Latest Post - 2015-10-21T19:42:49Z by KSeeker
maxbenDA
10 Posts

Pinned topic DataPower and proxy policy

‏2013-05-03T15:34:07Z |

Hi,

I'm trying to connect an XML Firewall to a dynamic backend through a Squid proxy.

I created a new xml manager & user agent to use the proxy policy but it doesn't work :

 

show useragent DFJ.USER.AGENT :

Active User-Agent policies:
identifier ""
max-redirects 8
timeout 300
proxy
url matching expression tai.dev.usa   (I tried *, .*, (.*), ...)
Remote Address 103.207.1.1
Remote Port 50000

 

in the transaction log : xmlmgr (DFJ.XML.MANAGER) DNS callback cannot resolve host tai.dev.usa : returning error

and I've got no traces in the Squid log or the packet capture.

But it works from curl :

curl --proxy 193.207.1.1:50000 http://tai.dev.usa:9080/foo/bar

 

Ideas ?

 

Thanks for your help

Max

  • isc-hoa
    isc-hoa
    11 Posts

    Re: DataPower and proxy policy

    ‏2013-06-27T08:01:38Z  

    Hi all

    I'm facing the same problem:

    My XML Firewall config has an XML Manager which contains a User Agent defining a Proxy Policy.

    I tried several URL Matching Expressions (exact URL, * , .* .*) but none of these patterns worked.

    Is it possible to use an outgoing http proxy with a XML-Firewall?

    Thanks for your help!

    Regards

    André

  • HermannSW
    HermannSW
    6019 Posts

    Re: DataPower and proxy policy

    ‏2013-06-27T09:43:57Z  

    >  in the transaction log : xmlmgr (DFJ.XML.MANAGER) DNS callback cannot resolve host tai.dev.usa : returning error
    >

    This sounds like "Network->Interface->DNS Settings" in default domain, and there the "DNS Servers" tab has not been set up correctly.

    Correct setup can be easily verified by "Control Panel->Troubleshooting->Ping Remote".


    Hermann<myXsltBlog/> <myXsltTweets/> <myCE/>

  • isc-hoa
    isc-hoa
    11 Posts

    Re: DataPower and proxy policy

    ‏2013-06-27T11:06:46Z  
    • HermannSW
    • ‏2013-06-27T09:43:57Z


    Hi Hermann

    This is not a DNS problem: in my case, the name of the backend server can be resolved, but DataPower cannot connect directly to the backend, because DataPower is in an intranet zone while the backend is in an external network. That's why I have to use our corporate proxy for outgoing traffic.

    I set up a "proxy policy" as described above, but my request does not consider this proxy policy. I set up a network sniffer but cannot see an HTTP CONNECT.

    BTW: If I'm setting the URL Matching Pattern to "*", the probe is no longer working, and on the proxy I can see connections for "http://127.0.0.1" from DataPower. Looks like the internal probe mechanism is considering the proxy policy and therefore tries to connect even to localhost via this proxy.

    Is there another way to force an outgoing business call to use a proxy server?

    Thanks for your help!

    Regards

    André

  • maxbenDA
    maxbenDA
    10 Posts

    Re: DataPower and proxy policy

    ‏2013-07-01T12:31:10Z  
    • isc-hoa
    • ‏2013-06-27T11:06:46Z


    Hi André,

    The proxy policy seems to work only for the web application firewall service. It doesn't work with XMLFW and MPGW.

    I hope that will help you.

    Regards.

    Max

     

     

  • maxbenDA
    maxbenDA
    10 Posts

    Re: DataPower and proxy policy

    ‏2013-07-01T12:37:18Z  
    • HermannSW
    • ‏2013-06-27T09:43:57Z


    I'm trying to use the proxy as an intermediary. My DataPower is not in the same subnet and can't ping the remote server.

  • isc-hoa
    isc-hoa
    11 Posts

    Re: DataPower and proxy policy

    ‏2013-07-01T12:50:59Z  
    • maxbenDA
    • ‏2013-07-01T12:31:10Z


    Hi Max

    Did you find another way than "Proxy Policy" to use a proxy with XMLFW or MPGW?

    I just opened a PMR. I will post the answer as soon as I get one.

    Regards

    André

     

     

  • maxbenDA
    maxbenDA
    10 Posts

    Re: DataPower and proxy policy

    ‏2013-07-01T12:57:24Z  
    • isc-hoa
    • ‏2013-07-01T12:50:59Z


    No other solutions for the moment. I planned to open a PMR, but I will wait for yours ;)

  • isc-hoa
    isc-hoa
    11 Posts

    Re: DataPower and proxy policy

    ‏2013-07-01T13:04:19Z  
    • maxbenDA
    • ‏2013-07-01T12:57:24Z

    Answer from IBM:

    The TechNote "How to configure a service to connect to the backend via a proxy server?" at http://www-01.ibm.com/support/docview.wss?uid=swg21596968 states in its last line: "In case you are using an XML Firewall service, the proxy server setup is made at the service level, via its HTTP Options tab instead of the user agent object."

    The HTTP Options tab can be accessed in the WebGUI via "Control Panel -> Objects -> Service Configuration -> XML Firewall Service -> <Name of XML Firewall> -> HTTP Options".

    Under the HTTP Options Tab, there are two input fields for "Proxy Host" and "Proxy Port"."

     

     

    Updated on 2013-07-02T09:22:38Z by isc-hoa
  • KSeeker
    KSeeker
    77 Posts

    Re: DataPower and proxy policy

    ‏2015-10-21T19:42:49Z  
    • isc-hoa
    • ‏2013-07-01T13:04:19Z


    I believe the HTTP Options setting works for HTTP-only requests and does not work for HTTPS-type requests. Thanks
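
When checking a packet capture or proxy log for the situation discussed in this thread, the first request line shows whether a client is really going through the forward proxy: a plain-HTTP backend is requested in absolute form, and only an HTTPS backend produces a CONNECT. The sketch below is an added example, not part of any post and not DataPower or Squid code; the function names, the sample lines and the https variant of the backend URL are constructed for illustration.

```python
from urllib.parse import urlsplit


def expected_proxy_request(url: str) -> str:
    """First request line a client sends to a forward proxy for `url`."""
    u = urlsplit(url)
    if u.scheme == "https":
        # HTTPS is tunnelled: the proxy only sees host:port (authority form).
        return f"CONNECT {u.hostname}:{u.port or 443} HTTP/1.1"
    if u.scheme == "http":
        # Plain HTTP is sent in absolute form; no CONNECT appears at all.
        return f"GET {url} HTTP/1.1"
    raise ValueError(f"unsupported scheme: {u.scheme!r}")


def classify_request_line(line: str) -> str:
    """Classify a captured request line as direct, proxied or tunnelled."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "malformed"
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        return "proxy-tunnel" if sep and host and port.isdigit() else "malformed"
    if target.startswith("/") or target == "*":
        return "direct"        # origin form: sent straight to the backend
    u = urlsplit(target)
    if u.scheme in ("http", "https") and u.netloc:
        return "proxy-plain"   # absolute form: sent to a forward proxy
    return "malformed"


def audit(capture):
    """Pair every captured request line with its classification."""
    return [(line, classify_request_line(line)) for line in capture]


# Constructed sample capture; the host and path come from the curl test above.
SAMPLE_CAPTURE = [
    "GET /foo/bar HTTP/1.1",                         # bypassed the proxy
    "GET http://tai.dev.usa:9080/foo/bar HTTP/1.1",  # went through the proxy
    "CONNECT tai.dev.usa:443 HTTP/1.1",              # HTTPS tunnel request
    "GET http://127.0.0.1/ HTTP/1.1",                # loopback sent to proxy
]

if __name__ == "__main__":
    for line, kind in audit(SAMPLE_CAPTURE):
        print(f"{kind:13} {line}")
```

Only origin-form lines seen on the backend-facing interface mean the proxy setting is not being applied; an absolute-form line for a loopback address matches the probe behaviour described above for the "*" pattern.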