Manual Chapter : Configuring Rewrite Profiles for Portal Access

Applies To:

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0

Configuring Rewrite Profiles for Portal Access

About rewrite profiles for Portal Access

A Portal Access rewrite profile defines certificate settings for Java patching, client caching settings for a virtual server, split tunneling settings, and URI translation settings. You can configure a rewrite profile and select the rewrite profile when you configure the virtual server for a portal access policy. Alternatively, you can use the default Portal Access rewrite profile, rewrite-portal.

Portal access rewrite profile Portal Access settings

Use these properties to configure a resource item for a portal access resource.
In the rewrite profile Portal Access settings, you can configure settings for client caching and split tunneling.
These options are available for Portal Access in the rewrite profile.
Client Cache setting and description:
  • CSS and JavaScript: Caches CSS and JavaScript. This is the default rewrite caching configuration, and provides a balance between performance and security.
  • CSS, Images and JavaScript: Caches CSS, images, and JavaScript. This provides faster client performance but is slightly less secure because of cached images in the client browser cache.
  • No Cache: Caches nothing. This provides the slowest client performance and is the most secure.
  • Cache All: Uses the unmodified cache headers from the backend server.
Enable split tunneling: Select this option to enable split tunneling for portal access sessions that use this rewrite profile. Leave the option unselected to force all traffic through the tunnel for portal access sessions that use this rewrite profile. This option is unselected by default.

About split tunneling with rewrite profiles

Consider these factors when split tunneling is enabled:
  • Access Policy Manager matches the URI to the expressions specified on the Bypass list first. If an expression matches, then the URI is bypassed and links are not rewritten.
  • If the URI does not match the Bypass list, then it is compared to the Rewrite list. If the URI matches the expressions specified on the Rewrite list, the URI links are rewritten (using the Legacy mode of rewriting for JavaScript). If there are no matches, links are not rewritten.
  • If the URI attributes of the HTTP request match the URI attributes specified in the rules of the Rewrite Control List, the JavaScript content of the HTTP response is rewritten using the specified mode (Modern or Legacy).
  • If the URI does not match anything on the Bypass, Rewrite, or Rewrite Control List, and if the host name in the URI is a short name, not a fully qualified domain name, then links for that URI are rewritten.
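
The evaluation order above can be modelled offline to check a planned profile before it is assigned. The following is an added example, not F5 code: the function names and sample hosts are constructed, and it assumes whole-URI, case-sensitive wildcard matching, that a short name is a host without a dot, and that a Rewrite Control List match decides the JavaScript mode even when the Rewrite list also matches (inferred from this chapter's `*://*` note).

```python
import re
from urllib.parse import urlsplit

def wildcard_to_regex(pattern):
    """Compile a scheme://host[:port]/path pattern: * is any run, ? is one character."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern))

def field_matches(condition, expected, actual):
    """Evaluate one Rewrite Control List match condition against a host or path."""
    return {"Any String": True, "equals": actual == expected,
            "Start With": actual.startswith(expected),
            "Ends With": actual.endswith(expected),
            "Contains": expected in actual}[condition]

def classify(uri, bypass, rewrite, control_list):
    """Return (action, javascript_mode) for one URI when split tunneling is enabled."""
    if any(wildcard_to_regex(p).fullmatch(uri) for p in bypass):
        return ("bypass", None)          # Bypass list is checked first
    parts = urlsplit(uri)
    host = parts.hostname or ""
    for rule in control_list:            # assumption: first matching rule decides the mode
        if (rule["protocol"].lower() == parts.scheme
                and field_matches(rule["host_match"], rule["host"], host)
                and field_matches(rule["path_match"], rule["path"], parts.path)):
            return ("rewrite", rule["mode"])
    if any(wildcard_to_regex(p).fullmatch(uri) for p in rewrite):
        return ("rewrite", "Legacy")     # Rewrite list entries use Legacy mode
    if "." not in host:
        return ("rewrite", None)         # short host name; the chapter names no mode here
    return ("not rewritten", None)

def shadowed_by_bypass(uris, bypass, rewrite, control_list):
    """URIs that are bypassed now but would be rewritten if the Bypass list were empty."""
    return [u for u in uris
            if classify(u, bypass, rewrite, control_list)[0] == "bypass"
            and classify(u, [], rewrite, control_list)[0] == "rewrite"]

# Constructed sample lists and URIs (not taken from a real profile).
BYPASS = ["*://*.example.com/*"]
REWRITE = ["https://hr.corp.example.com/*"]
CONTROL = [{"mode": "Modern", "protocol": "HTTPS", "host_match": "Ends With",
            "host": ".apps.example.net", "path_match": "Any String", "path": ""}]
SAMPLES = ["https://hr.corp.example.com/payroll", "https://wiki.apps.example.net/index.js",
           "http://intranet/home", "https://www.example.org/"]
if __name__ == "__main__":
    for u in SAMPLES:
        print(u, classify(u, BYPASS, REWRITE, CONTROL))
    print("shadowed:", shadowed_by_bypass(SAMPLES, BYPASS, REWRITE, CONTROL))
```

In the constructed data, the broad Bypass pattern takes the HR application out of the rewriting engine even though it has its own Rewrite entry, which is the kind of overlap worth catching before the profile goes live.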

Portal access rewrite profile JavaPatcher settings

Use these properties to configure a resource item for a portal access resource.
In a rewrite profile, you can configure settings for Java patching. These settings configure the certificate authorities, signing rights, and certificate revocation that are required to patch some Java apps.
These options are available for JavaPatcher in the rewrite profile.
Setting (value) and description:
  • Trusted Certificate Authorities (Value: List selection): Select the certificate authority to use for Java app link rewriting from the list of predefined certificate authorities on the system.
  • Signer (Value: List selection): Select the Java app signer to use for app re-signing, from a list of existing signers on the system. Select None if the app is unsigned.
  • Signing Key (Value: List selection): Select the private key from a list of existing keys on the system for Java app re-signing. Select None if the app is unsigned or does not require a signing key.
  • Signing Key Pass Phrase (Value: Text, obscured): To encrypt the private signing key with a passphrase, type the private key pass phrase.
  • Certificate Revocation List (CRL) (Value: List selection): Select the CRL from the list, if one is defined on the system.

Portal access rewrite profile URI translation settings

Use these properties to configure URI translation for a rewrite profile with Portal Access.
In a rewrite profile, you can configure settings for rewriting headers in the request and the response.
These options are available for URI translation in Request Settings.
Property and description:
  • Rewrite Headers: Select this option to rewrite headers in Request Settings.
  • Insert X-Forwarded For Header: Select this option to add the X-Forwarded-For (XFF) header, to specify the originating IP address of the client.
  • Insert X-Forwarded Proto Header: Select this option to add the X-Forwarded-Proto header, to specify the originating protocol of the client.
  • Insert X-Forwarded Host Header: Select this option to add the X-Forwarded-Host header, to specify the originating host of the client.
These options are available for URI translation in Response Settings.
Property and description:
  • Rewrite Headers: Select this option to rewrite headers in the response.
  • Rewrite Content: Select this option to rewrite links in content in the response.

Creating a rewrite profile

You can create a rewrite profile to specify the rewriting and bypass lists, and define client caching in the virtual server definition.
  1. Click Access > Connectivity / VPN > VDI / RDP > Portal Access > Rewrite.
    The Rewrite Profile List screen opens.
  2. Click Create New Profile.
    The Create New Profile Rewrite screen opens.
  3. In the Name field, type a name for the rewrite profile.
  4. From the Parent Profile list, select a parent profile.
    For Portal Access, you should select the /Common/rewrite or /Common/rewrite-portal profile as the parent. The new rewrite profile inherits the Client Caching Type setting from the parent profile.
  5. From the Rewrite Mode list, select Portal (Access).
  6. On the left side, click the Portal (Access) link.
  7. From the Client Caching Type list, select the caching option.
  8. To enable split tunneling for portal access connections, select Split Tunneling from the list.
    Split tunneling provides three options to access your web page: Rewrite, Bypass, and Rewrite Control List. If you enable split tunneling, Access Policy Manager presents only web pages that satisfy any of these filters. Others are blocked (although a blocked public site may still be available outside the webtop). If you do not use split tunneling, Access Policy Manager processes all portal access URLs through the rewriting engine (the JavaScript rewrite mode is Legacy mode). You can specify a URL pattern using the following syntax: scheme://host[:port]/path. You can also use wildcards such as the asterisk ( * ) to denote any sequence of characters and the question mark ( ? ) for any single character. Access Policy Manager rewrites links in all pages specified for Rewrite (using the Legacy mode of rewriting for JavaScript). If you want to choose between the Legacy mode and the Modern mode of JavaScript rewriting, select the mode and specify the match conditions in the Rewrite Control List.
    • Rewrite List - Rewrites URLs. When you use this option, Access Policy Manager controls the redirection of the URL. Use this option to access URLs inside the network. Type a URL match pattern for the sites where you need to create the reverse-proxy and click the Add button.
    • Bypass - Directly accesses the URL and leaves the URL unmodified. Use this option to speed up serving public sites. Type a URL match pattern for URLs to be accessed directly, bypassing the rewrite engine, and click the Add button.
      If you want all other URLs that are not specified in the Rewrite Control List to be rewritten in the Legacy mode, then add *://* in the Rewrite List field.
    • Rewrite Control List - Rewrites the URLs that match the conditions specified, using the mode you selected (Modern or Legacy). Specify the following details:
      • Mode: The type of JavaScript standard for URI rewriting. Available options are Modern and Legacy. The Modern mode applies the modern JavaScript standard for rewriting, such as ECMAScript. The Legacy mode applies the old JavaScript standard for rewriting.
      • Protocol: The protocol for the connection. Available options are HTTP and HTTPS.
      • Host Match: The match conditions for the host name of the URI. Available options are Any String, Start With, Ends With, Contains, and equals.
      • Host: The host name of the URIs you want to rewrite. URIs with the specified host name are rewritten.
      • Path Match: The match condition for the complete path. Available options are Any String, Start With, Ends With, Contains, and equals.
      • Path: The path that you want to rewrite. The URI that includes the specific path is rewritten.
        • If you only mention the host, all the URIs with the specified host name are rewritten. If you mention the host and the path, only the URI that includes the specific host name and path is rewritten.
        • In the Rewrite Control List field, to rewrite a URL using the Modern mode, it is recommended to set the Host Match field to Any String and use the default values in the other fields. You can also specify the hostname and path in the Host and Path fields, respectively.
  9. To configure Java patching, click JavaPatcher Settings. Configure the Java Patcher options for verification and re-signing of signed applets.
  10. To configure the Trusted Certificate Authorities, from the list select a CA against which to verify signed applet signatures.
  11. To configure a Signer, from the list select a certificate to use for re-signing.
  12. To configure a Signing Key, from the list select a corresponding private key for re-signing.
  13. To set a Signing Key Pass Phrase, type a passphrase with which to encrypt the private key.
  14. To select a Certificate Revocation List (CRL), from the list select a CRL with which to check certificate validity.
  15. To configure URI Translation request and response settings, under URI Translation select Settings.
  16. Configure translation settings.
  17. Click OK to complete the rewrite profile.
The rewrite profile appears in the Rewrite Profiles list.
To use this profile for portal access rewriting, you must next assign the rewrite profile to the virtual server that is also assigned the access profile for portal access.