Securing a WCCP reverse-proxy Content Engine

I have been implementing a reverse-proxy solution for a client using WCCP and a CE500 series.
Testing all went fine. Days before going live we experienced a problem: the CE was an open proxy that was allowing parties on the internet to proxy through it, effectively destroying our Internet link.
I had to use a combination of ACLs on our routers etc... to stop the attempts and have now configured regex rules to only permit the domain and the ip addresses hosted by this reverse proxy. This seems to work somewhat, but I still see some connections in the logs to sites not protected by the CE.
Anyone got any ideas/guidelines or have any information on securely implementing a CE?

Hi,
I'm using software version 2.51, this is the newest software supported by Cache Engine 505.
My firewall permits any traffic between the router and the Cache.
It's very strange, because the router discovers the Cache using WCCP; with the command "show ip wccp web-cache", for example, the "redirect" packets counter is incrementing, but it isn't working.

Similar Messages

  • Secured connections for reverse proxy 4.0 possible?

    Hi,
    Is there any way to have a secure https to https connection while using Sun proxy server 4.0 as a reverse?
    I did the whole connect:// item with the 'connect://.*' defined in the routing table and just keep getting:
    "trying to GET /testdev/, deny-service reports: denying service of connect://testserver.***.com:481/testdev/"
    I tried defining it to https and get the "unable to find certificate".
    I am not showing the internal destination server ever receives any traffic from the reverse proxy, and the proxy logs seems to show it is blocking it all.
    So far coming in to the proxy server on an ssl https url and attempting to map it to another internal https server always fails.
    Mapping the same incoming https traffic to the same internal http server works fine (that is HTTP).
    So a client can hit our reverse proxy at HTTPS://reverseproxy.../testdev and get sent to an internal HTTP URL just fine.
    Doing the same thing to an internal HTTPS URL fails...
    Thanks much.

    The CONNECT is a method meant only for Proxies
    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.9
    You might try searching for setting up secure reverse proxy in the docs.
    The method is to map https->http and http->https on both sides.

  • Peoplesoft Portal with Reverse Proxy, content provider also need RP?

    Hello there,
    I need your help. I am currently implementing a PS Portal. I set my CRM as content provider; for safety reasons the public access portal is configured using a reverse proxy (rp). My question is: is there a different option to configure the CRM also with a reverse proxy, as static content generated by the CRM is then shown through the Website Portal (already rp)?
    Thanks and regards.
    Alexander C.

    I also would like to overcome this issue. I could not find an answer anywhere on Metalink or OTN.
    Can a reverse-proxy (i.e. using ProxyPass & Reverse) be used with an internal Portal?
    John Z
    Butler Mfg. Co.

  • Content Engine NM ACNS/network access

    After searching Google and Cisco, here's my setup...
    2851 Router running 15.1T
    CE-NM-BP-80G-K9 in slot 1/0
    Bridge group 1 for LAN and Wireless WIC.
    Goal:  Either add the external CE interface to the LAN on the bridge group or use WCCP to cache traffic through the internal interface.
    I was able to access ACNS once, but I'm completely new to the design and it was only for testing with the IP scheme.  I reset the config, reloaded the router and now I can't access ACNS via the web gui nor can I access the network from the CE (ping or ftp).
    Interface ContentEngine 1/0 Config:
         ip address 10.0.0.1 255.255.255.0
         Service Module ip address 10.0.0.2 255.255.255.0
         Service Module external ip address 10.0.1.1 255.255.255.0
         Service Module ip default gateway 10.0.0.1
    Interface BVI1
         ip address 192.168.2.1 255.255.255.0
         using dhcp etc
    Service module config:
    CE#sh run
    ! ACNS version 5.5.3
    hostname CE
    http proxy incoming 80 8080
    ip domain-name mydomain.com
    interface FastEthernet external
    exit
    interface FastEthernet internal
    exit
    wmt evaluate
    wmt accept-license-agreement
    wmt enable
    ip name-server 8.8.8.8
    ip name-server 192.168.2.1
    wccp router-list 1 192.168.2.1
    wccp web-cache router-list-num 1
    wccp reverse-proxy router-list-num 1
    wccp wmt router-list-num 1
    wccp version 2
    username admin password 1 xxx
    username admin privilege 15
    username xxxx password 1 xxx uid 2001
    username xxxx privilege 15
    authentication login local enable primary
    authentication configuration local enable primary
    cdm ip 192.168.2.1
    ! End of ACNS configuration
    Here's what I get when attempting to ping:
    CE#ping 192.168.2.1
    connect: Network is unreachable
    CE#ping 10.0.0.1
    connect: Network is unreachable
    CE#ping 10.0.1.1
    connect: Network is unreachable
    And from the LAN:
    seth@Sony:~$ ping 192.168.2.1
    PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
    64 bytes from 192.168.2.1: icmp_req=1 ttl=255 time=1.79 ms
    ^C
    --- 192.168.2.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 1.799/1.799/1.799/0.000 ms
    seth@Sony:~$ ping 10.0.0.1
    PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
    64 bytes from 10.0.0.1: icmp_req=1 ttl=255 time=1.39 ms
    64 bytes from 10.0.0.1: icmp_req=2 ttl=255 time=1.93 ms
    ^C
    --- 10.0.0.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 1.396/1.666/1.936/0.270 ms
    seth@Sony:~$ ping 10.0.0.2
    PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
    ^C
    --- 10.0.0.2 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1006ms
    seth@Sony:~$ ping 10.0.1.1
    PING 10.0.1.1 (10.0.1.1) 56(84) bytes of data.
    ^C
    --- 10.0.1.1 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1007ms
    Page cannot be displayed when attempting to hit the CE on port 8001 or securely at 8003 although the CE shows it's listening
    CE#sh gui-server     
    GUI Server is enabled
    Listen on port 8001
    Secured GUI Server is enabled
    Secured GUI Listen on port 8003
    Let me know if there's some other pertinent info, but what am I missing?

    SOLVED --
    The mistake was my own...in writing this post and re-testing, I realized I had made a foolish mistake. I applied an access-list (which I forgot to include) to the "ip wccp web-cache redirect-list bypass_content_engine" in the global config of the router.
    When I installed service 95 for spoofing, I automatically added the same access list to it as well.
    This was not a good thing since the access list denied packets with a destination of our internal IP addresses from going through the content engine. This worked fine on the way *out* of the router. But as the now-spoofed packets returned, their destination was an inside IP address and they were pretty much discarded. Foolish Mistake!
    Removing the ACL from the "ip wccp 95" statement in the global config fixed the issue and I am spoofing fine.
    Sorry to waste time...
    David Hunter

  • Content Engine and PHP WebSites

    Hi,
    I have Content Engines in a transparent caching scenario. The HTTP traffic being redirected to the CEs is from squid proxies.
    Sometimes, for php written sites, when the client tries to access the website or a particular link in a website, instead of getting the site content he gets a popup window asking if he wants to save the content or cancel the operation.
    I noticed that this problem does not happen if I force the client browsers to use HTTP1.1 through proxy connections or if ... I clear the cache content (the content engine content).
    If I access these sites using a dial-up line this problem doesn't happen. Only from the customer network, where I deployed the transparent caching solution does this happen.
    Does anyone have a clue regarding this issue?
    Thanks in advance for your attention.
    Regards,
    Ricardo

    Thanks for your reply.
    I do not have any rules applied on the CE configuration.
    After looking at some sniffer traces I took, I suspect that my problem is related to the fact that I have requests made with browsers configured for HTTPv1.0 through proxy connections and others for HTTPv1.1 through proxy connections.
    When a client browser makes the request using HTTPv1.1 through proxy connections the content will be cached in encoded gzip format.
    At a later time when another client, this time using HTTPv1.0 through proxy connections, tries to access the same content the content engine will deliver it encoded ... but the browser does not support it, and a pop-up window appears asking if the user wants to save the content.
    So, now I suspect that this has nothing to do with the site itself but only with the requests and responses.
    The clients are behind squid proxies.
    It is the traffic originated by the squid proxy that is being redirected through WCCP to the content engine.
    I will do additional tests and try to find a way to solve this issue.
    Once again Thanks for your reply.
    If you have any additional comments, feel free!
    I need it :)
    Ricardo
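Ricardo's diagnosis above (a gzip body cached for an HTTP/1.1 client and then replayed to an HTTP/1.0 client that never sent Accept-Encoding) is exactly the case the HTTP Vary header exists to prevent. The following Python model is an added example written for this page, not code from the thread or from the Content Engine: it builds a constructed origin that gzips only when asked and advertises Vary: Accept-Encoding, then runs the same two-client sequence through a cache that keys on URL only and through one that also keys on the request headers named in Vary. The URL, body and header values are constructed.

```python
# Added example (not from the thread): how a cache that ignores
# "Vary: Accept-Encoding" hands a gzip body to a client that cannot decode it.
import gzip

ORIGIN_BODY = b"<html><body>hello from a php site</body></html>"  # constructed


def origin(url, req_headers):
    """Constructed origin server: gzips only when the client advertises gzip,
    and tells caches via Vary that the answer depends on Accept-Encoding."""
    resp_headers = {"Content-Type": "text/html", "Vary": "Accept-Encoding"}
    if "gzip" in req_headers.get("Accept-Encoding", ""):
        resp_headers["Content-Encoding"] = "gzip"
        return resp_headers, gzip.compress(ORIGIN_BODY)
    return resp_headers, ORIGIN_BODY


class NaiveCache:
    """Keys entries on URL only: whoever fetches first decides what everyone gets."""

    def __init__(self):
        self.store = {}

    def get(self, url, req_headers):
        if url not in self.store:
            self.store[url] = origin(url, req_headers)
        return self.store[url]


class VaryAwareCache:
    """Keys entries on URL plus the value of every request header named in Vary."""

    def __init__(self):
        self.store = {}

    @staticmethod
    def _vary_key(resp_headers, req_headers):
        names = [n.strip() for n in resp_headers.get("Vary", "").split(",") if n.strip()]
        return tuple((n, req_headers.get(n, "")) for n in names)

    def get(self, url, req_headers):
        for (cached_url, key), entry in self.store.items():
            if cached_url == url and key == self._vary_key(entry[0], req_headers):
                return entry
        entry = origin(url, req_headers)
        self.store[(url, self._vary_key(entry[0], req_headers))] = entry
        return entry


def body_is_gzip(body):
    """True if the body starts with the gzip magic bytes."""
    return body[:2] == b"\x1f\x8b"


def client_can_render(req_headers, resp_headers):
    """A browser that never advertised gzip cannot display a gzip body; it falls
    back to the "save this file?" dialog the users in the thread see."""
    enc = resp_headers.get("Content-Encoding", "")
    return enc == "" or enc in req_headers.get("Accept-Encoding", "")


def replay(cache):
    """HTTP/1.1 client (gzip ok) fetches first; then an HTTP/1.0 client with no
    Accept-Encoding asks for the same URL. Returns whether the second client
    can render what the cache handed it."""
    url = "http://site.example/page.php"  # constructed
    cache.get(url, {"Accept-Encoding": "gzip"})
    resp_headers, _body = cache.get(url, {})
    return client_can_render({}, resp_headers)


if __name__ == "__main__":
    print("naive cache, second client can render:", replay(NaiveCache()))
    print("vary-aware cache, second client can render:", replay(VaryAwareCache()))
```

The naive cache reproduces the symptom (second client receives gzip it never asked for); the Vary-aware cache stores two variants of the same URL and serves each client the one it can decode. A cache that cannot key on Vary should at least refuse to store responses that carry it.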

  • Wacky integration of PIX,Content engine and router

    Dear All,
    I have got a situation... The situation is that I have a pix515e, a Content Engine and a Cisco 2620xm router... The 3 attachments contain each of the systems' configuration. They are arranged in the following way:
    There is a 192.168.0.0 network ID running on the PIX inside network which is getting translated by pix to 172.16.1.11-172.16.2.254. The e0 of pix has got an IP address of 172.16.1.7. PIX firewall's gateway is the router's ethernet interface which is 172.16.1.3. I have allowed tcp etc traffic for the inside network.
    After PIX there is a content engine 565A which is getting connected via its gigabit interface with IP address of 172.16.1.2 to the network with wccp config.
    The router is running 172.16.1.3 on its ethernet interface with the wccp configuration on WAN facing interface..
    The problem is that I am able to access the Internet from inside of the PIX.. The PIX is translating perfectly...When the traffic reaches the router, it also translates into public addresses perfectly..The user's are accessing Internet without any problem..and i can see the nat maintained on router and pix..
    But the problem is that when I write sh wccp gre on the content engine, it doesn't show any activity. This is the problem: the content engine is not responding the way it should.
    Right now I am lost as to why the CE isn't working... If anyone has faced this scenario before then any help will be greatly appreciated...
    Hoping for a response which resolves this...
    Regards,
    Noman Bari

    Dear Joerg,
    Thank you for your response... That night when I had posted my request for help, I went back to my hotel room, took a shower and focused on CE and router communication and what was configured on them (by some another consultant)...
    And then it struck me that wccp was never enabled on the router in the global config (see the router config in my 1st posting)... once this glitch was removed, everything now works. This was never a pix issue because I could see that it was working the way it's supposed to work, xlating was happening, people were surfing the web and stuff, but the show commands on the CE and router weren't showing any activity..
    The following link on configuring Cisco Cache Software helped me enormously and I recommend to everyone working on CE..
    http://www.cisco.com/en/US/products/sw/conntsw/ps547/products_configuration_guide_book09186a0080087140.html
    Through this process I learned a very important lesson though...when you are troubleshooting a problem, never trust the configurations that have been done by the guy before you...start everything from the scratch by going through the documentation..
    and of course this extremely useful Cisco Forum also...
    Regards,
    Noman Bari

  • Content Engine on PIX DMZ

    Can we place the content engine's outside interface on the PIX DMZ interface? At this moment both the WCCP router and the Content Engine are on the outside. I want to place the Content Engine's outside interface on the PIX DMZ and then run WCCP between the Content Engine and the outside router.
    Thank you.

    Yes. You can place the content engine towards the outside interface on PIX. This should work.

  • Reverse proxy retrieve failed

    Hi,
    We are using Iplanet 4.1 as a basic web server and Netscape 3.5 proxy server to reverse proxy content from a CERN web server. Both platforms are SPARC running Solaris 2.7. The reverse proxy works well except when reverse proxying dynamic content, i.e. the CERN server provides graphs on demand and therefore can take up to 60 seconds to create, however the reverse proxy server seems to timeout after about 12 seconds.
    Error in proxy logs:
    retrieve-exit-routine reports:proxy retrieve failed:Document contains no data
    Any ideas or experiences ? Cheers

    Hi All,
    Just found the answer to this - my Apache configuration was missing a very simple command (everything is simple once you find the answer).
    On my reverse proxy configuration I forgot the following:
    ProxyPreserveHost On
    Hope that helps somebody out,
    Brenton.

  • Cannot access the content producer portal via reverse proxy

    Hi all,
    I hope my post is in the right forum
    We have an FPN environment using RRA with our EP (NW 7.0 SPS18) as the consumer and our BI portal (NW 7.0 SPS18) as the content producer.  The consumer is registered with the producer using HTTP protocol.  Everything works as expected.
    We're trying to implement an Apache reverse proxy for our FPN with SSL termination so that we can access the portals from the Internet with HTTPS protocol while keeping HTTP protocol for the internal users.
    Through the reverse proxy, we can access the consumer portal and we can access the producer portal directly without any problem.  The only problem is that, if we logged onto the consumer via the reverse proxy, we cannot access the content from the producer.  We'd get the browser security warning message
    "Although this page is encrypted.  The information you have entered will be sent over an unencrypted connection. ..."
    When we hit the Continue button, we'd get the error 404 Not Found - The request resource does not exist.
    Our Unix admin tried both Apache and SAP Web Dispatcher but we couldn't get it to work properly.  We went through a lot of blogs and documents and we are at our wits end.  We would greatly appreciate if someone can point out where we should look at.
    Thank you very much in advance.
    Dao

    Hi Kevin,
    Unfortunately, our Unix admin thinks you missed the point because my question was not clear enough
    We do not have problems with the "correct name" in the reverse proxy and our main SSL termination works fine. 
    It's just that the consumer is registered with the producer using HTTP protocol; as a result, the producer's URL link is 'hard-coded' to use HTTP protocol in the consumer portal since we are not using SSL in the internal network.  Hence, we'd like to know if there's any way to change them to HTTPS for the Internet clients while keeping the HTTP protocol for the internal users.
    I hope I made it clearer this time
    Regards,
    Dao

  • Content engine 510 - transparent proxy stand-alone

    Hello to all,
    after studying architecture examples about Content Engine 510, I found that there are two modes:
    1) standard proxy
    2) transparent proxy
    I need the transparent architecture !
    But every example about transparent mode seems to include a router or a switch with a particular level of software, that can send http requests to the Content Engine to have cache.
    I don't have any of these components.
    I simply need to have a Content Engine that receive any kind of IP protocols on one ethernet, and route it to the other ethernet plug, except that if it is http protocol, it will cache the pages.
    Is it simply impossible to configure the Content Engine 510 that way?
    Does the transparent proxy mode always require a router or a switch to give it the http flow?
    If it is possible, where can I find some configuration examples ?
    Thanks for helping a newbie in content engine...
    Olivier

    Olivier,
    You'll need to have a router running wccp in order to redirect http requests to the cache. Without this, the cache has no visibility of traffic on your LAN.
    Regards,
    Dave

  • Proxy Listener, Reverse Proxy and Security

    I am wondering if someone can help me regarding security. I added an additional proxy listener to do reverse proxy. Unfortunately I started to notice my bandwidth usage skyrocket - outside users were using me as a proxy. How do I limit a proxy listener that I am using externally to only process requests for my internal web servers? Thank you...
    Joe
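The open-proxy incident in the opening post (a CE that relayed for anyone on the internet until regex rules restricted it to the hosted domain and addresses, and still showed stray connections in the logs) and Joe's question just above are the same problem: a reverse proxy must answer only for the hosts it publishes and refuse everything else, including CONNECT, which is a forward-proxy method. The following Python script is an added example written for this page, not code from either thread or from the Content Engine product. It audits constructed access-log lines against a constructed allowlist (example.org plus 203.0.113.0/28) and contrasts an unanchored host regex of the "works somewhat" kind with an anchored one, which is the usual reason a restriction still lets other hosts through.

```python
# Added example (not from the forum threads): audit reverse-proxy access-log
# lines for requests the proxy should never have served. All hosts, addresses
# and log lines below are constructed.
import re
from ipaddress import ip_address, ip_network

# Assumption: the proxy publishes exactly these names and addresses.
PUBLISHED_HOSTS = {"example.org", "www.example.org"}
PUBLISHED_NETS = [ip_network("203.0.113.0/28")]

# The loose pattern: unanchored, dot unescaped. It "works somewhat" because
# it also matches example.org.attacker.test and notexample.org.
LOOSE_HOST_RE = re.compile(r"example.org")
# The anchored pattern: whole host, escaped dot, applied after the port is removed.
STRICT_HOST_RE = re.compile(r"^(?:www\.)?example\.org$")

# Constructed log lines: client, method, request target, status.
SAMPLE_LOG = """\
198.51.100.7 GET http://www.example.org/index.html 200
198.51.100.7 GET http://203.0.113.5/login 200
192.0.2.44 GET http://example.org.attacker.test/ 200
192.0.2.44 GET http://notexample.org/ 200
192.0.2.45 CONNECT mail.victim.test:25 200
192.0.2.46 GET http://www.example.org:8080/ 200
192.0.2.47 GET http://www.example.com/ 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def target_host(method, target):
    """Host part of a request target, lower-cased, with any :port removed."""
    if method == "CONNECT":
        hostport = target  # CONNECT carries host:port directly
    else:
        m = re.match(r"^[a-z][a-z0-9+.-]*://([^/]+)", target, re.I)
        hostport = m.group(1) if m else target
    # IPv6 literals are not handled; the constructed data has none.
    host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
    return host.lower()


def is_published(host, strict=True):
    """True if the proxy is meant to answer for this host."""
    try:
        return any(ip_address(host) in net for net in PUBLISHED_NETS)
    except ValueError:
        pass  # not an IP literal, so check the name
    if strict:
        return host in PUBLISHED_HOSTS or STRICT_HOST_RE.match(host) is not None
    return LOOSE_HOST_RE.search(host) is not None


def audit(log_text, strict=True):
    """Return the log lines a correctly restricted reverse proxy should have refused."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _client, method, target, _status = m.groups()
        # CONNECT is a forward-proxy method (RFC 2616 section 9.9); a reverse
        # proxy has no published host to serve it for, so it is always refused.
        if method == "CONNECT" or not is_published(target_host(method, target), strict):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for mode in (False, True):
        hits = audit(SAMPLE_LOG, strict=mode)
        print(f"strict={mode}: {len(hits)} line(s) flagged")
        for line in hits:
            print("   ", line)
```

With the loose pattern only the CONNECT and the example.com lines are flagged; the two look-alike hosts slip through exactly as the stray connections in the opening post did. The anchored pattern flags all four. The same anchoring applies to whatever rule language the proxy itself uses: match the whole host, escape the dots, and strip the port before comparing.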

    Hi
    Is there a way to authenticate a database user without creating a connection in a java application container like geronimo?

    If you want the database engine to authenticate the users, you have to connect to it. If you really want to do it before attempting a connection, I see no other possibility than to let the application do the authentication. In such a situation it is common to use a technical user for the database. If specific DB features like VPD are needed, then you should use a proxy user instead. But, once more, the authentication should be performed from the application.
    HTH
    Chris

  • Should the Cisco Content Engines be used as a proxy appliance

    Should the Cisco Content Engine be used as a proxy appliance like a Blue Coat appliance, Squid cache engine, ISA server, etc.?
    I am pretty sure it is, but I just need some feedback on past experiences. The customer would like to buy a Cisco product for web filtering/proxy.
    Or is it strictly used to help with web-based applications?

    HI,
    The CE is basically able to check every request it supports. If you are using 3rd level products like SmartFilter, Websense or WebWasher you can use the features of those products to suppress/forbid certain requests (i.e. MSN etc.).
    Kind Regards,
    Joerg

  • Use of outgoing proxy with content engine

    Hi All,
    I'm experiencing problems using the "outgoing proxy" feature with a content engine running ACNS 4.03.
    When this feature is enabled, it takes a long time to get the "execute or save to disk" popup window in the web browser, but when I get it, the file is downloaded in a few seconds.
    It seems like the CE waits for the file to be completely retrieved before delivering it to the client...
    This is not service impacting when this is a small file, but when the file is bigger than 1MB, the browser fails with a timeout.
    Can anyone help ?
    Thanks,
    Phil.

    4.01b1 code had a hardcoded proxy timeout value of 300 microseconds. The ability to set this value was introduced in 4.03 to address symptoms like the one you are describing when the CE is not able to connect to its upstream proxy within this time constraint. (Also documented in the following bug: CSCdv36226 - "Need CLI to configure connection timeout for outgoing proxy".)
    The fix was implemented with the addition of the following command to set this value: 'http proxy outgoing connection-timeout':
    590(config)#http proxy outgoing connection-timeout ?
    <200-5000000> Timeout period for probing outgoing proxy servers in microseconds
    590(config)#
    I hope this helps!
    Cheers,
    Perry.

  • Is Web Application Proxy enough as a secure Reverse Proxy/publishing solution

    Hello,
    What are people's thoughts on using the Web Application Proxy role as a reverse proxy with only a Firewall between it and the internet...?
    We need to replace our ISA 2006 boxes and I have been advocating using WAP with ADFS.
    However, other 'Reverse Proxy' solutions available seem to have more capabilities than just WAP and a Firewall; without them, we leave ourselves exposed. For instance FortiNet's product FortiWeb has the following 'additional' capabilities:
    Protection for application layer attacks (SQL Injection, XSS, PHP/OS/LDAP/RFI/LFI injection and more)
    Automatic layer 7 anomaly-based application baselining and threat detection
    Data Leak Prevention (CC, SSN, server/application leakage)
    IP Reputation
    Are these required? Does WAP provide these capabilities but use different terminology?

    Hi,
    https://technet.microsoft.com/en-us/library/dn383650.aspx
    You will see that Web Application Proxy is designed as a perimeter solution (= running in a DMZ).
    FortiWeb seems to be a web application firewall. This is a security solution. Security solutions are seldom required, but can help keep your environment secure.
    IIS can also serve as a reverse proxy and can do some security stuff too (IP and domain restrictions, request filtering, ...).
    Whether one or the other is the best solution for you, depends on your requirements.
    MCP/MCSA/MCTS/MCITP

  • Citrix Secure Gateway over https reverse proxy - mouse delay

    Hello,
    I've a Citrix Secure Gateway 3.1 server behind BM 3.9 SP2. I've configured an https reverse proxy to the gateway webserver. The Citrix farm is in our internal LAN. My problem is that I've very strange delays in Citrix applications with mouse movement. The delay is about 1-2 seconds. If I connect directly from the DMZ to the gateway server, no delay happens. So my idea is that the reverse proxy is the problem? Any idea would help!
    Is it possible to create filter exceptions, delete the reverse proxy, and connect directly per SSL to the Citrix Secure Gateway server? If yes, can anyone tell me the filter exception rules.
    Thanks for your help!
    Regards,
    Norbert

    On 09/26/2012 05:16 PM, NSuttner wrote:
    >
    > Hello,
    >
    > i've a citrix secure gateway 3.1 server behind BM 3.9 SP2. I've
    > configured a https reverse proxy to the gateway webserver. the
    > citrixfarm is in our internal lan. My problem is, that i've very strange
    > delays in citrix applications with mouse movement. The delay is about
    > 1-2 seconds. If i connect directly from the DMZ to the gatway server, no
    > delay was happend? So, my idea is, that the reverse proxy is the
    > problem? Any idea would help!
    >
    > Is it possible to create filter exceptions, delete the reverse proxy,
    > and connct directly per SSL to the citrix secure gateway server. If yes,
    > can anyone tell me the filter exception rules.
    >
    > Thanks for your help!
    >
    > Regards,
    > Norbert
    >
    >
    tid7004603
