Reverse proxy implementation question - disable portal page?

  • Question

  • Hi all,

    I want to deploy a reverse proxy in front of my company's IIS web servers. I keep hearing that Forefront is a good solution for this, but so far have found the documentation for achieving this a little vague. I started with TMG 2010 but read that TMG is more suited to protecting an internal network as well as securing outbound access, and that UAG 2010 was a better fit. If this factors into my question, please feel free to point that out!

    So I'm using UAG right now. The main issue I need help with is that while I've successfully set up a portal trunk and an "other web" application, no matter what I do the URL brings me to a portal page - "Application and Network Access Portal" that is doing some sort of endpoint/compliance checking or "Installation and Detection" which for the most part doesn't even work. I've tried to turn this off (remove portal application, uncheck the portal page in the application and trunk, etc) but there doesn't seem to be a way to get this page to go away. I've tried both an application with application-specific hostname and a portal hostname with no portal link. Nothing seems to do away with the UAG landing pages.

    My goal is to have a reverse proxy that is not apparent to the end user. I get the feeling that UAG is more geared to providing VPN-like access rather than a simple reverse proxy. If I'm using the wrong product or going about it the wrong way, please point me in the right direction.

    Thanks in advance for your help!

    Wednesday, June 8, 2011 11:38 AM

Answers

  • Hi Amigo. You are right that UAG is mainly aimed to be a VPNSSL portal, but what you want to do can also be done.

    1) To prevent the endpoint detection checking, go to "Configure trunk settings" in the Trunk Configuration section of the main pane. Then, in the Session tab, mark the option "Disable component installation and activation".

    2) To launch your web application instead of the portal, in the section Initial Internal Application of the main pane, change the "Portal Home Page" from "Portal" to your application.

    3) An alternative to point 2) is to publish your application with an "application specific" hostname. This way, the name of the portal will be "portal.domain.com" but the published application will be "application.domain.com". Register both names (portal and application) in DNS with the same IP, and when the user navigates to application.domain.com he will not see the "portal" but the published application instead (if using authentication, the initial form will be the same as in the portal).

    Hope it helps


    // Raúl - I love this game
    • Marked as answer by BML42 Thursday, June 9, 2011 12:32 PM
    Wednesday, June 8, 2011 4:09 PM

All replies

  • The checkbox in 1) above is what I was looking for. Kind of frustrating that it wasn't more obvious but I'm thrilled to finally get rid of that portal! I did try 2 and 3 and didn't have any luck. Maybe I was doing something wrong, but the server either wouldn't answer my http request or it would bring up the portal page anyway.

    Thanks for the help!

    Thursday, June 9, 2011 12:32 PM
  • You're welcome :)

    Second one should work straightforward. The third one requires some additional steps, like issuing a SAN certificate (if the portal is secured), registering the application name in DNS, and maybe reviewing host headers in the internal web server.

    Regards


    // Raúl - I love this game
    Tuesday, June 14, 2011 4:51 PM
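
The last reply lists two prerequisites for the application-specific hostname option that can be checked from a client: the certificate must carry SAN entries for both names, and both names must resolve to the same IP. The following is an added example, not part of the original thread or of UAG; the function names are hypothetical, and the hostnames and addresses are the thread's placeholders plus constructed sample data.

```python
import socket
import ssl

def san_matches(hostname, san):
    """True if one SAN dNSName entry covers hostname (wildcard = left-most label only)."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # "*.domain.com" covers application.domain.com but not a.b.domain.com or domain.com
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]

def fetch_sans(host, port=443):
    """Live check: DNS names in the SAN extension of the certificate served for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            entries = tls.getpeercert().get("subjectAltName", ())
    return [value for kind, value in entries if kind == "DNS"]

def resolve(hostname):
    """Live check: set of IPv4 addresses the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)}

def check_publishing(portal, app, san_list, resolver=resolve):
    """Return a list of problems; an empty list means both prerequisites hold."""
    problems = []
    for name in (portal, app):
        if not any(san_matches(name, s) for s in san_list):
            problems.append(f"certificate has no SAN entry covering {name}")
    try:
        portal_ips, app_ips = resolver(portal), resolver(app)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        problems.append(f"DNS lookup failed: {exc}")
        return problems
    if portal_ips != app_ips:
        problems.append(f"{portal} -> {sorted(portal_ips)} but {app} -> {sorted(app_ips)}")
    return problems

if __name__ == "__main__":
    # Constructed sample data (192.0.2.0/24 is a documentation range); for a live
    # run use check_publishing(portal, app, fetch_sans(portal)) instead.
    sample_sans = ["portal.domain.com"]
    sample_dns = {"portal.domain.com": {"192.0.2.10"},
                  "application.domain.com": {"192.0.2.10"}}
    for problem in check_publishing("portal.domain.com", "application.domain.com",
                                    sample_sans, sample_dns.__getitem__):
        print("FAIL:", problem)
```

A hostname mismatch during `fetch_sans` surfaces as an `ssl.SSLCertVerificationError`, which is itself a sign that the served certificate does not cover the name being requested.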