Apache Link Translation

**ICTNUT** · 3rd March 2008, 02:22 PM

Hello all,

I am in the process of replacing our ISA firewall for a new shiny Sonicwall Pro 3060.

I have spoken to them about the issue below but womdered if it is smoething that Apache2 itself could do.

On the ISA firewall you have a thing called link translation where if you access a website (www.external.co.uk) ISA would translate all the link in the page to (www.internal.local) is this something that Apache could do?? If so how would i set it up??

If I have not made it clear what I am after please let me know.

Many thanks

**lonewolff** · 3rd March 2008, 03:01 PM

Apache can do lots of stuff like that, but it is not clear exactly what you want to do.

Do you mean have someone access www.external.co.uk which points to your gateway system and for apache to then access another webserver webserver.local and then send those pages to the client? - Apache can do that, we use it for that here

Or do you mean when someone access www.external.co.uk it redirects them to webserver.local and then it just serves up the pages? - apache can also do this and it is quite handy for forcing people to use SSL.

In both situations you will want to use mod_rewrite and for the first situation you will want to use mod_proxy as well.

**ICTNUT** · 3rd March 2008, 03:14 PM

Hey lonewolf,

Scenario is like this:

User opens IE at home and goes to www.john-kyrle.hereford.sch.uk this request hits our firewall and is then pushed over to our internal server and is the requested pages are served back to the user who requested the page at home.

The above works fine the problem is:

The server hosting the website is internal and has an internal DNS name as does the website (www.jkhs-pd.local) when the server pushes the pages back to the person at home all the links are broken as they are served up using the internal dns name www.jkhs-pd.local/.

ISA has the ability to change all the links from www.jkhs-pd.local to www.john-kyrle.hereford.sch.uk and then back to www.jkhs-pd.local when the request comes back in again.

Does this make more sense to you??

**Joedetic** · 3rd March 2008, 05:11 PM

You need to investigate reverse proxying.

Apache is very good at this and there are a number of tutorials on the internet that can be found via google.

http://www.apachetutor.org/admin/reverseproxies
http://httpd.apache.org/docs/2.0/mod/mod_proxy.html

**powdarrmonkey** · 3rd March 2008, 05:51 PM

It'll look something like this (from memory, so possibly not quite right):

<VirtualHost *:80>
ServerName john-kyrle.hereford.sch.uk
ServerAlias www.john-kyrle.hereford.sch.uk
ProxyRequestsOff
ProxyPass / http://your-internal-server/
ProxyPassReverse / http://your-internal-server/
</VirtualHost>

**spc-rocket** · 3rd March 2008, 07:58 PM

Originally Posted by ICTNUT

Hello all,

I am in the process of replacing our ISA firewall for a new shiny Sonicwall Pro 3060.

I have spoken to them about the issue below but womdered if it is smoething that Apache2 itself could do.

On the ISA firewall you have a thing called link translation where if you access a website (www.external.co.uk) ISA would translate all the link in the page to (www.internal.local) is this something that Apache could do?? If so how would i set it up??

If I have not made it clear what I am after please let me know.

Many thanks

ISA should be able to do this, did you set it up correctly and if so what was the problem you were having?

Going for the shiney new HW firewall for things like this is not ideal and they never match the packet inspection as the software FW do. I know a lot of people knock the isa firewall becuase it runs on on MS OS but with the right config and harderned server os using SCW you can get a really good solution using ISA server. can I ask what kinds of things were broken? when you tried to use link translation on isa. There have been lots of improvements to isa server 2006's link translatoion so you may want to try this out on virtual machine so see it the new version sorts out the issues you got.

Ash.

**ICTNUT** · 3rd March 2008, 10:57 PM

@ashok: I am not knocking ISA 2006 at all and have it working like a dream including link translation, the reason i am looking for another firewall is that ISA 2006 has a flaw in that you can no longer do SSL Tunneling i.e open as SSL tunnel on port 443 and then try to open a second connection via that tunnel to say port 3389 (RDP). This works without fail on ISA 2000 as I have this working on at least 7 pther sites, I don't know about ISA 2004

I have a Sonicwall SSL-VPN 2000 box sat behind ISA 2006, you can get the portal up no problem, you can login (verified against LDAP) no problem, try to open a link to the Terminal Server (Win Serv 2003) and bang you get kicked out with:

"Because of a protocol error, this session will be disconnected. Please try
connecting to the remote computer again."

In the ISA 2006 firewall log you simply get:

SSL Tunnel Failed Connection Attempt Port 3389

This is why I am looking at other firewalls, now I have a Sonicwall pro 3060 on eval at the moment and the SSL-VPN unit works fine but now I have lost link translation that ISA 2006 does so well.

If I am honest I would like to stay with ISA but after months of searching forums, posting to MS newsgroups, and reading numerous ISa books cover to cover I am about ready to accept defeat and look at non MS firewalls instead.

**spc-rocket** · 4th March 2008, 01:49 PM

Originally Posted by ICTNUT

@ashok: I am not knocking ISA 2006 at all and have it working like a dream including link translation, the reason i am looking for another firewall is that ISA 2006 has a flaw in that you can no longer do SSL Tunneling i.e open as SSL tunnel on port 443 and then try to open a second connection via that tunnel to say port 3389 (RDP). This works without fail on ISA 2000 as I have this working on at least 7 pther sites, I don't know about ISA 2004

I have a Sonicwall SSL-VPN 2000 box sat behind ISA 2006, you can get the portal up no problem, you can login (verified against LDAP) no problem, try to open a link to the Terminal Server (Win Serv 2003) and bang you get kicked out with:

"Because of a protocol error, this session will be disconnected. Please try
connecting to the remote computer again."

In the ISA 2006 firewall log you simply get:

SSL Tunnel Failed Connection Attempt Port 3389

This is why I am looking at other firewalls, now I have a Sonicwall pro 3060 on eval at the moment and the SSL-VPN unit works fine but now I have lost link translation that ISA 2006 does so well.

If I am honest I would like to stay with ISA but after months of searching forums, posting to MS newsgroups, and reading numerous ISa books cover to cover I am about ready to accept defeat and look at non MS firewalls instead.

Hi Ozan,

I don't know if this is any use but you may need to extend the tunnel port range - http://www.isaserver.org/articles/20...portrange.html

The above article is for isa 2004 but i suspect it might work with isa server 2006 as well.

Ash.

**lonewolff** · 4th March 2008, 02:37 PM

Originally Posted by ICTNUT

The server hosting the website is internal and has an internal DNS name as does the website (www.jkhs-pd.local) when the server pushes the pages back to the person at home all the links are broken as they are served up using the internal dns name www.jkhs-pd.local/.

This makes it sound like you have proxying working but your website is pushing out links with the FQDN in the URL - there is no need to do this - if you want to like to page2.htm in the root of the folder just link to /page2.htm not www.jkhs-pd.local/page2.htm then it will work no matter what the domain is which is used to access the site.

LinkBack

Thread Tools

Search Thread

Apache Link Translation

ISA

Tunnel port range

Similar Threads

[CLOSED] Layout Issue: English Translation

Word 2007 Translation Issue

Translation Software.

Apache on Windows with SSL.

Apache + IIS On the same box?

Thread Information

Users Browsing this Thread

Posting Permissions