Setup Guide

Installation

The installer of IQProxy is wizard based and consists of the installation of the engine (service and NDIS driver) and the GUI. You can have only-GUI or only-engine installations. Once the installation wizard ends, you should reboot Windows for driver installation to guaranteed to be completed. IQ Proxy Server can safely be installed to remote servers over RDP.

IQ Reverse Proxy Setup

After you reboot, you are ready to explore the rich feature set for protecting and accelerating your web servers with IQ Reverse Proxy. First thing you should setup is from web server IP/port/paths. To do this open RProxy, Web Servers and now you need to make a decision: Do you need to use routed or redirected web server entries? A routed web server is where all the traffic is proxied through IQ Reverse Proxy is this is what 90% of the time what customers need. A redirected web server is for pure redirection with 301/302/307 HTTP redirection codes. If you choose the latter, you won't have failover as after redirection the connectionis out of control of your IQ Reverse Proxy.

Screenshot of the reverse proxy Web Servers tabsheet. You can set as many web server definitions -on your LAN/WAN or over the Internet- to assign to the URL Rules you will define.

Once you create your web server entries, it is time to assign them to URL Rules--assignment rules for the HTTP/HTTPS ports. In its most simple form, these may mean domains. Now IQ Reverse Proxy supports regular expressions. If you upgraded from an older version, you will see that your URL Rules are upgraded to regex automatically. Basically in the old syntax we used to only allow the wildcard character * (asterix). Now it is replaced with .* (dot and asterix). Also since . (dot) is the escape character in regex, in regex it is replaced with \. (backslash and dot). If you use the "Add" button in URL Rules, it will accept the old syntax and convert automatically. If you use the "Add regex" button, you would find the chance of setting with no conversion for all the power of regex. After you create your URL Rules, make sure you assign the Web Servers you created to them so that the routing path is ready.

Screenshot of the reverse proxy URL Rules tabsheet. You can specify different target web servers IP/port/path for each domain. IQProxy can load-balance to multiple web servers with smart failover. Web servers are checked in real-time and via HTTP(S) ping every 15 secs.

You can use the syntax http://domain/path or ssl://domain/path or *://domain/path (any protocol) for your URL Rules. Make sure you do not enter the port part as that should be defined from the Options tabsheet. If your path points to a file instead of a directory/folder on your web site, make sure you check URL points to file.

If you want to preserve the host header from the request so that it would be kept as is in the connection to the web servers assigned, check the Preserve Request Host Header. This might be required in the following scenario: You need to point your DNS to IQProxy yet your web servers still expect the same host header to function and serve properly for your sites needs (which is the case with OWA and Sharepoint). If you uncheck this, then the IP address of the target web server definition will be used instead in the host header.

One other thing you should decide per URL Rule is content (HTML/CSS) & link translation options. If you have absolute links on your site or relative path in your URL Rule, you should check content translation which is turned on by default. Content translation should not be checked when all the links are relative as it consumes RAM and CPU cycles to parse the content. Link translation is for location header in 301/302/307 responses.

For authentication, you can select local DB or NTLM, then you should decide in the method to be used. The most secure one is digest for local DB and Windows NTLM for NTLM. HTML based authentication sends the password in cleartext so it is strongly advised that you use it in conjunction with SSL.

Country restriction is for restricting a URL Rules application to a client request based on clients geographical location, country. Now, with one click you even can assign an entire continent! This feature is available in Reverse Proxy Enterprise edition only.

For SSL, you must have a certificate, a private key and optionally a CA File for root/intermediate certificates. In the SSL/TLS Encryption tabsheet, with the SNI feature, you can have as many certificates on single port as you want (this feature is available in Reverse Proxy Enterprise edition only). You can buy your certificates from a Certificate Authority such as Verisign or Comodo or simply create your self-signed certificate. In the latter case, the browsers of your visitors would issue a warning since they would not trust you signing your own certificate. A CSR is a Certificate Signing Request. You must make one before you order a certificate from a CA. You should always keep the private key it will generate as confidential as that is what the encryption, hence your sites security will depend on.

The DDoS firewall in the Firewall tabsheet is by default turned off only for the reason that you might want to test your site first and it might disrupt too many requests from an IP address such as in the case of web stress testing. you can safely turn it on by checking enable and clicking apply. NDIS level protection is available in the Reverse Proxy Enterprise edition only. It blocks the SYN packets before the connection is established so is smarter, faster and causes less traffic in terms of CPU, RAM and bandwidth due to malign visitors.

If you do think your web content that do not issue a cookie can be updated less frequently than a few seconds, then you can safely turn on Override web server cache expiration policy from Cache Options. This would make sure the staleness checks are at intervals you define per MIME type.

In Options tabsheet, you should decide whether you want to see the 500/501 error pages from your web servers as is or replace them with custom error pages of IQ Reverse Proxy. Un check Accept 500 responses as Server Error for the latter. If you wish to have your scripts know the client countries the easy way, you can add X-Client-Country request header and check for it in ASPX/PHP/Perl on your web servers...

IQ Content Proxy Setup

IQ Content Proxy is the most intuitive forward/transparent proxy server solution for the Windows platform. The first thing you need to decide before using IQ Content Proxy is if whether to use it in Forward Proxy or Transparent Proxy modes. The former one means you need to enter IQ Content Proxy IP/port into your browsers explicitly but the proxy can reside anywhere on your LAN or on the Internet. The latter one is better as a total cache and filter but you must install it onto your network gateway.

You can use the country firewall to block users from outside your LAN. The NPAT (Network Port Address Translation) feature is for sharing one WAN/Internet IP among multiple users. Filter is for filtering of web content only. You can find more information for these in the user guide.


Download Latest Version