ASBCE Proxy Reverse to SMGR - No Login screen

Status
Not open for further replies.

vtt2019

Technical User
Jul 6, 2019
Hi Specialists:
I have an SBC Remote Worker configuration working as expected (J100 Phone ---(TLS)--- SBC r7.2 ---(TLS)--- SM r7.1). The phone is registered to SM and there are no problems with calls in any direction. I am using both profiles in the SBC for this configuration: TLS CLIENT (which includes the CA CERTIFICATE from SMGR) and TLS SERVER (which includes the Certificate ID for the SBC created in SMGR). I now need to create a REVERSE PROXY configuration in the SBC to connect my station (web browser) to SMGR from the Internet (I am using this PDF document as a guide ( - pages 67, 68, 69)). When I try to connect to the SBC Public IP Address (B1 - port 443), at the beginning all seems fine (looking at traces with Wireshark, TLS Client and TLS Server Hellos are flowing in both directions), and after that the attached message appears in my browser (see JPG file below). Then I click on the LOGON button, the screen goes blank and it stops; it never returns any other message.
Of course, if I try to connect to SMGR from my local network (using the same Windows machine), there are no problems at all, because I previously installed the CA CERTIFICATE on that machine. I simply receive a login screen (username + password) and all works as expected.

Please give me some advice to figure out what is happening!!
 
I tried and gave up.

Google up nginx reverse proxy for jboss and you'll see there's some voodoo to do to make the session sticky.

SMGR is just behaving like that re: the cert because you have a cert loaded on your SBC that it's providing in the 2-way TLS handshake. You'd need a different client profile with no cert for mutual TLS at the least - otherwise, even if you could make it work, anyone coming in on the reverse proxy assumes the account of the CN of the cert you're doing 2-way TLS to SMGR with.

Still, nginx+jboss=pain. I'd look at doing it with a load balancer/app delivery controller/F5 or NetScaler thing that is intended to be the front door for all web traffic in an enterprise. If you find the magic nginx config, feel free to post it.

But I don't trust the SBC to not corrupt configs for other reverse proxies because you went in the nginx conf files to build something custom.
 
Thanks Kyle555:
I was thinking of another way. I have tried the same Proxy Reverse config with another internal web server (Station ---(HTTPS)--- SBC ---(HTTP)--- WebServer) and it works, no surprise.
Question: is there some way to access the SMGR console using HTTP (port 80)? I know that in SMGR HTTP is redirected to HTTPS by default (how could I change that?) and it is not secure, bla, bla, bla, but at least it would be useful for testing purposes.
Please guide me!!
 
Hi Kyle555, I did it. As you said, SMGR is a different beast. You need to follow 3 steps:
1) Create a second TLS SERVER PROFILE installing a new Certificate ID in SBC with CN and SAN DNS equal to your SMGR FQDN in your internal domain (CN = smgr.internaldomain).
2) Create a REVERSE PROXY rule (port 443, external and internal) using the new TLS SERVER PROFILE and the same TLS CLIENT PROFILE as before (which is based on the same CA Certificate).
3) Connect to (in this case, you need to match smgr.externaldomain = smgr.internaldomain) and you get the same login screen as always!!

I hope it is useful for someone else.
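Steps 1 and 3 above hinge on the certificate in the new TLS server profile covering the exact name typed into the browser. The following is an added example, not part of the original posts and not Avaya tooling, that checks this on a certificate shaped like the output of Python's `ssl.getpeercert()`. All function names are hypothetical, the sample certificate is constructed from the placeholder names in the post, and `fetch_cert` assumes you have the SMGR CA certificate as a PEM file.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from subjectAltName of a dict shaped like ssl.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_name(cert):
    """Subject CN, or None. Browsers ignore the CN and look only at the SAN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_profile_cert(cert, fqdn):
    """Report whether the certificate covers the FQDN used in the browser."""
    sans, cn = san_dns_names(cert), common_name(cert)
    return {
        "san_match": any(name_matches(s, fqdn) for s in sans),
        "cn_match": cn is not None and name_matches(cn, fqdn),
        "san_names": sans,
    }

def fetch_cert(host, port, cafile, server_name):
    """Fetch the certificate presented on host:port, chain-validated against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the name check is done by check_profile_cert
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()

# Constructed sample; names are the placeholders used in the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "smgr.internaldomain"),),),
    "subjectAltName": (("DNS", "smgr.internaldomain"),),
}
```

Calling `check_profile_cert(SAMPLE_CERT, "smgr.internaldomain")` reports a SAN match, while any other external name reports none, which is the condition step 3 describes.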
 
Seriously? You were able to log in and do stuff in SMGR from the internet through an SBC reverse proxy?

Hats off to you, dude.
 