SSL VPN - Passthrough as Transparent Reverse Proxy - TCP Error

Hi, I'm trying to set up an SA-2000 as a transparent reverse proxy to enable external access to an internal site. I want users to be redirected for authentication when they first hit the virtual host, and from there on, to access the site transparently.

On the internal DNS server, I have established, pointing to the foo application ( The SA-2000 is configured with an external IP address of ( and an external virtual port of (

On the external DNS server, I have pointing to

From there, I create a Resource Profile for Foo, where the base URL is (which is the internal destination). The Web Access Control is set to* ALLOW, and the rewriting is set to Passthrough Proxy with a virtual host of I do not have any of the checkboxes checked under rewriting.

Now, here's where things aren't working. First, when I access, I do not get redirected to to sign in; instead, I'm redirected to, which starts a redirect loop. If I log in first and click on the web bookmark (or change the URL manually), I get into the same redirect loop.

I don't think this will matter, but full disclosure is good when asking for help. I'm doing this for a proof of concept, and don't have the network set up exactly like I described above. (Above is how I'll set it up once it's been proven out.) Instead, the whole thing exists on the internal network. The external address is bogus, and I'm playing with my local hosts file to trick out to be IP of the virtual port assigned to the SA-2000. The setup works when I do URL rewriting, so I don't think it's an issue of connectivity.

Any help or insight would be fine. I read over the administration guide, which wasn't much help.

Re: SSL VPN - Passthrough as Transparent Reverse Proxy - TCP Error

Are you able to customize the initial URL you send to users?


If yes then try the format: https://ssl-vpn-hostname/dana/home/launch.cgi?url=


With the above, the users should be redirected to the appropriate sign-in page (as defined in sign-in policies), and upon successful authentication the request will be sent through the pass-through proxy.


If you can't customize the initial URL then you will have to do the following:

1. Make sure you have the appropriate external hostname under Admin UI > Network > Overview

2. Ensure you have a default sign-in policy for "*/" or for "external-ssl-hostname/" that ties the user sign-in page to the appropriate realm

3. Now when users access it should redirect them to the sign-in page and then to the application


Note: when you use as a virtual hostname in passthrough config you cannot use the same name in any of the sign-in policies
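A small diagnostic for the redirect loop described in the question, together with a builder for the launch.cgi URL form given in the reply. This is an added example, not code from the thread or from the product; the hostnames are placeholders and the canned responses are constructed to mimic the two behaviours discussed (the loop on the virtual host, and the working launch.cgi path).

```python
import urllib.error
import urllib.request
from urllib.parse import quote, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_launch_url(vpn_host, target_url):
    """Build the https://ssl-vpn-hostname/dana/home/launch.cgi?url=... form from the reply."""
    return f"https://{vpn_host}/dana/home/launch.cgi?url={quote(target_url, safe='')}"


def live_fetch(url):
    """Fetch one URL WITHOUT following redirects; return (status, Location header or None)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # stop urllib from following, so we see every hop
    try:
        resp = urllib.request.build_opener(NoRedirect).open(url, timeout=10)
        return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch=live_fetch, max_hops=10):
    """Follow redirects one hop at a time and report 'ok', 'loop' or 'too-many-hops'."""
    chain, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, "ok"
        url = urljoin(url, location)
        chain.append(url)
        if url in seen:  # already visited this hop: that is the redirect loop
            return chain, "loop"
        seen.add(url)
    return chain, "too-many-hops"


# Constructed responses with placeholder hostnames (vpn.example.test is the SA-2000,
# foo.example.test the passthrough virtual host). Unknown URLs answer 200.
LAUNCH = build_launch_url("vpn.example.test", "https://foo.example.test/")
SAMPLE = {
    "https://foo.example.test/": (302, "/signin"),                          # hitting the vhost directly
    "https://foo.example.test/signin": (302, "https://foo.example.test/"),  # bounces back: loop
    LAUNCH: (302, "https://vpn.example.test/signin"),                       # launch.cgi -> sign-in page
    "https://vpn.example.test/signin": (302, "https://foo.example.test/app/"),  # -> application
}


def sample_fetch(url):
    return SAMPLE.get(url, (200, None))
```

Run `trace_redirects("https://foo.example.test/", fetch=sample_fetch)` to see the loop reported, and swap in the default `live_fetch` to trace a real deployment hop by hop.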