
Deep URL Bookmark and SAM 'no rewrite' for base URL

SOLVED
elevated-pulse_
Occasional Contributor


If you've configured a 'deep' URL bookmark, e.g., dev.example.com/abc/xyz/123, and have configured a web application resource profile using SAM 'no rewrite,' will the bookmark URL link get wrapped in the SAM tunnel, so the users will get to the 'deep' link? My goal is to have the users click the 'deep' URL bookmark, use WSAM, and not be rewritten but redirected to the 'deep' URL.

5 REPLIES
braker_
Frequent Contributor

Re: Deep URL Bookmark and SAM 'no rewrite' for base URL

Using no rewrite with a bookmark simply passes the real target URL directly to the user's browser without any modifications. It is essentially the same as if the user opened up a new browser window and simply entered the target URL manually.

SAM creates an application tunnel that captures any traffic for a specific host. This happens regardless of what client application is used or how the hostname is selected (manually entered, existing browser favorite, etc.).

Used together, the bookmark passes the real target URL to the user's browser; when the browser attempts to connect to the target URL, SAM captures the traffic and redirects it down the tunnel.

So yes, creating a web application resource with 'no rewriting (use J/WSAM)' allows you to present an unmodified URL to the user that connects to an internal resource using SAM. From the user's perspective they are interacting directly with the target application. You could also independently create a rewriting policy and a SAM policy manually to the same effect, as long as the namespace matches, as these are really two separate processes.

Just be aware that when you use no rewriting, that page is fully outside the control of the rewriting engine. Any pages or sites a user navigates to from that initial page are also not rewritten.

elevated-pulse_
Occasional Contributor

Re: Deep URL Bookmark and SAM 'no rewrite' for base URL

Booker,

Much appreciated.

Just to clarify your statement, "Just be aware that when you use no rewriting, that page is fully outside the control of the rewriting engine. Any pages or sites a user navigates to from that initial page are also not rewritten.", do you mean any links or other page dependencies will not be rewritten and must also be added to the 'No rewrite' profile, or is your concern security based?

braker_
Frequent Contributor

Re: Deep URL Bookmark and SAM 'no rewrite' for base URL

Once the user selects a bookmark that has a no rewrite rule, the content is essentially outside of the control of the VPN server. If the user navigates from the initial page to another site, the VPN server has no way to take back control and start rewriting again. SAM can capture the traffic if the other site is part of a SAM policy. A VPN tunnel can route the traffic if the other site is part of a VPN policy. If neither of these is the case, and the other site is not externally accessible, the user will have no access.

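Added example, not part of the original thread and not vendor code: a small audit that lists which hosts referenced by a no-rewrite landing page fall outside a SAM host list, since those are the links and dependencies the reply above says will only work if some other policy or external access covers them. The host list, the fnmatch-style wildcard matching and the sample page are all constructed assumptions, not the appliance's policy syntax.

```python
from fnmatch import fnmatch
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical SAM host list; fnmatch-style wildcards are an assumption,
# not the appliance's own policy syntax.
SAM_HOSTS = ["dev.example.com", "*.apps.example.com"]

# Constructed landing page standing in for the 'deep' bookmark target.
BASE_URL = "http://dev.example.com/abc/xyz/123"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.apps.example.com/js/app.js"></script>
<img src="//img.example.com/logo.png">
<a href="next/page">Next</a>
<a href="http://wiki.example.com/help">Help</a>
<a href="mailto:admin@example.com">Mail</a>
"""

class LinkHosts(HTMLParser):
    """Collect the hostname of every href/src the browser may request."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                # Resolve relative and scheme-relative URLs as a browser would.
                parts = urlsplit(urljoin(self.base_url, value))
                if parts.scheme in ("http", "https") and parts.hostname:
                    self.hosts.add(parts.hostname.lower())

def sam_coverage(html, base_url, sam_hosts):
    """Return (covered, uncovered) hostnames referenced by the page."""
    parser = LinkHosts(base_url)
    parser.feed(html)
    covered = {h for h in parser.hosts
               if any(fnmatch(h, p.lower()) for p in sam_hosts)}
    return sorted(covered), sorted(parser.hosts - covered)

if __name__ == "__main__":
    covered, uncovered = sam_coverage(SAMPLE_HTML, BASE_URL, SAM_HOSTS)
    print("matched by SAM host list:", covered)
    print("not matched (needs SAM/VPN policy or external access):", uncovered)
```
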

elevated-pulse_
Occasional Contributor

Re: Deep URL Bookmark and SAM 'no rewrite' for base URL

Booker,

I commend your intricate knowledge, mastery and articulation of this very powerful, yet very complex device. I have the Syngress book for this device and while it's well written, it assumes a broad and fairly deep understanding of the complexities of remote access. Wish Juniper had their own VoDs for this device explaining in detail how rewriting and the thin-clients work independently and in synergy for complex scenarios.

Thanks for the insight and I look forward to learning more from you.

CaseyH_
Contributor

Re: Deep URL Bookmark and SAM 'no rewrite' for base URL


@elevated-pulse wrote:

Wish Juniper had their own VoDs for this device explaining in detail how rewriting and the thin-clients work independently and in synergy for complex scenarios.


Hopefully Pulse Secure will introduce something like this. I agree it would have a huge value add.