IBM Verify

@Scott Exton: dear Scott, Could you guide me how to intergrate webseal reverse proxy behind the external WAF (i'm using imperva appliance) with ssl end-to-end, i don't find any IBM documents about this topic for IBM IAM/ISVA intergration. for this intergration, what importance params need to configure in webseal reverse-proxy?

thank you very much

If Imperva is sending HTTP requests to the Web Reverse Proxy you can set the following to allow the Reverse Proxy to accept that traffic:

[server]
...
web-http-port = 443
web-http-protocol = https

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-port

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-protocol

Try that out and confirm whether you get positive results.

Thank JACK and Scott Exton, we try to configure with your options in Reverse Proxy, but it's not right option, we still got the error code: DPWIV1227W . 

Then we try reconfigured in WAF with option encrypt in virtual service, it's worked nice, current we check logs request, message log in webseals, we don't find any information about real client' IP, we only find the WAF's IP which facing with reverse-proxy, in LB, WAF we also configured with x-forwarded-for option in header request. do you have any idea for this usecase?

If Imperva is sending HTTP requests to the Web Reverse Proxy you can set the following to allow the Reverse Proxy to accept that traffic:

[server]
...
web-http-port = 443
web-http-protocol = https

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-port

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-protocol

Try that out and confirm whether you get positive results.

Thank JACK and Scott Exton, we try to configure with your options in Reverse Proxy, but it's not right option, we still got the error code: DPWIV1227W . 

Then we try reconfigured in WAF with option encrypt in virtual service, it's worked nice, current we check logs request, message log in webseals, we don't find any information about real client' IP, we only find the WAF's IP which facing with reverse-proxy, in LB, WAF we also configured with x-forwarded-for option in header request. do you have any idea for this usecase?

If Imperva is sending HTTP requests to the Web Reverse Proxy you can set the following to allow the Reverse Proxy to accept that traffic:

[server]
...
web-http-port = 443
web-http-protocol = https

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-port

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-protocol

Try that out and confirm whether you get positive results.

thank Scott, how do I configure WebSEAL to use X-forward-For HTTP header from external WAF?

Thank JACK and Scott Exton, we try to configure with your options in Reverse Proxy, but it's not right option, we still got the error code: DPWIV1227W . 

Then we try reconfigured in WAF with option encrypt in virtual service, it's worked nice, current we check logs request, message log in webseals, we don't find any information about real client' IP, we only find the WAF's IP which facing with reverse-proxy, in LB, WAF we also configured with x-forwarded-for option in header request. do you have any idea for this usecase?

If Imperva is sending HTTP requests to the Web Reverse Proxy you can set the following to allow the Reverse Proxy to accept that traffic:

[server]
...
web-http-port = 443
web-http-protocol = https

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-port

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-protocol

Try that out and confirm whether you get positive results.

thank Scott, how do I configure WebSEAL to use X-forward-For HTTP header from external WAF?

Thank JACK and Scott Exton, we try to configure with your options in Reverse Proxy, but it's not right option, we still got the error code: DPWIV1227W . 

Then we try reconfigured in WAF with option encrypt in virtual service, it's worked nice, current we check logs request, message log in webseals, we don't find any information about real client' IP, we only find the WAF's IP which facing with reverse-proxy, in LB, WAF we also configured with x-forwarded-for option in header request. do you have any idea for this usecase?

If Imperva is sending HTTP requests to the Web Reverse Proxy you can set the following to allow the Reverse Proxy to accept that traffic:

[server]
...
web-http-port = 443
web-http-protocol = https

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-port

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-protocol

Try that out and confirm whether you get positive results.

yes Scott, we'll use it in policy decisions (in a POP), in the request log

thank Scott, how do I configure WebSEAL to use X-forward-For HTTP header from external WAF?

Thank JACK and Scott Exton, we try to configure with your options in Reverse Proxy, but it's not right option, we still got the error code: DPWIV1227W . 

Then we try reconfigured in WAF with option encrypt in virtual service, it's worked nice, current we check logs request, message log in webseals, we don't find any information about real client' IP, we only find the WAF's IP which facing with reverse-proxy, in LB, WAF we also configured with x-forwarded-for option in header request. do you have any idea for this usecase?

If Imperva is sending HTTP requests to the Web Reverse Proxy you can set the following to allow the Reverse Proxy to accept that traffic:

[server]
...
web-http-port = 443
web-http-protocol = https

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-port

https://www.ibm.com/docs/en/sva/10.0.7?topic=stanza-web-http-protocol

Try that out and confirm whether you get positive results.