Configuring IAG URL rules

Applies To: Intelligent Application Gateway (IAG)

Configuring URL inspection rules in Whale Communications Intelligent Application Gateway (IAG) 2007 consists of the following steps:

  • Defining a list of URL inspection rules, including system and application-specific pre-defined rules and the custom rules that you define.

  • Defining a parameter list and unlisted parameters.

Before configuring URL rules, note the following:

  • Do not change, add, or delete any of the rules protecting IAG built-in services, including: Internal Site, Web Monitor, File Access, IAG Portal, and Certified Endpoint Enrollment. Any changes you make to those rules will be overwritten when IAG software is next upgraded or a patch is applied.

  • If you change, add, or delete any of the rules protecting the applications that are supported out-of-the-box, when IAG software is next upgraded or a patch is applied, the changes you make will only be supported for backward compatibility.

  • Note the following:

    • For applications that were added to the trunk prior to the upgrade, the rule set will retain the customization.

    • For new applications that are added after the upgrade or patch application, the customization will not be retained, and the rule set will be created with the default definitions. If you wish to apply the changes to new applications, as well, make sure to back up the changes you made in an external file.

  • Disabling the option Verify URLs in the Web Settings tab of an application’s Application Properties dialog box disables application-specific URL inspection for that application.

  • Activating the option Debug Mode in the General tab of the Advanced Trunk Configuration window disables URL inspection altogether.

Defining URL rules

URL inspection rules are defined in the URL List of the URL Set tab of the portal or application trunk. URLs that are not listed here will be denied access. The rules are configured and applied per application type. For each primary rule in the URL list, you can define exclusionary rules that define exceptions to the primary rule. For example, you may wish to reject all graphic .jpg files, with the exception of the file: logo.jpg. In this case, you create a primary rule to reject all the .jpg files and then add an exclusionary rule to accept the file logo.jpg. Note that when you disable a primary rule, its exclusionary rules are also disabled. After you enable the primary rule again, the associated exclusionary rules are not automatically enabled. You have to manually re-enable each exclusionary rule.

When creating rules you do the following:

  • Create primary and exclusionary rules in the URL list.

  • Create a set of general rules in the URL list. General rules are applied globally for an entire trunk. You can create any number of general rules with a reject action, or you can create a general rule with an accept action. A general rule with an accept action must be the last rule in the list of general rules. General rules are checked prior to the application rules as follows:

    • The general rules with a reject action are run. If the request is rejected at this stage, it is not subjected to examination by the application rules.

    • The general rule with the accept action is run. Its function is to indicate to IAG that the set of general rules has been completed and that the request should now be submitted for examination by the relevant application rules. Note that if you do not configure this rule, the request will not be submitted for further examination and will be rejected.

  • Create rules in the parameter list.

  • Copy, edit, or remove rules, in both the URL and the Parameter lists.

  • Specify how to handle unlisted parameters, where the URL rule is set to handle parameters and no rule is defined for a specific parameter in the parameter list.

  • Import and export rule sets.

You can also define rules automatically by using the rule-creation utility. For more information, see About the IAG rule-creating utility.

Creating primary and exclusionary rules

The following procedures describe how you add new rules to the URL and Parameters lists.

To add a primary rule to the URL List

  1. In URL List, click Add Primary.

  2. Configure the rule in accordance with the values described in the section "URL rule values".

To add an exclusionary rule to a primary rule

  1. Select the primary rule to which you wish to add the exclusionary rule.

  2. In URL List, click Add Exclude. An exclusionary rule is added under the primary rule.

  3. Add rule parameters, as described in the section "URL rule values".

Creating general rules

You create a general rule by creating a regular rule with the GENERAL prefix. The following procedure describes how you create general rules with an accept action.

To create a set of general rules

  • Create the required general rules that have the reject action by using the following values:

    • In Name, specify the name by using the GENERAL prefix. For example, GENERAL_MyRule.

    • In Action, select Accept.

    • In URL, specify /.*.

    • In Parameters, select Ignore.

    • In Methods, ensure that you include all of the methods that might be used by any of the applications in the trunk. For example, for Microsoft Office SharePoint Portal Server 2003, include all of the following methods: GET, POST, HEAD, MOVE, COPY, PUT, DELETE, PROPFIND, OPTIONS, LOCK, UNLOCK, MKCOL, PROPPATCH, GETLIB. For Microsoft Office Outlook Web Access 2003, include all of the following methods: GET, POST, HEAD, COPY, TRACE, SEARCH, PUT, PROPPATCH, MOVE, PROPFIND, SDELETE, POLL, BMOVE, BCOPY, BPROPPATCH, SUBSCRIBE, MKCOL, DELETE.

Warning

If you create a general rule with the accept action, ensure that it is the last rule in the set of general rules. Use the arrows at the right of the URL List in order to move a selected rule up or down in the rule order. In addition, make sure that all of the values defined for the general accept rule are correct. If not, the request will be rejected, even if the rule set includes an application rule that accepts the request.

Following is an example of a set of general rules:

[Figure: example of a set of general rules]
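The two-stage evaluation order described in "Defining URL rules" and in the warning above, modeled in Python as an added example (not IAG code and not part of the original documentation). The rule names and sample URLs are constructed, and the matching details are assumptions: a rule applies when its regular expression matches the whole path, the first matching rule in list order decides, and methods are checked only for Accept rules.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                      # "Accept" or "Reject"
    url: str                         # regular expression for the request path
    methods: tuple = ("GET", "POST")
    excludes: list = field(default_factory=list)  # exclusionary rules, no prefix needed
    enabled: bool = True

    def hits(self, path):
        return self.enabled and re.fullmatch(self.url, path) is not None

def verdict(rule, method, path):
    # An exclusionary rule that matches replaces its primary rule's action.
    rule = next((ex for ex in rule.excludes if ex.hits(path)), rule)
    ok = rule.action == "Accept" and method in rule.methods
    return ok, rule.name

def evaluate(rules, app_type, method, path):
    # Stage 1: general rules, in list order (assumed first match decides).
    general = [r for r in rules if r.name.startswith("GENERAL_")]
    hit = next((r for r in general if r.hits(path)), None)
    if hit is None or not verdict(hit, method, path)[0]:
        return False, hit.name if hit else "no general accept rule"
    # Stage 2: the application's own rules; a URL that no rule lists is denied.
    for r in rules:
        if r.name.startswith(app_type + "_") and r.hits(path):
            return verdict(r, method, path)
    return False, "URL not listed"

# Constructed sample rule set for a basic trunk (application type OtherWeb).
RULES = [
    Rule("GENERAL_NoExe", "Reject", r"/.*\.exe"),
    Rule("GENERAL_AcceptAll", "Accept", r"/.*", methods=("GET", "POST", "HEAD")),
    Rule("OtherWeb_NoJpg", "Reject", r"/.*\.jpg",
         excludes=[Rule("AllowLogo", "Accept", r"/images/logo\.jpg")]),
    Rule("OtherWeb_App", "Accept", r"/app/.*", methods=("GET", "POST", "PUT")),
]

if __name__ == "__main__":
    for m, p in [("GET", "/images/logo.jpg"), ("GET", "/app/pic.jpg"),
                 ("GET", "/tool.exe"), ("PUT", "/app/doc"), ("GET", "/other")]:
        print(m, p, evaluate(RULES, "OtherWeb", m, p))
```

The `PUT /app/doc` request is the case the warning describes: the application rule allows PUT, but the general accept rule does not list it, so the request never reaches the application rules.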

URL rule values

Value Description

Name

Rule name. A rule name must be preceded by the following prefix:

  • General rules: GENERAL

  • Portal rules: Portal

  • Internal website rules: InternalSite

  • Application rules: application-type. For portal and Web mail trunks, you must enter the application type as defined in IAG. For basic trunks, the application type is always OtherWeb.

Rule names are separated from the prefix by an underscore. For example: GENERAL_IISRule1. Note that exclusionary rules do not require a prefix.

Action

Select what action is taken when this rule is triggered:

  • Accept: IAG checks the URL against the rule. If the URL passes all checks, IAG returns the requested contents to the browser.

  • Reject: the request is denied. IAG sends the error message defined in the URL Inspection tab to the browser.

URL

A URL or group of URLs to which the rule is applied.

Use regular expressions to describe URLs.

Parameters

Action to take when the request contains parameters:

  • Reject: reject the request.

  • Handle: check the parameters. Define the list of parameters to check for this URL rule in the Parameters List area of the URL Set tab, or in the Global URL Settings tab.

  • Ignore: do not check the parameters.

Note

Optional: a note describing the rule.

Methods

Defines acceptable request methods for the URL (multiple selection is possible). If the request uses a method other than those defined here, it is rejected. After you select the method from the list, click outside the list to apply the setting.

Creating parameter rules

The parameter list defines the rules that IAG applies to URL parameters when a URL rule is set to handle parameters. The parameter list displays the parameter rules for a selected URL rule. Note that in addition to the parameters you define in the parameter list, you can define global parameter rules that apply to all URLs defined in the URL List. For more information, see Configuring IAG global URL parameters.

Add a rule to the parameter list as follows.

To add a rule in the Parameter List

  1. In Parameter List, click Add.

    The parameter rule is added at the end of the list of existing parameter rules.

  2. Define the parameter rule, as described in the section "Parameter values".

Parameter values

Parameter Description

Name

Parameter name. Must match name sent by the browser.

Name Type

Type of parameter name: String or Regular Expression.

Value

Parameter value. Depends on the type of value, as defined in the Value Type column.

  • For strings, enter a regular expression that defines the acceptable values.

  • For integer and real parameters, a comma divides values, and a colon represents a range of values. Parameter values must be listed according to length in a descending order, from the longest to the shortest.

Value Type

Type of parameter value: Integer, Real, or String.

Length

Length of the value.

Existence

The possible values are the following:

  • Mandatory: URL will only be considered valid if this parameter is present.

  • Optional: this parameter is optional.

  • Reject: if this parameter appears in the request, the request will be judged invalid.

Occurrences

Define whether the parameter can appear in the URL once or multiple times.

Max total length

Total length of parameter values of all occurrences of this parameter.

Rejected values checking

Select whether to check parameters against the Rejected Values list, defined in the Global URL Settings tab.

  • On: check against the list

  • Off: do not check against the list

Copying, editing and removing rules

The following procedures describe how you use the URL Set tab to copy, edit, or remove existing rules.

To copy an existing rule

  1. Select the rule, and then below one of the following lists, click Copy:

    • URL List for URL rules

    • Parameter List for Parameter rules

  2. Click Paste below the applicable list.

    If you are copying an exclusionary rule, select its associated primary rule before pasting it. The rule, including its exclusionary rules, is added at the bottom of the rule list. If it is an exclusionary rule, it is added under the selected primary rule. For primary rules and parameter rules, a temporary name is assigned to the rule.

  3. Where applicable, name the copied rule.

To edit rule parameters

  • Place the cursor over the field of the parameter you wish to edit, and then click inside it. Do one of the following:

    • If you have to enter parameter values as text, the color of the text field changes to light blue. In the box, enter the parameter value, and then press ENTER.

    • If you have to select from a list of options, a combo box list drops down. In the list, click the parameter.

To remove rules from the URL or Parameter list

  1. Select the rule, and then below one of the following lists, click Remove:

    • URL List for URL rules

    • Parameter List for Parameter rules

    The rule is removed, together with all its exclusions where applicable.

Handling unlisted parameters

In Unlisted Parameters, specify whether to accept or reject requests that contain parameters, when the URL rule is set to handle parameters and no rule is defined for the specified parameter in the parameter list.

  • Reject: URL is rejected.

  • Accept: URL is accepted if it matches the rules configured in this area, as listed in the following table.

Unlisted parameter values include the following.

Parameter Description

Max Name Length

Maximal length of a parameter name.

Default: -1, where length of the name is not checked (length is unlimited).

Max Value Length

Maximal length of a parameter value.

Default: -1, where length of the value is not checked (length is unlimited).

Allowed Occurrences

Define whether the same parameter can appear in the URL multiple times.

Max Total Length

Available only when “Allowed occurrences” is set to “Multiple”.

Total length of parameter values of all occurrences of this parameter.

Default: -1, where the total length of the values is not checked (total length is unlimited).

Rejected Values Checking

Select whether to check parameters against the Rejected Values list, defined in the Global URL Settings tab.

  • On: check against the list

  • Off: do not check against the list
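The parameter checks from "Parameter values" and "Handling unlisted parameters", as an added Python example (not IAG code and not part of the original documentation). It covers the Integer and String value types, Existence, Occurrences, and the unlisted-parameter limits where -1 means the length is not checked. The dictionary keys, the "Single" label and the sample rules are constructed for the illustration.

```python
import re
from urllib.parse import parse_qsl

def within(limit, n):
    return limit == -1 or n <= limit          # -1: the length is not checked

def value_ok(rule, v):
    if rule["type"] == "String":              # Value holds a regular expression
        return re.fullmatch(rule["value"], v) is not None
    if not re.fullmatch(r"-?\d+", v):         # Integer: comma divides values, colon is a range
        return False
    for part in rule["value"].split(","):
        lo, _, hi = part.partition(":")
        if int(lo) <= int(v) <= int(hi or lo):
            return True
    return False

def check_params(query, listed, unlisted):
    seen = {}
    for name, v in parse_qsl(query, keep_blank_values=True):
        seen.setdefault(name, []).append(v)
    for name, rule in listed.items():
        if rule["existence"] == "Mandatory" and name not in seen:
            return False, name + ": mandatory parameter missing"
    for name, values in seen.items():
        rule = listed.get(name)
        if len(values) > 1 and (rule or unlisted)["occurrences"] != "Multiple":
            return False, name + ": repeated"
        if rule is None:                      # no rule in the parameter list
            if unlisted["action"] == "Reject":
                return False, name + ": unlisted parameter"
            if not within(unlisted["max_name_length"], len(name)):
                return False, name + ": name too long"
            if not all(within(unlisted["max_value_length"], len(v)) for v in values):
                return False, name + ": value too long"
        elif rule["existence"] == "Reject":
            return False, name + ": parameter not allowed"
        elif not all(value_ok(rule, v) for v in values):
            return False, name + ": value not accepted"
    return True, "ok"

# Constructed parameter list and Unlisted Parameters settings (assumed key names).
LISTED = {
    "id":    {"type": "Integer", "value": "1000:9999,7", "existence": "Mandatory", "occurrences": "Single"},
    "lang":  {"type": "String", "value": "[a-z]{2}", "existence": "Optional", "occurrences": "Single"},
    "debug": {"type": "String", "value": ".*", "existence": "Reject", "occurrences": "Single"},
}
UNLISTED = {"action": "Accept", "max_name_length": 8, "max_value_length": 16, "occurrences": "Single"}
```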

Exporting and importing rule sets

This section describes how you export the set of rules that is currently defined in a trunk. Once you create or export a ruleset, you can import it into other trunks. Note that if you want to import rules to other IAG servers, ensure that all servers use the same encryption key.

Exporting rule sets

You can export any rule set that is defined in an HTTP or an HTTPS trunk. You can then import the rule set into other HTTP and HTTPS trunks.

To export a rule set

  1. In the Advanced Trunk Configuration window, in the URL Set tab, click Export.

    The Export Ruleset dialog box is displayed.

  2. Enter the following:

    • Select the location to which you wish to export the ruleset.

    • Enter your passphrase.

    • By default, the file is encrypted when it is exported. If you wish the file not to be encrypted, select the option Export decrypted.

  3. Click Export.

    The Export Ruleset dialog box closes. The ruleset is exported to the selected location.

Importing rule sets

You can import rulesets as follows:

  • Rule sets that are created by the rule-creating utility or pre-defined rulesets can be imported into both HTTP and HTTPS trunks. For more information about the rule-creation utility, see About the IAG rule-creating utility.

  • Rule sets that you export from one trunk can be imported into other trunks of the same type, either HTTP or HTTPS.

  • You can find rulesets that support spell-checkers by AccuSpell (www.spellchecker.com) in the following location on IAG:

    …\Whale-Com\e-Gap\Von\Samples\RuleSet

    • For Microsoft Office Outlook Web Access 2000 SP3:

      Ruleset_SpellCheck_ForOWA2000SP3.rul

    • For Microsoft Office Outlook Web Access 5.5:

      RuleSet_SpellCheck_ForOWA55.rul

Import a rule set as follows.

To import a ruleset

  1. In the Advanced Trunk Configuration window, in the URL Set tab, click Import.

    The Import Ruleset dialog box is displayed.

  2. Enter the following:

    • Select the folder where the ruleset is located.

    • Enter your passphrase.

    • If you want to overwrite the rules that are already defined for the trunk, select Overwrite existing.

      If you want to append the imported rules to the existing rules, select Append to existing.

  3. Click Import. The Import Ruleset dialog box closes. The ruleset is loaded, and the rules are displayed in the Advanced Trunk Configuration window, in the URL Set tab.

  4. In the URL Set tab, in the URL List, in the Name column, edit the rules you imported in order to include the application-type prefix.