Airlock 5.3 Web Application Firewall (WAF) Integration
The Airlock WAF is a secure reverse proxy server that manages the data flow between a visitor of the website and the corporate web server(s). When you use the collaboration server, you need to configure Airlock as follows:
- Set up an ICAP connection to the server. (ICAP is a messaging protocol that proxy servers often use to communicate with other servers.)
- Specify which requests to forward to the server.
- Restrict requests so that they are only forwarded while a co-browsing session is established. (This reduces network traffic.)
Requirements and Prerequisites
To use the unblu module you need an ICAP license. To check the license, go to System Setup, click License, and make sure that ICAP is set to on.
Before you can configure the Airlock reverse proxy server, you need to install and configure the collaboration server. You can find a minimal configuration on this page in unblu Configuration. Note that while this minimal configuration is designed to show that unblu works with Airlock, it is intended for quick reference only and does not provide a comprehensive guide to running unblu in a high-security environment.
Specifying the ICAP Connection
To specify the ICAP connection, proceed as follows:
- Click System Setup, and then click Network Services. The Network Services panel opens.
- Click the Plus ( + ) button to add a new ICAP server.
- In the Name field, type the name you want to use for the connection.
- In the ICAP Service URL field, type the URL of the unblu server (here: http://unbluhost/) followed by the path sys-unblu/airlockicap.
- Click the Submit button.
Adding the unblu Server to Airlock
Airlock keeps two lists of servers: The list of virtual hosts (that is, all servers that receive requests) and the list of back-end groups (that is, all servers or groups of servers that answer the requests). To add the unblu server to Airlock you need to add it to the back-end group, as follows:
- In the Reverse Proxy administration screen, click the Plus ( + ) button in the Back-end Group list. Airlock creates a new back-end group (that is, a new group of servers that receive requests). The group contains one empty entry for a server.
- Type the name you want to use for the unblu back-end group.
- Type the protocol, host and port of the unblu server.
Mapping the Application Responses
To map the application responses, you need to configure Airlock to forward any backend responses to the unblu server via ICAP.
- In the Reverse Proxy administration screen, edit the mapping of your application (for this example, we use a mapping called backend).
- Click the ICAP tab.
- Click the Plus ( + ) button in the ICAP Response Client view. Check the Handle response checkbox. In the ICAP service drop-down list, select the unblu ICAP service you created in Specifying the ICAP Connection above.
- In the Request Header Value Pattern field (Value, not Name!), add the regular expression x-unblu-recorder-session=. (Make sure the pattern is case sensitive and not inverted.)
- Click Submit. Airlock now forwards all responses belonging to a running co-browsing session to the unblu server via ICAP.
Mapping the Co-Browsing Connection
Now you need to add a new reverse proxy mapping that forwards co-browsing requests to the unblu server. Setting this up is straightforward but requires some configuration to make sure that cookies and HTTP headers are forwarded correctly.
- In the Reverse Proxy administration screen, click the Plus ( + ) button in the Mapping list. Airlock adds a new mapping.
- In the Basic tab, give the mapping a name, specify the Entry Path (use the Directory type), make sure it is case sensitive and, in the Application panel, make sure the Passthrough Cookies are defined.
- Press the Submit button to apply your changes.
Configuring the Allow Rules
- In the Reverse Proxy administration screen, click the Allow Rules tab.
- Increase Max path length to at least 4 kB.
Allowing unblu Request/Response Headers
If you restrict the headers that Airlock forwards, you need to add unblu's request and response headers to the lists of allowed headers.
- In the Reverse Proxy administration screen, click the Request Actions tab.
- Select the middle icon of (default) Request header whitelist (on the extreme right of the Default Actions panel) to create a customized version of it.
- In the Header Name Pattern field, add the following entries to the list of allowed headers: x-unblu-xui, x-unblu-client, x-unblu-page, x-unblu-referer (ensuring the pattern is case insensitive and inverted).
- Click Submit to apply your changes, then select the Response Actions tab. The Response Actions screen is displayed.
- Click the middle icon of (default) Response header whitelist (on the right side of the Default Actions panel) to create a customized version of it.
- In the Header Name Pattern field, add (or make sure they are present) the following headers: Pragma, Cache-Control, Expires, x-unblu-xui, x-unblu-client, x-unblu-page, x-unblu-start-time (ensuring the pattern is case insensitive and inverted).
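The two pattern rules above (the ICAP response client rule from Mapping the Application Responses and the header whitelists from this section) can be checked against sample headers before they go live. The following is an added example, not Airlock's or unblu's own code; it assumes that an Airlock pattern rule fires when the regex matches, or, when inverted, when it does not match, and that the whitelist action removes every header the (inverted) name pattern fires on. The non-unblu names in the whitelists (Host, Cookie, Content-Type, Set-Cookie) are assumed pre-existing entries.

```python
import re
from dataclasses import dataclass
from typing import Dict


@dataclass
class PatternRule:
    """Model of an Airlock pattern field (assumed semantics): the rule applies when the
    regex matches the text, or, if inverted, when it does not match."""
    pattern: str
    case_sensitive: bool = True
    inverted: bool = False

    def applies(self, text: str) -> bool:
        flags = 0 if self.case_sensitive else re.IGNORECASE
        matched = re.search(self.pattern, text, flags) is not None
        return matched != self.inverted


# ICAP Response Client rule: request header VALUE pattern, case sensitive, not inverted.
ICAP_RESPONSE_RULE = PatternRule(r"x-unblu-recorder-session=")

# Header whitelists: remove every header whose NAME does not match the pattern,
# i.e. case insensitive and inverted. Non-unblu names are assumed existing entries.
REQUEST_WHITELIST = PatternRule(
    r"^(host|cookie|x-unblu-xui|x-unblu-client|x-unblu-page|x-unblu-referer)$", False, True)
RESPONSE_WHITELIST = PatternRule(
    r"^(content-type|set-cookie|pragma|cache-control|expires"
    r"|x-unblu-xui|x-unblu-client|x-unblu-page|x-unblu-start-time)$", False, True)


def forward_response_to_icap(request_headers: Dict[str, str]) -> bool:
    """True only while a co-browsing session is running, i.e. some request header
    value (typically the Cookie header) carries the recorder session marker."""
    return any(ICAP_RESPONSE_RULE.applies(v) for v in request_headers.values())


def apply_whitelist(headers: Dict[str, str], rule: PatternRule) -> Dict[str, str]:
    """Keep a header only when the inverted name rule does not fire on it."""
    return {k: v for k, v in headers.items() if not rule.applies(k)}


if __name__ == "__main__":
    # Constructed sample: a request inside a co-browsing session plus a stray debug header.
    req = {"Host": "app.example.test", "Cookie": "x-unblu-recorder-session=abc123; theme=dark",
           "X-Unblu-Page": "7", "X-Debug": "1"}
    print(forward_response_to_icap(req), apply_whitelist(req, REQUEST_WHITELIST))
```

Note that the ICAP rule is case sensitive, so a cookie written as X-UNBLU-RECORDER-SESSION would not trigger forwarding, while the whitelists match header names regardless of case.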
Setting the X-Forwarded-Proto Header
Note: Failure to set the X-Forwarded-Proto header can cause issues such as redirect loops.
When you use a proxy device, such as the Airlock WAF, to decrypt traffic, problems can occur if the client makes (for example) an HTTP request to an HTTPS-only resource. However, there is a way to determine the protocol used between the client and the proxy. See X-Forwarded-Proto Header for more.
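The redirect loop mentioned above can be reproduced from the back end's point of view. The following is an added example, not part of the original page or of unblu: it models a back end behind a TLS-terminating proxy that serves an HTTPS-only resource, honours X-Forwarded-Proto only when the request arrives from the proxy's (assumed) address range, and counts how many redirects a client goes through with and without the header.

```python
import ipaddress
from typing import Dict, Optional

# Assumption: the Airlock WAF reaches the back end from this range; only it may assert
# the client-facing scheme. A header from any other peer is ignored (spoofing defence).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def effective_scheme(peer_ip: str, transport_scheme: str, headers: Dict[str, str]) -> str:
    """Scheme the client used towards the proxy, as the back end should see it."""
    xfp = next((v for k, v in headers.items() if k.lower() == "x-forwarded-proto"), None)
    if xfp and any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        first = xfp.split(",")[0].strip().lower()  # first hop wins if chained
        if first in ("http", "https"):
            return first
    return transport_scheme  # no trusted header: fall back to the proxy-to-backend scheme


def https_redirect_target(peer_ip: str, transport_scheme: str, headers: Dict[str, str],
                          host: str, path: str) -> Optional[str]:
    """Location for an HTTPS-only resource, or None when no redirect is needed."""
    if effective_scheme(peer_ip, transport_scheme, headers) == "https":
        return None
    return f"https://{host}{path}"


def simulate_via_proxy(send_header: bool, rounds: int = 3) -> int:
    """Count redirects when the proxy terminates TLS and talks plain HTTP to the back end.
    Without X-Forwarded-Proto every round looks like HTTP, so the loop never ends."""
    redirects = 0
    for _ in range(rounds):
        headers = {"X-Forwarded-Proto": "https"} if send_header else {}
        # Constructed sample request as forwarded by the proxy at 10.1.2.3
        if https_redirect_target("10.1.2.3", "http", headers, "app.example.test", "/app") is None:
            break
        redirects += 1
    return redirects


if __name__ == "__main__":
    print("with header:", simulate_via_proxy(True), "redirects")
    print("without header:", simulate_via_proxy(False), "redirects (loop)")
```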
unblu Configuration
Here is a minimal example configuration for running the collaboration server with Airlock.
Note: This example is intended only as an overview and not as a guide on how you run unblu in a high-security environment.
com.unblu.identifier.siteEmbeddedSetup=true
com.unblu.cobrowsing.hideOfflineFlap=true
com.unblu.domcap.server.filter.airlock.enableAirlockIcap=true
Note: If you are using Apache Tomcat as a servlet container, you need to configure Tomcat to load the property file. There are different ways to do this, depending on how you administer Tomcat and your Java platform. For example, you can add the following line to the Tomcat start script, catalina.sh:
Note: At startup, the filter configuration for the unblu filter is generated based on certain configuration properties. But it is also possible to use an external, customized filter configuration file instead. This can be done by adding the following line to your