Let the Appliance Listen to Requests Redirected by DNS
When requests under the HTTPS protocol are redirected to an appliance according to DNS entries, you can configure the proxy on the appliance to listen directly on the appropriate port. You also need to ensure that only SSL-secured connections are served.
Before you begin
If you want to configure the proxy in this way, make sure of the following:
- The host names of the requested web servers are not resolved to the appliance when the appliance does a DNS lookup.
You can achieve this by entering the IP addresses of the web servers into the /etc/hosts file on the appliance or by using an appropriately configured internal DNS server. - A rule set that handles content inspection is implemented on the appliance and enabled.
A suitable rule set is provided in the default rule set system as nested rule set of the SSL Scanner rule set.
When using DNS entries, a port redirect rule cannot be applied because the purpose of such a rule is forwarding requests for other destinations to the appliance. However, due to the DNS entries, the appliance is already the destination.
You also need to ensure that only SSL-secured connections are served.
- Select Configuration | Appliances.
- On the appliances tree, select an appliance for listening to requests and click Proxies (HTTP(S), FTP, ICAP, and IM).
- Under HTTP proxy port, make sure Enable HTTP proxy is selected and click Add.
The Add HTTP Proxy Port window opens. - Configure the following settings for a new HTTP proxy port:
- Listener address — 0.0.0.0:443
This setting lets the appliance listen to requests for any web servers, regardless of their IP addresses. You can also specify a particular IP address here and restrict the appliance to listening for requests to the server in question.
If you are running several network interface cards on your appliance, you can specify IP addresses (separated by commas) for as many web servers as there are network interface cards.
- Serve transparent SSL connections — Selected
- Ports treated as SSL — *
- Listener address — 0.0.0.0:443
- Leave the other settings at their default values and click OK.
The window closes and the new proxy port appears on the list.
If a web server should also be accessible under the HTTPS protocol, you need to add another HTTP proxy port with listener address 0.0.0.0:80 or the address of a particular web server.
- Click Save Changes.