Redirecting authenticated requests to alternative servers in IAG

Updated: February 10, 2010

Applies To: Intelligent Application Gateway (IAG)

Whale Communications Intelligent Application Gateway (IAG) 2007 uses initial host selection to transparently redirect requests to alternative servers within your organization, based on authentication credentials. This option enables you to configure a one-to-many access control scheme, where one trunk controls access to multiple servers, while throughout a session each user is allowed access to only one server.

You configure the initial host selection in the following two stages:

Initial host selection is only applicable when directly publishing Web applications. In portal trunks, using host address translation (HAT) eliminates the need to use initial host selection.

Configure host selection. Note that this procedure involves customization of authentication pages. For more information about customization, see Customizing IAG user authentication pages.

To configure host selection in the authentication pages

  1. Access the following custom folder; if it does not exist, create it:


  2. Under the customUpdate folder, create one of the following inc hooks, which will be activated before the PostValidate.asp reaches the client side:


    Name the file as follows:


    For example:

    For an HTTPS trunk named "WhaleSite", to create a "PrePostValidate" hook, create the file:

    If a file by this name already exists, you can use the existing file; you do not need to create a new file in this case.

  3. In the hook file you defined in step 2, implement the required host selection by using any one of the following server variables or any combination of the variables, describing the server to which the request is directed:

    1. IP address:

      SetSessionParam g_cookie, "WhlRWSIP", "<Application_Server_IP_Address>"

    2. Server name:

      SetSessionParam g_cookie, "WhlRWSName", "<Application_Server_Name>"

    3. Port number:

      You can add a port number at the end of either of the server variables. For example, add a port number to the WhlRWSIP variable as follows:
      SetSessionParam g_cookie, "WhlRWSIP", "<Application_Server_IP_Address>:<Port_Number>"

    For example:

    To configure a rule whereby users who are authenticated against the IAG server are routed to the application server to port 81, and all other users are routed to, enter the following:


    Repository = session( repository1 )

    if Repository = "whale" then

    SetSessionParam g_cookie, "WhlRWSIP", ""


    SetSessionParam g_cookie, "WhlRWSIP", ""

    end if


    Where repository1 is the authentication server used for session authentication, as retrieved from the Session Manager.

Make sure that, for every server you define in the authentication pages, you configure corresponding access rules in the Microsoft Internet Security and Acceleration (ISA) Server firewall. For more details, consult the ISA Server help system.

Configure initial host selection as follows:

To configure initial host selection in the Server Name Translation tab

  1. In the Advanced Trunk Configuration window, select the Server Name Translation tab.

  2. Select the Use Server Name Translation check box.

  3. In Virtual Web Server, select the service type, HTTP or HTTPS, and then in Server Name, specify the name or IP address of the virtual Web server.

  4. Select Translate In. It must be enabled for incoming connections.

  5. In Application Server, select the service type, HTTP or HTTPS, and then in Server Name, specify the name of the server variable you entered in the authentication hook, either WhlRWSIP or WhlRWSName. In addition, if you used a port number to define the server, enter a WhlRWPort variable (for example, WhlRWSIP:WhlRWSPort). In this case, the port number you define in the authentication hook overrides the port number defined in Port to use.

  6. In Port to use, specify a port number.

If users access the server by the server name, create a rule with the server name, not the IP address.

You can create two rules for the same virtual web server, one with the server's name and one with the server's IP address. You cannot, however, configure two rules translating the same virtual web server into two different application servers.

This section describes additional steps you need to take if you configure Initial Host Selection for Outlook Web Access for Microsoft Exchange Server 2000 or Microsoft Exchange Server 2003 Outlook Web Access, for an HTTPS trunk. In this setup, when IAG sends requests to the Exchange server by using HTTP, it adds the header Front-End-Https: On to each request. This header indicates to the Exchange server that the original request was sent over HTTPS, and the server sends the replies in HTTPS, accordingly.

In order for the reply to be routed to the requesting server, you have to configure an additional Server Name Translation rule, which will translate the HTTPS reply. For example, in the example specified in the procedure above "To configure Initial Host Selection in the Server Name Translation tab", you will have to configure the following additional rules:

  • Rule 1

    • Virtual Server Name: http:

    • Application Server Name: http:// WhlRWSIP:WhlRWSPort

    • Port: 80

    • Translate Out: Yes

    • Translate In: Yes

  • Rule 2

    • Virtual Server Name: http:

    • Application Server Name: http:// WhlRWSIP:WhlRWSPort

    • Port: 80

    • Translate Out: Yes

    • Translate In: No