cancel
Showing results for 
Search instead for 
Did you mean: 

PCS behind reverse proxy

tfboy
New Contributor

PCS behind reverse proxy

We have a PCS that has been accessed directly via https. That's OK.

Now, we want to access it via a reverse proxy in front (for additional security reasons) with a DNS entry pointing to the reverse proxy's IP that then forwards to the PCS's real external-facing IP address.

 

This has been set up, however, it does not load the page correctly, we get the generic Pulse Secure header with a "The page you requested could not be found." message instead of the customised home page.

 

If I append the /admin at the end of the URL, this works fine and I'm brought to the admin login page.

If I access the PCS directly via it's IP address, this works of course.

 

When accessing directly, the PCS adds /dana-na/auth/url_<randomstring>/welcome.cgi

 

When accessing via reverse proxy, this doesn't happen.

 

Should the reverse proxy forward to a special URL like the /dana-na/auth/url_<randomstring>/welcome.cgi or something else?

5 REPLIES 5
tfboy
New Contributor

Re: PCS behind reverse proxy

I presume this is some kind of rewrite.

I did just notice this KB post: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44291

 

So I presume it's save to have the full url including the random string as the URL to forward to from the reverse proxy?

zanyterp
Moderator

Re: PCS behind reverse proxy

it is not possible to reverse proxy access into the appliance. if the reverse proxy in front does not make any changes, to the URL or cookies or anything, it may work…however, anything that changes those will prevent access

the reverse proxy will need to forward to the path, e.g /userlogin, and the appliance will reply with the /dana-na/url_<randomstring>/welcome.cgi. connecting directly to the redirected url will cause connection issues
tfboy
New Contributor

Re: PCS behind reverse proxy

Thanks Zanyterp.

Hmm that's a bit of a shame.

In fact, we tried setting it up with forwarding to the full URL with the random string.

It worked for a while.

But now, we get an error with too many redirects...

I'll continue to play around with this. It's a real shame if this isn't supported as I would think it's a pretty common setup when you need further protection / authentication upstream of the PCS.

zanyterp
Moderator

Re: PCS behind reverse proxy

i am impressed it ever worked; unfortunately, this is the only time i have seen this in 10+ years. most of the time i have seen the appliance behind a firewall or load balancer; i have not yet seen it behind another reverse proxy
r@yElr3y
Moderator

Re: PCS behind reverse proxy

@tfboy Personally, I have not tried this setup before but if the R.proxy can forward everything (request) and relay the responses back to client, then it would work.

PCS Expert
Pulse Connect Secure Certified Expert