Redirecting authenticated requests to alternative servers in IAG
Applies To: Intelligent Application Gateway (IAG)
Whale Communications Intelligent Application Gateway (IAG) 2007 uses initial host selection to transparently redirect requests to alternative servers within your organization, based on authentication credentials. This option enables you to configure a one-to-many access control scheme, where one trunk controls access to multiple servers, while throughout a session each user is allowed access to only one server.
You configure the initial host selection in the following two stages:
Configure host selection in the authentication pages, described in Configuring host selection in the authentication pages.
Configure a translation rule, as described in Configuring initial host selection in the Server Name Translation tab.
Note
Initial host selection is only applicable when directly publishing Web applications. In portal trunks, using host address translation (HAT) eliminates the need to use initial host selection.
Configure host selection. Note that this procedure involves customization of authentication pages. For more information about customization, see Customizing IAG user authentication pages.
Access the following custom folder; if it does not exist, create it:
...\Whale-Com\e-Gap\von\InternalSite\inc\CustomUpdate
Under the CustomUpdate folder, create one of the following inc hooks, which will be activated before the PostValidate.asp reaches the client side:
PrePostValidate.inc
Or,
PostPostValidate.inc
Name the file as follows:
<Trunk_Name><Secure(0=no/1=yes)><Hook_Name>
For example:
For an HTTPS trunk named "WhaleSite", to create a "PrePostValidate" hook, create the file:
WhaleSite1PrePostValidate.inc
Tip
If a file by this name already exists, you can use the existing file; you do not need to create a new file in this case.
In the hook file you defined in step 2, implement the required host selection by using any one of the following server variables or any combination of the variables, describing the server to which the request is directed:
IP address:
SetSessionParam g_cookie, "WhlRWSIP", "<Application_Server_IP_Address>"
Server name:
SetSessionParam g_cookie, "WhlRWSName", "<Application_Server_Name>"
Port number:
You can add a port number at the end of either of the server variables. For example, add a port number to the WhlRWSIP variable as follows:
SetSessionParam g_cookie, "WhlRWSIP", "<Application_Server_IP_Address>:<Port_Number>"
For example:
To configure a rule whereby users who are authenticated against the IAG server are routed to the application server 192.168.1.136 to port 81, and all other users are routed to 192.168.1.23, enter the following:
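<%
' repository1 holds the authentication server used for this session
Repository = session("repository1")
if Repository = "whale" then
    ' Users authenticated against the IAG server
    SetSessionParam g_cookie, "WhlRWSIP", "192.168.1.136:81"
else
    ' All other users
    SetSessionParam g_cookie, "WhlRWSIP", "192.168.1.23"
end if
%>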
Where repository1 is the authentication server used for session authentication, as retrieved from the Session Manager.
Note
Make sure that, for every server you define in the authentication pages, you configure corresponding access rules in the Microsoft Internet Security and Acceleration (ISA) Server firewall. For more details, consult the ISA Server help system.
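The following is an added example, not part of the original page or of IAG: a small Python audit that builds the expected hook file name, extracts every literal WhlRWSIP or WhlRWSName target from a hook file, and lists the targets that have no matching entry in a list of back ends approved in the firewall. The function names, the approved set and the Port to use value of 80 are assumptions made for illustration; the sample hook is constructed from the example above.

```python
import re

# Matches the SetSessionParam calls shown on this page, for example:
#   SetSessionParam g_cookie, "WhlRWSIP", "192.168.1.136:81"
# Lines commented out with a leading ' do not match.
_CALL = re.compile(
    r'^\s*SetSessionParam\s+g_cookie\s*,\s*"(WhlRWSIP|WhlRWSName)"\s*,\s*"([^"]*)"',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample hook, based on the page's example.
SAMPLE_HOOK = '''<%
Repository = session("repository1")
if Repository = "whale" then
    SetSessionParam g_cookie, "WhlRWSIP", "192.168.1.136:81"
else
    SetSessionParam g_cookie, "WhlRWSIP", "192.168.1.23"
end if
%>'''

def hook_filename(trunk, secure, hook):
    """Build <Trunk_Name><Secure(0=no/1=yes)><Hook_Name>.inc."""
    if hook not in ("PrePostValidate", "PostPostValidate"):
        raise ValueError("unknown hook: " + hook)
    return f"{trunk}{1 if secure else 0}{hook}.inc"

def extract_targets(hook_source):
    """Return (variable, host, port) per literal target; port is None if absent."""
    targets = []
    for var, value in _CALL.findall(hook_source):
        host, sep, port = value.partition(":")
        targets.append((var, host, port if sep else None))
    return targets

def unapproved(hook_source, approved, port_to_use):
    """List effective host:port targets missing from the approved set.

    A port set in the hook overrides the trunk's "Port to use" value.
    """
    bad = []
    for _var, host, port in extract_targets(hook_source):
        effective = f"{host}:{port if port is not None else port_to_use}"
        if effective not in approved:
            bad.append(effective)
    return bad

if __name__ == "__main__":
    print(hook_filename("WhaleSite", True, "PrePostValidate"))
    print(unapproved(SAMPLE_HOOK, {"192.168.1.136:81"}, 80))
```

The audit only sees literal targets; a hook that builds the target string from variables needs manual review.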
Configure initial host selection as follows:
In the Advanced Trunk Configuration window, select the Server Name Translation tab.
Select the Use Server Name Translation check box.
In Virtual Web Server, select the service type, HTTP or HTTPS, and then in Server Name, specify the name or IP address of the virtual Web server.
Select Translate In. It must be enabled for incoming connections.
In Application Server, select the service type, HTTP or HTTPS, and then in Server Name, specify the name of the server variable you entered in the authentication hook, either WhlRWSIP or WhlRWSName. In addition, if you used a port number to define the server, enter a WhlRWPort variable (for example, WhlRWSIP:WhlRWSPort). In this case, the port number you define in the authentication hook overrides the port number defined in Port to use.
In Port to use, specify a port number.
Tip
If users access the server by the server name, create a rule with the server name, not the IP address.
You can create two rules for the same virtual web server, one with the server's name and one with the server's IP address. You cannot, however, configure two rules translating the same virtual web server into two different application servers.
Configuring initial host selection for Microsoft Outlook Web Access for Microsoft Exchange Server 2000 or 2003
This section describes additional steps you need to take if you configure initial host selection for Outlook Web Access for Microsoft Exchange Server 2000 or Microsoft Exchange Server 2003, for an HTTPS trunk. In this setup, when IAG sends requests to the Exchange server by using HTTP, it adds the header Front-End-Https: On to each request. This header indicates to the Exchange server that the original request was sent over HTTPS, and the server sends the replies in HTTPS, accordingly.
In order for the reply to be routed to the requesting server, you have to configure an additional Server Name Translation rule, which will translate the HTTPS reply. For example, in the example specified in the procedure above "To configure Initial Host Selection in the Server Name Translation tab", you will have to configure the following additional rules:
Rule 1
Virtual Server Name: http: www.whalesite.com
Application Server Name: https://WhlRWSIP:WhlRWSPort
Port: 80
Translate Out: Yes
Translate In: Yes
Rule 2
Virtual Server Name: http: www.whalesite.com
Application Server Name: https://WhlRWSIP:WhlRWSPort
Port: 80
Translate Out: Yes
Translate In: No