Proxy Rule configuration

A Proxy Rule defines what happens when a client requests resources on a specific path.

Property Description

Name

The path identifier name that this rule is for. This name is used as a unique, friendly listener name in the logs. It may also be used as the name of a specific log file in trace logging features (see Lync module for more information).

Path

The path that this rule is valid for.

Exact Path

Indicates if the incoming path has to be exact to match. If disabled, then the path of a request is only required to start with the configured path.

Default: disabled

Query

The query that this rule is valid for.

Exact Query

Indicates if the incoming query has to be exact to match. If disabled, then the query of a request is only required to start with the configured query.

Default: disabled

Certificate Authentication is Enabled

Indicates whether the client may use certificate authentication or not.

Default: disabled

Use Cookie

Indicates whether the cookie should be used or not. If disabled, then this rule ignores the listener’s cookie configuration.

Default: enabled

HTTP Host Header

The value that is set in the HTTP header field "Host" in the request to the back-end server. Check From Request to use the same value as given by the request. If the value is empty, then the host address is used.

Default: From Request

Add port to Host header

Adds the port number to the HTTP header "Host" sent to the back-end if the header does not already contain a port.

Default: disabled

Back-end Server URL

The URL to the back-end server. May be empty or not used, depending on the configured modules (see Resource module and Redirect module).

Any trailing part of the request path that did not match the path of this rule is appended to this URL. However, the trailing "/" of the client request determines whether the request to the back-end server ends with a "/" or not, independent of the configured back-end server URL. The following table provides examples of the described cases.

Client Request    Rule Path    Back-end URL    Request to the back-end
host/my/path      /my          behost          behost/path
host/my           /my          behost/my/      behost/my
host/my/          /my          behost/my       behost/my/

If the rule uses a server farm and the server farm is configured with "Hosts", replace the host part of the Back-end Server URL with the text serverfarm. During a request, the text serverfarm is replaced by the back-end server received from the Server Farm.

Server Farm

The back-end Server URL can be configured as a "set" of servers for load balancing and redundancy purposes. Server Farms can be configured in the "General" section, see Server Farms for load balancing.

Connection Timeout

The time in seconds that the rule should wait for the back-end server to respond.

Default: 120

Session Timeout

The time in seconds that the rule allows for a read/write operation to finish.

Default: 3600

Module Configuration Names

The names of the module configurations to be used if this rule is applied. Click Add to add modules.

Module ID

The identifier of the module type that the selected configuration is for.

Name

The name of the selected module configuration.

Update Proxy Forward Header

Updates the X-Forwarded-For header. Syntax: X-Forwarded-For: client, proxy1, proxy2, … If the header does not exist, it is added with this server as the first entry.

Update Proxy Forward Host Header

Updates the X-Forwarded-Host header. Syntax: X-Forwarded-Host: [Host]. If the header does not exist, it is added with this server as the first entry.
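The Path, Exact Path and Back-end Server URL properties above, worked through as an added Python example (not code from the product): it reproduces the three rows of the table and lists which rules cover a given path when rule sets are reviewed for overlap. ProxyRule, matches, backend_request and rules_covering are hypothetical names, matching is assumed to be a literal string comparison on the path only, and the sample rules are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProxyRule:  # hypothetical model of one rule, not a product type
    name: str
    path: str
    backend_url: str
    exact_path: bool = False  # documented default: disabled


def matches(rule: ProxyRule, request_path: str) -> bool:
    """Exact Path enabled: equality. Disabled: the request only has to start with the path."""
    if rule.exact_path:
        return request_path == rule.path
    # Assumption: "start with" is a literal prefix test, so "/my" also covers "/my-other".
    return request_path.startswith(rule.path)


def backend_request(rule: ProxyRule, request_path: str) -> Optional[str]:
    """Return the URL requested from the back-end, or None if the rule does not apply."""
    if not matches(rule, request_path):
        return None
    trailing = request_path[len(rule.path):].strip("/")  # unmatched remainder
    url = rule.backend_url.rstrip("/")
    if trailing:
        url += "/" + trailing
    # The client's trailing "/" decides, not the configured back-end URL.
    return url + "/" if request_path.endswith("/") else url


def rules_covering(rules: List[ProxyRule], request_path: str) -> List[str]:
    """Names of every rule that matches a path, for reviewing overlapping rules."""
    return [r.name for r in rules if matches(r, request_path)]


# Constructed sample rules mirroring the three table rows, plus one Exact Path rule.
ROW1 = ProxyRule("row1", "/my", "behost")
ROW2 = ProxyRule("row2", "/my", "behost/my/")
ROW3 = ProxyRule("row3", "/my", "behost/my")
STRICT = ProxyRule("strict", "/my", "behost", exact_path=True)

if __name__ == "__main__":
    for rule, path in [(ROW1, "/my/path"), (ROW2, "/my"), (ROW3, "/my/")]:
        print(path, "->", backend_request(rule, path))
    print(rules_covering([ROW1, STRICT], "/my-other"))
```

With Exact Path disabled, a rule's modules and validation settings apply to every path that shares the configured prefix, which is worth checking when a narrower rule with stricter settings exists for a sibling path.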

Authentication Validation

Reject all unauthenticated requests.

Property Description

Reject unauthenticated requests

If no module has authenticated this request, reject the request with the following error code sent to the client.

Default: Unchecked

HTTP Code

The HTTP code sent in the response to the client.

Default: 403 - Forbidden

Message

The message set in the response body.

Authorization Validation

Reject all unauthorized requests.

Property Description

Reject unauthorized requests

If no module has authorized this request, reject the request with the following error code sent to the client.

Default: Unchecked

HTTP Code

The HTTP code sent in the response to the client.

Default: 403 - Forbidden

Message

The message set in the response body.

Access Control

Reject all users not matched by access control.

Property Description

Enabled

Enable or disable Access Control.

Access Control Polices

List of policies to match with user attribute values.

User Attribute

The user attribute name; its value is matched against Pattern.

Pattern

The pattern value to be matched with user attribute value.

Examples: * (allow all)

Examples: *@domain.net (allow values ending with domain.net)

Examples: user* (allow values starting with user)

Examples: user@domain.net (match exact values)
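The Pattern examples above, evaluated in an added Python example (not code from the product) that also flags allow-all policies during a configuration review. It assumes "*" is the only wildcard, that matching is case-sensitive and covers the whole value, and that a user is accepted when any one policy matches; the function names and sample values are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

Policy = Tuple[str, str]  # (user attribute name, pattern); hypothetical representation


def value_matches(pattern: str, value: str) -> bool:
    """Match a whole value against a pattern in which only '*' is a wildcard."""
    # Every other character, including '.', is escaped and taken literally.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None


def is_allowed(policies: List[Policy], user: Dict[str, str]) -> bool:
    """Assumption: any matching policy allows; a missing attribute never matches."""
    for attribute, pattern in policies:
        value = user.get(attribute)
        if value is not None and value_matches(pattern, value):
            return True
    return False


def allow_all_policies(policies: List[Policy]) -> List[Policy]:
    """Policies whose pattern consists only of '*', which admit every attribute value."""
    return [(a, p) for a, p in policies if p and set(p) == {"*"}]


# Constructed sample policy list and users.
POLICIES: List[Policy] = [("mail", "*@domain.net")]

if __name__ == "__main__":
    for mail in ("john.doe@domain.net", "john.doe@domain.net.example"):
        print(mail, is_allowed(POLICIES, {"mail": mail}))
    # A prefix pattern does not constrain the domain part of the value.
    print(value_matches("user*", "user1@other.example"))
    print(allow_all_policies([("mail", "*"), ("mail", "*@domain.net")]))
```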

Environment Variables

A set of dynamic values that can be used for various tasks, such as content rewrite or header creation.

Pre-defined variables with example content:

LOCAL_IDENTITY: NT AUTHORITY\NETWORK SERVICE

REQUEST_ADDR: 192.168.1.1

REQUEST_PORT: 5095

REQUEST_TYPE: GET

REQUEST_HOST: onehost.ps.net

REQUEST_IDENTITY:

CONFIG_VERSION: 7.2.0.0

CONFIG_REVISION: 1123

GATEWAY_IDENTITY: 234dc148-9277-47d1-bb75-649882a5b84e

Dynamic variables from PSID AD attributes with example content:

userprincipalname: john.doe@company.com

mail: john.doe@company.com

samaccountname: john

Property Description

Enable Environment Variables

Enable or Disable usage.

Variables from user Attributes

Create custom Variables from AD attributes.

Debug all Variables

Debug log will list all pre-defined variables and custom AD attributes.

Start Token

Start character(s) used to find a Variable in a pattern.

Examples: {CONFIG_VERSION}:{CONFIG_REVISION}

End Token

End character(s) used to find a Variable in a pattern.

Back-end connection configuration

Connection to back-end Server before proxy.

Property Description

Back-end Connection Type

HttpClient - Use .NET HttpClient API.

TcpClient - Use .NET TcpClient API.

HttpWebRequest - Use .NET HttpWebRequest API.

Back-end, Use Keep-Alive on Client Close

Send Connection: Keep-Alive header to back-end if client sends Connection: Close.

Enable Connection Pool

Enable or Disable back-end connection pool.

Key: Client IP Address

Use Client IP Address as a part of back-end connection pool key.

Key: Client Port

Use Client Port as a part of back-end connection pool key.

Key: Listener Rule Name

Use Listener Rule Name as a part of back-end connection pool key.