Defining a Rewriting Autopolicy

By default, the system intermediates all user requests to Web hosts, unless you have configured it to serve requests to certain hosts using a different mechanism, such as the Secure Application Manager. Rewriting autopolicies enable you to "fine-tune" the default options by changing which mechanism rewrites Web data and by defining resources that you want to minimally rewrite or not rewrite at all.

To create a rewriting autopolicy:

1. Create a custom Web application resource profile.

2. Click Show ALL autopolicy types.

3. Select the Autopolicy: Rewriting Options check box.

4. Select one of the following options:

Passthrough Proxy - Select this option to specify Web applications for which the Content Intermediation Engine performs minimal intermediation.

No rewriting (use WSAM) - Select this option to intermediate content using PSAM instead of the Content Intermediation Engine. Then, specify the application server for which you want to intermediate content. (At minimum, you need to click Add in order to intermediate content to and from the server that the system extracts from the Web access control policy).

No rewriting (use JSAM) - Select this option to intermediate content using JSAM instead of the Content Intermediation Engine. Then, specify the application server for which you want to intermediate content. (At minimum, you need to click Add in order to intermediate content to and from the server that the system extracts from the Web access control policy).

No rewriting - Select this option to automatically create a selective rewriting policy for the autopolicy's URL, thereby configuring the system to not intermediate any content to and from the resource. For example, you may choose this option if you do not want the system to intermediate traffic from web sites that reside outside of the corporate network, such as yahoo.com. If you select this option, you do not have to configure any additional rewriting settings.

Specifying Passthrough Proxy Autopolicy Options

To configure passthrough proxy autopolicy options:

1. Create a rewriting autopolicy and select Passthrough Proxy.

2. Choose the way in which you want to enable the passthrough proxy feature:

Use virtual hostname - If you choose this option, specify a hostname alias for the application server. When the system receives a client request for the application server hostname alias, it forwards the request to the specified application server port in the Base URL field.

Use IVE port - If you choose this option, specify a unique port in the range 11000-11099. The system listens for client requests to the application server on the specified port and forwards any requests to the application server port specified in the Base URL field.

The corresponding URL for the resource profile must specify the application server hostname and the port used to access the application internally. You cannot enter a path for the base URL.

In order to make SharePoint work successfully through the system, you must select the Override automatic cookie handling check box in Internet Explorer under Tools > Internet options > Privacy > Advanced Privacy Settings if the following conditions are true:

You select the Use virtual hostname option during Pass Through Proxy configuration.

The virtual hostname that you specify in your SharePoint configuration is different from the hostname that you configure through the system setup (that is, if the domains are different).

You enable persistent cookies through the Users > User Roles > Select Role > General > Session Options page of the admin console.

3. Select the Rewrite XML check box if you want to rewrite URLs contained within XML content. If this option is disabled, the system passes the XML content "as is" to the server.

4. Select the Rewrite external links check box if you want to rewrite all the URLs presented to the proxy. If this option is disabled, the system rewrites only those URLs where the hostname is configured as part of the passthrough proxy policy.

5. Select the Block cookies from being sent to the browser check box if you want to block cookies destined for the client's browser. The system stores the cookies locally and sends them to applications whenever they are requested.

6. Select the Host-Header forwarding check box if you want to pass the hostname as part of the host header instead of the actual host identifier.

The Host-Header forwarding option is only valid in passthrough proxy Virtual hostname mode.

7. Click Save Changes.

8. If you select:

Use virtual hostname, you must also:

Add an entry for each application server hostname alias in your external DNS that resolves to the system.

Upload a wildcard server certificate to the system (recommended).

Define the system name and hostname in the Network Identity section of the System > Network > Internal Port tab.

To use the system port, you must also open traffic to the port you specified for the application server in your corporate firewall.

If your application listens on multiple ports, configure each application port as a separate passthrough proxy entry with a separate port. If you intend to access the server using different hostnames or IP addresses, configure each of those options separately; in this case, you can use the same port.
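The constraints in this procedure can be checked mechanically before entries are typed into the admin console. The following is an added example, not code from the product or its vendor: the dictionary keys (`mode`, `alias`, `ive_port`, `host_header_forwarding`) and the sample hosts are hypothetical, and the port-reuse check follows the reading that entries for different application ports need separate ports while entries for different hostnames of the same server may share one.

```python
from urllib.parse import urlsplit

IVE_PORTS = range(11000, 11100)  # 11000-11099 inclusive, as stated above

def lint_passthrough(entries):
    """Return (entry name, problem) pairs for entries that break the rules above."""
    problems = []
    first_app_port = {}  # IVE port -> application port of the first entry using it
    for e in entries:
        name, url = e["name"], urlsplit(e["base_url"])
        try:
            app_port = url.port
        except ValueError:  # non-numeric or out-of-range port in the URL
            app_port = None
        if not url.hostname or app_port is None:
            problems.append((name, "base URL needs hostname and port"))
        if url.path not in ("", "/") or url.query or url.fragment:
            problems.append((name, "base URL must not contain a path"))
        if e["mode"] == "virtual_hostname":
            if not e.get("alias"):
                problems.append((name, "virtual hostname mode needs a hostname alias"))
            continue
        # Remaining entries are treated as "ive_port" mode (hypothetical key value).
        port = e.get("ive_port")
        if port not in IVE_PORTS:
            problems.append((name, "IVE port outside 11000-11099"))
        elif first_app_port.setdefault(port, app_port) != app_port:
            problems.append((name, "IVE port reused for a different application port"))
        if e.get("host_header_forwarding"):
            problems.append((name, "Host-Header forwarding needs virtual hostname mode"))
    return problems

# Constructed sample entries (hypothetical hosts, not from any real deployment).
SAMPLE = [
    {"name": "wiki", "base_url": "http://wiki.corp.example:8080",
     "mode": "virtual_hostname", "alias": "wiki.vpn.example",
     "host_header_forwarding": True},
    {"name": "crm", "base_url": "https://crm.corp.example:443/portal",
     "mode": "ive_port", "ive_port": 11001},
    {"name": "hr", "base_url": "http://hr.corp.example:8000",
     "mode": "ive_port", "ive_port": 11100, "host_header_forwarding": True},
    {"name": "hr-admin", "base_url": "http://hr.corp.example:8001",
     "mode": "ive_port", "ive_port": 11001},
    {"name": "crm-ip", "base_url": "https://10.0.0.5:443",
     "mode": "ive_port", "ive_port": 11001},
]

if __name__ == "__main__":
    for name, problem in lint_passthrough(SAMPLE):
        print(f"{name}: {problem}")
```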

Specifying PSAM Rewriting Autopolicy Options

To configure PSAM rewriting autopolicy options:

1. Create a rewriting autopolicy and select No rewriting (use WSAM).

2. In the Destination field, specify resources for which PSAM secures client/server traffic between the client and the system. By default, the system extracts the correct server from the Web access control policy. You may choose to use this server as-is, modify it, and/or add new servers to the list.

When specifying a server, specify the hostname (the wild cards '*' or '?' are accepted) or an IP/netmask pair. Specify multiple ports for a host as separate entries.

3. Click Add.

4. Click Save Changes.

When you intermediate through PSAM using this autopolicy, the system automatically enables the Secure Application Manager option on the Users > User Roles > Select Role > General > Overview page of the admin console.

Specifying JSAM Rewriting Autopolicy Options

To configure JSAM rewriting autopolicy options:

1. Create a rewriting autopolicy and select No rewriting (use JSAM).

2. In the Server Name field, enter the DNS name of the application server or the server IP address.

3. In the Server Port field, enter the port on which the remote server listens for client connections.

For example, to forward Telnet traffic from a remote machine, specify port 23 for both the client port (on which JSAM listens) and the server port (on which the Telnet server listens).

To enable drive mapping to this resource, enter 139 as the server port.

4. In the Client Loopback IP field, provide a static loopback address. If you do not provide a static IP loopback address, the system assigns an IP loopback address dynamically.

5. In the Client Port field, enter the port on which JSAM should listen for client application connections.

Typically, the local port value is the same value as the server port; the local port value usually only differs for Linux or Macintosh users who want to add applications for port forwarding that use ports under 1024.

To enable drive mapping to this resource, enter 139 as the server port.

You may configure more than one application on a single port, such as app1.mycompany.com, app2.mycompany.com, app3.mycompany.com. Either you assign a static loopback address or the system assigns a dynamic loopback address (127.0.1.10, 127.0.1.11, 127.0.1.12) to each application. JSAM then listens on these multiple loopback addresses on the specified port. For example, when there is traffic on 127.0.1.12 on the specified port, the system forwards the traffic to the app3.mycompany.com destination host.

6. Select Launch JSAM to automatically start JSAM when the system encounters the Base URL.

7. Click Add.

8. Click Save Application or Save + New.
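The loopback-and-port mapping described in step 5 can be modelled as a lookup table, which makes listener collisions and privileged client ports visible before deployment. This is an added example, not product code: the field names are hypothetical, and handing out dynamic addresses sequentially from 127.0.1.10 is an assumption based only on the addresses in the example above.

```python
import ipaddress

DYNAMIC_START = ipaddress.IPv4Address("127.0.1.10")  # first address in the example above

def build_listeners(apps):
    """Map (loopback IP, client port) -> (server name, server port)."""
    static = {a["loopback"] for a in apps if a.get("loopback")}
    next_ip = DYNAMIC_START
    table = {}
    for a in apps:
        ip = a.get("loopback")
        if ip is None:
            # Assumed allocation: next free address, skipping statically claimed ones.
            while str(next_ip) in static:
                next_ip += 1
            ip = str(next_ip)
            next_ip += 1
        elif not ipaddress.IPv4Address(ip).is_loopback:
            raise ValueError(f"{a['server']}: {ip} is not a loopback address")
        key = (ip, a["client_port"])
        if key in table:
            raise ValueError(f"{a['server']}: {ip}:{key[1]} already used by {table[key][0]}")
        table[key] = (a["server"], a["server_port"])
    return table

def privileged_listeners(table):
    """Listeners on ports under 1024, the case the page singles out for Linux and Macintosh."""
    return sorted(k for k in table if k[1] < 1024)

# Constructed sample: the three hosts from the text on one port, plus a Telnet entry
# with a static loopback address (hypothetical host name).
APPS = [
    {"server": "app1.mycompany.com", "server_port": 8080, "client_port": 8080},
    {"server": "app2.mycompany.com", "server_port": 8080, "client_port": 8080},
    {"server": "app3.mycompany.com", "server_port": 8080, "client_port": 8080},
    {"server": "telnet.mycompany.com", "server_port": 23, "client_port": 23,
     "loopback": "127.0.1.20"},
]

if __name__ == "__main__":
    listeners = build_listeners(APPS)
    for (ip, port), (server, sport) in sorted(listeners.items()):
        print(f"{ip}:{port} -> {server}:{sport}")
    print("privileged:", privileged_listeners(listeners))
```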