Forum Discussion
martyn
Altostratus
AltostratusCheckpoint Web Smartconsole behind reverse proxy.
Does anyone have any experience at trying (and hopefully suceeding) to put a Checkpoint (CP) FW Provider-1 based web smartconsole behind a reverse proxy. The thing is that CP use local IP addresses ...
Jeff_Granieri
Employee
EmployeeHi Martyn,
I have not tried this setup before, so please take caution and ensure you test this in a NON-Prod environment.
From a BIG-IP config perspective you will likely need:
- HTTPS VS listening on 443 using a FQDN so smart console traffic comes here first
- Create a pool of all Checkpoint MGT servers, if these are on different servers or use different backend IP's this pool will need to be setup more dynamically. I suggest start with 1 backend first.
- Use a HTTP + Stream + Web Socket Profile ( may need to remove stream profile .. TBD)
- Use SNAT - Auto-Map
- Need's an IruleLX plugin created and an irule to call it... so create the IruleLX first
const f5 = require('f5-nodejs'); const url = require('url'); const ilx = new f5.ILXServer(); ilx.addMethod('rewriteTransportUrl', function(req, res) { const payload = req.params()[0]; // Original JSON string let json; try { json = JSON.parse(payload); } catch (e) { return res.reply(payload); // Return original if invalid JSON } const newHost = req.params()[1]; // External host (e.g., smartconsole.example.com) // Access nested transportUrl if (json.data && json.data.loginToDomain && json.data.loginToDomain.transportUrl) { const oldUrl = url.parse(json.data.loginToDomain.transportUrl); const internalHost = oldUrl.host; // Extract internal host (e.g., 100.64.20.29:443) const ott = json.data.loginToDomain.transportOtt || ''; // Extract OTT // Rewrite host oldUrl.host = newHost; json.data.loginToDomain.transportUrl = url.format(oldUrl); // Return array: [rewritten JSON, OTT, internalHost] res.reply([JSON.stringify(json), ott, internalHost]); } else { res.reply([payload, '', '']); // No match, return original } }); ilx.listen();Now create the Irule:
when RULE_INIT {
# Define subtable for OTT mappings (global, with TTL)
set static::ott_map_ttl 3600; # 1 hour timeout
set static::json_uri_pattern "/smartconsole"; # URI pattern for JSON responses (adjust if specific)
}
when CLIENT_ACCEPTED {
# Initialize iRulesLX handle (once per connection)
set rpc_handle [ILX::init "json_rewrite_ws_plugin" "json_rewrite_extension"]
}
when HTTP_REQUEST {
# Handle WebSocket upgrade requests to /smartconsole/transport
if { [HTTP::uri] starts_with "/smartconsole/transport" && [HTTP::header exists "Upgrade"] && [string tolower [HTTP::header "Upgrade"]] eq "websocket" } {
# Extract OTT from query param (e.g., ?ott=uuid)
set ott [URI::query [HTTP::uri] ott]
if { $ott ne "" } {
# Lookup internal host from table
set internal_host [table lookup -subtable "ott_map" $ott]
if { $internal_host ne "" } {
# Route to the correct node (assume port 443)
node [lindex [split $internal_host ":"] 0] 443
} else {
# Fallback: reject or default pool
reject
}
} else {
# No OTT: reject or log
log local0. "WebSocket request without OTT: [HTTP::uri]"
reject
}
}
}
when HTTP_RESPONSE {
# Collect JSON responses for rewriting (check URI or Content-Type)
if { [HTTP::header Content-Type] contains "application/json" && [HTTP::status] == 200 && [HTTP::uri] contains $static::json_uri_pattern } {
HTTP::collect [HTTP::header Content-Length]
}
}
when HTTP_RESPONSE_DATA {
# Call iRulesLX to rewrite JSON and extract OTT/internalHost
set payload [HTTP::payload]
set result [ILX::call $rpc_handle "rewriteTransportUrl" $payload [HTTP::host]]
# Result is list: {rewritten_json ott internal_host}
set rewritten_json [lindex $result 0]
set ott [lindex $result 1]
set internal_host [lindex $result 2]
if { $ott ne "" && $internal_host ne "" } {
# Store mapping in table
table set -subtable "ott_map" $ott $internal_host $static::ott_map_ttl
}
# Replace payload with rewritten JSON
HTTP::payload replace 0 [string length $payload] $rewritten_json
}Ensure the irule is applied to the VS and give it a go... I have not tested this out so there may be plenty of errors.
