Adding HTTP access services

Add one or more HTTP access services to provide secure access to internal applications for remote users who do not have the full HCL SafeLinx VPN client (SafeLinx Client) installed.

About this task

An HTTP access service provides a secure tunnel for HTTP communication from any HTTP Version 1.1. client. HTTP access services support client-less access so that HTTP applications can connect to internal network resources even though a VPN client is not installed on the remote device.

After you install the SafeLinx Server, you can add a single HTTP access service during the initial configuration procedure. You use the Add an HTTP Access Service wizard to add a service that is configured with some basic settings. Afterward, you can edit the service properties from the SafeLinx Administrator to modify and fine-tune settings. You can also run the wizard again to add more HTTP access services to support other applications and users.

Complete the following procedure to add an HTTP access service and specify values for basic properties.

Procedure

  1. From the Resources page in SafeLinx Administrator, right-click the SafeLinx Server to which you want to add the service and then click Add > HTTP Access Service.
  2. In the Service URL (https://) field, type the URL that device users must specify to connect to the SafeLinx Server.
    The service URL must be accessible from any Internet-connected device.

    Typically, the service URL points to the name of the target server that users configure in their client HTTP application, for example, https://connections.renovations.com.

    If you use a load balancer to distribute traffic to multiple SafeLinx Server nodes, you can specify multiple URLs values in this field. For each URL entry, specify the IP address of the node rather than its host name. Type a space character between URL entries.

    You might also minimize the number of Internet hosts you support by configuring the service URLs on multiple HTTP access services to resolve to a single IP address. The SafeLinx Server then distributes traffic that it receives for each URL to the HTTP access service whose host name appears in the Host token of the HTTP header. For more information, see Consolidation of multiple HTTP access services under one IP address.
  3. In the TCP port to listen on field, type the port number that the SafeLinx Server listens on for this service.
    Traffic to this port might be redirected from an unsecured port.
  4. In the Application server URL field, specify the full URL -- protocol (HTTP or HTTPS), and host name or IP address -- of the application server to which this HTTP access services forwards authenticated traffic.

    The service can forward traffic to more than one application server and you can use a variety of formats in this field. For more information, see Configuring HTTP access: Single URL

    You can skip this step during the initial configuration and then edit the service properties later to designate the application servers that the service supports.

    .
  5. In the Authentication profile field, open the list and click the authentication profile to assign to this HTTP access service. The profile that you assign determines how users authenticate when they access applications through the HTTP access service.
    You can assign previously configured authentication profiles only. If you did not yet create the profile that you want to assign, skip this step now, and edit the service properties later to assign the profile.
  6. To support single sign-on, in the Session cookie domain field, type the name of the DNS domain to set in HTTP active session cookies that client applications send to the SafeLinx Server.
    To eliminate redundant authentication challenges, reduce session data, and improve management of active sessions, enable single sign-on between HCL SafeLinx and internal application servers. Typically, you would list the same domain that you specified in the Service URL field, but you can specify a more general or more specific domain.
    Note: The domain that you specify in this field takes precedence over the SSO cookie domain that is specified in any authentication profile that is assigned to this HTTP access service.
  7. In the Maximum number of processing threads field, specify the maximum number of threads that the service uses to process connections.
    The HTTP access service assigns sessions to the available threads on a round-robin basis. In general, the service requires 1 thread for every 200 devices, but certain application might require higher values. You can assign values 1 - 10. For more information, see the technote, General Sizing Guide for HCL SafeLinx's HTTP Access Services.
  8. In the Maximum idle time field, specify the maximum time in minutes that connections from the service to HTTP servers or HTTP clients can remain unused before they are closed.
  9. In the Redirect HTTP ports field, list the non-secure HTTP ports that you want the SafeLinx Server to redirect to the secure listening port.
    For example, if you type 80, and a user requests a connection to HTTP://inotes.myco.com, the HTTP access service redirects this request to the secure HTTP (HTTPS) port (typically, 443).
    Separate entries in the list with a comma.
    Traffic received on the unsecured HTTP port (http://st.safelinx.renovations.com) is redirected to https://st.safelinx.renovations.com, rather than being rejected.
  10. If you want this service to accept traffic that is sent to a specific IP address only, select Bind port to a specific address, and then type the IP address in the Address to bind to field.

    The address that you specify can be an IP alias or the address of a particular network interface card that is installed on the SafeLinx Server.

    Select this field to enable port reuse. When this setting is enabled, this HTTP access service accepts connections only from applications that specify a destination address that matches the address in the Address to bind to field.

    You might enable this setting to have several HTTP access services to listen on a single port, such as port 443. The Connection Manager examines the destination address of traffic that it receives on the common port and distributes it to the HTTP access service that is bound to that address.

Results

After you complete the fields in the wizard and click Finish, the service is added to the SafeLinx Server. Before the service is ready for use, you must complete further configuration. For information about more configuration tasks for the HTTP access service, see the topics that follow.