Table of contents

1. Airlock Secure Access Hub
  1.1. Semantic versioning scheme for Airlock Secure Access Hub components
2. About this document
  2.1. How information is structured in this manual
  2.2. Leveled prerequisites
  2.3. Warning tiers in this document
  2.4. Additional panel types
  2.5. Advanced Lucene searches within this online help
3. About Airlock Gateway
  3.1. Airlock Gateway license and sales
  3.2. 3rd party software license conditions
  3.3. System and hardware requirements
    3.3.1. Resource requirements for on-premises installations
    3.3.2. Resource requirements for cloud installations
    3.3.3. Performance considerations on load and configuration
    3.3.4. Hardware configuration recommendations
    3.3.5. Supported SSL/TLS versions
  3.4. About the Airlock Gateway user interfaces
    3.4.1. About the Airlock Gateway admin menu
    3.4.2. About the Airlock Gateway Configuration Center
4. Release notes
  4.1. New features in Airlock Gateway 8.3
  4.2. Actions required when upgrading
  4.3. Changelog Airlock Gateway 8.3
5. Getting started
  5.1. Prepare the installation media
  5.2. Quick installation guide for Airlock Gateway on-premises installation
  5.3. Updating Airlock Gateway using the admin menu
    5.3.1. Apply an update interactively
    5.3.2. Apply an update non-interactively
  5.4. NIC setups for cloud and on-premises installations
    5.4.1. Public cloud installations
    5.4.2. On-premises installations
6. General warnings and recommendations
7. Basic concepts and functional overviews
  7.1. Airlock Anomaly Shield
    7.1.1. Terms and definitions related to Airlock Anomaly Shield
    7.1.2. Architecture overview
    7.1.3. Anomaly detection
  7.2. Airlock Gateway rewrite engine with URL encryption
  7.3. Airlock Gateway Smart Form Protection
  7.4. API access control with Airlock Secure Access Hub
    7.4.1. Solution overview
    7.4.2. Tech-Client management
  7.5. Attribute locking in the Configuration Center
  7.6. Back-end load balancing and failover
    7.6.1. Runtime behavior
    7.6.2. Load balancing example cases
  7.7. Clustering, load-balancing, and failover scenarios for Airlock Gateway setups
  7.8. Cookie handling and cookie types
    7.8.1. Environment cookies
    7.8.2. Cookie security attributes
  7.9. Cross-Site Request Forgery (CSRF) protection
  7.10. Dynamic back-end group selection
  7.11. Entry path to back-end path settings
    7.11.1. Entry path as Directory or Regular expression
    7.11.2. Option Enforce trailing slashes
  7.12. HTTP/HTML rewriting
  7.13. JSON parsing and filtering
  7.14. JWKS and JWK selection by filtering
    7.14.1. Reference lists of supported JWKS algorithms
  7.15. Multitenancy feature
    7.15.1. Terms and definitions
    7.15.2. Role and rights management for tenant-users
    7.15.3. Security considerations
    7.15.4. Manage tenant-users
    7.15.5. Practical applications and examples
  7.16. Rewrite variables
  7.17. Rule-based filtering
  7.18. Simultaneous administration and configuration merge
    7.18.1. How does configuration merge work in general?
    7.18.2. When does the merge process fail?
    7.18.3. Cancel vs. overwrite a configuration
8. REST API based Airlock Gateway configuration and management interface
9. Configuration Center (web-based GUI)
  9.1. Button – Activate
  9.2. Menu – Dashboard
    9.2.1. Section – Users logged in
    9.2.2. Section – System health
    9.2.3. Section – Proxy statistics
  9.3. Menu – System Setup
    9.3.1. Submenu – License
    9.3.2. Submenu – Updates
    9.3.3. Submenu – Nodes & Interfaces
    9.3.4. Submenu – Routes
    9.3.5. Submenu – Hosts
    9.3.6. Submenu – Network Services
    9.3.7. Submenu – Threat Intelligence
    9.3.8. Submenu – IP Address Lists
    9.3.9. Submenu – System Admin
  9.4. Menu – Application Firewall
    9.4.1. Submenu – Reverse Proxy
    9.4.2. Submenu – Policy Learning
    9.4.3. Submenu – Anomaly Shield
    9.4.4. Submenu – Geolocation Filter
    9.4.5. Submenu – Certificates
    9.4.6. Submenu – JWKS Providers
    9.4.7. Submenu – Session
    9.4.8. Submenu – Default Actions
    9.4.9. Submenu – Deny Rules
    9.4.10. Submenu – API Security
    9.4.11. Submenu – Dynamic IP Blacklist
    9.4.12. Submenu – Error Pages
  9.5. Menu – Log & Report
    9.5.1. Submenu – Log Viewer
    9.5.2. Submenu – Reporting
    9.5.3. Submenu – Session Viewer
    9.5.4. Submenu – System Monitor
    9.5.5. Submenu – Settings
  9.6. Menu – Configuration
    9.6.1. Submenu – Configuration Files
    9.6.2. Submenu – Configuration Summary
  9.7. Menu – Expert Settings
    9.7.1. Submenu – Security Gate / Apache
    9.7.2. Submenu – Add-on Modules
10. Configuration examples and guides for general configuration tasks
  10.1. Airlock Anomaly Shield configuration
    10.1.1. Part 1 – Preconfigure an Airlock Anomaly Shield application
    10.1.2. Part 2 – Training and model enforcement
    10.1.3. Part 3 – Trigger, pattern and rule configuration
    10.1.4. Part 4 – Activate detection and response action (log-only mode)
    10.1.5. Part 5 – Analyze and adjust threat handling settings
    10.1.6. Optional configuration of Traffic Matchers
    10.1.7. Recommendations for assigning mappings to Anomaly Shield applications
    10.1.8. Airlock Anomaly Shield logs, tuning and advanced configuration
  10.2. Airlock Gateway failover setup for on-premises installations
    10.2.1. Setup a failover cluster
    10.2.2. Remote activation within an Airlock Gateway failover cluster
    10.2.3. Maintaining actions on cluster nodes
    10.2.4. Hardware replacement in failover cluster
  10.3. Allow rule configuration
  10.4. API access control configuration for Airlock IAM and Airlock Gateway
    10.4.1. Configure the Airlock IAM API policy service
    10.4.2. Configure Tech-Client management in Airlock IAM
    10.4.3. Configure API gateway for API key-based access control
  10.5. Configure and manage custom HTTP error pages
  10.6. Customize Elasticsearch data archiving
  10.7. Configuration example cases for URL encryption
  10.8. Configure filter rules using regular expression patterns
    10.8.1. Regular Expressions basic examples
    10.8.2. Regular Expressions advanced examples
  10.9. Cookie parsing according to RFC 6265
  10.10. Customizing events
  10.11. Deny rule configuration
    10.11.1. Blocking levels
    10.11.2. Blocking and logging
    10.11.3. Deny rule exceptions
  10.12. How to choose/switch to the best session handling mode
  10.13. HTTP compression
  10.14. Remote Elasticsearch access with HTTPS
  10.15. Syslog forwarding with SSL
  10.16. TLS/SSL Certificate creation
  10.17. Using the policy learning feature
11. Integration tasks for web applications and 3rd-party software
  11.1. Control API
    11.1.1. Control API cookie
    11.1.2. ICAP control API header
    11.1.3. General command syntax
    11.1.4. Session authorization
    11.1.5. Basic-Auth propagation
    11.1.6. NTLM propagation
    11.1.7. Session control
    11.1.8. Selecting session tracking mode via API
    11.1.9. Audit token
    11.1.10. Setting HTTP headers
    11.1.11. Kerberos user and domain
    11.1.12. Session timeout
    11.1.13. Authentication workflow
    11.1.14. Session variables
    11.1.15. Pseudo code
    11.1.16. Unconditional control API commands
    11.1.17. Summary of syntax rules
    11.1.18. Expert Settings
  11.2. Using header tokens for session tracking
  11.3. Cross-Site Request Forgery (CSRF) protection for SPAs
  11.4. ICAP configuration
  11.5. Local and remote JWKS Providers configuration
  11.6. GraphQL integration
  11.7. Let's Encrypt as certificate provider
  11.8. Threat Intelligence by Webroot BrightCloud
  11.9. Microsoft integration guides
    11.9.1. Integration of Microsoft Exchange 2016 / 2019
    11.9.2. Publishing Microsoft SharePoint 2016
    11.9.3. Publishing Microsoft SharePoint 2019
    11.9.4. Publishing Microsoft WebDAV
    11.9.5. Kerberos integration
12. Tasks to maintain and improve the operation
  12.1. Working with Airlock Anomaly Shield dashboards
  12.2. Airlock Gateway failover cluster upgrade with full system installation
  12.3. Airlock Gateway Configuration Center access via IAM
    12.3.1. Configure Airlock IAM access management using URL parameters (recommended)
    12.3.2. Configure IAM access management using cookies (alternative)
    12.3.3. Emergency access and troubleshooting
  12.4. Automatic configuration backup with SCP
  12.5. System backup/restore via the Airlock Gateway admin menu or scripts
  12.6. Client connection handling keepalive using the Apache MPM module instead of the Apache HTTP Server
  12.7. Configure automatic updates for the geolocation database
  12.8. Increasing the Java heap space for Configuration Center Tomcat and the Airlock management agent
  12.9. Logs and diagnostics
  12.10. List of frequent events
    12.10.1. Possible ICAP problem - response time repeatedly too high
    12.10.2. Possible back-end problem – response time repeatedly too high
    12.10.3. Possible attack - many requests with status code 404
    12.10.4. Possible attack - many requests blocked
  12.11. SSH login with public/private key authentication
13. Reference documentation
  13.1. Airlock Gateway default deny rule groups and request/response actions
    13.1.1. Default Deny Rules
    13.1.2. Default Request Actions
    13.1.3. Default Response Actions
  13.2. Reference lists of log messages and events
    13.2.1. Log messages
    13.2.2. Events
  13.3. Administrative roles in Airlock Gateway
14. Expert settings collection
  14.1. Regular Expressions advanced examples
  14.2. Modification of default Apache SSL/TLS settings
  14.3. Deploy Apache mod_status for analysis purposes
15. Troubleshooting and support
  15.1. Network traffic tracing using tcpdump and TShark/Wireshark
  15.2. Network traffic tracking based on conntrace log messages