Application Offloading and HTTP(S) Bookmarks Overview

SRA appliances use HTTP(S) bookmarks and application offloading to provide access to Web-based applications running on servers within the intranet. This includes SharePoint 2007 and the enhanced versions of commonly-used Web mail interfaces, such as Microsoft OWA Premium and Domino Web Access 8.0.1, 8.5.1, and 8.5.2. SharePoint 2010 is supported with application offloading, but not with HTTP(S) bookmarks. SharePoint 2013 is supported with application offloading. Note that third-party modules that are not proxy friendly may not be supported by SharePoint.

Both application offloading and HTTP(S) bookmarks use an HTTP(S) reverse proxy. A reverse proxy is a proxy server that is deployed between a remote user outside an intranet and a target Web server within the intranet. The reverse proxy intercepts and forwards packets that originate from outside the intranet. An HTTP(S) reverse proxy specifically intercepts HTTP(S) requests and responses.

Application Offloading provides secure access to both internal and publicly hosted Web applications. An application offloading host is created as a special-purpose portal with an associated virtual host acting as a proxy for the backend Web application.

Unlike HTTP(S) bookmarks, access to offloaded applications is not limited to remote users. The administrator can enforce strong authentication and access policies for specific users or groups. For instance, certain guest users in an organization may need two-factor or client certificate authentication to access Outlook Web Access (OWA), but are not allowed to access OWA public folders. If authentication is enabled, multiple layers of advanced authentication features, such as One Time Password, Two-factor Authentication, Client Certificate Authentication and Single Sign-On, can be applied on top of each other for the offloaded host.

The offloaded application portal must be configured as a virtual host with a suitable SRA domain. It is possible to disable authentication and access policy enforcement for such an offloaded host.

Web transactions can be centrally monitored by viewing the logs. In addition, Web Application Firewall can protect offloaded application hosts from unexpected intrusions, such as cross-site scripting or SQL injection.

Access to offloaded Web applications happens seamlessly as URLs in the proxied page are not rewritten in the manner used by HTTP or HTTPS bookmarks.

Benefits of HTTP(S) Bookmarks

By using HTTP(S) bookmarks, users can access the full-featured versions of SharePoint 2007, Microsoft OWA Premium, and Domino Web Access 8.0.1, 8.5.1, and 8.5.2 Web mail interfaces. These interfaces are easier to use and provide more features than their basic counterparts.

Benefits of Application Offloading

An offloaded Web application has the following advantages over configuring the Web application as an HTTP(S) bookmark in SRA:

Application offloading can be used in any of the following scenarios:

Supported Platforms

Appliance Platforms

On SRA 6.0 and higher, Application Offloading and HTTP(S) bookmarks are supported on the following SRA appliances:

HTTP Versions

HTTP(S) bookmarks and application offloading portals support both HTTP/1.0 and HTTP/1.1.

Certain performance optimization features, such as caching, compression, SSL hardware acceleration, HTTP connection persistence, TCP connection multiplexing and transfer-chunk encoding for proxies are automatically enabled depending on the usage.

Applications

Beginning in SRA 6.0, SharePoint 2010 and SharePoint 2013 are supported with application offloading, but not with HTTP(S) bookmarks. The following features have been tested and verified as working well on the indicated browsers:

 

Table 10. Supported SharePoint features

SharePoint Features: Add Announcement; Delete Announcement; Download Document; Add Document; Delete Document; Add New Item; Delete Item

Browsers: Internet Explorer 9; Firefox 16.0 and later; Chrome 22.0 and later

The following Web applications have been tested and verified to work with HTTP(S) bookmarks and as offloaded applications:

Microsoft Outlook Web Access 2010

Microsoft Outlook Web Access 2007

Windows SharePoint 2007 (supported only using App Offloading)

Windows SharePoint Services 3.0

Lotus Domino Web Access 8.5.1

Lotus Domino Web Access 8.5.2

 

Exchange ActiveSync is supported on the following:

Authentication Schemes

The following authentication schemes are supported for use with application offloading and HTTP(S) bookmarks:

Basic – Collects credentials in the form of a username and password.
NTLM (Microsoft NT LAN Manager) – Provides automatic authentication between Active Directory aware applications.
Forms-based authentication – Uses a Web form to collect credentials.

Software Prerequisites

The following end-user requirements must be met in order to access the complete set of application offloading and HTTP(S) bookmarks features:

NOTE:  
 

Supported Application Deployment Considerations

Be aware of these installation and general feature caveats when using application offloading and HTTP(S) bookmarks with the following software applications:

Application Offloading is only supported on SharePoint 2013 and with any application using HTTP/HTTPS. SRA has limited support for applications using Web services and no support for non-HTTP protocols wrapped within HTTP.

The application should not contain hard-coded self-referencing URLs. If these are present, the Application Offloading proxy must rewrite the URLs. Since Web site development does not usually conform to HTML standards, the proxy can only do a best-effort translation when rewriting these URLs. Specifying hard-coded, self-referencing URLs is not recommended when developing a Web site because content developers must modify the Web pages whenever the hosting server is moved to a different IP or hostname.

For example, if the backend application has a hard-coded IP address and scheme within URLs as follows, Application Offloading must rewrite the URL.

<a href="http://1.1.1.1/doAction.cgi?test=foo">

This can be done by enabling the Enable URL Rewriting for self-referenced URLs setting for the Application Offloading Portal, but not all URLs may be rewritten, depending on how the Web application has been developed. (This limitation is usually the same for other WAF/SRA vendors employing reverse proxy mode.)
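
The best-effort limit described above, as an added example (this is not the SRA appliance's rewriting code and not part of the original page): a minimal attribute rewriter followed by a check for backend references that survived it. The portal hostname app.example.com, the attribute list and the sample response body are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BACKEND = urlsplit("http://1.1.1.1")   # backend origin from the example above
PORTAL = "https://app.example.com"     # hypothetical offloading virtual host

# URL-bearing attributes this sketch handles; a real page has more of them.
ATTR = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2''', re.I | re.S)
# The backend address as a whole token, so 1.1.1.10 is not counted as 1.1.1.1.
RESIDUE = re.compile(r"(?<![\d.])" + re.escape(BACKEND.netloc) + r"(?![\d.])")

# Constructed sample response body from the backend.
SAMPLE = """<a href="http://1.1.1.1/doAction.cgi?test=foo">Run</a>
<form action="http://1.1.1.1/login.cgi" method="post"></form>
<img src="/images/logo.png">
<script>var api = "http://" + "1.1.1.1" + "/api/status";</script>
<a href="http://1.1.1.10/other">Other host</a>"""


def rewrite(html):
    """Best-effort rewrite of absolute backend URLs found in HTML attributes."""
    def fix(match):
        prefix, quote, url = match.groups()
        try:
            target = urlsplit(url)
        except ValueError:
            return match.group(0)      # malformed URL: leave it untouched
        if (target.scheme, target.netloc) == (BACKEND.scheme, BACKEND.netloc):
            url = PORTAL + url[len(BACKEND.geturl()):]
        return prefix + quote + url + quote
    return ATTR.sub(fix, html)


def leftovers(html):
    """Return the lines that still mention the backend address after rewriting."""
    return [line.strip() for line in html.splitlines() if RESIDUE.search(line)]


if __name__ == "__main__":
    proxied = rewrite(SAMPLE)
    print(proxied)
    for line in leftovers(proxied):
        print("still references backend:", line)
```

The anchor and form URLs are rewritten and the relative image path needs no change, but the URL assembled by string concatenation in the script is missed. Running a residue check like this against proxied responses shows where the application itself still needs fixing.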