In Reverse Proxy mode, the proxy directs incoming requests from other servers to the client without providing the origin details. To set up a reverse proxy using the Barracuda CloudGen Firewall, configure the listening port and reverse proxy settings.
Before You Begin
Verify that you activated the HTTP Proxy service in reverse proxy mode. For instructions, see How to Set Up and Configure the HTTP Proxy.
Configure the Listening Port
In the settings for the HTTP Proxy, use TCP listening port 80.
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > HTTP Proxy Settings.
In the left menu, select IP Configuration.
Click Lock.
In the TCP Listening Port field, enter
80
. Verify that you have port 80 available for your reverse proxy.When you change the listening port, you must also change the port used in the host firewall rule OP-SRV-PX. By default, the rule uses TCP 3128. If you want to use HTTP, change TCP 3128 to HTTP. If you want to use HTTP and HTTPS, change TCP 3128 to HTTP+S. For more information on configuring Host Firewall rules, see Host Firewall.
Click Send Changes and Activate.
Configure Reverse Proxy Settings
To configure the reverse proxy settings:
Go to CONFIGURATION > Configuration Tree > Box > Assigned Services > HTTP Proxy > HTTP Proxy Settings.
In the left menu, select Reverse Proxy Settings.
Click Lock.
Specify your Reverse Proxy Settings. For more information on these settings, see the following Reverse Proxy Settings section.
Click Send Changes and Activate.
Reverse Proxy Settings
The following table provides more detailed descriptions of the Reverse Proxy Settings:
Setting | Description |
---|---|
Backend Web Site | Enter the IP address of the internal web server behind the reverse proxy. If there is no host header, enter your primary domain (for example, |
ACL Mode | Select the ACL mode:
|
Use TLS | Select yes from the Use TLS list to provide HTTPS and HTTP support for the reverse proxy. Import your certificate and key by clicking Ex/Import for TLS Certificate and TLS Private Key. Switch to Advanced View and click on TLS Settings in the left menu to configure SSL cipher settings. When set to Disallow Weak Ciphers (default), the following cipher string is used: !aNULL:ALL:!EXPORT:!LOW:!MEDIUM:!RC2:!3DES:!DSS:!SEED:!RC4:!PSK:@STRENGTH |
TLS Listening port | The SSL listening port (default: 443). |
TLS Certificate | When using TLS, import a certificate to secure the connection. This should be the certificate of the backend website. |
TLS Private Key Type | Select the type of private key that belongs to the certificate.
|
TLS Version for Backend | Select the SSL or TLS version to be used for the backend. To let the proxy determine the version, select Auto. |
Custom Cipher String for Backend | Enter a custom colon-separated string of ciphers. This setting is only valid for reverse proxy mode. |
Front-End HTTPS Header | Set to On to enable the front-end HTTPS header. Set to Auto to add this header if the forwarded request is using HTTPS. The front-end HTTPS header is required when using the reverse proxy for SSL offloading in front of Microsoft OWA. |
MS Authentication Forwarding | Microsoft connection-oriented authentication forwarding (NTLM, Negotiate, and Kerberos) |
Backend IP Addresses | In this table, add the IP addresses of your backend servers. You must add the IP address of at least one backend server. |
Round Robin | Unless you want to use domain or URL-based mapping, you can enable round-robin load balancing between multiple backend servers by selecting yes from the Round Robin list. |
Pass Login to Backend | Set to Yes if you want the proxy to pass on all authentication headers to the backend servers. |
Additional Backend Domains | In this table, you can add additional domains for domain-based virtual hosts. |
Domain to Backend Mapping | To map either a domain or a specific URL to a backend server, click +, enter a descriptive name for the map (for example,
|