[Dr.WoW] [No.41] Web Proxy

Latest reply: Oct 13, 2015 07:15:33

Although both involve resource access at the object level, URL access and file sharing are not the same. A URL is accessed over HTTP, and since SSL is a natural partner of HTTP, the Web proxy function needs no protocol conversion. Even so, we still want to focus on the two most important areas here: URL-level access control and hiding the real URL address.

The Web proxy service means accessing an internal network's Web server resources (URL resources) with the firewall acting as an agent. Here you might ask whether this is just an ordinary proxy function: when one server is used as a springboard to reach a destination URL, that server acts as a proxy, so isn't the firewall doing the same? The answer is that the two are not completely the same. Throughout the entire process the firewall not only acts as a proxy but also rewrites the real URL, thereby hiding the real internal network URL and further protecting the security of the internal network Web server.

1 Configuring Web Proxy Resources

Let's assume that a company has already set up a Web server and provided a portal address for the company internal network (http://portal.test.com:8081/), and hopes to use the Web proxy function to provide access for remote users.

Just as with file sharing resources, in order to refine the granularity of access control to the URL level, it is necessary to configure a corresponding Web proxy resource in the virtual gateway, as shown in Figure 1-1.

Figure 1-1 Web proxy resource list―creating a new resource.


In the above configuration, the most important parameter is the resource type, which defines the Web proxy method. Proxy methods include Web rewriting and Web-Link, and the differences between the two are as shown in Table 1-1.

Table 1-1 Web Rewriting and Web-Link comparison

| Item compared | Web Rewriting | Web-Link |
| --- | --- | --- |
| Security | Rewrites the real URL, hiding the internal network server's address―confers strong security. | Cannot rewrite the URL, and directly forwards Web requests and responses, which can reveal the internal network server's real address. |
| Ease of use | Doesn't rely on IE controls, and can be used normally in a non-IE browser. | Relies on IE controls, and cannot be used normally in non-IE environments. |
| Compatibility | As Web technology has developed very quickly, firewalls cannot rewrite every class of URL resource, and there may be problems such as misplaced pictures, abnormal-looking fonts, etc. | Does not need to rewrite resources; the firewall directly forwards requests and responses, so there are no page compatibility problems. |
| Use advice | Web rewriting is the preferred choice, as it is the most secure and convenient access method. If page display abnormalities appear, the Web-Link method can be considered. | Web-Link is the best substitute for Web rewriting, but its reliance on IE controls still limits its use. Moreover, it does not rewrite the internal network URL, so there is a security risk. |

In Table 1-2 I list the meaning of some other parameters.

Table 1-2 Details of Web proxy parameters

| Parameter | Details |
| --- | --- |
| URL | A Web application address that can be accessed directly from the internal network. If it is in domain name format, a corresponding DNS server address must be configured on the virtual gateway. |
| Resource group | A self-defined classification of Web application addresses; after logging in, the remote user can filter the needed resources by resource group―like the entrée and beverage groupings on a menu. |
| Portal link | Selects whether the Web proxy resource appears on the virtual gateway's homepage after login. If not selected, this is like a 'house dish' that is not on the menu but is prepared for an old customer: after logging in, the 'old user' can manually enter the URL in the address bar in the upper right-hand corner and reach some relatively confidential URL resources. |


Next I will take everyone on a further exploration of how Web rewriting actually works. As for Web-Link, I have only given a brief introduction here, as it will be covered in detail in "8.4 port forwarding".

2 Rewriting URL addresses

From the URL address that actually appears to the user, we can see that the Web proxy resource URL configured above, http://portal.test.com:8081/, has been rewritten.

Figure 1-2 SSL VPN login interface―Web proxy


To analyze the rewriting result: in the address, 4.1.64.12 is the virtual gateway address, and the remaining portions can roughly be broken down as:

- Webproxy: the Web proxy's exclusive directory.
- 1/1412585677/4: UserID/SessionID/ResourceID; these parameters were already mentioned when introducing file sharing.
- http/portal.test.com:8081/0-2+: the altered form of the original URL address.

When the user accesses the rewritten address, the following exchange occurs.

1. The remote user sends the firewall a request for the rewritten URL address.

Before arriving at the firewall, the request packet is encrypted. The screenshot above was taken after decryption, so it can also be understood as the real request received by the firewall.

2. After the firewall decrypts the received packet, but before it sends the request to the internal server, it performs the following further processing on the original packet:

a. The original packet header's Accept-Encoding field is deleted; otherwise the Web server may encrypt the response packet and send it to the firewall, which would be unable to decrypt it and unable to forward it further. In the screenshot below, it can be seen that the firewall has already deleted the original packet's Accept-Encoding field.

b. The real internal network Web resource address is substituted into the Host field.

c. The Referer field of some URLs related to this Web resource is rewritten to the real internal network Web resource address.

3. The firewall, acting as the Web client, sends the rewritten data to the real Web server.

After this comes normal HTTP exchange, which we won't elaborate further on here.
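The URL layout from Section 2 and the request processing in steps a-c above, modelled as an added example (this is not Huawei's code). It assumes the directory segment is the lowercase `webproxy` seen in the rewritten address, and it treats the trailing `0-2+` token as opaque because the post does not explain it.

```python
from urllib.parse import urlsplit

GATEWAY = "4.1.64.12"   # virtual gateway address used in the post
PROXY_DIR = "webproxy"  # the Web proxy's exclusive directory (assumed lowercase in the URL)
TAIL = "0-2+"           # trailing token seen in the post; not explained there, so treated as opaque (assumption)

def parse_proxy_path(path):
    """Decode '/webproxy/<UserID>/<SessionID>/<ResourceID>/<scheme>/<host[:port]>/<rest>'."""
    parts = path.split("/")
    if len(parts) < 7 or parts[1] != PROXY_DIR:
        raise ValueError("not a Web proxy path: " + path)
    user_id, session_id, resource_id, scheme, netloc = parts[2:7]
    rest = "/".join(parts[7:])
    if rest.endswith(TAIL):          # drop the opaque trailer so only the real path remains
        rest = rest[:-len(TAIL)]
    return {"user": user_id, "session": session_id, "resource": resource_id,
            "origin": f"{scheme}://{netloc}", "netloc": netloc, "path": "/" + rest}

def to_real_url(url):
    """Turn a gateway-side URL (e.g. a Referer value) back into the internal network URL."""
    u = urlsplit(url)
    if u.netloc != GATEWAY or not u.path.startswith("/" + PROXY_DIR + "/"):
        return url                   # not a proxied address; leave it untouched
    info = parse_proxy_path(u.path)
    return info["origin"] + info["path"] + (f"?{u.query}" if u.query else "")

def rewrite_request(proxy_path, headers):
    """Apply steps a-c: drop Accept-Encoding, point Host at the real server, fix Referer.
    Returns (real target URL, rewritten headers)."""
    info = parse_proxy_path(proxy_path)
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "accept-encoding":
            continue   # step a: the header advertises encodings such as gzip; without it the body comes back plain and rewritable
        if key == "host":
            value = info["netloc"]          # step b
        elif key == "referer":
            value = to_real_url(value)      # step c
        out[name] = value
    return info["origin"] + info["path"], out

if __name__ == "__main__":
    # Constructed sample request, modelled on the decrypted request shown in the post.
    headers = {"Host": GATEWAY, "Accept-Encoding": "gzip, deflate",
               "Referer": f"https://{GATEWAY}/webproxy/1/1412585677/4/http/portal.test.com:8081/{TAIL}",
               "User-Agent": "example"}
    print(rewrite_request("/webproxy/1/1412585677/4/http/portal.test.com:8081/a.pdf", headers))
```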

3 Rewriting Resource Paths in URLs

The firewall receives the response packet―the page to be displayed to the user (we'll use the home page http://portal.test.com:8081/ as an example)―and must also rewrite some resource paths in the page. If these paths are not rewritten, the client will use erroneous or non-existent addresses to fetch the resources, and the corresponding content cannot be displayed normally. At present, firewalls support rewriting for the following page resources:

- HTML attributes
- HTML events
- VBScript
- ActiveX
- CSS
- XML

The firewall can rewrite the internal paths of these resources, with the goal being normal page display and normal function use.
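To show the response side, here is an added example (not Huawei's code) that rewrites HTML attribute paths and CSS url() references in a constructed page so that the client fetches every resource through the virtual gateway. The encoding assumes the `/webproxy/UserID/SessionID/ResourceID/scheme/host` layout from Section 2 and omits the unexplained `0-2+` trailer.

```python
import re
from urllib.parse import urlsplit, urljoin

GATEWAY = "4.1.64.12"   # virtual gateway address used in the post

def to_proxy_url(real_url, user_id, session_id, resource_id):
    """Encode an internal URL as https://<gateway>/webproxy/<UserID>/<SessionID>/<ResourceID>/<scheme>/<host[:port]><path>.
    The '0-2+' trailer seen in the post is not reproduced (its meaning is not explained there)."""
    u = urlsplit(real_url)
    query = f"?{u.query}" if u.query else ""
    return (f"https://{GATEWAY}/webproxy/{user_id}/{session_id}/{resource_id}/"
            f"{u.scheme}/{u.netloc}{u.path or '/'}{query}")

# href/src/action attributes and CSS url(...) references; script rewriting is out of scope here.
ATTR_RE = re.compile(r"""(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2""", re.I)
CSS_URL_RE = re.compile(r"""url\(\s*["']?([^"')]+)["']?\s*\)""", re.I)

def rewrite_html(html, page_url, user_id, session_id, resource_id):
    """Rewrite resource paths in a page so the client fetches them through the gateway."""
    def proxied(ref):
        if ref.startswith(("#", "javascript:", "mailto:", "data:")):
            return ref                      # not a fetchable path; leave it untouched
        absolute = urljoin(page_url, ref)   # relative paths resolve against the real page URL
        return to_proxy_url(absolute, user_id, session_id, resource_id)
    html = ATTR_RE.sub(lambda m: m.group(1) + m.group(2) + proxied(m.group(3)) + m.group(2), html)
    return CSS_URL_RE.sub(lambda m: 'url("' + proxied(m.group(1)) + '")', html)

# Constructed sample page standing in for http://portal.test.com:8081/ (not the post's real page).
SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="/css/site.css">
<style>body { background: url(img/bg.png) }</style></head>
<body><a href="http://support.test.com/enterprise">Support</a>
<img src="images/logo.png"><a href="#top">Top</a>
<form action="login.do?lang=en"></form></body></html>"""

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_PAGE, "http://portal.test.com:8081/", "1", "1412585677", "4"))
```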

4 Rewriting Files Contained in URLs

Actually, in the last sub-section we already gave a partial introduction to file rewriting. However, that was all rewriting of resources requested by the page, which is to say the user had no need to perceive the rewritten content―what the user cared about was whether the page displayed normally and whether Web functionality worked. What we'll talk about next are the files near and dear to the user's heart, including PDF, Java Applet and Flash.

Using PDF as an example, we've embedded a.pdf into http://portal.test.com:8081/ and provide it to the user for download as a link. The content of the PDF is shown below, including a link that can only be accessed on the internal network (http://support.test.com/enterprise). If the firewall doesn't rewrite it, when the remote user opens the downloaded PDF and tries to follow the link, access will fail, as shown in Figure 1-3.

Figure 1-3 File contained in a URL


But when the PDF file contained in a Web proxy resource is downloaded through the virtual gateway and opened locally, it displays as below. As you can see, the original internal network URL in the file has been rewritten, and the rewritten URL begins with the virtual gateway address. In this way, external network users can access the internal network resource embedded in the PDF file, as shown in Figure 1-4.

Figure 1-4 Rewriting a file contained in a URL


user_2790689
Created Oct 13, 2015 07:15:33

Thank you.