Error "403 Forbidden" accessing Linux Access Gateway heartbeat URL

  • 7006205
  • 04-Jun-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway

Situation

A load balancer health-check script was set up to validate Linux Access Gateway (LAG) health. Following the documentation at https://www.novell.com/documentation/novellaccessmanager31/basicconfig/?page=/documentation/novellaccessmanager31/basicconfig/data/bafxbt1.html, a separate reverse proxy service was created for the health check.

The L4 switches required an IP address rather than the DNS name when defining the health URL - there was no additional option to set the Host HTTP header. If the IP address of the Access Gateway is 10.10.16.172, and you have configured the Access Gateway for HTTPS, the configured heartbeat had the following URL:

https://10.10.16.172:443/nesp/app/heartbeat

Generating this request caused a "403 Forbidden" response from the LAG, as it checks the Host HTTP header to determine whether or not there is a matching service.

Resolution

Create a proxy service for the health-check URL, but define the published DNS name of that proxy service as the system's IP address.

Since the L4 could not add a Host HTTP header to the health-check request, changing the proxy service so that it matches the Host header the L4 actually sends worked around the issue. The following steps explain how to do this:

1. Create a new proxy service that is used only for the health check.
2. Define the 'Published DNS Name' as the real IP address of the LAG, e.g. 192.168.30.66 (the published DNS name is the IP address itself).
3. Change the Reverse Proxy port to 8080.
4. Set the Web Server Address to 127.0.0.1 and the Connect Port to 8080.
5. Set the Protected Resource to /* (or /nesp/app/heartbeat) and make it public (no authentication required).

This allows the L4 to send the following request to the LAG and receive a success response, even though the L4 cannot set the Host HTTP header:

http://agipaddress:8080/nesp/app/heartbeat
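The following Python script is an added illustration and not part of this TID or of the Access Manager product. It models the gateway's Host-header matching that produces the 403 (a request is served only when its Host header equals a proxy service's Published DNS Name) and provides a probe that sends the heartbeat request to the gateway by IP with a chosen Host header, so the failing and the working cases can be reproduced from an administrator's workstation before the L4 is changed. The published name lag.example.com and the service tables are constructed values.

```python
"""Model the LAG's Host-header dispatch and probe the heartbeat URL (added example)."""
import http.client
import ssl

HEARTBEAT_PATH = "/nesp/app/heartbeat"

# Proxy services as the gateway sees them: Published DNS Name -> (web server, port).
# Constructed values; only the workaround entry uses the gateway IP as the name.
SERVICES_BEFORE = {"lag.example.com": ("127.0.0.1", 8080)}
SERVICES_AFTER = dict(SERVICES_BEFORE, **{"10.10.16.172": ("127.0.0.1", 8080)})


def host_name(host_header):
    """Strip an optional :port so 'lag.example.com:443' and 'lag.example.com' match alike."""
    return host_header.split(":")[0].strip().lower()


def expected_status(host_header, services):
    """Model of the gateway's dispatch: the request is served (200) only when its
    Host header names an existing proxy service; otherwise it is refused (403)."""
    return 200 if host_name(host_header) in services else 403


def probe_heartbeat(gateway_ip, port, host_header, https=True, timeout=5.0,
                    ssl_context=None):
    """Send GET /nesp/app/heartbeat to the gateway by IP with an explicit Host
    header: Host == IP mimics an L4 that cannot set Host, Host == published
    name mimics a browser. Returns the HTTP status code the gateway answers."""
    if https:
        # A certificate issued to the DNS name will not match the IP, so the
        # caller normally passes a context pinned to the gateway's own CA.
        ctx = ssl_context or ssl.create_default_context()
        conn = http.client.HTTPSConnection(gateway_ip, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(gateway_ip, port, timeout=timeout)
    try:
        # http.client sends the supplied Host header instead of generating one.
        conn.request("GET", HEARTBEAT_PATH, headers={"Host": host_header})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    for label, services in (("before", SERVICES_BEFORE), ("after", SERVICES_AFTER)):
        print(label, "workaround: Host=10.10.16.172 ->",
              expected_status("10.10.16.172", services))
```

Run probe_heartbeat("10.10.16.172", 443, "10.10.16.172") against a real gateway to see the 403 from the Situation above, and probe_heartbeat("10.10.16.172", 8080, "10.10.16.172", https=False) once the health-check proxy service exists to confirm the workaround.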
