Passthrough Proxy Overview
The passthrough proxy feature enables the admin to specify Web applications for which the system performs minimal intermediation. Traditional reverse proxy functionality also rewrites only selected parts of a server response, but it requires network changes as well as complex configuration; passthrough proxy requires only that you specify the application servers and the way in which the system receives client requests for those application servers. Passthrough proxy also supports the TLS Server Name Indication (SNI) extension. The system can receive client requests in one of two ways:
•Via a Connect Secure port - When specifying an application for the passthrough proxy to intermediate, the admin specifies a port on which the system listens for client requests to the application server. When the system receives a client request on that port, it forwards the request to the specified application server port. When you choose this option, you must open the specified system port to inbound client traffic on your corporate firewall.
•Via virtual hostname - When specifying an application for the passthrough proxy to intermediate, the admin specifies an alias for the application server hostname. You need to add an entry for this alias in your external DNS server that resolves to the system. When the system receives a client request for the alias, it forwards the request to the port you specify for the application server.
This option is useful if your company has restrictive policies about opening firewall ports to either internal servers or servers in the DMZ. When using this option, we recommend that each hostname alias uses the same domain suffix as your system hostname and that you upload a wildcard server certificate to the system in the format *.domain.com.
For example, if your system is iveserver.yourcompany.com, then a hostname alias should be in the format appserver.yourcompany.com and the wildcard certificate would be issued for *.yourcompany.com. Note that a wildcard covers exactly one DNS label: *.yourcompany.com matches appserver.yourcompany.com but not erp.apps.yourcompany.com or yourcompany.com itself, so keep aliases one label below the domain. If you do not use a wildcard certificate (or an alias is not covered by it), the client's browser issues a certificate name mismatch warning when a user browses to the application server, because the hostname alias does not match the name on the certificate. This warning does not prevent the user from accessing the application server, but it should be corrected rather than accepted: it is the same warning a user would see during an actual man-in-the-middle attempt, and users who are trained to click through it lose that protection.
When you configure passthrough proxy to work in virtual hostname mode, users must sign into the device using the hostname that you specify on the System > Network > Overview page of the admin console. They cannot use the passthrough proxy feature if they sign into the device using its IP address.
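The two requirements of virtual hostname mode, that every alias resolves to the system and that the wildcard certificate actually covers it, are easy to get wrong when aliases are nested one level too deep. The following pre-flight check is an added example, not Ivanti code; it uses hypothetical hostnames and a constructed stand-in for the external DNS zone (a real run would replace the EXTERNAL_DNS table with actual lookups), and it applies the RFC 6125 rule that a wildcard matches exactly one label.

```python
"""Pre-flight check for passthrough proxy virtual hostname mode (added example).

For each hostname alias it verifies (a) that external DNS points the alias at
the Connect Secure system and (b) that the wildcard server certificate covers
the alias, so the user will not see a certificate name mismatch warning.
All names and addresses below are constructed for illustration.
"""

# Hypothetical deployment (not a real environment).
SYSTEM_HOSTNAME = "iveserver.yourcompany.com"
SYSTEM_IP = "203.0.113.10"              # documentation address range
WILDCARD_CERT_NAME = "*.yourcompany.com"

# Constructed stand-in for the external DNS zone: alias -> A record.
EXTERNAL_DNS = {
    "iveserver.yourcompany.com": "203.0.113.10",
    "appserver.yourcompany.com": "203.0.113.10",   # correct alias
    "erp.apps.yourcompany.com": "203.0.113.10",    # one label too deep for the wildcard
    "appserver.othercompany.com": "203.0.113.10",  # different domain suffix
    "intranet.yourcompany.com": "198.51.100.7",    # points at the wrong host
}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style name match: '*' may only be the entire leftmost label
    and it matches exactly one label. *.example.com therefore covers
    a.example.com but not a.b.example.com and not example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def check_alias(alias: str) -> list:
    """Return the list of problems with one alias; an empty list means it is fine."""
    problems = []
    addr = EXTERNAL_DNS.get(alias)
    if addr is None:
        problems.append("no external DNS record")
    elif addr != SYSTEM_IP:
        problems.append(f"resolves to {addr}, not the system address {SYSTEM_IP}")
    if not wildcard_matches(WILDCARD_CERT_NAME, alias):
        problems.append(f"not covered by {WILDCARD_CERT_NAME}; browsers will warn")
    return problems


def check_aliases(aliases) -> dict:
    """Map each alias to its problem list."""
    return {alias: check_alias(alias) for alias in aliases}


if __name__ == "__main__":
    for alias, problems in check_aliases(EXTERNAL_DNS).items():
        print(alias, "OK" if not problems else "; ".join(problems))
```

Run against the constructed zone, only appserver.yourcompany.com (and the system hostname itself) pass; the nested alias and the foreign-domain alias are flagged for certificate coverage, and the alias pointing at 198.51.100.7 is flagged because requests for it would never reach the system.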
Just as with the Content Intermediation Engine, the passthrough proxy option offers increased security relative to the Secure Application Manager, because when it is enabled for an application, the system allows the client to send only Layer 7 traffic directed to fixed application ports into the enterprise network. Use this option to enable the system to support applications with components that are incompatible with the Content Intermediation Engine, such as Java applets in Oracle E-Business Suite applications or applets that run in an unsupported Java Virtual Machine (JVM).
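The security property described above (and the two listener modes) comes down to how the proxy chooses a backend: from the listening port in port mode, or from the Host header or SNI name in virtual hostname mode, always from a fixed table, and only for well-formed HTTP. The model below is an added example, not Ivanti code: it parses an HTTP/1.x request head and dispatches it against hypothetical port-mode and hostname-mode tables, rejecting anything that is not HTTP (a client making a raw socket connection), a CONNECT tunnel request, or a name or port with no configured application. The listening port for hostname mode is assumed to be the sign-in port, 443.

```python
"""Toy model of passthrough proxy dispatch (added example, not Ivanti code).

Shows why the proxy only lets Layer 7 traffic to fixed application ports
through: the backend is chosen from a static table keyed by listening port
(port mode) or by Host header / SNI (virtual hostname mode), and a request
that does not parse as HTTP or maps to nothing is dropped at the proxy.
Configuration below is hypothetical.
"""

# Port mode: system listening port -> (application server, fixed backend port).
PORT_MODE = {
    11000: ("erp-app01.corp.example", 8000),
    11001: ("hr-app01.corp.example", 8080),
}
# Virtual hostname mode: alias -> (application server, fixed backend port).
HOST_MODE = {
    "appserver.yourcompany.com": ("erp-app01.corp.example", 8000),
    "hr.yourcompany.com": ("hr-app01.corp.example", 8080),
}
SIGN_IN_PORT = 443   # assumed: aliases arrive on the normal HTTPS port


class Rejected(Exception):
    """Raised when the proxy will not forward the request anywhere."""


def parse_request_head(data: bytes):
    """Parse an HTTP/1.x request head into (method, target, headers).

    Anything that is not well-formed HTTP raises Rejected; this is the point
    at which a client speaking a raw socket protocol is stopped."""
    try:
        head, _, _ = data.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        raise Rejected("not an HTTP request head")
    if not version.startswith("HTTP/1."):
        raise Rejected("unsupported protocol version")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise Rejected("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def select_backend(listen_port: int, data: bytes, sni: str = ""):
    """Return (host, port) the request is forwarded to, or raise Rejected."""
    method, target, headers = parse_request_head(data)
    if method == "CONNECT" or not target.startswith("/"):
        # A reverse proxy serves origin-form requests for its own
        # applications; it is not a forward proxy or a TCP tunnel.
        raise Rejected("tunnel and absolute-form requests are not accepted")
    if listen_port in PORT_MODE:
        return PORT_MODE[listen_port]          # port mode ignores Host
    if listen_port == SIGN_IN_PORT:
        name = (sni or headers.get("host", "")).split(":")[0].lower()
        if name in HOST_MODE:
            return HOST_MODE[name]
        raise Rejected(f"no passthrough application for host {name!r}")
    raise Rejected(f"nothing is configured on port {listen_port}")


def dispatch(listen_port: int, data: bytes, sni: str = ""):
    """Decision for one client request: ("forward", host, port) or ("reject", why)."""
    try:
        host, port = select_backend(listen_port, data, sni)
    except Rejected as why:
        return ("reject", str(why))
    return ("forward", host, port)


if __name__ == "__main__":
    # Constructed sample traffic.
    erp = b"GET /OA_HTML/AppsLogin HTTP/1.1\r\nHost: appserver.yourcompany.com\r\n\r\n"
    print(dispatch(443, erp))                  # hostname mode
    print(dispatch(11001, erp))                # port mode, Host ignored
    print(dispatch(443, b"\x16\x03\x01\x00\xa5\x01\x00"))   # raw bytes
    print(dispatch(443, b"CONNECT erp-app01.corp.example:22 HTTP/1.1\r\n"
                        b"Host: erp-app01.corp.example:22\r\n\r\n"))
```

The contrast with the Secure Application Manager is visible in the last two calls: a client cannot hand the proxy arbitrary bytes for an internal host, and even a well-formed HTTP request can only reach the host and port already bound to the listener or alias it arrived on.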
- Passthrough proxy URLs must be bare hostnames; a hostname followed by a path is not supported.
- Ivanti strongly recommends that you not mix passthrough proxy Port mode and passthrough proxy Host mode.
- The passthrough proxy option works only for applications that listen on fixed ports and where the client does not make direct socket connections.
- To use passthrough proxy with Oracle E-Business applications, you must install a certificate from a certificate authority that clients trust (rather than the default self-signed certificate) on the system, and you must configure Oracle Forms to use the Forms Listener Servlet mode.
- The following advanced features of the framed toolbar are not available in passthrough proxy: bookmark current page, display the original URL, display the favorite bookmarks.