I'd like to know if Cisco ACE can be used as a reverse proxy specifically for System Center 2012 R2 and also have it filtered to only allow a specific list of non-standard HTTP verbs through. We would like to see if we can place an ACE device in our DMZ that will forward traffic from our Internet-based laptops through to our internal Config Manager server only after it passes device certificate authentication and inspects the packets to ensure only approved traffic types get through even after passing authentication.
Can you configure ACE as a reverse proxy that only allows a set list of custom HTTP methods through to an internal server?
http://technet.microsoft.com/en-us/library/gg712701.aspx
- Support HTTP 1.1
- Allow HTTP content type of multipart MIME attachment (multipart/mixed and application/octet-stream)
- Allow the following verbs for the Internet-based management point:
- HEAD
- CCM_POST
- BITS_POST
- GET
- PROPFIND
- Allow the following verbs for the Internet-based distribution point:
- Allow the following verbs for the Internet-based fallback status point:
- Allow the following HTTP headers for the Internet-based management point:
- Range:
- CCMClientID:
- CCMClientIDSignature:
- CCMClientTimestamp:
- CCMClientTimestampsSignature:
- Allow the following HTTP header for the Internet-based distribution point:
Note: Refer to your firewall or proxy server documentation for configuration information to support these requirements. For similar communication requirements when using the software update point for client connections from the Internet, see the documentation for WSUS. For example, for WSUS on Windows Server 2003, see the deployment appendix for security settings: http://go.microsoft.com/fwlink/?LinkId=143368
- SSL bridging to SSL:
The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging.
The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider the proxy web server to be the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP.
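As an added example (not part of the question above, and not Cisco ACE configuration or Microsoft's own code), the following Python model spells out the allow-list the quoted TechNet requirements describe for the Internet-based management point: the exact verbs, the body content types, and the headers that must survive the proxy unchanged. It is meant as a reference to check a device policy against. Only the management point lists are populated, because the distribution point and fallback status point verb lists are not reproduced on this page; those roles therefore fail closed. The sample requests, paths and header values are constructed, and the choice to require HTTP/1.1 on the request line is an assumption made here.

```python
"""Model of the allow-list a DMZ reverse proxy must enforce in front of a
Configuration Manager Internet-based management point (added example)."""
import re
from dataclasses import dataclass, field

# Verbs from the TechNet requirements quoted above (management point only).
# DP and FSP lists are not on this page, so they stay empty and fail closed.
ALLOWED_METHODS = {
    "management_point": {"HEAD", "CCM_POST", "BITS_POST", "GET", "PROPFIND"},
    "distribution_point": set(),
    "fallback_status_point": set(),
}
# Headers the management point relies on; the proxy must forward them as-is.
PASSTHROUGH_HEADERS = {
    "management_point": {"range", "ccmclientid", "ccmclientidsignature",
                         "ccmclienttimestamp", "ccmclienttimestampssignature"},
}
ALLOWED_BODY_TYPES = {"multipart/mixed", "application/octet-stream"}
# Hop-by-hop headers (RFC 7230 section 6.1) that a proxy must not forward.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate",
              "proxy-authorization", "te", "trailer", "upgrade"}
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 token


@dataclass
class Decision:
    allowed: bool
    reason: str
    forward: dict = field(default_factory=dict)   # headers to send upstream


def parse_head(raw: bytes):
    """Strictly parse a request head; return (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")   # non-ASCII is an error
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = parts
    if not TCHAR.match(method):
        raise ValueError("method is not an RFC 7230 token")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not TCHAR.match(name):
            raise ValueError("malformed header line")
        headers[name.lower()] = value.strip()
    return method, target, version, headers


def filter_request(raw: bytes, role: str = "management_point") -> Decision:
    """Decide whether an already certificate-authenticated request may be forwarded."""
    try:
        method, _target, version, headers = parse_head(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return Decision(False, f"malformed: {exc}")
    if version != "HTTP/1.1":          # assumption: only HTTP/1.1 clients expected
        return Decision(False, f"unsupported version {version}")
    # Exact, case-sensitive match: "POST", "ccm_post" or "OPTIONS" all fail here.
    if method not in ALLOWED_METHODS.get(role, set()):
        return Decision(False, f"method {method} not allowed for {role}")
    has_body = (headers.get("content-length", "0") != "0"
                or "transfer-encoding" in headers)
    if has_body:
        media = headers.get("content-type", "").split(";", 1)[0].strip().lower()
        if media not in ALLOWED_BODY_TYPES:
            return Decision(False, f"body type {media or '<none>'} not allowed")
    forward = {k: v for k, v in headers.items() if k not in HOP_BY_HOP}
    # Sanity check: stripping must never remove a header the MP authenticates with.
    assert PASSTHROUGH_HEADERS.get(role, set()) & set(headers) <= set(forward)
    return Decision(True, "ok", forward)


# Constructed sample requests (not captured traffic; paths are illustrative).
CCM_POST_REQ = (b"CCM_POST /ccm_system/request HTTP/1.1\r\n"
                b"Host: mp.example.com\r\n"
                b"CCMClientID: GUID:constructed\r\n"
                b"CCMClientIDSignature: AAAA\r\n"
                b"CCMClientTimestamp: 2014-01-01T00:00:00Z\r\n"
                b"CCMClientTimestampsSignature: BBBB\r\n"
                b"Content-Type: multipart/mixed; boundary=xyz\r\n"
                b"Content-Length: 9\r\n\r\n--xyz--\r\n")
POST_REQ = (b"POST /ccm_system/request HTTP/1.1\r\nHost: mp.example.com\r\n"
            b"Content-Type: multipart/mixed; boundary=xyz\r\nContent-Length: 9\r\n\r\n")
GET_RANGE_REQ = (b"GET /ccm_system/content HTTP/1.1\r\nHost: mp.example.com\r\n"
                 b"Range: bytes=0-1023\r\nConnection: keep-alive\r\n\r\n")
BAD_TYPE_REQ = (b"CCM_POST /ccm_system/request HTTP/1.1\r\nHost: mp.example.com\r\n"
                b"Content-Type: text/plain\r\nContent-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for name, req in [("CCM_POST", CCM_POST_REQ), ("POST", POST_REQ),
                      ("GET+Range", GET_RANGE_REQ), ("bad type", BAD_TYPE_REQ)]:
        d = filter_request(req)
        print(f"{name:10} allowed={d.allowed} reason={d.reason}")
```

The point the model makes for any device, ACE included, is that the match must be an exact string compare on the method token: CCM_POST and BITS_POST are extension methods, and an HTTP inspection engine that only understands RFC verbs, or that normalises or rejects unknown ones, fails the request before the allow-list is ever consulted. Confirm that behaviour on the device with a test request carrying one of these verbs, and confirm separately that the CCMClientID* and Range headers arrive at the management point unmodified, since the signature headers are how the MP ties the payload to the client after the proxy has terminated SSL.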