Force Clients to Use HTTPS Seamlessly


Forum Sentry is often used as a reverse proxy / gateway for HTML web sites and portals. Sentry administrators might want to force clients (e.g. web browsers or mobile apps) to use HTTPS, without having any errors returned if the clients use HTTP.

 

This How To guide details a method of seamlessly enforcing that SSL is used by your clients, without the client receiving any errors when they use HTTP.

Attached is a Sentry HTML Policy (fsg file) that demonstrates this use case setup, which is outlined below.

Notes on FSG file: The import password is password. The FSG import will create 3 listener policies using ports 88, 8088, and 4443. It is recommended to back up your existing Sentry configuration prior to importing this FSG.

Use Case Setup:


1.  Create 3 network listener policies:

    a. "HTTP_Outside" using HTTP on port 88
    b. "HTTP_Inside" using HTTP on port 8088
    c. "HTTPS_Listener" using HTTPS on port 4443


2. Create 2 network remote policies:

    a. "HTTP_Loopback" using HTTP pointing to the "HTTP_Inside" policy on port 8088 (IMPORTANT - response processing needs to be turned ON)
    b. HTTPS policy pointing to www.forumsys.com on port 443 (specify an SSL Initiation policy without any mutual authentication). You can use any web site your Sentry instance has access to.

3. Create a redirect policy:

    a. enable the redirect on "No Credentials"
    b. you can enter whatever you want in the URL field as this value will be overwritten with a task list.
    c. do not enable any other options.

4. Create 1 HTML policy with 3 virtual directories:

    a. "HTTP Outside"
           
            1. associate listener on port 88
            2. set virtual directory to /
            3. set remote path to /
            4. set the remote policy to the "HTTP_Loopback" policy (pointing to the listener on port 8088)

    b. "HTTP Inside"
            1. associate listener on port 8088
            2. set virtual directory to /
            3. disable the 'send to remote server' option (this will be a "service mode" policy)

    c. "HTTPS"
            1. associate the HTTPS listener on port 4443
            2. set the virtual directory to /
            3. set the remote path to /
            4. set the remote policy to the back-end HTTPS remote policy (e.g. www.forumsys.com)
            

5. Associate the redirect policy created in step 3 to the "HTTP Inside" virtual directory.
 

6. Create 2 Task Lists and then associate each task list to its own Task List Group:

    a. Task List 1 "Map From First Request"

            1. Map Attributes and Headers (per screen shot below)

            [Screenshot: tasklist1.JPG]
               

    b. Task List 2 "Map Into Location Header of Redirect"
               
            1. Identify Document (as shown below)

            [Screenshot: tasklist2_a.JPG]

            2. Map Attributes and Headers (as shown below)

            [Screenshot: tasklist2_b.JPG]

7. Associate the Task List Groups to the "HTTP Outside" virtual directory.

    a. Set the "Map Host and Path From First Request" as the Request Task List Group.
    b. Set the "Map Into Location Header of Redirect" as the Response Task List Group.


8. Test the policy by accessing the following URL in a web browser.
Be sure to replace the IP with your Sentry listener IP and be sure to enter HTTP as the protocol (notice after the transaction the protocol is switched to HTTPS):
http://sentry_listener_IP:88/
Your browser address bar should show the following URL after a successful connection:
https://sentry_listener_IP:4443/
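
A scripted version of the step 8 check, as an added example that is not part of the original article or of Forum Sentry: it sends one plain-HTTP request to the port 88 listener without following the redirect and validates the Location header. The function names, the accepted redirect status codes, and the expectation that the request path is carried over into the Location header are assumptions; the ports are the ones used in this guide.

```python
import http.client
from urllib.parse import urlsplit

# Assumption: the article does not say which redirect status Sentry returns.
REDIRECT_CODES = {301, 302, 303, 307, 308}

def check_redirect(status, location, req_host, req_path, https_port=4443):
    """Return a list of problems with the response; an empty list means it looks right."""
    problems = []
    if status not in REDIRECT_CODES:
        problems.append(f"expected a redirect status, got {status}")
    if not location:
        return problems + ["no Location header"]
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    # The host is mapped from the first request, so it should come back unchanged.
    if (target.hostname or "").lower() != req_host.lower():
        problems.append(f"Location host {target.hostname!r} differs from {req_host!r}")
    if (target.port or 443) != https_port:
        problems.append(f"Location port is {target.port}, expected {https_port}")
    got_path = target.path or "/"
    if target.query:
        got_path += "?" + target.query
    # Assumption: the path (and query) of the first request is preserved.
    if got_path != req_path:
        problems.append(f"Location path {got_path!r} differs from {req_path!r}")
    return problems

def probe(listener_host, path="/", http_port=88, https_port=4443, timeout=5):
    """Send one GET over plain HTTP (redirects are not followed) and validate it."""
    conn = http.client.HTTPConnection(listener_host, http_port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_redirect(resp.status, resp.getheader("Location"),
                              listener_host, path, https_port)
    finally:
        conn.close()

if __name__ == "__main__":
    import sys
    # Usage: python check_https_redirect.py <sentry_listener_IP> [path]
    issues = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    print("OK" if not issues else "\n".join(issues))
```

Running it against a deeper path as well as / confirms that the redirect does not drop the path the client originally asked for.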
For more information on securing HTML traffic with Sentry see: https://helpdesk.forumsys.com/entries/81693056-How-To-Passing-Web-Browser-Traffic-through-Forum-Sentry