Communicating through Forward and Reverse Proxies

The machine hosting the License Administration Tool can communicate with a license server located behind a forward proxy, and the license client and the License Administration Tool can communicate with a license server located behind a reverse proxy, as explained in the following sections.

This task shows you how to:

Implement a Forward Proxy for the License Administration Tool

The machine hosting the License Administration Tool can communicate with a license server located behind a forward proxy.

  1. Configure the forward proxy in HTTPS mode.

    Note: All of the following configuration examples reflect the configuration of an Apache 2.4 forward proxy, purely for illustration purposes, and are in no way intended to reflect other proxy configurations.

    Add the following lines to the httpd.conf file:

    ProxyRequests On
    ProxyVia On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    AllowCONNECT 4084 4085

    where the AllowCONNECT directive lists the licensing and administration tool ports.

  2. Start the License Administration Tool.
  3. Click Servers > New.
    The License Server Connection Parameters dialog box appears.

  4. Enter the name of the license server (typically the name of the machine hosting the server) and set the listening port number (default is 4084). Then select the Use a proxy server option, enter the proxy name and proxy port number, and click OK.



The License Administration Tool can now communicate with a license server located behind a forward proxy.
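
As configured above, `<Proxy *>` with `Allow from all` lets any client that can reach the proxy open CONNECT tunnels through it. The following is an added example, not part of the vendor's configuration, that limits the proxy to the License Administration Tool machine using Apache 2.4 `Require` syntax; the address 192.0.2.10 is a constructed placeholder.

```apache
# Added example: constructed values, not from the vendor documentation.
# 192.0.2.10 stands in for the machine hosting the License Administration Tool.

# AllowCONNECT is provided by mod_proxy_connect, which needs mod_proxy.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so

ProxyRequests On
ProxyVia On

# Apache 2.4 authorization syntax, used here in place of
# "Order deny,allow" / "Allow from all".
# Any client not listed is refused.
<Proxy "*">
    Require ip 192.0.2.10
</Proxy>

# CONNECT tunnels are accepted only to the licensing and administration ports.
AllowCONNECT 4084 4085
```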

Implement a Reverse Proxy for the DS License Server

The license client and the License Administration Tool can also communicate with a license server located behind a reverse proxy.

  1. Configure the reverse proxy in HTTPS mode and map the communications between the reverse proxy and the license server.

    The maps are:

    https://myreverseproxyname:443/DSLS/client https://mylicenseserver:4085/DSLS/client
    https://myreverseproxyname:443/DSLS/admin https://mylicenseserver:4084/DSLS/admin

    where myreverseproxyname is the reverse proxy hostname and mylicenseserver is the license server hostname.

    Note: All of the following configuration examples reflect the configuration of an Apache 2.4 reverse proxy, purely for illustration purposes, and are in no way intended to reflect other reverse proxy configurations.

    Uncomment the following lines in the reverse proxy configuration file (httpd.conf):

    #LoadModule proxy_module modules/mod_proxy.so
    #LoadModule proxy_http_module modules/mod_proxy_http.so
    #LoadModule ssl_module modules/mod_ssl.so
    #Include conf/extra/httpd-ssl.conf
    #Include conf/extra/httpd-default.conf

    then edit the httpd-default.conf file and reset the value of the KeepAliveTimeout parameter:

    KeepAliveTimeout 5

    to a more appropriate value, for example:

    KeepAliveTimeout 60

    Add the following lines in the SSL configuration file for the reverse proxy (httpd-ssl.conf), before the </VirtualHost> tag:

    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    ProxyPass /DSLS/client        https://mylicenseserver:4085/DSLS/client
    ProxyPassReverse /DSLS/client https://mylicenseserver:4085/DSLS/client
    ProxyPass /DSLS/admin         https://mylicenseserver:4084/DSLS/admin
    ProxyPassReverse /DSLS/admin  https://mylicenseserver:4084/DSLS/admin

    where mylicenseserver is the name of your license server.

    Install your own certificate or a self-signed certificate you can generate by following the instructions on this site:

    http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#selfcert

    This certificate will be presented by the reverse proxy to the license client and the License Administration Tool.

  2. Configure all licensing client computers to point to the reverse proxy.

    To do so, add the following declaration to the DSLicSrv.txt file on each licensing client:

    myreverseproxyname:443

    where myreverseproxyname is the reverse proxy name and 443 is the proxy port number (443 by default).

  3. If you also want the License Administration Tool to be able to cross the reverse proxy, configure the License Administration Tool to point to the reverse proxy.

    To do so, start the License Administration Tool and click Servers > New. When the License Server Connection Parameters dialog box appears, specify the reverse proxy hostname (rever1dsy in our example) in the License server name field (instead of the license server name), and set the SSL port number (443 by default) in the Administration port field.

    Only select the Use a proxy server option if you are also using a forward proxy.

    Note: If you are using a failover cluster, you need to set up three ports on the reverse proxy, corresponding to the three license servers. For example, the DSLicSrv.txt file on each licensing client may contain in this case:
    myreverseproxy:443, myreverseproxy:444, myreverseproxy:445

    Once the reverse proxy has been implemented, the reverse proxy name appears in the Administration tab, the Usage Per User tab and in its detailed view.

The licensing clients and the License Administration Tool can now communicate with a license server located behind a reverse proxy.
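
The httpd-ssl.conf lines in step 1 turn off every check on the license server's certificate (SSLProxyVerify none, SSLProxyCheckPeerCN off, SSLProxyCheckPeerName off), so the reverse proxy cannot tell the license server from another host answering on that name. The following is an added example, not part of the vendor's configuration, that verifies the backend and restricts the administration mapping; the CA file path and the address 192.0.2.10 are assumptions, as is a license server certificate that names mylicenseserver.

```apache
# Added example: goes inside the reverse proxy's <VirtualHost> in httpd-ssl.conf.
# Assumptions (not from the vendor documentation):
#   - conf/ssl/dsls-backend-ca.pem is a hypothetical path holding the CA
#     certificate that signed the license server's certificate
#   - that certificate names mylicenseserver
#   - 192.0.2.10 stands in for the License Administration Tool machine
SSLProxyEngine on

# Verify the license server's certificate instead of accepting any peer.
SSLProxyVerify require
SSLProxyCACertificateFile "conf/ssl/dsls-backend-ca.pem"

# Reject a backend certificate whose name does not match the ProxyPass
# hostname, or that has expired.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

ProxyPass        /DSLS/client https://mylicenseserver:4085/DSLS/client
ProxyPassReverse /DSLS/client https://mylicenseserver:4085/DSLS/client
ProxyPass        /DSLS/admin  https://mylicenseserver:4084/DSLS/admin
ProxyPassReverse /DSLS/admin  https://mylicenseserver:4084/DSLS/admin

# Only administration hosts may reach the admin mapping through the proxy.
<Location "/DSLS/admin">
    Require ip 192.0.2.10
</Location>
```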