IBM Support

How to proxy an SSL request from DataPower to a remote proxy server?

Troubleshooting


Problem

How to configure an IBM WebSphere DataPower SOA Appliance Service to proxy an SSL request to a remote proxy server using the CONNECT method for SSL tunneling?

Cause

Many common forward proxy servers expect requests in different formats depending on whether they are proxying non-SSL or SSL requests.

For example, a non-SSL request to be proxied may come in the form of GET hostname:port/URI.

For SSL requests to be proxied, remote proxy servers are commonly configured to tunnel the request from the client to the backend server.

In the SSL request scenario, remote proxy servers will typically expect a CONNECT request and then tunnel the SSL request from the client to the backend server.

Users configuring DataPower may need a way to implement this CONNECT method for SSL tunneling to a remote proxy server.
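The two request formats described above, shown as an added Python example (not IBM or DataPower code). It builds both requests and checks a proxy's reply to CONNECT before any SSL handshake would start. The function names, the host backend.example and the proxy replies are constructed for illustration, and the non-SSL request is written out in full HTTP absolute form.

```python
import socket

def plain_proxy_request(host, port, path):
    """Non-SSL: the proxy sees the full target URL in the request line."""
    return (f"GET http://{host}:{port}{path} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def connect_request(host, port):
    """SSL: the proxy is only asked to open a tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")

def open_tunnel(sock, host, port, max_header=8192):
    """Send CONNECT on a socket already connected to the proxy.

    Returns (status, reason). On 2xx the socket is a raw tunnel and the
    SSL handshake with the backend can start on it; any other status
    means the proxy refused to tunnel.
    """
    sock.sendall(connect_request(host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:          # read until end of reply headers
        chunk = sock.recv(1024)
        if not chunk:
            raise ConnectionError("proxy closed before completing its reply")
        buf += chunk
        if len(buf) > max_header:
            raise ValueError("proxy reply headers too large")
    status_line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")

def demo(reply):
    """Run open_tunnel against a constructed proxy reply over a socketpair."""
    client, proxy = socket.socketpair()
    try:
        proxy.sendall(reply)               # constructed proxy answer
        status, reason = open_tunnel(client, "backend.example", 443)
        sent = proxy.recv(4096)            # bytes the proxy side received
        return status, reason, sent
    finally:
        client.close()
        proxy.close()

if __name__ == "__main__":
    print(demo(b"HTTP/1.1 200 Connection established\r\n\r\n"))
    print(demo(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"))
```

A non-2xx status from the proxy at this step points to the proxy's own policy for CONNECT rather than to the SSL configuration of the backend.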

 

Resolving The Problem

Non-SSL proxy requests will work using either:

a) an XML Firewall, by configuring the Proxy Host and Port in the HTTP Options tab

b) a Multi-Protocol Gateway, by configuring an HTTP Proxy Policy in the User Agent

SSL proxy requests will work using the CONNECT method for SSL tunneling when a Multi-Protocol Gateway is used with an HTTP Proxy Policy configured in its User Agent. In this use case, the outbound requests from DataPower use the CONNECT method. Please note that the CONNECT method is not supported for inbound requests to DataPower.

The XML Firewall service is not designed to use the CONNECT method for SSL Tunneling.
 


Document Information

Modified date:
15 December 2020

UID

swg21612222