Protecting VIP Enterprise Gateway IDP portals.
A reverse proxy server is a type of proxy server that inspects, transforms, and routes web requests before they reach your web servers. It retrieves the resources on behalf of a client from one or more servers and returns those requests to the client as though originating from the reverse proxy itself. This increases security by cloaking your network topology and back-end servers by removing the need for direct internet access to them. Access to the VIP SSP, My VIP, or the VIP Manager IdP should always be protected by a proxy.
The VIP Self-Service, My VIP, and VIP Manager portals are hosted in the VIP cloud. The portals allow end-users or your helpdesk administrators to manage users and tokens/credentials. Your organization acts as the IdP (Identity Provider) through the VIP Enterprise Gateway for controlling access. If your enterprise decides to enable remote users to access one of these portals from outside your enterprise network to perform tasks, such as registering their credential, a reverse proxy placed in your enterprise's perimeter network can proxy requests to the IdP portals hosted inside your enterprise network and provide protection and security for your enterprise network.
If a VIP administrator decides users can only access these portals from within an enterprise network, place the VIP Enterprise Gateway IdP in the back-office network. This decision means remote users cannot perform VIP Self Service tasks without being physically connected to the enterprise network.
Options are available for accessing the VIP SSP, My VIP, and VIP Manager. For example, a connector to the My VIP, VIP SSP, and VIP Manager can be added to your enterprise single sign-on (SSO) solution. When a 3rd-party is the IdP, the SSP/My VIP is the SP. Refer to the Symantec VIP Third-Party Configuration Guide for details
Prior versions of the VIP EG included a VIP SSP IdP Proxy. This has been removed from the current VIP EG and is no longer a supported feature.
Sample reverse proxy layout:
The following are general instructions for configuring an Apache Squid proxy for use with the Symantec VIP SSP IdP or My VIP. Please refer to http://www.squid-cache.org/ for additional assistance.
2. ENABLE SSL TO SQUID PROXY
3. CREATE A WILDCARD SSL CERTIFICATE WITH OPENSSL:
[demoCA]#openssl req -new -x509 -keyout cert.pem -out cert.pem -days 365 -nodes
Generating a 2048 bit RSA private key
writing new private key to 'cert.pem'
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) :India
Locality Name (eg, city) [Default City]:Bangalore
Organization Name (eg, company) [Default Company Ltd]:Symantec
Organizational Unit Name (eg, section) :EG
Common Name (eg, your name or your server's hostname) :*.secureproxy.com
Email Address :[email protected]
Add each SSP site in the squid Configuration File. By default, this file is located here: /etc/squid/squid.conf
cache_peer <EG SSP IDP Hostname> parent <SSP IDP Port(8233)> 0 no-query originserver ssl
acl <sites_server_1> dstdomain websitea.secureproxy.com
cache_peer_access <websitename> allow <sites_server_1>
http_access allow <sites_server_1>
cache_peer vip4-rhel65-p1-ap parent 8233 0 no-query originserver ssl sslflags=DONT_VERIFY_PEER name=websitea
acl sites_server_1 dstdomain websitea.secureproxy.com
cache_peer_access websitea allow sites_server_1
http_access allow sites_server_1
sslflags=DONT_VERIFY_PEERis useful if using a self-signed cert.
4. RESTART THE SQUID REVERSE PROXY
5. CONFIGURE THE VIP ENTERPRISE GATEWAY
6. SETUP COMPLETE! TEST THE REVERSE PROXY SETUP