16 Posts
0
September 12th, 2011 14:00
External access for Web Access through SSL Gateway
Forgive this basic question...
I have an SSL Gateway in our DMZ with public IP and an SSL cert. I have the Web Access server inside our network with a private address. We have users that will access this from the inside network so we wanted all that traffic to stay inside the firewall and only want external users going through the firewall. Access inside seems to be working fine.
So here is my basic question. From the outside, what is the URL that they should be using? It sounds like they should be using the FQDN for the SSL Gateway but there is no web site on there so where does the page get published? Or is this architected wrong?
DELL-Andrew W1
378 Posts
1
September 12th, 2011 14:00
Hello,
In the control panel of the SSL Gateway server, you'll have the Secure-IT control panel.
Open that and you can set up the Web Proxy.
Set the Web Proxy so the destination address is the address for your actual webserver.
Your Users will type the External FQDN of the SSL Gateway, this will then forward the request through to the Web Server on the internal network (assuming you have access from the DMZ to the internal webserver on port 80).
You'll also want to set up an RDP Proxy at the same time.
With these configured, you only need 443 open to the SSL Gateway and then port 80 open from the SSL Gateway to the Web Server and 3389 open from the SSL Gateway to the actual Terminal Servers/VDI.
Thanks, Andrew
david.caddick-q
16 Posts
0
September 13th, 2011 19:00
Hi Shareen,
I have some examples of redirect.asp files that will also allow you to redirect the user to HTTPS at the same time.
Redirect example 1:
<%
Response.Redirect("/Provision/web-it/")
%>
Redirect example 2:
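<%
' Build both targets from the host name the client requested
strHTTPS = "https://" & Request.ServerVariables("SERVER_NAME") & "/Provision/web-it/"
strHTTP = "http://" & Request.ServerVariables("SERVER_NAME") & "/Provision/web-it/"
' Clients whose address starts with 192.168.1. stay on HTTP; everyone else goes to HTTPS.
' "= 1" anchors the match at the start of the address (a bare InStr matches anywhere in it).
If InStr(Request.ServerVariables("REMOTE_ADDR"), "192.168.1.") = 1 Then
    Response.Redirect strHTTP
Else
    Response.Redirect strHTTPS
End If
%>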
Redirect example 3:
<%
'**************************************************************
'**************************************************************
' Edit the next line to be your local subnet
' DO NOT CHANGE ANYTHING ELSE
strLocalSubNet = "10.228."
'**************************************************************
'**************************************************************
strIP = Request.ServerVariables("REMOTE_ADDR")
strHTTP = "http://" & Request.ServerVariables("SERVER_NAME") & "/Provision/web-it/"
strHTTPS = "https://" & Request.ServerVariables("SERVER_NAME") & "/Provision/web-it/"
strHTTPAdmin = "http://" & Request.ServerVariables("SERVER_NAME") & "/Provision/web-it/admin/default.aspx"
strHTTPSAdmin = "https://" & Request.ServerVariables("SERVER_NAME") & "/Provision/web-it/admin/default.aspx"
If InStr(Request.ServerVariables("URL"), "/web-it/admin") Then
    ' Admin pages: redirect only clients whose address starts with one of these prefixes.
    ' "= 1" anchors each match at the start of the address; other clients get no redirect.
    If InStr(strIP, "192.168.") = 1 Or InStr(strIP, "10.") = 1 Or InStr(strIP, "172.16.") = 1 Then
        Response.Redirect strHTTPAdmin
    End If
Else
    ' Everything else: local subnet stays on HTTP, all other clients go to HTTPS
    If InStr(strIP, strLocalSubNet) = 1 Then
        Response.Redirect strHTTP
    Else
        Response.Redirect strHTTPS
    End If
End If
%>
I hope this helps?
Cheers,
Dave
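A variant of redirect example 2, added here as an illustration and not part of the original post: it parses REMOTE_ADDR and compares the octets numerically against the RFC 1918 private ranges before choosing HTTP or HTTPS. The names `APP_PATH` and `IsPrivateIPv4` are hypothetical, and treating every private address as "internal" is an assumption; narrow the ranges to your own subnet as needed.

```asp
<%
Option Explicit
' Added example, not from the thread. APP_PATH is the path used in the posts above.
Const APP_PATH = "/Provision/web-it/"

' True only for a dotted-quad IPv4 address inside 10.0.0.0/8,
' 172.16.0.0/12 or 192.168.0.0/16. Anything else, IPv6 included,
' is treated as external.
Function IsPrivateIPv4(ip)
    Dim re, m, a, b
    IsPrivateIPv4 = False
    Set re = New RegExp
    re.Pattern = "^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$"
    Set m = re.Execute(ip)
    If m.Count = 0 Then Exit Function
    a = CInt(m(0).SubMatches(0))
    b = CInt(m(0).SubMatches(1))
    ' Compare octets as numbers: an unanchored text test for "10."
    ' would also accept 210.4.5.6 or 192.0.10.7.
    If a = 10 Then IsPrivateIPv4 = True
    If a = 172 And b >= 16 And b <= 31 Then IsPrivateIPv4 = True
    If a = 192 And b = 168 Then IsPrivateIPv4 = True
End Function

Dim scheme
If IsPrivateIPv4(CStr(Request.ServerVariables("REMOTE_ADDR"))) Then
    scheme = "http://"     ' internal client: plain HTTP, as in example 2
Else
    scheme = "https://"    ' everyone else is sent to HTTPS
End If
Response.Redirect scheme & Request.ServerVariables("SERVER_NAME") & APP_PATH
%>
```

If the gateway's Web Proxy connects to the web server from its own DMZ address, REMOTE_ADDR for external users is the gateway's address rather than the client's, so the outcome depends on whether that address falls inside the ranges treated as internal.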
slklos
16 Posts
0
September 13th, 2011 19:00
Thank you. That helps clear that up. I can now get to my certificate on SSL gateway. However, when it tries to redirect me to the web server, I get an error on the page.
On the web server I have a default.aspx file that redirects the URL to add the /provision/web-it for the users. When I am coming from the outside and it tries to pass the web page through it does it on http://XXX/provision/web-it. As soon as I change it to https:// in the URL the site comes up.
How do I keep the outside users using https://?
Thanks,
Shareen
slklos
16 Posts
0
September 14th, 2011 17:00
David,
Thank you so much for your response. The first example worked like a charm. After I got that working I realized that a lot of my users go between internal usage and external. So they may have bookmarked one or the other http vs https URL. So if they bookmarked the HTTP:// and try to go outside it will not work and if they bookmarked HTTPS:// and try to use it on the inside that doesn't work. I tried to use your default2.asp script. But it doesn't seem to work. Any thoughts on how to do this?
Thanks,
Shareen
david.caddick-q
16 Posts
0
September 14th, 2011 19:00
Hi Shareen,
I'm afraid not - I would not describe myself as a coder at all - I was passed those scripts almost 2 years ago and have always simply used the first one (based on the KISS principle) and it has been pretty reliable.
Perhaps someone else can offer some advice here?
Dave
DELL-Andrew W1
378 Posts
0
September 15th, 2011 08:00
Hello,
It is only the RDP over SSL that causes a real overhead on the SSL Gateway so I wouldn't worry about making this too complicated.
With a correct SSL Gateway setup, you can detect if a User is Internal or External.
I'd tell everyone to use HTTPS (and update their bookmarks) and redirect everyone to https using the script David pasted above. This way, when they log in, you have the extra security of the encryption.
After this, I'd make sure the Default Address translation was set to SSL but I'd have a Custom Address Translation for the internal IP subnet set to "Normal".
This way, when a User clicks on an App, the App will launch the session over SSL unless the User is on the internal network, then it will launch a direct connection.
Thanks, Andrew.
P.S. If you want an External User to get redirected to HTTPS when they try to go to HTTP you'd need to open up port 80 on the firewall so they can then get to the redirection page, which is why it is better to just update their bookmarks.
Message was edited by: Andrew Wood due to Yoda style of writing I have.