Creating a Passthrough Proxy Resource Policy
Passthrough proxy resource policies specify Web applications for which the system performs minimal intermediation. To create a passthrough proxy resource policy, you need to specify two things:
- Which Web application to intermediate with the passthrough proxy
- How the system listens for client requests to the application server
To write a passthrough proxy resource policy:
- In the admin console, choose Users > Resource Policies > Web.
- If your administrator view is not already configured to show rewriting policies, make the following modifications:
  - Click the Customize button in the upper right corner of the page.
  - Select the Rewriting check box.
  - Select the Passthrough Proxy check box below the Rewriting check box.
  - Click OK.
- Select the Rewriting > Passthrough Proxy tab.
- On the Passthrough Proxy Policies page, click New Application.
- Enter a name to label this policy (required) and a description of the policy (optional).
- In the URL field, specify the application server hostname and the port used to access the application internally. Note that you cannot enter a path in this field.
- Choose the way in which you want to enable the passthrough proxy feature:
  - Use virtual hostname—If you choose this option, specify a hostname alias for the application server. When the system receives a client request for the application server hostname alias, it forwards the request to the specified application server port in the URL field.
    If you choose this option, you must also define the name and hostname in the Network Identity section of the System > Network > Internal Port tab. For SharePoint to work through the system, you must select the Override automatic cookie handling check box in Internet Explorer under Tools > Internet options > Privacy > Advanced Privacy Settings if the following conditions are true:
    - You select the Use virtual hostname option during passthrough proxy configuration.
    - The virtual hostname that you specify in your SharePoint configuration is different from the hostname that you configure through the system setup (that is, if the domains are different).
    - You enable persistent cookies through the Users > User Roles > Select Role > General > Session Options page of the admin console.
  - Use SA port—If you choose this option, specify a unique port in the range 11000-11099. The system listens for client requests to the application server on the specified port and forwards any requests to the application server port specified in the URL field.
- In the Action section, specify the method to use to intermediate traffic:
  - Rewrite XML—If you select this option, the system rewrites URLs contained within XML content. If you disable this option, the system passes the XML content “as is” to the server.
  - Rewrite external links—If you select this option, the system rewrites all URLs. If you disable this option, the system rewrites only those URLs that contain a hostname specified in the passthrough proxy policy.
  - Block cookies from being sent to the browser—If you select this option, the system blocks cookies destined for the client’s browser. The system stores the cookies locally and sends them to applications whenever they are requested.
  - Host-Header forwarding—If you select this option, the system passes the hostname as part of the host header instead of the actual host identifier.
    The Host-Header forwarding option is only valid in passthrough proxy Virtual Host mode.
- Click Save Changes.
- On the Passthrough Proxy Policies page, order the policies according to how you want to evaluate them. Keep in mind that once the system matches the application requested by the user to an application specified in a policy’s (or a detailed rule’s) Resource list, it performs the specified action and stops processing policies.
- If you select:
  - Use virtual hostname, you must also:
    - Add an entry for each application server hostname alias in your external DNS that resolves to the system.
    - Upload a wildcard server certificate to the system (recommended).
  - Use SA port, open traffic to the port you specified for the application server in your corporate firewall.
If your application listens on multiple ports, configure each application port as a separate passthrough proxy entry with a separate port. If you intend to access the server using different hostnames or IP addresses, configure each of those options separately; in this case, you can use the same port.
External passthrough proxy links that are embedded in a passthrough proxy page may not work. For example, if the bar.company.com page contains a link to foo.company.com and foo.company.com is configured as a host-mode passthrough proxy application, the link to foo.company.com fails. To avoid this, use port-mode passthrough proxy for passthrough proxy links embedded in passthrough proxy applications.
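The constraints stated in the procedure above (no path in the URL field, the 11000-11099 SA port range, Host-Header forwarding only in virtual host mode, and first-match policy ordering) can be checked against a planned policy list before it is entered in the admin console. The following Python lint is an added example, not part of the product or its documentation; the dictionary keys and hostnames are a hypothetical planning format constructed for illustration.

```python
from urllib.parse import urlsplit

SA_PORT_RANGE = range(11000, 11100)  # "Use SA port" range 11000-11099 from the page

def lint_policies(policies):
    """Return (name, problem) pairs for an ordered list of planned policies."""
    findings = []
    first_match = {}  # backend (host, port) -> name of the first policy listing it
    for p in policies:
        name, raw = p["name"], p["url"]
        url = urlsplit(raw if "://" in raw else "//" + raw)
        try:
            port = url.port
        except ValueError:  # non-numeric or out-of-range port in the URL
            port = None
        if not url.hostname or port is None:
            findings.append((name, "URL needs a hostname and a port"))
        if url.path or url.query or url.fragment:  # strict: even "/" is flagged
            findings.append((name, "URL field cannot contain a path"))
        if p["mode"] == "virtual_hostname":
            if not p.get("alias"):
                findings.append((name, "virtual hostname mode needs a hostname alias"))
        elif p["mode"] == "sa_port":
            if p.get("listen_port") not in SA_PORT_RANGE:
                findings.append((name, "SA port must be in 11000-11099"))
            if p.get("host_header_forwarding"):
                findings.append((name, "Host-Header forwarding is only valid in virtual host mode"))
        else:
            findings.append((name, "unknown mode"))
        # Policy evaluation stops at the first match, so a later policy for the
        # same backend host and port is never reached.
        if url.hostname and port is not None:
            earlier = first_match.setdefault((url.hostname, port), name)
            if earlier != name:
                findings.append((name, "shadowed by earlier policy " + earlier))
    return findings

# Constructed sample plan (hypothetical keys and hostnames, in evaluation order).
PLANNED = [
    {"name": "sharepoint", "url": "http://sp.internal.example:80", "mode": "virtual_hostname", "alias": "sp.example.com", "host_header_forwarding": True},
    {"name": "wiki", "url": "http://wiki.internal.example:8080/start", "mode": "sa_port", "listen_port": 11000},
    {"name": "crm", "url": "https://crm.internal.example:443", "mode": "sa_port", "listen_port": 12000, "host_header_forwarding": True},
    {"name": "sharepoint-old", "url": "http://SP.internal.example:80", "mode": "sa_port", "listen_port": 11001},
]

if __name__ == "__main__":
    for name, problem in lint_policies(PLANNED):
        print(f"{name}: {problem}")
```

The lint only covers rules stated on this page; DNS entries, the wildcard certificate and firewall openings still have to be verified separately.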