
AMS Advanced Messaging Security

eFront
eFront Management Tool

Administrator's Guide
by DIaLOGIKa GmbH

15 September 2005

This document contains confidential information and is made available under a license
agreement or nondisclosure agreement only. The information may not be assigned or
transferred to any third party without DIaLOGIKa's express prior consent. No part of this
manual may be reproduced without the express written permission of DIaLOGIKa.
Information in this document is subject to change without notice.
The software described in this document is furnished under a license agreement or
nondisclosure agreement and may be used or copied only in accordance with the terms
of that agreement. It is not permitted to copy the software except as specifically allowed
in the license or nondisclosure agreement.
Copyright 2005
DIaLOGIKa GmbH
Albertstraße Pascalschacht
66125 Saarbrücken
Tel. 06897 935-0
Fax 06897 935-100
AMS@dialogika.de
http://www.AMS.lu
All rights reserved.

Contents

Introduction
  What is eFront?  1
  eFront Architecture  2
  eFront and AMS  2
  eFront Setup  3
  eFront Sample Configuration  3
Reference  10
  eFront Workbench  10
  New Proxy Service  10
  New Application  16
  Application Rules  20
  Routing  25
  Tools Commands  26

Document History

4 Aug 2005   Draft version by Judith Engelkamp
12 Aug 2005  Post-editing by Amy Bryant
15 Sep 2005  First final version by Sascha Kiefer and Judith Engelkamp
Introduction
What is eFront?

eFront is a reverse proxy. A reverse proxy is a proxy server that is installed in the
neighbourhood of one or more web servers. All connections coming from the Internet
addressed to one of the web servers are routed through the proxy server, which either
deals entirely with the request itself, or passes the request wholly or partially on to the
main web server.
There are several reasons for installing reverse proxy servers. eFront addresses the
following three reasons:
• Security: eFront is an additional layer of defence, therefore protecting web servers
further up the chain.
• Logging: eFront can be configured to log all connections to one of the web servers
(cf. eFront Architecture).
• AMS support: in the context of AMS, eFront is responsible for SSL support (cf.
eFront and AMS).
The eFront Management Tool described in this guide is an administrator tool for
configuring eFront (e.g. for specifying the web servers to be protected by eFront).
The following section provides an overview of what you can do with eFront. Details on
each command are to be found in the Reference section.

eFront Architecture

eFront is able to handle HTTP(s), POP3(s), SMTP(s) and telnet(s) traffic. All connections
coming from an intranet or the Internet addressed to one of the web servers are routed
through eFront. eFront ensures that only authorized users have access to the servers
(via NTLM). The routing rules define where eFront is to route the connection. Using the
application rules (for HTTP(s) traffic only), eFront is able to replace parts of the client
requests before sending them on to the server. eFront is also able to replace parts of the
server reply before sending it on to the client.
In addition, eFront can be configured to log all traffic. This log file can be used as-is for
archiving purposes. It can be re-played using the ePlayer program (part of the AMS
suite, cf. ePlayer documentation). The log file can also be processed by CondenseLog
(cf. CondenseLog documentation) to produce a condensed version of the log file
according to individually definable mapping rules. This enables information relevant only
for a specific application to be logged.
eFront and AMS

In the context of AMS (cf. AMS documentation), eFront is responsible for SSL support.
eGuard and eMIM need eFront in order to be able to provide HTTPS links in
notifications when these notifications are read via Outlook Web Access (OWA), for
example. When using eFront in this manner there is no need to configure it as the
default settings are sufficient, meaning there is no need to call the eFront Management
Tool described in this guide.
The user property Secure Web has to be set to 1 in order to get HTTPS links (instead of
HTTP links) in eGuard and eMIM notifications. To set this property, call Rdexpo (AMS
Management Tool) and set the property to 1 for those users reading their notifications
using OWA (or similar).
eFront is also used by eWebMail to provide SSL support for SMTP, HTTP and POP3.
eFront Setup

To install eFront, run eFront's setup (eFrontSetup.exe) and follow the instructions
displayed on the screen.
eFront Sample Configuration

This section describes an eFront sample configuration.


Situation: A company uses several web applications running on different servers, e.g.
• http://srv1.company.com:9810/app1
• http://srv2.company.com:9810/app2.php
• http://srv3.company.com:9810/app3
eFront is used to log all web traffic between clients and these web servers. This is
illustrated by the following figure.
[Figure: clients reach http://srv1.company.com:9810/app1, http://srv2.company.com:9810/app2.php and http://srv3.company.com:9810/app3 through eFront, which writes a full HTTP log.]

To implement this scenario, the server on which eFront is running needs as many IP
addresses as there are web servers to be supported. These IP addresses have to be
entered in the name server under appropriate names. In our example we use the names
of the original servers prefixed by an "e", thus eSRV1 = 192.54.38.1, eSRV2 =
192.54.38.2, eSRV3 = 192.54.38.3.
The original web servers have to be registered in eFront. This is done as follows:
1. Call eFront Management Tool

2. Create a new proxy service by calling the command New proxy service in the File
menu

3. Enter the name of the service to be displayed in eFront and set the other options (cf.
Service Application Settings for more details on each option).
4. Click on Next to enter the Server Settings, e.g. as shown in the following screenshot:

5. Click on Next to choose the client authentication. Assuming that the three
applications have different user access rights, the actual client authentication settings
would be defined for each application separately (cf. step 7 below). In this case the
client authentication for the Sample Service does not matter.

Now you can register the three web servers in our example as follows:
6. In the context menu of the Sample Service node just created, choose the command
Create new application and enter the data as shown in the following screenshot:

7. Click on Next to choose the client authentication. Here you select the users/groups
allowed to access SRV1 (cf. Security Settings for more information on how to do this).

8. Perform the same steps for SRV2 and SRV3. The results of your entries are as
follows:

9. Now the mapping (routing) between the eFront IP addresses and web servers
registered in eFront has to be defined. To do this, call the Add command in the
context menu of the Routing node in the left pane.

10. Do the same for the other two IP addresses. Result:

11. The standard HTTP replacements (cf. Application Rules) are predefined.
12. Assuming that the three applications have cross-links (i.e. one application references
another application), the following replacements have to be defined. In the context
menu of SRV1 call the Insert replacements from command, and select Sample
Service/SRV2. Do the same for Sample Service/SRV3, and vice versa in the context
menus of SRV2 and SRV3. The resulting rules are as shown in the screenshot below.

Now you have finished configuring eFront and can exit the eFront Management Tool.
The three web servers should now be configured to only allow HTTP requests from
eFront on the specified port. All other ports and HTTP requests from other PCs should be
blocked.
The web applications are now called via their eFront names, eSRV1, eSRV2 and eSRV3
in our example. Portal pages or favourites already defined may have to be updated accordingly.
eFront now accepts the registered HTTP requests (e.g. eSRV1), establishes a connection
to the corresponding web server (e.g. SRV1), transfers the HTTP request to this server,
and sends back the reply received from the server to the browser (both actions are
logged).
If there is a link to another web server in the reply (e.g. to SRV2), this link is
automatically replaced with the "correct" link, pointing to eSRV2.
A user accessing one of these web servers cannot bypass the logging of HTTP traffic. If
they try to access the web server directly in the browser, they are rejected (even
"localhost" is not allowed). Since the web servers accept HTTP requests from eFront, the
eFront server should be protected against direct usage.

Reference
eFront Workbench

Left pane
    Here you can choose which service configuration you want to view (or edit).
Details pane
    Here you see the details of the item selected in the left pane.

New Proxy Service

Calling the New proxy service command from the File menu opens the eFront wizard
for configuring a new proxy service.

Clicking on Next in the welcome screen of the eFront wizard displays the Application
Settings wizard page.
Service Application Settings

Proxy service friendly name
    The name of the service to be displayed in eFront.
Proxy service protocol type
    Choose HTTP to handle HTTP(s) requests. Choose Any other to handle other
    requests (e.g. POP3(s), SMTP(s) or telnet(s)). Check the box Require secure
    connection if this service listens to secure requests only (e.g. requires HTTPS
    instead of HTTP).
Log information
    Check the Log traffic box if eFront is to log the traffic to a log file. By default,
    eFront uses the path specified under Tools Options. Use the Browse button to
    specify another path to be used instead.
    Note: If installed together with CondenseLog this box has to be checked since
    this is the log file evaluated by CondenseLog.
Next
    Click on Next to display the Server Settings wizard page.

Server Settings

Port to listen on
    Enter the port to be used.
Maximum number of connected clients
    Enter the maximum number of clients allowed to connect to the server.
Response timeout
    Time to wait for the response from the application server.
Receive timeout
    Time to wait for the client request.
Send timeout
    Time to send a request or response to the server or client.
Next
    Click on Next to display the Security Settings wizard page (note: this page is
    not displayed unless the Require secure connection box is checked on the
    Application Settings wizard page).

Server Security Settings

Certificate
    Click on Browse to select the server certificate.
Password
    Enter the certificate password.
Security layer
    Select the security protocol to be used by eFront.
Next
    Click on Next to display the Client Authentication wizard page.

Client Authentication

eFront allows domains to be approved:
• for specified users or groups only, or
• for NTLM-authenticated users only.

NTLM can be activated/deactivated per service or per web application. The following
inheritance rules apply:
• If NTLM is activated for a proxy service, all applications belonging to this service
inherit this attribute.
• If the NTLM specification for the service contains certain tokens (i.e. groups or users),
all applications belonging to this service inherit the tokens.
• If NTLM is deactivated for a service, it may still be activated for some of the
applications belonging to the service.
• If a service and an application belonging to this service both have NTLM tokens, the
union of both token sets applies to the application.
If NTLM authentication is activated, eFront produces, if applicable, HTTP error pages to
inform about the authorization status. The pages to be used by eFront are located in the
file system under eFront\ErrorPages\<error number>.html. If a page is not available
eFront creates default pages. These pages may be edited/adapted by the administrator
for further usage.

Authentication type
    Select the authentication type to be used (None or NTLM authentication).
Add
    Click on Add to select the users or groups to be identified via NTLM
    authentication. If no user and no group is added, all users authenticated via
    NTLM are allowed to access the server. If one or more users or groups are
    added, only these users are allowed to access the server (after being
    authenticated).
Remove
    Click on Remove to remove the selected user or group from the list.
Next
    Click on Next to display the Summary wizard page.
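The inheritance rules and the empty-token-list behaviour described above, modelled as an added Python example (not eFront code and not part of this guide). The names Service, Application, effective_tokens and is_authorized are assumptions for illustration, as is the choice that an application's own tokens count only when NTLM is activated on the application; the sample accounts and groups are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Service:
    """A proxy service: NTLM switch plus optional user/group tokens."""
    name: str
    ntlm: bool = False
    tokens: frozenset = field(default_factory=frozenset)


@dataclass
class Application:
    """An application of a service, with its own NTLM switch and tokens."""
    name: str
    ntlm: bool = False
    tokens: frozenset = field(default_factory=frozenset)


def ntlm_required(service: Service, app: Application) -> bool:
    """NTLM activated for the service is inherited by every application;
    if it is deactivated for the service, it may still be on per application."""
    return service.ntlm or app.ntlm


def effective_tokens(service: Service, app: Application) -> frozenset:
    """Service tokens are inherited by its applications; when both levels
    define tokens, the union of both sets applies (assumption: application
    tokens count only while NTLM is activated on the application)."""
    tokens = frozenset()
    if service.ntlm:
        tokens |= service.tokens
    if app.ntlm:
        tokens |= app.tokens
    return tokens


def is_authorized(service, app, authenticated, principal_tokens):
    """Decide access for one request.

    authenticated:    whether NTLM authentication of the client succeeded
    principal_tokens: the account name plus the groups the account belongs to
    """
    if not ntlm_required(service, app):
        return True                 # authentication type None: no check at all
    if not authenticated:
        return False                # eFront answers with its error page instead
    allowed = effective_tokens(service, app)
    if not allowed:
        return True                 # no tokens: every NTLM user may pass
    return bool(allowed & frozenset(principal_tokens))


# Constructed sample in the spirit of the guide's Sample Service / SRV1 set-up.
SAMPLE = Service("Sample Service", ntlm=True,
                 tokens=frozenset({"COMPANY\\WebAdmins"}))
SRV1 = Application("SRV1", ntlm=True, tokens=frozenset({"COMPANY\\alice"}))
SRV2 = Application("SRV2")      # inherits NTLM and the service tokens only
```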

Select Users or Groups Dialog Box

Look in
    Select the domain or server to refer to for users or groups.
Add
    Click on Add to mark the selected item to be identified via NTLM authentication.
Check Names
    Any name or part of a name entered in the edit box below the Check Names
    button can be completed/checked by clicking on the Check Names button.
OK
    Click on OK when you have finished adding users and groups to the list.

Click on Finish to close the wizard. A new node representing the server just configured is
now available in the left pane of the eFront Workbench.
Note: all settings defined in the wizard may be viewed or modified as follows:
• Right-click on the service.
• Choose the Edit command.
New Application

Calling the Create New application command from the context menu of a proxy service
opens the eFront wizard to configure an application belonging to this service.

Clicking on Next in the welcome screen of the Application wizard displays the Application
Settings wizard page.

Application Settings

Application-friendly name
    The name of the application to be displayed in eFront.
Local host
    The URL entered in the browser of a client.
Remote host
    The IP address or name of the server to be accessed by eFront.
Remote Port
    The port to be used for the remote host.
Log information
    Check the Log traffic box if eFront is to log the traffic to a log file. By default,
    eFront uses the path specified under Tools Options. Use the Browse button to
    specify another path to be used instead.
Next
    Click on Next to display the Security Settings wizard page (note: this page is
    not displayed unless the application belongs to a proxy service with the option
    Require secure connection set).

Security Settings

Refer to Server Security Settings for more information on these settings and the settings
on the Client Authentication wizard page.
Next
    Click on Next to display the Summary wizard page.

Click on Finish to close the wizard. A new node representing the application just
configured is now available in the left pane of the eFront Workbench.
Note: all settings defined in the wizard may be viewed or modified as follows:
• Right-click on the application.
• Choose the Edit command.
Note: the first application added to a server is the default application, i.e. it is used if
several applications are available and no specification has been made which application is
to be used. The default application name is bold-faced and marked with an asterisk. To
make another application the default application, right-click the application and select the
Use as default application command from the context menu.
Application Rules

For each application you can define four sets of rules to be processed by eFront: Header
From Client, Body From Client, Header From Remote Server and Body From Remote
Server. There is a node below the application node for each of these rule sets. Selecting
one of these nodes in the left pane displays the corresponding rules in the details pane.
To delete a rule, select the rule in the details pane and press the DEL key on your
keyboard. The rules are described in the following sections.

eFront Variables

eFront provides the following variables to simplify application rules. The values for these
variables are specified in the wizard (on the Application Settings page) and can be edited
using the Edit command in the context menu of an application.
The Insert Default Replacements command in the context menu of an application causes
default replacement rules to be inserted. In most cases these rules are sufficient,
however they may require manual adaptation in some cases.
<<$LocalHost>>
    The host entered under Local host on the Application Settings page.
    Example: Local host = external.company.com
<<$LocalPort>>
    The port to be listened to, entered under Port to listen on on the Server
    Settings page.
    Example: Port to listen on = 1234
<<$LocalUrl>>
    Concatenates the protocol type, <<$LocalHost>> and <<$LocalPort>>. Thus, in
    the above example this would be: https://external.company.com:1234
<<$RemoteHost>>
    The host entered under Remote host on the Application Settings page.
    Example: Remote host = internal.company.com
<<$RemotePort>>
    The port entered under Remote port on the Application Settings page.
    Example: Remote port = 5678
<<$RemoteUrl>>
    Concatenates "http://" (remote communication between eFront and the
    application server is always HTTP and never HTTPS), <<$RemoteHost>> and
    <<$RemotePort>>. Thus, in the above example this would be:
    http://internal.company.com:5678

Example: eFront is configured to have the following service and application:

Service 1
    Port: 443
    Protocol type: HTTPS
    Routing: [default]: App 1
App 1
    Local host: A
    Remote host: B
    Remote port: 678

Rule Type                 Rule                               Replaces       with
Body From Client          REP <<$LocalUrl>> <<$RemoteUrl>>   https://A      http://B:678
Body From Remote Server   REP <<$RemoteUrl>> <<$LocalUrl>>   http://B:678   https://A

eFront variables may also be combined in order to allow replacements for applications
referring to another server. This means you can prefix the above variables with Service X
and Application Y, e.g. <<$Service 1\App 1\LocalUrl>>.
The Insert replacements from command in the context menu of an application causes
default replacement rules for the selected service and application to be inserted. In most
cases these rules are sufficient, however they may require manual adaptation in some
cases.
Note: The service can be omitted as long as the rules do not refer to another service.
Example:
eFront manages two servers: B and D. B has references to D and vice versa, e.g. B
sends pages to the browser containing links like http://D/test and D sends pages
containing links like http://B:678/sample.
eFront would be configured to have the following service and applications:
Service 1
    Port: 443
    Protocol type: HTTPS
    Routing: IP1: App 1; IP2: App 2
App 1
    Local host: A
    Remote host: B
    Remote port: 678
App 2
    Local host: C
    Remote host: D
    Remote port: 80

Now you can use combined variables as follows:

Rule Type                 Rule                                             Replaces       with
Body From Client          REP <<$LocalUrl>> <<$RemoteUrl>>                 https://A      http://B:678
Body From Client          REP <<$App 2\LocalUrl>> <<$App 2\RemoteUrl>>     https://C      http://D
Body From Remote Server   REP <<$RemoteUrl>> <<$LocalUrl>>                 http://B:678   https://A
Body From Remote Server   REP <<$App 2\RemoteUrl>> <<$App 2\LocalUrl>>     http://D       https://C

Header From Client

These rules are processed to modify the header received from the client before it is sent
to the application server.
Select the Add.. command in the context menu of Header From Client to add another rule
to this section.

Type
    Select the rule type.
    SET: Add the key entered under Find what with the value entered under
    Replace with to the header from the client document before sending the
    information to the remote server.
    REP: Replace all occurrences of Find what with Replace with in the header of
    the client document before sending the information to the remote server.
    DEL: Delete the key entered under Find what from the client document before
    sending the information to the remote server.
Find what
    You can select one of the variables described under eFront Variables or enter
    a string.
Replace with
    You can select one of the variables described under eFront Variables or enter
    a string.
Weight
    Enter the weight of the rule. The weight controls the order in which the rules
    are processed. The highest weights are processed first.

Body From Client

These rules are processed to modify the body received from the client before it is sent to
the application server.
Select the Add.. command in the context menu of Body From Client to add another rule
to this section.

Find what
    You can select one of the variables described under eFront Variables or enter
    a string.
Replace with
    You can select one of the variables described under eFront Variables or enter
    a string.
Weight
    Enter the weight of the rule. The weight controls the order in which the rules
    are processed. The highest weights are processed first.

Header From Remote Server

These rules are processed to modify the header received from the remote server before it
is sent to the client.
Select the Add.. command in the context menu of Header From Remote Server to add
another rule to this section.
See Header From Client for a description of rule parameters.
Body From Remote Server

These rules are processed to modify the body received from the remote server before it
is sent to the client.
Select the Add.. command in the context menu of Body From Remote Server to add
another rule to this section.
See Body From Client for a description of rule parameters.
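An added Python example (not code from eFront or this guide) that models the variable expansion from eFront Variables and the rule processing of the four rule sections above: it resolves <<$LocalUrl>>, <<$RemoteUrl>> and the combined <<$App 2\RemoteUrl>> form against the guide's second example configuration and applies REP/SET/DEL rules by descending weight. The class and function names, the omission of default ports in generated URLs, and the header rules with the Via and X-Proxied-By keys are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class App:                # values from the Application Settings page
    name: str
    local_host: str
    remote_host: str
    remote_port: int

@dataclass
class Service:            # "Port to listen on" and protocol type (HTTPS when secure)
    name: str
    port: int
    secure: bool
    apps: dict = field(default_factory=dict)

@dataclass
class Rule:               # kind is "SET", "REP" or "DEL"; higher weight runs first
    kind: str
    find: str             # "Find what"; may contain eFront variables
    replace: str = ""     # "Replace with"; may contain eFront variables
    weight: int = 0

# <<$Var>>, <<$App Y\Var>> or <<$Service X\App Y\Var>>
VAR_RE = re.compile(r"<<\$((?:[^\\>]+\\)*)(\w+)>>")

def _url(scheme, host, port):
    # Assumption: the default port is left out, matching https://A (443)
    # and http://D (80) in the guide's examples.
    default = 443 if scheme == "https" else 80
    return f"{scheme}://{host}" if port == default else f"{scheme}://{host}:{port}"

def resolve(text, services, service, app):
    """Expand eFront variables. An optional 'Service X\\App Y\\' prefix selects
    another application; the service part may be left out within one service."""
    def value(m):
        parts = [p for p in m.group(1).split("\\") if p]
        svc = services[parts[0]] if len(parts) == 2 else service
        a = svc.apps[parts[-1]] if parts else app
        scheme = "https" if svc.secure else "http"
        table = {"LocalHost": a.local_host, "LocalPort": str(svc.port),
                 "LocalUrl": _url(scheme, a.local_host, svc.port),
                 "RemoteHost": a.remote_host, "RemotePort": str(a.remote_port),
                 # eFront-to-server traffic is always plain HTTP
                 "RemoteUrl": _url("http", a.remote_host, a.remote_port)}
        return table[m.group(2)]
    return VAR_RE.sub(value, text)

def apply_rules(data, rules, services, service, app, header=False):
    """Process the rules, highest weight first. REP replaces every occurrence
    of Find what; SET and DEL add or drop a 'Key: value' header line."""
    for r in sorted(rules, key=lambda r: r.weight, reverse=True):
        find = resolve(r.find, services, service, app)
        repl = resolve(r.replace, services, service, app)
        if r.kind == "REP":
            data = data.replace(find, repl)
        elif r.kind == "SET" and header:
            data = data.rstrip("\r\n") + f"\r\n{find}: {repl}\r\n"
        elif r.kind == "DEL" and header:
            keep = [line for line in data.split("\r\n")
                    if not line.lower().startswith(find.lower() + ":")]
            data = "\r\n".join(keep)
    return data

# Constructed configuration taken from the guide's second example.
SVC = Service("Service 1", 443, True)
SVC.apps["App 1"] = App("App 1", "A", "B", 678)
SVC.apps["App 2"] = App("App 2", "C", "D", 80)
SERVICES = {SVC.name: SVC}
APP1 = SVC.apps["App 1"]

# App 1 rules: the default pair plus the "Insert replacements from" App 2 pair.
BODY_FROM_REMOTE = [Rule("REP", "<<$RemoteUrl>>", "<<$LocalUrl>>"),
                    Rule("REP", "<<$App 2\\RemoteUrl>>", "<<$App 2\\LocalUrl>>")]
# Constructed header rules: the full-URL rule must outweigh the host-only rule,
# otherwise "https://A" is turned into "https://B" before it can be matched.
HEADER_FROM_CLIENT = [Rule("REP", "<<$LocalUrl>>", "<<$RemoteUrl>>", 10),
                      Rule("REP", "<<$LocalHost>>", "<<$RemoteHost>>", 9),
                      Rule("DEL", "Via", weight=5),
                      Rule("SET", "X-Proxied-By", "eFront", 1)]
```

Running apply_rules over a reply body containing http://D/test and http://B:678/sample yields https://C/test and https://A/sample, the cross-link rewrite the guide describes.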
Routing

After defining all the applications belonging to a service, you now need to define the
routing for it. To do this, right-click on the Routing entry below the service name.

In the Routing dialog box, enter the IP address and select the application for this IP
address.

Repeat this step for all applications belonging to the service.


To delete a routing entry, select the routing entry in the details pane and press the DEL
key on your keyboard.
Tools Commands
MIME Types

The header is always processed by eFront. The body is not processed unless its type is
included in the list of converted MIME types. This list is maintained by the MIME Types
command in the Tools menu.

Add
    Select one or more MIME types on the left (untouched MIME types) and click on
    the Add button to move these entries to the right (list of converted MIME
    types).
Remove
    Select one or more MIME types on the right (converted MIME types) and click on
    the Remove button to move these entries to the left (list of untouched MIME
    types).
Add Type
    Click on the Add Type button to add a new entry to the MIME types.
Edit Type
    Click on the Edit Type button to edit a MIME entry, e.g. to rename it.
Delete Type
    Click on the Delete Type button to delete a MIME entry from the list.
OK
    Click on the OK button to save all actions performed in the MIME Types dialog
    box and close it.
Cancel
    Click on the Cancel button to discard all actions performed in the MIME Types
    dialog box and close it.

Options

The Options command in the Tools menu enables you to specify the default path to be
used by eFront to log traffic.
Note: If installed together with CondenseLog this is the log file evaluated by
CondenseLog.

Index

A
Application Rules 20
Application Settings 11, 18
Application-friendly name 18
Authentication type 14

B
Body From Client 20
Body From Remote Server 20

C
Certificate 13
Client Authentication 14
CondenseLog 27
Create New application 16

E
eFront Variables 21
eFront Workbench 10

H
Header From Client 20
Header From Remote Server 20
HTTP replacements 8

I
Insert Default Replacements 21
Insert replacements from 8, 22

L
Local host 18
Log information 12, 18

M
Mapping 7
Maximum number of connected clients 12
MIME Types 26

N
New Application 16
New Proxy Service 10
NTLM 14

O
Options 27

P
Port to listen on 12
Proxy service 10, 12
Proxy service protocol type 12

R
Receive timeout 13
Remote host 18
Remote Port 18
Response timeout 13
Routing 7, 25

S
Sample Configuration 3
Security layer 13
Security Settings 13, 19
Send timeout 13
Server Settings 12

T
Tools Commands 26

V
Variables 21