
Unblu 7 (latest)

The Airlock Web Application Firewall (WAF) is one of the reverse proxy products specifically supported by Unblu for securing public internet access to on-premises Unblu installations. This article describes how to configure an Airlock Web Application Firewall (WAF) that proxies your on-premises Unblu server and your Unblu-enabled web application (such as e-banking) to your public visitors using a site-embedded architecture.

There are two guides for configuring the Airlock WAF. Go through the checklist to choose the appropriate instructions for your use case before you start configuring the Airlock WAF.

Before you start

Before you start, verify that your current installation meets the requirements to run Unblu with Airlock WAF.

  1. For the Unblu server, complete the following steps:

  2. Open the Airlock administration interface and navigate to System Setup → License. Make sure the version of Airlock WAF you’re using is 5.3 or higher.

  3. Check that:

    • ICAP is on.

    • Expiry is a date in the future.

    Figure 1. Airlock license screen

Configuring the Airlock WAF

Remember to click on the Activate button once you’ve finished configuring the Airlock WAF.

Configure the Unblu back-end group

  1. In the left sidebar of the Airlock administration interface, navigate to Application Firewall → Reverse proxy.

  2. Create the back-end group for the Unblu server if you haven’t already done so.

  3. On the Basic tab, fill in the following details:

    • The Name of the group.

    • The appropriate Protocol.

    • The name of your Unblu server’s Back-end host.

    • The Port the Unblu server uses.

    Figure 2. Airlock Unblu back-end group, Basic tab

Configure the mapping for the Unblu server

Next, create the mapping for the Unblu server. Start with a new empty mapping. Give it a name that makes it clear which environment and version of Unblu it maps and work through the various tabs as outlined below.

The Basic tab

On the Basic tab, make the following changes:

  1. In the Service and Mode section, set the Entry path and the Back-end path to the value of Unblu’s PUBLIC path prefix as defined in com.unblu.identifier.publicPathPrefix, followed by a trailing slash /.

  2. In the Application section, set Session handling to Use available session.

  3. Set Passthrough cookies to Use regular expression.

  4. In the line below the radio button, add the values of the following configuration properties, separated by an OR (|):

    • com.unblu.identifier.singleAccountSessionCookieName or com.unblu.identifier.multiAccountSessionCookieName, depending on whether you have multiple accounts set up on your Unblu server.

    • com.unblu.identifier.deviceCookieName

    • com.unblu.domcap.originCookieName

    • com.unblu.domcap.cookieName

    • com.unblu.conversationsession.cookieName

    With the default values for the configuration properties listed above, the regular expression looks like this:

    Listing 1. Regular expression for passthrough cookies with a single Unblu account
    x-unblu-session|x-unblu-recorder-session|x-unblu-device|x-unblu-worker-origin|x-unblu-conversation-session

    The default values of the configuration properties listed above contain variables. In the regular expression, you must replace each variable with its value, as in the example above. Don’t put spaces around the OR (|): in a regular expression a space is a literal character and would become part of the cookie name to match.

When you’ve finished, the Basic tab should look like this:

Figure 3. Airlock Unblu server mapping, Basic tab

The Request Actions tab

On the Request Actions tab, complete the following steps:

  1. Create a custom copy of the (default) Request header whitelist.

  2. Adapt the name and add the following headers to the Header Name Pattern:

    • x-unblu-client

    • x-unblu-page

    • x-unblu-referer

    • x-unblu-xui

    Separate the header names with an OR (|).

  3. Make sure you have an action that adds an X-Forwarded-Proto header to all requests. The action should look something like this:

    Request action to add or replace an X-Forwarded-Proto header to requests

  4. Create an action that adds an X-Forwarded-Host header to all requests. The action should look similar to the one that adds an X-Forwarded-Proto header.

The Response Actions tab

On the Response Actions tab, create a custom copy of the (default) Response header whitelist. Adapt the name and make sure that the Header Name Pattern includes the following headers:

  • Pragma

  • Cache-Control

  • Expires

  • x-unblu-xui

  • x-unblu-client

  • x-unblu-page

  • x-unblu-start-time

Add any missing headers to the pattern with an OR (|).
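To check a name pattern before entering it in Airlock, here is an added Python example (not part of the Unblu or Airlock documentation) that joins names with an OR (|) exactly as the passthrough-cookie pattern and the request header whitelist above do, and tests the result against constructed cookie and header sets. Whole-name matching of each alternative is an assumption about how the WAF evaluates the pattern; the sample cookies and headers are constructed.

```python
import re

# Default cookie names from the Unblu configuration properties listed in
# the Basic tab section (single-account setup).
PASSTHROUGH_COOKIES = [
    "x-unblu-session",
    "x-unblu-recorder-session",
    "x-unblu-device",
    "x-unblu-worker-origin",
    "x-unblu-conversation-session",
]

# Unblu headers added to the custom request header whitelist.
REQUEST_HEADERS = ["x-unblu-client", "x-unblu-page", "x-unblu-referer", "x-unblu-xui"]

# Cookie and header names only use these characters, so they need no
# regex escaping; anything else is rejected rather than silently escaped.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def build_name_pattern(names):
    """Join names with an OR (|) as the Airlock patterns above do.

    No whitespace is placed around '|': a space there becomes part of the
    alternative, so 'x-unblu-session ' (with a trailing space) would be
    whitelisted instead of 'x-unblu-session'.
    """
    for name in names:
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"{name!r} needs regex escaping before use")
    return "|".join(names)


def matches_whole_name(pattern, name, ignore_case=False):
    """True if NAME is exactly one alternative of PATTERN (assumed WAF semantics).

    fullmatch rejects 'x-unblu-session-extra', which merely starts with an
    allowed name, so the whitelist cannot be widened by adding a suffix.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(pattern, name, flags) is not None


def passthrough_cookies(cookie_header, pattern):
    """Cookies from a Cookie header that the passthrough pattern lets through."""
    kept = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name and matches_whole_name(pattern, name):
            kept[name] = value
    return kept


def whitelist_headers(headers, pattern):
    """Keep only headers whose names match the whitelist (header names are case-insensitive)."""
    return {k: v for k, v in headers.items() if matches_whole_name(pattern, k, True)}
```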

The Limits tab

On the Limits tab, increase the Max path length to 4kB.

Figure 4. Airlock Unblu server mapping, Limits tab

Connect the Unblu mapping

When you’ve finished configuring the Unblu mapping, connect it to the virtual host and to the back-end group of the Unblu server.

Configure Airlock WAF to use the Unblu resource history

The steps below ensure that your agents see the same thing as your visitors in embedded co-browsing sessions.

Configure the ICAP network service

  1. In the left sidebar of the Airlock administration interface, navigate to System Setup → Network Services.

  2. Add a new entry in the section ICAP Server - Antivirus, SOAP/XML filtering etc.

    Figure 5. Airlock network services screen

  3. Give the new entry a name of your choice and enter the ICAP Service URL:

    Listing 2. Airlock ICAP service URL for an Unblu server with a single account
    https://<unblu-server-fqdn:port>/<system-path-prefix>/airlockicap/MZsy5sFESYqU7MawXZgR_w (1) (2)
    # Example
    https://unblu.yourcompany.com:12345/system/airlockicap/MZsy5sFESYqU7MawXZgR_w
    (1) Replace <unblu-server-fqdn:port> with the fully qualified domain name and port of your Unblu server.
    (2) Replace <system-path-prefix> with the value of the configuration property com.unblu.identifier.systemPathPrefix.

    With the URL in the example above, Unblu uses the default API key MZsy5sFESYqU7MawXZgR_w.

    If you have multiple accounts on your Unblu server, or if you use account ingress in your setup, you must add the account’s API key to the URL for each account.

    Choose a name for the ICAP service that makes it clear which Unblu account uses it. This makes it easier to select the right ICAP service when you configure the mapping for your application back-end.

    When you’ve finished, the ICAP Service URL should look something like this:

    Listing 3. Airlock ICAP service URL for an Unblu server with multiple accounts
    https://<unblu-server-fqdn:port>/<system-path-prefix>/airlockicap/<APIKEY> (1)
    # Example
    https://unblu.yourcompany.com:12345/system/airlockicap/NYtz6tGFTYqV8NbxBWgS_x
    (1) Replace <APIKEY> with the API key for the Unblu account in question.

Configure the mapping for the application back-end

To configure ICAP for the mapping of your Unblu-enabled application back-end:

  1. In the left sidebar of the Airlock administration interface, navigate to Application Firewall → Reverse proxy.

  2. In the main window, select the mapping from your virtual host to the application back-end and click on its pencil icon to edit it.

  3. Open the ICAP tab.

  4. Create a new ICAP Response Client View:

    • Select the name of the ICAP Service you set up.

    • Enter Cookie as the Request Header Name Pattern.

    • Enter the value of com.unblu.domcap.cookieName followed by an equals sign = as the Request Header Value Pattern. If you haven’t changed the default values for the cookie name and the cookie name prefix, the value to enter is x-unblu-recorder-session=.

      You may need to add the name of the cookie specified in the configuration property com.unblu.conversationsession.cookieName to the pattern, too (the default name is x-unblu-conversation-session). Before doing so, speak with a solution architect or solution integration engineer from Unblu to check whether this is required for your use case.

    Figure 6. Airlock application back-end mapping, ICAP tab

Configure ICAP for the Unblu mapping

Open the mapping for the Unblu server. On the ICAP tab, make sure there are no ICAP services configured for the Unblu server.

Figure 7. Airlock Unblu server mapping, ICAP tab
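As an added example (not from Unblu or Airlock), the following Python assembles the ICAP Service URL from the parts named in Listing 2 and Listing 3, once per account, and decides for a sample request whether the ICAP Response Client View of the application back-end mapping would be triggered by its Cookie header. The second API key is a placeholder, and the matching rule (an unanchored search of the value pattern in the Cookie value) is an assumption about Airlock’s behaviour.

```python
import re
from urllib.parse import urlparse

# Constructed per-account API keys for this example. The first is the
# default key shown in Listing 2; the second is a placeholder, not a real key.
ACCOUNT_API_KEYS = {
    "default": "MZsy5sFESYqU7MawXZgR_w",
    "second-account": "PLACEHOLDER_API_KEY_FOR_SECOND_ACCOUNT",
}


def icap_service_url(unblu_host_port, system_path_prefix, api_key):
    """Assemble the ICAP Service URL of Listing 2/3 and sanity-check it."""
    prefix = system_path_prefix.strip("/")
    if not prefix:
        raise ValueError("com.unblu.identifier.systemPathPrefix must not be empty")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", api_key):
        raise ValueError("API key contains characters that do not belong in a path")
    url = f"https://{unblu_host_port}/{prefix}/airlockicap/{api_key}"
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("ICAP service URL must be https and name a host")
    return url


def icap_urls_per_account(unblu_host_port, system_path_prefix, api_keys):
    """One ICAP service per account, named so the account is obvious when selecting it."""
    return {f"unblu-icap-{acct}": icap_service_url(unblu_host_port, system_path_prefix, key)
            for acct, key in api_keys.items()}


def icap_value_pattern(cookie_names):
    """Request Header Value Pattern for the ICAP Response Client View.

    With only com.unblu.domcap.cookieName (default x-unblu-recorder-session)
    this is 'x-unblu-recorder-session='; adding the conversation session
    cookie yields an alternation of both names followed by '='.
    """
    if len(cookie_names) == 1:
        return f"{cookie_names[0]}="
    return "(" + "|".join(cookie_names) + ")="


def icap_applies(request_headers, value_pattern):
    """True if the response to this request would be handed to the ICAP service.

    Assumed semantics: the Request Header Name Pattern 'Cookie' selects the
    header and the value pattern is searched anywhere in its value.
    """
    for name, value in request_headers.items():
        if name.lower() == "cookie" and re.search(value_pattern, value):
            return True
    return False
```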

Configuring Unblu to use the Airlock WAF

Set the following configuration properties in the properties file of your Unblu server:

com.unblu.identifier.siteEmbeddedSetup=true
com.unblu.domcap.server.filter.airlock.enableAirlockIcap=true
com.unblu.domcap.server.filter.airlock.request.hostScheme=https (1)
(1) Set this configuration property to the scheme used by the back-end application you provide embedded co-browsing for, such as e-banking. Unblu requires it to construct the request URI, because the ICAP interface doesn’t provide this information.

See also