IVE as reverse proxy?

  • Hi,
    I was wondering: can the IVE be used as a reverse proxy (SSL)?
    The purpose would be to let someone on the Internet open an HTTPS connection to one of our servers, via the IVE, but unauthenticated (by which I mean: without passing the sign-in page).

    This question may sound strange, since an SSL VPN and a reverse proxy are quite different conceptually, but technically they’re not so different I guess, so perhaps there’s a way to achieve this??

    PS: I have a Juniper SA-2000 SSL VPN

  • In your Web Application Resource Profile, configure the site as a Passthrough-proxy under Autopolicy: Rewriting Options.  Unfortunately we had to do this for a few obscure ActiveX applications that just would not rewrite well.

    Click on your IVE’s “Help” button on the top right and do a search for:
    “passthrough-proxy overview”

    There’s even a good example in there at the bottom.  However, I question why you would do this unless you’re just trying to avoid buying a certificate for the OWA front-end server.  I’m not sure that there are any security benefits to going about it this way, versus doing a PAT on your firewall to redirect to your OWA on a public address.

    Hope this helps.

  • Okay, I configured the anonymous authentication & the custom homepage, no problems there (thanks for the supplied info by the way!).
    The next problem I encounter is authentication.

    See, the intranet server is an Outlook Web Access server, and it needs to be accessible from a PocketPC, to retrieve emails (using MS ActiveSync). At the moment our PocketPC users go to a Microsoft ISA server (as a reverse proxy) to contact the OWA server, but I want to use the SSL VPN instead.

    So basically the PocketPC’s ActiveSync should be able to negotiate authentication messages (basic authentication or NTLM authentication) with the OWA server. The problem is that when IVE sees OWA demanding authentication, it will display an HTML form demanding that the user identify himself. This is fine for a human VPN user, but of course MS ActiveSync doesn’t like this.
    Is there a way to prevent IVE doing this??

  • Sure, you can use Anonymous Authentication, so no one will have to log in. And you can use the rewrite engine to rewrite the web content of the intranet webserver.
    And you can configure the internal web application to come up automatically as the start page, without the need to click a link on the Juniper web portal.