347 views

Public access and Private access


I need some help trying to figure out an issue we are having.
We have a SaaS app that is pointed to the ID server for logging in, e.g.
https://mycompany.box.com. We need to make this available to the public.
I am protecting the ID server with the AG server (link:
http://tinyurl.com/pdwc6mm). If I make the ID server VIP a public IP,
all of our apps that are set up for ID auth are then public and we do not
want them public. So I try to protect box.com with a reverse proxy and we
lose deep links. The AG VIP is NATed, so I point the apps that need to
be public to the public IP and keep internal-only ones pointed at the
local IP. So everything that is behind the reverse proxy is easy to set up.

How are other companies doing this? Is everyone creating a new cluster
just for these apps?

Thank you for your help and time.


--
danvarela
------------------------------------------------------------------------
danvarela's Profile: https://forums.netiq.com/member.php?userid=231
View this thread: https://forums.netiq.com/showthread.php?t=49143

11 Replies

Re: Public access and Private access

danvarela wrote:

>
> I need some help trying to figure out an issue we are having.
> We have a SaaS app that is pointed to the ID server for logging in,
> e.g. https://mycompany.box.com. We need to make this available to the
> public. I am protecting the ID server with the AG server (link:
> http://tinyurl.com/pdwc6mm). If I make the ID server VIP a public IP,
> all of our apps that are set up for ID auth are then public and we do
> not want them public.


How's that? Your other proxies on the AG are not NATed to the internet,
right? Or do you just have a proxy with numerous domain-based and
path-based multi-homing or something?


--
Cheers,
Edward
Re: Public access and Private access


The VIP to the AGs is NATed and we use DNS to point to the public IP
or the private IP. Our issue comes when we have an ID-initiated app
that needs to be public. If we create a reverse proxy for the app, we
lose deep links. If we NAT the ID server VIP, we expose all the
ID-initiated apps to the public. I know split DNS will fix this, but it
is not available at this time. I just wanted to see how others are doing
this, so that A: I can go to the DNS team and tell them they have to set
up split DNS, or B: change the way I have NAM set up. Thank you for your
help.


--
danvarela

Re: Public access and Private access

danvarela wrote:

>
> The VIP to the AGs is NATed and we use DNS to point to the public IP
> or the private IP. Our issue comes when we have an ID-initiated app
> that needs to be public. If we create a reverse proxy for the app, we
> lose deep links. If we NAT the ID server VIP, we expose all the
> ID-initiated apps to the public. I know split DNS will fix this, but
> it is not available at this time. I just wanted to see how others are
> doing this, so that A: I can go to the DNS team and tell them they
> have to set up split DNS, or B: change the way I have NAM set up.
> Thank you for your help.


So how do you currently do your DNS then? You have something hosted
externally on which you enter all your private addresses?

--
Cheers,
Edward
Re: Public access and Private access


The mycompanyag URL has two entries: a 10. address and a public IP
address. So, when I create a new reverse proxy, it is app.mycompany.com.
If I want it public, I point it to the public AG IP address. If I want
it private, I point it to the private 10. AG IP address.


--
danvarela

Re: Public access and Private access

danvarela wrote:

>
> The mycompanyag URL has two entries: a 10. address and a public IP
> address. So, when I create a new reverse proxy, it is
> app.mycompany.com. If I want it public, I point it to the public AG IP
> address. If I want it private, I point it to the private 10. AG IP
> address.


Sorry, maybe I didn't make myself clear with my question. Do you have an
internal DNS server and an external/public DNS server, or does the
external DNS hold all your internal resources as well?

--
Cheers,
Edward
Re: Public access and Private access


One DNS server, external.


--
danvarela

Re: Public access and Private access

danvarela wrote:

>
> One DNS server, external.


Hmm...challenging. What you could try, not sure if this will work, is
to create a "broker". This will create additional overhead though from an
administration point of view and require some additional IP addresses.

The broker would be app.mycompany.com, which resolves to a public IP. On
this app you create an authorization policy that does redirects based on
IP addresses. If the address is in a known internal subnet you redirect to
app.internal.mycompany.com, and if the address doesn't match any known
internal IP you can either do a redirect to app.external.mycompany.com
or just stay on app.mycompany.com. This will require some testing, but
I built something like it in the past in a lab and never put it in
production. It might be worth a shot I guess?

--
Cheers,
Edward
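The source-IP-based redirect described in the reply above, as an added example that is not part of the original thread and not Access Manager's own policy syntax: a small Python model of the broker's decision. The hostnames, the internal subnets, the trusted-proxy range and the X-Forwarded-For handling are assumptions for illustration. The one point worth carrying into a real policy is the last of those: when the broker sits behind a load balancer, the client address arrives in a header that an external client can also set, so the header is only believed when the TCP peer is a known hop.

```python
"""Broker redirect decision for a split public/internal hostname.

Added example, not code from the original thread or from NetIQ Access
Manager. Models the "broker" idea: app.mycompany.com resolves to a public
IP; a policy looks at the client's source address and sends internal
clients to app.internal.mycompany.com and everyone else to
app.external.mycompany.com. Hostnames, subnets and header handling below
are assumptions.
"""
import ipaddress
from typing import Mapping

# Assumed internal ranges; replace with the subnets actually routed inside.
INTERNAL_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed address range of the load balancer / proxy in front of the broker.
# X-Forwarded-For is only honoured when the TCP peer is one of these.
TRUSTED_PROXIES = [ipaddress.ip_network("10.99.0.0/24")]

INTERNAL_TARGET = "https://app.internal.mycompany.com"   # assumed name
EXTERNAL_TARGET = "https://app.external.mycompany.com"   # assumed name


def effective_client_ip(remote_addr: str, headers: Mapping[str, str]):
    """Return the address the decision is made on.

    If the peer is not a trusted proxy, its own address is used and any
    X-Forwarded-For it sent is ignored: otherwise an internet client could
    add "X-Forwarded-For: 10.1.2.3" and be treated as internal. Harmless
    for a redirect, a bypass if the same test ever grants access.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer
    xff = headers.get("X-Forwarded-For", "")
    if not xff:
        return peer
    # The right-most value was appended by our proxy and is the address it
    # saw; anything further left came from the client and is untrusted.
    last_hop = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last_hop)
    except ValueError:
        return peer


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_SUBNETS)


def redirect_target(remote_addr: str, headers: Mapping[str, str], path: str = "/") -> str:
    """Pick the host to redirect to, keeping the requested path so a deep
    link such as /ticket123456 survives the broker hop."""
    addr = effective_client_ip(remote_addr, headers)
    base = INTERNAL_TARGET if is_internal(addr) else EXTERNAL_TARGET
    return base + path


if __name__ == "__main__":
    print(redirect_target("10.1.2.3", {}, "/ticket123456"))
    print(redirect_target("203.0.113.7", {"X-Forwarded-For": "10.1.2.3"}))
```

The decision is deliberately only a choice of hostname: authentication still happens at the target, so a wrong guess about the client's location costs a failed connection, not access.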
Re: Public access and Private access


I can get app.mycompany.com to work with DNS. The issue is the apps
that are not set up as a reverse proxy, because that drops deep links. If
we create a reverse proxy for these apps, we lose deep links. Example:
mycompany.service-now.com. If we go to this link we have no problems with
deep links. If we go to servicenow.mycompany.com as a reverse proxy,
deep links are lost.

Thank you for your time.


--
danvarela

Re: Public access and Private access

danvarela wrote:

>
> I can get app.mycompany.com to work with DNS. The issue is the
> apps that are not set up as a reverse proxy, because that drops deep
> links. If we create a reverse proxy for these apps, we lose deep
> links. Example: mycompany.service-now.com. If we go to this link we
> have no problems with deep links. If we go to
> servicenow.mycompany.com as a reverse proxy, deep links are lost.


Sorry, I'm a bit lost now and read your initial post again. How does the
SaaS app authenticate? You say it's pointing to the IDP for
authentication; does this mean the SaaS app has an ESP or something?

--
Cheers,
Edward
Re: Public access and Private access


Not sure about the ESP terminology. I know it stands for Embedded
Service Provider. In ServiceNow, you are able to enable and disable
SSO and get metadata info from the site.

What I mean by it authing at the IDP is, there is no reverse proxy for
that app. So I only have a setting for it on the Identity Servers. I
go to https://mycompany.service-now.com and I get redirected to the
identity server URL. What I would like to happen is to create a reverse
proxy for ServiceNow and be able to keep deep links. So the URL would
look like this: servicenow.mycompany.com. I can set this up as a reverse
proxy but deep links are broken. So, if I go to
servicenow.mycompany.com/ticket123456 it directs me to the home page,
not the page with the ticket on it. Hope this makes sense.


--
danvarela

Re: Public access and Private access

danvarela wrote:

>
> Not sure about the ESP terminology. I know it stands for Embedded
> Service Provider. In ServiceNow, you are able to enable and disable
> SSO and get metadata info from the site.
>
> What I mean by it authing at the IDP is, there is no reverse proxy for
> that app. So I only have a setting for it on the Identity Servers. I
> go to https://mycompany.service-now.com and I get redirected to the
> identity server URL. What I would like to happen is to create a reverse
> proxy for ServiceNow and be able to keep deep links. So the URL would
> look like this: servicenow.mycompany.com. I can set this up as a
> reverse proxy but deep links are broken. So, if I go to
> servicenow.mycompany.com/ticket123456 it directs me to the home page,
> not the page with the ticket on it. Hope this makes sense.


Ah ok, so your app uses SAML or similar to authenticate users. That
makes sense now.

Exposing your IDP VIP wouldn't make your 'internal' apps public. The
applications have their own VIP, I assume, which would be a private IP
address (e.g. 10.something). This wouldn't route over the internet, so if
I hit your-internal-app.yourcompany.com it would get a non-routable
address back. If you only have one VIP for all your apps then it
becomes a little more tricky.

--
Cheers,
Edward
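An added example, not from the thread and not an Access Manager tool, that turns the two points made in this exchange into a check a practitioner could run: the single external zone described earlier carries both a 10. address and a public address for the mycompanyag name with every reverse-proxy name pointed at one of them, and the reply above argues that a name answering only with a non-routable address is not reachable from the internet. The script parses a constructed BIND-style zone fragment, follows CNAMEs inside it, and flags names that resolve to public addresses or to a mix of public and RFC 1918 addresses. The zone contents, names and addresses are constructed; treating only RFC 1918 space as "private" is an assumption matching the 10. addressing in the thread.

```python
"""Audit a single external DNS zone for app names that are (or are half)
internet-reachable.

Added example, not code from the original thread or from NetIQ Access
Manager. Models the setup described in the thread: one external DNS server
carries both a 10. address and a public address for the Access Gateway
name, and each reverse-proxy hostname is pointed at one of them.
SAMPLE_ZONE is constructed; names and addresses are illustrative only.
"""
import ipaddress
from collections import defaultdict

# Assumption: "private" means RFC 1918, the non-routable ranges the thread
# is talking about (the 10. addresses).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample zone fragment (BIND-style), not a real zone.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
mycompanyag.mycompany.com.   IN A     10.20.30.40
mycompanyag.mycompany.com.   IN A     203.0.113.10
app.mycompany.com.           IN A     203.0.113.10
hr.mycompany.com.            IN A     10.20.30.40
idp.mycompany.com.           IN A     10.20.30.41
servicenow.mycompany.com.    IN CNAME mycompanyag.mycompany.com.
"""


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_zone(text):
    """Return {owner name: [(rtype, rdata), ...]} for A and CNAME records.
    Comments, other record types and malformed lines are skipped."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        name, rtype, rdata = parts[0], parts[2], parts[3]
        if rtype in ("A", "CNAME"):
            records[name].append((rtype, rdata))
    return dict(records)


def resolve_addresses(records, name, _depth=0):
    """Follow CNAME chains inside the zone; return the set of A addresses."""
    if _depth > 8:                      # guard against CNAME loops
        return set()
    addrs = set()
    for rtype, rdata in records.get(name, []):
        if rtype == "A":
            addrs.add(ipaddress.ip_address(rdata))
        else:
            addrs |= resolve_addresses(records, rdata, _depth + 1)
    return addrs


def classify(records):
    """Map each name to 'public', 'private', 'mixed' or 'unresolved'."""
    result = {}
    for name in records:
        addrs = resolve_addresses(records, name)
        if not addrs:
            result[name] = "unresolved"
            continue
        n_private = sum(1 for a in addrs if is_rfc1918(a))
        if n_private == 0:
            result[name] = "public"
        elif n_private == len(addrs):
            result[name] = "private"
        else:
            result[name] = "mixed"
    return result


def findings(records):
    """Names worth a second look. A 'mixed' name hands internet clients the
    10. answer part of the time (they pick one of the returned A records)
    and reveals internal addressing all of the time; a 'public' name is
    reachable from anywhere and should be public on purpose."""
    out = []
    for name, cls in sorted(classify(records).items()):
        if cls == "mixed":
            out.append(f"{name}: mixed public and RFC 1918 answers in one zone")
        elif cls == "public":
            out.append(f"{name}: reachable from the internet")
    return out


if __name__ == "__main__":
    for line in findings(parse_zone(SAMPLE_ZONE)):
        print(line)
```

On the constructed zone the AG name itself and the ServiceNow CNAME that points at it come out as mixed, which is exactly the situation the thread is working around: with split DNS the same name would carry only the 10. address in the internal view and only the public address in the external one, and the mixed class would disappear.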