Error "403 Forbidden" accessing Linux Access Gateway heartbeat URL

  • 7006205
  • 04-Jun-2010
  • 26-Apr-2012


Novell Access Manager 3.1 Linux Access Gateway


A load balancer healthcheck script was set up to validate Linux Access Gateway (LAG) health. Following the documentation at a separate reverse proxy service was created for the health check.

The L4 switches required an IP address rather than the DNS name when defining the health URL - there was no additional option to set the Host HTTP header. If the IP address of the Access Gateway is, and you have configured the Access Gateway for HTTPS, the configured heartbeat had the following URL:

Generating this request caused a "403 Forbidden" response from the LAG, as it checks the Host HTTP header to determine whether or not there is a matching service.


Create a proxy service for the healthcheck URL, but define the DNS name of the proxy service using the system's IP address.

Since we could not add a Host HTTP header to the healthcheck request from the L4, changing the proxy service to match the incoming HTTP host header worked around the issue. The following steps explain how to do this:

1. Create a new Proxy that is used for the healthcheck
2. Define the 'Published DNS Name' as the real IP address of the LAG e.g.  <== published DNS name is the IP address.
3. Change Reverse Proxy to 8080
4. Web Server Addresses is and Connect Port is 8080
5. Protected Resource is /* (or /nesp/app/heartbeat) and we have to make it public (without authentication)

This will allow the L4 to send the following request to the LAG and get a success back, in the case where the L4 cannot set the Host HTTP header:

http://agipaddress:8080/nesp/app/heartbeat
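
One way to check the workaround from a monitoring host, as an added example that is not part of the original article: `probe` sends the heartbeat request with the Host header that an L4 switch unable to set Host would produce. So that it runs offline, it is pointed at a constructed local stand-in server, which is a simplified model of Host-based service matching and not Access Gateway code. The name `health.example.com` and all helper names are assumptions.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

HEARTBEAT_PATH = "/nesp/app/heartbeat"  # heartbeat path from the article


def probe(ip, port, host_header=None, path=HEARTBEAT_PATH, timeout=5):
    """GET the heartbeat and return the HTTP status code.

    With host_header=None the Host header is "ip:port", which is what a
    health checker sends when it is configured with an IP address only.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        headers = {"Host": host_header} if host_header else {}
        conn.request("GET", path, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def make_stand_in(published_names):
    """Constructed stand-in: 200 if Host matches a published name, else 403."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            host = (self.headers.get("Host") or "").rsplit(":", 1)[0].lower()
            ok = host in published_names and self.path == HEARTBEAT_PATH
            self.send_response(200 if ok else 403)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):  # silence per-request logging
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def compare(published_names):
    """Return (status with IP-only Host, status with DNS-name Host)."""
    server = make_stand_in(published_names)
    ip, port = server.server_address
    try:
        return probe(ip, port), probe(ip, port, "health.example.com")
    finally:
        server.shutdown()
        server.server_close()
```

Against a real gateway, call `probe` with the gateway's IP address and port 8080 and expect 200 once the published DNS name has been set to that IP address.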