Barracuda SSL VPN

What is a Web Forward and how can I configure one on my Barracuda SSL VPN?

  • Type: Knowledgebase
  • Date changed: 8 years ago

Solution #00003716

Scope:
This solution applies to all Barracuda SSL VPNs, all firmware versions.

Answer:

A web forward is a resource that points to a URL via the Barracuda SSL VPN. There are four different web forward types, each with implementation-specific benefits and drawbacks. These four can be explained as follows:

 

Tunneled proxy: A tunneled proxy uses the SSL VPN Agent to open a tunnel from the local client to the destination web URL. This type of forward does not modify the data stream, but it only works as long as all links stay on the same destination host (external links will jump out of the tunnel).

 

Strengths: A simple point-to-point tunnel; the SSL VPN does not interact in any way with the source code.

 

Weaknesses: Requires the Agent to run. Some sites check their request headers and may not like the localhost requests they see. If a link goes offsite, it is no longer in the tunnel and may not work.

 

Host file redirect: The hosts file redirect option uses an additional executable which, when launched, writes temporary changes to the client system's hosts file so that web sites can be accessed through localhost. At present, the hosts file tunneled proxy only supports Windows XP, Vista and Windows 7.

 

Strengths: Gets around problems with some tunneled sites which either require the host header for the server host to be correct, or perform a redirect to a hostname when you log on. The hosts file redirect makes sure the requested hostname resolves to localhost for the duration of the web forward session, so the data is pushed down the tunnel.

 

Weaknesses: Requires the SSL VPN Agent. The user logged onto the local client machine needs write permission to the computer’s hosts file. Windows only.

 

Proxy: The proxy option will prompt the SSL VPN Agent to download a PAC file and inject proxy settings into the browser to use this file. This will cause the browser to use a proxy for the URL of the web forward only (all other system behavior will remain unaffected).

 

Strengths: Performs no replacements on the source, instead just pipes everything through a tunnel to a local squid proxy running on the SSL VPN and injects a proxy.pac into the browser. Should be very compatible if the proxy.pac injection works. If you define extra hosts, then any external links from a web site should work perfectly.

 

Weaknesses: Requires the SSL VPN Agent to run. The proxy.pac insertion may not always work, depending on local security policy settings.
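As an added illustration (not the file the SSL VPN Agent generates), a PAC file with the scoping described above could look like this. The hostnames and the local listener address are constructed placeholders, and `routeReport` is a hypothetical helper for checking the file offline under Node.js.

```javascript
// Constructed values: the real agent chooses its own hosts and port.
const TUNNEL_PROXY = "PROXY 127.0.0.1:18080"; // hypothetical local tunnel listener
const FORWARD_HOSTS = [
  "intranet.example.com", // host of the web forward's destination URL
  "static.example.com",   // an "extra host" that the site links to
];

// Exact, case-insensitive comparison. A substring or suffix test would also
// send look-alike names such as intranet.example.com.other.test into the tunnel.
function isForwardHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  return FORWARD_HOSTS.includes(h);
}

// Standard PAC entry point: the browser calls this for every request.
function FindProxyForURL(url, host) {
  if (isForwardHost(host)) {
    return TUNNEL_PROXY; // web forward traffic goes through the tunnel
  }
  return "DIRECT";       // all other traffic is unaffected
}

// Offline check: show which of a page's links would leave the tunnel.
function routeReport(urls) {
  const report = {};
  for (const u of urls) {
    report[u] = FindProxyForURL(u, new URL(u).hostname);
  }
  return report;
}
```

Running `routeReport` over the links found on the target site shows which hosts still need to be defined as extra hosts.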

 

Path-based reverse proxy: Generally the best proxy type to use, if possible. A path-based reverse proxy web forward only works for web sites that exist solely in sub-directories of the root of a web server. This type of forward does not modify the data stream. The proxy works by matching unique paths in the request URI with the configured web forwards. For example, if you have a web site that is accessible from the URL http://example.com/blog you can configure the reverse proxy web forward with a  path of /blog so that all requests to the SSL VPN server URL https://sslvpn/blog are proxied to the destination site. This type of proxy will only be suitable if you know the paths used by the web application. If your web site runs on the root of the web server, i.e. http://example.com, there are no defined paths to proxy so another method will have to be used.

 

Strengths: This is one of the most compatible reverse proxy types, as it doesn’t do any replacements in the source code.

 

Weaknesses: Only one web forward with the same path may be launched at any one time.

 

Host-based reverse proxy: A host-based reverse proxy works in a similar way to a path-based reverse proxy, but is not restricted to subdirectories. However, the host must resolve properly via DNS. That is, if you define a host header of myserver.example.com, this host must resolve to the same IP address as the SSL VPN server. Then, rather than checking all paths in incoming HTTPS requests, the server will also check the host requested in the host headers and match it to a corresponding web forward this way.


Strengths: Has the potential to be the most compatible of all web forward types. The only notable exception is where the target server requires the host headers to contain the correct server hostname.

 

Weaknesses: Requires external DNS settings to be configured for each host header used.
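The matching rules for path-based and host-based reverse proxies can be sketched as follows. This is an added example, not Barracuda's implementation: the `addForward` and `route` functions, the order of the checks, and the addresses are assumptions made for illustration.

```javascript
// Constructed configuration; hostnames, paths and addresses are placeholders.
const forwards = [];

// Register a web forward, enforcing the two path-based limits from the text.
function addForward(f) {
  if (f.type === "path") {
    if (!/^\/[^/]/.test(f.path)) {
      throw new Error("path-based forward needs a sub-directory such as /blog");
    }
    if (forwards.some((x) => x.type === "path" && x.path === f.path)) {
      throw new Error("path already in use by another web forward: " + f.path);
    }
  }
  forwards.push(f);
}

// Return the upstream URL for a request, or null if no web forward matches.
function route(hostHeader, requestTarget) {
  if (!requestTarget.startsWith("/") || requestTarget.startsWith("//")) return null;
  // Resolve "." and ".." first so /blog/../admin cannot match /blog.
  const u = new URL(requestTarget, "http://placeholder.invalid");
  const host = hostHeader.toLowerCase().replace(/:\d+$/, ""); // drop the port
  const hit =
    forwards.find((f) => f.type === "host" && f.host === host) ||
    forwards.find((f) => f.type === "path" &&
      // Match on a segment boundary: /blog and /blog/x, but not /blogger.
      (u.pathname === f.path || u.pathname.startsWith(f.path + "/")));
  // The path is passed through unchanged, so page links need no rewriting.
  return hit ? hit.target + u.pathname + u.search : null;
}

addForward({ type: "path", path: "/blog", target: "http://example.com" });
addForward({ type: "host", host: "myserver.example.com", target: "http://10.0.0.5" });
```

A request that matches neither a configured path nor a configured host returns `null`, which is the case where another web forward type has to be used.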

 

Replacement proxy: A replacement proxy is generally used if any of the above web forward types cannot be used. This proxy type attempts to find all links in the web site code and replace them with links pointing back to the SSL VPN server. Due to the number of ways it is possible to create links (in many different languages), this proxy type is not always successful. However, it is possible to create custom replacement values to get a web site working via a replacement proxy web forward.

 

Direct URL: The direct URL web forward is unlike other web forward types in that it does not send any information through the SSL VPN. Instead, the web forward goes directly to the URL and loads the site. The primary purpose of the direct URL is to provide a direct link to sites that may be of use to users but do not require the encryption and security.

 

Strengths: Handy if you need to provide links in the SSL VPN that point to publicly addressable sites. It performs no work in the SSL VPN itself; the browser connects directly to the target.

 

Weaknesses: Will not proxy any internal web sites.

 

To create a web forward, follow the steps below:

  1. Switch to the user database for which this web forward is intended by selecting the correct user database from the drop-down menu in the upper right hand corner.
  2. Navigate to Resources > Web Forwards.
  3. Provide a Name and a Destination URL. You can also use replacement variables here by clicking on the ${} to the left of the Destination URL field. 
  4. Add the desired policies to the Selected Policies column by selecting the policy and clicking the Add > button. 
  5. Once you have finished, click the Add button.


Link to This Page:
https://campus.barracuda.com/solution/50160000000HTrJAAW