Secure Mobile Access 12.4 Administration Guide

Adding Web Application Profiles

The Web translation that AMC performs is more complete and robust in recent versions of the appliance software. Beginning in version 10.x, it is no longer possible to revert to the legacy translation for Web application profiles that worked in version 8.6.x.

Web application profiles control single sign-on characteristics, as well as content translation options for a particular Web resource. Each Web resource should have a Web application profile associated with it.

  • Single sign-on options control whether and how a user’s login credentials are forwarded to downstream Web applications. These options are disabled by default. In addition, one of the following is required to configure single sign-on:

    • Click Use Web content translation on the User Access > WorkPlace > Settings page in the AMC.

    • Define a WorkPlace link as an aliased URL. This is the approach you should take if you normally redirect traffic through a network agent, but in this case you want to force the resource to be proxied using translated, custom port mapped, or Exchange server FQDN mapped Web access for single sign-on.

    For more information, see Web Shortcut Access and Configuring WorkPlace General Settings.

    You can configure single sign-on when you create a WorkPlace shortcut for accessing a Windows Terminal Services or Citrix host. See Adding Graphical Terminal Shortcuts to Individual Hosts.

  • Content translation options control whether hyperlinks in JavaScript code, in cookie bodies, and in cookie paths are translated by the Web proxy service. The options are used only by the translated Web access agent: they are ignored by standard Web access.

Web application profiles are not used if Web shortcut access is set to Redirect through network agent on the Configure WorkPlace page in AMC. See Configuring WorkPlace General Settings.

To add a Web application profile

  1. In the AMC, navigate to System Configuration > Services.

  2. In the Access Services section, click the Configure link under Web proxy service.

    The Web Proxy Service page displays.

  3. Click the Web Application Profiles tab.

  4. Click the + (New) icon.

    The Add Web Application Profile page displays.

  5. In the Name field, type a name for the profile. If you are creating a profile to associate with a specific application, you might want to give it a name similar to that of the application.

  6. In the Description field, type a descriptive comment about the profile.

  7. In the Single Sign-On area, specify if and how you want user credentials to be passed along to the Web resource. Forwarding user credentials prevents the user from having to log in multiple times (once to get to the appliance, and again to access an application resource).

    • If you select the Forward each user’s individual username and password checkbox, the username and password used to authenticate to WorkPlace are forwarded to the back-end Web server.
    • If you select the Forward static credentials checkbox, the appliance forwards the same username and password for all users. This is useful for Web sites that require HTTP basic authentication, but don’t provide personalized content for each user based on the login name. It’s also useful for users who authenticate with a client certificate or token.
    • If you do not select either option, single sign-on functionality is disabled. If you select both options, the individual username and password option takes precedence. For example, if the user provides a username/password pair, it is forwarded, but if username/password is not provided, the Web proxy service forwards the static credentials.
    • If you select the Enable Kerberos single sign-on checkbox and specify the Kerberos realm where the resources are hosted, WorkPlace and Connect Tunnel users can access http resources. This realm is used for authenticating environments like Active Directory, Active Directory Tree, and Active Directory Forest where Kerberos is configured as a preferred authentication mechanism.
  8. In the Dynamic Single Sign-On area, configure the Dynamic Single Sign-On profile or select from the dropdown. For more information on how to configure, see Creating Forms-Based Dynamic Single Sign-On Profiles.
  9. In the Content translation area, select the items that you want the Web proxy service to translate.

    • Select the Translate JavaScript code checkbox if you want the Web proxy service to translate links embedded in JavaScript code used by the Web resource. This is useful for JavaScript that contains absolute URLs or absolute references (/to/path/xyz), or that dynamically generates URLs (for example, location=“http://” + host name + “/index.html”). This improves compatibility with Microsoft Outlook Web Access and other applications that rely on JavaScript. This option is enabled by default.

      However, if you notice problems with searching mail based on the Subject, From, or Sent To fields, or if you see an error after logging in when you access OWA using a WorkPlace shortcut, clear the Translate JavaScript code checkbox for the OWA profile.

    • Select the Translate content based on file extension checkbox if you want the Web proxy service to determine content type by examining the file extension, not the MIME type. Normally, the Web proxy service translates certain content types (including text and HTML). It determines the content type from the MIME type in the HTTP header. If a Web resource is sending the incorrect MIME type, select this option and the Web proxy service will decide whether or not to translate a file based on its file extension. This option is disabled by default.
    • Select the Translate cookie body checkbox if you want the Web proxy service to translate URLs embedded in the body of a cookie. If a Web resource uses embedded URLs in the body of a cookie (which is not common practice), and you do not have this option enabled, users can experience problems. A common symptom is being unexpectedly redirected to another URL. This option is enabled by default.
    • Select the Translate cookie path checkbox if you want the Web proxy service to translate the path attribute of cookies sent by back-end resources. The browser uses cookie paths to determine when to send a cookie back to the server. The appliance changes the path that the browser sees, so if the cookie path is not translated, the browser will never send the cookie. A common symptom of this situation is a user being prompted repeatedly for login credentials after already entering valid ones. If this occurs, you should enable this option. This option is enabled by default.
    • Select the Translate WebSocket URL checkbox if you want the Web proxy service to translate URL argument of WebSocket Javascript function calls. Selecting this option enables SMA to support all the HTML5 WebSocket based applications.
  10. Click Save.

Was This Article Helpful?

Help us to improve our support portal

Techdocs Article Helpful form

Techdocs Article NOT Helpful form

  • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.