Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

applmott_
Occasional Contributor

Hi all,

I've recently been hit with a roadblock on an implementation I am working on. Here's the setup:

-We're using a SA6500 with custom sign-in page (CSP) to redirect a user to an external-facing 2-factor authentication solution (Arcot). Arcot integrates with SiteMinder to generate a SMSession cookie for users that the IVE checks for authentication/authorization.

-After successful authentication, we have Arcot configured to redirect the user's browser back through the IVE to their original requested URL, and we manually configure this link to go through the IVE properly (see example below)

Example:

-Original URL: https://server1.company.com/urldata

-Modified URL: https://server1.company.com/dana/home/starter.cgi?url=https://server1.company.com/urldata

-We have configured external DNS to point to the IVE for the hostname of the internal server (server1 external DNS = IVE, server1 internal DNS = back-end server).

This redirection works well for initial, unauthenticated requests, but any subsequent internal links of the form server1.company.com/urldata aren't caught by our CSP script.

Has anyone ever done this (even just the DNS part)? Any assistance would be most helpful! I'm just looking for a way to tunnel or rewrite the traffic destined to this server. I have had an issue with SAM doing the job, because it seems that it automatically bypasses traffic destined for the IVE hostname that was used to launch it. Weird.

Thanks,

-C

zanyterp_
Respected Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

That is correct. You are using the same browser for the connection; this is picked up as a valid session and users are logged in directly (or at least attempted to be). You would need to sign out between each connection on that.

For your SAM issue, do you mean that it is not capturing traffic for the IVE? Was it configured to capture that traffic?

applmott_
Occasional Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

WSAM is configured to tunnel a handful of URLs:

URL1: url1.company.com/url1data

URL2: url2.company.com/url2data

URL3: url3.company.com/url3data

All 3 of these are configured with external DNS to point to the IP of the IVE, as well as existing on the internal LAN. When I launch WSAM through URL1, I can tunnel data to the other two destinations but not the original URL1.

Is there some built-in function of WSAM that passes through the traffic destined to the URL that was used to launch it?

zanyterp_
Respected Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

I don't believe so, not really. I believe it makes a change so it always connects to the same IP in case of events like proxy or DNS changes; but not that it passes traffic that was used to launch it because of some other reason.

Do the internal DNS servers resolve to the IVE as well? DNS requests are proxied by WSAM to the intranet.

applmott_
Occasional Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

Internal DNS resolves to the internal server IPs. I've actually worked around the hostname issue by redirecting the browser to another URL of the form iveurl.company.com/dana/home/launch.cgi?url=http://url1.company.com/urldata1

Either way, I'm still having issues with WSAM. I noticed that the traffic actually starts tunneling after about 5 minutes. I have JTAC looking into it, but I have no idea why this behavior is occurring. Thoughts?
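The redirect-builder side of the workaround above, as an added example that is not part of the thread and not Juniper code. It assumes the hostnames from this thread (iveurl.company.com as the IVE, url1/url2/url3.company.com as the only back-ends the CSP may send users to) and shows two things the posts leave implicit: the original URL must be percent-encoded when it is placed in the `url=` query parameter, and both the script that builds the launch URL and anything that later consumes the `url=` value should allow-list the target hostname, so the `launch.cgi?url=` entry point cannot be abused as an open redirect. The allow-list, the hostnames and the `is_allowed_target` helper are assumptions for illustration only.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed for this example (not stated in the thread): the IVE's external
# hostname and the back-end hostnames the rewriter/WSAM is configured for.
IVE_HOST = "iveurl.company.com"
ALLOWED_HOSTS = {"url1.company.com", "url2.company.com", "url3.company.com"}
LAUNCH_PATH = "/dana/home/launch.cgi"


def is_allowed_target(url: str) -> bool:
    """True only for absolute http(s) URLs whose hostname is on the allow-list.

    urlsplit().hostname strips userinfo and ports, so tricks such as
    https://url1.company.com@evil.example/ or //url1.company.com are rejected.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def wrap_for_ive(original_url: str, ive_host: str = IVE_HOST) -> str:
    """Build the launch.cgi redirect the CSP/Arcot step sends the browser to.

    Raises ValueError instead of redirecting to an unknown host.
    """
    if not is_allowed_target(original_url):
        raise ValueError("refusing to redirect to non-allow-listed target: %r" % original_url)
    # urlencode percent-encodes ':' and '/' so the inner URL survives as a
    # single query value instead of being mangled by the next parser.
    query = urlencode({"url": original_url})
    return urlunsplit(("https", ive_host, LAUNCH_PATH, query, ""))


def unwrap_from_ive(launch_url: str) -> str:
    """Extract and re-validate the url= parameter on the receiving side.

    Re-validating here (not only at build time) is the check that matters if
    an attacker hands a victim a crafted launch.cgi link directly.
    """
    parts = urlsplit(launch_url)
    if parts.path != LAUNCH_PATH:
        raise ValueError("not a launch.cgi URL: %r" % launch_url)
    values = parse_qs(parts.query).get("url", [])
    if len(values) != 1:
        raise ValueError("expected exactly one url= parameter")
    target = values[0]
    if not is_allowed_target(target):
        raise ValueError("refusing to forward to non-allow-listed target: %r" % target)
    return target


if __name__ == "__main__":
    # Constructed sample input matching the form used in the thread.
    wrapped = wrap_for_ive("http://url1.company.com/urldata1")
    print(wrapped)
    print(unwrap_from_ive(wrapped))
```

The same allow-list check is what you would put behind any "return to original URL" parameter in the CSP, since a redirect endpoint that forwards to arbitrary hosts is a phishing aid even when the rest of the SSO chain is sound.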

zanyterp_
Respected Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

What is the client OS?

Is WSAM showing as connected successfully prior to the 5 minute mark?

Is this for all connections or just some?

applmott_
Occasional Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

Client OS: Windows XP SP2, IE 6 or 7

WSAM is showing as connected the whole time

All connections seem to be untunneled. And I was/am mistaken... traffic destined to URL2 and 3 is no longer tunneling properly. Tried flushing DNS and still no joy.

applmott_
Occasional Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

So just in case anyone is still following this or trying to do the same thing, the way that JTAC and I worked out to get it done was to modify DNS timeouts to 1 second on the host machine. This is done using the procedure found here.

The only problem with this is that by setting the DNS timeouts so low, I am afraid that there will be quite a large increase in DNS traffic (permanently, I might add). I tried using a logon/logoff script with WSAM, but by the time SAM is launched, the DNS timeout values need to be set already, so the logon script does not trigger in time.

I wonder if there's a way to pause the IVE after autolaunching SAM so that the script can run before the browser is forwarded on to the start page...

Any ideas folks?

zanyterp_
Respected Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

Unfortunately, no, there is not.

applmott_
Occasional Contributor

Re: Tunneling connections to back-end server with same hostname as IVE (via rewriter/SAM?)

Ack, not leaving me much wiggle room there zany. Is there anything you can think of that may solve/work around this problem?