Reverse proxying allows your NetManager to act as a gateway between the Internet and other internal webservers. This has the following advantages:
- Only a single external IP address needed
- Single unified log for remote web access
- All machines can share a single SSL certificate
- No need to expose whole web space on internal webservers to outside world, so more secure against attack
- No need to worry about firewalling on internal webservers
- No reconfiguration needed on internal webservers
To configure reverse proxying, go to http://netmanager:880/private/webserver/reverse/ (replacing netmanager by the appropriate name if necessary). This is the same as choosing Web Server, then Reverse Proxy in webadmin. You will see:
Add new entries by entering the path that the website will appear under on the NetManager in the left-hand box and the destination URL in the right. Bear in mind that the NetManager, like most webservers in the world, is case-sensitive, whereas the destination machine may not be (if, for example, it is running Microsoft IIS). Therefore, you may need to map the same URL twice but with different cases. You also need to ensure that all relevant folders on the destination machine are entered. In the example above, 2 separate paths on the destination server are reverse-proxied. You could visit http://netmanager/exchange/ to access the internal webserver, replacing netmanager by the suitable name when accessing remotely.
N.B. When reverse proxying Outlook Web Access, please see Gotchas below.
You can also reverse proxy on the basis of hostname. This is useful if you want to share the whole webspace on a destination server (this is a workaround for Gotcha 5 below). To use this, simply enter a full URL in the path box, e.g. http://remote.mysite.co.uk/. You will need to ensure that the host name (remote.mysite.co.uk in this case) points to your NetManager's external IP address. To access over HTTPS, please use a https:// URL (e.g. https://remote.mysite.co.uk/), but please note that unless you are using a wildcard SSL certificate, you will not be able to secure more than one domain name with an SSL certificate. It is very unlikely that you will need to specify a further path after the domain (i.e. not http://remote.mysite.co.uk/something/else/ ).
There are two options that can be set when reverse-proxying. These are:
- Only over HTTPS - If reverse-proxying by path (i.e. not a whole domain), then usually this will apply for both http and https. With this option set, https://external/portal will work, but http://external/portal will not. This is useful if the page asks for passwords, etc.
- Redirect from HTTP to HTTPS - If users visit the page using http, they will be redirected to the https version of the same. This also works for whole domain reverse proxying if the Path on NetManager box contains a https:// URL.
Gotchas:
- Destination webservers that look at the host name used by the browser will probably require the Pass through Host: when reverse proxying option to be set in Web Server > Settings. N.B. Outlook Web Access requires this to be set.
- Some Windows-based services will try to use non-standard or inappropriate authentication methods. For example, IIS/Outlook Web Access can be set to do transparent authentication using the non-standard NTLM method (this is referred to as Integrated authentication). When using Internet Explorer this can cause the page not to be displayed correctly (Firefox works fine as it ignores NTLM). To work around this, enable the Block NTLM authentication requests and/or Block Negotiate authentication requests options in Web Server > Settings. Alternatively, just disable Integrated authentication as it is useless externally (and of dubious use elsewhere).
- You must be consistent about slashes at the end of your path and URL - if your destination URL does not have a slash at the end, your path must not have a slash either.
- Destination webservers that hardwire absolute URLs in the HTML (e.g. http://myserver/page/) will probably not work as the client's browser will not be able to find the webserver referenced from outside your site (myserver in this case).
- Destination webservers that use absolute paths, that cannot be replicated on the NetManager, will probably not work (or will require lots of individual entries), e.g. if you try to reverse proxy http://myserver/ as path /myserver/, then when you visit http://netmanager/myserver/, the page may attempt to use / as a path and thus will point to the wrong place. A potential way round this is to redirect a whole domain.
If things don't work, then look at the HTML source to see what is being accessed and add appropriate maps.
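The check described above can be scripted. The following is an added example, not part of the NetManager documentation or product: it scans HTML returned by a destination server for links that a given map entry will not cover (wrong case, a path outside the map, or an absolute URL naming the internal host) and checks trailing-slash consistency. The function names, the sample HTML and the map entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Attributes whose values the browser will request from the NetManager.
LINK_RE = re.compile(r'(?:href|src|action)\s*=\s*["\']([^"\']+)["\']', re.I)

def slash_mismatch(path, dest):
    """True if only one of path / destination URL ends with a slash."""
    return path.endswith("/") != dest.endswith("/")

def unmapped_links(html, path, dest):
    """Return (link, reason) pairs for links that the map path -> dest misses.

    path: the path (or full URL, for a whole-domain map) entered on the NetManager
    dest: the destination URL on the internal webserver
    """
    prefix = urlsplit(path).path or "/"
    internal_host = urlsplit(dest).hostname
    problems = []
    for link in LINK_RE.findall(html):
        parts = urlsplit(link)
        if parts.netloc:
            # Hardwired absolute URL: the internal name does not resolve outside.
            if parts.hostname == internal_host:
                problems.append((link, "absolute URL to internal host"))
        elif link.startswith("/") and not link.startswith(prefix):
            # Root-relative link that the case-sensitive path map will not match.
            if link.lower().startswith(prefix.lower()):
                problems.append((link, "case differs from mapped path"))
            else:
                problems.append((link, "path outside mapped path"))
    return problems

# Constructed sample of HTML as an internal server might return it.
SAMPLE_HTML = """
<a href="/exchange/inbox">Inbox</a>
<a href="/Exchange/calendar">Calendar</a>
<img src="/images/logo.gif">
<form action="http://myserver/exchange/login">
<a href="help.html">Help</a>
<a href="https://www.example.org/">External</a>
"""

if __name__ == "__main__":
    print("slash mismatch:", slash_mismatch("/exchange", "http://myserver/exchange/"))
    for link, reason in unmapped_links(SAMPLE_HTML, "/exchange/", "http://myserver/exchange/"):
        print(f"{reason}: {link}")
```

Each reported link needs its own map entry (or a second entry in a different case); with a whole-domain map the root-relative links are covered, and only hardwired absolute URLs remain.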