Managing web reverse proxy configuration entries

To manage the web reverse proxy basic configuration, use the Reverse Proxy management page.

Procedure

  1. From the top menu, select Secure Web Settings > Manage > Reverse Proxy.
  2. Select the instance of interest.
  3. Select Edit.
  4. Make your changes to the settings on the Server, SSL, Junction, Authentication, SSO, Session, Response, Logging, and Interfaces tabs.
    Server
    The Server tab contains entries that are related to the general server configuration.
    HTTPS: Select this check box to enable the HTTPS port within Reverse Proxy.
    HTTPS Port: The port on which Reverse Proxy listens for HTTPS requests.
    HTTP: Select this check box to enable the HTTP port within Reverse Proxy. Traffic on this port is not encrypted, so leave it disabled unless plaintext HTTP is actually required.
    HTTP Port: The port on which Reverse Proxy listens for HTTP requests.
    Interface Address: The network interface on which the Reverse Proxy server listens for requests.
    Enable HTTP/2: Select this check box to accept incoming HTTP/2 connections from clients (browsers) on the primary interface.
    Persistent Connection Timeout: The maximum number of seconds that a persistent connection with a client can remain inactive before the server closes it.
    Worker Threads: The number of threads that are allocated to service requests.
    Cluster is Master: If the Reverse Proxy clustering function is used, this check box controls whether this Reverse Proxy server acts as the cluster master.
    Master Instance Name: The server name of the Reverse Proxy instance that acts as the master within the cluster. This option is enabled only if the Cluster is Master check box is not selected.
    Message Locale: The locale in which the Reverse Proxy runs.
    SSL
    The SSL tab contains entries that are related to the general SSL configuration of the server.
    SSL Certificate Key File: The key database that stores the certificates that Reverse Proxy presents to the client.
    Network HSM Key File: The key database that stores the certificates to be used by the network Hardware Security Module (HSM) device.
    SSL Server Certificate: The name of the SSL certificate, within the key database, that is presented to the client. The drop-down list includes certificates from both the local and network key files. The certificates from the network key file are prefixed with the token label of the network HSM device.
    JCT Certificate Key File: The key database that stores the certificates that Reverse Proxy presents to the junctioned Web servers.
    Junction
    The Junction tab contains entries that are related to the general junction configuration.
    HTTP Timeout: Timeout, in seconds, for sending to and reading from a TCP junction.
    HTTPS Timeout: Timeout, in seconds, for sending to and reading from an SSL junction.
    Ping Interval: The interval, in seconds, between the health check requests that Reverse Proxy sends to junctioned Web servers to determine their state.
    Ping Method: The HTTP method that Reverse Proxy uses when it sends health check requests to the junctioned Web server.
    Ping URI: The URI that Reverse Proxy uses when it sends health check requests to the junctioned Web server.
    Maximum Cached Persistent Connections: The maximum number of connections between Reverse Proxy and a junctioned Web server that are cached for future use.
    Persistent Connection Timeout: The maximum length of time, in seconds, that a cached connection with a junctioned Web server can remain idle before Reverse Proxy closes it.
    Managed Cookie List: A comma-separated list of cookie name patterns. Cookies that match a pattern are stored in the Reverse Proxy cookie jar; all other cookies are passed by Reverse Proxy back to the client.
    Authentication
    The Authentication tab contains entries that are related to the configuration of the authentication mechanisms that the server uses.
    Basic Authentication
    Transport: The transport over which basic authentication is supported. Basic authentication sends the user's credentials with every request, so accepting it over HTTP exposes them in the clear; restrict it to HTTPS.
    Realm Name: Realm name for basic authentication.
    Forms Authentication
    Forms Authentication: The transport over which forms authentication is supported.
    Client Certificate Authentication
    Accept Client Certificates: Defines the condition under which client certificates are required by Reverse Proxy.
    Certificate EAI URI: The resource identifier of the application that is invoked to perform external client certificate authentication.
    Certificate Data: The client certificate data that is passed to the EAI application.
    Kerberos Authentication
    Transport: The transport over which Kerberos authentication is supported.
    Keytab File: Name of the Kerberos keytab file. The keytab file must contain a key for each of the service principal names that are used for SPNEGO authentication.
    Use Domain Qualified Name: Kerberos authentication provides a principal name in the form "shortname@domain.com". By default, only the short name is used as the Security Access Manager user ID. If this check box is selected, the domain is also included in the Security Access Manager user ID, which keeps users with the same short name in different domains distinct.
    Kerberos Service Names: The list of Kerberos service principal names that are used for the server. The first service name in the list is the default service name. To make a service name the default, select the service name and then click Default.
    EAI Authentication
    Transport: The transport over which EAI authentication is supported.
    Trigger URL: A URL pattern that Reverse Proxy uses to determine whether a response is examined for EAI authentication headers. Keep the pattern as narrow as possible: any junctioned response that matches it can assert an identity through EAI headers.
    Authentication Levels: The designated authentication level for each of the configured authentication mechanisms.
    Token Authentication
    Transport: The transport over which RSA token authentication is supported.
    You can also click Go to RSA Configuration to access the RSA Configuration page.
    Session
    The Session tab contains entries that are related to the general session configuration.
    Re-authentication for Inactive: Whether to prompt users to re-authenticate if their entry in the server credential cache has timed out because of inactivity.
    Max Cache Entries: The maximum number of concurrent entries in the session cache.
    Lifetime Timeout: Maximum lifetime, in seconds, of an entry in the session cache.
    Inactivity Timeout: The maximum time, in seconds, that a session can remain idle before it is removed from the session cache.
    TCP Session Cookie Name: The name of the cookie that holds the HTTP session identifier.
    SSL Session Cookie Name: The name of the cookie that holds the HTTPS session identifier.
    Use Same Session: Select the check box to use the same session for both HTTP and HTTPS requests. With this setting the session identifier is also accepted over plaintext HTTP, where it can be captured; use it only if HTTP access to authenticated content is genuinely required.
    Enable Distributed Session Cache: Select the check box to enable the distributed session cache on this reverse proxy instance.
    Note: The appliance must be part of an appliance cluster before the distributed session cache can be enabled. If the cluster configuration changes and a new master is specified, disable and then re-enable this option so that the instance picks up the details of the new cluster configuration.
    Response
    The Response tab contains entries that are related to response generation.
    Enable HTML Redirect: Select the check box to enable the HTML redirect function.
    Enable Local Response Redirect: Select the check box to enable the local response redirect function.
    Local Response Redirect URI: When local response redirect is enabled, this field contains the URI to which the client is redirected for Reverse Proxy responses.
    Local Response Redirect Macros: The macro information that is included in the local response redirect.
    SSO
    The SSO tab contains entries that are related to the configuration of the different single sign-on mechanisms that the server uses.
    Failover
    Transport: The transport over which failover authentication is supported.
    Cookies Lifetime: Maximum lifetime, in seconds, of failover cookies.
    Cookies Key File: The key file that is used to encrypt the failover cookie.
    LTPA
    Transport: The transport over which LTPA authentication is supported.
    Cookie Name: The name of the cookie that transports the LTPA token.
    Key File: The key file that is used when accessing LTPA cookies.
    Key File Password: The password that is used to access the LTPA key file.
    CDSSO
    Transport: The transport over which CDSSO authentication is supported.
    Transport (generation): The transport over which the creation of CDSSO tokens is supported.
    Peers: The names of the other Reverse Proxy servers that participate in the CDSSO domain, together with the name of the key file that each of them uses.
    ECSSO
    Transport: The transport over which e-community SSO authentication is supported.
    Name: Name of the e-community.
    Is Master Authentication Server: Select the check box if this Reverse Proxy server is the master for the e-community.
    Master Authentication Server: The name of the Reverse Proxy server that acts as the master of the e-community. This field is not required if this Reverse Proxy server is designated as the master.
    Domain Keys: The names of the other Reverse Proxy servers that participate in the e-community, together with the name of the key file that each of them uses.
    Logging
    The Logging tab contains entries that are related to the logging and auditing configuration.
    Enable Agent Logging: Select the check box to enable the agent log.
    Enable Referer Logging: Select the check box to enable the referrer log.
    Enable Request Logging: Select the check box to enable the request log.
    Request Log Format: The format of the entries that are contained within the request log.
    Maximum Log Size: The maximum size of the log file before it is rolled over.
    Flush Time: The period, in seconds, for which Reverse Proxy caches log entries before the system writes them to the log file.
    Enable Audit Log: Select the check box to enable the generation of audit events.
    Audit Log Type: Select the events to be audited.
    Audit Log Size: The maximum size of the audit log file before it is rolled over.
    Audit Log Flush: The period, in seconds, for which Reverse Proxy caches audit log entries before the system writes them to the log file.
    Interfaces
    The Interfaces tab contains settings that are related to WebSEAL secondary interfaces.
    • To add a new secondary interface, click New. Then, define your settings in the pop-up window, which contains the following fields:
      Application Interface IP Address: The IP address on which the WebSEAL instance listens for requests.
      HTTP Port: The port on which the WebSEAL instance listens for HTTP requests.
      HTTPS Port: The port on which the WebSEAL instance listens for HTTPS requests.
      Web HTTP Port: The port that the client perceives WebSEAL to be using.
      Web HTTP Protocol: The protocol that the client perceives WebSEAL to be using.
      Certificate Label: The label of the SSL server certificate that the WebSEAL instance presents to the client.
      Accept Client Certificates: Defines the condition under which client certificates are required by WebSEAL.
      Worker Threads: The number of threads that are allocated to service requests.
      HTTP/2: Enables HTTP/2 connections on this interface.
      HTTP/2 Maximum Connections: The maximum number of HTTP/2 connections allowed on the specified port.
      HTTP/2 Header Table Size: The size of the HTTP/2 header compression table.
      HTTP/2 Maximum Concurrent Streams: The maximum number of concurrent HTTP/2 streams allowed per connection.
      HTTP/2 Initial Window Size: The initial flow-control window size for HTTP/2 connections.
      HTTP/2 Maximum Frame Size: The maximum frame size for HTTP/2 connections.
      HTTP/2 Maximum Header List Size: The maximum header list size for HTTP/2 connections.
      Click Save to save the settings.
    • To delete a secondary interface, select the interface and then click Delete.
    • To edit a secondary interface, select the interface and click Edit. Then, update your settings in the pop-up window, which contains the fields described previously.
  5. Click Save to apply the changes.
    Note: For the changes to take effect, they must be deployed as described in Configuration changes commit process.
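Before the changes are deployed, it is worth checking the saved configuration for the settings on this page that weaken transport or session security (an HTTP listener, basic or forms authentication accepted over HTTP, one session shared across HTTP and HTTPS, a disabled inactivity timeout, the shipped test certificate). The script below is an added example and is not IBM's code. It parses a webseald.conf-style stanza file, of the kind the Reverse Proxy management page edits, and reports such findings; the sample configurations are constructed, and the stanza and entry names it looks for are assumptions about how the GUI fields map onto the configuration file, to be confirmed against the exported configuration of your own instance.

```python
"""Pre-deployment review of the Reverse Proxy settings described above.

Added example, not IBM's code. It reads a webseald.conf-style stanza file
(the configuration behind the Reverse Proxy management page) and lists the
settings a security reviewer would question before the change is deployed.
ASSUMPTION: the stanza and entry names below are what the GUI fields map to;
confirm them against the exported configuration of your own instance.
"""
import configparser
from typing import List, Tuple

# Constructed sample (not from any real appliance): several of the settings
# discussed above are left in a weak state.
WEAK_CONF = """
[server]
https = yes
http = yes
[ba]
ba-auth = both
[forms]
forms-auth = https
[session]
use-same-session = yes
inactive-timeout = 0
[ssl]
webseal-cert-keyfile = pdsrv.kdb
webseal-cert-keyfile-label = WebSEAL-Test-Only
"""

# The same configuration with every finding corrected.
HARDENED_CONF = """
[server]
https = yes
http = no
[ba]
ba-auth = https
[forms]
forms-auth = https
[session]
use-same-session = no
inactive-timeout = 600
[ssl]
webseal-cert-keyfile = pdsrv.kdb
webseal-cert-keyfile-label = www.example.com
"""

Finding = Tuple[str, str, str]  # (stanza, entry, reason)

# Assumed label of the self-signed test certificate that ships with WebSEAL;
# it must not be the certificate presented to real clients.
TEST_CERT_LABEL = "webseal-test-only"


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse stanza text. strict=False tolerates the repeated entries that
    webseald.conf allows; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def audit(cp: configparser.ConfigParser, max_inactive: int = 1800) -> List[Finding]:
    """Return findings for one instance; an empty list means nothing to question."""
    findings: List[Finding] = []

    def get(stanza: str, entry: str, default: str = "") -> str:
        # fallback covers both a missing stanza and a missing entry
        return cp.get(stanza, entry, fallback=default).strip().lower()

    # Server tab: an HTTP listener carries requests and cookies in the clear.
    if get("server", "http") == "yes":
        findings.append(("server", "http",
                         "plaintext HTTP listener enabled; set to no unless HTTP is required"))

    # Authentication tab: credentials or login forms over HTTP can be read on the wire.
    for stanza, entry, what in (("ba", "ba-auth", "basic authentication"),
                                ("forms", "forms-auth", "forms authentication")):
        transport = get(stanza, entry, "none")
        if transport in ("http", "both"):
            findings.append((stanza, entry,
                             f"{what} accepted over HTTP (transport={transport}); restrict to https"))

    # Session tab: one session for HTTP and HTTPS means the identifier travels over HTTP too.
    if get("session", "use-same-session") == "yes":
        findings.append(("session", "use-same-session",
                         "session shared across HTTP and HTTPS; identifier exposed on plaintext connections"))

    # Inactivity timeout: 0 disables it, very large values keep idle sessions alive.
    inactive = get("session", "inactive-timeout")
    if not inactive.isdigit() or int(inactive) == 0 or int(inactive) > max_inactive:
        findings.append(("session", "inactive-timeout",
                         f"inactivity timeout is {inactive or 'unset'}; expect 1..{max_inactive} seconds"))

    # SSL tab: the shipped test certificate must not be the server certificate.
    if get("ssl", "webseal-cert-keyfile-label") == TEST_CERT_LABEL:
        findings.append(("ssl", "webseal-cert-keyfile-label",
                         "default self-signed test certificate is still selected"))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for stanza, entry, reason in audit(parse_conf(text)) or [("-", "-", "no findings")]:
            print(f"[{stanza}] {entry}: {reason}")
```

Run it against the configuration exported from the instance; the weak sample produces five findings and the hardened one none. The threshold for the inactivity timeout is a parameter because the acceptable value depends on the applications behind the junctions, and the check deliberately treats a missing or non-numeric entry as a finding rather than silently assuming a default.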