Hi, I'm trying to set up an SA-2000 as a transparent reverse proxy to enable external access to an internal site. I want users to be redirected for authentication when they first hit the virtual host, and from there on, to access the site transparently.
On the internal DNS server, I have foo.company.com established, pointing to the foo application (192.168.1.100). The SA-2000 is configured with an external IP address of (18.104.22.168) and an external virtual port of (22.214.171.124).
On the external DNS server, I have foo.company.com pointing to 126.96.36.199.
From there, I create a Resource Profile for Foo, where the base URL is https://foo.company.com (which is the 192.168.1.100, internal destination). The Web Access Control is set to https://foo.company.com:443/* ALLOW, and the rewriting is set to Passthrough Proxy with a virtual host of foo.company.com. I do not have any of the checkboxes checked under rewriting.
Now, here's where things aren't working. First, when I access https://foo.company.com, I do not get redirected to https://vpn.company.com to sign in; instead, I'm redirected to https://foo.company.com/dana-na/home/launch/.cgi?url=https://foo.company.com%2F, which starts a redirect loop. If I log in first and click on the web bookmark (or change the URL manually), I get into the same redirect loop.
I don't think this will matter, but full disclosure is good when asking for help. I'm doing this for a proof of concept, and don't have the network set up exactly like I described above. (Above is how I'll set it up once it's been proven out.) Instead, the whole thing exists on the internal network. The external address is bogus, and I'm playing with my local hosts file to trick foo.company.com into resolving to the IP of the virtual port assigned to the SA-2000. The setup works when I do URL rewriting, so I don't think it's an issue of connectivity.
Any help or insight would be fine. I read over the administration guide, which wasn't much help.
Are you able to customize the initial URL you send to users?
If yes, then try the format: https://ssl-vpn-hostname/dana/home/launch.cgi?url=https://foo.company.com%2F
With the above, the users should be redirected to the appropriate sign-in page (as defined in sign-in policies), and upon successful authentication the request will be sent through the pass-through proxy.
If you can't customize the initial URL then you will have to do the following:
1. Make sure you have the appropriate external hostname under Admin UI > Network > Overview
2. Ensure you have a default sign-in policy for "*/" or for "external-ssl-hostname/" that ties the user sign-in page to the appropriate realm
3. Now when users access https://foo.company.com it should redirect them to sign in page and then to the application
Note: when you use foo.company.com as a virtual hostname in passthrough config you cannot use the same name in any of the sign-in policies
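As an added diagnostic for the behaviour discussed in this thread (example code written here, not from the thread, from Juniper, or from the SA-2000 itself): the script below builds the launch URL in the format the reply gives and then walks a redirect chain the way a browser would, reporting whether it ends at the application, spins in the launch.cgi loop the first post describes, or exceeds a hop budget. The hostnames, the sign-in URL https://vpn.company.com/signin and the two redirect maps are constructed for the example; the "working" map simply assumes that once the sign-in page has been visited the protected host answers directly. The url parameter is fully percent-encoded, which is stricter than the reply's example (only the trailing slash encoded) and assumes the launch endpoint applies standard decoding. To use it against a real deployment, replace the simulated fetch with one that issues HTTP requests with automatic redirects disabled and returns the Location header.

```python
"""Redirect-chain diagnostic for a pass-through proxy setup.

Added example, not the thread's or the vendor's code. All hostnames,
paths and redirect maps below are constructed sample data.
"""
from urllib.parse import parse_qs, quote, urlsplit

MAX_HOPS = 10  # hop budget; a healthy sign-in round trip needs only a few


def build_launch_url(vpn_host: str, target_url: str) -> str:
    """Build a launch URL in the format the reply suggests.

    The target is fully percent-encoded so '/' and '?' inside it cannot
    be mistaken for part of the launch URL's own query string.
    (Assumption: the launch endpoint decodes standard percent-encoding.)
    """
    return f"https://{vpn_host}/dana/home/launch.cgi?url={quote(target_url, safe='')}"


def launch_target(launch_url: str):
    """Extract and decode the url= parameter from a launch URL, or None."""
    params = parse_qs(urlsplit(launch_url).query)
    return params.get("url", [None])[0]


def follow_redirects(start_url: str, fetch, max_hops: int = MAX_HOPS):
    """Follow redirects from start_url.

    `fetch(url)` returns the next Location, or None when the response is
    final (e.g. 200). Returns (chain, outcome) with outcome one of
    'ok', 'loop' (a from->to hop repeated) or 'too_many_hops'.
    Tracking hops rather than URLs lets a legitimate
    app -> sign-in -> app round trip pass while a true cycle is caught.
    """
    chain = [start_url]
    seen_hops = set()
    url = start_url
    for _ in range(max_hops):
        nxt = fetch(url)
        if nxt is None:
            return chain, "ok"
        chain.append(nxt)
        hop = (url, nxt)
        if hop in seen_hops:
            return chain, "loop"
        seen_hops.add(hop)
        url = nxt
    return chain, "too_many_hops"


def make_fetch(redirect_map: dict, signin_url: str = None):
    """Simulated fetch over a constructed redirect map.

    Visiting signin_url marks the session authenticated; after that any
    URL in the map is answered directly (None), modelling the proxy
    serving the application once a session exists.
    """
    state = {"authenticated": False}

    def fetch(url):
        if url == signin_url:
            state["authenticated"] = True
            return redirect_map.get(url)
        if state["authenticated"] and url in redirect_map:
            return None
        return redirect_map.get(url)

    return fetch


APP = "https://foo.company.com/"
SIGNIN = "https://vpn.company.com/signin"  # constructed placeholder path
# Constructed: the loop from the first post (app -> launch.cgi -> app -> ...).
BROKEN_MAP = {
    APP: "https://foo.company.com/dana-na/home/launch/.cgi?url=https://foo.company.com%2F",
    "https://foo.company.com/dana-na/home/launch/.cgi?url=https://foo.company.com%2F": APP,
}
# Constructed: the intended flow (app -> sign-in page -> app, then 200).
WORKING_MAP = {APP: SIGNIN, SIGNIN: APP}


def diagnose(redirect_map: dict, signin_url: str = None, max_hops: int = MAX_HOPS):
    """Run the chain walk for one map and return (chain, outcome)."""
    return follow_redirects(APP, make_fetch(redirect_map, signin_url), max_hops)


if __name__ == "__main__":
    print("launch URL:", build_launch_url("vpn.company.com", APP))
    for label, result in (("broken", diagnose(BROKEN_MAP)),
                          ("working", diagnose(WORKING_MAP, SIGNIN))):
        chain, outcome = result
        print(f"{label}: {outcome}")
        for hop in chain:
            print("   ", hop)
```

The loop check keys on repeated (from, to) hops rather than on repeated URLs; a URL-based check would wrongly flag the intended sign-in round trip, because the application URL legitimately appears twice in a healthy chain.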