Proxy:
    service squid restart

5. CONFIGURE THE VIP ENTERPRISE GATEWAY

  • Ensure the dstdomain set in Squid (e.g., websitea.secureproxy.com) can be resolved by the VIP Enterprise Gateway.
  • Ensure the load balancer URL in the VIP Enterprise Gateway SSP configuration page is set to dstdomain (e.g., https://websitea.secureproxy.com).

6. SETUP COMPLETE! TEST THE REVERSE PROXY SETUP

  • The SSP Login URL will be https://dstdomain (e.g., https://websitea.secureproxy.com)
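As an added example (not part of this article or its attached squid.conf), a small Python lint that applies the checks from steps 3 and 5 to a constructed squid.conf fragment: the reverse-proxy rules must precede every forward-proxy http_access rule, each routed dstdomain must be covered by the wildcard certificate Squid presents, and sslflags=DONT_VERIFY_PEER is flagged because it leaves the proxy-to-EG TLS connection unauthenticated. Hostnames and paths in the sample are constructed; the rules are checked on the directives shown in the article only.

```python
# Constructed squid.conf fragment modelled on the article's example; not the attached file.
SAMPLE_CONF = """\
https_port 443 accel cert=/etc/squid/cert.pem key=/etc/squid/cert.pem
cache_peer vip4-rhel65-p1-ap parent 8233 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=websitea
acl sites_server_1 dstdomain websitea.secureproxy.com
cache_peer_access websitea allow sites_server_1
http_access allow sites_server_1
http_access deny all
"""

def wildcard_covers(wildcard_cn: str, host: str) -> bool:
    """True when a certificate for *.example.com covers host (same suffix, exactly one extra label)."""
    host, wildcard_cn = host.lower(), wildcard_cn.lower()
    if not wildcard_cn.startswith("*."):
        return host == wildcard_cn
    suffix = wildcard_cn[1:]                      # ".secureproxy.com"
    label = host[:-len(suffix)] if host.endswith(suffix) else ""
    return bool(label) and "." not in label

def lint_reverse_proxy(conf: str, wildcard_cn: str) -> list[str]:
    """Return findings for the accelerator stanza; an empty list means it passes the article's rules."""
    lines = [t for t in (l.split("#", 1)[0].split() for l in conf.splitlines()) if t]
    peers, routed, accel_acls, acl_domains, findings = set(), set(), set(), {}, []
    for t in lines:
        if t[0] == "cache_peer" and "originserver" in t:
            name = next((o[5:] for o in t if o.startswith("name=")), t[1])
            peers.add(name)
            if "sslflags=DONT_VERIFY_PEER" in t:   # proxy-to-EG TLS is unauthenticated
                findings.append(f"{name}: peer certificate not verified; acceptable only for a self-signed EG cert")
        elif t[0] == "acl" and len(t) >= 4 and t[2] == "dstdomain":
            acl_domains[t[1]] = t[3:]
        elif t[0] == "cache_peer_access" and len(t) >= 4 and t[2] == "allow":
            routed.add(t[1])
            accel_acls.add(t[3])
    # Reverse-proxy http_access rules must precede every forward-proxy http_access rule.
    access = [t for t in lines if t[0] == "http_access"]
    accel_idx = [i for i, t in enumerate(access) if t[-1] in accel_acls]
    other_idx = [i for i, t in enumerate(access) if t[-1] not in accel_acls]
    if accel_idx and other_idx and min(other_idx) < max(accel_idx):
        findings.append("forward-proxy http_access rules appear before the reverse-proxy rules")
    # Every routed dstdomain must be covered by the wildcard certificate Squid presents.
    for acl in sorted(accel_acls):
        for dom in acl_domains.get(acl, []):
            if not wildcard_covers(wildcard_cn, dom):
                findings.append(f"{acl}: {dom} is not covered by {wildcard_cn}")
    for peer in sorted(peers - routed):
        findings.append(f"{peer}: originserver peer has no cache_peer_access rule")
    return findings
```

Running `lint_reverse_proxy(SAMPLE_CONF, "*.secureproxy.com")` reports only the DONT_VERIFY_PEER finding; moving a forward-proxy http_access line above the accelerator rules, or pointing dstdomain at another domain, adds a finding for each.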

 

Attachments

squid.conf