Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

PCS as Reverse proxy with authentification only access problem

louis
louis
Occasional Contributor
‎04-16-2019 02:37:AM
‎04-16-2019 02:37:AM

PCS as Reverse proxy with authentification only access problem

Hi Everybody,


I got an issue on my PCS. I want to set my PSA3000 as a reverse proxy using the sign in policy "Authentification Only Access". I explain my case :

I got three applications with webserver in my DMZ, all have their own certificate :

www.mydomain.fr (used by internal port)

myapp1.mydomain.fr (used by virtual port 1)

myapp2.mydomain.fr (used by virtual port 2)

Thoses three DNS name are redirected toward a unique external public IP Adress.

My firewall in front of the PCS redirected all traffic "https://*.mydomain.fr" to my external public IP adress toward the internal port of my PCS. In this case, my setting of sign in policy( Auhtorization only access) works because I 'm redirected to my app1 BUT I got an certificate warning. I understand that is because the internal port use the certificate of "www.mydomain.fr" and not the app1 one.

So, I set the virtual port with their certificate on the PCS. On my firewall, I redirect a port I choose like 4445 for example and then, the user try to connect to "https://myapp1.mydomain.fr:4446", my firewall do the NAT job and redirect this to the virtual port 1 so with his certificate I got no warning this time but the PCS doesn't do the job and don't redirect to my app1. Do you know why ? Or having some solutions ?

Thank's in advance.

0 Kudos
Reply
1 REPLY 1
zanyterp
Moderator
Moderator
‎04-18-2019 06:57:PM
‎04-18-2019 06:57:PM

Re: PCS as Reverse proxy with authentification only access problem

Unfortunately, the PCS web server is able to handle inbound traffic only on port 443 (except in the special case of passthrough proxy using a port between 11000-11099).
am i correctly interpreting your note to mean that the primary certificate is neither a wildcard nor SNI-enabled for the three application/domains needed?
0 Kudos
Reply
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.