Configuring a Microsoft ISA Server to serve Agile Platform web applications

Configuring a Microsoft ISA Server to serve Agile Platform web applications

  

Overview

In a customer that already has several web applications and web pages being served, it is frequent to find a Microsoft Internet Security and Acceleration (ISA) Server as a firewall/gateway between the internet and internal servers. In this scenario, it is possible to use an ISA server as an intermediary between the users and the Agile Platform, but some requirements must be observed to make sure everything works as expected.

This tutorial works for both the Agile Platform for .NET and Java, either with accesses being made via HTTP or HTTPS. I begin with illustrating the basics, then I focus on 3 scenarios: HTTP --> HTTP, HTTPS --> HTTPS and HTTPS --> HTTP.

In the below examples, www.publicname.com will be the URL used by the end-users, and outsys.mydomain.org is the internal name of the OutSystems server.


The basics

In order to access the Agile Platform, you need to make sure that:

  •  The original host header is sent to the Agile Platform server. The Agile Platform uses this name when generating URLs that go in the pages, so you need to do this to prevent the existance of links to http://outsys.mydomain.org/something in the page;
     
  • You need to have all eSpaces that are used somehow by your application available from the outside world. This means that, if you have an eSpace myApp that uses a page in EnterpriseManager eSpace for logging in, and images from a ImageRepository eSpace, then you need have the following URLs visible from the outside world:

    http://www.publicname.com/myApp/
    http://www.publicname.com/EnterpriseManager/
    http://www.publicname.com/ImageRepository/

    If in doubt, you can allow all eSpaces to be visible from outside, and possible use other mechanisms (like authentication, Zones and Internal Network) to prevent unauthorized access;
     
  • Your eSpaces must be mapped with the same name as they have in the OutSystems server. So if you want to make an eSpace available as www.publicName.com/myApp but the eSpace is called UserApp, make sure that both www.publicname.com/myApp and www.publicname.com/UserApp will work.

The last topic brings a discussion about namespaces. If you are to make an eSpace www.publicname.com/myApp available from outside, you need to make sure that no other thing named www.publicname.com/myApp exists, otherwise you will have conflicts and things will not work.


HTTP --> HTTP or HTTPS --> HTTPS

This is the simpler scenario. Make sure to configure as follows:

  •  Under the To tab, enter the internal name of the server outsys.mydomain.org and enable the option "Forward the original host header instead of the actual one";
  •  In the Public Name tab, configure it appropriately (in our example, www.publicname.com);
  •  Configure the Bridging and From tabs to redirect to the method you see appropriate: HTTP, HTTPS or both;
  •  By default, you will not need Link Translation, so leave it off.

You may also want to configure the redirect rules in the Paths tab to make only certain paths available from the outside world. Make sure to configure redirection with equal External and Internal path, e.g.:

  •   /Enterprise/*        --> /Enterprise/*
  •   /EnterpriseManager/* --> /EnterpriseManager/*

Always use equal external path and internal path (option same as published folder). If you had the scenario described in the basics (you have an eSpace UserApp that you wish to make available as myApp), you should create a virtual directory myApp pointing to the running folder of UserApp, and create the appropriate rules:

  •   /myApp/*   --> /myApp/*
  •   /UserApp/* --> /UserApp/*

 

Finally
 

I will discuss HTTPS --> HTTP in a later post. For now, I just want to say that it is possible, but it will give you more problems and will be more error-prone than HTTP-->HTTP or HTTPS-->HTTPS. Also, since you can always get in SSL certificate for your OutSystems server for free - either with SelfSSL or from the organization Certification Authority, you should opt for this alternative when the traffic is to be via HTTPS.

Feel free to post your remarks and real life experiences with ISA Server and the OutSystems Platform, as they may be useful for other users and customers.