Embed Size (px)
Citation preview
Security from 3SP
2
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR 3SP REPRESENTATIVE FOR A COPY. IN NO EVENT SHALL 3SP OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF 3SP OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SSL-Explorer: Administrators Guide Copyright © 2007 3SP Ltd. All rights reserved. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between 3SP and any other company.
3
PREFACE .......................................................................................................................................14 DOCUMENT OBJECTIVE ...................................................................................................................................... 14
Audience ................................................................................................................................................... 14 Related Documentation .......................................................................................................................... 14 Document Organization .......................................................................................................................... 15 Document Convention............................................................................................................................. 15
OBTAINING DOCUMENTATION ............................................................................................................................ 15 3SP.com .................................................................................................................................................... 15
DOCUMENTATION FEEDBACK .............................................................................................................................. 16 OBTAINING TECHNICAL ASSISTANCE................................................................................................................... 16
INTRODUCTION............................................................................................................................17 MANAGEMENT CONSOLE ..............................................................................................................17
PURPOSE ........................................................................................................................................................... 17 ACCESSIBILITY................................................................................................................................................... 18 MANAGEMENT CONSOLE INTERFACE ................................................................................................................... 19
Areas of Functionality.............................................................................................................................. 19 Navigation Icons ...................................................................................................................................... 20 Options Icon ............................................................................................................................................. 20
WIZARDS........................................................................................................................................................... 21 Cancel Process ......................................................................................................................................... 21
SELECTION PROCESS.......................................................................................................................................... 21 Configure................................................................................................................................................... 22
GETTING HELP................................................................................................................................................... 22 AMENDING CONFIGURATION PARAMETERS .......................................................................................................... 22
SSL-VPN OVERVIEW.....................................................................................................................23 BASIC TECHNOLOGY OVERVIEW ......................................................................................................................... 23
IPsec VPNs................................................................................................................................................ 23 SSL-Based VPNs ....................................................................................................................................... 24 IPsec vs. SSL VPN.................................................................................................................................... 24
SSL-EXPLORER.................................................................................................................................................. 24 SSL-Explorer Editions .............................................................................................................................. 26
DEPLOYMENT ...............................................................................................................................27 DEPLOYMENT SCENARIOS................................................................................................................................... 27
Non-DMZ ................................................................................................................................................... 27 Within the DMZ ........................................................................................................................................ 28 Behind the DMZ ....................................................................................................................................... 28
DEPLOYMENT CONSIDERATIONS ......................................................................................................................... 29 SUMMARY .......................................................................................................................................................... 29
INSTALLING SSL-EXPLORER ........................................................................................................31 INSTALLATION .............................................................................................................................31
INSTALLATION PREREQUISITES ........................................................................................................................... 31 INSTALLATION OF SSL-EXPLORER ...................................................................................................................... 31 SSL-EXPLORER: COMMUNITY EDITION - SOURCE CODE INSTALLATION ............................................................... 39
Pre-requisites............................................................................................................................................ 39 Configuring a Service .............................................................................................................................. 41
SSL-EXPLORER RPM INSTALLATION ON REDHAT 8.0......................................................................................... 42
4
UPGRADING SSL-EXPLORER ............................................................................................................................... 43 UPGRADING FROM 0.1.16 TO 0.2.X ................................................................................................................... 44 MANAGING THE INSTANCE.................................................................................................................................. 46
Build Scripts .............................................................................................................................................. 46 Managing the Windows Service............................................................................................................. 47 Determining the Service Status ............................................................................................................. 48
ACCESSING THE INSTANCE ................................................................................................................................. 50 SERVER MIGRATION........................................................................................................................................... 51
INSTALLATION WIZARD ..............................................................................................................53 CERTIFICATE MANAGEMENT........................................................................................................53
PROTECTING PRIVATE DATA............................................................................................................................... 53 What is an SSL Certificate? .................................................................................................................... 53 Certification Authority ............................................................................................................................. 54
CONFIGURE CERTIFICATE INTERFACE.................................................................................................................. 55 CREATE NEW CERTIFICATE................................................................................................................................. 55
What is a Keystore?................................................................................................................................. 57 IMPORT EXISTING CERTIFICATE ......................................................................................................................... 58
USER DATABASES.........................................................................................................................59 WHAT IS ACTIVE DIRECTORY? ........................................................................................................................... 59
Active Directory within SSL-Explorer..................................................................................................... 59 WHAT IS HSQLDB? .......................................................................................................................................... 60
HSQLDB within SSL-Explorer ................................................................................................................. 60 WHAT IS LDAP? ............................................................................................................................................... 60
LDAP within SSL-Explorer ....................................................................................................................... 60 WHAT IS NIS? .................................................................................................................................................. 60
NIS Database with SSL-Explorer ........................................................................................................... 61 CONFIGURE USER DATABASE INTERFACE ............................................................................................................ 61 CONFIGURING THE BUILT-IN DATABASE.............................................................................................................. 62 CONFIGURING ACTIVE DIRECTORY ..................................................................................................................... 62 CONFIGURING ENHANCED ACTIVE DIRECTORY .................................................................................................... 65
Organizational Units (OUs)..................................................................................................................... 66 Organizational Unit Filter ........................................................................................................................ 66 Modifying Filters....................................................................................................................................... 67 Troubleshooting ....................................................................................................................................... 68
CONFIGURING LDAP.......................................................................................................................................... 69 CONFIGURING NIS ............................................................................................................................................ 72
CONFIGURING SUPER USER ........................................................................................................73 SUPER USER RESPONSIBILITY ............................................................................................................................ 73
Super User Rights .................................................................................................................................... 74 CONFIGURE SUPER USER INTERFACE .................................................................................................................. 74 CONFIGURING THE SUPER USER ......................................................................................................................... 75
CONFIGURING WEB SERVER........................................................................................................77 WHAT IS HTTP/S? ........................................................................................................................................... 77
SSL-Explorer HTTP/S............................................................................................................................... 77 Is it Secure?.............................................................................................................................................. 77
THE JETTY WEB SERVER .................................................................................................................................... 78 CONFIGURE WEB SERVER INTERFACE ................................................................................................................. 79 CONFIGURE WEB SERVER................................................................................................................................... 79
Listening Interface................................................................................................................................... 80 Modifying Interfaces................................................................................................................................ 81
5
EXTERNAL HOSTNAMES ...................................................................................................................................... 81 Modifying Hostnames.............................................................................................................................. 81
EXTERNAL PROXY SUPPORT ........................................................................................................83 WHAT IS A PROXY SERVER? ............................................................................................................................... 83 PROXY USE WITH SSL-EXPLORER ....................................................................................................................... 84 CONFIGURE EXTERNAL PROXIES INTERFACE........................................................................................................ 84 CONFIGURE EXTERNAL PROXIES ......................................................................................................................... 85
ENTERPRISE EDITION..................................................................................................................86 COMMUNITY EDITION VS. ENTERPRISE EDITION ................................................................................................. 86 INSTALL SSL-EXPLORER ENTERPRISE EDITION INTERFACE.................................................................................. 87
FINALIZING INSTALLATION ........................................................................................................88 THE SUMMARY PAGE .......................................................................................................................................... 88
Making Modifications ............................................................................................................................... 88 SUMMARY INTERFACE......................................................................................................................................... 88 SUMMARY .......................................................................................................................................................... 89
Unsuccessful Configuration .................................................................................................................... 90 PUBLISHING SERVER ...................................................................................................................91
PRE-REQUISITES ................................................................................................................................................ 91 CONFIGURING SSL-EXPLORER WITH A FIREWALL................................................................................................ 91 TESTING THE SSL-EXPLORER SERVICE................................................................................................................ 92
SYSTEM CONFIGURATION............................................................................................................93 SERVER CONFIGURATION............................................................................................................93
INTERFACE......................................................................................................................................................... 94 CONFIGURE WEB SERVER................................................................................................................................... 95
Web Server Interface .............................................................................................................................. 95 Configuration Parameters ....................................................................................................................... 95 Reconfigure Listening Interface............................................................................................................. 96 Reconfigure External Hostnames .......................................................................................................... 96
CONFIGURE PERFORMANCE ................................................................................................................................ 97 Performance Interface ............................................................................................................................ 97 Configuration Parameters ....................................................................................................................... 97
CONFIGURE PROXIES ......................................................................................................................................... 98 Proxy Interface......................................................................................................................................... 98 Configuration Parameters ....................................................................................................................... 98
CONFIGURE USER INTERFACE ............................................................................................................................. 99 UI Interface .............................................................................................................................................. 99 Configuration Parameters ....................................................................................................................... 99
CONFIGURE SSL .............................................................................................................................................. 100 SSL Interface .......................................................................................................................................... 100 Configuration Parameters ..................................................................................................................... 100
CONFIGURE TIME SYNCHRONIZATION ............................................................................................................... 101 Time synchronization Interface ........................................................................................................... 101 Configuration Parameters ..................................................................................................................... 101
RESOURCES ................................................................................................................................102 INTERFACE....................................................................................................................................................... 102 CONFIGURABLE RESOURCES ............................................................................................................................. 102 NETWORK PLACES............................................................................................................................................ 102
Network Places Interface...................................................................................................................... 103
6
Configuration Parameters ..................................................................................................................... 103 WEB FORWARDING .......................................................................................................................................... 104
Web Forward Interface ......................................................................................................................... 104 Configuration Parameters ..................................................................................................................... 104
MICROSOFT WINDOWS INTEGRATION .....................................................................................106 WINDOWS FILE SHARING................................................................................................................................. 106
What is CIFS? ......................................................................................................................................... 106 File Sharing Interface............................................................................................................................ 106 Configurable Parameters ...................................................................................................................... 107 What is WINS? ....................................................................................................................................... 109 What is the LMHOSTS File?.................................................................................................................. 109 What is NetBIOS? .................................................................................................................................. 109 What is DNS?.......................................................................................................................................... 110
SECURITY OPTIONS ...................................................................................................................111 INITIAL OPTIONS ............................................................................................................................................. 111 PASSWORD OPTIONS ....................................................................................................................................... 111
Password Options Interface ................................................................................................................. 112 Configuration Parameters ..................................................................................................................... 112
SESSION OPTIONS ........................................................................................................................................... 114 Session Options Interface..................................................................................................................... 114 Configuration Parameters ..................................................................................................................... 114
CONFIDENTIAL ATTRIBUTES ............................................................................................................................. 115 Confidential Attribute Interface ........................................................................................................... 115
CONFIGURATION PARAMETERS ......................................................................................................................... 115 POLICY OPTIONS ............................................................................................................................................. 116
Policy Options Interface........................................................................................................................ 116 CONFIGURATION PARAMETERS ......................................................................................................................... 116 LOGON PAGE ................................................................................................................................................... 117
Logon Page Interface............................................................................................................................ 117 CONFIGURATION PARAMETERS ......................................................................................................................... 117
MESSAGING................................................................................................................................118 MESSAGE QUEUE ............................................................................................................................................. 118 WHAT IS SMTP? ............................................................................................................................................. 118
SMTP and SSL-Explorer ........................................................................................................................ 119 MESSAGING INTERFACE.................................................................................................................................... 119 CONFIGURATION PARAMETERS ......................................................................................................................... 120
BASIC CONFIGURATION ............................................................................................................121 EXTENSION MANAGER ...............................................................................................................121
WHAT ARE EXTENSIONS? ................................................................................................................................. 121 Installation of Extensions ..................................................................................................................... 122 Anatomy of an Extension...................................................................................................................... 122
EXTENSION MANAGER INTERFACE..................................................................................................................... 123 Action Icons ............................................................................................................................................ 123
INSTALL AN EXTENSION.................................................................................................................................... 124 UPDATING AN EXTENSION ................................................................................................................................ 125 REMOVING AN EXTENSION................................................................................................................................ 126 UPLOAD AN EXTENSION.................................................................................................................................... 126 BESPOKE APPLICATION EXTENSIONS................................................................................................................. 127
SSL CERTIFICATES .....................................................................................................................128
7
REVISITING CERTIFICATES ............................................................................................................................... 128 Encryption ............................................................................................................................................... 128 Authentication ........................................................................................................................................ 129 SSL-Certificates ...................................................................................................................................... 129 Certification Authority ........................................................................................................................... 129 Trustworthy Certificates........................................................................................................................ 130
SSL-CERTIFICATES INTERFACE ........................................................................................................................ 130 Action Icons ............................................................................................................................................ 131 Certificate Actions .................................................................................................................................. 131
CREATING A CA ............................................................................................................................................... 132 PURCHASING CERTIFICATES ............................................................................................................................. 134 GENERATING A CSR......................................................................................................................................... 136 IMPORTING A CERTIFICATE .............................................................................................................................. 138 EXPORTING KEYS AND CERTIFICATES................................................................................................................ 139
ATTRIBUTES ...............................................................................................................................140 WHAT ARE ATTRIBUTES? ................................................................................................................................. 140
Security Questions ................................................................................................................................. 140 Applications ............................................................................................................................................ 141 Web Forwards ........................................................................................................................................ 141 Types of Attributes ................................................................................................................................ 142
ATTRIBUTE INTERFACE..................................................................................................................................... 142 Actions Icons .......................................................................................................................................... 143
CREATING ATTRIBUTES .................................................................................................................................... 143 EDITING A ATTRIBUTE ..................................................................................................................................... 147 DELETING A ATTRIBUTE ................................................................................................................................... 147 HOW TO USE ATTRIBUTES ................................................................................................................................ 147
Session Variable ..................................................................................................................................... 148 LICENSE MANAGER ....................................................................................................................150
LICENSE MANAGER........................................................................................................................................... 150 LICENSE MANAGER INTERFACE ......................................................................................................................... 150
Actions Icons .......................................................................................................................................... 151 UPLOADING A LICENSE ..................................................................................................................................... 151 DELETING A LICENSE ....................................................................................................................................... 151
SECURE NODE.............................................................................................................................152 WHAT IS A SECURE NODE? ............................................................................................................................... 152
What is its function?.............................................................................................................................. 152 WHAT ARE ROUTES.......................................................................................................................................... 153
Visibility ................................................................................................................................................... 153 Compatible Resources........................................................................................................................... 154
INSTALLING SECURE NODE CLIENT ................................................................................................................... 154 Authorize Secure Node ......................................................................................................................... 156
SECURE NODE INTERFACE ................................................................................................................................ 156 Action Icons ............................................................................................................................................ 156
CREATE NEW ROUTE........................................................................................................................................ 157 Enabling Routes ..................................................................................................................................... 158
EDITING A SECURE NODE................................................................................................................................. 159 EDITING A ROUTE............................................................................................................................................ 159 DELETING A SECURE NODE .............................................................................................................................. 159 DELETING A ROUTE.......................................................................................................................................... 159 SECURE NODE CONFIGURATION ....................................................................................................................... 160
PUBLIC KEY INFRASTRUCTURE .................................................................................................161
8
Encryption ............................................................................................................................................... 161 Authentication ........................................................................................................................................ 161
ACCESS CONTROL ADMINISTRATION........................................................................................164 INTRODUCTION..........................................................................................................................164
OVERVIEW....................................................................................................................................................... 164 System of Trust...................................................................................................................................... 165 Levels of Trust........................................................................................................................................ 165
ACCESS CONTROL ARCHITECTURE .................................................................................................................... 165 What is a Resource?.............................................................................................................................. 166 What is a Principal? ............................................................................................................................... 166 What is a Policy? .................................................................................................................................... 167 What is Permission? .............................................................................................................................. 167
FLEXIBILITY ..................................................................................................................................................... 168 CREATING ACCOUNTS................................................................................................................169
PRINCIPAL TYPES............................................................................................................................................. 169 SUPER USER ACCOUNT..................................................................................................................................... 169 ACCOUNT INTERFACE ....................................................................................................................................... 170
Action Icons ............................................................................................................................................ 170 CREATE NEW ACCOUNT.................................................................................................................................... 171
Assigning Groups ................................................................................................................................... 172 EDITING AN ACCOUNT...................................................................................................................................... 172 DELETING AN ACCOUNT ................................................................................................................................... 173
CREATING GROUPS ....................................................................................................................174 WHAT ARE GROUPS?........................................................................................................................................ 174 GROUPS INTERFACE ......................................................................................................................................... 175
Action Icon.............................................................................................................................................. 175 CREATE NEW GROUP ....................................................................................................................................... 175 EDITING A GROUP............................................................................................................................................ 176 DELETE GROUP ................................................................................................................................................ 177
CREATING POLICIES ..................................................................................................................178 WHAT IS A POLICY? ......................................................................................................................................... 178
Principal Pool .......................................................................................................................................... 178 Stateless.................................................................................................................................................. 178
POLICY INTERFACE........................................................................................................................................... 179 Action Icons ............................................................................................................................................ 179
CREATE POLICY ............................................................................................................................................... 179 EDITING A POLICY ........................................................................................................................................... 182 DELETE POLICY................................................................................................................................................ 182
CREATING ACCESS RIGHTS........................................................................................................183 WHAT IS A RESOURCE?.................................................................................................................................... 183 WHAT ARE ACCESS RIGHTS? ............................................................................................................................ 183 ACCESS RIGHTS INTERFACE ............................................................................................................................. 184
Action Icons ............................................................................................................................................ 184 CREATING AN ACCESS RIGHT ........................................................................................................................... 185 EDITING ACCESS RIGHTS ................................................................................................................................. 188 DELETE ACCESS RIGHTS .................................................................................................................................. 188
AUTHENTICATION SCHEMES......................................................................................................189 WHAT IS AN AUTHENTICATION SCHEME?.......................................................................................................... 189
9
AUTHENTICATION SCHEME INTERFACE.............................................................................................................. 191 Action Icons ............................................................................................................................................ 192
CREATING AN AUTHENTICATION SCHEME.......................................................................................................... 192 DELETING AN AUTHENTICATION SCHEME .......................................................................................................... 194 AUTHENTICATION MODULES............................................................................................................................. 194 PASSWORD AUTHENTICATION........................................................................................................................... 196
Creating a Password.............................................................................................................................. 196 Modifying a Password ........................................................................................................................... 196 Configuring Passwords.......................................................................................................................... 198
PERSONAL QUESTIONS AUTHENTICATION ......................................................................................................... 201 Configuring Answers ............................................................................................................................. 201
PIN AUTHENTICATION ..................................................................................................................................... 203 Modifying a PIN...................................................................................................................................... 203 Configuring PIN...................................................................................................................................... 204
OTP AUTHENTICATION .................................................................................................................................... 206 Defining Recipient Details..................................................................................................................... 207 Configure Service Provider ................................................................................................................... 209 Configuring OTP..................................................................................................................................... 211
CLIENT CERTIFICATES ...................................................................................................................................... 213 Enable Authentication ........................................................................................................................... 215 Creating a CA ......................................................................................................................................... 216 Creating Client Certificates ................................................................................................................... 218 Importing Certificate into Browser ...................................................................................................... 223 Using Active Directory Certificates ...................................................................................................... 226 Configuring Client Certificates.............................................................................................................. 229
PUBLIC KEY AUTHENTICATION.......................................................................................................................... 230 Identity Creation .................................................................................................................................... 231 Reset Identity ......................................................................................................................................... 233 Configuring Public Key .......................................................................................................................... 235 Import Identity....................................................................................................................................... 235
IP AUTHENTICATION........................................................................................................................................ 237 Creating a Restriction............................................................................................................................ 237
RADIUS AUTHENTICATION.............................................................................................................................. 238 Configuring RADIUS .............................................................................................................................. 239
REMOTE CLIENT AUTHENTICATION ................................................................................................................... 240 WebDAV .................................................................................................................................................. 240 Embedded Client.................................................................................................................................... 240
HARDWARE TOKEN AUTHENTICATION......................................................................................241 SAFENET IKEY 2032 CONFIGURATION ............................................................................................................ 241
SafeNet CIP Utilities .............................................................................................................................. 242 Importing SSL Certificates into the Devices....................................................................................... 243
ALADDIN ETOKEN PRO CONFIGURATION .......................................................................................................... 247 Using eToken Properties....................................................................................................................... 247
RSA SECURID AUTHENTICATION MANAGER ..................................................................................................... 252 Configuring an Authentication Scheme that uses RADIUS .............................................................. 252 Add an Agent Host Record for the SSL-Explorer server................................................................... 255 Add the SSL-Explorer Server as a RADIUS client.............................................................................. 256 Importing and Assigning Tokens to your Users ................................................................................ 257 Test the Authentication Process .......................................................................................................... 259 Synchronization with Microsoft Active Directory ............................................................................... 261
VASCO DIGIPASS TOKEN CONFIGURATION ...................................................................................................... 263 Configure the RADIUS server in VACMAN Middleware..................................................................... 263 Add the SSL-Explorer Server to VACMAN as a RADIUS client......................................................... 265
10
Create Users in VACMAN Middleware ................................................................................................. 266 Importing Digipass Tokens to VACMAN ............................................................................................. 267 Assign Digipass Tokens to Users ......................................................................................................... 269 Test the Authentication Process .......................................................................................................... 270
SAFEWORD ..................................................................................................................................................... 272 Installing SafeWord ............................................................................................................................... 272 Configuring SafeWord ........................................................................................................................... 278 Configuring IAS ...................................................................................................................................... 281 Configuring SSL-Explorer...................................................................................................................... 283
RESOURCE MANAGEMENT..........................................................................................................286 INTRODUCTION..........................................................................................................................286
WHAT ARE RESOURCES? .................................................................................................................................. 286 RESOURCE WIZARDS........................................................................................................................................ 287 AVAILABLE RESOURCES .................................................................................................................................... 287 EXECUTING A RESOURCE .................................................................................................................................. 288
SSL-EXPLORER AGENT ...............................................................................................................289 WHAT IS THE SSL-EXPLORER AGENT? ............................................................................................................. 289
Communication with Browser .............................................................................................................. 289 Precautions ............................................................................................................................................. 290
STARTING THE AGENT...................................................................................................................................... 290 STOPPING THE AGENT...................................................................................................................................... 291 EXECUTING RESOURCES FROM AGENT............................................................................................................... 291
WEB FORWARDS ........................................................................................................................292 WHAT IS A WEB FORWARD? ............................................................................................................................ 292 TECHNICAL OVERVIEW ..................................................................................................................................... 293
Tunneled Web Forwards....................................................................................................................... 293 Replacement Proxy Web Forwards ..................................................................................................... 293 Reverse Proxy ........................................................................................................................................ 294
WEB FORWARD INTERFACE .............................................................................................................................. 294 Action Icons ............................................................................................................................................ 295
CREATING A NEW WEB FORWARD..................................................................................................................... 296 Configuring a Tunneled Web Forward ................................................................................................ 297 Configuring a Replacement Proxy Web Forward............................................................................... 298 Configuring a Reverse Proxy Web Forward ....................................................................................... 300
EDITING A WEB FORWARD ............................................................................................................................... 304 DELETING A WEB FORWARD............................................................................................................................. 304 OUTLOOK WEB ACCESS AND MAIL CHECK......................................................................................................... 305
NETWORK PLACES......................................................................................................................307 WHAT IS A NETWORK PLACE? .......................................................................................................................... 307
Web Folders............................................................................................................................................ 307 NETWORK PLACES INTERFACE .......................................................................................................................... 308
Action Icons ............................................................................................................................................ 308 CREATING A NEW NETWORK PLACE .................................................................................................................. 309
File Management ................................................................................................................................... 312 EDITING A NETWORK PLACE............................................................................................................................. 313 DELETING A NETWORK PLACE .......................................................................................................................... 313 WEB FOLDERS WINDOWS ACCESS.................................................................................................................... 313 ENTERPRISE DRIVE MAPPING ........................................................................................................................... 319
How does this differ from WebDAV? .................................................................................................. 319 Configuring Drive Mapping ................................................................................................................... 320
11
APPLICATIONS ...........................................................................................................................321 WHAT IS AN APPLICATION SHORTCUT?............................................................................................................. 321 APPLICATIONS INTERFACE ................................................................................................................................ 323
Action Icons ............................................................................................................................................ 323 PUBLISH A NEW APPLICATION........................................................................................................................... 323
General Tab ............................................................................................................................................ 325 Display Tab ............................................................................................................................................. 326 Mouse Tab .............................................................................................................................................. 326 Protocol Tab ........................................................................................................................................... 327 Advanced Tab......................................................................................................................................... 328
EDIT AN EXISTING APPLICATION ....................................................................................................................... 330 REMOVING AN APPLICATION ............................................................................................................................. 331 ADDITIONAL APPLICATION CONFIGURATIONS.................................................................................................... 332
Linux rdesktop........................................................................................................................................ 332 Microsoft RDP Client.............................................................................................................................. 333 NX Client for Windows .......................................................................................................................... 334 PuTTY for Windows ............................................................................................................................... 339 Remote Desktop Protocol (RDP) ......................................................................................................... 340 TN5250 AS/400 Terminal Emulator .................................................................................................... 341 Virtual Network Computing (VNC) ...................................................................................................... 342
SSL-TUNNELS .............................................................................................................................343 WHAT IS AN SSL TUNNEL? .............................................................................................................................. 343
Tunnel Types.......................................................................................................................................... 343 SSL TUNNELS INTERFACE ................................................................................................................................ 344
Action Icons ............................................................................................................................................ 344 CREATE A NEW SSL TUNNEL ............................................................................................................................ 345 EDIT AN EXISTING SSL TUNNEL ....................................................................................................................... 348 REMOVING AN SSL TUNNEL ............................................................................................................................. 349
PROFILES....................................................................................................................................350 WHAT IS A PROFILE? ....................................................................................................................................... 350 PROFILES INTERFACE ....................................................................................................................................... 351
Action Icons ............................................................................................................................................ 351 CREATING A NEW PROFILE ............................................................................................................................... 352 EDITING PROFILE PARAMETERS ........................................................................................................................ 354
Editing Session Details .......................................................................................................................... 354 Editing Agent Details ............................................................................................................................. 356
EDITING A PROFILE DESCRIPTION .................................................................................................................... 358 DELETING A PROFILE ....................................................................................................................................... 358
NETWORK EXTENSIONS.............................................................................................................359 WHAT IS NEXT?.............................................................................................................................................. 359
Typical Scenarios ................................................................................................................................... 360 System Requirements ........................................................................................................................... 361
NETWORK EXTENSION INTERFACE .................................................................................................................... 361 Action Icons ............................................................................................................................................ 362
CONFIGURING THE SERVER .............................................................................................................................. 363 DHCP Configuration............................................................................................................................... 367 Install Server TAP Driver ...................................................................................................................... 369
CONFIGURING THE CLIENT ............................................................................................................................... 371 Install Client TAP Driver........................................................................................................................ 373
ADDITIONAL CONFIGURATION .......................................................................................................................... 376 Enable Server IP Routing...................................................................................................................... 377
12
RUNNING THE SERVICE .................................................................................................................................... 378 Starting the Server Interface ............................................................................................................... 378 Connecting Client................................................................................................................................... 378 Windows Service.................................................................................................................................... 381
CREATING BRIDGED CONFIGURATION ............................................................................................................... 383 Creating the Server ............................................................................................................................... 383 Configuring SSL-Explorer Bridged Server........................................................................................... 384
SAMPLE SCRIPTS.............................................................................................................................................. 387 bridge-start.sh........................................................................................................................................ 387 bridge-stop.sh ........................................................................................................................................ 388
VIRTUAL HOSTS .........................................................................................................................389 WHAT IS VIRTUAL HOSTING............................................................................................................................. 389 VIRTUAL HOST INTERFACE ............................................................................................................................... 389
Action Icons ............................................................................................................................................ 390 CREATING A NEW VIRTUAL HOST...................................................................................................................... 390 EDITING A VIRTUAL HOST................................................................................................................................ 391 DELETING A VIRTUAL HOST ............................................................................................................................. 391
MICROSOFT EXCHANGE 2003 RPC/ HTTPS ...............................................................................393 WHAT IS THIS RESOURCE?............................................................................................................................... 393
What is RPC/HTTPS? ............................................................................................................................. 393 CONFIGURATION .............................................................................................................................................. 394
Pre-requisites.......................................................................................................................................... 394 Configuring SSL-Explorer as a RPC Proxy .......................................................................................... 394 Client Configuration............................................................................................................................... 395
WHAT IS OUTLOOK MOBILE ACCESS?............................................................................................................... 399 Configuring SSL-Explorer as a OMA Proxy ......................................................................................... 399
INTERNATIONALIZATION ..........................................................................................................400 WHAT IS INTERNATIONALIZATION? .................................................................................................................. 400 INTERNATIONALIZATION INTERFACE ................................................................................................................. 401
Action Icons ............................................................................................................................................ 401 Language Status .................................................................................................................................... 402
CREATING A NEW TRANSLATION....................................................................................................................... 402 EDITING A TRANSLATION ................................................................................................................................. 403 ACTIVATING A LANGUAGE................................................................................................................................. 405 TRANSLATE EXTENSIONS .................................................................................................................................. 405 SHARE LANGUAGES .......................................................................................................................................... 408 DELETING A TRANSLATION ............................................................................................................................... 408 LANGUAGE SELECTION ..................................................................................................................................... 408
SYSTEM FUNCTIONS ..................................................................................................................410 AUDITING...................................................................................................................................410
AUDITING INTERFACE ...................................................................................................................................... 410 Action Icons ............................................................................................................................................ 410
INITIALIZING THE AUDIT MODULE .................................................................................................................... 411 CREATING A NEW REPORT ............................................................................................................................... 413 RUNNING ONE-OFF REPORTS........................................................................................................................... 415 CHECKING AUDIT REPORT INTEGRITY............................................................................................................... 418 UPLOADING A REPORT TEMPLATE ..................................................................................................................... 419 CHANGING RECORDED EVENTS......................................................................................................................... 420
STATUS .......................................................................................................................................421
13
SESSION INFORMATION.................................................................................................................................... 421 STATUS INFORMATION ..................................................................................................................................... 421 NEXT CLIENTS ................................................................................................................................................ 422 OUTLOOK CLIENT ............................................................................................................................................ 422
MESSAGE QUEUE ........................................................................................................................423 WHAT IS THE MESSAGE QUEUE ........................................................................................................................ 423 MESSAGE QUEUE INTERFACE............................................................................................................................ 423 ENABLING A DELIVERY SYSTEM ........................................................................................................................ 424 SENDING A MESSAGE ....................................................................................................................................... 424 CLEAR MESSAGE QUEUE................................................................................................................................... 425
SHUTDOWN ................................................................................................................................426 SHUTDOWN THE INSTANCE............................................................................................................................... 426 RESTARTING THE INSTANCE ............................................................................................................................. 426
14
Preface
This preface introduces the SSL-Explorer: Administrators Guide, as such it has been broken down into the following sections:
• Document Objective • Obtaining Documentation • Documentation Feedback • Obtaining Technical Assistance
Document Objective This guide has two major objectives. The first is to provide all the relevant information required to install and configure SSL-Explorer. The second is to give additional information on the features available within SSL-Explorer once running. This guide applies to both the Community/Enterprise editions of SSL-Explorer – release 0.2.15 or greater. It should be noted that not all features are available in the Community Edition.
Audience This guide is for anyone who wishes to successfully install and administrate the SSL-Explorer VPN software. Although this is often people concerned with network administration, it may also be a useful indication to managers of the ease that SSL-Explorer can be deployed. This guide is expected to be useful if performing any of the following tasks:
• Installing a test/production SSL-Explorer server. • Evaluating SSL-Explorer as a potential SSL-VPN solution. • Reconfiguring an existing implementation of SSL-Explorer. • Adding or removing features to SSL-Explorer.
Related Documentation For more information refer to the following documentation:
• Knowledge Base Articles • Forum Posts
15
Document Organization This guide has been broken down into the following sections::
• Introduction • Installing SSL-Explorer • Installation Wizard • System Configuration • Basic Configuration • Access Control Administration • Resource Management • System Functions
For ease of reference these sections reflect the organization of the menu tree in the management console.
Document Convention The following conventions are used in this document:
• Courier font characters represent system commands • ‘ single quoted text refer to buttons on a corresponding web page
Icons used in this manual are as follows:
Note additional information pertaining to the subject matter
Alert important information that requires special attention
Obtaining Documentation 3SP product documentation and additional literature is available on http://3SP.com. 3SP Ltd. also provides several ways to obtain technical assistance and other technical resources. This section explains how to obtain technical information from 3SP Ltd.
3SP.com Additional articles and FAQ’s can be found at this URL: http://3sp.com/kb You can access the 3SP Ltd. Website at this URL: http://3sp.com
Note
16
Documentation Feedback You can send comments about technical documentation to [email protected] or by writing to the following address:
3SP Ltd. 3 The Glade Business Park, Forum Road, Nottingham, United Kingdom. NG5 9RW
We appreciate your comments.
Obtaining Technical Assistance For all customers, partners, resellers, or distributors who hold valid 3SP service contracts, 3SP Ltd. Technical Support provides prompt and dedicated technical assistance. The 3SP Ltd. Knowledge base on 3SP.com features extensive articles and FAQ’s on all 3SP Ltd. products.
17
Introduction
This chapter provides an overview of SSL-Explorer detailing the basic's of interacting with the system through the Management Console aswell as reasons why you might want to install SSL-Explorer.
Management Console The management console is the main point of interaction between the administrators of the system and the system itself. This chapter introduces the reader to the management console and details its various functions. The sections included in this chapter are:
• Purpose • Accessibility • Management Console Interface • Wizards • Selection Process • Getting Help • Amending Configuration Parameters
At the end of this chapter the reader should have an understanding of the management console and its purpose.
Purpose SSL-Explorer is broken into two views – the management view which this document discusses and secondly, the user view. The management view known as the management console contains all the necessary functionality to manage the workings of the SSL-Explorer instance. From this console the user has the ability to create items which will affect users of the system whether that refers to a small group of users or the entire user base of the SSL-Explorer instance. In addition, it is from this console that the monitoring, configuring and system management is carried out. From monitoring audit reports to modifying SSL-Explorer port configurations.
Secure Access Due to the system-wide affect of changes made through the management console, it is imperative that the console is accessible only by authorized administrators.
18
Accessibility Initially only the super user of the system will be able to access the management console. The super user has access to every task and action available in the console and with this right is assigned the task of creating accounts for his administrative team.
As the diagram above shows these administrative users are responsible for managing the system, creating users of the system and assigning resources and creating policies.
Restrict access to the Super User account After correct configuration of SSL-Explorer policies, the Super User account should no longer be required and access to this account should be locked down.
In order to carry out administrative tasks as creating policies and users the administrative users must be assigned administrative control; Delegation Permission or System Permission, detailed in a future chapter. Only then will the management console view become available. Users of the system mainly access the system via the user console to perform their daily tasks, accessing the internal network, creating application shortcuts, accessing internal files and documents in accordance with your access policies.
However this is not to say that a standard user of the system cannot access the management console. In fact as the above diagram shows, if given an appropriate delegation permission or resource permission a standard user will be able to access this console too.
19
Management Console Interface All system wide tasks are controlled through the Management Interface. To access this console simply press the Management Console icon in the task bar above. Both management and user console are broken into three distinct parts. These are as follows:
• Navigation Pane: This pane contains a dynamic menu listing all functions the user is authorized to access. The contents are dependent on the permissions granted to each user. It is always located on the left-hand side of the browser screen.
• Events Pane: This pane serves a number of purposes. It will show system messages, such as warning and errors, as well as any valid actions a user can perform. This pane is always on the right-hand side of the browser screen.
• Interaction Pane: This is the main panel of the SSL-Explorer application. It is where all items are listed as well as any actions that can be performed against them. Its content style changes between lists, wizards and tabbed views.
Areas of Functionality Within the management console, on the Navigation Pane (the left-hand side column), there are a number of groups. Each of these groups is explained in greater detail below.
• Configuration: This area holds the functionality that will affect the workings of the SSL-Explorer instance. The impact of this will normally be system-wide.
• Access Control: This controls aspects of how users can enter the system and what permissions they have within the system.
• Resource Management: Usable resources that impact the assigned policy. • System: Items relating specifically to the SSL-Explorer instance.
All necessary functionality pertaining to this document is located within the ‘Access Control’ area.
Super User Access The super user has access to all areas throughout the lifecycle of the instance. All other users have subsets of these areas which can alter throughout the lifecycle of the instance.
Note
20
Navigation Icons The icons at the top right of the page allow different areas of the system to be accessed, each icon is detailed below. Some of these icons are only accessible through the enterprise edition.
The Home icon takes the user back to their defined home page
The Management Console icon switches the view from the User Console to the Management Console.
The User Console icon switches the view from management console to user console. The scope of impact is reduced from system-wide to local user only.
The SSL-Explorer agent icon activates the agent. The agent creates secure channels during the execution of insecure resources.
The virtual keyboard icon enhances security by allowing all user input to be performed through a virtual keyboard. No key presses are use and so cannot be logged by a hacker.
The Help icon provides context-sensitive information to assist the user in understanding and using the current page.
The Log out icon exits the user from the application.
The options icon. This allows a user to reduce or increase the number of visible information windows on screen
Options Icon Selecting the options icon provides a list of all windows currently accessible.
Checking these will instantly remove or add the appropriate window. In addition the user can alter the language and profile currently in use from this window.
21
Wizards Wizards have been provided to make the task at hand easier by guiding the user through each step in the process. By the end of the steps the user should have the intended item that can be used within the system. Progressing through each step in a wizard is a simply matter of clicking the Next button at the bottom right of each wizard page.
Some wizards allow backward navigation. To step back to previous pages simply press the Previous button at the bottom right of each wizard page.
Cancel Process Any wizard from the Installation Wizard to the Resource Creation Wizard can be terminated at any time. Clicking on the Cancel button at the bottom of the progress pane will instantly end the wizard and no configuration changes will be applied.
Selection Process Some steps in the wizard require the user to add and remove items from a text box to a list box.
Listing All Items The asterisk ‘*’ symbol may be entered into a text box to list all available entries that can be assigned to the corresponding list box.
To add items in this process simply enter the name of the item, for example the account name, in the text box on the left, then select the Add button on the right.
The item will appear under the Selected list box to the right. If you wish to remove an item simply select the item name from the selected list box, for example Selected Accounts, then simply press the Remove button.
These buttons have been deliberately placed together and between two list boxes to help illustrate the behavior of the buttons, taking from the list of available items on the left/ top and moving them to the chosen items to the right/ bottom.
Note
22
Configure In some of the wizards the selection buttons also have an additional Configure button. This allows the user to enter another wizard to help complete the step of the current wizard.
Getting Help SSL-Explorer includes web-based on-line help. Clicking the Help button, at the top right corner provides details on where help can be found. In addition many parameters come with tooltips to help understand what a parameter requires.
Amending Configuration Parameters Amendment of configurable items within the system also has standard controls these are as follows: To accept a parameter change such as a proxy setting from System Configuration Server Setting
Web Server the page provides the apply button.
All changes made are stored and become the new default configuration settings for the current area. If the reset button is applied the system will revert back to this configured state until a new state is saved. To disregard any changes the configuration page provides the cancel button, pressing this will remove any changes made – before the apply button has been selected.
If any configurable parameters are amended incorrectly the reset button reverts the configuration page back to the last saved state, allowing the user to reconfigure the parameter(s).
23
SSL-VPN Overview
Before starting on the installation steps it is worth reviewing some of the technology that SSL-Explorer uses, complements and competes against. This chapter can be skipped by the reader who is eager to get on with the actual installation. The following chapter is useful as a remote access primer and also for gaining an understanding of where SSL-VPN solutions fit in with other similar remote access products. It also covers core concepts of the prevalent VPN technologies as well as describing their differences. Later, the differences between the Community and Enterprise Editions or SSL-Explorer are also covered.
Basic Technology Overview A Virtual Private Network (VPN) encompasses a number of methods for allowing the connection of network devices, over an often large geographical distance. The potential benefits of integrating a remote access policy and infrastructure are hard to ignore in many business organizations. These benefits are often reduced to simply better use of existing resources. The VPN technology can be further broken down into ‘Trusted’ and ‘Secure’ methods of communication. The ‘Trusted’ method generally involves the use of a dedicated ‘leased-line’ whereas the ‘Secure’ method uses a public network (also know as the Internet). A ‘Trusted VPN’ is normally cost prohibitive, especially when compared to ‘Secure VPNs’, so will not be discussed any further in this document. Secure VPN technology is often a more viable solution for fulfilling a remote access requirement. The two dominant types of ‘Secure VPN’ technology are currently IPsec and SSL. The following subsections describe each of these technologies further, finishing with a comparison of the two.
IPsec VPNs IPsec was first proposed in the mid-nineties and has subsequently been revised a number of times. It has been designated as a mandatory part of IPv6 and is currently optional in IPv4. IPsec can run in either transport mode or tunnel modes, both have significantly different implications particularly with regard to security. All data transmitted is encrypted and therefore secure although there have been issues with the use of keys within this standard. As with SSL, IPsec uses tunnels to make a connection between two endpoints. A typical deployment will consist of one or more VPN gateways, providing full and unrestricted access to the networks to which they are authorized access. VPN client software must be installed on each remote access user’s computer. The VPN client is configured to define which packets it should encrypt and with which gateway it should build the VPN tunnel. It is argued that this makes this method more secure as it is more complex to configure, though this argument does not really stand up to scrutiny. One agreed downside though is the additional costs when maintaining such a system. These costs normally appear as additional support time, user downtime and remote access network maintenance. IPsec works at the Network Layer of the OSI Model which means it operates independently of the applications that may use it. IPsec encapsulates the original IP data packet with its own packet hiding all application protocol information. Once a tunnel is created, any number of connections and protocol types (web, email, file transfer, VoIP) can flow through it. The connecting client becomes a full member of the corporate network, able to see and access everything; even printers.
24
SSL-Based VPNs Originally developed by Netscape, the SSL protocol was revised by IETF to create the TLS 1.0 standard. The TLS has matured to version 1.1, but at the time of writing only the Opera web browser currently supports the 1.1 implementation. That said, the 1.0 version is very well supported and in widespread use. The terms ‘TLS’ and ‘SSL’ are interchangeable, though ‘SSL’ is often used in preference and will be for the remainder of this document. Although the SSL protocol resides further up the OSI stack than the other protocols, SSL does not suffer from any major disadvantages. If anything, it can offer significant advantages mainly due to its flexibility. One example of this being that SSL is supported by all major browsers, therefore the issue of client-side support for this VPN technology is covered by default. One of the key strengths of SSL lies in its ability to authenticate both the client and server. This is achieved during the initial ‘handshake’ routine where both parties identify themselves using digital certificates. In addition to authentication, the handshake process generates session keys which are used to encrypt any messages during the session. The use of the SSL protocol provides these VPNs with a secure channel between client and server that is transparent to the end user. No additional software is needed and no client application needs installing on the remotely accessing client computer. In fact since most web browsers support SSL, it is no exaggeration to state that virtually every modern computer is already equipped to connect to and take advantage of the applications and services provided via an SSL VPN gateway. Due to the lack of explicitly installed client-side VPN software (in direct contrast to IPsec), SSL VPNs are often referred to as being ‘clientless’. Although technically a misnomer, the use of this term is highly indicative of the transparency of this new VPN technology.
IPsec vs. SSL VPN There is much debate as to what method is better - IPsec or SSL. This being the case it is wise to firstly look at the factors agreed upon by both sides.
• IPsec technology is normally hindered by the burden of having to deploy, manage, and maintain a client-side application on each remote computer that wishes to access the gateway VPN. Its inability to effectively provide granular access to a network has also impacted it and as a result, most organizations tend to limit the use of IPsec remote access to a relatively small portion of their user base.
• In contrast, SSL VPNs take advantage of ubiquitous browser support and dynamically
downloaded modules to achieve the client end of an encrypted session. This introduces greater flexibility as it relieves the limitation of which computers have preinstalled client software. Home computers, computers on customers’ premises and even Internet café’s can now be utilised to achieve secure remote access.
As a result of this, IPsec implementations will often cost more to maintain. It should be noted that the true costs and benefits of using a particular method are often hard to quantify. Care should be taken in order to realistically balance cost versus the actual security benefits offered.
SSL-Explorer SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. First released in 2004, the project has grown to a stage where the software now receives around ten thousand
25
downloads per month. The project is one of the few software-only SSL VPN solutions and already delivers a feature set equivalent to or better than a number of the purely commercial vendors in this market. In direct contrast to other vendors, 3SP Ltd – the developers of SSL-Explorer – work closely with their users in the open source community and constantly entertain ideas for enhancements or feature requests. This closeness between users and developers has resulted in a tight knit community following behind the software and its popularity is growing all the time. The software itself is very easy to use, with a focus placed upon usability. 3SP understands that software that is unnecessarily difficult to use, will most likely never actually be used. A powerful, extensible design also makes third party contributions in the form of ‘extensions’ possible. Many of the new features and commercial features may be seamlessly installed in this manner, meaning that users can install just the components that they need, without unnecessary complexity. SSL-Explorer currently offers Active Directory integration, LDAP and remote desktop access, as well as web forwarding via a number of methods. System administration is done via SSL-Explorer’s powerful policy-based access control infrastructure, and privileged users have the ability to grant access to resources right down to the actions that can be performed on a specific resource. SSL-Explorer’s nEXT (Network Extension) feature offers full network access to corporate resources. A number of additional tasks can be performed when using nEXT over and above the functionality offered by a basic, browser-launched SSL VPN tunnel. To summarize, SSL-Explorer is a fully-featured, end-to-end SSL-VPN without the added expense or the rigidity of fixed hardware appliances.
SSL-Explorer The leading browser-based, open source SSL VPN solution.
Note
26
SSL-Explorer Editions There are currently two versions of SSL-Explorer.
• SSL-Explorer: Community Edition - SSL-Explorer: Community Edition is an entry-level platform that has been designed for smaller businesses that find it difficult to justify the costs involved with using the expensive solutions provided by alternative vendors. The core functionality of SSL VPN is provided in an easy-to-use package that can be installed in minutes. This edition is licensed under the GNU General Public License (GPL) which allows use of the software in a commercial or non-commercial environment without payment of any licensing fees. Commercial support is also now available for this edition.
• SSL-Explorer: Enterprise Edition - The Enterprise Edition is designed for those
organizations that require enhanced features and dedicated commercial support. Cutting edge features are included such, virtual keyboards, enterprise drive mapping, a host of highly recognized and secure authentication schemes but to name a few. SSL-Explorer Enterprise Edition is at the height of SSL-VPN technology with a continually growing list of add-in functionality and features. Enterprise Edition is not open source, but it builds upon and extends the trusted open source foundation of the Community Edition.
27
Deployment
Understanding the environment is key to creating a successful SSL-Explorer deployment. In this chapter a number of deployment scenarios – as well as information on security technologies - are discussed. It is in no way meant to provide a recommended deployment structure but merely to provide the reader with an idea of what to consider when deploying SSL-Explorer. If you have already considered the environment you can always skip to the next chapter. Specifically this chapter will cover:
• Deployment Scenarios • Deployment Considerations • Summary
Deployment Scenarios The following diagrams have been provided to show some basic SSL-Explorer deployments. A brief description of some of the more major characteristics is also provided. The actual firewall configuration required to access SSL-Explorer from the internet is covered later in Chapter 13.
Non-DMZ The first diagram depicts an installation of SSL-Explorer behind only a firewall. Typically all port 443 (standard SSL port) traffic is passed through the firewall to the SSL-Explorer instance. A proxy server could easily be included by placing it on the Internet side of the SSL-Explorer instance should it be required. As the SSL-Explorer server simply sits behind the firewall all port 443 traffic passes through unchecked. This being the case care should be taken to ensure that unwanted traffic is dealt with correctly.
28
Within the DMZ In this instance SSL-Explorer sits within the DMZ. Access is made through the firewall securely on port 443. Any access to resources on the trusted network requires another port to be opened on the firewall. This allows for traffic to reach the resource as there is no direct connection for the VPN to the internal network.
Source: Kindly submitted to 3SP Ltd. by Simon Drake.
Behind the DMZ With this diagram SSL-Explorer has been placed behind the DMZ, on the trusted part of the network. Traffic enters the DMZ and is terminated at the router. The IP address is now translated to a new DMZ specific address. The DMZ can carry out authentication and then if successful forward the traffic further with yet another address and routed to SSL-Explorer which is placed within the trusted network. This is very similar in its characteristics to the Non-DMZ deployment described earlier.
29
Deployment Considerations The decision of where to place SSL-Explorer on the corporate network depends on many factors. The diagrams offered in the previous section each have their own specific characteristics, both good and bad. Ultimately it is a matter of balancing current equipment, budget (if present) and value of assets being accessed. The following list is not meant to be exhaustive but should give an idea of some more important considerations when deploying SSL-Explorer.
• Any applicable statutory requirements or compliance regulations. • SSL-Explorer performance (WAN speed, server CPU and memory etc.). • Failover/redundancy (UPS, backups, hardware failure etc.). • Corporate security policy (DMZ, Air Gap technology etc.).
Summary It is essential when installing any VPN technology that the proposed deployment is well understood. This helps ensure that the service behaves as expected as well as allowing for better management of risk or threat. SSL-VPNs provide a great benefit to the ever expanding and mobile business but as with any solution, if not properly deployed it could become more of a hindrance than a benefit. Much information is available on security approaches and considerations, as shown in RFC 2196 (Site Security Handbook. B. Fraser. September 1997). This is obviously only one source of information and many others exist. Many forums have been created that aim to provide information as well as support with self help. Even when implementing a ‘complete’ solution it is wise to have at least considered some aspects of this chapter.
30
31
Installing SSL-Explorer
This section guides an administrator through the process of installing SSL-Explorer for both editions: Community and Enterprise. Notes on upgrading and starting the instance are also detailed. By the end of this chapter the reader will have a fully installed SSL-Explorer VPN server on their target machine.
Installation The chapters covered are:
• Installation Pre-requisites • Installation of SSL-Explorer • SSL-Explorer: Community Edition - Source Code Installation • SSL-Explorer RPM Installation on RedHat 8.0 • Upgrading SSL-Explorer • Managing the Instance • Accessing the Instance • Server Migration
Installation Prerequisites The SSL-Explorer server requires the Java Runtime Environment (JRE) 5.0 to operate this can be downloaded freely from the Java website http://java.sun.com/j2se/1.5.0/download.jsp. This is only a requirement on the server side. Your clients can connect from any Java-enabled browser, including early versions of Internet Explorer that use the Microsoft VM.
Clean installation If using a clean installation of your chosen operating system it is strongly recommended that all service packs, updates, patches and hot-fixes be applied.
Installation of SSL-Explorer This section explains the steps required when using the standard SSL-Explorer installer. The process is identical for both Community and Enterprise editions of SSL-Explorer. The process is also virtually identical on Windows and Linux operating systems. Instructions for installing the Source Code distribution of SSL-Explorer: Community Edition follow later.
32
Step 1 Ensure that you are logged onto an account with the correct permissions to enable the running of an installation program. Locate the SSL-Explorer installation program and run the appropriate process below: • Windows: Simply double-clicking on the SSL-Explorer icon will launch the application. • Linux: Execute the SSL-Explorer script file by simply typing, from the same directory,
“./sslexplorer_linux_0_2_8.sh” This will start the installation program and display the following screen.
Step 2 If the SSL-Explorer installation program is unable to locate the Java environment the following message is displayed.
Step 3 Simply click on the Download button in order to retrieve the required Java environment or
alternatively select the path to an existing valid Java installation by using the locate button. The following screen shot shows what happens when selecting the download option.
33
Step 4 Once the download is complete the following screen is displayed automatically.
Step 5 Now click the Next button to advance to the next screen.
Step 6 If you agree to the licensing agreement select the, I accept the agreement radio button. This enables the Next button which should now be pressed. This then displays the following screen.
34
Step 7 Once you have selected where SSL-Explorer is to be installed simply click the Next button.
35
Step 8 This screen shows the components to be installed. There is only Program files displayed which can not be de-selected. No changes to this page can be made so just press the Next button.
Step 9 This screen allows the selection of a Start Menu Folder. By default Start Menu Shortcut are created for all recognised system users. Once the Folder has been selected simply press the Next button. This the displays the Installing screen as shown below.
36
Step 10 This screen will close automatically and display the following screen.
Step 11 Clicking the Launch button triggers the launching of the web browser.
Step 12 The systems default browser will normally be started automatically, as shown below. If not enter http://localhost:28080 as the browser address.
37
SSL-Explorer on Microsoft Windows XP with Service Pack 2 When installing SSL-Explorer on a Windows XP machine with Service Pack 2 installed, the browser will not be able to connect if the Windows Firewall is enabled. It is recommended in any case that the SSL- Explorer server should not be acting as both firewall and VPN server. If such a problem is encountered, check whether the problem disappears when the firewall has been disabled.
Step 13 There are a number of steps to complete the browser based installation wizard. These are covered in Section 2 of this guide. Once these have been completed close the browser which will show the previously mentioned screen, as below.
38
Step 14 Just click the Next button which will show the following screen.
Step 15 Now that the installation is complete it only remains for the Finish button to be clicked. This closes the installation screen. The SSL-Explorer instance is automatically stopped when leaving the web based installation wizard. Further information is available on using the SSL-Explorer service in the remaining sections of this chapter.
39
SSL-Explorer: Community Edition - Source Code Installation Both the Community and Enterprise versions are shipped with standard binary installers like many applications. Some users may however wish to run the source code distribution of SSL-Explorer: Community Edition. We recommend that most users simply use the standard installation package for the simplest installation. The following installation method is for advanced users only.
Pre-requisites • To build the SSL-Explorer: Community Edition source code an installation of Apache ANT
is required, this can be downloaded from the Apache website, http://ant.apache.org. • The Ant toolkit relies on the Java Development Kit (JDK) to run successfully. SSL-Explorer
itself also requires a Java environment to work in, in particular version 1.5.0 or above. The JDK can be downloaded freely from http://java.sun.com/j2se/1.5.0/download.jsp.
This distribution contains only source code, therefore the installation process must include the compilation of these files into an executable application. The following steps describe how to do this.
Step 1 Define the environment variables. The application has dependencies on two freely available tools, the Java runtime and the Apache Ant build tool these should already have been downloaded and installed. It should be noted that the variables created in this way only exist for the current session. If the build process should be interrupted in any way the environment variables will need to be re-entered.
Accessing Environment Variables in Windows Windows users can access Environment Variables through the GUI by selecting “Start (Right Click) My Computer Advanced (Tab) Environment Variables (Button)”. This opens an interface that allows for the creation, deletion and maintenance of system variables. This will permanently create environment variables.
Open a command prompt or shell window in the appropriate Operating System and configure the JAVA_HOME variable executing the following command appropriate to your Operating System:
• Windows: set JAVA_HOME=<Java install directory> • Linux: export JAVA_HOME=<Java install directory>
Where <Java install directory> is the home directory of the installed JRE. Also add the environment variable for ANT_HOME:
• Windows: set ANT_HOME=<Ant install directory> • Linux: export ANT_HOME=<Ant install directory>
Where <Ant install directory> is the home directory of the installed Ant build tool.
Note
40
To run Ant from the SSL-Explorer directory the bin directory must be specified in the Operating Systems Path variable.
• Windows: set PATH=%PATH%;%ANT_HOME%\bin • Linux: PATH=${PATH}:${ANT_HOME}/bin
The Ant tool relies on Java to work and so the Java executables must be accessible through the Path variable:
• Windows: set PATH=%PATH%;%JAVA_HOME%\bin • Linux: PATH=${PATH}:${JAVA_HOME}/bin
To check that all parameters have been defined successfully use the SET or ECHO commands as shown below:
• set This displays all the system variables, locate those defined. • echo %PATH% (Windows)/ $PATH (UNIX)
Step 2 Run the build script. Locate the SSL-Explorer installation directory and from the root directory
execute the script using the following command: <SSL-Explorer Installation directory>/ ant install This will begin compiling the source code and produce compilation information much like the screenshot below.
Step 3 Once completed the installation will automatically attempt to start a browser pointing to the Installation Wizard. As shown below a message will appear displaying the URL for the Installation Wizard. If a browser does not open then a browser will have to be manually opened and pointed to the URL
The Installation Wizard page below continues the installation process by configuring the newly installed instance.
41
This wizard guides the user through the steps required to successfully configure SSL-Explorer. Information on the Installation Wizard can be found in part two of this document, ‘Installation Wizard’. SSL-Explorer on Microsoft Windows XP with Service Pack 2 When installing SSL-Explorer on a Windows XP machine with Service Pack 2 installed, the browser will not be able to connect if the Windows Firewall is enabled. It is recommended in any case that the SSL- Explorer server should not be acting as both firewall and VPN server. If such a problem is encountered, check whether the problem disappears when the firewall has been disabled.
Configuring a Service The Community Edition comes with a script that can be used to execute the SSL-Explorer server as a background service so that it is automatically started upon booting of the host Operating System. To configure SSL-Explorer to run as a service, issue the following command:
ant install-service This is another target present within the build.xml file. The target detects the Operating System and executes the appropriate instructions to install the SSL-Explorer server as a service. Steps on managing the SSL-Explorer service on both Operating Systems are detailed below.
42
SSL-Explorer RPM Installation on RedHat 8.0 This guide takes you through the RPM installation process on Red Hat Linux version 8.0. You will need to download the RPM version of SSL-Explorer named sslexplorer_linux_rpm_x_x_x.zip.
Step 1 Download the Java 5.0 JRE and follow the instructions for installation. Step 2 Change directory to the location of your SSL-Explorer RPM package.
Step 3 Install the SSL-Explorer either by double-clicking on its icon using the Nautilus file browser, or by executing the following command: rpm -i ssl_explorer_0_1_14.rpm
Step 4 The rpm will begin installing SSL-Explorer. This will be installed to /opt/sslexplorer. Change to this directory in your terminal.
Step 5 If you would like SSL-Explorer to be configured as a Red Hat service, execute the following
command: /opt/sslexplorer/platforms/linux/install-service
Step 6 Run the SSL-Explorer configuration utility as follows: ./install-sslexplorer
Step 7 This will provide you with a URL which you will need to enter into your browser to begin the installation wizard:
Step 8 This wizard will guide the user through the steps required to successfully configure SSL-Explorer. Information on the Installation Wizard can be found in part two of this document, ‘Installation Wizard’.
43
Step 9 Once you have configured SSL-Explorer to your preferences you are now ready to start the SSL-Explorer server. Refer to the chapter titled Managing the Instance section, Managing Linux Service.
Upgrading SSL-Explorer Step 1 Shutdown server. This can be done either from the management console (System → Shutdown) or
specific to each operating system: • Windows: From the services window (Control Panel → Administrative Tools → Services)
select the SSL-Explorer service and press stop • Linux: From the shell run: 'service sslexplorer stop'
Step 2 Run the installer of the latest SSL-Explorer version you downloaded. This will guide you through the
standard installation process steps 4 – 7 under section Installation of SSL-Explorer. Step 7 asks for an installation directory, the original directory should be chosen. A prompt will be shown asking if you wish to overwrite the existing directory much like the image below:
You should select Yes. The installation wizard should identify the currently installed configuration files and prompt whether you wish to keep or remove these:
You should select Yes if you wish to keep your current configuration details such as certificate details, database settings etc. Selecting No will install a fresh install of the new version, the extensions should not be affected.
44
You should continue with the remaining installation steps.
Installation Wizard can be Skipped There is no need to work you way through the installation wizard again if the current information is fine. Simply press Cancel in the wizard, this will move to the end of the wizard requiring the server to be restarted. The remaining installation steps can be continued with.
Upgrading from 0.1.16 to 0.2.x This upgrade applies to versions 0.1.16 and above of SSL-Explorer being upgraded with a target of SSL-Explorer version 0.2.5 and onwards.
Step 1 Run uninstall from SSL-Explorer program group. This will leave the current data intact.
Renaming Old Installation If you wish to use the same installation location then rename the remaining SSL-Explorer folder. Currently this still holds personal data which will be used by the Upgrader tool to transfer to the new installation.
Step 2 Windows 2000 users will need to now reboot in order to properly remove the old service
Step 3 Install SSL-Explorer, completing the install wizard and then starting the service and logging in at least
once to ensure configuration was successful.
Step 4 Once satisfied that the installation has been successful shutdown the service.
Step 5 From the SSL-Explorer program group run the Upgrader tool.
Note
Note
45
Step 6 Complete the Source parameter which is required and defines the location of the old SSL-Explorer installation. The tool will detect the installation and present a number of additional options. These options detail what resources require transporting across to the new installation. Select the appropriate ones.
Step 7 Once done select the Start button to begin the transfer. The upgrader provides output of its progress.
Step 8 Once completed the SSL-Explorer instance can be restarted. When resources are transferred they are not attached to any policies. All resources should be reviewed and resources reassigned. Web forward resources transferred will lose their current credentials flag. To replicate this behaviour add ${session:username} and ${session:password} replacement variables into the authentication details.
46
Managing the Instance There are a few pre-requisites that must be fulfilled before continuing with this topic, these are highlighted below:
• Complete installation of SSL-Explorer: If this has not been accomplished yet please refer to the topic titled, ‘SSL-Explorer Installation’.
• Successful configuration of SSL-Explorer: If this has yet to be achieved please refer to the section titled, ‘Installation Wizard’.
SSL-Explorer can be started either from the build script or as a service both are detailed below.
Build Scripts SSL-Explorer comes with a main script called build.xml that is situated at the root path of the SSL-Explorer installation. It contains all the necessary targets to manage the instance. The targets and their purpose are detailed below:
Start Server
• Start: The instance is started and runs quietly in the background without any console. • Console: SSL-Explorer runs in the foreground with a console showing trace information.
Killing the console will result in termination of the server. These commands are executed with the ant tool; for example:
ant start Your location should be where the build.xml file is (usually in the home directory of the installation).
Stop Server
The only target available for this is the ‘stop’ target and is executed as follows:
ant stop The more appropriate way would be to use the Shutdown or Restart functions available from the running instance under Management Console Shutdown.
47
Managing the Windows Service If the SSL-Explorer instance has been configured to use the default SSL port to listen on (443) then the World Wide Web Publishing service, if running, should be disabled. This service also uses the default SSL port and so, if running, will prevent any other service from starting which also requires the use of port 443. As shown below the Services window should be opened, Control Panel Administrative Tools Services, the service located and bringing up the Properties page (right-click on service name) the Service Startup Type should be set to Disabled.
48
Determining the Service Status To determine the state of the service locate the SSL-Explorer service through the Services dialog (Control Panel Administrative Tools Services), as the diagram below shows and to the right of the Service is the Status tab which indicates whether the service is Stopped or Started.
Start Service
If the Service Status is set to Stopped right click the SSL-Explorer Service and select Start as shown above.
Stop Service
If the Service Status is set to Started the service can be stopped by right clicking the SSL-Explorer Service and select Stop. However it is more appropriate to use the Shutdown or Restart functions available from the Management Console of SSL-Explorer (Management Console Shutdown).
49
Managing Linux Service
The command used for the management of SSL-Explorer as a service is the service command. This command works on various flavors of Linux distributions such as Red Hat, Debian, Ubunto, Suse, Slackware plus others. If your Operating System does not support this command please check the available documentation for your distribution on how to manage services.
Determine Service Status
Red Hat uses the service command to determine information on a Service. For Linux distributions that support this command, the Red Hat command below can be used. For others the standard ps command may be substituted.
• Red Hat: service sslexplorer status • Other Linux: ps –ef If running an SSL-Explorer entry should be listed.
Start Service
The service command also allows us to start a service, as shown below. Again those distributions which support this command should use the command below, and for others an equivalent command should be used.
• Red Hat: service sslexplorer start
Stop Service
The service command can also be used to stop the service. Operating Systems that do not support this command must use any other equivalent service command.
• Red Hat: service sslexplorer stop
50
Accessing the Instance Once SSL-Explorer is running we may now try to connect using a web browser.
Step 1 Interaction between users and the SSL-Explorer server is done through a standard browser such as Internet Explorer or Firefox. To connect simply open a new internet browser.
Step 2 Enter the URL below replacing the <hostname> with the fully qualified hostname of the machine
running the instance. https://<hostname>:<port> The <port> variable requires the port number defined during configuration if the default 443 has not been chosen. If the server has been configured successfully then the browser will connect to the instance, a logon screen should be presented much like the image below:
Using your Active Directory or built-in credentials (depending how you configured the SSL-Explorer server in the Installation Wizard) you will be able to log into the server.
51
Server Migration If in the event you need to migrate SSL-Explorer to another server the steps are as follows:
Step 1 Disable any enterprise edition authentication schemes on the current server installation Step 2 Install, on the target server, the same version of SSL-Explorer using the same folder locations as the
current installation
Step 3 For enterprise edition installations take a copy of your license file which should have been emailed to you during your purchase and copy it to the target server
Step 4 From the current server copy the <SSL-Explorer_HOME>/conf folder
Step 5 Take a copy of the <SSL-Explorer_HOME>/db folder from the current server
Step 6 Copy these two folders to the same location in the new target server
Step 7 Start the SSL-Explorer server on the new server
Step 8 Log into the new instance as Super User
Step 9 Navigate to the license manager (Configuration -> License Manager) and upload the original license
previously copied over.
Step 10 Restart the service
52
53
Installation Wizard
This section provides details on how to configure the SSL-Explorer instance, once the server has been installed all new installations are forced to go through the installation wizard. For upgrades this process is not automatically initiated after an upgrade, instead an administrator can start the installation wizard by running the exe from the installation directory. .
Certificate Management SSL certificates give a website the ability to transmit data to and from SSL-Explorer securely. This chapter provides details on the first step of the configuration wizard in which SSL certificates are set up. The sections included are:
• Protecting Private Data • Configure Certificate Interface • Create New Certificate • Import Existing Certificate
By the end of this chapter you should understand what an SSL certificate is and what it is used for. More importantly you know how to successfully configure a certificate for an SSL-Explorer instance.
Protecting Private Data Secure Socket Layers (SSL) is a secure data transmission protocol that is used for protecting sensitive information across public networks such as the internet. Every email that you send, every website that you visit, every piece of data that you send may be seen by more than just the intended recipient if the data is not secured. The SSL protocol is the means by which this information can be secured. SSL is the standard, trusted protocol for internet security, and working without it is like sending your data through the mail on the back of a postcard.
What is an SSL Certificate? SSL certificates are used to verify the identity of a web server before securely exchanging any sensitive data. Without such a certificate, any information sent to a website could potentially be intercepted and viewed by a malicious user. A SSL session always begins with a cryptographic exchange of messages known as the SSL handshake. The handshake allows the server to authenticate itself to the client by using a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a browser points to a secured domain, the secure handshake authenticates the server and client using the certificate. If the information does not match or the certificate has expired, the browser displays an error message.
54
If successful the handshake then establishes an encryption method and a unique key for the session. This key is used subsequently for rapid encryption, decryption, and tamper detection during the session. Once the exchanges are complete both parties can then begin a secure session that ensures a high degree of message privacy and integrity. Further information can be found in the SSL-Explorer: Configuration Guide under the chapter titled SSL-Certificates.
Certification Authority Without SSL encryption, packets of information are transmitted across networks in ‘plain text’ meaning that they are vulnerable to interception. We have already learnt how SSL provides protection for the data in transit across the internet, but there are other attacks that you could still fall vulnerable to. For example, imagine that an attacker was able to set up a VPN server that looked and behaved identically to one of your own trusted servers. If that individual was able to use one of the many social-engineering techniques to convince your staff to log-on to that server, he would likely be able to successfully harvest user credentials for a later, potentially damaging attack on your network. Thankfully, this does not have to be the case. In this modern era, we have a way of verifying that a secure server is exactly ‘who’ it proclaims to be. Every SSL certificate that is assigned to a particular server on a specific hostname must be for a verified business entity. Much like a passport or a driver’s license, SSL certificates for web servers are issued by a trusted third party known as a ‘Certification Authority’ (CA). Certification authorities are independent and trustworthy entities responsible for issuing and managing digital certificates. It is the role of the CA to verify an individual or organization’s identity and their claim to the hostname to which the certificate is to be registered. By digitally signing the issued certificates, the CA guarantees the legitimacy of the data held in them. Since all participants of a public key infrastructure must trust the CA, they can also trust the issued certificates and the public keys of other participants.
55
Configure Certificate Interface Step one allows the set up of an un-trusted certificate or alternatively import a trusted certificate issued by a CA. Each one of these options is further detailed.
Use Current Certificate Every subsequent execution of the installation wizard will result in an extra option becoming available, ‘Use Current Certificate’. This allows the original certificate created or imported during the previous configuration process to be used again.
Create New Certificate With this option SSL-Explorer can generate a self-signed certificate. With the additional assistance of a CA this certificate can later be converted to a trusted certificate. We will cover this process later. This self-generated certificate provides all the same functions as a certificate obtained from a CA but by being un-trusted, this will cause the browser to display an ‘un-trusted root CA certificate’ security alert (much like the one below) during log-on.
Note
56
To produce an ‘un-trusted’ certificate follow the steps below.
Step 1 The first thing required to create an ‘un-trusted’ certificate is a ‘passphrase’. This will be used to encrypt the generated keystore.
The passphrase must be at least 6 characters. A system message will appear on the message pane if not.
Keystore and Certificates A keystore contains one or many SSL certificates and is encrypted by a passphrase.
Note
57
Step 2 The actual content of a certificate is merely information on the owner of the certificate and information detailing in what capacity the certificate is to be used. The next step simply requires this information as can be seen below:
Each configurable parameter is detailed:
• Hostname: The hostname of the SSL-Explorer server running the instance. • Organizational Unit: The logical unit or department using certificate. • Company Name: Name of company using certificate. • City: The city in which the company is located. • State: The state in which the company is located. • Country code: Country such as GB=Great Britain.
All the information is required to generate an un-trusted SSL certificate.
Certificate Generated when Wizard Completed The installation will not generate the certificate until all the other steps are complete. This means that at any time in the installation process you can step back and alter your certification options and configuration details.
What is a Keystore? A keystore is a key database file that contains both public keys and private keys. Public keys are stored as signer certificates while private keys are stored in the personal certificates. Keys are used for a variety of purposes mainly for authentication and data integrity.
Note
58
Import Existing Certificate This option allows for the importing of pre-existing certificates. If you have already obtained a signed certificate from a CA, SSL-Explorer can import it using this option.
Each configurable parameter is detailed:
• Type: The certificate can be either JKS or PKCS12 • Passphrase: Passphrase protecting the importing certificate • Alias: A name that will be used by SSL-Explorer to represents the certificate • Filename: The actual certificate that relates to all the information provided above
Your CA authorized certificate has now been imported. Only when the installation wizard is complete will the certificate will be used by SSL-Explorer.
59
User Databases
All user data used and managed by SSL-Explorer must be stored somewhere. SSL-Explorer allows the configuration of a number of databases to store this information. This chapter provides information on each of the following databases:
• What is Active Directory? • What is HSQLDB? • What is LDAP? • What is NIS?
Further to this how to configure the following databases:
• Configure User Database Interface • Configuring the Built-in User Database • Configuring Active Directory • Configuring Enhanced Active Directory • Configuring LDAP • Configuring NIS
By the end of this chapter the reader should have an understanding of each type of database and be able to configure the appropriate one that suits their particular requirements.
Additional Databases SSL-Explorer can be configured with databases other than those above for details refer to the 3SP Knowledge Base at http://3sp.com/kb.
What is Active Directory? Active Directory is the directory service used in Microsoft Windows 2000 and later versions. It refers to a directory where information about users and resources are stored and that lets you access and manipulate those resources. Active Directory is a way to manage all elements of a network, including computers, groups, users, domains, security policies, and any type of user-defined objects.
Active Directory within SSL-Explorer Employing Active Directory with SSL-Explorer enables the integration of an organization’s existing Microsoft Windows user and group hierarchies, allowing users to be authenticated with their previously created Windows domain credentials and roles. For a large organization with many users this removes the headache of creating new authentication passwords and usernames all over again.
Note
60
SSL-Explorer community edition comes with the basic Active Directory module which allows basic actions as connecting and using the users installed in an existing database. SSL-Explorer Enterprise has an additional Enhanced Active Directory module which allows the administration of Active Directory from within SSL-Explorer; all administrative actions are reflected back to the actual Active Directory service.
What is HSQLDB? HSQLDB is an open source Java-based SQL relational database that is used by SSL-Explorer. The product is currently being used as a database and persistence engine in many commercial and open source projects and products. It is best known for its small size, its ability to execute completely in memory, and lastly, its flexibility and speed.
HSQLDB within SSL-Explorer The HSQLDB database is used as SSL-Explorer’s internal built-in database. This lightweight, fast database is perfect for an organization that wishes to create and manage users solely from and for SSL-Explorer only. The SSL-Explorer management console also provides an easy-to-use interface to manage your users and policies. Since the built-in database is not linked to any external application as with Active Directory, policies and users can be created, removed and modified all from one single point - the management console.
What is LDAP? Lightweight Directory Access Protocol is a standard method for communicating with a database. It is a software protocol which allows for fast search and retrieval of data. LDAP represents stored data in a directory structure much like a phone book. This makes it perfect for systems with high levels of search and retrieves actions but not so well for systems which rely on a high degree of data updates. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500 – a standard for directory services in a network.
LDAP within SSL-Explorer In order to use SSL-Explorer with LDAP you must have a fully working and configured LDAP service. During installation, the SSL-Explorer VPN server will attempt to communicate with service using parameters supplied. Since the LDAP service is tied into a third-party product such as OpenLDAP, SSL-Explorer itself cannot assign groups or accounts to the directory. Instead, user and role management must be done outside of SSL-Explorer using your LDAP directory browser.
SSL-Explorer: Enterprise Edition Feature The LDAP user database is only available with SSL-Explorer: Enterprise Edition.
What is NIS? NIS also known as yellow pages is a client-server directory service protocol for distributing amongst other things hostnames and users between computers in a network. In a common UNIX environment the list of users for identification is placed in /etc/passwd, and secret authentication hashes in
61
/etc/shadow. NIS adds another “global” user list which is used for identifying users on any client of the NIS domain.
NIS Database with SSL-Explorer To use SSL-Explorer with NIS you must a have a NIS service fully running. Even though SSL-Explorer can use the accounts provided it cannot assign groups or accounts, removal of users and roles can only be done outside of the SSL-Explorer.
Configure User Database Interface The database configuration page lists the available databases.
62
Configuring the Built-in Database Configuring the built-in database is very simple; just select the ‘Built-in’ option on the ‘Configure User Database’ page. That is all there is to it. All configurations of the database itself are done internally by SSL-Explorer. As this is a new database, once SSL-Explorer is up and running you will have to create all necessary users and groups from the management console. With the built-in database you will also be able to edit and remove users and roles directly from SSL-Explorer.
Configuring Active Directory Active directory configuration is divided into three distinct tabs.
The first of these is the configuration tab.
The following information is required:
• Domain Controller Hostname: The primary Active Directory service domain in the form of, example.3sp.co.uk. The entry must be lowercase.
• Backup Domain Controller Hostnames: if backup domain controllers have been configured then these should be added here. This list should contain active controllers which SSL-Explorer can fail over to in the event the primary domain controller is inaccessible. For more information on backup domain controllers refer to the section titled, Backup Domain Controller. Hostnames can also be specified with a port number if different from the Domain Controller Port parameter.
Service Account Authentication The standard Active Directory database uses GSS-API authentication for the service account. It is unable to authenticate credentials containing non-English characters, the service account does not need to be fully qualified.
• Domain: The domain the controllers are on for example, example.co.uk.
Note
63
• Service Account Username: The service account details needed to use authenticate Active Directory users. This account serves as a link to the Active Directory database.
• Service Account Password: The password for the service account.
Service Account It is recommended that a specific AD user account be created for the Service Account only. This is required to support some of the authentication methods available as part of SSL-Explorer: Enterprise Edition.
The next tab OU Filter is an optional tab but allows specific organizational units to be added or removed from SSL-Explorer.
• Include Organizational Unit Filter: Add any OUs that should be used when listing accounts and roles. Only the accounts residing in the OUs you specify will be shown. For further details refer to the section titled, Organizational Unit Filter.
• Exclude Organizational Unit Filter: Add any OUs that should not be used in the listing of accounts and roles.
• Include Built-in groups: This will include the default ‘Built-in’ group base CN=Builtin built from the domain name to the filter list.
• Include standard Users and groups: This will include the default ‘User’ base CN=Users built from the domain name to the filter list. All users and groups under this will be added.
The final tab, Options, allows an advanced user the ability to fine tune access to the AD service.
Note
64
• User Authentication Type: which authentication method to use for user account authentication. GSS-API type is unable to process credentials which contain none English characters but allows for the service account to be defined without full qualification. Simple authentication however is able to authenticate using non-English characters type such as, ßóràt.
• Authentication Timeout: how long the system should wait authenticating • Authentication Maximum Retries: how many times to try to authenticate. The total
authentication time will be timeout x retries. • Cache Objects In Memory: The system can cache user objects either to file or memory. If
the user population is extremely large in-memory caching can be prone to running out of memory when loading objects.
• Max Group Cache Objects: The maximum number of group objects stored in cache. • Connection timeout: generic connection timeout for active directory sessions • Page Size: The number of objects returned in each paged request, the default should be
acceptable in most cases. • User/ Group details Cache TTL: This is the minimum ‘Time to Live’ value which must be
greater than 10 seconds. Default value of 300 seconds stores Active Directory user information in cache for 5 minutes before clearing the cache. The next required action fetches user details again caching for another 300 seconds. A value too low will cause severe delays in processing any action as SSL-Explorer will continually be re-fetching data from the domain controller.
• Enforce username case sensitivity: This enables checking of username case sensitivity during log-on.
With the configured information the installation wizard will attempt to connect to the domain controller and valid the service account. If the service is unreachable for whatever reason a message will be shown like the one below:
The wizard will allow the configured details to be adjusted before selecting Next again to retry. Once a successful connection is made and the service account has been authenticated the Active Directory user database is ready to be used.
65
Configuring Enhanced Active Directory Enhanced Active directory configuration is very similar to the basic Active Directory condiguration, it to is divided into three distinct tabs.
The connections tab configures how to connect to the actual Windows Active Directory service.
The only differing information for Enhanced Active Directory is the service account details.
• Service Account DN: The service account details needed to use authenticate Active Directory users. This account needs to be fully qualified e.g. CN=John Smith, DC=Employees.
• Service Account Password: The password for the service account.
Enhanced Active Directory database uses Simple authentication for the service account. Simple authentication allows the use of non-English characters such as ßóràt. With this type of authentication the account credentials need to be fully qualified
The next tab OU Filter is an optional tab but allows specific organizational units to be added or removed from SSL-Explorer.
The differing information here is the Group OU information:
66
• Create Group OU: The OU location within the AD where new groups will be created. • Create User OU: The OU location within the AD where new users will be created.
That’s all there is that differs from the Active Directory installation detailed above.
User Account Authentication uses Simple Enhanced Active Directory uses Simple authentication for both the service account as well as user accounts.
Organizational Units (OUs) In Active Directory, ‘Organizational Units’ (OUs) are the key structure for organizing users, computers, and other object information into a more easily understandable layout. As the diagram below shows the organization structure has a root OU with three nested OUs below.
This nesting enables the organization to distribute users across multiple logical structures for easier administration of network resources. When activated, SSL-Explorer uses the current Active Directory groups and maps them directly to groups. SSL-Explorer also creates all internal data for each user within the chosen OUs. Each user will be assigned to the mapped roles.
Organizational Unit Filter The Organizational Unit Filter makes adding OUs easier.
Entries in the filter must be of the form ‘OU=<Organizational Unit name>’. For example, ‘OU=Research’. If an OU is held below another OU then the entire hierarchy up to the parent OU must be listed. If an OU called ‘Marketing’ was stored under the ‘Employees’ OU; to add ‘Marketing’ the correct syntax would be ‘OU=Marketing, OU=User’ with the separating comma being used to separate each element in the hierarchy.
Note
67
To add all OUs in the domain simply leave the Filters list box empty. When the list box is empty, all OUs will be queried by SSL-Explorer. If problems are encountered with Active Directory, try clearing the list box and seeing whether To remove an OU from the search use the exclusion operator # against the OU name. For example to exclude the Test Accounts from the search you would add #OU=Test Accounts.
Modifying Filters The OUs listed within the ‘Filters’ list box are the only items that will be used by SSL-Explorer. Clicking the ‘Add’ button takes the OU in the ‘Filter’ textbox and applies it to the list of filters.
Highlighting an OU from the Filters list and clicking the ‘Remove’ button takes the selected OU out of the list box.
68
Troubleshooting If your users are unable to connect via Active Directory, check that:
• The time settings between the Active Directory server and SSL-Explorer are synchronized. Kerberos authentication, used by Windows, allows only a few minutes of clock skew between Windows server and client. Ensure that both the domain controller and the SSL-Explorer server are synchronized to the same date and time to within one minute.
• Confirm that the Windows server is configured for Active Directory authentication. If using Windows NT4.0 server, then the server only supports NT Domain authentication.
If OUs have not been loaded successfully:
• Any organizational units held within a tree structure need to be added with the entire parental structure.
In the above diagram to include‘Tester’ into the filters list the syntax should be ‘OU=Tester,OU=Engineer,OU=Staff’. The syntax begins with the lowest branch first.
• If any OUs are stored underneath the default Windows OU such as Users the ‘OU=User’
root should not be included in the filter syntax.
• Check syntax of each filter. Every Organizational Unit must begin with ‘OU=’. If a hierarchy structure is being included, be sure to separate each element with a comma. Also avoid using unnecessary spacing.
• Clear the organizational unit filter to ensure that SSL-Explorer searches the entire Active
Directory tree.
Knowledge Base For more information on overcoming other SSL-Explorer related Active Directory problems refer to the 3SP Knowledge Base at http://3sp.com/kb
Note
69
Configuring LDAP LDAP much like active directory is divided into four distinct areas.
The first of these is the Configuration tab.
• Hostname: Hostname of the server hosting the LDAP service • Port: Listening port of LDAP service • Protocol: LDAP protocol to be used. Options include, secured ‘SSL’ communication or
‘plain’, unsecured communication • Base DN of LDAP server: The ‘base DN’ represents the location where you want to start
LDAP queries within the namespace. This may be the root of the LDAP directory tree or a specific branch.
• Service Account Authentication: The LDAP authentication method required to access the service. The ‘simple’ method will require valid user account details to access the service; ‘anonymous’ will connect to the directory anonymously with no user credentials required and ‘MD5-Digest’ uses digest authentication to securely send the user credentials as an MD5 hash to the LDAP service as opposed to plain-text as with the other two methods.
• Service Account DN: The ‘distinguished name’ to identify the Service Account User • Service Account Password: The associated user password
The next tab OU Filter is an optional tab but allows specific organizational units to be added or removed from SSL-Explorer.
70
• Create Role Organizational Unit: The OU where new roles will be created • Create User Organizational Unit: The OU where new users will be created • Include Organizational Unit Filter: Add any OUs that should be used when listing
accounts and roles. Only the accounts residing in the OUs you specify will be shown. For further details refer to the section titled, Organizational Unit Filter.
• Exclude Organizational Unit Filter: Add any OUs that should not be used in the listing of accounts and roles.
The next tab is the User Schema tab which provides schema information so SSL-Explorer can successfully link to the correct user classes at run time.
• User class: The LDAP class object used to represent a User class • Username attribute: ‘Username’ attribute from the User class, if one exists • Fullname attribute: ‘Fullname’ attribute from the User class, if one exists
LDAP Class Objects SSL-Explorer needs to understand which User and Role classes are in use by the given LDAP installation. Since each installation can use a different type of schema this information makes SSL-Explorer
Note
71
compatible with a larger number of LDAP installations.
• Email attribute: ‘Email’ attribute from User class, if one exists • Home directory attribute: ‘Home directory’ attribute from the User class, if one exists • Role membership attribute: ‘Role membership’ attribute from the User class, if one exists • Role membership contain DNs?: If the ‘role membership’ attribute value points to a
distinguished name then this box should be checked. The ‘role membership’ attribute can contain a value or otherwise refer to another object in the directory
The next tab, Role Schema, requires role information so SSL-Explorer can successfully link to the correct role classes at run time.
• Role class: The LDAP class object used to represent a Role • Rolename attribute: The ‘rolename’ attribute from the Role class, if one exists • Role membership attribute: The ‘role membership’ attribute from the Role class, if one
exists • Role membership contains DN?: If the ‘role membership’ attribute value points to a
distinguished name then this box should be checked. The ‘role membership’ attribute can contain a value or otherwise refer to another object in the directory
The final tab, Options, allows an advanced user to fine tune LDAP operations.
• Connection timeout: generic connection timeout for active directory sessions • Max Cache Objects: amount of information, retrieved from the AD, to cache. If the Ad is
large this should be set to a high value. Typically an object is cached for each user and one for each group. Calculating how many groups and users you have is a good guide when setting this. If the setting is too low some users may not be able to login.
• Page Size: The number of objects returned in each paged request, the default should be acceptable in most cases.
72
• User/ Group details Cache TTL: This is the minimum ‘Time to Live’ value which must be greater than 10 seconds. Default value of 300 seconds stores Active Directory user information in cache for 5 minutes before clearing the cache. The next required action fetches user details again caching for another 300 seconds. A value too low will cause severe delays in processing any action as SSL-Explorer will continually be re-fetching data from the domain controller.
Configuring NIS NIS only has one tab, Connection.
• Hostname: the hostname of the NIS server • Domain name: the NIS domain name • Refresh interval: Remote account and groups are cached. This value is the interval (in
minutes) between updates • Include Local Accounts: If selected, local accounts are also include in the list of available
accounts. This only works on UNIX like system that have a /etc/passwd and or /etc/shadow file
• Include Local Groups: If selected, local groups are also include in the list of available accounts. This only works on UNIX like system that have an /etc/group file
73
Configuring Super User
The main administrator of SSL-Explorer is identified as the ‘Super User’. There is only one super user in SSL-Explorer whose responsibility lies with the creation of the initial organizational structure of the system. This chapter provides further information on this special user covering the following information:
• Super User Responsibility • Configure Super User Interface • Configure a Built-in Super User • Configure a Active Directory Super User
By the end of this chapter the reader should understand the purpose of the super user and the necessary steps involved in configuring a super user.
Super User Responsibility The super user is an administrator whose responsibility lie with the configuration and over seeing of the entire system as a whole. Core activities such as running and managing the system are done by other users. The super user should be used only for installation and configuration issue, all other responsibilities should be delegated.
As the diagram above highlights, middle-tier users manage the everyday running of SSL-Explorer from creating users to assigning permissions.
Disable the Super User The super user should be disabled after handing over management duties to other users. This helps prevent security breaches against this highly privileged user account.
Note
74
Super User Rights As the super user is able to delegate duties to others, they also maintain delegation rights on all resources as well as every permission on any resource. Anything created within SSL-Explorer by the super user from policies to resources cannot be deleted by any user other than the super user.
Configure Super User Interface After the user database has been configured the next step is to identify who will be responsible as the super user.
Super user is defined in one of two ways, when built-in database is chosen as the user database or through an external database like active directory or LDAP.
75
Configuring the Super User With built-in a brand new super user account is created. For this the system requires not only the username but a secure password for the account.
Password Structure and Complexity To enable tighter security of the super user password it is recommended that an alphanumeric, mixed case password is used. As is usually the case – the more complex the password, the greater the security.
If an external user database is chosen SSL-Explorer loads in all necessary users from the external database. Since users and roles are managed outside the system the installation can only choose an existing user to act as the super user. All that needs to be done is choose an appropriate username. The installation wizard takes every user found within the OU filters previously selected. As the screenshot below shows all users found beginning with the letter ‘A’ are listed.
76
The password field is disabled as the user credentials are taken from the external database. That’s all there is to using an existing external user database. Since all the necessary work involving configuring of users and groups has already been carried out and stored within the database SSL-Explorer can now use these.
77
Configuring Web Server
SSL-Explorer has an inbuilt web server that is used to process incoming and outgoing HTTP/ HTTPS requests. This step allows the basic operation of the server to be configured. This section details the web server currently in use by SSL-Explorer and the configuration options available. This chapter includes the following sections:
• What is HTTP/ S • The Jetty Web Server • Configure Web Server Interface • Configure Web Server
By the end of this chapter the reader should have an understanding of what a web server is and how the internal SSL-Explorer web server can be configured if need be.
What is HTTP/S? Hypertext Transfer Protocol (HTTP) is the foundation protocol of the World Wide Web. It defines the rules for exchanges between browser and server. It provides for the transfer of hypertext and hypermedia, for recognition of file types and other functions. Hypertext Transfer Protocol Secure (HTTPS) is a variant of HTTP. HTTPS communications protocol is designed to transfer encrypted information using the Secure Sockets Layer protocol (SSL).
SSL-Explorer HTTP/S During the installation wizard SSL-Explorer runs using HTTP since at this stage, no SSL certificate has yet been configured for use. Certificates are the key to maintaining secure transactions and during the installation stage an appropriate certificate is configured, refer to chapter ‘Certificate Management’. Once installation is complete and everything has been successfully configured SSL-Explorer will then begin to operate strictly over HTTPS. All transactions from all users are secured.
Is it Secure? To be reassured that the SSL-Explorer service is operating securely you should see the following:
• A Secure URL: The SSL-Explorer URL will begin with ‘https’ instead of ‘http’ to denote a secure URL.
• A Secure Browser: In the bottom right corner of the browser the padlock image should be visible.
This denotes the browser is also secured.
Secure Communications
Note
78
HTTPS is a recognized worldwide standard for secure communications that was initially created by Netscape. These features are required by every web site claiming to be secure.
The Jetty Web Server SSL-Explorer uses the widely acclaimed Jetty HTTP/S server as its internal web server. Jetty is a fully-featured open source product developed by Mortbay Consulting providing a lightweight and highly scalable servlet container. As the diagram below shows, Jetty’s main responsibility within SSL-Explorer is to proxy requests between a user’s browser (client) and the backend server.
When the user communicates with SSL-Explorer via static HTML pages, the browser generates a HTTP request which is addressed to the Jetty HTTP server component. If the request requires static information such as another HTML page then the server simply services this request by locating and returning the necessary page. However, dynamic content requires much more complex processing and this is where Jetty’s servlet container comes in. The HTTP server routes the request onto the servlet container, where the controller program intercepts the request. The controller reads and decides the course of action necessary for the request. The available tasks or actions an application can perform are defined within the Model component in the form of object-oriented action classes. The Controller maps the request to an appropriate action by creating an object of the action class and calling one of its methods. If the invoked action needs to update the state of SSL-Explorer then it will create or modify appropriate objects of the Model, known as ‘state objects’. State objects represent a runtime view of the current state of the system. Once an action has completed servicing the request the Controller invokes a JSP page template, part of the View. The JSP template is then responsible for presenting the new updated state of the application to the user; this maybe a new page, a new shortcut in network neighborhood or a new application execution.
79
Configure Web Server Interface Step four configures SSL-Explorer’s internal web server.
The main body of this step is in setting up the listening interfaces, the means by which clients can enter the service. This and the remaining configurable features are detailed below.
Configure Web Server Step 1 Select the HTTPS port number the web server will listen on. The default HTTPS port is 443. All
standard HTTPS requests are sent via port 443 on all internet services just as all default HTTP requests are sent via port 80. For example: https://securesite If this URL was entered, the browser will look for securesite on port 443 regardless of the need to complete the domain name or add port 443. By specifying a different port, SSL-Explorer will listen only on that port for incoming requests. Any requests to the SSL-Explorer service will need to have the new port number prefixed. The following URL instructs the browser to use the alternate port 123: https://securesite:123
Step 2 Specify any additional listening interfaces; this process is detailed further in section, ‘Listening
Interface’. The default, ‘All Interfaces’, should be sufficient for most standard SSL-Explorer configurations.
Step 3 SSL-Explorer can specify specific external hostnames by which users can access the server however
for most standard implementations there should be no need to configure this option. Further details on this can be found below in section, ‘External Hostnames’.
That’s all there is to configuring the web server.
80
Listening Interface This option specifies which interfaces SSL-Explorer should listen on for incoming requests. The installation wizard searches for all available network interfaces on the machine. If the machine has two network cards then both of their interfaces will be loaded into the Available Interfaces.
In addition, as can be seen above, any other interfaces such as virtual interfaces created by external programs are also detected and listed as available. These define all the interfaces by which external users can physically enter the machine and by default ‘All Interfaces’ is selected.
All network cards (and any available virtual network interfaces) will be used to listen for appropriate incoming SSL-Explorer requests. This scenario should be acceptable in most situations. For more advanced configurations, restrictions to specific interfaces can be specified.
As the diagram above shows the selected listening interfaces are only two despite the SSL-Explorer machine having three. While connections to SSL-Explorer via the two selected interfaces are accepted, any connection attempted via the un-selected interface will not be allowed. If further analysis is made of the diagram all three connections are actually made and routed to the SSL-Explorer instance. Pre-login code is executed which is where the interface addresses are validated and appropriately the requests accepted or rejected.
81
Modifying Interfaces The interfaces placed in the, ‘Selected Interfaces’ list box will be the only ones able to accept client requests. To add a new interface from the ‘Available Interfaces’ list box use the ‘Add’ button to the right of the ‘Available Interfaces’ list box.
To remove an interface from the ‘Selected Interfaces’ list box use the ‘Remove’ button to the right of the ‘Available Interfaces’ list box.
External Hostnames Any hostname entered into the ‘Valid External Hostnames’ list box enforces that only connections made to those specific hostnames can access SSL-Explorer. This can be useful in cases where you may wish to deprecate an old server; transparently redirecting incoming connections to a new server. For example by specifying, ‘http://sslexplorer.com’ any user request that comes in on any other URL such as, ‘http://sslexplorer.co.uk’ will be redirected to the designated hostname, ‘http://sslexplorer.com’.
As the above diagrams shows the first request comes in on ‘http://sslexplorer.com’ (with the user having located the location from its DNS entries). SSL-Explorer validates the incoming hostname against its valid external hostname list. This hostname is not valid and so a HTTP redirect message is posted back to the client browser with the valid hostname entry. Again the browser validates this new hostname against its DNS entry and finds a match. This time the request is made using the valid hostname, ‘http://sslexplorer.co.uk’ and the connection is successful. If however the client was unable to validate the redirected hostname from its DNS list the client would be unable to gain access to SSL-Explorer.
Modifying Hostnames Hostnames placed in the ‘Valid Hostnames’ list box will be the only external hostnames acceptable. Any other URL will be asked to re-connect via a valid hostname. The given valid hostname must be available from the local machine’s DNS list else the second connection attempt by the client will fail.
82
To configure a new hostname type in the name in the text box labeled, ‘Hostname’. To then add this hostname use the ‘Add’ button to the right of the ‘Hostname’ text box.
The hostname will be added to the list box labeled, ‘Valid External Hostnames’. To remove a hostname from the list box use the ‘Remove’ button to the right of the ‘Hostname’ text box.
83
External Proxy Support
Many organizations utilize proxy servers to control access to various resources such as internet and email, as well as filtering outgoing and incoming connections. SSL-Explorer can be configured to forward outgoing requests via your organizations proxy server if a direct connection to the internet is not available. This chapter discusses the purpose of a web proxy and how to configure SSL-Explorer to use a proxy and includes the following sections:
• What is a Proxy Server • Proxy use with SSL-Explorer • Configure External Proxies Interface • Configure External Proxies
By the end of this chapter the reader should be familiar with a proxy server and its purpose and in particular how SSL-Explorer can be configured, in this step, to utilize an existing company web proxy server.
What is a Proxy Server? A proxy server is an application that enables a client to make indirect network connections to other network services. A client connects to the proxy server requesting a resource available on a different server. As the diagram below shows the proxy retrieves the resource on the behalf of the client either by connecting to the specified server or by serving it from its own cache.
In addition a proxy can also be configured to act as a firewall, controlling communication traffic to resources and from certain clients. The most common proxy application is a web proxy which proxies HTTP requests. Its main function is to keep a cache of web pages and files available on remote web servers, allowing local client to access them more quickly, reliably and without ever leaving the internal network.
84
Proxy use with SSL-Explorer Some SSL-Explorer services need to make external calls across the internet. Resources (for example, the RSS documentation feeds) need to make occasional contact with 3SP servers to provide required and up to date help for users. Connections to the Extension Store also need to make external connections to the 3SP servers providing administrators with the latest available SSL-Explorer applications. These services all make secure TCP/IP level socket connections to their hosts. The installation wizard can be used to configure the SSL-Explorer server to direct these external accesses through a company proxy server if required. This then no longer makes direct contact but gets screened via the specified proxy. Proxies are paramount to many businesses filtering communications to and from the corporate network. The installation wizard proxy configuration step enables SSL-Explorer to integrate with any HTTP server helping to maintain a company’s security policy. With HTTP proxying all HTTP services such as RSS feeds, reverse and secure proxy as well as extension store access will utilize this server. However non-HTTP services such as access to the 3SP Extension Store will continue to use direct TCP/IP sockets.
Configure External Proxies Interface This step configures the use of a proxy server.
85
Configure External Proxies The HTTP server should already be configured correctly. For further information please refer to your proxy server manuals.
Step 1 The appropriate configuration details will be made available. In order for SSL-Explorer to forward external requests to the proxy server all server and account details must be supplied:
• Hostname: hostname of the proxy server • Port: associated port number • Username: if the proxy server has a secure authenticating account on it, then the details of
this account • Password: password for the associated authenticating username • Non-proxy hosts: any hosts added to this will bypass the proxy when accessed
Step 2 Configuration of the proxy is complete. SSL-Explorer will try to connect and authenticate itself with
the proxy server once everything has been configured.
86
Enterprise Edition
SSL-Explorer has both an opensource GPL edition and an Enterprise edition. The Enterprise edition comes with high-end enterprise grade features as well as commercial support. This step in the installation allows the an Enterprise License to be installed. Both versions of SSL-Explorer can take advantage of additional extensions that are available from the 3SP Extension Store. Some extensions add further functionality to the server itself, whilst others may be applications that can be deployed and executed over the SSL-Explorer VPN. This chapter details exactly what extensions are and how to install them, the sections included in this chapter are:
• Community Edition vs. Enterprise Edition • Install SSL-Explorer Enterprise Edition Interface
Community Edition vs. Enterprise Edition Below is a table comparing both editions, some features are still in development at the time of writing but all will be available in upcoming releases in addition to many more in the pipeline.
Feature Community Enterprise
Granular policy-based rights management X X
Remotely browse Windows file systems via Windows Explorer X X
Microsoft Outlook Web Access 2003 supported - move vulnerable OWA servers out of the DMZ
X X
Reverse proxy web forwarding feature X X
Active Directory authentication supported X X
Built-in database authentication supported X X
UNIX authentication supported X X
Configurable authentication schemes X X
Access your desktop remotely X X
Intranet resources may be securely externalized using web forwarding X X
Accessible using zero-footprint VPN client X X
Connect using any modern web browser X X
Supports access through HTTP X X
Local and remote tunneling via SSL X X
Session inactivity timeouts X X
Web application URL masking X X
No dedicated appliance necessary X X
Supports Microsoft Windows XP/2000/2003 and Red Hat Linux 8.0 or later (other Linux distributions are unofficially supported)
X X
Commercial Support X X
SSL client certificate authentication - X
SMS (text message) authentication using one-time-password - X
SafeNet iKey 2032 and Aladdin eToken Pro USB devices supported for FIPS- - X
87
Feature Community Enterprise
certified PKI authentication
Enterprise Active Directory - X
LDAP authentication - X
Public-key authentication - X
PIN authentication - X
IP authentication - X
RADIUS authentication - X
Install SSL-Explorer Enterprise Edition Interface This step allows an enterprise edition license to be uploaded if you have received one with your purchase.
Simply use the Browse button to locate a valid license.
88
Finalizing Installation
Once all configuration details have been completed all that remains is the application of the configurations to the SSL-Explorer VPN server. This chapter details the final step and includes the following sections:
• The Summary Page • Summary Interface • Summary
The Summary Page All configuration data that has been provided in the previous steps is accumulated. No actual data is applied to the instance until the ‘Finish’ button is pressed.
The system provides a summary of all the configuration data that has been supplied by the user, as the snippet above shows, for the Web Server configuration step the port was configured to 443 and the interfaces ‘192.168.154.1, 192.168.1.163’. Everything is neatly detailed under the appropriate step.
Making Modifications The configuration can be modified by selecting the ‘Previous’ button to the bottom right of the page the installation wizard can move back through the installation wizard process to any step.
Any previously configured step can be modified and again when the summary appears the new details will be shown.
Summary Interface The summary page is divided into two parts; the first is the summary page, highlighting the configuration values set by the user.
89
Once Finish is pressed the installation wizard begins configuring the instance, a progress bar like the one below is shown:
The second is the result after these configurations have been applied.
Summary Step 1 The page displays a summary of all the configuration details entered by the user. To apply the
configurations details simply press the ‘Finish’ button.
If the details are incorrect simply press the ‘Previous’ button.
90
Step 2 The system begins to apply the configuration to the SSL-Explorer instances. This process takes a few seconds to complete. Results of the configuration changes are displayed with any errors or warnings clearly highlighted.
Step 3 After a successful result clicking on the ‘Exit Install’ button at the bottom of the page will complete
the process.
In order for the configurations to take affect SSL-Explorer is automatically shutdown.
The installation process is now complete. For users to begin using the newly configured instance SSL-Explorer must be started in run mode. For details on starting SSL-Explorer in run-mode refer to the section titled, Starting SSL-Explorer in this document.
Unsuccessful Configuration If any configuration is unsuccessful an error message is shown similar to one below:
In addition a new option to re-run the installation process will become available.
Clicking on this button will return the user to the start of the installation process. This will allow the user to re-configure SSL-Explorer and correct any details.
Configuration State The installation wizard is able to maintain the state of each step and so there is no need to retype all the previous configuration details in again.
Note
91
Publishing Server
An SSL-VPN’s purpose is to provide secure remote access from the internet. In order to achieve this some additional configuration will be required on your firewall to route incoming requests to the SSL-Explorer server on your internal network. In this section we cover:
• Pre-requisites • Configuring SSL-Explorer with a Firewall • Testing the SSL-Explorer service
By the end of this chapter the reader should have a working SSL-Explorer server.
Pre-requisites The following list shows the actions that should have already been performed. If these pre-requisites have not been completed it is likely that the SSL-Explorer services will either not work or perform unexpectedly.
• Install SSL-Explorer • Configure SSL-Explorer: Using the Installation Wizard. • Configure SSL-Explorer Service: This will be dependant on what operating system SSL-
Explorer is installed on.
Configuring SSL-Explorer with a Firewall There are many implementations of firewalls using software or/and hardware to enforce an access policy. The way in which these rules are created can vary greatly. This being the case it may be necessary to consult the documentation accompanying the firewall being used. SSL-Explorer needs the firewall to forward all SSL encrypted traffic in order to function correctly. This is achieved by adding a port forwarding rule (also known as a DNAT rule). Even though there is great variety with firewalls there will be a number of standard values required for SSL-Explorer to operate as expected. The following list shows some typical values required for a port forwarding rule:
• Listening Port: This is the port that the firewall will listen for SSL traffic. By default this is 443 but can be another value.
• Target Port: This is the port that all SSL traffic will be passed onto. There again, by default this is 443 but can something else.
• Target IP: The IP address of the machine running the SSL-Explorer instance is required here.
Below is an example of a simple firewall interface, the required values have already been filled.
92
Testing the SSL-Explorer service It is recommended that a test be conducted to ensure that SSL-Explorer functions as expected. This is done by pointing the browser to the SSL-Explorer server using a HTTPS connection. For example:
• https://[IP Address]:[Port] • https://www.mycomp.com:[Port]
If the connection attempt is successful then the following dialog will be presented.
Seeing the above dialog means that the SSL-Explorer server has successfully been contacted and has sent a reply to the clients browser. It is strongly recommended that you try port scanning your SSL-Explorer server from an external IP address in order to be sure that all access to ports – apart from 443 – is correctly disabled.
93
System Configuration
This section provides details on how to configure SSL-Explorer whilst it is up and running. Some of the items detailed have already been described in the installation wizard but many are only accessible once the server instance is up and running. Since configuration is a large area it has been divided into two this section covers the System Configuration function. By the end of this chapter the reader should know how to successfully reconfigure the SSL-Explorer instance.
Server Configuration The management console contains all the necessary functions that affect the workings of an SSL-Explorer VPN server. As a super user all functions are accessible and configurable. This chapter details the available options covering the following areas:
• Interface • Configure Web Server • Configure Performance • Configure Proxies • Configure User Interface • Configure SSL • Configure Time Synchronization
These pages are interacted through the standard control which can be found under the section titled, Amending Configuration Parameters in the Management Console chapter.
94
Interface The server configuration page is accessible from the Management Console System Configuration
Server.
The tabbed menu above the main page and shown below allows easy access to each section, this allows any server-related configuration parameter to be amended at any time and each section accessible in any order. As new extensions are added that have configuration options a new tab is created for the appropriate module. These configuration tabs are detailed in there own sections. Please refer to the appropriate chapters for more information on individual tabs.
95
Configure Web Server SSL-Explorer uses an in-built web server engine named Jetty to service HTTP/ HTTPS requests. All communication through SSL-Explorer is secure and the only time the insecure HTTP protocol is ever used is during the installation procedure because at this point, no secure SSL certificate has been generated to facilitate the encryption of traffic. During normal execution mode SSL-Explorer performs communication through the secure HTTPS protocol. For further information on this section refer to the chapter titled, Configuring the Web Server in the SSL-Explorer Installation Guide.
Web Server Interface As the diagram below shows many of the configurable options listed are also available in the installation wizard.
Configuration Parameters It is not advisable to alter these settings without possessing prior knowledge of web-server tuning. The defaults should suffice for most installations. Below details the basic configurable options and their meanings:
• Port: HTTPS port, the default HTTPS port is 443 this should be sufficient for most installations however if some other service relies on this port then another port can be specified. If another is used be sure users add this specific port to the URL, ‘https://server.co.uk:port’
• Bind address: refer to section, ‘Reconfigure Listening Interface’. • HTTP Port: The port number on which to listen for HTTP requests. Users cannot access the
main SSL VPN over HTTP, this service is available to extensions to add HTTP services and to redirect users to the HTTPS server.
• Valid external hostnames: refer to section, ‘Reconfigure External Hostnames’. • Invalid Hostname Action: What action to perform if an client connects from an invalid
hostname • Disable Certificate Warning: Disable un-trusted certificate warning messages
96
Reconfigure Listening Interface This option specifies which interfaces SSL-Explorer should listen on for incoming requests. The Installation Wizard detects all available network interfaces on the machine. These define all the interfaces by which external users can physically enter the machine and by default ‘All Interfaces’ is placed in the, ‘Selected Interfaces’ list box. All network cards within the machine and any additional virtual interfaces created by various applications will be included. Further information can be found in the SSL-Explorer Installation Guide in the chapter titled, Configuring the Web Server. To add a new interface from the ‘Available Interfaces’ list box use the ‘Add’ button to the right of the ‘Available Interfaces’ list box. To remove an interface from the ‘Selected Interfaces’ list box use the ‘Remove’ button to the right of the ‘Available Interfaces’ list box. More information on using this selection process can be found in Selection Process.
Reconfigure External Hostnames Any hostname entered into the ‘Valid External Hostnames’ list box enforces that only those selected hostnames can access the SSL-Explorer server. Hostnames placed in the, ‘Valid Hostnames’ list box will be the only external hostnames acceptable. Any other URL will be asked to re-connect via a valid hostname. The given valid hostname must be available from the local machine’s DNS list otherwise the second connection attempt by the client will fail. Further information can be found in the SSL-Explorer: installation Guide under the chapter titled, Configuring the Web Server. To configure a new hostname type in the name in the text box labeled, ‘Hostname’. To then add this hostname use the ‘Add’ button to the right of the ‘Hostname’ text box. The hostname will then be added to the list box labeled, ‘Valid External Hostnames’. To remove a hostname from the list box use the ‘Remove’ button to the right of the ‘Hostname’ text box. More information on using this selection process can be found in Selection Process.
97
Configure Performance The next tab in the interface list is the Performance tab. These parameters alter the way the system performs. In most deployments the default values should suffice but if you are experiencing delays using the system then altering these values could yield good results.
Performance Interface The picture below shows the Performance page.
Configuration Parameters • Minimum Threads: Threads reserved for the web server. The Jetty server pools the number
of threads defined by this parameter. Too little and the system will have to wait for threads to be free for use.
• Maximum Threads: The maximum number of threads to use before attempting to reclaim system resources. Jetty’s maximum number is restricted by the Java runtime and operating system. As a rough guide, assume one thread per VPN user.
• Max Idle Time: Threads that are idle for longer than this period are liable to be terminated until the Thread pool size reaches the minimum thread size.
• Resource Persist Time: When the Jetty listener is low on resources, this timeout is used for idle persistent connections. It is desirable to have this set to a short period of time so that idle persistent connections do not consume resources on a busy server.
• Buffer Size: SSL-Explorer will use a buffer of this size to construct its reply to the client. A larger buffer allows more content to be written before anything is actually sent, thus providing SSL-Explorer more time to set appropriate status codes and headers. A smaller buffer decreases server memory load and allows the client to start receiving data more quickly.
• Buffer Reserve: This variable defines the space reserved in the first buffer of a response to allow a HTTP header to be written in the same packet. The reserve should be large enough to avoid moving data to fit the header, but not too large as to waste memory.
• Requests per GC: If this is set greater than zero, then the system garbage collector will be invoked after approximately this number of requests. For predictable response, it is often best to have frequent small runs of the GC rather than infrequent large runs.
• Enable Request log: Request logs are a record of the requests that the server has processed. When enabled logs will be written to <SSL-Explorer installation>/logs.
98
• TCP/IP No Delay: Turn on TCP/IP No Delay option to force all data to be flushed to the network and not buffered
• Enable Statistics Log: Turn on webserver statistics log • Statistics Log Update: Time in seconds for the periodic update of the webserver statistics
log.
Configure Proxies The next tab in the interface list is the Proxies tab allowing proxy detailed to be configured. A proxy server is an application that enables a client to make indirect network connections to other network services. A client connects to the proxy server requesting a resource available on a different server, the proxy retrieves the data whether across the internet, internal network or using its internal cache. Some SSL-Explorer services need to make external calls across the internet and the Installation Wizard allows for the configuration of the SSL-Explorer instance to direct these external accesses through a company proxy server if required. ‘Configure Proxy’ allows the reconfiguration of these details in the advent that a company introduces a proxy policy or removes or even upgrades its current proxy server. More information on proxy servers can be found in the, SSL-Explorer Installation Guide, in the chapter titled, Adding External Proxy.
Proxy Interface The picture below shows the Proxy Configuration page.
Configuration Parameters • Proxy Hostname: Hostname of the HTTP proxy server. • Proxy Port: The port upon which the proxy server is listening for connections. • Proxy Username: If the proxy server has a secure authenticating account on it then the
details of this account • Password: The password for the associated authenticating username
Non-Proxied Hosts: Any host which should bypass the proxy server should be entered here for example SSL-Explorer instance accessing a server that exists on the same machine may not need to go through the proxy server; If so the target server should be keyed in here. Entries should be one per line with no termination character. Wildcards such as ‘*.foo.com’ may be entered to exclude a range of hosts.
99
Configure User Interface This tab defines the configurable options which affect the user interface. Currently this span’s the language selection options for the system, for instructions on internationalization please refer to the SSL-Explorer: Resource Management Guide and the chapter titled Internationalization.
UI Interface The screenshot below shows the interface.
Configuration Parameters • Automatically Connect to Extension store: When checked SSL-Explorer will
automatically connect to the 3SP application store whenever the application management page is loaded.
• Allow user to select language: On the logon page and throughout the entire system a user can change their language as when required. This is made available through the Language Selection box to the right of the system. By checking this option the language selection box is disabled and invisible to all users meaning that the default language must be used by all. Checking this box activates the selection box and makes it visible to all users again.
• Default language: This sets the default language throughout the system. • Retrieve Online Resources: When enabled, context sensitive links to online resources are
displayed on pages. • Allow Open Webfolders in Firefox: When enabled, Firefox users will see the Open As
Webfolder action for network places. This requires that the Open as Webfolder firefox extension is installed
100
Configure SSL This tab defines how SSL is configured within the system.
SSL Interface The screenshot below shows the interface.
Configuration Parameters • Enforce Strict SSL Trust Mode: This option enforces strict security requirements on
outgoing SSL connections. All outgoing SSL connections should have a trusted SSL certificate, either trusted by the default Java CA trust store or by the SSL-Explorer trust store. If a server presents an untrusted certificate the connection will be terminated.
• Supported Protocols: The list of protocols supported by SSL-Explorer, nothing in the selected Protocol box simply means that the default setting of all protocols is enabled.
• Supported Ciphers: The list of SSL ciphers supported by SSL-Explorer. If the selected cipher list is empty then all available ciphers are supported, if you edit this list then ensure that SSL_RSA_WITH_RC4_128_MD5 is selected as this is required by the SSL-Explorer Agent.
Potential Compatibility Issues Editing supported ciphers may cause compatibility problems with some older browsers
101
Configure Time Synchronization This tab is not part of the default setup, the Time extension needs to be installed for this to appear. This has been defined here only for the reason that it is a standalone page and has no other reference point in the application. Time synchronization allows SSL-Explorer to use NTP time servers to keep consistent time across the application. By default SSL-Explorer is configured to use the time servers from the NTP pool project. NTP pool is a dynamic collection of networked computers that volunteer to provide highly accurate time via the Network Time Protocol to clients worldwide.
Time synchronization Interface The screenshot below shows the interface.
Configuration Parameters • Enable NTP Time Synchronization: Enable the use of NTP servers. Once checked the
listed NTP servers are used for time synchronization. • NTP Servers: The NTP servers to use. The default servers in the list are part of the
pool.ntp.org domain www.pool.ntp.org. • Update Interval: Enter the time in hours of how often you wish to update the system clock • System Command: If SSL-Explorer does not support setting the time on the installed
platform natively, this parameter allows a super user to provide a command and argument to perform action via a system call.
This is the final section that can be configured from the Server configuration page. The following chapters continue with the remaining pages available from the top level System Configuration page starting with resources.
102
Resources
Resources are the main entities a user of the system will want to access once the system is up and running. Resources allow a user to access various parts of the system securely; they allow applications to be executed and intranets to be accessed securely amongst other things. This chapter details the basic configuration options available from the resources configuration page covering the following sections:
• Interface • Configurable Resources • Network Places • Web Forwarding
These pages are interacted through the standard configuration pages control which can be found under the section titled, ‘Amending Configuration Parameters,’ in the ‘Management Console’ chapter.
Interface The resources page is accessible from Management Console System Configuration Resources. The tabbed menu above each page and shown below allows easy access to each section, this allows any configuration parameter to be amended at any time and each section accessible and in any order.
Configurable Resources The resources configuration page allows the configuration of resources. As further resources are added to an installation such as nEXT an associated configuration tab becomes available. Each configuration tab for the resources highlighted above are detailed below.
Network Places A network place resource enables the access of network resources such as files, folders and directories securely. SSL-Explorer uses not only its own in-built interface to access network neighborhood resources but is also compatible with Microsoft WebFolders allowing a more intuitive means of accessing remote folders over the internet.
103
Network Places Interface
Configuration Parameters • Try current user (1st): When accessing a network resource which requires further
authentication SSL-Explorer will automatically use the user’s current username/ password. • Try guest (2nd): If the user’s current authentication details fail SSL-Explorer will try to
authenticate using guest and anonymous credentials. If both options fail the user is presented with a login box allowing the user to authenticate manually.
Configuring Guest Authentication Configuration of the guest account can be found under System Configuration Windows Integration.
Note
104
Web Forwarding On a conventional network, providing remote access to intranet websites is not straightforward as intranet resources are not designed to be externally accessible and therefore are not resolvable using the DNS system. It is for this reason that SSL-Explorer provides a web forwarding facility as a means of allowing access to the internet as well as a corporate intranet securely. Administrators can publish links to intranet resources for access in SSL-Explorer via a web forward. SSL-Explorer’s web forwarding technology provides three techniques to create web forwards each with its own unique characteristic:
• Tunneled Web Forward: This is a direct port-forwarded SSL tunnel to the remote site. This method requires that the VPN client is launched upon the client system.
• Replacement Web Forward: Requests are retrieved from SSL-Explorer which retrieves the content on the client’s behalf rewriting links so content is retrieved only from SSL-Explorer’s inbuilt web server. Does not require the VPN client.
• Reverse Proxy Web Forward: All requests bound for the client are processed by a reverse proxy beforehand who decides whether the request will be sent onto the requesting client. Does not require the VPN client.
Web Forward Interface The configurable parameters for web forwards affect all web forwards across the system, as can be seen below these options are basic items defining the content downloaded from the target web forward resource.
Configuration Parameters • Directory: When a webpage is loaded its content is cached to a temporary folder on the local
machine for quick access, this parameter defines the location of the temporary directory. As the default setting shows during execution of a web-forward the %TMP% variable is taken from the system variable TMP. This variable can be replaced either by a full directory location or another environment variable.
• Max. Size per User: The directory above is created on a client machine; this parameter defines how large that directory should be. The default of 10MB means that every user’s cache will not exceed more than 10MB.
• Max. Objects per User: An additional limit is placed on the number of objects: html page, image, CSS etc that can be stored. If the limit is exceeded either in terms of the directory size or the number of objects (which is defaulted to 10000 objects) the system continues to make cache new content making space by removing oldest cached objects.
• Max. age: The maximum number of minutes each cached item will be stored for. A value of 0 means store forever (or until logout)
105
• Clear on Logout: Checking this parameter clears the cached data once the user has logged out of the system. The default value for this is checked, retaining cached information can take up unnecessary space and compromises security by leaving behind traces of internet content visited/ accessed
• Active DNS Host Format: The format of the unique Active DNS hostname used to access reverse proxy web forwards
106
Microsoft Windows Integration
These configuration options allow advanced users to modify specific parameters related to using SSL-Explorer in a Microsoft Windows environment. The sections covered in this chapter are:
• Windows File Sharing
Windows File Sharing SSL-Explorer accesses files and shares on Windows systems by using the standard Windows CIFS protocol. This page allows modifications to be made to configurable items used by this protocol. Again these parameters shouldn’t need to be modified but if so should be carried out by an advanced network administrator who has prior knowledge of CIFS.
What is CIFS? Common Internet File System (CIFS) is used for client/server communication within Microsoft operating systems. It is designed to enable all applications, not just web browsers, to open and share files securely across the Internet by defining a remote file-accessing protocol that is compatible with the way applications already share data on local disks and network file servers. CIFS is an enhanced version of Microsoft's cross-platform Server Message Block (SMB) protocol, the native file-sharing protocol in the Windows operating system. Not intended to replace HTTP, CIFS complements HTTP while providing more sophisticated file sharing and file transfer than older protocols such as FTP.
SSL-Explorer and CIFS
SSL-Explorer integrates CIFS by using the JCIFS SMB client library which enables remote users using SSL-Explorer to access shared files and directories on SMB file servers i.e. a Microsoft Windows share in addition to domain and workgroups across the internet.
File Sharing Interface The screenshot below shows the available parameters and there default values.
107
Details on the parameters can be found in the following section.
Configurable Parameters • WINS Server Address: If a WINS server is in use the location of the server. Information on
WINS servers can be found in the section titled, What is WINS? • NetBIOS Hostname: SSL-Explorer instance NetBIOS name can be declared if clients are
having trouble locating the instance. For more information on NetBIOS refer to the section titled What is NetBIOS?
• NetBIOS Scope: A NetBIOS Scope ID provides an extended naming service; it is used to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. If scope id is used it must be set using this property or name queries will fail.
• NetBIOS local Interface Address: The IP address of the local interface the client should bind to for name queries if it is different from the default. More information on NetBIOS can be found in the section titled, What is NetBIOS?
• NetBIOS Broadcast Address: Broadcast address is an IP address that allows information to be sent to all machines on a given subnet rather than a specific machine for example if the local host's IP address is 192.168.1.15, the broadcast address would likely be 192.168.1.255. It may be necessary to set the broadcast address for certain network configurations because the default of 255.255.255.255 may throw an error. More information on NetBIOS can be found in the section titled, What is NetBIOS?
• LMHOSTS File Path: The path to an LMHOST file containing a map of IP addresses to hostnames, refer to the chapter titled ‘What is the lmHosts File?’ for more information on LMHOST file.
108
• NetBIOS Socket Timeout: Defaulted to 5 seconds this parameter restricts the datagram socket used for name service querying. If after 5 seconds the unsuccessful socket connection is closed.
• NetBIOS Retry Count: The number of times a name query should be attempted if no answer is received. This is defaulted to 2.
• NetBIOS Retry Timeout: The duration in milliseconds that the client will wait for a response to a name query. The default is 3 seconds.
• Local Interface Address: The IP address of the local interface the client should bind to for name queries if it is different from the default.
• Disable Plain Text Password: Windows is capable of authenticating using plain text to support old machines however plain text passwords should never be used and are disabled by default.
• Response Timeout: The time period a client will wait for a request to be serviced from the target server; the default value is 10 seconds.
• Socket Timeout: To prevent the client from holding server resources unnecessarily sockets are closed after this time period if there is no activity. The default is 15 seconds.
• Resolve Order: This specifics which name resolution methods to enforce and in which order with the first, in a comma separated list, being the first technique to use. If this fails the second technique is instigated and so on. By default the system is expected to resolve in this order, LMHOSTS,WINS,BCAST,DNS. The LMHOST file is interrogated if this is unable to resolve the required machine then a WINS server is checked, after which a NetBIOS name query will be broadcast on 255.255.255.255 or the address specified by the ‘NetBIOS Broadcast Address’ parameter. Should this broadcast query fail, DNS would be queried. If the DNS query fails, an unknown host error will result. For information on these techniques refer to the sections below.
Only Methods Listed Are Used If the ‘Resolve Order’ parameter does not include one of the methods for example WINS or LMHOST these will not be attempted regardless of whether or not their associated configuration parameters have been set.
• Guest user: This relates to the ‘Try Guest User 2nd’ configuration parameter available within Resources Network Places. Whenever a network resource is accessed which requires authentication setting the, ‘Try Guest User 1st’ to true will automatically supply this guest username and password. For more information on this parameter refer to the chapter titled, ‘Web Forwarding’.
• Guest Password: This defines the password used for the guest account.
Note
109
What is WINS? WINS (Windows Internet Name Service) is a name resolution service that resolves computer names to IP addresses. Using WINS, the computer name ‘ARIES’, for example, could be resolved to an IP address that enables computers on a Microsoft network to find one another and transfer information. The underlying application programming interface, or API, that enables WINS name resolution and information transfers between computers is NetBIOS (Network Basic Input/Output System). The NetBIOS API contains a set of commands that applications can use to access session-layer services. WINS provides a distributed database for registering and querying dynamic computer name-to-IP address mappings in a routed network environment. A WINS server runs on a Windows NT Server–based computer and handles name registration requests from WINS clients and registers their names and IP addresses. The server also responds to name queries from WINS clients by returning the IP address of the name being queried.
What is the LMHOSTS File? The LMHOSTS file is a static text-based file that assists (and is another method used for) remote NetBIOS name resolution on computers that cannot respond to NetBIOS name-query broadcasts and do not have a WINS or DNS server in place. It contains NetBIOS name-to-IP addresses mappings and an example can be seen below:
192.9.200.1 TESTPC 192.9.200.20 NTSERVER#20 192.9.200.21 SAMBASERVER
Each line contains the IP Address and NetBIOS name. The problem with LMHOSTS files is that you have to maintain them – every time a new resource is added to the network the LMHOSTS files on all clients need to be updated. Although you can configure clients to include information from a central LMHOSTS file or files you still have to update that file and configure all the clients to use it. This is where WINS is advantageous since it acts as a central database for maintaining NetBIOS name to IP address mappings. All you have to do is set up the WINS server and configure your clients to use it (you can use DHCP to configure the clients with the WINS server information, so that can be centrally maintained as well.)
What is NetBIOS? To transmit WINS queries and other information computers use NetBIOS. NetBIOS provides an API that allows computers on a network to communicate. When you install TCP/IP networking on a Microsoft client or server, NetBIOS over TCP/IP is also installed. NetBIOS over TCP/IP is a session-layer service that enables NetBIOS applications to run over the TCP/IP protocol stack. NetBIOS applications, such as the command-line NET utilities, rely on WINS or the local LMHOSTS file to resolve computer names to IP addresses. It offers network applications a set of hooks to carry out inter-application communication and data transfer. In simple NetBIOS allows applications to talk to the network. NetBIOS frees the application from having to understand the details of the network including error recovery. Microsoft adopted NetBIOS in the late 1980s for their LAN Manager product and it found its way into early versions of Windows and into Windows NT. It is still present today because many corporate
110
networks still have legacy (Windows 9x or Windows NT) machines which require NetBIOS to function properly on a network. Since Windows 2000 however, DNS has become the default name resolution method for Windows-based networks.
NetBIOS Names
NetBIOS names identify resources on a network, applications use these names to start and end sessions. You can configure a single machine with multiple applications each of which has a unique NetBIOS name which in affect is what SSL-Explorer VPN is, another windows networking client with its own NetBIOS name, ‘a box within a box’.
NetBIOS Hostname
The NetBIOS Hostname configuration parameter defines the SSL-Explorer instance name allowing clients to locate the instance. Again this shouldn’t need to be modified as SSL-Explorer’s use of the JCIFS API automatically generates a unique dynamic NetBIOS name (if one has not been set) that should be broadcasted to any WINS servers or central NetBIOS name database by the operating system’s network configuration. However a hostname can be reserved for the instance and in which case must be a unique name within the entire source routing network consist up to 16 alphanumeric characters.
Correct NetBIOS Hostname If the defined name is incorrectly specified, JCIFS will not use the name and will continue to generate unique names that can be meaningless when looking through audit logs.
What is DNS? WINS isn't the only name resolution service available you can also use DNS (Domain Name Service). DNS is a name resolution service that resolves Internet host names to IP addresses. Using DNS you can resolve the fully qualified domain name www.company.com for example to an IP address. While WINS is used with NetBIOS applications DNS is used with Winsock applications that operate over the TCP/IP protocol stack such as FTP or Telnet. DNS can be configured to work in conjunction with WINS.
Note
111
Security Options
The Security Options page allows the configuration of security related parameters. Security affects all areas of the system and so this page divides the configurable items into their respective areas. The section only covers those options available with the basic installation of SSL-Explorer. All other option pages are detailed in their respective chapters. The chapters covered are:
• Initial Options • Password Options • Session Options • Confidential Attributes • Policy Options • Logon Page
Initial Options In the initial installation of SSL-Explorer the security options page only has a select number of options available. These are shown below.
With the Enterprise Edition a plethora of further authentication modules become available and each has their own configuration tab accessible from this page. Documentation on the configuration options available for the additional modules can be found under the respective chapters for each module.
Password Options This page contains all necessary information pertaining to the configuration of the password authentication module. This is the default module that comes as standard with SSL-Explorer. With enterprise edition the numbers of authentication modules available are increased considerably and each adds an additional tab to this menu.
112
Password Options Interface The diagram below shows the password option interface.
Configuration Parameters • Max Logon Attempts Before Lock: A value of zero disables this option; the default value is
3 logon attempts if after 3 attempts the account is temporarily locked. • Max Lock Attempts Before Disable: The maximum number of temporary locks before the
account is permanently disabled. Use a value of zero to never lock accounts. • Lock Duration: The default value is 300 seconds; all values are in seconds. • Password Pattern: The definition of a password, how passwords for this instance must be
constructed. Details on Password patterns can be found below. • Password Pattern Description: This description is shown to the user when defining a
personal password. • Days before Expiry Warning: The default value is 21, after which the warning will be
displayed to the user informing them to change their password. • Days before Expiry: The default is 28 days approximately one month after which the user
will be forced to change password.
Password Pattern
The structure of an account password is based on regular expressions and is defaulted to, .{5,}, which defines a password with a minimum size of 5 characters. This expression is detailed in the diagram below:
113
The security function password structure is built around the Java ‘regular expression’ syntax. Any valid expression will be accepted to parse passwords an example is given below:
Expression Meaning
X(n) X exactly n number of times
X(n,m) X between n and m
.[^\s]{n,m} Any character except white spaces with a length between n-m
\w[n,m] Word character [a-z,A-Z,_,0-9] between n-m
114
Session Options Session options are security parameters used by the system to control how user sessions behave.
Session Options Interface The diagram below shows the session options interface.
Configuration Parameters • Maximum Logon Cookie Age: Maximum age of the cookie that is used persist the logon if
the browser is closed. A value of -1 will mean that the user will have to logon everytime the browser is opened.
• Multiple Sessions: Defines whether the same User can log on multiple times. Further details can be found below.
• Verify Client Address: When checking logon state, verify the remote address of the request against the address recorded at logon. This prevents re-use of logon cookies from other clients
• Lock Session on Browser Close: Enabling this option will force the user to provide their password upon opening a new browser and returning to the site
Multiple Sessions
This option configures whether the same user is able to log into the system more than once simultaneously. The option provides three alternatives depicted below.
As the diagram shows, the final ‘Single Session per User / IP Address’ is the most restrictive. This setting will prohibit the same user from accessing the SSL-Explorer server more than once, locking down the user so that he or she can open a single session from a single machine.
115
Confidential Attributes Confidential attributes are used by the system to store personal information about the user such as security questions which are used during authentication. These options configure how these attributes are encrypted.
Confidential Attribute Interface The diagram below shows the confidential attribute interface.
Configuration Parameters • Confidential Mode: Determines how the passphrase for the user's private key is established.
Attributes are stored by encrypting them with a user's public key so that they can only be decrypted by the corresponding private key. With automatic the passphrase for the private key is automatically configured as the users account password. If no account password has been provided then it will be prompted for instead. When set to Prompt the user will be prompted for the passphrase upon logon meaning that the passphrase will be independent of the users password. Disabled will prevent the key being used at all, meaning confidential user attributes will not be encrypted at all.
• Public Key Algorithm: The algorithm used to encrypt confidential user attributes. • Mask Personal Answers: Checking this option hides the actual user responses with asterisk. • Bit Length: Bit length of public/private keys used to encrypt confidential user attributes.
116
Policy Options This page simply refines some of the access abilities for policies any particular policy related configuration options are maintained within this page.
Policy Options Interface The diagram below shows the policy options interface.
Configuration Parameters • Restrict Policies to Assigned Authentication Scheme: This option restricts the available
resources to those which are attached to the policies assigned to the authentication scheme used at login
117
Logon Page This page defines the logon preferences. All users are affected by the changes made to this page.
Logon Page Interface The diagram below shows the logon page interface.
Configuration Parameters • Site Name: Define a specific name for the site. When a user is presented with the logon page
the title specified here is shown. • Welcome Text: You can configure a custom title for the logon page. Leave this blank to use
the default internationalized SSL-Explorer title • Logo: By setting an image here you can configure a custom logo for the logon page. Any
logon logo image must be placed in [SSL-Explorer_HOME]/conf/site/icons • Message Type: The type of message icon to show. This icon as well as the following
message text I shown below the logon parameter. • Message Align: Set's the alignment of the message text, options available are justify and
center • Message: The message you wish displayed beside the message type icon.
118
Messaging
SSL-Explorer enables messages to be broadcast to user of the system in a number of ways. This chapter aims to provide some background to messaging and then provides details on the available options through SSL-Explorer. The sections covered are follows:
• Message Queue • What is SMTP? • Messaging Interface • Configuration Parameters
Message Queue The message configuration page affects the functionality available from the Message Queue page available from Management Console System Message Queue. As the main page below shows this functionality allows a privileged user the ability to create messages and have that message broadcast to all or a select few members of the SSL-Explorer instance principal base.
What is SMTP? POP3 (Post Office Protocol version 3) is used to handle email between email server and a local email client like Microsoft Outlook. POP3 is used to authenticate credentials on the server and download email that comes from across the Internet to the email server. The POP3 protocol is activated when the client receives email as shown in the diagram below.
119
SMTP (Simple Mail Transfer Protocol) on the other hand is the protocol used for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another. In addition, it is used to deliver email from the email client to the recipient's email server. The email will stay on the recipient's email server until it is explicitly requested to be downloaded by the recipient's email client over the POP3 protocol.
SMTP and SSL-Explorer In order for the messaging functionality to be used successfully it requires the mail server address in order to deliver the SMTP message. Once the user has created the message to distribute SSL-Explorer sends the message using the SMTP protocol to the mail server. Once received as above the mail clients will contact the mail server and download the mail.
Messaging Interface The screenshot below shows the available messaging configuration parameters which affect messaging functionality.
With SSL-Explorer Enterprise edition a number of additional messaging related extensions can be uploaded such as the one time password extension; any configurable parameters will be accessible from this menu under an associated tab.
120
Configuration Parameters • Enable on Startup: When SSL-Explorer instance is started the email messaging service is
available to use, un-checking this option will disable message distribution via email when the instance is restarted.
• SMTP Server: Messaging is performed in two ways, through active users running the VPN client and via messages being broadcast as emails received by users email clients. To use the email option the details of the SMTP mail server needs to be specified.
• Port: In addition to the above server being defined so to must be the listening port on the server, by default mail servers listen on port 25.
• Login (HELO): HELO represents the SMTP HELO command some mail servers (usually older servers) do not accept mail requests before a SMTP HELO command is sent. Clients use HELO as the first request in every session. The HELO parameter requires the principal host domain name for the sender, for example domainname.co.uk.
• Sender Address: This parameter specifies the host sending the message and will appear on the Sender name when the mail is received by the user’s mail client.
Clickatell and SMS in Access Control Configuration of Clickatell and SMS can be found in the Access Control guide under the OTP Authentication section.
Note
121
Basic Configuration
This section details the remaining areas listed under the configuration menu. These items allow configuration of those items that directly affect user interaction for example, extension manager allows an administrator to include additional functionality into the system, which affects what functions become available to users much like SSL-Certificates which affect how users are authenticated against the system.
Extension Manager The chapters that follow detail the remaining functions available under the Configuration header in the Management Console. These are: Extension Manager, SSL-Certificates, Replacements, User Attributes and License Manager. SSL-Explorer is not a static entity but an extensible application that continues to have functionality added and one of the methods employed to extend the functionality is through extensions. These are additional applications which can be installed on the SSL-Explorer VPN server to further enhance the usability and experience of SSL-Explorer. This chapter details the extension manager which manages these additional applications; the chapter consists of the following sections:
• What are Extensions? • Extension Manager Interface • Install an Extension • Updating an Extension • Removing an Extension • Upload an Extension • Bespoke Application Extensions
By the end of this chapter the user should have a sound knowledge of extensions, the extension manager and know how to install relevant applications and plug-ins required to meet business needs.
What are Extensions? Extensions are used within SSL-Explorer to give you a quick, simple method to install new functionality or upgrade the applications that you need from the software. New software components may be installed onto the SSL-Explorer server via extensions and assigned to your users with the greatest of ease. Extensions may be classed as either one of the following two types:
• Plug-ins: These extend the functionality of the SSL-Explorer server. This can be in the form of new services, new web pages, authentication components or beta versions of upcoming new features.
• Applications: Applications extend the number of applications available to SSL-Explorer. These applications are launched from the ‘My Applications’ page and run as separate
122
services. Examples of these would be SSL-Explorer’s range of proprietary lightweight remote access applets supporting SSH, RDP, VNC, SFTP and Telnet.
Installation of Extensions Extension files reside on the 3SP Extension Store – a publicly available store accessed from within SSL-Explorer. When an extension is selected for installation the wizard contacts the remote Extension Store and downloads the new extension file. Plug-in extensions require the restart of SSL-Explorer to become active whereas applications generally work instantly once downloaded. The extension itself comes in the form of a zip file and is stored on the SSL-Explorer server locally under <SSLEXPLORER_HOME>/conf/repository/archives, where <SSLEXPLORER_HOME> refers to the SSL-Explorer home directory. The file is unzipped to the applications folder, <SSLEXPLORER_HOME>/webapp/WEB-INF/applications. Each time the server is restarted the system clears the content of the applications folder. The extension is unzipped again from the repository folder and stored back into the applications folder. Extension files These files should not be removed as they will affect the running of the SSL-Explorer instance.
Anatomy of an Extension All the contents of the extension to get it up and running make up the pieces of an extension file. For example the PuTTY plug-in extension consists of the following files:
• extension.xml
• putty.exe The most important file in the package is the extension.xml. Not only does this maintain a list of files but it is also used by SSL-Explorer to understand how to run the file and identify whether any user interaction is required to launch the application successfully.
Application extension For application extensions the extension.xml file is replaced by an application.xml file whose purpose is much the same as the extension.xml.
The actual number of additional files varies greatly depending on the complexity of the extension.
Note
Note
123
Extension Manager Interface The screenshot bellows the extension manager interface:
The page divides extensions in to tabs by type. In addition there are three tabs that provide other information:
• Installed: This shows currently installed extensions • Updateable: Extensions that have a new version available • Articles: Articles that detail how to set up extensions that cannot be included in the extension
store for licensing reasons
Action Icons The action icon performs a particular function on the associated extension; available actions for an extension are:
Install extension
Update extension
Remove extension
124
Install an Extension Step 1 Any extension that is available for installation will be visible from under the appropriate section tab
for example any remote access extensions will be listed as installable from the Remote Access tab, any extensions related to access will be installable from the Access Control tab.
Choose an extension to install. The extension will have the install action icon against it.
Step 2 The system will proceed to download the extension from the extension store and install the application. A progress bar similar to the one below shows the status of the download:
Some extensions may require the user to agree to the license.
125
Step 3 Once installed the extension will be available from the Installed tab. If an extension requires a restart
of the system the extension will have the inactive icon against it:
Also a restart message will be visible from the Warnings window in the events pane.
Once restarted the active icon will be visible against the extension:
The extension should be accessible from its defined location for example application extensions from the applications menu.
Updating an Extension Step 1 Any updates to extensions are visible and can be updated from the Updateable tab.
Step 2 Click the update icon against the chosen extension to update.
126
Step 3 The system starts to update the extension. A progress bar indicates how long the update will take. If
the system requires a restart a warning message will be shown indicating this in the events panel.
Removing an Extension
Step 1 An installed extension can be uninstalled from the Installed tab. Identify an extension to remove from the Installed extension tab. Any uninstallable extension will have the delete icon against it.
Step 2 Clicking this a warning message is updated page as shown below:
Step 3 Select the associated remove action icon. A warning message is displayed to confirm the removal of the extension.
The extension is removed and is added back to the list of available extensions.
Assigned Extensions Any application extensions assigned through the application shortcut page are also removed from all associated users.
Upload an Extension Applications not available through the extension store can be uploaded manually. Many applications can be made into an extension and through this step uploaded onto the SSL-Explorer server for use by your users.
Step 1 Construct the extension in the appropriate manner. The basic content of an extension consists of the following items:
Step 2
Note
127
• Extension.xml: Which details the parameters required for the application, how to launch the application, defines the required application files, registry information and application execution procedures.
• Application files: All files required to execute the application must be collated. This content should be stored in a directory and that directory compressed into a zip file. For more information on constructing your own extensions, please refer to the Extensions section of the 3SP Knowledge Base at 3SP.com.
Step 3 To upload the created extension, select ‘Upload Extension’ from the action pane.
Step 4 Enter the path of the extension zip file for the system to upload.
When the Upload button is pressed the system will upload the extension to the appropriate place depending on the extension type.
• Plug-ins: These extensions usually require a system restart and will be loaded into the system under the appropriate page for example, if the plug-in is a new authentication method this will be visible within the ‘Authentication Schemes’ page.
• Applications: Extensions that are applications will be visible within the Installed tab under extension manager as well as a selectable application within the ‘application shortcut’ pages.
Bespoke Application Extensions So far we have concentrated on the extensions that come part of the extension store, supplied by 3SP Ltd. SSL-Explorer however can accept any external extension and load it in this mean that an administrator can also provide extensions for their user base of applications specific to their company. You are not restricted by what SSL-Explorer provides or 3SP Ltd creates and adds to the extension store but an administrator can create their own extensions for users to install. To find out how to deploy bespoke extensions please refer to the 3SP knowledge base,www.3sp.com/kb , which contains many articles on extensions and how to create them.
128
SSL Certificates
As part of the installation wizard an SSL certificate is configured this is then used for the purpose of encrypted communication between server and client. This page enables the management of this and other types of certificates that SSL-Explorer supports. This chapter details the certificate related actions available to a user from importing new certificates and purchasing certificates, the following sections are included:
• Revisiting Certificates • SSL-Certificates Interface • Creating a CA • Purchasing Certificates • Generating a CSR • Importing a Certificate • Exporting Keys and Certificates
By the end of this chapter the reader should have a sound understanding of certificates and be able to manage certificates used by the SSL-Explorer instance. Further information can be found in SSL-Explorer: Access Control Guide, chapter Authentication Schemes and
Revisiting Certificates The SSL (Secure Sockets Layer) protocol is the standard method used in securing e-commerce transactions. SSL defines two methods for securing sensitive information during an SSL session they are encryption and authentication.
Encryption The transmission of data should be secure so that no one can view the data that is being sent. Public Key Infrastructure (PKI) is a methodology that allows secures data transmission by encrypting information in a way that if the data is intercepted by a third party it cannot be understood. This topic is explained in greater depth in Appendix I, but for the purpose of brevity we will just summarize the core concepts here. PKI relies on an entity creating two keys that are used to encrypt information. The keys are related to one another by complicated mathematical formulae; but knowing the value of one of the keys will not lead you to the other. In this concept, one key is kept secret (the private key) while the other is made public (the public key). This public key can now be used alongside standard encryption techniques to encrypt and secure messages and the only way to decrypt the message is with the closely guarded private key. Only the one with the private key can ever understand the message. This is the basis for keeping SSL transmissions private. While encryption is a powerful tool on its own it is an insufficient tool to give consumers the confidence they need when performing e-commerce transactions.
129
Authentication On the internet, any data passed between two computers travels via a public network and anyone with the desire and know-how can potentially read it. A man-in-the-middle (MITM) attack occurs when a hacker manages to ‘position’ himself between a victim and a resource, proxying the client’s personal information to and from the resource and silently snooping on their personal data. The victim is unaware that anything wrong is going on and in fact, may even be communicating with the hacker in an encrypted manner although the hacker can see all transactions and may even be able to modify them for personal advantage. This shows that encryption alone is not enough the client should be confident that data received was sent by the correct website to prevent such things as MITM attacks. Secure internet communication is viable not only because encryption is used, but also because of authentication of the website with which there is an encrypted session. In other words, you can verify that the website is the one you intended to communicate with, and not an imposter who has launched an MITM attack. A web site is generally authenticated by an X.509 certificate.
SSL-Certificates In cryptography, X.509 is an ITU-T standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. An X.509 certificate contains the following information:
• Information about the entity that owns the certificate. • The owner’s public key. • Data from a well-trusted third party confirming that all the information inside the certificate is
verified.
Web servers use certificates:
• To prove their identities to a client browser. • To provide a public key to the browser so that it and the server may communicate securely.
X.509 certificates provide a mechanism on which an SSL session can be built. If an X.509 certificate contains the relevant data to create an SSL session, it can be considered an SSL certificate.
Certification Authority A web server must have a certificate that has been vetted by a trusted third party authority known as a Certification Authority (CA). The CA vets the certificate to confirm the identity of the sender by various means as examining business documents and that the sender is allowed to own this certificate and that no forgery is taking place. Only if the vetting process confirms the entity’s identity, the CA signs the certificate and adds its identity to the ‘issuer’ field. By signing a certificate The CA signs the certificate by using its private key so that someone who examines it will be assured that that CA validated the certificate’s information.
130
Since the signing process requires possession of the CA’s private key, which is closely guarded, it is not possible for someone to forge. It is relatively easy to create your own certificate that claims to belong to another website. However since a CA relies on public trust, it will not put its reputation on the line by signing a certificate unless sure of its validity.
Trustworthy Certificates In the same way that I could create a fake website certificate, e.g. ‘www.amazon.com’, I could also then create a CA certificate issued from e.g. ‘VeriSign’ and sign my fake certificate with it. Would this phony certificate then be accepted by a browser?
How does a browser know that a certificate is trustworthy?
When you use your browser to access a secure website, the remote web server attempts to use SSL to secure the communication. The web server transmits its certificate to your browser and if the certificate is trustworthy, the server switches to SSL mode and starts the secure session. The browser checks that the certificate is valid and is properly signed. If so, it checks that the issuing CA is trustworthy by comparing against the browser’s in-built certificates. Browsers such as Internet Explorer, Mozilla and Opera come with root certificates pre-installed, so that SSL certificates from certain vendors are pre-installed and can be verified instantly. If the certificate is unknown then a message appears warning the user that the certificate may not be valid. Without first possessing a CA’s private key you cannot create a fake certificate and attempt to fool the browser in thinking the certificate has been signed by the real CA. This is the real protection against MITM attacks.
SSL-Certificates Interface The screenshot below shows the main certificates page.
The page displays certificates related to each keystore type. As can be seen above, the keystore pull-down displays three different certificate types:
• SSL-Explorer Server Certificate: Certificates installed by the SSL-Explorer server for SSL encryption of VPN sessions. Browsers connecting to the instance will receive this as proof of authenticity.
• Trusted Server Certificates: These certificates are usually provided beforehand by trusted vendors whose webserver SSL-Explorer may be expected to connect to at some point. The certificate contains a public key to allow the client and server to secure the communication.
131
• Server Authentication: This certificate is used when the SSL-Explorer instance, acting as a client, connects to another HTTPS server which requires authentication by the client through the use of a private key.
• Client Certificate Authentication: This certificate is used by the client to authenticate itself with SSL-Explorer. SSL-Explorer creates this certificate containing a private key which is imported into the browser to authenticate itself with the server.
• SSL-Explorer CA: This certificate contains the public key used to sign all client certificates.
Action Icons The action icons against each certificate perform functions on the associated certificate:
Export certificate
Export key
Certificate Actions The action panel on the right of the page shows the actions that can be performed:
• Import Certificate or Key: Any further additions to the certificate database are imported from this option.
• Purchase a Secure Certificate: Buy a discount SSL certificate through 3SP Ltd. • Download CSR: Downloads the Certificate Signing Request for the server SSL certificate
currently in use in order to be sent to a CA for signing. • Create CA: Create a new authority
132
Creating a CA A Certificate Authority is required to be able to issue certificates to the clients. This process defines SSL-Explorer as the authority to be able to issue and validate the client certificates that will be used to log into the server. An external authority can also be used; the only thing required by SSL-Explorer is the importing of the private key part of the certificates issued by this authority for each client so that SSL-Explorer is able to identify each client certificate being used to login with.
Step 1 From the Action menu select the Create CA action.
For a server which already has a CA this step will be replaced by the Reset CA action. In this situation the CA does not have to be reinitialized each time.
Step 2 This action loads the Create CA wizard. This wizard guides the user through the steps required to
configure a CA for the system. Each certificate created for a user will be issued by this authority.
The information must all be completed. The information is then used to create a valid authority. The stamp of authenticity is all based around the content that is provided here, it is recommended that correct information be supplied. The required information and their meaning are detailed below.
• Common Name: The name the certificate should be referred to. • Location: Where the authority is based • Organizational Unit: The department of the authority • Company: The name of the company or entity to which the certificate should be registered.
Step 3 To encrypt this information and the subsequent generated private keys the certificate requires an
encrypting password.
133
Step 4 The strength of the private keys is next required. The stronger the size the more complex the keys.
Step 5 Finally a summary I shown of the certificate that is about to be created. Pressing the Finish button will
create the certificate else the he Previous button will go back to each step and allow amendments to take place. That’s it. The newly generated authority will be used to issue all client certificates. This CA can be seen in the SSL-Explorer CA keystore.
134
Purchasing Certificates Step 1 The ‘Purchase a Secure Certificate’ action goes to the ‘SSL Certificate Purchase’ page at 3SP.com.
3SP Ltd. uses InstantSSL as the certificate provider.
As can be seen below, 3SP.com provides the Super User with a list of certificates to buy.
Select the appropriate certificate.
135
Step 2 Select the URL. Once the purchase has been successful a URL is sent to the recipient’s email address much like the one below. https://secure.comodo.net/frontpage?reseller=y... Inserting the URL into a browser opens the ‘Certificate Signing Request’ page from Comodo as can be seen below:
Before this request can be processed a CSR needs to be generated through SSL-Explorer.
136
Generating a CSR Step 1 Select the ‘Download CSR’ option available in the Action pane.
Convenience with 3SP.com Certificates The generated CSR can be used from any certification authority although 3SP Ltd. provides a more convenient and cost effective means of obtaining discounted certificates in partnership with InstantSSL.
Step 2 The ‘Download CSR’ action takes the content from the unsigned certificate currently in use by SSL-Explorer and produces a CSR. When ready the system makes the CSR available for download.
The file should be saved.
Remaining Steps The remaining steps detail how to continue the signing process via a certificate purchased through 3SP.com. If an alternative certification authority was used, please follow their instructions instead.
Step 3 Complete the signing request. Using a standard text editor open the downloaded CSR, copy and then paste the content into the large text box as shown below.
Note
Note
137
Select Java Web Server as the ‘server software used to generate the CSR’ and select an appropriate option from the last two questions. Select Next.
Step 4 Complete the remaining details. The registration process reads the unsigned certificate and populates some details itself. The remaining required details must be completed.
Step 5 Once complete hitting the Next button takes us to the final step in the process confirmation of details.
138
From here InstantSSL will now validate the authenticity of the CSR. Depending on the type of certificate that was chosen, the time spent by InstantSSL on validating the request will vary. For example, an ‘Intranet SSL Certificate’ is the quickest to process in usually under an hour.
Step 6 If successful, InstantSSL will sign the certificate and return a zip file containing the signed certificate and the necessary root certificates reading to be imported into the system.
Importing a Certificate Step 1 Select ‘Import Certificate or Key’ from the Action menu.
Step 2 Next, select the ‘Input Type’. SSL-Explorer is able to import several types of certificate or key:
• A certificate purchased from 3SP.com: Use this if the certificate has been purchased from 3SP.com. This speeds up the import process by automatically loading all the keys contained within received zip file.
• A reply from a CA: A DER encoded certificate from a vendor other than 3SP Ltd. • A root certificate for your web server’s CA: A root certificate to authenticate the issuer of your
installed certificate. • A certificate from a server you wish to trust: Add a specific server’s signed certificate to the CA
certificate trust store to trust the server. • A key for a server that requires client certificate authentication: A private key to perform client
authentication on outgoing connections in either PKCS2 or JKS format. • A CA certificate for verifying Active Directory user certificates: A certificate from a CA used to
authenticate Active Directory users. • A certificate you trust for client certificate authentication: Only the Super User can generate
internal certificates, use Active Directory certificates or trust a certificate. Importing a certificate through this option will trust a certificate for use with client authentication.
Step 3 Load the appropriate file.
Step 4 The system provides a summary of the action about to be performed, selecting Back will allow the details to be modified.
139
Once completed successfully the newly imported certificate will be visible from the main SSL certificate page as below.
Exporting Keys and Certificates If you need to retrieve the certificate or key for one that has been previously created then these can be exported again from the system through the export actions available against each certificate. For example if a certificate for an account has been lost then using these actions the certificate can be retrieved.
To export a certificate simply select the export certificate action associated with the certificate.
To export the associated private key, select the export private key action.
140
Attributes
As with any large user management system, functionality that makes administration easier always helps and user attributes is no exception to this rule. Its simplicity and global use make this a very powerful piece of functionality. This chapter aims to details what user attributes are and how to make the best use of them. The sections covered in this chapter are as follows:
• What are Attributes? • Attribute Interface • Creating Attributes • Editing a Attribute • Deleting a Attribute • How to use Attributes
By the end of this chapter the reader should have a sound understanding of user attributes and know how best to use them.
What are Attributes? User attributes are simply attributes that perform a similar function to ‘environment variables’, and can be created by a user and used throughout the system. SSL-Explorer comes with a set of default attributes that cannot be removed these are used by the Personal Details Authentication module.
Security Questions One of the default user attributes is placeOfBirth; all users have this attribute stored under the Security Questions tab (User Console My Account Personal Details). Each user can populate this attribute with their respective answer and when the Personal Details authentication module is used at log-on and asks a user for their place of birth, the module merely looks to the value stored under this attribute for each user logging into the system. If the attribute keyed in value matches that of the stored placeOfBirth value authentication is successful. For each user logging in the respective attribute is compared allowing for a single attribute to be used by all users.
141
Applications Attributes can be used with application shortcuts, an attribute can be created as below which defines a hostname and a port number.
Here the attribute VNC Server is a defined by each user, specifying which server they wish to connect to when using the VNC application shortcut. The VNC application shortcut is configured to use this new attribute:
Whenever the application shortcut is executed, the system takes the current user’s vncServer attribute and uses the value as the hostname to connect to. Each user can define their own vncServer attribute to point to whichever server they wish to connect to. Thus for every user the application shortcut works differently, connecting to a different server without any further modification.
Web Forwards The flexibility of user attributes also means they can be used in web forwards. An example is a web site such as a support site which requires a form to authenticate users.
A standard username attribute cannot be used as the FORM has a drop-down list for user as opposed to a text field. So here a user attributes is defined which specifies the associated users ID. Two new attributes are defined which are confidential to the user only and specify the Username Id for the user and their password.
142
When the web forward is configured the attributes are added to the authentication parameters.
When the web forward is finally executed the supportId and supportPassword attributes are submitted during authentication into the website. The FORM object takes the supportId and identifies the username then takes the supportPassword as the associated password. Instantly any user is able to access the support website using there credentials and this single web forward.
Types of Attributes The examples above all show the use of the user attribute where the attribute is assigned through the ${attr:attributeName} command. There is also another attribute type called policy attribute. Unlike the user attribute which is assigned to each user this is assigned to a policy and is referenced by the ${policyAttributes:vncHostname} variable. Policy attributes once set are set for all users under the assigned policy. So a resource can be executed under a different policy and have a different value for each policy.
Attribute Interface The screenshot below shows the user attributes main page accessible from Management Console Configuration User Attributes.
143
If you hover over an attribute (as with all resources) further information is shown in a pop-up:
• Name: Attribute name referenced wherever the attribute needs to be used • Label: A more readable name for users to know what the attribute is for • Category: Type of attribute and under what tab it should be stored in Personal Details • Visibility: Whether the attribute can be managed by user or Super User or both
Actions Icons The action icon performs a particular function on the associated attribute. Available actions for a user defined attribute are:
Delete User Attribute
Edit User Attribute
Creating Attributes Step 1 Select Create User Attribute from the action box at the top right of the page.
Step 2 The basic details of the attribute need to be completed first.
144
• Name: The name by which the system can reference the attribute. • Description: Information about the attribute • Class: Whether the attribute will be a user or policy based attribute.
o User: User attributes become associated with users. Each user will need the value for this defined either by themselves or the super user
o Policy: This attribute is attributed to a policy instead. The value defined for this will affect all users associated with the policy so this value only needs to be set once
Step 3 The attribute must now be defined. The screenshot below shows an attribute is made up of a number of
components.
• Type: The type of attribute. • Visibility: The visibility of a user attribute is divided into 4 scopes:
o User or admin, use, view, override: This is the most relaxed level of visibility. Both the Super User as well as a user can fully manage the attribute
o User use and view, admin change: Here the user is able to see the attribute, use it where necessary but cannot change the value associated with the attribute
o User use, admin view or change: The user is restricted further by only being able to use the attribute managed solely by the Super User
o User Confidential: The responsibility is reversed only the user has access to this, the Super User cannot manage nor visibly see this attribute
• Label: The name by which users can reference the attribute
145
• Default Value: The default value, depending on the visibility this value can be altered by the user or Super User.
• Category: The placement holder for the attribute, a new tab under Personal Details (User Console My Account Personal Details) is created with this value as its title.
• Weight: The order of where it should be placed in the category if there is more than one attribute under the same category. The higher the weight the lower down the list it will be shown. Weight is defaulted to 0 by placing an attribute at the top of the list.
• Validation: The validation class to use. SS-Explorer comes with a set of default validators for each type of attribute. Some validators come with parameters that can be altered:
o StringValidator: min and max length, trim blank spaces and even regEx or patterns can be used
o IntegerValidator: min and max range values can be set o BooleanValidator: nothing can be defined, the validator checks for true or false
only
Providing Specific Validators You can use your own validation class here. Simply create the class, store it in a jar and add this jar file to [SSL-Explorer_HOME]/webapp/WEB-INF/lib.
• Type Option: You can also use this parameter to provide specific options to each type of attribute.
o Text: for text attributes this parameter can be used to define the width that gets displayed.
o Checkbox: you can specify a replacement name for the default true, false values. o Text area: this parameter allows the dimensions of the text area to be displayed. By
specifying a number such as 30x2 will set the area to be 30 with by 4 height.
Step 4 Once complete, hitting the ‘Save’ button will store the attribute and it will be accessible from the user attributes page.
If the attribute is a user attribute and set to be accessible by users then it will be available under User Console My Account Attributes under the tab also titled that of the defined category parameter.
Note
146
If the attribute is a policy attribute then this will be visible under each policy. Editing a policy there will be a tab as titled in the category field or if this was left blank, under the default Attribute tab.
147
Editing a Attribute From the user attributes page select the Edit action against the required attribute, the ‘Edit User Attribute Definition’ page will be shown. From this page the current details stored can be modified.
As the screenshot above shows the name cannot be changed.
Deleting a Attribute The ‘delete’ action removes a user attribute permanently from the system. Selecting the Delete action against a user attribute will result in a warning message.
Selecting Yes will remove the attribute from the system.
Fixed System Attributes User attributes created by the system such as those categorized under Security Questions are required by the system so cannot be removed nor edited; no available actions are associated with these.
How to use Attributes Once a user attribute has been created it can be used throughout the system, wherever dynamic information can be loaded user attributes can be used.
Note
148
A user attribute is referenced via the attr command whilst a policy attribute is referenced by the policyAttr command. Below an example demonstrates how to set up a network place using user attributes.
Step 1 The user attribute ‘myNetHome’ is defined and stored under the ‘Network Places’ category.
Step 2 The network place is then defined.
As highlight in the screenshot shows the path uses the ${attr:myNetHome} variable. When this is executed the system replaces the ${attr:myNetHome} for the ‘myNetHome’ user attribute.
Step 3 Each user defines their ‘Network Home’ under the user attribute available from the Personal Details page. As the highlight shows the user attribute is available under the newly available Network Places tab as defined in the attribute definition page earlier.
That’s all there is to it. Every time the network place is launched, the system dynamically takes the value of ‘My Network Home’ from the logged in user and replaces the ${attr:myNetHome} parameter in the path. So for each user this will load their respective home share.
Session Variable Another way to use dynamic parameters in the system is by using the session variable.
149
The session variable is used mainly when creating extensions, and it allows session information to be used and not user attributes. With the above example we could also have used session as oppose to the attr variable like below.
The session variable refers to the values available during the course of the session. So as above the system would replace this with the username being used in this current session. This means that if the users home share on the network is named the same as the username used to log into SSL-Explorer (as might be the case in an Active Directory environment) then this Network Place will work and the home share of RobertsP would still be loaded. The session variable can also be used to reference the user’s password; so in an example of an application shortcut which requires both username and password we could use session:username and session:password. More information on this variable and the available parameters that are accessible will be available in later releases of the documentation.
150
License Manager
With SSL-Explorer being an evolving product each new release brings with it further modules of functionality. In order to use some of these features a valid license must be uploaded into the system. This chapter details the License Manager which manages licenses in the system the chapter covers the following sections:
• License Manager • License Manager Interface • Uploading a License • Deleting a License
By the end of this chapter the reader should have an understanding of the License Manager and when required be able to use the manager to upload licenses.
License Manager The only licenses currently required for SSL-Explorer are for the Enterprise Edition of the product. In this scenario, a license is automatically retrieved and uploaded into the License Manager. This license will either be full or temporary for evaluation. In both cases the license and its purpose will be visible from the License Manager. Other than as a visible reminder of loaded licenses, the License Manager only really becomes effective in rare occasions where a license has failed to automatically upload. In this situation a warning is relayed to the user stating that they should contact 3SP Ltd. A new license will be sent which can then be uploaded manually through the License Manager.
License Manager Interface The License Manager is accessible from Management Console Configuration License Manager.
151
Actions Icons The action icon performs a particular function on the associated license. The only available action for an installed license is:
Delete License
Uploading a License Step 1 Select the ‘Upload License’ action available from the Actions frame on the right of the page.
Step 2 Choose the license file that needs to be uploaded.
Once selected pressing the ‘Upload’ button will load the license into the system. The new license will be activated and will be visible from the main License Manager page.
Deleting a License The ‘Delete’ action removes a user attribute permanently from the system. Selecting the ‘Delete’ action against a license will result in the removal of the license from the system. Any functionality associated with the license will no longer be accessible.
152
Secure Node
The standard communication model for outgoing calls is for SSL-Explorer to simply make a direct connection to the destination host. This paradigm does not suit all business needs. Secure node provides an alternative routing framework. The framework registers interest from external clients and enables them to instead route information for a particular host. This chapter provides further information on this framework and ultimately information how a Super User can administer and manage this framework. The sections covered are:
• What is a secure node? • What are Routes • Installing Secure Node Client • Secure Node Interface • Create New Route • Editing a Secure Node • Editing a Route • Deleting a Secure Node • Deleting a Route
What is a secure node? A secure node is a small Java written client that is installed on a machine. Once installed the secure node registers itself with the SSL-Explorer instance and then sits idle. It is only when SSL-Explorer requires its assistance does the client wake and begin performing its tasks.
What is its function? A secure node’s purpose is to simply redirect traffic securely to a target host. As the diagram below shows, secure node acts as a proxy directing traffic from SSL-Explorer to the remote system. The administrator is thus able to configure an environment where there is no direct connection to the end host. For example, a secure node can be installed on a remote network and connect back to SSL-Explorer using the standard HTTPS port. With the configuration of routes an SSL-Explorer super user can then setup resources that access services on the remote network without the need to open up a single port on the firewall protecting the remote network.
153
This same process can be used to access resources inside the LAN from an SSL-Explorer server residing in a DMZ. In the diagram below SSL-Explorer sits in the DMZ with other internet facing servers. The DMZ is secured from the internet with a firewall which only has port 443 open so that SSL-Explorer is accessible. The link from LAN to DMZ is also secured by a firewall. The administrator creates a resource e.g. a web forward to a CRM system; this requires a connection to the CRM service on the LAN. Instead of opening another port on the firewall between the DMZ and LAN, the administrator can position a secure node on the LAN side with a single port open which the secure node can receive data on.
CRM client
DMZ LAN
SSL
Secure node ‘dials’ into SSL-Explorer to
service tunnel requestsSSL-Explorer
CRM System
SSL
Internet
What are Routes A route defines an endpoint host that is associated with a single secure node. A secure node can be associated with a number of routes all of which define what endpoints a particular secure node can connect to. When a connection takes place the system determines which secure node is associated with the client’s desired route and contacts that secure node passing it all the traffic.
Visibility Secure node is not something a user will actually see or select to use it is actually a background process that takes over whenever a connection needs to go out SSL-Explorer to a remote system. If the administrator has routes configured and a secure node installed the system will take advantage of this and proxy the traffic through the secure node. A user will be unaware that a secure node is proxying his or her traffic. When no secure node is installed, SSL-Explorer will continue to make direct connections to its target host.
154
Secure node is strictly an administrator feature to help reassurance of security; its activation affects all resources.
Compatible Resources Currently not all resources work with secure node; Active Directory, LDAP and nEXT are inappropriate and Network Places is currently incompatible. Those that are currently compatible are as follows:
• Web Forwards • Applications • Tunnels
Installing Secure Node Client Before any routing can begin the secure node client needs to be installed on a machine. This machine should be sufficiently placed so that the destined routes can be reached. As the diagram above shows the client is on a machine which is inside the secured LAN this allows the secure node to access any resource inside the company network.
Step 1 Select the appropriate Download Client action from the secure node page (Management Console → Configuration → Secure Nodes), this example uses the Windows client:
Step 2 The client file will need to be saved to an appropriate place. Once done the extracted file should be executed.
Step 3 Once the wizard has started and the license agreed a destination folder of the secure node client needs
to be specified
Step 4 The next step is defining the secure node properties:
• Host: The host of the SSL-Explorer server to maintain communication with • Port: The listening port of the SSL-Explorer server
155
• Authentication Method: Certificate or Password.
Certificates Supported For tighter security a certificate can used instead of a simple password
• Username: Username of a user that can access secure node • Certificate: If Certificate has been chosen as the authentication method then this will be
accessible. Browse to the appropriate certificate • Password: If Password has been chosen as the authentication method then this will be
accessible. Key in the password associated with the user • Confirm Password: Confirmation of above password
Step 5 Once installed the client needs to be started. This is run as a process and so for a windows you need to start the SSL-Explorer Secure Node service (Control Panel → Administrative Tools → Services).
The secure node service will now be running. If successfully configured the client should successfully register with the SSL-Explorer server and appear in the main secure node page.
Note
156
Authorize Secure Node Once a secure node has been created and has registered successfully with the SSL-Explorer instance in order for it to be used and have routes assigned to it the secure node needs to be authorized. Against the appropriate secure node select More… followed by the Authorize action.
Secure Node Interface The main secure node page (Management Console → Configuration → Secure Nodes) provides information on all successfully registered clients.
As you can you see above SSL-Explorer always comes with a default secure node which is the standard node all traffic goes though. This is located on the actual instance itself. Below this are all other newly registered secure nodes.
Action Icons The action icons against each secure node performs functions on the associated secure node, their respective objective is detailed below:
Delete secure node
Edit secure node details
Authorize secure node (More…)
Disable secure node (More…)
157
Create New Route Step 1 For a secure node to work a route needs to be created. Select the ‘Create Route’ action as displayed
below:
Step 2 The Create Secure Node wizard will be initiated. The first step in the wizard requires basic information for the route.
• Name: The name of the route • Description: Details of the route
Step 3 The route itself needs to be defined.
• Host Pattern: The address of the route. Any traffic destined for this host will be proxied through the selected secure node. Secure node doesn’t necessarily have to support only one address a range can be defined for example if you want this route to be used for all requests in a given domain *.domain.co.uk would be used.
• Port Pattern: Any specific host that should be identified
158
• Use Regex Pattern Match: By checking this regular expressions can be keyed into the host pattern
• Continue if Secure Node is Offline: Selecting this will allow another secure node, which has an equivalent route, to serve the request destined for this route. If there is a selection of routes all with this flag set, the system will search through the list for a route which matches and eventually if all routes happen to be offline fall back to the default secure node.
• Type: There are two types secure nodes Local and Remote
• Local: Connections are established from SSL-Explorer out to the secure node • Remote: Connections are established from the secure node back to SSL-Explorer
• Secure Node: The secure node which will service this route should be chosen here. The list
of active secure nodes is available from the list
Step 4 Once all the necessary parameters are defined the wizard displays a summary. Selecting Next will finish the creation of the route.
The newly created route will be visible from the main page under the appropriate tab Local Routes or Remote Routes.
Enabling Routes Even though the route maybe assigned to a secure node and the secure node authorize in order for the route to be used by the secure node the route needs to be enabled. To enable a route simple go to the appropriate route and choose enable from the More… button.
159
Editing a Secure Node From the secure node page select the ‘Edit’ action against the required secure node the ‘Edit Secure Node’ page will be shown. From this page the current description and assigned routes can be amended.
Editing a Route From the appropriate route (local or remote) page select the ‘Edit’ action against the required route, the ‘Edit Route’ page will be shown. From this page the current details can be amended.
Deleting a Secure Node The ‘Delete’ action removes a secure node from the system. Selecting the ‘delete’ action against a secure node (from the secure node page) will result in a warning message.
Selecting ‘Yes’ will result in the removal of the secure node. The route association will be removed.
Deleting a Route The ‘Delete’ action removes a route permanently from the system. Selecting the ‘delete’ action against a route (from the routes page) will result in a warning message.
160
Selecting ‘Yes’ will result in the removal of the route.
Secure Node Configuration The configuration menu contains a few options to allow minor refinements to how secure node works.
• Connection Timeout: The maximum wait time before a connection is considered timed-out • Require Authorization on Host Change: This should be set if a secure node needs
authorization when its host name has changed
161
Public Key Infrastructure
Public Key Infrastructure (PKI) is a security architecture that has been introduced to provide an increased level of confidence for exchanging information over an increasingly insecure Internet. Public-key cryptography uses a pair of mathematically related cryptographic keys where one key is used to encrypt information and the other related key can decrypt that information.
• A public key: Made public and freely distributed. • A private key: A corresponding (and unique) private key that is kept guarded.
Public key cryptography is used for the encryption/decryption and signing/verification of information. Encrypting information ensures privacy by preventing unintended disclosure; signing messages authenticates the sender of the message and ensures that the message has not been modified since it was sent.
Encryption In most scenarios the public key infrastructure comprises of two key pairs, one pair to encrypt and decrypt messages between two parties and another pair used to authenticate the sender of the message. We first briefly detail how the keys are used to encrypt and decrypt the messages.
Public Key
A sender wishing to send you secure information uses your public key to encrypt the information since the public key can be made public it can be distributed amongst all necessary contacts. In normal practice, the information being sent is not encrypted with public/private key algorithms (asymmetric cryptography) instead it is encrypted using a secret key algorithm (symmetric cryptography). Symmetric algorithms are much faster than public/private key algorithms. A random session key is generated and used with the symmetric algorithm to encrypt the information. The public key is still used however to encrypt only the session key only and both are sent to the recipient.
Private Key
The recipient takes the public key encrypted information and uses his corresponding private key to decrypt the message. If the data is encrypted the recipient knows that the data was meant for them but they cannot be certain who it’s from. As above in normal situation the private key is used to decrypt the session key, and that key is used to decrypt the actual information rather than the private key decrypting all the information.
Authentication The PKI method not only provides certainty of data privacy but also assurance that the data has been sent by the person who was meant to sent it and no MITM has occurred. The second key pair ensures authentication of the data.
162
Private Key
To prove to the recipient the authenticity of the sender that they are the source of the information a second private key is used to digitally sign the message (a digital signature). Unlike a typical handwritten signature, this digital signature is different every time it is made. A unique mathematical value, determined by the content of the message, is calculated using a ‘hashing’ or ‘message authentication’ algorithm. Using the private key this value is then encrypted creating a digital signature for the specific message. This encrypted hash value is sent with the message and the public key can also be sent either as part of the message or in a certificate.
Public Key
The receiver of a digitally signed message uses the correct public key to verify the signature by performing the following steps.
1. The associated public key is used to decrypt the hash value calculated for the information. 2. Using the correct hashing algorithm the hash of the information is calculated, if certificates
have been used the appropriate algorithm will be specified. 3. The two hash values are compared if the values match, the receiver knows that the person
controlling the private key corresponding to the public key sent the information and that the information has not been altered since it was signed.
4. If the public key was sent with a certificate the certificate is then validated with the CA that issued the certificate to ensure that the certificate has not been falsified and that the identity of the controller of the private key is genuine.
5. Finally, if one is available, the revocation list for the CA is checked to ensure that the certificate has not been revoked, or if it has been revoked, what the date and time of revocation were.
Public keys are stored within digital certificates along with other relevant information (user information, expiration date, usage, who issued the certificate etc.). The CA enters the information contained within the certificate when it is issued and this information cannot be changed. Since the certificate is digitally signed and all the information in it is intended to be publicly available there is no need to prevent access to reading it, although you should prevent other users from corrupting, deleting or replacing it.
163
164
Access Control Administration
This section details how the system can be accessed, from creating user account to giving users access rights to the system. Depending on what type of user database configured some functions are not accessible. By the end of this chapter the reader should have a strong understanding of how the access control infrastructure of SSL-Explorer is built up and how it achieves such a strong level of access control flexibility.
Introduction Chapter covered a little access control theory as well as how SSL-Explorer deals with common challenges. It includes the following sections:
• Overview • Access Control Architecture • Flexibility
Overview SSL-Explorer is a complete SSL VPN solution that provides secure, authenticated and controlled access to enterprise intranets, business applications and internal resources from virtually any modern desktop or notebook device.
At the heart of SSL-Explorer lies its access control engine. This is responsible for the complete management of all users from their initial log-on, right through to their exit from the system. More importantly it secures control of user access to different areas of the internal network. The engine is the key component in verifying a user accessing the system and determining the actions that they may perform. Every action performed within SSL-Explorer is monitored by the access control engine in real-time and, as the diagram depicts, it acts as the ‘guardian’ of the system.
165
System of Trust By considering an SSL VPN solution, you are obviously intent upon allowing remote access to your computer based assets or resources by other individuals or organizations. Some of these individuals you will trust more than others. The concept of trust is a fundamental part of any secure system. As such it is crucial for the security policy to cater for and control how that trust is granted, used and revoked. With trust playing such a significant part of remote access, SSL-Explorer has been designed to allow for either ‘coarsely grained’ or ‘finely grained’ access control. This approach allows SSL-Explorer to mirror more closely the actual trust relationships present in the real world. In conjunction with multi-tiered authentication schemes, SSL-Explorer’s security model is much more advanced than those offered by conventional VPN solutions. Both the Community and Enterprise editions of SSL-Explorer are conceptually identical in their approach although there is a significant difference in the number of authentication modules available between the two editions.
Levels of Trust Trust is administered in measures - the more trust a user has the more privileges they are granted. Again the opposite is said for someone who has a lesser degree of trust and consequently is given a lesser level of ownership and access.
SSL-Explorer follows this tried and tested pattern. With the access control framework, ‘super users’ are seen as the most trusted users, seeing as they control the SSL-Explorer instance. ‘Power users’ are given a lesser measure of control. Finally the standard user has a lesser degree of trust and therefore potentially the least level of access and responsibility.
Access Control Architecture The SSL-Explorer access control framework has been designed to tackle the following main issues.
• Users and Groups: Each organizations view on users and groups is almost always different. They do though share common behavior, e.g. ‘Add User/Group’ or ‘Delete User/Group’. It is also likely that the organization’s user/group directory already existed prior to the introduction of SSL-Explorer, for example an Active Directory domain or LDAP directory. The variety offered by such choice invariably gives rise to a number of different approaches and implementations.
166
• Resource Access: The intended outcome when implementing an SSL VPN solution is to allow remote access to network-based resources. The number of types of network resource is relatively varied and new methods are likely to appear. Each resource deployed can have very different access requirements, such as read or write permissions. Any resource within the system must be accessible by more than one user if so desired; the system should allow for the sharing of resources.
• Resource Distribution: A resource created within the system must be easily made accessible to those users that require it. Assigning resources on a per-user basis should be avoided wherever possible.
• Resource Permissions: Resources can have a range of permissions to limit how they may be assigned. When a resource is assigned to a user the user must be restricted to the set permissions. For example, a super user may create a resource to administer creation and assignment of application shortcuts only. This is assigned to a user who attempts to delete an existing application shortcut, this operation will be declined.
In order to resolve the aforementioned issues the access control architecture relies on three key entities:
• Principal: The intended ‘consumer’ of the resources, i.e. a user or a group. • Resource: The networked resource, internal function or property item that the principal
wishes to utilize, e.g. a web-forward or the right to manage accounts. • Policy: This is the relationship defined between the principal and resource. It is the
component that ensures that only the right people can perform the right action.
Utilizing this methodology, SSL-Explorer is able to maintain robust, secure, and flexible access control architecture.
What is a Resource? Within SSL-Explorer a ‘resource’ is defined as an application, utility, data source, or any other privileged ability that when assigned will allow the user to conduct certain tasks. Think of it as the endpoint, or objective that a user wishes to achieve. This could be something as simple as a user accessing their email client to read their mail. In this case, the resource would be the email. Similarly, an intranet website would also be classed as a resource – just as a network share would be. All accessible stores of ‘informational value’ are deemed to be resources under this concept.
What is a Principal? As already mentioned, the ‘principal’ simply refers to a user or group of users. The principal entity sits at the other end of the access control chain. The process flow begins with this entity and ends with the resource entity. In SSL-Explorer, these principals are only differentiated by the access rights they are assigned.
167
What is a Policy? A ‘policy’ is the glue by which all principals and resources within SSL-Explorer can cohesively work together. As the diagram below shows, the means by which a principal entity has access to a resource entity is through the policy and the means by which a resource entity becomes accessible is again through the policy.
Policies represent SSL-Explorer’s form of trust. A high level of trust equates to a policy of greater flexibility and responsibility; whereas a user with minimal trust may be assigned policies that grant them fewer privileges. A ‘power user’ of the system manages the SSL-Explorer server and thus must have a higher degree of trust and consequently is granted a policy that covers a much greater scope of responsibility. The opposite can be said for a standard user whose policy may only grant the bare essentials required to allow them to perform their duties.
What is Permission? A ‘permission’ is a special part of a policy. It adds the final level of control to the access control framework. As we have seen, not only can we control what resources a principal can access, but with this sub-element we can add a lower-level layer to control exactly the functionality a user can perform on any given resource. For example as the diagram below shows, the policy is associated with a resource but the permissions on the resource only permit the associated principal to use the resource despite the resource itself having further actions such as editing, assigning etc .
With permissions we are able to lock-down control to the actions of the resource itself.
168
Flexibility As we have seen, SSL-Explorer offers a great deal of flexibility with its design. This allows it to evolve as its environment changes. Should an organization decide to restructure, SSL-Explorer can easily be altered to reflect those changes. As the user base begins to evolve and expand, the internal representation of the user base can be visualized as a web of policies, interrelated and bound in all directions as depicted in the diagram below.
169
Creating Accounts
Principals in their basic form refer to the users of the system upon which the services of SSL-Explorer are delivered. Accounts are the means by which a principal is created within the system. An essential process in building a robust and flexible system is defining what your principal base is. This chapter details further what principals are and how SSL-Explorer manages these entities. This chapter includes the following sections:
• Principal Types • Super User Account • Account Interface • Create New Account • Editing an Account • Deleting an Account
By the end of this chapter the reader should have a sound understanding of principals and how to model their required principal architecture successfully.
Principal Types Principals at their lowest level represent a user, a consumer of the system. This is simply a user that will access the system. This can be in the form of a standard remote user accessing the system to carry out their work, to a ‘power user’ that maintains the system and creates users and organizes access control etc. Principals however go one step further than this definition by incorporating the concept of ‘groups’– a collection of users gathered into a single entity due to some similarities. More details on groups can be found in the chapter titled, ‘Creating Groups’.
Super User Account The only default user embedded within SSL-Explorer is the super user. This user is the only user created automatically by SSL-Explorer; if the user database has been defined as built-in the user has the choice of providing authentication information for this user. If however the selection is anything other than the built-in database, SSL-Explorer will load up the defined user list from within the database and the administrator is expected to choose from this list. All other accounts throughout the system’s lifetime are created by this super user and their purpose defined by their attached policies.
Structured Account Network A policy structure should be considered before creating any accounts. Categorizing accounts into
170
policies as ‘Administrators’ or ‘Guest’ will encourage a more structured and organized system. This is often imperative as the user base grows.
The super user however is not categorised as a standard user infact the super user is calssified as the administrator of the system only and not as a typical user. The super user is only made to install the instance and perform configurations of the instance from then on the super user should delgate its responsibilities out to other users of the system through access rights (Management Console → Access Control →Access Rights).
Account Interface The main accounts page provides information on all accounts present within the system.
Action Icons The action icons against each account performs functions on the associated account, their respective objective is detailed below:
Delete account
Edit account details
Enable account – only visible if account is disabled (More…)
Disable account – only visible if account is enabled (More…)
Unlock account after authentication failure (More…)
Furhter account related actions are added to the More... menu as and when new authenitcation related extensions are added:
171
Unsupported Database Actions as ‘Create’, ‘Edit’, ‘Delete’ will not be accessible if the chosen user databases does not support external modification by SSL-Explorer. To make such amendments the super user/ administrator must access the user database directly.
Create New Account Step 6 If a new account can be created the action pane will display the ‘Create New Account’ action as
displayed below:
Step 7 The ‘Create User Account’ screen will be shown as below:
The page requires certain information to create the user, these are detailed below:
• Username: This field defines the name to be used to log into the system • Fullname: The name of the actual user responsible for this account. This name will be visible
in the account summary page. • Email: A contactable email address. • Enabled: If checked, once the account has been given a useable policy the account will
become active automatically.
Note
172
Step 8 The created account can be assigned to a group. Enter the group name within the ‘Group Name’ field
and use the ‘add’ and ‘remove’ buttons to associate the account with the given group. Further information on group selection can be found in the section below titled, ‘Assigning Groups’.
Step 9 Select Save to store the newly created account.
Cancellation of Account Selecting the ‘cancel’ button will terminate the account being created. This can be pressed at anytime and no account will be added to the system.
Step 10 Once the account has been saved the system will ask for a password for the new account.
A new password must be entered. In addition the ‘Force user to change password at next logon’ setting ensures that the user make his or her password secure by forcing them to change it the first time they logon to the system. Selecting Save will save the password against the new account. The newly created account should be visible from the main Accounts page.
Assigning Groups Groups are loaded by the system from the underlying user database. If the database supports modification to groups then the created account will be able to join a listed group. For more information on which databases support group modification refer to the chapter in this document on ‘Creating Groups’. To add a user to a group with a user database that supports group modification, simply enter the name of the group in the ‘Group Name’ text box and select the ‘Add’ button. The group will then appear under the ‘Selected Groups’ list box. If you wish to remove a user from a group, select the group name from the ‘Selected Group’ name list box. Pressing the ‘remove’ button will separate the user from the group .The name will also have been removed from the ‘Selected Groups’ list box. For more information on navigating the wizard refer to the chapter titled, ‘System Navigation’.
Editing an Account From the accounts page select the ‘Edit’ action against the required account and the ‘Edit Account’ page will be shown. From this page the current details stored about the account can be modified.
Note
173
As the diagram above shows, the username cannot be modified.
Deleting an Account The ‘delete’ action removes a user permanently from the system. Selecting the ‘delete’ action against an account (from the accounts page) will result in a warning message informing that the user is about to be deleted, as shown below.
Selecting ‘Yes’ will result in the removal of the account from the system. If this user is associated with any policies these will also be removed along with all other associated links.
174
Creating Groups
Groups represent the alternative type of principal. Groups offer a more convenient type for larger enterprises with a greater user base. This chapter details what a group represents and how SSL-Explorer utilizes them. The sections included are as follows:
• What are Groups? • Groups Interface • Create New Group • Editing a Group • Delete Group
By the end of this chapter the reader should have a sound understanding of groups within SSL-Explorer and how they can be used to provide structure to a user base.
What are Groups? Principals define users in two forms: the singular being represented by a single account and the plural being a collection of accounts. Groups allow for a more structured approach to account management; allowing an administrative user to categorize types of accounts under one heading as the diagram below shows.
Groups can be manipulated within the system as single entities but remember that all operations on the group will affect all accounts within the group. For example, an SSL tunnel resource can be linked to a single group and instantly every user within that group will be granted access to the attached resource.
175
Groups Interface The diagram below lists the default groups.
Action Icon The action icons perform a particular function on the associated group. Available actions for a group are:
Edit group
Delete group
Create New Group Step 1 If the user database allows for the inclusion of new databases then the ‘Create New Group’ action will
be visible from the event pane on the right of the page as shown below.
Step 2 The ‘Create Group’ page will open.
176
The only detail required is the name of the group. If the supplied name already exists in the system an error message will be raised in the event pane. Once a name has been defined simply add the accounts you wish to include in the group. Selecting ‘Create’ will generate the group in the system for use. Selecting ‘Cancel’ will stop this operation. If created the group should now be visible in the Group Page and can be used as any other group to assign accounts and policies to.
Editing a Group From the group page select the ‘Edit’ action against the required group and the ‘Edit Account’ page will be shown. From this page the current details stored about the group can be modified.
177
Delete Group Step 1 To remove an existing group, select the ‘Delete’ action associated with the group from the main group
page. Step 2 A warning message will appear similar to the one below.
To proceed with the removal of the group, simply select ‘Yes’.
178
Creating Policies
Polices are the main building blocks in SSL-Explorer’s access control architecture. They form the bond between a principal and a resource. This chapter covers policies, from their purpose and usage to their unique characteristics. The sections covered in this chapter are as follows:
• What is a Policy? • Policy Interface • Create Policy • Editing a Policy • Delete Policy
By the end of this chapter the user should have a sound grasp of policy management and should be able to implement a structured policy framework.
What is a Policy? On its own a policy is of little worth. However, by acting as a middle layer between two entities this makes it very powerful tool. On one side it is able to organize principals by a common goal(s) and on the other side it collates resources of a similar purpose. This approach helps provide order in a seemingly unstructured environment.
Principal Pool A policy does not have to have a resource attached to it instantly. Policies in fact can also be used to simply group together a number of principals. As shown in the ‘Example Policy Structure’ section, the ‘London Policy’ is simply a holder of principals.
Stateless A policy is linked to a resource and a principal. Both the resource and principal can be attached to any number of policies, there is no such thing as exclusivity. By this token any single resource or principal has no knowledge of any other resource or principal attached to the same policy.
179
Policy Interface The policy screen displays a summary of available policies in the system.
It is from this screen that we can create, edit or even delete resources.
Action Icons The action icon performs a particular function on the associated policy. Available actions for a policy are:
Delete policy
Edit policy details
Create Policy Step 1 Selecting the ‘Create New Policy’ action from the event pane on the right will start the ‘Create New
Policy’ wizard.
The system loads the ‘Create Policy Wizard’, and then the wizard guides the user through the steps required to create a policy successfully. The steps included in the wizard are highlighted in the left navigation pane as shown below.
180
Step 2 The wizard requires basic information pertaining to the policy to be created.
Required Information Mandatory fields are marked with a red dot ( ). Information must be entered for these fields.
The details required are listed below:
• Name: This required name will be displayed throughout the system. It will be seen and accessed by those with the right permissions so a sensible name should be used.
• Description: The description field helps to provide further information as to the purpose of the policy. It can be used to detail anything related to the policy and will be visible to others where necessary.
Step 3 As mentioned earlier, a policy binds principals to resources. The next step in the wizard allows the
super user to select those principals that will be associated to the new policy.
To add an account simply use the selection buttons; ‘Add’ to add an Account to the ‘Selected Accounts’ list box or ‘Remove’ to remove an Account. More details on this selection process can be found in the section titled, ‘System Navigation.’ If the system’s user database supports groups then these too can be added in the same way as accounts. For more information on groups please refer to the chapter titled, ‘Creating Groups’.
Note
181
Principals are Not Mandatory A policy by default is made up of resource(s) and principal(s) but neither is compulsory. Policies can be created without any principals defined and if the user so wishes these can be added later in the ‘Edit Policy’ page. Also, policies do not necessarily require resources either – if the need arises, policies may be used for the simple purpose of logically grouping principals together.
Step 4 Before creating the policy the wizard provides a short summary.
If any of the details require modification then selecting the ‘Previous’ button will allow any previous step to be revisited and altered. Once satisfied pressing the ‘Finish’ button will create the new policy. The new policy will now be accessible from the main ‘Policy’ page.
182
Editing a Policy By selecting the ‘Edit’ action icon besides the policy of concern (from the policy page) the ‘Edit Policy’ page will be shown. From this page the current details stored can be modified.
Step 1 The tabs at the top of the page group the particular type of information, selecting each tab will allow you to modify the appropriate content.
Step 2 To save any new changes click the ‘Save’ button at the bottom right of the page. If you wish to discard
changes simply select the ‘Cancel’ button.
Delete Policy Step 1 To remove an existing policy, select the ‘Delete’ action associated with the policy from the policy
page. Step 2 A warning message will appear similar to the one below.
To proceed with the removal of the policy, simply select ‘Yes’.
183
Creating Access Rights
The final piece in the policy chain is the resource. Once a policy has been created and principals attached then these principals will require something to access – in this case a resource. Resources are defined in the system as two types. This chapter explains both types, detailing what they are and how to create these resources. The sections included are as follows:
• What is a Resource? • What are Access Rights? • Access Rights Interface • Creating an Access Right • Editing Access Rights • Delete Access Rights
What is a Resource? Within SSL-Explorer a ‘resource’ is defined as an application, utility, data source, or any other privileged ability that when assigned will allow the user to conduct certain tasks. This could be something as simple as a user accessing their email client to read their mail. In this case, the resource would be the email.
What are Access Rights? Access rights are essential in creating a well organized system. As mention earlier the super user should only be used to install SSL-Explorer and perform configuration fo the system from then on the super user should create management users who are responsible for the daily uptake of the management and running of the system. An access right allows the super user to delegate an area of responsibilities to a policy. Nearly all areas of the system can be delegated to different policies thus allowing the super user to be disabled and not used other than for re-installation tasks or important configuration tasks. All areas that can be managed are divided into their respective areas:
• Resource permissions: items that can be managed in this area are all resources such as web forwards, profiles, network places and even areas within nEXT can all have their create, edit, delete actions delegated out to a policy.
• System permissions: items that can be managed in this area that can be delegated are all system resources such as policies, SSL-Certificates, authentication schemes, accounts, auditing.
• Personal permissions: items that can be managed here are all personal resources such as profiles, passwords, personal details, favorites, attributes.
184
Access Rights Interface The access rights interface summarizes the currently available permissions.
The main page, shown above, provides information on the resource permissions currently available.
Action Icons The action icon performs a particular function on the associated resource permission; available actions are:
Delete resource permission
Edit resource permission
185
Creating an Access Right Step 1 Select the type of access right from the action box.
The wizard guides the user through the steps required to create a resource entity in the system.
Step 2 The first step in the wizard is detailing basic information pertaining to the resource to be created.
Required Information Mandatory fields are marked with a red dot ( ). Information must be entered for these fields.
The details required are listed below:
• Name: This required name will be displayed throughout the system. It will be seen and accessed by those with the right permissions and therefore a sensible naming convention should be used.
• Description: The description field helps to provide further information to the purpose of the resource. It can be used to detail anything related to the resource and will be visible to others where necessary.
Step 3 Resource permission simply defines what resources a user can access. Within this step the page
allows the user to do just that.
Note
186
Clicking on the down arrow on the ‘Resource type’ reveals all the available personal resources that can be selected.
The first step is to select a resource from the list. Once a resource has been selected Add those access rights you wish to provide permission to.
Step 4 As the policy structure states, a resource must belong to a policy. Without a policy the resource cannot be accessed or used. This step in the wizard requires a policy for which the resource is associated with.
Available polices are displayed to the left hand side and selected policies, which will have the resource assigned to them, to the right. To add or remove policies simply highlight the policy in the appropriate box (to add select policies to the left, to remove, select policies to the right) and use the ‘Add’ and ‘Remove’ buttons. Further information on using these buttons can be found in the chapter titled, ‘System Navigation’.
Step 5 Before creating the resource the wizard provides a summary.
187
If you wish to alter any of the details select the ‘Previous’ button to revisit and alter any steps. Once satisfied pressing the ‘Finish’ button will create the new resource. The new resource will now be visible and accessible from the main ‘Resource Permissions’ page.
188
Editing Access Rights By selecting the ‘Edit’ action icon against a resource permission, the ‘Edit Resource Permission’ page will be shown. From this page the current details stored can be modified.
Step 1 The tabs at the top of the page group the particular type of information that can be edited; selecting each tab will allow you to modify the appropriate content.
Step 2 To save any new changes click the ‘Save’ button at the bottom right of the page. If you wish to discard changes simply select the ‘Cancel’ button.
Delete Access Rights Step 1 To remove existing resource permissions, select the ‘Delete’ action associated with the resource
permission from the main resource permission page. Step 2 A warning message will appear similar to the one below.
To proceed with the removal of the policy, simply select ‘Yes’.
189
Authentication Schemes
Authentication is the means of verifying a user’s identity; this can be in the form of a password or a code\key. To allow for greater security SSL-Explorer uses authentication schemes to provide a multiple staged authentication process. This chapter details authentication schemes, their purpose and how to implement a scheme. The topics covered are:
• What is an Authentication Scheme? • Authentication Scheme Interface • Creating an Authentication Scheme • Authentication Modules • Password Authentication • Personal Questions Authentication • PIN Authentication • OTP Authentication (using SMS or Email for delivery) • SSL Client Certificate Authentication • Public Key Authentication • IP Authentication • RADIUS Authentication • Remote Client Authentication
By the end of this chapter the reader should have a sound understanding of authentication schemes and how to implement a necessary scheme to meet their requirements.
What is an Authentication Scheme? An authentication scheme is simply a container for any number of authentication modules, such as OTP, Passwords, and Certificates. This approach means that multi-tiered authentication can easily be implemented and even linked to existing authentication systems. The authentication scheme is then used as the basis of the logon policy. SSL-Explorer allows for more than one of these schemes to be created and used. It is important to note that certain authentication modules can only be used by themselves that is they can not be combined with other authentication modules. The following section titled Authentication Modules describes any limitations pertinent to a module if any should occur. When a user starts the authentication process they first have to enter a User ID. Once the User ID is submitted to SSL-Explorer checks are made to determine the correct authentication method to be used. This approach allows for different authentication methods to be used for different groups of users. For example users attached to a Sales policy may only have to enter a User ID and password, whereas Sales Management may be attached to a policy that uses a password and PIN authentication scheme. The SSL-Explorer authentication schemes allow those wanting to build a single, double or even a triple factored process to do so simply.
190
The first page presented to the user is as follows.
Once the username has been entered and the Login button selected the next screen in the authentication process is displayed, see below. Each defined scheme is then made available to users at login as shown in the highlighted text below:
Clicking the here hyperlink in the highlighted sentence will load the schemes page as below:
Any defined scheme is selectable and when selected with the Ok button the user is returned back to the logon page with the selected authentication scheme activated.
191
Authentication Scheme Interface All authentication schemes defined are visible from the Authentication Scheme page. Each of the schemes is listed in its order of priority.
It is from here one can see the available actions associated with each scheme.
192
Action Icons
Delete policy
Edit policy details
Enable scheme
Disable scheme
Decrease priority of scheme
Increase priority of scheme
Creating an Authentication Scheme For this example we will create a three tiered authentication process. It will be a scheme using the Password module as a primary method, then PIN and finally Personal Questions.
Step 1 From the Authentication Scheme page select the only available action Create Scheme
Step 2 This starts the authentication scheme wizard. The First step in the wizard is defining the name for the scheme its description as well as its priority. The priority value can be from 1 to 9999 and indicates the order in which a scheme is to be handled. The lower the value the higher the priority.
Step 3 Next the modules required for the scheme must be chosen. From the left pane all installed
authentication modules are listed. Once an appropriate scheme is found press the Add button and the module will be added to the list on the right. This process should be completed until all the necessary modules have been added to the Selected Modules pane.
193
To reorder the modules chosen simply use the Up and Down buttons to adjust the order of a module.
Head Must be a Primary Module At the top of the Selected Modules window there must be a module which can be a primary module. The system will not allow a scheme to be defined which does not have a primary module at the top of the list.
Step 4 An authentication scheme needs to be attached to a policy. This restricts which users can actually access the scheme.
Step 5 The final step is the summary. The system presents the details provided. If you are happy with the details pressing Finish button will result in the creation of the scheme. The scheme will be visible from the main page. However the authentication scheme itself will not be available at logon. Instead the scheme needs to be enabled. Simply press the enable action besides the new scheme.
An enabled scheme will have the enable icon besides it:
194
Whereas a disabled scheme will have the disabled icon besides it:
Deleting an Authentication Scheme To remove an existing scheme, select the Delete action associated with the restriction from the main page. A warning message is raised, pressing 'Yes' will remove the scheme.
Authentication Modules As already mention there are differences in the level of control available for the configuration of a module. This section describes each of the modules within SSL-Explorer. There are significant differences between the authentication modules available between the Community and Enterprise editions of SSL-Explorer. These differences are shown in the following table.
Authentication Community/Enterprise Type
Password Community Primary/ Secondary
Client Certificate Enterprise Primary/ Secondary
IP Enterprise Primary
Public Key Enterprise Primary/ Secondary
PIN Number Enterprise Primary/ Secondary
Personal Questions Community Secondary
OTP (One Time Password) Enterprise Secondary
RADIUS Enterprise only Primary/ Secondary
The above table also shows what type an authentication module is. Type defines the order of the associated module. A primary module defines that the authentication module is capable of accepting a username and thus these types of modules should be placed first. Any module which has ‘primary/ secondary’ type can be placed as a primary module or a secondary module but any module which is strictly typed as, ‘secondary’ can not be placed first in a scheme. The authentication scheme system enforces this by disallowing a secondary scheme to be positioned at the top of the chain.
A brief summary of the available modules, as of release of this document, are listed in the following sections.
195
196
Password Authentication This is the most commonly used authentication scheme. It is the simplest and easiest to configure and is defined as part of the authentication modules that come part of both the Community and Enterprise editions of SSL-Explorer. In fact it is also part of the default set of authentication schemes configured with a brand new installation. Both Default and Password and Personal Details rely on the Password authentication module; the first as a single scheme the second as part of a two-factor scheme. The length, format and expiration of passwords are all configurable, however initially these parameters are defaulted and whenever the Super User creates an account a password must be attached.
Creating a Password A password is assigned the first time a user is created. As the screenshot below shows the password can be redefined the first time the user logs into the system by selecting the checkbox.
For further information on creating passwords refer to the chapter titled, Creating Accounts.
Modifying a Password Once a password has been assigned to the account it can be altered at any time by both the Super User from the Management Console and by the user through the User Console.
Management Console
Step 1 Choose the account you wish to edit from the Accounts page (Access Control → Accounts) by selecting the associated More… button.
197
Step 2 A new set of actions becomes available. Selecting Set Password allows the Super User to change the password for the account.
Step 3 From here a new password can be defined. In addition the checkbox at the bottom can be selected to
force the user to change their own password when they next log in.
198
User Console
This method is used by the user allowing them to securely modify their own password without any intervention by the Super User.
Step 1 From the My Accounts section select Change Password.
Step 2 The user is now able to change their password from the Change Password page.
The user is expected to key in the original password as well before the change can occur. By default the system will lock any user that fails authentication after three attempts and again disables any user who has been locked out three times consecutively. These parameters are configurable and are detailed in the section below.
Configuring Passwords The configuration options can be accessed from System Configuration → Password Options. There are a considerable number of parameters that should be understood as the Password authentication module is commonly used as the default authentication scheme and tends to be found in most other multi-factored schemes. The configuration parameters are detailed below:
199
The available options are detailed below.
• Max Logon Attempts Before Lock: A value of zero disables this option; the default value is 3 logon attempts, if after 3 attempts the account is temporarily locked.
• Max Locks Attempts before Lock: A value of zero disables this option; the default is 3 temporary locks, after which the account is permanently locked.
• Lock Duration: The length of time an account is locked; default value is 300 seconds. • Password Pattern: The definition of a password, how passwords for this instance must be
constructed. Details on Password patterns can be found below. • Password Pattern Description: This description is shown to the user when defining a
personal password. • Days before Expiry Warning: The default value is 21, after which the warning will be
displayed to the user informing them to change their password. • Days before Expiry: The default is 28 days approximately one month after which the user
will be forced to change password.
Password Pattern
The structure of an account password is based on regular expressions and is defaulted to, .{5,}, which defines a password with a minimum size of 5 characters. This expression is detailed in the diagram below:
The security function password structure is built around the Java ‘regular expression’ syntax. Any valid expression will be accepted to parse passwords an example is given below:
Expression Meaning
X(n) X exactly n number of times
X(n,m) X between n and m
.[^\s]{n,m} Any character except white spaces with a length between n-m
200
\w[n,m] Word character [a-z,A-Z,_,0-9] between n-m
201
Personal Questions Authentication This is another commonly-used authentication module. Its simplicity and ease of use make this a favorite choice amongst multi-factored schemes. In fact much like Password authentication, Personal questions is also part of the default set of authentication schemes. Since this is a secondary-only module it is the second stage module in the Password and Personal Details scheme. Personal authentication relies on pre-defined personal information about the user. A set number of questions are managed by the system and when utilized the system takes a question and presents this to the user. A comparison is made between the current answer and the preset answer; if a match is made the user is authenticated. This authentication method is a secondary option only and must work in conjunction with a more secure module. The system uses inbuilt user attributes to define and store a set of five questions as can be seen below.
These cannot be amended nor can a user add additional question to these.
Configuring Answers Both the Super User and user are able to configure answers for these questions through the Management Console and User Console respectively, but it mainly falls within the responsibility of the user to provide secure and personal answers to each question, something that they will remember and secure enough so that no other user can guess. The steps involved in configuring these are minimal but have been detailed below nonetheless.
Management Console
The Super User can access the user’s personal details and alter these details if so required.
Step 1 From the ‘Accounts’ page (Access Control → Accounts) select the Edit action against the account to edit.
Step 2 From the Edit Account page select the Security Questions tab.
202
Step 3 This displays the available personal questions and where necessary populated with answers. These can
be altered. When satisfied with the changes pressing the Save button will store the new answers.
User Console
It should be the users responsibility to manage and update their personal details.
Step 1 Open the ‘Edit Personal Details’ page from My Account → Personal Details Step 2 Select the Security Questions tab
Once all the answers have been supplied pressing the Save button will store these for use during authentication.
203
PIN Authentication PIN authentication is something all users with a bank account will already be familiar with. Again this is a standard authentication module and much like a password a user is expected to authenticate themselves with their private number. The PIN itself can be as long or as short as the Super User defines and alerts to change this value periodically can also be configured. When combined with an Active Directory user database, PIN authentication can prevent the locking of user accounts by dictionary attacks1.
Modifying a PIN Configuration of the PIN value itself can be performed by both Super User and User. Like any authentication module the actions to configure the PIN value is only available once an authentication scheme has been configured which has the PIN authentication module. Below describes how to configure the PIN as both Super User, through the Management Console, and User, through the User Console.
Management Console
The Super User can alter the PIN value; this is best used at the start to initialize the PIN for a user.
Step 1 From the Accounts page (Access Control → Accounts) select the More… button beside the account to edit and select Change PIN.
1 Dictionary Attack – http://en.wikipedia.org/wiki/Dictionary_attack
204
Step 2 This will bring up the Set PIN page from where the PIN value can be configured.
Once a new PIN has been entered pressing the Save button will store the value.
User Console
The user should manage their PIN value and keep the PIN secure.
Step 1 From the User Console select Change PIN under the My Account section.
Step 2 The Change PIN page should be visible. From here the PIN value can be changed.
As can be seen above the user is expected to enter their original PIN value in first. Once the PIN has been altered pressing the Save button will store the PIN for use when authenticating.
Configuring PIN The configuration options can be accessed from System Configuration → Security Options → PIN. As can be seen below there are a small number of parameters but these should be used sensibly. For example defining a PIN size too great could leave users forgetting and failing authentication. Similarly with expiration time, a value that is too short could cause users to become to predictable with their new PIN numbers, i.e. incrementing the value by one upon each successive change.
205
The available options are detailed below.
• PIN Size: The default size of the PIN is 4 digits, this can be altered by this parameter, any user authenticating must supply the exact number of digits defined.
• Allows user to set PIN: Checking this switch enables a user to define their initial PIN instead of having the super user define a PIN for the user.
• Warn Number of Days: This defines at what point a warning message should be shown to a user that their PIN is about to expire. This is defaulted to 21 days, after a PIN has remained unchanged for this length of time the system will warn the user their PIN will expire.
• Expire in number of Days: This parameter defines the actual number of unchanged days a PIN will expire. After the defaulted 28 days the PIN will no longer be acceptable as authentic.
206
OTP Authentication OTP (One Time Password) authentication can be seen as an extension to Password authentication. With Password authentication the configured password is used numerous times until a defined expiration date is hit and the password needs to be changed. The expiration tends to be around a month or so but with OTP authentication, the password can only be used once and once only - not only that, the expiration of the password is measured in minutes and not days so even the OTP’s existence is short lived.
OTP significantly strengthens the security of a system but it is recommended that OTP is added to a multi-factored authentication scheme. The main reason for this is that an OTP is delivered to an external device either a mobile phone or an email account – both items managed by users and out of the control of SSL-Explorer thus can be viewed by unauthorized persons. Currently any SMS or email-enabled device can receive OTPs, meaning that your passwords may be sent by email to your inbox or by text messaging to your cell phone. Using OTP consists of a number of steps highlighted below:
• Defining Recipient Details • Configuring Service Provider • Configuring Delivery Method
In addition above all these an authentication scheme should be enabled with OTP authentication installed. Without this OTP options will not be accessible. Once these have been configured the OTP authentication scheme can be enabled. Using OTP authentication is quite simple; the steps below show you how:
Step 1 At logon select the OTP scheme.
The primary authentication module should be used as per usual and then after you will be asked for the OTP Which will have been sent to either via email or SMS depending on what has been configured.
207
Step 2 The system will have already sent you an OTP either to your cell phone or email much like the
example below.
This should be keyed in. If successfully entered the user is authenticated and given access to the system. If another authentication module is added after OTP authentication then that authentication scheme is loaded and authentication required. It is as simple as that. The sections provide details on configuration bullet points highlighted earlier. These are required to get the OTP authentication module running correctly.
Defining Recipient Details The OTP process needs to have the recipient’s details in order to send the one time password and have it reach its destination. In this step we define the contact information in the form of both cell phone and SMTP email address. Either of these can be configured however it is highly recommended that both are configured. Again like the above modules recipient information can be defined by both the Super User, through the Management Console, and user through the User Console. However the user is unable to modify their email address. This is strictly secure information that only the Super User can alter.
Management Console
The Super User is able to alter the user’s details however the user should be responsible for the management of their details.
Step 1 Configuration of any personal information by the Super User is done through the Accounts page (Access Control → Accounts). Select the edit action against the user that needs to be edited.
208
Step 2 If the cell phone details needs editing select the Contact Info tab that is visible from the Edit account
page.
The new cell phone number can be entered. When complete selecting the Save button will store the cell phone number. It is this number that will be used by the OTP authentication process when sending via SMS.
Step 3 If it is the email details that need to be entered then use the Details tab.
The email can be altered and when complete pressing the Save button with store the address. It is this address that is used by the OTP authentication process when sending via email.
Unchangeable Email for External User Databases Any system which relies on an external user database will be unable to alter the email details as these are read in from the external database. Modification to these will have to be done from the external database client.
User Console
The user should manage their contactable details. The steps below show how both cell phone number can be configured.
Step 1 Select Personal Details from the Navigation Pane on the left (My Account → Personal Details). This will load the Edit Personal Details page.
Step 2 From the Edit Personal Details page select the Contact Info tab. From the cell phone number can be
altered.
209
Once satisfied the new number can be saved by pressing the Save button. This number will be used by the OTP process.
Configure Service Provider Without a Service Provider defined the OTP authentication module is not accessible from the Authentication Scheme wizard despite having been installed. The reason for this is that without a configured service provider one time passwords have no transportation mechanism to deliver their unique passwords. Either transportation medium can be defined SMS or email or both. Configuration for both these mediums can be accessed from the Messaging Configuration Page (System Configuration → Messaging).
SMTP Transportation
Email relies on an SMTP mail server so the corporate email service should be sufficient. The parameters required merely provide SSL-Explorer with details of the email server.
• Enable on Startup: When SSL-Explorer instance is started the email messaging service is available to use. Un-checking this option will disable message distribution via email once the instance is restarted.
• SMTP Server: Messaging is performed in two ways; through active users running the VPN client and via messages being broadcast as emails received by users email clients. To use the email option the details of the SMTP mail server need to be specified.
• Port: In addition to the above server being defined so must the listening port on the server. By default mail servers listen on port 25.
• Login (HELO): HELO represents the SMTP HELO command. Some mail servers, usually older servers, do not accept mail requests before a SMTP HELO command is sent. Clients use HELO as the first request in every session. The HELO parameter requires the principal host domain name for the sender, for example domainname.co.uk.
• Sender Address: This parameter specifies the host sending the message and will appears as the senders address when the mail is received by the user’s mail client
210
SMS Transportation
SMS configuration is a little more complicated than email. For starters, before any configuration details can be defined for the SMS message itself the provider details are required. Unlike email the SSL-Explorer relies on an external SMS service provider called Clickatell. Clickatell provides the required infrastructure to be able to transport SMS messages generated by SSL-Explorer’s OTP module to cell phones not only not only locally but to cell phones around the world.
Step 1 To use SMS a Clickatell credit account needs to registered. To open an account with Clickatell clicking on the warning message in the warning box to the right as shown below. This will open the Clickatell take the user to the Clickatell site for registration.
Step 2 Once an account has been opened Clickatell will provide the required information necessary to
configure SSL-Explorer. Select the Clickatell tab in the Messaging Configuration page (System Configuration → Messaging).
The provided information can be used to fill in the above form. Once all the information has been entered selecting the Save button will store the Clickatell account information. These parameters will be used by the OTP module when sending SMS messages.
Step 3 The final step with SMS is the configuration of the SMS message itself. From the Messaging Configuration page (System Configuration → Messaging) select the SMS tab.
The parameters should be configured as appropriate. Once satisfied the Save button should be pressed to save the information. The bullet points below detail these parameters.
211
• Number Visibility: This determines whether users can view and modify their cell phone
numbers. • Originator: The sender of the SMS message. This is set as default to “SSL-Explorer”.
Whenever a password is sent the SMS message will be shown as coming from this sender. • Enable on Startup: This setting selects whether the SMS messaging service is started upon
server start up. Un-checking this option will disable message distribution via SMS once the instance is restarted.
Configure Delivery Method
The final stage in setting up a successful OTP authentication process is the configuration of the delivery method. As mentioned earlier OTP authentication can use either SMS or email to delivery its messages. Depending on which service provider has been defined, as shown in the above section Configure Service Provider, determines which delivery method should be chosen.
As can be seen above the available delivery options from the OTP configuration page (System Configuration → Security Options → OTP) are either SMS or EMAIL. If SMS has been configured as the transportation method then SMS should be chosen. If email has been configured as the transportation method then EMAIL should be selected. If however both transportation methods were configured then either can be chosen.
No OTP with Mismatched Delivery Method If the delivery method differs from the configured service provider (SMTP or Clickatell) OTP authentication will not be accessible from the authentication scheme wizard. The delivery method and the configured service provider must match. If there are no configurable details for what has been defined as the delivery method the system will disallow usage of the OTP module.
All the components have now been configured. OTP authentication is ready to be used.
Configuring OTP The OTP authentication configuration parameters provide a way of modifying how the actual message is produced. The parameters here work in conjunction with the parameters available from the Message Configuration pages (System Configuration → Messaging). The parameters are accessible from System Configuration → Security Options → OTP.
212
A brief description of each of the parameters follows:
• Mode: The OTP password can be defined to be sent to the recipient at logon time or prior to logon.
• Method of Delivery: Whether to use SMS or SMTP • Message Subject: The Subject entry for an email • Message Text: The SMS text displayed alongside the password, the replacement string
‘%PASS%’ is replaced by the generated password. • Expired Subject: The subject entry when sending expiry email notifications • Expired Message: The main body of expiration notification message • Password Length: The length of the generated password • Max Logon Attempts: Number of logon attempts • Password Expires (Hours): Expiration of the one time password in hours. This is used when
the Mode parameter is set to send password before login and expire. The default is 24 hours after which the sent password will no longer be valid to use.
• Logon Grace(Secs): Expiration of the one time password in seconds. This is used when the Mode parameter is set to send at logon. The default is 300 seconds after which the sent password will no longer be valid to use.
• Scheduler Period: How often the scheduler should run to evaluate passwords • Expiry Date Format: The format of the expiry date sent as part of a OTP message. The
formats used are those defined by the Java SimpleDateFormat class.
213
Client Certificates
SSL Client Certificate authentication can be seen as the next progression in the authentication modules. It is more secure than the previous but requires more configuration. To some degree, client certificate authentication is an automatic authentication process requiring minimal interaction from the user. All the user is required to do is provide the password for the certificate the first time that it is installed and that is it. Everything else is performed by the browser and server.
Strong Cryptography and the Law This feature requires advanced cryptography software1 from Sun Microsystems that is not installed with the standard Java JRE/JDK. This software may be subject to restrictions depending on the laws regarding the import/ export of cryptographic software in your country and we unfortunately cannot distribute this with the standard SSL-Explorer distribution. Please see our SSL Client Certificates Flash demonstration which will help guide you through the relatively simple installation process. A certificate is generated and validated before being imported into the client’s browser. When this browser connects to SSL-Explorer the two begin instantly exchanging secure information to try and identify one another. The browser uses this certificate as a means of authenticating itself to the server. The server, aware of the provided certificate, is able to verify the client and automatically grant authentication. Since a unique certificate can be assigned to each User, Client Certificates can provide a very secure means of access. Unlike the previous authentication methods client certificates requires a bit more configuring but once configured it no longer has to be configured again. The general process is highlighted below.
• Enable Authentication • Creating a CA • Creating Client Certificates • Importing Certificate into Browser
Before all these however an authentication module should be available which has client certificates included. Once these are all done using certificates is a simple process.
Step 1 All a Super User needs to do is enable the authentication scheme. As a user selecting this scheme will force the browser to begin using the certificate to authenticate itself.
Adding a Primary Authentication Layer The certificate is tied into the browser which means that anyone using this machine can log into the system as long as they know the certificate password. A primary authentication module should be used
1 Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 http://java.sun.com/javase/downloads/index.jsp
214
in conjunction with client certificate authentication such as password authentication to tighten access.
Step 2 Once the authentication process begins the Choose a digital certificate dialog will appear. Select the
appropriate certificate you wish to use then OK or Cancel if you do wish to use any.
Step 3 The only item of information required is the password used to encrypt the certificate. Once supplied the system is able to safely authenticate the connecting client.
Step 4 If successfully a message is shown like below. Selecting like the one below is displayed.
This merely informs the user that they have successfully logged into the system. Selecting Login will either go to the user’s main page or load the next authentication module. The next sections detail the configuration steps highlighted above.
215
Enable Authentication Regardless of whether certificate authentication has been configured already and all clients are all fully equipped with their certificates, if the system has not enabled client certificates then client certificate authentication will not work. In fact even if a scheme had been configured with client certificate authentication the system would not allow the execution of the scheme. A message like below would be shown if client certificates was selected.
Enabling client certificates is a very simple process.
Step 1 From the Security Options (System Configuration → Security Options) menu select the Client Certificates tab.
Step 2 Set the ‘Mode of Operation’ to ‘Accept Certificates’
This is the switch that turns on client certificates
Step 3 Finally select the ‘Certificate Type’ you wish to use
• Internal: Internally generated certificates • Active Directory: AD generated certificates • Trusted: Imported certificates • Any: All of the above
Once selected press the Ok button and the details will be saved. Client certificate authentication is now enabled and the System is aware of which certificates will be used for authentication.
216
Creating a CA A Certificate Authority is required to be able to issue certificates to the clients. This process defines SSL-Explorer as the authority to be able to issue and validate the client certificates that will be used to log into the server. An external authority can also be used; the only thing required by SSL-Explorer is the importing of the private key part of the certificates issued by this authority for each client so that SSL-Explorer is able to identify each client certificate being used to login with. Further details on this can be found in the section titled, Import a Trusted Certificate.
Step 3 The SSL-Certificate page provides all the required options for this process. From the available Action menu to the top right select the Create CA action.
For a server which already has a CA this step will be replaced by the Reset CA action. In this situation the CA does not have to be reinitialized each time. This entire process should only need to be done once only.
Step 4 This action loads the Create CA wizard. This wizard guides the user through the steps required to
configure a CA for the system. Each certificate created for a user will be issued by this authority.
The information must all be completed. The information is then used to create a valid authority. The stamp of authenticity is all based around the content that is provided here, it is recommended that correct information be supplied. The required information and their meaning are detailed below.
• Common Name: The name the certificate should be referred to. • Location: Where the authority is based • Organizational Unit: The department of the authority • Company: The name of the company or entity to which the certificate should be registered.
217
Step 5 To encrypt this information and the subsequent generated private keys the certificate requires an encrypting password.
Step 6 The strength of the private keys is next required. The stronger the size the more complex the keys.
Step 7 Finally a summary I shown of the certificate that is about to be created. Pressing the Finish button will
create the certificate else the he Previous button will go back to each step and allow amendments to take place. That’s it. To see the newly generated authority that will be used to issue all client certificates from now on select the SSL-Explorer CA keystore from the top pull-down menu.
The authority will be displayed.
The next step now is to create certificates for the users wanting to access the system.
218
Creating Client Certificates Each client needs a certificate to log into the system. In particular, each client needs the certificates generated by the newly created authority. It is these certificates that will be eventually imported into the browser. SSL-Explorer provides three ways in which certificates can be created.
• Inclusive • Exclusive • External
The first two methods use the recently created certificate authority while the last one allows the Super User or administrator of the system the opportunity to use certificates generated by an outside authority. Each of these is detailed below.
Inclusive
This technique is the simplest method of generating certificates for the SSL-Explorer user population. In fact this process generates certificates for the entire user population in one complete process. Be warned though, certificate creation is extremely computationally expensive and this process can take a long time, especially if you have many users and require a long key length. Unlike the exclusive process detailed next this does not distinguish single users and instead creates a certificate for everyone. This doesn’t sound too convenient, but bear in mind users who don’t need a certificate will have one generated for them anyway. For example in Active Directory (Active Directory with certificates is detailed in the section titled Using Active Directory Certificates) if the entire directory has been imported into SSL-Explorer all users even objects such as machines will have certificates generated.
Step 1 From the Accounts page (Access Control → Accounts) the Action list provides the Generate Certificate action. This is a very quick way of creating certificates for all the accounts in the userbase.
Step 2 With all certificates a password is required to encrypt its content. Client certificates are no different. As the image below shows SSL-Explorer allows a user defined password to be keyed in or a system generated one can be used.
219
When satisfied with the password pressing the Create button will generate the certificates. Each user will have their own certificate. All the certificates are compressed into a zip file.
Step 3 This zip file should be saved.
Once stored the Super User must provide each certificate to their respective user. From here all that is needed is for the user to import these into their browser. This section is detailed shortly. If you are happy with this technique and prefer using this to the other two then the remaining two methods can be skipped and you can go directly to the section titled, Importing Certificate into Browser.
Exclusive
This method also relies on the previously generated authority to issue the required certificate only unlike the previous inclusive method this method produces certificates for single user’s only. An individual user can be picked out and have a certificate generated for them. This instantly avoids the unnecessary certificates generated by the inclusive method but has the problem of being effective for only a single user. Meaning for more users the process will need to be repeated. This is also a simple process to execute and is described below:
Step 1 From the Accounts page (Access Control → Accounts) select the More… button against the account you wish to create a certificate for.
This opens the actions list, choose the Generate Certificate action.
220
Step 2 Much like the previous method the system generates the certificate and compresses this into a zip file.
This certificate should be sent to the appropriate user. From here all that is needed is for the user to import this into their browser. This section is detailed shortly. If you are happy with this technique and prefer using this to the other two then the remaining method can be skipped and you can go directly to the section titled, Importing Certificate into Browser.
221
Import a Trusted Certificate
This final method does not rely at all on SSL-Explorer or the authority to create client certificates. Instead the certificate is expected to have been created externally. Here simply the public key part of a certificate is imported into the system so that SSL-Explorer is able to authenticate any client connecting with a certificate (the private key part) issued by the external authority.
Step 1 The actions for this process are located in the SSL-Certificate page. From here the visible action list has an option called ‘Import Certificate or Key’. This should be selected.
Step 2 This opens the ‘Certificate and Key Import’ wizard. Here the certificate needs to be imported into the
system. Select the ‘A Certificate you trust for client certificate authentication’ option.
Step 3 The system now needs to locate the certificate file. SSL-Explorer can import X.509 v1, v2, and v3
certificates and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to be imported must be provided either in binary encoding format, or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard. Use the Browse button to locate the certificate file.
Once located pressing the Next button will import the file into the system.
222
That’s it. The newly imported certificate will be visible from the main SSL Certificate page using the ‘Keystore’ setting of ‘Client Certificate Authentication’ as shown below.
If you have a revocation list then it would be wise to specify the URLs for example http://dc/CertEnroll/company plc.crl now in the CRLs list box available from System Configuration → Security Options → Client Certificates.
Like the other two methods, all that remains now is the imported of the other half of the certificate into the browser. This is explained in the next section.
223
Importing Certificate into Browser The client certificate process is made up of two halves. One half is the server component and its configuration which is what has been done so far. The other half is the client, or rather the browser end of the process. The server is equipped with certificates and an authority, the authentication process now requires that the client have its certificates ready too. During the authentication process it is this client certificate that will be sent to the server. The server will use the public key part of the certificate it has for the user to determine the authenticity of the client certificate. Each browser has different ways of importing a certificate but generally they all follow a similar process. Below shows hoe to import a certificate, using Internet Explorer.
Step 1 From the browser open the certificate management process. In Internet Explorer, the Certificate Manager can be accessed from Tools → Internet Options.
Step 2 Once in the process the next step is to trigger the importing procedure. The certificate will need to be
located and its associated password supplied. Step 3 If the correct file and password have been supplied it is simply a matter of informing the browser to
accept and import this file. A summary is then shown detailing the file about to be imported and where it will be located. Pressing the Finish will complete the process.
224
Step 4 The newly imported certificate should be visible from the browsers main certificate view. This is the Certificate Manager window.
Now that the certificate has been imported all that remains is connecting to SSL-Explorer with client certificate authentication. The system should instantly exchange and authenticate the certificates between browser and server. Once authenticated a message should appear like the one below informing the user that the certificate has been accepted and they have been successfully authenticated through client certificate.
225
226
Using Active Directory Certificates So far we have looked at how certificate authentication can be achieved when certificates are generated by SSL-Explorer itself. In one scenario, we also explained how a certificate generated by an external authority can be uploaded into SSL-Explorer to be able to validate externally generated client certificates. In this section we will now show how to use certificate authentication with an Active Directory environment from both the server and client side. In much the same way as before Active Directory has a server and client component. SSL-Explorer is given an externally generated CA certificate to authenticate clients with and clients are given certificates to authenticate themselves with. The certificates however are not generated by SSL-Explorer but rather by the Active Directory service known as CertServ. In much the same way as Import a Trusted Certificate, SSL-Explorer plays no part in the generation of any certificates; it is merely given the required authenticating certificate and told to use this to authenticate incoming client connections. In order to use SSL-Explorer with Active Directory certificates a number of pre-requisites must be fulfilled:
• SSL-Explorer must be configured with an Active Directory user database • A CA certificate to authenticate client certificates must be available • Microsoft’s Certificate Service should be running and be accessible
Only when these items are satisfied should you continue.
Server-side Configuration
Step 1 The first task is the importing of the CA certificate which will be used by SSL-Explorer to authenticate the client certificates with. From the SSL-Certificate (Configuration → SSL Certificates) page select the ‘Import Certificate or Key’ action from the Actions list
Step 2 This starts the Import Wizard. From here the ‘A CA Certificate for verifying Active Directory User
Certificates’ option should be selected.
227
Step 3 The wizard asks for the certificate file. As per the pre-requisite you should already have a CA
certificate file prepared. This should be located using the Browse button.
Step 4 Once found the system presents a summary of the certificate file about to be imported. If correct
pressing Finish will import the file into the System. Step 4 If you have a revocation list then it would be wise to specify the URLs for example
http://dc/CertEnroll/company plc.crl now in the CRLs list box available from System Configuration → Security Options → Client Certificates.
That completes the server side of the process. Now all that remains is the client side.
228
Client-side Configuration
Now that the server end is complete all that remains is the creation of AD client certificates. Windows 2000 Certification Service installation adds a virtual directory called CertSrv pointing to %systemroot%\System32\CertSrv. It is this service client’s need to access to request certificates over an intranet. When requiring a client certificate each user needs to generate their certificate from CertServ by going to the URL http://<Certificate Authority server>/CertSrv.
Step 1 From CertServ select the Request a certificate task.
Step 2 The next step asks for the certificate type, the User Certificate type should be chosen
Step 3 Lastly, the strength of the key encryption needs defining. As mentioned previously the stronger
strength the more secure the keys.
`
Step 4 Unlike the internal Client Certificate option CertSrv can automatically install the newly created client certificate. Selecting Install this certificate imports the certificate into the user’s browser.
229
This generated certificate is instantly imported into the browser and can be viewed through the standard certificate manager option within your browser. As long as the certificate type has been configured to use Active Directory (Enable Authentication) everything is ready to use. When client certificate authentication is triggered at logon the system and browser will authenticate the client using the Active Directory certificates and Active Directory CA authority configured in this section.
Configuring Client Certificates The client certificate configuration parameters are minimal; they can be accessed from System Configuration → Security Options → Client Certificates. These have already been defined in the opening chapter but are here again for consistency. The parameters merely turns client certificate authentication on or off. This overrides the authentication scheme, so even if there was a scheme defined with client certificates it would not be useable until client certificates has been enabled. The parameters are detailed below.
• Mode of Operation: There are two modes of operation, Disabled, which turns off the use of certificates and Accept Certificates which allows the use of certificates.
• Certificate Type: The type of certificate the system can accept can be either: Internally generated certificates against a built-in database, Active Directory certificates, externally Trusted certificates imported into the system and finally Any which configures the system to accept any form of certificate.
• Validity Period: The duration the certificate is valid for. • Bit Length: The length of the private key • CRLs: Any URLs which maintain a list of revoked certificates.
230
Public Key Authentication Public key authentication is one of the most secure of authentication methods; not so much because of its secure authenticating process, but rather the authenticating identity used in the process can be stored on a removable USB key device. Having a hardware medium which maintains the identity file adds a dimension of security standard authentication processes do not have. No longer do passwords have to be juggled in someone’s head or written down on a piece of paper but can be carried around and taken away with the user. When the user accesses the system to login with public key authentication a random ticket is generated by the system. It is this ticket or token that is used to authenticate the user. The client side private key is used to sign the ticket. This ticket is then sent to the server. On receipt the server uses the corresponding public key to validate the signature against the token. If the signature is valid the user is then successfully authenticated. This process can only take place if the user has their identity available and if that identity is stored onto a removable USB key then only the person with that USB key can actually log in to the system. Unwarranted attempts are futile as the identity file is unique to each user. Configuring public key authentication is a simple two step process. All that is needed is an authentication scheme with public key authentication and then providing each user with their identity file, this step is detailed in the next section Identity Creation. From here all a user needs to do is log into the system.
Step 1 The identity authentication scheme should be selected at logon. Step 2 The public key authentication method automatically begins to search for identity files across all the
external drives including C:\<HOME> where HOME represents the users home drive. Any files found are collated together. Using the Use a known identity option the user can then proceed to select the appropriate identity he or she wishes to use. The corresponding passphrase must also be supplied.
If however the identity file is stored anywhere else the system will be unable to locate this file. The user will have to use the Use an identity file option and manually locate the file.
231
If successfully the user will be logged into the system, simple as that.
Identity Creation An identity is the entity which uniquely defines the user it is associated with. The identity is used to sign the ticket the system produces at log on. To secure the identity even further it is highly recommended that once an identity is generated it is stored on the user’s USB key. An identity can be created both by the Super User, from the Management Console, and the user from the User Console. In this section we detail both processes.
Management Console
The Super User can initialize the identity for a user and can continue to reset the identity. Depending on the company’s strategy the Super User can be responsible for all identity renewals.
Step 1 From the Accounts page (Access Control → Accounts) press the More… button against the user. The action list is shown, select the Set Identity action.
Step 2 The system asks for a Passphrase to encrypt the identity. When a passphrase has been supplied pressing the Generate button will create an identity encrypted by the passphrase
232
Step 3 The system provides the identity in a zip file. This should be stored on to a secure location and the identity files extracted and given to the appropriate user. It is highly recommended that the user store the identity file onto a USB key for greater security. It is this created identity that will be used to authenticate the user during public key authentication.
User Console
The user can also configure there own identity. In fact the Super User, by using ‘Reset Identity’ can force users to create their own identities.
Step 1 The navigation panel to the left shows the selection of actions that can be performed by the user. Select the Update Identity action.
Step 2 This takes us to the Update Identity window. From here the user’s identity can be updated. As a
security measure the user must also provide their account password.
The system requires the new passphrase associated with this new identity. Once satisfied pressing the Generate button will create the new identity file.
Step 3 As before the identity is stored within a zip file. This should be stored, the identity file extracted and stored on a USB key. That’s all there is to it. When the user logs into the system, it is this identity the authentication module will ask for.
233
Reset Identity Here the Super User can force each user to define there own identity when they first logon with public key authentication. Selecting this when a new account is created is a great way to encourage users to configure and manage their identities and other security passwords.
Must be Two-Factored Scheme For reset to work correctly public key authentication must be in a scheme with at least two authentication modules in and public key must not be positioned as the primary module.
This action is exclusive to the Super User.
Step 1 From the Accounts page (Access Control → Accounts) press the More… button against the user you wish to reset an identity for. From the action list select the select the Reset Identity action.
Step 2 The system displays a warning message clarifying the action about to be performed. Pressing Yes will continue with the reset. That’s all there is to resetting the identity.
Step 3 Now when the next logs into the system they will be presented with the first authentication method and if successful the second authentication method, public key, will not ask for an identity but rather force the user to generate a new one much like before.
234
Much like before the identity will need to be safely stored on a secure medium as a USB key. The user will be logged into the system and will now posses a new identity which will need to be presented the next time they log in.
235
Configuring Public Key The Public Key configuration page can be accessed from System Configuration → Security Options → Key Authentication. There is only one configurable parameter and is detailed below.
• Allow User to Create Initial Identity: The Super User has the option of creating an identity for SSL-Explorer’s user base from the Edit Accounts page; this option however alleviates this need by forcing the users themselves to create their own identity files at login time. If the user chooses key authentication the system will force the creation of an identity.
• Enforce Password Security Policy: Enforce that passphrase conforms to the password policy under System Configuration → Security Options → Password Options.
Import Identity This function allows for an already existing key to be imported into SSL-Explorer as a user public key. This action can be performed by any users who have account editing privileges.
When SSL-Explorer looks on a device, such as a USB key, it tries to find the public key. This key should be in the root directory of the device in a sub-folder called “.sslexplorer-ids”. So in order for the external device to operate as required the public key file must always be in this folder for example, E:\.sslexplorer-ids\myPublicKey.pub.
Step 1 From the Accounts page (Access Control → Accounts) press the More… button against the user you wish to reset an identity for. From the action list select the select the Import Identity action.
This then displays the following page.
236
Step 1 Simply locate the *.pub file that you wish to import using the file system Browse button. Step 2 Once the file is chosen simply use the Upload button to import the identity.
That’s all there is to it.
237
IP Authentication IP authentication is the only authentication that requires no input from the user at logon. Since it relies on the physical address of a client machine as oppose to the user, IP authentication is able to determine the validity of a user even before the logon page is displayed. IP authentication ties the user to a specific IP address. During logon if an endpoint has been configured as denied an error message will be shown in the events pane. The only way to log into the system using the same account is from the attributed IP address.
Creating a Restriction Once an authentication scheme has been defined with IP authentication all that you need to do is assign a valid IP address to each user.
Step 1 From the accounts page edit a user you wish to assign an IP address to.
Step 2 From the Attribute tab enter a valid IP address. It is this IP address that will be looked at when the user logs in, if the user and IP do not match the user can not log into the system.
To allow a user to login using any machine then use the default value of, *.*.*.*
238
RADIUS Authentication SSL-Explorer Enterprise makes available the RADIUS authentication module allowing SSL-Explorer to integrate with a corporate RADIUS authentication server. The RADIUS authentication method (Remote Authentication Dial In User Service) is known as an AAA (authentication, authorization and accounting) protocol. It allows for a RADIUS server to be queried by SSL-Explorer in order to validate a user’s logon request. As the RADIUS server is outside of the control of SSL-Explorer, certain actions will not be available such as ‘create’ or ‘edit’. This also has an effect on how this module is used in an authentication scheme. As a username and password are supplied it can be used as either a primary or secondary form of authentication. It can also be combined with other modules, but of course care should be taken to ensure that the selected modules within an authentication scheme are compatible. The pre-requisite for this authentication method is:
• Operating RADIUS server The server must be available and be populated with all users that will be used for authentication, after all SSL-Explorer is merely interfacing with the results of the server and plays no part in the management of the server content. Once the scheme is activated all that is required before login should be used is the configuration of SSL-Explorer to locate the server, configuration information can be found in the section titled Configuring RADIUS. Once everything has been configured properly the user will be able to select RADIUS as the authentication scheme to use.
When the user’s authentication details are supplied SSL-Explorer forwards these onto the RADIUS server. The authentication result returned determines whether the user is authenticated into the System or not.
239
Configuring RADIUS The configuration parameters are vital to the success of the scheme. If any of these parameters are incorrect SSL-Explorer will be unable to communicate with the RADIUS server. So it is imperative that these are understood and used correctly. The parameters are accessible from System Configuration → Security Options → RADIUS as shown below.
The parameters are detailed below.
• RADIUS Server: This refers to the hostname or IP address of the RADIUS server. • Authentication Port: The port on the RADIUS server to use to service authentication
queries. • Accounting Port: A port address on the RADIUS server pertaining to all accounting traffic. • Shared Secret: If the RADIUS server requires, enter the RADIUS server's shared
password/key here. • Authentication Method: The authentication method to use to communicate with the
RADIUS server itself. • Time Out: The number of seconds to wait for a response from the RADIUS server before
failing. • Authentication Retries: The number of authentication attempts allowed before the account
is locked out. • RADIUS Attributes: Special attributes to be sent to the RADIUS server as part of the
authentication process. • Username Case: Define what case is sent to the RADIUS server • Expect Challenge: Expect an initial challenge from the RADIUS server (i.e. user does not
provide password prior to first RADIUS Access request)
240
Remote Client Authentication In addition to the Default and Password and Personal Details authentication schemes that come pre-configured as part of SSL-Explorer two further authentication schemes are available, WebDAV and Embedded client. These consist of single modules that cannot be edited nor removed. There purpose is to support remote access to resources protected by SSL-Explorer but bypassing the SSL-Explorer front-end, for example in situations where embedded access needs to be made through a bespoke application and not through SSL-Explorer. By default these are turned off and should only be enabled when required. Each scheme is detailed below.
WebDAV WebDAV is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers. WebDAV enables clients on PCs or Macs to access files and folders on a server in much the same way as on the desktop, while actually residing on a remote server being accessed over the Internet.
As the diagram above shows, in order to access remote files across the internet the desktop must be running a WebDAV client such as Windows Explorer. The remote location must be running a WebDAV server to make the remote directories accessible and as the diagram depicts SSL-Explorer runs its own WebDAV server so directories on the remote machine can be accessed through SSL-Explorer. The WebDAV authentication scheme when enabled allows external applications to access the WebDAV server using username password authentication regardless of which schemes SSL-Explorer has configured. If this is disabled then WebDAV resources may only be accessed when launched from directly from SSL-Explorer’s Network Places page. Any shortcuts created on the user’s Windows desktop or in Windows Control Panel Network Places will not work.
Embedded Client The Embedded VPN client is a Java API provided by 3SP Ltd. which gives external applications the ability to create secure tunnels to hosts protected by SSL-Explorer. This allows an external application to bypass the general interface processing of SSL-Explorer and tunnel through SSL-Explorer to the remote servers for secure communication. Similarly to WebDAV, the authentication scheme allows the access of SSL-Explorer resources through the embedded client using username and password regardless of what SSL-Explorer has
241
configured as its authentication schemes. If this is disabled then clients connecting in through the embedded client API will not be able to access any resources through SSL-Explorer.
Hardware Token Authentication
SSL-Explorer: Enterprise Edition contains a range of advanced features that allow for strong multi-factor authentication measures using hardware token devices. Technologies such as RADIUS and SSL client certificates may be combined with advanced hardware authentication devices from vendors such as Aladdin, SafeNet or RSA, amongst a plethora of others. Two-factor, or multi-factor authentication is considered to be ‘strong authentication’ today and this methodology combines the principle of ‘something you know’ with ‘something you have’. In terms of SSL-Explorer usage, your users know their username/password, and may also have a hardware authentication key fob. This is considered ‘strong authentication’ because in order to compromise the system, an attacker must get access to the user’s password along with the physical authentication device that the user carries. Given that most intrusion attempts are conducted from remote locations, this makes the job of an intruder much more difficult. We do not recommend the use of weak authentication methods such as password-only. SSL-Explorer’s authentication methods are designed in such a way that you can layer them as you see fit. For example if you really wanted to, with SSL-Explorer you could configure SSL client-certificate, OTP over SMS, password, PIN and SecurID authentication to protect entry to your system. However you might find that after a little while your users no longer want to talk to you! In this chapter we will cover the setup and authentication processes involved with these products.
• SafeNet iKEY 2032 Configuration • Aladdin eToken PRO Configuration • RSA SecurID Authentication Manager • VASCO Digipass Token Configuration • SafeWord Configuration
SafeNet iKEY 2032 Configuration This product takes the form of a small USB key device that is small enough to be carried as part of a bunch of keys on a chain. It uses SSL client certificate authentication to present a certificate to SSL-Explorer, making textbook use of the ‘something you know, something you have’ security methodology by combining a secret passphrase with the certificate on the device. The SafeNet iKey 2032 requires a special utility (CIP Utilities) installing on the client PC and this software deals with certificate management as well as performing tasks such as requesting passphrase when connecting to secure websites such as SSL-Explorer. When the device is inserted into the USB slot, the client software loads the certificate into the Windows Certificate Store where it may be accessed by the client’s browser and presented to SSL-Explorer.
242
In order to set up SSL-Explorer to use the SafeNet iKey 2032 for authentication, we need to do the following things, some of which have already been covered in previous chapters. Please follow the links to sections that cover the tasks in more detail.
• Configure SSL client certificate authentication in SSL-Explorer • Create SSL client certificates to authenticate your users. Either:
o Generate SSL client for your users using the built-in SSL-Explorer CA or: o Import existing SSL client certificates purchased from an existing CA
• Configure an authentication scheme that uses SSL client certificates • Import these certificates into each device using the CIP Utilities software • Issue devices to your users
SafeNet CIP Utilities The first thing you are likely to want to do is to create a passphrase on each of your USB devices. This is an additional layer of security that is used in addition to the certificate itself. This means that an unscrupulous individual will not be able to use the key if found or stolen, without first knowing this passphrase.
243
Importing SSL Certificates into the Devices Next you will want to import the certificate generated from SSL-Explorer onto the key.
You will be prompted for a *.p12 file. This refers to the format of the certificate file that is generated by SSL-Explorer. Select the relevant certificate for this user’s key and select OK.
244
You will then be prompted to enter the password for the certificate – this is the password that was set when the certificates were generated in SSL-Explorer. Once the correct password has been entered, the certificate is imported and you can view its details in the right hand column.
You will next want to right-click on the certificate and choose ‘copy certificate to the system’. This will copy the certificate to the Windows Certificate Store, but this is useless without the corresponding private key which always remains on the USB device.
And that’s the key configured. Since SSL-Explorer knows which certificate to associate with each user, we should now be able to try connecting using our new SSL Client Certificate scheme. You will
245
notice that you are prompted by the browser to select an SSL client certificate to present to SSL-Explorer.
As an additional step of the authentication process, you will be prompted by the CIP Utilities software to enter your iKey passphrase in addition to this.
246
Once this is entered successfully, the authentication process is complete.
247
Aladdin eToken PRO Configuration Similarly to the SafeNet iKey, the Aladdin eToken PRO makes use of SSL Client certificate authentication to present a digital certificate to the SSL-Explorer server. The only real difference from the perspective of the administrator is the eToken software itself that requires installing manually on the client PCs. We will begin with the standard Aladdin eToken PRO device that uses SSL client certificate authentication. The main steps are as follows:
• Configure SSL client certificate authentication in SSL-Explorer • Create SSL client certificates. Either:
o Generate SSL client for your users using the built-in SSL-Explorer CA or: o Import existing SSL client certificates purchased from an existing CA
• Configure an authentication scheme that uses SSL client certificates • Import these certificates into each device using the eToken Properties tool • Issue devices to your users and start using them!
Using eToken Properties Aladdin eTokens can be managed quite easily using a software tool named eToken Properties. This tool can detect Aladdin devices that can be connected using the USB port and is used to initialize, set passwords and import certificates onto the devices. Insert the device into the USB port and launch eToken Properties and you will be presented with a dialog similar to the following:
248
The first thing you will probably want to do is set a password on your devices. The standard password set on factory initialized devices is 0123456789. Hit ‘change password’ and set the password to something more secure. A password complexity meter is provided to give you an indicator of how secure your password is. As is often the case, a combination of uppercase letters, numerals and punctuation marks help to create stronger passwords.
Next you will need to import the SSL client certificate onto the device. On the ‘certificates & keys’ tab, select ‘Import Certificate’ and then choose ‘Import Certificate from File’.
249
Select the P12 file and open it. You will then be prompted for the passphrase.
When the passphrase is entered successfully, the certificate is imported onto the device.
And that’s it. The device has been configured with the key, and now all that remains to be done is to test the authentication process works with SSL-Explorer. Try connecting to your SSL-Explorer VPN server.
250
When you try connecting to the VPN server, you will be prompted to select the certificate you wish to present to the SSL-Explorer server.
Select the appropriate certificate and hit OK. You will then be prompted to provide the eToken passphrase that you set in eToken Properties.
251
Hit OK and access is granted!
252
RSA SecurID Authentication Manager RSA SecurID is probably the most well known hardware token-based authentication method. SSL-Explorer: Enterprise Edition is able to make use of SecurID authentication using the RADIUS feature to provide communication between the RSA server and SSL-Explorer. When combined with Active Directory user database this method is especially powerful as account management may be centrally managed with both SSL-Explorer and RSA Authentication Manager reading accounts from your Active Directory domain. To configure RSA SecurID authentication with SSL-Explorer you will need to do the following:
• Configure an Authentication Scheme that uses RADIUS authentication as one of the authentication stages
• Add an Agent Host Record for the SSL-Explorer server in order to allow communication between SSL-Explorer and the RSA server
• Add the SSL-Explorer server as a RSA RADIUS client • Import tokens and add users • Test the authentication process
Optionally you may wish to:
• Synchronize your Authentication Manager’s accounts database with your Active Directory domain controller
Configuring an Authentication Scheme that uses RADIUS The first thing necessary to support SecurID is to configure an authentication scheme that will use RADIUS. Later we will configure SSL-Explorer to talk to the SecurID RADIUS authentication server. Firstly, browse to Configuration → System Configuration → Security Options → RADIUS and configure the RADIUS dialog similarly to as following.
253
RADIUS Properties
• RADIUS Server – Enter the IP address of the RSA Authentication Manager RADIUS server • Authentication Port – This is the port the RADIUS server is listening to for authentication
requests. • Account Port – This is the port the RADIUS server is listening to for accounting requests. • Shared Secret – This is a password that requires setting on both SSL-Explorer and the
Authentication Manager. • Authentication Method – This should be set to PAP (Password Authentication Protocol)
unless otherwise instructed. • Time out – Seconds to wait for a response from the server before timing out upon
authentication. • Authentication Retries – Number of times to reattempt a timed-out authentication request.
Next, you will need to browse to Access Control → Authentication Schemes and configure a new authentication scheme that includes the RADIUS authentication. Create a new scheme, similarly to the one below.
Next you will need to assign authentication methods to the scheme. Add ‘Password’ and also add ‘RADIUS’ to create a scheme with Password authentication as the primary method and RADIUS as the secondary method. Click Next.
254
Next choose the policies to assign this authentication scheme to. For the purposes of this example, we’ll use the ‘Everyone’ policy to assign to all users.
Review your settings and click Finish to create the new policy.
That’s the authentication scheme completed.
255
Add an Agent Host Record for the SSL-Explorer server Next you will need to create an Agent Host Record to allow the SSL-Explorer server and the RSA Authentication Manager to communicate with each other. This is done from within the Authentication Manager Control Panel software. Start the RSA Authentication Manager (named ‘RSA Authentication Manager Host Mode’ on the Microsoft Windows Start Menu).
Select Add Agent Host from the Agent Host menu. You will need to enter the values for your SSL-Explorer VPN server, such as network address. Set all other parameters similarly to as follows:
That’s it.
256
Add the SSL-Explorer Server as a RADIUS client In RSA Authentication Manager, go to the RADIUS → Manage RADIUS Server. You will need to have assigned at least one token to the administrative user at this stage. The RADIUS manager displays a dialog similar to the following.
You will now need to add a new RADIUS client, select the RADIUS Clients node and select Add from the toolbar. Fill out the dialog similarly to as follows and click OK.
Your server is now added as a RADIUS client and can talk to RSA Authentication Manager.
257
Importing and Assigning Tokens to your Users Unless you have already done so, you will need to assign tokens to your users. Since both RSA SecurID and SSL-Explorer support Active Directory authentication, you can either configure Active Directory support in both and use your existing user account database or create accounts in the Built-in databases of RSA Authentication Manager and SSL-Explorer. We will assume that you have already decided on your user database strategy at this point. To import a token, select Token → Import Token in RSA Authentication Manager.
The token is imported
Now you will need to assign imported tokens to your users. Locate your user from the User → Edit User and choose the ‘Assign Token’ button.
258
Choose select token from list. The Select Token dialog is displayed.
Click OK and the user will be assigned the RSA key fob.
259
Test the Authentication Process Now that RADIUS authentication is configured, you will want to try out authentication using your RSA key fob. Since we have Password and RADIUS methods in our authentication scheme, you will need to enter username, password and your SecurID one-time-password. This demonstration assumes that this scheme is set as the default. Enter your username when prompted
The second stage prompts you for password – this is the password to the user database you have currently configured, e.g. Active Directory.
If the password was accepted, the second password prompt will be shown. This prompt asks for the OTP displayed on the key fob.
• If you configured the key fob with a PIN, e.g. ‘4567’, you will need to enter this followed by the SecurID token code displayed on the device. For example, if the device displays ‘441370’ and your PIN number is ‘4567’; you should enter ‘4567441370’ in this field.
• If you do not have a PIN, simply enter the code displayed on the device.
260
When successfully authenticated, you will be presented with the Favorites page!
261
Synchronization with Microsoft Active Directory It is possible to synchronize RSA Authentication Manager’s account database with that of your Active Directory server which uses the LDAP protocol. To do this, you will need to configure an ‘LDAP synchronization’ in Authentication Manager. This will periodically retrieve a list of accounts from the Active Directory LDAP schema and update your account list. You should be familiar with the conventions of specifying LDAP queries before attempting this configuration, but we will demonstrate an example of a basic LDAP synchronization. In the Authentication Manager, select User → LDAP Users → Add Synchronization.
We will configure a synchronization that will retrieve all LDAP objects with a class of ‘user’ from an organizational unit within the LDAP schema, named ‘Employees’. You will need to enter information similar to as follows. This job is set to run every minute just so that we can quickly see whether the values we have entered are correct.
262
Click OK, and wait a minute for the job to be run. Go back to your list of LDAP synchronizations and you should see a status message similar to ’10 User(s) Updated’ as in the picture below – our users have been imported successfully.
And that’s Active Directory configured. Your users can now be assigned tokens in the normal way in Authentication Manager. You’ll most likely now want to set up Active Directory authentication within SSL-Explorer to take advantage of the centralized account management that this approach offers. You can find more information on this in SSL-Explorer: Getting Started Guide under the chapter Data Management.
263
VASCO Digipass Token Configuration SSL-Explorer can be configured to authenticate to a VASCO server using the RADIUS feature of the product. Note that VASCO does not currently include a RADIUS server with their product, therefore you will need to use an external RADIUS server (e.g.Free RADIUS) to provide the RADIUS component of this solution. To configure Digipass token authentication with SSL-Explorer you will need to do the following:
• Configure an Authentication Scheme that uses RADIUS authentication as one of the authentication stages
• Configure the RADIUS server in VACMAN Middleware • Add the SSL-Explorer server to VACMAN as a RADIUS client • Create Users in VACMAN Middleware • Import Digipass Tokens into VACMAN Middleware • Assign Digipass Tokens to users • Test the authentication process
Configure the RADIUS server in VACMAN Middleware In VACMAN Middleware, log on to your VACMAN server, expand the server tree and right click on the RADIUS server’s node. Select ‘New RADIUS Server’ to create the new server.
264
Enter the relevant properties for the RADIUS server on your network and click OK.
The VACMAN Server service may need to restart and you might need to log onto the server again. Once this is complete the new RADIUS server details are listed under the RADIUS Server node.
265
Add the SSL-Explorer Server to VACMAN as a RADIUS client In order for the SSL-Explorer server to talk to the VACMAN server via RADIUS, it will need to be configured as a RADIUS client.
Click ‘Create’ and the new RADIUS client will be created.
266
Create Users in VACMAN Middleware You will need to create some users in the VACMAN Middleware server in order to authenticate them using the Digipass devices. Right click on the ‘Users’ node and select ‘New User’.
The new user dialog appears. Enter the relevant details and click ‘Create’.
267
The new user is created and appears in the user list.
Importing Digipass Tokens to VACMAN In order to authenticate your users using Digipass tokens, you will firstly need to import them into VACMAN Middleware. You can do this as follows. Right click on the Digipass node and select ‘Import Digipass’
An import dialog will appear. You will now need to import the Digipass import file (a *.dpx file) for the relevant keys.
268
Enter the 32 character hexadecimal number into the ‘Key’ field.
Click ‘Import All Applications’ to import all records. You can alternatively pick just the relevant applications you wish to import by selecting ‘Import Selected Applications’. Click ‘Close’ when done. The import proceeds and you will see the imported tokens in the Digipass item list.
269
Assign Digipass Tokens to Users The last step of the Digipass configuration is to assign the Digipass tokens to the relevant users within VACMAN Middleware. This can be done similarly to the following: Locate the relevant Digipass token in the Digipass list in the server tree. Right-click on the token and select ‘Assign’.
Enter the username in the ‘User ID’ field and click the ‘Find’ button to search for the user.
270
Select the relevant username and click ‘OK’. The token will be assigned the Digipass token.
Test the Authentication Process Now that RADIUS authentication is configured, you will want to try out the authentication process in SSL-Explorer using your Digipass key fob. Enter your username when prompted.
271
The second stage prompts you for password – this is the password to the user database you have currently configured, e.g. Active Directory.
If the password was accepted, the second password prompt will be shown. This prompt asks for the OTP displayed on the key fob. If you configured the key fob with a PIN, e.g. ‘4567’, you will need to enter this followed by the token code displayed on the device. For example, if the device displays ‘157252 and your PIN number is ‘4567’; you should enter ‘4567157252’ in this field.
When successfully authenticated, you will be presented with the Favorites page.
272
SafeWord Configuration SSL-Explorer can be configured to authenticate to a SafeWord server using the RADIUS feature of the product. Note that SafeWord requires an Active Directory database and Internet Authentication Server (IAS) installed on the Domain Controller. To configure SafeWord authentication with SSL-Explorer you will need to do the following:
• Install and configure the SafeWord Server • Configure an IAS • Create an Authentication Scheme that uses RADIUS authentication as one of the
authentication stages • Test the authentication process
Installing SafeWord Start the setup from the CD.
Click Yes to get latest updates if required, which will then download.
Enter the serial number and click OK. More files will download from the update server and the installation starts.
273
Click Next.
Click Yes.
274
Click Next.
Click the top option, then Next. Visual C++ redistributable installs and more update files are downloaded.
275
Safeword Server and Active Directory Management Console should already be ticked. Scroll down and tick IAS (RADIUS) Agent. Click Next.
Click Next.
276
Click Next. More updates downloaded and the files start installing. This can take a while.
Change the ports is required and enter Encryption and Signing keys. Click Next.
277
Confirm the domain or re-enter the domain if incorrect. Click Next. More files will install.
Click Yes
Click Finish.
278
Configuring SafeWord Start Active Directory Users and Computers.
Expand the domain, you should see a Safeword Folder, click on this.
Enter an administration password to be used with Safeword and click OK A web page will also appear asking for a new password for the User Center.
279
Enter a new password and click Submit. Back in AD Users and Computers, click on Import/Backup/Restore under Safeword.
Click Browse under Import Tokens, browse to the import file on the CD provided with the tokens. Click Import.
280
You should now have tokens listed in the Tokens section. Now we can assign tokens to users.
Bring up the properties screen for a user you want to assign a token to and select the Safeword tab. Enter the token serial number and an option PIN code if you wanted to use one. Click Apply, where the lower part of the properties page becomes active. You can choose here to enter a passcode from the token to test that it is working ok. If this test fails try again. If it still fails, you should be able to fix it by clicking Re-Sync.
281
While in the user properties, go to the Dial-in tab and tick Allow Access under Remote Access Permission.
Configuring IAS Start the Internet Authentication Service management console and create a new RADIUS client that points to your test client.
282
For the client Vendor, choose RADIUS standard and enter a shared secret.
Using a tool such as NTRadPing, test the RADIUS response.
283
Enter the server name, port 1812 and the secret key. Enter the username to test against and the passcode generated by the token (followed by the PIN if that option was set). Click Send and if working, you should see an Access-Accept response.
Configuring SSL-Explorer Go back to IAS and create a RADIUS client that points to the SSL-Explorer server address.
284
In SSL-Explorer, go to System Configuration->Security Options and click the RADIUS tab. Enter the IAS server address, shared secret. Set the Authentication Method to CHAP and click OK.
Go to Authentication Schemes and create a new Scheme. Give it a meaningful name such as RADIUS, or Safeword. Select Password (primary) and RADIUS (primary) to set Safeword as a 2 layer authentication (You could choose RADIUS on its own if required, just note that if SSL-Explorer requires the User's password for anything, it will prompt for it).
285
Move the RADIUS scheme to the top if this is to be the default scheme. Now test the login via SSL-Explorer, which should now work.
286
Resource Management
Resources are the key entities that a user of the system will interact with. Without such things, a user has no means of using or gaining any benefit from the system – it is the resources that provide the ‘value’ in an SSL VPN. This section covers the basics of resources; what they are, how they are used and finally ends with what types are available.
Introduction .Sections covered in this chapter are as follows:
• What are Resources? • Resource Wizards • Available Resource
What are Resources? The main purpose a user will use SSL-Explorer is to access the corporate network usually from a remote site, be it from a remote branch office or from a clients site. Securely allowing users into SSL-Explorer is just one side of the remote access solution. Once logged in, the user must have a means of actually interacting with items within the corporate network such as network drives, files and applications and this is where resources fit into the picture. As the diagram below shows resources are the means by which a user interacts with the trusted network.
Some resources such as Network Places allow a user to interact with shares on the network. Other resources as Web Forwards allow users to interact with company intranet websites. Each resource provides a different way to access and interact with the remote network, from running remote applications to creating secure VPN tunnels. It is the Super User’s responsibility to create these resources and provide a secure working environment for the remote user population. Without the right configuration of resources, accessing areas of the corporate network remotely would be at the least difficult and in the worst case, impossible. The Super User is also responsible for the management and configuration of resources. As the corporate network evolves so to must the resources which access the network. As further company security policies are put in place not only must the network change to suit but so to must the SSL-Explorer resources.
287
The user console is the page from which the users are able to access these resources for use. Resources are listed under the Resources bar to the left of the page and can also be added to a user’s Favorite page. Administering resources however is done through the Management Console.
Resource Wizards Every resource is created through an intuitive wizard. The wizard directs the Super User in defining the appropriate steps in the correct order. As the screenshot below shows, the navigation pane highlights all the necessary steps to complete the action.
Some of these steps can be skipped and then redefined as required through the Edit Resource pages later. Also any step can be re-attempted by simply clicking on the appropriate step in the Navigation Pane.
Available Resources SSL-Explorer defines a number of resources; each provides a specific function in interacting with the instance and the corporate network. Resources that can be used are listed below:
• Web Forward: Provides secure intranet and internet access • Network Place: Provide network file system access • Application: Deployment and execution of Java applications • SSL-Tunnel: Configure SSL tunnels for special tasks such as remote support • Profile: User environment configuration • Network Extension: A virtual network adaptor that provides secure access into the SSL-
Explorer network
288
Each chapter is dedicated to one of these resources covering everything from creating to managing the resource.
Executing a Resource All executable resources follow a similar set of steps when being executed, these are detailed below.
Step 1 From the user console find the resource to execute. Against this resource will be the execute button
Step 2 When pressed the execute button needs a policy in which the resource should be executed. The execute button lists all the policies the resource is connected to, selecting one will execute the resource using any policy attributes associated with the chosen policy. If the resource page is set to show icons as oppose to listing resources the user will see something similar to the image below
To execute a resource simply press the correct icon. The resource will execute in the first policy the user has been assigned to, usually everyone.
Step 3 The resource should now execute opening the required window if necessary.
289
SSL-Explorer Agent
Many commonly used applications from email clients to CVS clients typically operate using unsecured protocols to facilitate the exchange of data. To the casual home user this is usually not a worry, though to the corporate user this is a critical vulnerability and one that leaves a business open to all manner of threats from password sniffing to full-blown industrial espionage. Thankfully with modern encryption protocols like SSL, data from these applications can be “tunnelled” inside SSL packets. In the case of SSL-Explorer, this is achieved through the use of the SSL-Explorer Agent – a small program that can intercept data transmitted by the insecure application, encrypting said data and transmitting the secure form over the wire. At the receiving end the SSL-Explorer server decrypts this data and forwards it to the appropriate destination within the trusted network. With SSL-Explorer, you have the ability to lock down your network, leaving just a single port open on your firewall. Most traffic that would normally operate on other ports can be tunnelled through the HTTPS port 443 into your network. The sections covered in this chapter are:
• What is the SSL-Explorer Agent? • Starting the SSL-Explorer Agent • Stopping the SSL-Explorer Agent • Executing Resources from Agent
What is the SSL-Explorer Agent? With SSL Explorer comes a small SSL-Explorer Agent. This Agent is a Java application that works in conjunction with your SSL-Explorer session to provide SSL-tunneling and application launching facilities provided by the SSL-Explorer server. The Agent is launched by a small Java applet placed on all pages that require access to the VPN client. You only need to launch the client once per SSL-Explorer session. The Agent is an essential tool for providing a secure tunnel for some of the resources detailed later in this chapter. When required the resources automatically starts the agent. However the agent can also be started manually in which case any resource requiring the use of the tunnel will not need to start the agent.
Communication with Browser The SSL-Explorer Agent listens on a number of ports in the 65500+ range. This is normal behavior. The Agent is actually also a HTTP server and uses these ports to communicate with your web browser. All outbound network communications are sent through the HTTPS port 443.
290
Precautions It is important to remember that the agent will provide a secure tunnel into your network until it is closed or times out due to inactivity. Your users must make sure that they log-off from their SSL-Explorer sessions. It is not wise to allow such a session to remain open and unattended even for a short period of time. The agent will timeout any tunnel that is inactive for a configurable period of time.
Starting the Agent Click the Start Agent button from the top navigation pane.
This instructs the client to start the agent. A warning message will be displayed as below.
The next sets of dialogs are security warnings verifying the client and the agent itself. These warnings should be accepted.
Step 1 Once all the security messages have passed the agent will be started and if communication with
the server is successful the agent will be ready. The agent icon in the top navigation bar will change colour much like the image below.
In addition a pop up will appear by the taskbar and an agent icon will be visible from the taskbar itself.
A final reminder that the agent is up and running successfully will be in the form of information in the event pane.
Any resources relying on the agent will only execute once the agent is active.
291
Stopping the Agent In order to stop the SSL-Explorer Agent simply click the active Agent icon as shown below.
This will stop the agent. It will also change the agent icon back to indicate that it is inactive as shown below.
Nothing else is required to stop the SSL-Explorer agent.
Executing Resources from Agent Once the agent is started you can execute any resource assigned to you from the directly from the taskbar icon. Clicking the right button the agent icon will present a list of resources that can be executed directly from the agent without having to go through SSL-Explorer.
By opening the Tunnel Monitor one can view any tunnels that are created through the life of the agent and if so wish can kill any running tunnels.
292
Web Forwards
Web forwards provide a secure way of remotely accessing a company’s intranet resources and as such are an essential tool in helping reduce the risk of unauthorized access to the corporate network. This chapter covers all the essentials to allow a super user to manage these resources, from what a web forward is, how they work to managing them. Web forwards come in three types tunneled, reverse and replacement this chapter details each and when best to use each type. The sections covered in this chapter are:
• What is a Web Forward? • Technical Overview • Web Forward Interface • Creating a new Web Forward • Editing a Web Forward • Deleting a Web Forward • Outlook Web Access and Mail Check
By the end of this chapter the reader should have a good understanding of web forwards and how to use them.
What is a Web Forward? Simply put, web forwards redirect HTTP traffic. By creating a web forward the publisher can make an internal web resource accessible to the outside world – without ever having to publish the resource on to the World Wide Web. Take for example a company intranet or an internal web-based application. Without web forwards users can only access these resources internally within the LAN. Trying to access these remotely would mean having to publish these on the internet. Making a company’s sensitive internal resources available over an un-trusted publicly accessible network leaves the system vulnerable to attacks. Web forwards reduce these vulnerabilities by publishing web forwards on a VPN. The elimination of the resource from the internet instantly minimizes the chances of the internal network being compromised. When accessing the web resource users have to sign in to SSL-Explorer through strict authentication techniques. During the course of the session the communication channels are secured through SSL and then to further enhance security SSL-Explorer’s policy framework can restrict those that can even access the web forward.
293
Technical Overview SSL-Explorer provides three ways in which a web forward can be created these are:
• Tunneled: Suitable for static intranets • Replacement proxy: Suitable for web applications which use absolute URLs with minimal
JavaScript • Reverse proxy: Suitable for web applications which use relative URLs and tend to be more
complex than those for replacement proxy Each one is briefly described below.
Tunneled Web Forwards A tunneled Web Forward uses the SSL-Explorer Agent. If not already installed the agent is downloaded to the client machine. The agent acts as an agent for the client browser handling all necessary transaction to provide a secure connection to the target resource. The communication link between browser and agent is the only line that is not encrypted. Unlike reverse and replacement web forwards the content of the HTTP traffic are not altered at all. No content is changed from the moment it leaves the client to the response that is received, SSL-Explorer acts a dumb proxy providing no functionality. This web forward performs the same functionality as a standard SSL-Tunnel. The unique feature is that no content is processed. However if the target site has links to other sites and are selected then those pages will step out of the secure SSL Tunnel boundary and will not be securely accessed.
Replacement Proxy Web Forwards A replacement web forward, unlike the tunneled forward, does not rely on the SSL-Explorer agent. Despite this the communication link both to and from the intranet resource remain encrypted due to the browser and SSL-Explorer. The SSL-Explorer server retrieves the web page on behalf of the connecting client. Information received by SSL-Explorer is processed by the replacement engine which is in stark contrast to the tunneled Forward. The data is stripped of certain information and new information is added to the transmission, all links within the page are replaced to point back to the SSL-Explorer server. The transmission is then encrypted or left unencrypted depending on the target server HTTP/ HTTPS. The responses are again preprocessed by the replacement engine before being securely sent back to the client. This processing means that any additional links attached to the web resource are handled by the web forward. As long as the web forward remains open all pages are processed and remain secure. So for
294
example a web application that opens up various pages or goes off to various other sites will continue to be processed by the forward.
Reverse Proxy Reverse proxy like replacements does not rely on the SSL-Explorer agent and again despite this the communication link remains encrypted due to the browser and SSL-Explorer. Unlike replacement web forwards the content is neither altered from the moment it leaves the client to the response that is received, SSL-Explorer acts as a reverse proxy server for the target client. Unfortunately if the target site has links to other sites and are selected then those pages will not be secured.
Web Forward Interface The main web forward page lists the available forwards. This page is located under Management Console → Resource Management → Web Forwards
295
The main page details which policy a web forward is associated with, the type of the web forward and the category of the web forward. Only those web forwards associated with a user’s policy are visible from the user console under User Console → Resources → Web Forwards.
Action Icons The action icons against each web forward performs functions on the associated web forward, their respective objective are detailed below:
Delete web forward
Edit web forward details
Execute resource (User Console)
296
Creating a new Web Forward Step 1 Select the Create Web Forward action.
Step 2 Select the type of web forward you wish to create.
Step 3 Once selected the web forward wizard will open. All web forwards follow the same wizard process as below.
297
Step 4 The first step in the wizard is to provide details of the resource itself, the name and description of the resource.
The final web forward can be set as a favorite resource which will make this resource accessible from the favorite’s page.
Step 5 The second step defines the resource itself. For each web forward the required content differs. These are detailed below.
Configuring a Tunneled Web Forward This web forward requires the least amount of information. All the wizard requires is a valid URL the authentication step is skipped.
The wizard provides a mechanism to use built-in system parameters these are detailed a little more in the Create Replacement Proxy step next. Once done pressing the Next button will take you to the next step in the wizard, which is detailed in step 6 below.
298
Configuring a Replacement Proxy Web Forward Replacement details require two sets of information; the first is the basic information of the web site.
• Destination URL: The URL of the site you wish to access • Encoding: This overrides the encoding of the HTTP response; this should be left as default
unless otherwise informed by 3SP support. • Restrict to hosts: This restricts what hostnames the user can access. Any user accessing the
site can access only the URL hostname and any hostnames listed in this box. If the list is empty then no restrictions apply, if the hostname specified is the hostname of the URL then users can not access any pages located outside of the hostname.
Replacement Variables The ${} indicates that replacement variables can be included in the resource definition. Click this icon will load the available variables that can be used. The session variables are values taken from the current session. The attr variables are values taken from user defined attributes.
The second part of information required is the authentication details.
Authentication
Replacements and reverse proxy can not only access a site or an application but can also authenticate the user accessing it. When the web forward connects to the URL the additional information provided here are passed in to the site automatically authenticating the user. Depending on the type of authentication type you select in the dropdown the appropriate parameters are listed.
The wizard provides two types of authentication FORM and HTML authentication.
Note
299
• Form Type: The type of form authentication to use, in most circumstances POST will be used to post the parameters listed in the Form Parameters box to the site. NONE disables form authentication and relies on HTML authentication only.
• Form Parameter: Specific form parameters for authentication should be provided here. These parameters map to the parameters on the form. As the example above pre, ixPerson, sPassword are all form parameters for this application. During authentication these will be passed into the form with the provided values. As sPassword=${session:password} shows replacement parameters can also be used, we have used a session parameter for the form’s password field. The ixPerson parameter is the index list for forms username dropdown list, 6 is the index of the given username, when executed the form will lookup username 6 from the dropdown list.
• Preferred scheme: The type of HTML authentication to be used, BASIC, NTLM, DIGEST, NONE.
• Username: The authenticating username for HTML authentication, each scheme uses this value in different ways.
• Password: The associated password. Depending on the site whichever authentication method is required by the server those details will be passed forward. Once completed pressing the Next button will proceed to the next step in the wizard, this is detailed in step 6 below.
300
Configuring a Reverse Proxy Web Forward As with replacement proxy this also requires two types of information, the basic URL information and the authentication details however unlike other web forwards this is broken into host-based proxy and host-based proxy.
Path-Based Reverse Proxy
• Destination URL: The URL of the site you wish to access • Paths: Each additional path that needs to be proxied is added here. Web applications such as
Outlook Web Access require more paths than the one in the target URL, in the example above the OWA web forward sets a target of http://mail.server.co.uk/exchange and then adds 2 further paths /exchange, /exchweb. To deal with this, you add each path that should be proxied to this filed. This would then proxy any URLs that begin with http://mail.server.co.uk/exchange, and http://mail.server.co.uk/exchweb
• Encoding: This overrides the encoding of the HTTP response; this should be left as default unless otherwise informed by 3SP support.
Host-based Reverse Proxy
• Active DNS: This enables sites that are at root of a server to be used by the web forward, as mentioned in the note above sites at root generally cannot be used by the reverse proxy web forward. Enabling this parameter is not enough, a wild card entry on your networks DNS server must be configured so that any lookups for active*.3sp.co.uk point to the SSL-Explorer server. When the web forward is launched a fake hostname prefixed by active and
301
suffixed by 3sp.co.uk is generated (e.g. active32432432424.3sp.co.uk) and used by the client browser to access the reverse proxy. SSL-Explorer is able to see this hostname and use the number embedded to look up the associated web forward. More information can be found in the 3SP knowledge base1.
• Host Header: This is another method used by the reverse proxy engine to determine whether
a site should be proxied. A specific hostname can be set for a site this requires that the hostname defined resolves to the SSL-Explorer server. The browser will be redirected from the standard SSL-Explorer URI to this host header. More information can be found in the 3sp knowledge base.
No Target Site at Root of Server Ordinarily target sites you wish to use with reverse proxy cannot exist at the root of their server. e.g. http://www.example.com is invalid whereas http://www.example.com/salesportal would be acceptable. Active DNS can be used to override this action.
The second part of information required is the authentication details.
Authentication
Replacements and reverse proxy can not only access a site or an application but can also authenticate the user accessing it. When the web forward connects to the URL the additional information provided here are passed in to the site automatically authenticating the user. Depending on the type of authentication type you select in the dropdown the appropriate parameters are listed.
The wizard provides two types of authentication FORM and HTML authentication.
1 3SP Knowledge Base – http://3sp.com/kb
Note
302
• Form Type: The type of form authentication to use, in most circumstances POST will be
used to post the parameters listed in the Form Parameters box to the site. NONE disables form authentication and relies on HTML authentication only.
• Form Parameter: Specific form parameters for authentication should be provided here. These parameters map to the parameters on the form. As the example above pre, ixPerson, sPassword are all form parameters for this application. During authentication these will be passed into the form with the provided values. As sPassword=${session:password} shows replacement parameters can also be used, we have used a session parameter for the form’s password field. The ixPerson parameter is the index list for forms username dropdown list, 6 is the index of the given username, when executed the form will lookup username 6 from the dropdown list.
• Preferred scheme: The type of HTML authentication to be used, BASIC, NTLM, DIGEST, NONE.
• Username: The authenticating username for HTML authentication, each scheme uses this value in different ways.
• Password: The associated password. Depending on the site whichever authentication method is required by the server those details will be passed forward. Once completed pressing the Next button will proceed to the next step in the wizard, this is detailed in step 6 below.
Step 6 Once the web forward has been successfully configured the next step is the assignment of the resource to a policy. The appropriate policy should be added to Selected Policies box.
303
Step 7 In the final step the wizard presents a summary of the web forward.
Pressing the Finish button will end the wizard and create the web forward. This newly created web forward will be visible from the main web forwards page and executable by those in the assigned policy. That’s all there is to it.
304
Editing a Web Forward From the web forwards page select the Edit action against the required web forward and the Edit Web Forward page will be shown. From this page the current details stored about the web forward can be modified.
Deleting a Web Forward The Delete action removes a web forward permanently from the system. Selecting the delete action against a web forward will result in a warning message informing that the web forward is about to be deleted, as shown below.
Selecting Yes will result in the removal of the resource from the system. If this web forward is associated with any policies this link will also be removed along with all other associated links.
305
Outlook Web Access and Mail Check One of the many features available from the Enterprise Edition of SSL-Explorer is the mail check feature. This presents to the user an instant view of his or her email account status directly through the user console without having to start their email client to check for new email. This feature can be used to check for email (and launch your web mail client) on any mail server that supports the POP3/IMAP protocols, including Microsoft Exchange. The mailbox icon is visible from the user console and shows the status of new or any unread messages.
Clicking the refresh button also instantly checks the mail account and provides an instant update of its status and clicking the mailbox itself will open a new window to the mail account. Configuration of this relies on a web forward. The following provides basic steps on how to configure the mail check feature.
Step 1 Install the SSL-Explorer Mail Check extension from the Extension Manager. Further instructions on installing extensions can be found in the SSL-Explorer: Configuration Guide.
Step 2 Create a web forward that connects to the mail server and check that it works correctly. In the
screenshot below I have created an Outlook Web Access (OWA) web forward. No username or password has been specified in the configuration. When I execute this I am prompted for authentication.
Step 3 Configure the mail check configuration parameters from Management Console → System Configuration → Messaging → Mail Check.
In the screenshot I have specified the OWA web forward that I configured in step 2. The mail check feature requires this to access the mail server. Also the mail protocol has been specified and the hostname of the mail server. Further information on these parameters can be found in the SSL-Explorer: Configuration Guide under System Configuration.
Step 4 The final step involves the configuration of personal details for each user from the user console. For each user the mail check tab becomes accessible from User Console → Personal Details → Mail Check.
306
The Mail Check extension will automatically try and log onto the mailserver with the current users SSL-Explorer credentials. If these are different, then each user needs to provide their mail authentication details on this screen. In addition the default mail folder (e.g. ‘inbox’) can be specified if needed.
Active Directory Accounts Auto Configured If the system has been configured to use Active Directory and the mail accounts also uses the same Active Directory authentication credentials, the mail check extension will automatically use the user’s Active Directory credentials to authenticate the user’s mail account. There is then no need for users to provide authentication details in the mail check tab under personal details.
The mail check feature uses the web forward and the details defined in the mail check configuration page to connect to the mail server. It is from here it takes the individual users authentication details to connect to their account and retrieve mail details.
Step 5 Once all the user details have been provided the user should log back into the system. The mailbox icon will be visible in the top right of the main window. Clicking on the mailbox will open a window to the mail account of the user without the need for authentication.
Note
307
Network Places
Network places are another vital tool against defending unwarranted access to the corporate network. By configuring a network place within SSL-Explorer, this allows a user to securely access the company network without compromising the integrity of the network. This chapter covers the basics of network places and moves right through to managing these resources. The sections covered in this chapter are:
• What is a Network Place? • Network Places Interface • Creating a new Network Place • Editing a Network Place • Deleting a Network Place • Web Folders Windows Access • Enterprise Drive Mapping
By the end of this chapter the reader should have a firm grasp on network places and how best to use them in particular the means in which a simple network forward can be integrated into a user’s familiar Windows environment.
What is a Network Place? A network place is a versatile resource that provides remote users with a secure Web interface to the corporate network. A remote user can browse network shares, rename, delete, retrieve and even upload files just as if he or she was connected in the office connected to the network. In particular network places provide remote users that have appropriate permissions to browse Microsoft SMB file shares, SAMBA file systems configured on UNIX and even FTP or SFTP file systems. In addition network places also provide support for web folders and Enterprise Drive Mapping.
Web Folders Web Folders is a web authoring component that is included with Internet Explorer 5. It enables the management of files on a WebDAV server by using a familiar Windows Explorer or My Computer interface. WebDAV is a protocol that extends HTTP to define how basic file functions such as copy, move, delete, and create folder are performed over the internet. Using a WebDAV client as web folders a remote user can access the company network through the standard Windows Explorer interface without actually needing to log into the SSL-Explorer. SSL-Explorer has an inbuilt WebDAV server which provides WebDAV clients secure access to required file systems.
308
Network Places Interface The main network place page lists the available shares. This page is located under Management Console → Resource Management → Network Places
The main page details which policy a network place is associated with and the available actions associated with each. Only those network places associated with a user’s policy are visible from the user console under User Console → Resources → Network Places.
Action Icons The action icons against each network place performs functions on the associated network place, their respective objective are detailed below:
Delete network place
Edit network place details
Execute resource (user console)
309
Creating a new Network Place Step 1 From the main network places page the action menu in the top right presents the only available action
which is, Create Network Place. Selecting this begins the creation wizard.
Step 2 The first step in the wizard as with any resource is the name and the description of the required resource. This will be displayed on the main network places page.
This particular resource can be added to the favorite page if so desired for ease of access.
Step 3 The next step requires the definition of the URL alongside any additional parameters. Selecting the Type
This can be of the following: Windows Network: Windows source anywhere on a visible network Local File: Source connected to the client machine FTP: FTP filesystem SFTP: SFTP filesystem Jar Archive: A jar file. When executed network places opens up a window into the extracted
Jar Tar Archive: A Tar file. When executed network places opens up a window into the
extracted Tar Zip Archive: A zip file. When executed network places opens up a window into the
extracted zip Automatic: This allows the user to type in single URLs for any type of filesystem and it will
successfully connect to the right type of system. For example all the following URLs can be used:
o SMB share: smb://[username:password@]server/share o SMB share: \\server\share
310
o Local share: file://<path> (for Windows use forward slash) o Local share: <path> (for Windows use forward slash) o FTP share: ftp://username:password@server[port]/folder o FTP share: ftp://server/folder
Step 4 Depending on the type chosen a list of parameters are shown and need completing.
• Host: Hosrname of source filesystem • Port: Port of source filesystem • Path: Specific path that needs to be accessed on the host
Replacement Variables The ${} indicates that replacement variables can be included in the resource definition. Click this icon will load the available variables that can be used. The session variables are values taken from the current session. The args variables are values taken from user defined attributes.
• Username: Username if the location is protected. If this is to be used by all users then the replacement variables should be used such as ${session:username}. For more information on attributes and replacement variables refer to the User Attributes Chapter in SSL-Explorer: Configuration Guide.
• Password: Password for the username
FTP Default Passive FTP can initiate connections in passive and active mode. By default all ftp URI’s will be connected to their host using passive mode as this is the most secure and most common mode used. However if you wish to connect to a server in non-passive mode simply add ?passive=FALSE to the end of the URI as in ftp://ftp.server.com?passive=FALSE.
Note
Note
311
Step 5 In addition to defining the path a network place resource requires its access permissions
defining. This will restrict what access rights will be available on the file share when a user executes the network place. The available permissions are as follows:
• Show hidden: Show all files and folders including hidden files • Read Only: All files folders are visible but they can only be viewed • Show Folders: Show only folders • No Delete: All files and folders are visible and all file management actions can be performed
except deletion of any files A combination of these can be chosen. The final step is defining a drive letter for the network place. This feature is only part of enterprise drives and allows a share to be mapped to a drive letter. Once mapped the user is able to access the network share through Windows Explorer no longer needing to connect to SSL-Explorer to see the content.
• Drive: Select a drive to map to this network place. Refer to the section titled Enterprise Drive Mapping
Step 6 Once the network place has been defined the final step is in the defining which policy this network
place should be associated with. Any user not linked to this policy will not be able to access the network place.
Step 7 The wizard provides a summary of the wizard, pressing Finish completes the process and creates the new resource. That’s all there is to it. The newly created network place will be visible from the main network place page.
312
File Management When a network place is executed the file system is opened in a new window. The window displays the content of the file. All the content from here and below can be managed; files removed, uploaded and even deleted as if you were connected directly to the file system.
Depending on what permissions were selected during the configuration of the resource depends on what actions are available to the user. The full list of available actions against each file is listed below.
Delete selected file or folder
Rename selected file or folder
Copy selected file or folders
Cut selected file or folder
Paste content of clipboard to selected folder
Zip folder and store it to a locally accessible file system
In addition to these action icons the actions available in the Actions pane in the top right of the window also perform these functions as well as the ability to Upload files and return back to the top folder (Home).
313
Editing a Network Place From the network place page select the Edit action against the required resource and the Edit Web Forward page will be shown. From this page the current details stored can be modified.
Deleting a Network Place The Delete action removes a network place resource permanently from the system. Selecting the delete action against a network place will result in a warning message informing that the resource is about to be deleted, as shown below.
Selecting Yes will result in the removal of the resource from the system. If this network place is associated with any policies this link will also be removed along with all other associated links.
Web Folders Windows Access When using Windows XP and Internet Explorer you can take advantage of Microsoft Web Folders to access your file resources. Web folders are a great tool for remote working and once set up accessing a share is simply a matter of clicking an icon and entering a Windows username and password when prompted. Much simpler than using a cryptic combination of SSH port forwarding and Terminal Services. Web folders use the WebDAV server that is embedded into SSL-Explorer. So any web folder configured must go through SSL-Explorer’s WebDAV server else the share cannot be seen by the client operating system. For security SSL-Explorer only allows web folders to be mapped to existing network places. If a network file system has not been configured through network places in SSL-Explorer then the web folder cannot be mapped to the desired location. This enforces the policy restrictions; if a user does not have a policy which allows them to access a given network place then they can neither create a web folder to it.
314
The steps to create a web folder are listed below.
Step 1 The required file system should already exist within SSL-Explorer as a network place.
The network place should be configured to access the appropriate share. It is the name used here that will be used by SSL-Explorer to lookup the configured URI.
Step 2 From Windows access My Network Places.
Step 3 Under the Network Tasks pane select Add a network place.
315
Step 4 This starts the Add network place wizard.
Step 5 The wizard will briefly search for information about service providers and will then present you with the following screen. Select Choose another network location and click next.
Step 6 Now you need to enter the fully qualified domain name to your SSL-Explorer server.
316
Above the SSL-Explorer is https://remoteServer.co.uk and my network place as named in network places on the system is Public. When executed web folders will locate communicate with the WebDAV server at remoteServer.co.uk. It will then request the URI for a network place named Public. It is this URI that will then be mapped to the web folder.
Step 7 The web folders client will attempt to connect to the resource and you will be prompted to enter your authentication details.
Step 8 After successful authentication the client will ask for a new name for this network place.
317
Step 9 Windows has successfully created the web folder. Windows Explorer opens and searches for resources. You may be asked to accept a certificate as part of the process – this is normal and ensures that your data is encrypted across the wire using SSL.
In My network places a new shortcut is created.
318
This shortcut can be moved to the desktop so that all a user needs to do to access the shared folder is double-click this icon and enter your Windows logon information.
319
Enterprise Drive Mapping SSL-Explorer enterprise comes with the Enterprise Drive Mappings plugin. This adds the ability for a user to create a network place and assign it a drive letter.
The effect of this is that once the SSL-Explorer Agent is running the drive becomes available under the user's Windows Explorer and like any other drive listed in Windows Explorer this drive can be accessed and any content accessible for the lifetime of the SSL-Explorer Agent.
How does this differ from WebDAV? WebDAV is limited to what file types it can support, certain files require specific WebDAV support added to them in order to be accessed while others are not accessible at all. With Enterprise Drives any file as long as it supports random access can be accessed and are fully modifiable, this means word documents, notepad documents, development files such as java files or files from IDEs like eclipse can all be accessed, modified and saved. Not only that but WebDAV supports only local buffering, any file needing to be edited WebDAV will download a local copy and it is this copy that is edited. Once editing is complete WebDAV uploads this back to the server. With Enterprise Drive Mappings any file can be edited and can be edited in the traditional local buffered mode or also via streaming mode where the file is edited from the source.
320
Configuring Drive Mapping There are a number of configuration parameters that can be altered to make Enterprise Drive Mapping more suitable for your environment. These can be accessed from System Configuration → Windows Integration → Drive Mapping and are detailed below.
• Debug: Enable debugging for drive mappings. This should only be set if asked by SSL-Explorer support staff.
• Debug Flags: Flags for the above debug option. • Streaming Threshold: The size at which files are streamed. Streaming maintains an open file
on the remote filesystem. A zero value means files are always streamed. • Always Stream Files: The file extensions that should always be streamed. • Never Stream Files: The file extensions that should never be streamed. • Block Size: The block size used when reading data from the remote file system. Altering this
value can affect the efficiency of file accessing, the default value should be ample for most environments.
• Block Timeout: The number of seconds before a timeout exception is thrown when reading streamed blocks of data from the remote file system. A timeout exception will cause unexpected results and as such this setting is only used when the remote file system becomes unresponsive. It is not recommended. that you change this value unless instructed to do so by 3SP support.
• Total Size: The total amount of disk space displayed for a drive's volume information • Free Size: The amount of free space displayed for a drive's volume information • Size Format: The format to use in a drive's volume information
321
Applications
This function of SSL-Explorer allows for the publishing of applications that are to be either downloaded or launched by clients via the SSL-Explorer server. The benefits of being able to distribute resources in this way are mainly linked with the reduced costs of distributing applications and dependant software. Note that applications can not be created unless a valid Extension has been installed within the SSL-Explorer server. This section will cover:
• What is an Application Shortcut? • Applications Interface • Publish a new Application • Edit an existing Application • Removing an Application • Additional Application Configurations
What is an Application Shortcut? An Application shortcut allows for the publication of an application via the SSL-Explorer server. This means an application can be distributed very easily to authorized clients. This prevents the need to install specific application software on each client. In order for an application shortcut to function it requires the following information:
• Shortcut Identity • A valid Extension type • A valid Application shortcut configuration • Associated Policy
By using this approach SSL-Explorer can be used to deploy a variety of applications as shown in the diagram below.
322
In the diagram the remote clients will access the SSL-Explorer instance which makes applications available to the remote user. What applications are available to each remote use depend on the policies they are linked to. The other major component to an application is the extension that is associated to it. The extension is in essence the method of connection to be used to gain access to the application. If no extensions are installed then no application shortcuts can be created. Some of the extensions distributed by 3SP are bullet pointed below, details on configuring these can be found by clicking on the hyperlink:
• UltraVNC • Linux rdesktop command • Microsoft RDP Client • NX Client for Windows • PuTTY for Windows • Remote Desktop Protocol (RDP) • TN5250 AS/400 Terminal Emulator • Virtual Network Computing (VNC)
Extensions can be also created manually, this as well as addition information is detailed further in the following documents.
• SSL-Explorer: Getting Started Guide • SSL-Explorer: Configuration Guide • Knowledge Base Articles
323
Applications Interface The main Applications page provides information on all Applications present within the system.
By hovering over any resource a pop-up is loaded that provides valuable information on the details of each resource, in this instance the key information is detailed below:
• Name: The name of the Application shortcut. • Type: The Extension type. • Description: Further details on the resource
Action Icons The action icons against each Application shortcut performs functions on the associated Application shortcut, their respective objective is detailed below:
Delete Application shortcut
Edit Application shortcut details
Execute resource (user console)
Publish a new Application In order to demonstrate the publishing of a new application this section will detail the steps required to install the UltraVNC Extension. UltraVNC is an easy to use, fast and free software that can display the screen of another computer (via internet or network) on your won screen. The program allows you to use your mouse and keyboard to control the other PC remotely. A second version of the UltraVNC extension is available. This second version can used to connect to computers via a VNC Repeater. License: It is free and open source software released under the GNU General Public License. Official Site: http://www.ultravnc.com/
324
Step 1 First select Applications from the Resource Management section of the Management Console. This displays the following screen.
Step 2 On a fresh install there will be no application records present. In order to publish a new application click the Create Application Shortcut link as shown below.
This starts the Create Application Wizard. A graphic of the first page follows.
Step 3 In this screen the type of application extension is defined. The wizard behavior changes for step three. This is due to each application type having potentially different requirements for operating information. UltraVNC is used in this example but the other application types are covered later in this section. Select Next.
325
This screen allows for the entry of the application details. A brief description of each of the fields follows.
• Name: The name to be used to identify the Application shortcut. • Description: A description of the Application shortcut. • Add to favorites: A checkbox that if selected will add the application shortcut to the
favorites of the appropriate accounts.
Step 4 When the fields have had the desired values entered simply click the Next button. This advances to the following wizard page (General Tab). As already mentioned, depending on the application type a different Application Options screen will be presented. In this instance UltraVNC is being used. Each of the options available on the different tabs is explained below.
General Tab
Each of the options is described briefly below:
• Hostname: Hostname of the remote VNC server that is being connected to. • Port: The Port on which the remote is listening. If the VNC server uses Display Numbers
instead of Ports, simply add 5900 to the Display Number to get the Port Number. • Password: The Password for the remote VNC server. This is usually a maximum of 8
characters.
326
Display Tab
Each of the options is described briefly below:
• Full Screen: When enabled the remote desktop session will take up the entire screen. • Display Scale: Magnify or reduce the display area of the remote desktop. • Disable Status Bar: Disables the Status Bar when connecting to a WinVNC server. • Disable Hot Keys: Disables the WinVNC Hot keys. • Disable Toolbar: Disables the UltraVNC Toolbar. • View Only: Local mouse and keyboard input is disabled. • Cursor Type: Displays a specific type of cursor in the display window.
o No Cursors: Local systems current cursor type. o Dot Cursor: A small dot as the remote cursor. o Normal Cursor: Displays the remote cursor.
Mouse Tab
Each of the options is described briefly below:
• Emulate 3 button mouse (2 button click): Pressing the left and right mouse button at the same time emulates a middle mouse button click (i.e. LMB + RMB = MMB).
• Swap Mouse Buttons: Swaps the functions of the left and right mouse buttons.
327
Protocol Tab
Each of the options is described briefly below:
• Colour Scheme: Alters the color scheme of the display. • Share the Server with other viewers: Allows other VNC viewers to connect, view and
control the remote desktop. • Compression Level: The level of compression to be used when supported by a particular
form of encoding. The lower the number the less compressed which has a saving against processor time.
• Do not transfer Clipboard contents: This prevents the contents of the Clipboard from being transferred to the remote client/viewer.
• Encoding: Allows the selection of encoding types for the session.
328
Advanced Tab
Each of the options is described briefly below:
• Level of Logging: Change level of log output. Use higher numbers to aid debugging. • Output Console: Display log output on the console.
Once the application options have been entered click the next button to advance to the next page.
Step 5 This page allows for the configuration of policies to be applied against the new application record. Policies can be added, removed or even configured from his page. When all relevant policies have been applied click the Next button which displays the following page.
329
Step 6 This is simply a summary page detail key information. If all information on this page is correct press the Finish button to advance to the final wizard page as shown below.
Step 7 Clicking the Exit Wizard button returns to the main applications page where the newly created applications record is present.
That is it. This shortcut can now be executed and the configured resource will connect to the remote machine.
330
Edit an existing Application Step 1 To edit an existing application navigate to the applications screen (Management Console →
Resource Management → Applications). A list of existing applications is displayed as shown below.
Step 2 To edit an application just click the Edit action against the application to be altered. This will then show a tabbed screen where values can be changed for all of the associated information against an application. In the following example an UltraVNC application type is shown.
Step 3 Clicking the Save button will store the altered values and redisplay the applications screen. Selecting the Cancel button will not alter any values and return to the application screen.
331
Removing an Application Step 1 To remove an existing application navigate to the applications screen (Management Console →
Resource Management → Applications). A list of existing applications is displayed as shown below.
Step 2 To remove an application select the Remove action against the application to be removed. The following screen is presented.
Step 3 Selecting No will cancel the action and return to the application screen. Selecting Yes will remove the application and return to the main application screen.
332
Additional Application Configurations As already discussed there are a number of types of application that can be created. This section shows the Application Configuration screen(s) for each of these types. A brief description of each of the fields present is also included.
Linux rdesktop rdesktop is a Remote Desktop Protocol (RDP) client for most Unix-like systems such as BSD and Linux. rdesktop works by interacting with Microsoft Terminal Services. Linux rdesktop supports all features of RDP, including mapping local drives and printers to the remote computer. For a full list of features please visit the projects main site. Operating Systems: Unix variants such as BSD and Linux. License: It is free and open source software released under the GNU General Public License. Official Site: http://www.rdesktop.org/
Each of the options is described briefly below:
• Hostname: The Hostname of the remote RDP server. • Port: The Port on which the remote RDP server is running (defaults to 3389). • Domain: The Windows domain name to use for authentication. • Username: The Windows username to use for authentication. • Password: The Windows password to use for authentication. • Color depth: Number of bits per pixel to use. The lower the number the less colors are
available. 16bpp for example has 65536 colors available. • Full screen: The remote desktop will take up the entire local desktop.
333
Microsoft RDP Client Remote Desktop in Windows XP Professional provides remote access to the desktop of your computer running Windows XP Professional, from a computer at another location. Using Remote Desktop you can, for example, connect to your office computer from home and access all your applications, files, and network resources as though you were in front of your computer at the office. This Microsoft RDP Client only supports the features of RDP that can be executed from the command line. Operating Systems: Windows 2000; Windows 95; Windows 98; Windows ME; Windows NT; Windows Server 2003; Windows XP. License: Microsoft License Official Site: http://www.microsoft.com/
Each of the options is described briefly below:
• Hostname: The hostname of the remote RDP server. • Port: The port on which the remote RDP server is running (defaults to 3389). • Width: If full screen is not selected this will set the width of the remote desktop in pixels. • Height: If full screen is not selected this will set the height of the remote desktop in pixels. • Full screen: If enabled the remote desktop will take up the entire display. • Console Session: Connects to the Windows console desktop.
334
NX Client for Windows The NoMachines wide range of free NX clients is a lightweight means to carry with you all the power of your office workstation. For a full list of features please visit the projects main site. Operating Systems: License: NoMachine NX Products License Official Site: http://www.nomachine.com
General Tab
Each of the options is described briefly below:
• NX Server Hostname: The hostname of the server which is running NX. • NX Server Port: The port number on which the NX server is listening. Because NX uses
SSH this will normally be 22. • NX Public Key: Each NX server uses public key authentication to validate the initial
connection. There is only one key per server. • NX Username: The name used for authentication on the NX server. • Session: This defines the type of session. Session can be Unix, Windows or VNC. • Desktop: Allows for the selection of the remote desktop type to use. For example Gnome or
KDE. • Connection: Enables the selection of the speed of the network connection. Possible values
are Modem, ISDN, ADSL, WAN or LAN. • Display Size: Defines the size of the display window.
335
• Custom Width: When using the custom display size this value will set the display width in pixels.
• Custom Height: When using the custom display size this value will set the display height in pixels.
Advanced Tab
Each of the options is described briefly below:
• Disable no-delay on TCP connection: Selecting this option will disable the no-delay setting when using TCP connections.
• Disable ZLIB stream compression: Selecting this option will disable the ZLIB stream compression for a connection.
• Enable SSL encryption of all traffic: Allows the session to be encrypted using SSL. • Cache in memory: Sets the amount of cache to be used in memory. • Cache on disk: Set the amount of cache to be used on the disk..
Environment Tab
Each of the options is described briefly below:
336
• Use font server: Allows the use of a font server. • Font Server Host: The hostname of the font server to be used. • Font Server Port: the connecting port of the font server.
XDM Desktop Options Tab
These settings are used if the Desktop field is set to use XDM. Each of the options is described briefly below:
• XDM Settings: Specifies how the XDM settings are collected. • XDM Display Host: The hostname of the XDM Display Server. • XDM Display Port: The port the XDM Display Server connects on.
Custom Desktop Options Tab
These settings are used if the Desktop field is set to use Custom. Each of the options is described briefly below:
337
• Application: Allows the user to select how the desktop is launched. • Run the following command: Runs the entered command at startup but only if the option is
selected in the application field. • Virtual Desktop: Sets either a fixed display or a moveable window. • Enable the X agent encoding: Enables X agent encoding in the desktop. • Enable taint of X replies: This option when enabled will short-circuit simple replies on the
X client side in single application mode.
Windows Session Options Tab
Each of the options is described briefly below:
• RDP Hostname: The hostname of the Windows systems being connected too. • RDP Domain: The domain of the target system. • RDP Authentication: The method of authentication to be used. • RDP User: Specifies the name to be used if “Show Windows logon Screen” is selected in the
RDP Authentication field. • Run an Application at Start-up: Allows an application to be launched when a connection is
made. • Run the following Application: Runs the enter Application path at start-up if the previous
option is true.
338
VNC Session Options Tab
Each of the options is described briefly below:
• VNC Hostname: The Hostname of the system being connected to. • VNC Display Port: The Display port number that is used.
339
PuTTY for Windows PuTTY is a client program for the SSH, Telnet and Rlogin network protocols. These protocols are all used to run a remote session on a computer, over a network. PuTTY implements the client end of that session: the end at which the session is displayed, rather than the end at which it runs. In really simple terms: you run PuTTY on a Windows machine, and tell it to connect to (for example) a Unix machine. PuTTY opens a window. Then, anything you type into that window is sent straight to the Unix machine, and everything the Unix machine sends back is displayed in the window. So you can work on the Unix machine as if you were sitting at its console, while actually sitting somewhere else. Some features of PuTTY are:
• The storing of hosts and preferences for them for later use. • Control over the SSH encryption key and protocol version. • Command-line SCP and SFTP clients, called "pscp" and "psftp" respectively. • Control over port forwarding with SSH, including built-in handling of X11 forwarding. • Full XTerm, VT102, and ECMA-48 terminal emulation. • IPv6 support • Public-key authentication support
For a full list of features please visit the projects main site. License: MIT licence Official Site: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Each of the options is described briefly below:
• Hostname: The Hostname on which the SSH server is running. • Port: The Port on which the SSH server is using. Defaults to the normal SSH port number of
22. • Username: Username used to authenticate with the SSH server.
340
Remote Desktop Protocol (RDP) RDP is the remote access protocol that underpins Windows Terminal Services and Windows XP Remote Desktop Connection. License: It is free and open source software released under the GNU General Public License.
Each of the options is described briefly below:
• Hostname: The Hostname on which the RDP server is running. • Port: The Port that the RDP Server is using. Defaults to 3389. • Domain: The Windows domain name used for authentication. • Username: The Windows user name used for authentication. • Password: The password used for the authentication process. • Bandwidth Saving: Enables the use of the Bandwidth saving mode. • Fullscreen (Java 1.4+): When enabled this will display the remote desktop on the entire
display area of the local desktop. Java 1.4 or higher must be present for this to work. • Screen Width: Defines the width of the remote desktop as long as full screen mode is not in
use. • Screen Height: Defines the height of the remote desktop as long as full screen mode is not in
use. • Keyboard: Keyboard language code. • Start Program: A program to start running upon connection.
341
TN5250 AS/400 Terminal Emulator An emulator allowing connections to AS/400 machines. License: It is free and open source software released under the GNU General Public License.
Each of the options is described briefly below:
• Hostname: The hostname running the terminal emulator. • Port: The port being used by the terminal emulator.
342
Virtual Network Computing (VNC) VNC software makes it possible to view and fully interact with one computer from any other computer or mobile device anywhere on the internet. This extension uses the TightVNC variation of the VNC protocol. License: It is free and open source software released under the GNU General Public License. Official Site: http://www.tightvnc.com
Each of the options is described briefly below:
• Hostname: The Hostname of the remote system running a VNC server. • Port: The VNC Display port to be used. • Password: The VNC Password. • Operate in a separate window: This will open this connection in a new display window if
one is already open. • Restricted colors to 8 bits: Restricts the display to only use 8 bit colors. • View only: Disables the mouse and keyboard allowing only the viewing of the connection. • Show Controls: Displays a toolbar containing the VNC controls. • Share desktop: Shares the connection with other clients on the same VNC server. • Defer screen updates (in ms): Use this option to set the number of milliseconds between
each screen update. • Defer cursor updates (in ms): Use this option to set the number of milliseconds between
each cursor update. • Defer update requests (in ms): Use this option to set the number of milliseconds between
each update request.
343
SSL-Tunnels
SSL Tunnels allow for ad-hoc connections to be made between networked computers. The following items are covered in this section. This section will cover:
• What is an SSL Tunnel? • SSL Tunnels Interface • Create a new SSL Tunnel • Edit an existing SSL Tunnel • Remove an existing SSL Tunnel
What is an SSL Tunnel? An SSL Tunnel is simply a connection between two TCP enabled components. All of the data transmitted over a tunnel is encrypted using the SSL protocol. This is done the same way as other tunnelling technologies. For example, a user may wish to create a secure tunnel to a TCP/IP enabled database that exist the other side of an SSL-Explorer server. First of all, an administrator configures a new SSL-Tunnel that uses 63389 as its source port and mysql.mycompany.com:3389 as the destination. The user may then activate this tunnel and then specify localhost as the hostname and the 63389 as the port and all traffic with then be secured. You may use the same technique for a number of different applications and protocols. A common use of tunnels is to secure the SMTP / POP protocols used for email access. In short, anything that uses TCP/IP client / server architecture will usually be able to be secured in this manner.
Tunnel Types Tunnels come in two types:
• Local: A local forwarding is where the client acts as the listening device. • Remote: A remote forward is where the client acts as the listening process. Here the roles are
reversed and it is the remote target that acts as the listener of any communication request. The practical implication of this is that a remote user can connect to a central company networked SSH server and use it as a go between to access another client machine within that network.
344
SSL Tunnels Interface The SSL-Tunnels page is accessible from Management Console Resource Management SSL Tunnels as shown below The main SSL Tunnels page provides information on all tunnels present within the system.
Action Icons The action icons against each SSL-Tunnel performs functions on the associated tunnel, their respective objective is detailed below:
Delete SSL Tunnel
Edit SSL Tunnel details
Execute resource (User Console)
345
Create a new SSL Tunnel Step 1 To create a new SSL Tunnel first click the “Create Tunnel” action from the SL-Tunnel main page.
This will then start the wizard, the first page of which follows.
• Name: The name to be used to identify the SSL Tunnel. • Description: A description of the SSL Tunnel. • Add to favorites: A checkbox that if selected will add the SSL Tunnel to the favorites of the
appropriate accounts.
Step 2 Once all the relevant values have been completed simply click the Next button. This will show the following page.
• Source Interface: The interface the local server will listen on. This can be any valid local IP address. For example, it could be your network IP address in which case you would connect to <hostname>.co.uk in this case other external hosts will be able to connect to you via your hostname. This replaces the original allow external hosts parameter. It could also be 127.0.0.1 in which case the local loopback address localhost will be used. In this case only you can connect using localhost or 127.0.0.1. It could also be blank in which case it will listen on both.
• Source Port: The port number to use with the source interface. The port on which the client agent creates a server that is connected via the tunnel to the destination on the SSL-Explorer
346
network. This can be any port number (over 1024 on UNIX based systems) and is the number that should be used when configuring the client application. For example, if you were connecting a tunnel from port 60025 to an SMTP server running on port 25 on the host mail.mycompany.com, the source port is 60025
• Destination Host: The name of the host that forms the other end of the tunnel. • Destination Port: The port number of the host that forms the other end of the tunnel. The
port on which the SSL-Explorer server creates a server that is connected via the tunnel to the agent which then is in turned connected to the client application (a server of some kind, VNC server for example – in this case people on the SSL-Explore would be able to use a VNC viewer to display and control the remote desktop e.g. this would run on port 5900).
• Auto. Start: A checkbox that is disabled as default. When checked this will automatically try to start the tunnel for the duration of the SSL Explorer server session.
• Type: This drop down box supports the values Local and Remote. A local SSL Tunnel type allows for local connections only. The Remote option will allow for connections to the remote clients network.
Step 3 Once all the relevant values have been completed simply click the Next button. This will show the
following page.
Step 4 Once all the relevant values have been completed simply click the Next button. This will show the summary page.
Step 5 If the summary information is all correct simply click the Finish button. This will show the final
wizard page.
347
Step 6 Finally click on the Exit Wizard button to close and exit the wizard. The newly created SSL Tunnel will now be displayed on the main page.
In addition to this a new item will become available from the User Console as shown below (Navigation is: User Console Resources SSL Tunnels).
SSL Tunnels require the SSL-Explorer Agent to be running in order to operate correctly. More information is available on the SSL-Explorer Agent in the Configuration Management document.
348
Edit an existing SSL Tunnel Step 1 To edit an existing SSL Tunnel navigate to the SSL Tunnels screen (Management Console
Resource Management SSL Tunnel). A list of existing SSL Tunnels is displayed as shown below.
Step 2 To edit an SSL Tunnel select the Edit action the SSL Tunnel to be altered. This will then show a tabbed screen where values can be changed for all of the associated information against an SSL Tunnel.
Step 3 Clicking the Save button will store the altered values and redisplay the SSL Tunnels screen. Selecting the Cancel button will not alter any values and return to the SSL Tunnels screen.
349
Removing an SSL Tunnel Step 1 To remove an existing SSL Tunnel navigate to the SSL Tunnels screen (Management Console →
Resource Management → SSL Tunnel). A list of existing SSL Tunnels is displayed as shown below.
Step 2 To remove an SSL Tunnel just click the Remove action against the SSL Tunnel to be removed. After pressing the Remove button the following screen is presented.
Step 3 Selecting No will cancel the action and return to the SSL Tunnels screen. Selecting Yes will remove the SSL Tunnel and return to the main SSL Tunnels screen.
350
Profiles
Profiles configure the general working environment for a user. The system provides two areas of control and they are the session and SSL-Explorer agent properties. This chapter covers all that is needed to use and manage profiles from creating to configuring them. The sections covered in this chapter are:
• What is a Profile? • Profiles Interface • Creating a new Profile • Editing Profile Parameters • Editing a Profile Description • Deleting a Profile
By the end of this chapter the reader should have a good understanding of profiles and how best to configure them to suit their own environment.
What is a Profile? Simply a profile provides a means for a Super User or user to alter the general working environment of the system. Modification is encapsulated into two distinct areas those that affect a session and those that affect the SSL-Explorer Agent. The SSL-Explorer Agent is an applet that tunnels data from insecure applications. The agent intercepts the data and encrypts transmission. The agent is mainly used by resources as SSL-Tunnels and Web Forwards further information on the agent and resources can be found in the SSL-Explorer: Resource Management Guide. The session parameters affect how the active session behaves and includes such things as session inactivity timeout which defines how long a user can sit idle before being automatically logged out. Profiles can be accessed and configured by both the Super User and the user, however only the user can configure the system default profile. User’s themselves, if given the permission to do so (refer to the Permissions chapter in SSL-Explorer: Access Control Guide), can create and manage their own profiles. Profiles are a great way for users to configure an environment based upon where they are accessing the system from. For example a user might configure a ‘home’ profile which is configured for use when working from home. Another might be to create a profile called ‘On-site’ which could be used for when the user is on a customer site.
351
Profiles Interface The main profiles page lists the currently configured profiles. This page is located under Management Console → Resource Management → Profiles.
The main page details which policy a profile is associated with. If a user has been given the permission to maintain profiles only those profiles associated with a user’s policy are visible from the user console under User Console → Resources → My Profiles.
Action Icons The action icons against each profile performs functions on the associated profile, their respective objective are detailed below:
Delete profile
Edit profile name and description details
View or edit profile parameters (More…)
352
Creating a new Profile Step 1 From the main profiles page select the Create Profile action in the Action pane in the top right of the
page.
Step 2 The first step in the wizard is the naming of the resource. Provide an appropriate name and description.
The profile itself when created has to be based on an exiting profile. All the current parameters set within this base profile are copied into the new profile. The Base on profile parameter should be used to select an appropriate profile to use.
Step 3 The next step is associating this profile to a policy. Select the appropriate policy.
Step 4 In the final step the wizard presents a summary of the profile.
353
Pressing the Finish button will end the wizard and create the profile. That’s all there is to it. As you will have noticed the configuration of the profile has not be done. The profile takes on the properties of the base profile. To configure this profile further the edit profile parameters action must be selected. This is detailed next.
354
Editing Profile Parameters From the profiles page select the Configure action listed under the More… button against the required profile. The Edit profile page will be shown.
From here the Session and Agent properties can be altered. Selecting the appropriate icon will take the user to the edit page for that area. Each area is detailed below.
Editing Session Details The session edit page is shown below.
The parameters are detailed below.
Web server
• Session inactivity timeout: Number of minutes a user may sit idle before the system logs the user out automatically
• Compression: Data received will be compressed. This has an affect on processor power but delivered data quickly.
Replacement Variables The ${} indicates that replacement variables can be included in the resource definition. Click this icon will load the available variables that can be used. The session variables are values taken from the current session. The args variables are values taken from user defined attributes.
Note
355
User Interface
• Enable tool tips: This enables SSL-Explorer tips to be shown where necessary • Special effects: Enable or disable special window effects. • Theme: There is only one theme provided with the default installation called default. New
themes can be added later when offered by 3sp from the extension store. The user can also manually change the look and feel of the SSL-Explorer user interface. A theme has three parts:
1. CSS: used to change fonts, colours, borders, a few images etc 2. Images: Each theme can have its own set of images 3. Layouts: These allow a user to radically change the user interface very easily. Using
layouts a user can change the positioning of items for example the default left hand menu could be moved to run across the top of the page. However these don’t allow the alteration of the main content area for each page.
The best way to create your own company theme is to copy webapp/theme/default and webapp/WEB-INF/theme/default to another folder such as webapp/theme/myTheme and webapp/WEB-INF/theme/myTheme respectively and edit the content. Images are easiest to change followed by CSS and finally layouts.
• Default user console resource view: The default view type to use when listing resources in the user console
• Date format: In which format should dates be used in the system • Clock type: Select the type of clock you wish to display, this clock is visible in the event
pane.
‘Client’ displays the clients local time, ‘Server’ displays the servers time and ‘Disabled’ prevents the clock from being displayed.
356
Editing Agent Details
Agent Configuration
• Keep-Alive interval: Because the agent does not have a permanent connection to SSL-Explorer as HTTP is stateless, a heartbeat is required to inform SSL-Explorer is alive. If SSL-Explorer fails to receive this heartbeat then all open connections are closed.
• Shutdown interval: When an agent is being shutdown either by logging off or clicking the agent shutdown button a message is sent to the agent to shutdown. If SSL-Explorer does not receive a de-registration request from the agent within this configured interval SSL-Explorer takes it upon itself to clean up any unnecessary connections tunnels, objects etc.
• Registration sync timeout: When the agent is launched the agent applet downloads and tries to start the agent. The applet then waits for the agent to connect to SSL-Explorer and send registration request. If this is not received within this allotted time then the applet is informed and an error is raised.
No Requirement to Adjust Parameters The heartbeat, registration and shutdown intervals shouldn’t be altered unless you are working with a slow network or old hardware.
• Start automatically on logon: Start the agent automatically whenever a user logins • Browser command: Command to launch browser, leave blank for automatic • Web forward inactivity timeout: If a web forward has been inactive for the given duration
close the connection • Tunnel inactivity timeout: If a tunnel has been inactive for the given duration close the
connection • Debug: Enable logging, logs will be held on the client machine under
<User_home>/.sslexplorer/applications/Agent/cpn-client.log
Note
357
• Force basic agent: Force the use of the basic SSL-Explorer agent. This is supported on all Java platforms and versions from 1.1 upwards (including the Microsoft JVM) and is a smaller downloaded that the more full featured agent
• Clear cache directory on exit: Enabling removes the SSL-Explorer Agent from the client’s computer on shutdown. Disabling leaves the SSL-Explorer Agent files will be left inside a hidden directory enabling a faster start up time on next use.
• Display information popups: Enabling this shows messages when the agent is performing an actions in a popup. Disabling this removes these popups and lets the agent to operate silently.
• Cache directory: The location for storing downloaded applications and other resources. This directory is maintained within the users home directory.
• Remote tunnels require confirmation: Enabling will force the user to accept any remote tunnel connections. Disabling will automatically create connections.
• No session timeout if active: This prevents the user session from timing out if the agent is running regardless of whether the agent has any open tunnels
• Localhost address: The address to use when SSL-Explorer needs to connect to the loopback address on the client. For example, this may be set to 127.0.0.2 as a work-around for connection problems when using the RDP extension on Windows XP SP1
Agent Proxy Configuration
• Type: Type of proxy server, this can also be configured to use whatever proxy the browser is using.
• Hostname: The hostname of the proxy server • Port: Port number of proxy server • Username: If proxy server requires authentication this will be the username provided.
Leaving this blank will force authentication when the agent connects to the proxy. • Password: Associated with the above username • Domain: Authenticating domain if proxy server uses Windows authentication. • Preferred authentication: If authentication is used the preferred authentication method can
be configured.
358
Editing a Profile Description From the profiles page select the Edit Profile Description action against the required resource and the Edit profile page will be shown. From this page the name and description and to which policy the profile is assigned can be altered.
Deleting a Profile The Delete action removes a profile permanently from the system. Selecting the Delete action against a profile will result in a warning message informing that the profile is about to be deleted, as shown below.
Selecting Yes will result in the removal of the resource from the system. If this profile is associated with any policies this link will also be removed along with all other associated links.
359
Network Extensions
The SSL-Explorer Network Extension (nEXT) is a feature which provides users with full network connectivity allowing them to upload download files and even mount drives as if they were on the local network. The feature works on Linux and Microsoft Windows 2000, XP and 2003 operating systems. This chapter covers everything a Super User will need to know to set-up, deploy and administer the nEXT extension and furthermore it provides details on how a user can get the benefits out of the service. The sections included are:
• What is nEXT? • Network Extension Interface • Configuring the Server • Configuring the Client • Additional Configuration • Running the Service • Creating Bridged Configuration • Sample Scripts
By the end of this chapter the reader should have a good understanding the nEXT extension from knowing the benefits to creating, using and deploying a successful nEXT deployment.
What is nEXT? The SSL-Explorer Network Extension’s plug-in provides an OSI layer 2 or 3 secure network extension, providing an easy-to-configure network interface which has minimal maintenance overheads. As part of the Enterprise Edition, SSL-Explorer nEXT is a plug-in to SSL-Explorer that provides full network connectivity to the connecting client. Meaning that a user gains access to the company network and may perform remotely all of the standard functions as adding new drives, moving files etc as if they were connected sitting in their actual office. Once installed, a Super User is able to configure any number of virtual network interfaces on the server and allow full network access to the SSL-Explorer user population. SSL-Explorer nEXT consists of two components: the server-side component which opens up interfaces and the client-side component which connects to these interfaces. It is through these connections that data is transmitted and received between both parties.
360
As the diagram below shows in affect nEXT creates a tunnel between two networks.
Each separate network remains to work independently on its own subnet but in addition a new subnet is created by nEXT - in this example, 192.168.70. The home network server has to hop from one subnet to the other to communicate between the nEXT server (and the corporate network) and the home network. The single clients are not connected to any home network and so run the nEXT client independently. Each has two network addresses, their standard internet address and the new nEXT address on the 192.168.70 subnet. The nEXT plug-in is not a full ‘clientless’ solution since it needs to install network virtual devices on each client’s operating system. However all configuration data is maintained on the server so any changes to these is pushed down to client when it connects. Once installed, its operation is quite transparent to the user.
Typical Scenarios There are a couple of typical connection scenarios that this document will address.
• The Road Warrior: One of the more common requirements of a VPN solution is to provide connectivity to employees out in the field. These users may want access to the company’s Local Area Network to upload files, read email and use VOIP to make calls from their laptops.
The Remote Office: Another common requirement of a VPN solution is to connect two offices together.
361
System Requirements The nEXT extension requires a certain level of resources available on both the SSL-Explorer server as well as the client machines that will be installing the client software and so to successfully run nEXT the following requirements should be met:
Server System
• Microsoft Windows 2000, XP or 2003 Server • SSL-Explorer 0.2.4 • SSL-Explorer Enterprise Edition
OR • Linux 2.4 or higher with integrated TUN/ TAP driver
Client System
• Microsoft Windows 2000, XP or 2003 Server OR
• Linux 2.4 or higher with integrated TUN/ TAP driver
Requires Administrative Account to Install Service In order to install and run the SSL-Explorer: nEXT service on your client machines, you will require the use of an account with administrative permissions in Windows. Once the service is installed, a regular user can launch nEXT configurations from Windows system tray.
Network Extension Interface The Network Extension interface can be accessed from the Access Control section of the Management Console.
A number of actions are available against each server and client component these are detailed in the next section.
362
Action Icons The icons are split into those available for a client and those available for a server interface, where necessary hyperlinks have been provided to allow direct access to information on the action. It is recommended however that the process of configuring and executing the nEXT service successfully that the entire process should be followed in order, from the Configuring the Server section onwards.
Client Icons
Launch Client Configuration. Refer to Connecting Client
Install Windows Service. Refer to Windows Service
Add Windows TAP driver Install Client TAP Driver
Delete Windows TAP driver
Compile Linux Client Connecting Client
Edit Client Configuration
Remove Client Configuration
Server Icons
Start Network Extension Starting Server Interface
Add Windows TAP driver Install Server TAP Driver
Delete Windows TAP driver
Edit Server Interface
Remove Client Configuration
363
Configuring the Server Before we can begin configuration of the plug-in it must first be installed. As with any other plug-in, you will need to use the Extension Manager for this operation unless already installed with the full Enterprise Edition release.
For this particular extension the SSL-Explorer server will need restarting before nEXT can be used. For Linux servers the nEXT extension files are compiled on the operating system, GCC and GCC-C++ should be installed on the server for successful compilation. If compilation does fail SSL-Explorer will report this when the Super User logs back in.
Avoiding Recompilation with Server Restart Each time a Linux SSL-Explorer instance is restarted it searches for a nEXTserver binary in $SSLX_HOME/bin directory. If this is not found then a compile of the binary is performed and the output copied to $SSLX_HOME/bin directory. A compile is only performed again when the Network Extensions version has changed. A compiled binary from another server can be used by copying the binary to $SSLX_HOME/bin directory and checking the 'Do not compile' parameter under System Configuration → Resources → Network Extensions. If this is not set the system will re-compile and not use the copied binary. If the system is not compiling the binary itself then at each version change take a newly compiled version and copy to $SSLX_HOME/bin, failure to do so may result in problems as the binary may not be compatible with the latest version of the plug-in.
The basic steps that need to be carried out for a successful server side implementation is as follows:
• Configuration of the server interface • Installation of the TAP driver
Both these steps are covered below.
Step 1 The first step in the process is the creation of a server interface. The server interface is a virtual network adapter that resides on the operating system that hosts your SSL-Explorer server. This virtual adapter (typically called a TAP device) provides the connection between your LAN and your VPN clients.
Note
364
Step 2 This opens the Network Extensions main page. From the Action list in the event pane choose whichever actions is appropriate Create Bridged Interface or Create Routed Interface action.
• Bridged: A bridged interface essentially involves combining an existing Ethernet interface on your server with a virtual TAP interface, placing them together under the umbrella of a single bridge interface
Benefit of Bridged Interface One of the benefits of using a bridged interface is that a connecting client can obtain an IP address from the LAN subnet.
• Routed: A routed interface involves creating a separate subnet for VPN clients; each
connecting client receives an IP address from the VPN subnet and not an IP address from the LAN. This requires some additional network configuration, setting up routes on your gateway and ensuring that the operating system hosting SSL-Explorer is acting as a router
Benefit of Bridged Interface One of the benefits of using a routed interface is that Routing is more scalable and efficient than bridging.
Overall bridging and routing are very similar, with the major difference being that routed interfaces will not pass IP broadcasts across the VPN, but a bridged interface will.
Step 3 To create an interface a number of details are required, firstly the name and description of the interface
Secondly the ‘Interface Settings’ need to be configured.
Note
Note
365
The parameters are as follows:
• Network: Network address for this subnet in CIDR format. In the screenshot above a private subnet of 192.168.70.0/24 has been created. This is the same as using 192.168.70.0 with a subnet mask of 255.255.255.0 which will provide 256 hosts (254 useable addresses as 192.168.70.0 is the network address and 192.168.70.255 is the broadcast address).
• IP Address: IP address assigned to the first from the defined subnet. By default the server will be assigned the first available IP address in the subnet range which in the above example would be 192.168.70.1.
• Max Clients: Maximum number of concurrent clients that can connect to this subnet. This figure is also affected by the number of concurrent users you have licensed for SSL-Explorer: Enterprise Edition.
Step 4 If you have chosen to create a routed interface then the routing tab will need completing.
• Published Network: This box contains a list of the published networks for this server interface. A published network is any network which you want clients connecting to this interface to have access to. In the example, we have added the 192.168.0.0/24 subnet which is the main LAN that clients will need to access.
• MTU: The ‘Maximum Transmission Unit’ for Ethernet frames. • Route between clients: If checked clients on the VPN will be able to communicate with
other clients on the same VPN. • Publish client networks to other clients: The client configuration page allows the
publication of networks published by connecting clients. By default these networks are not accessible by other clients. However by checking this box these published networks become
366
accessible by other clients. This will also require the above option, Route between clients to be checked also.
Step 5 For advanced users select the command tab to configure any required up and down commands.
Up Commands: A command that will be executed once the interface has started. In the screenshot above the comments in speech marks will be displayed with the $IPADDR variable being replaced for the actual IP address. Any command executable from a script file is useable. In fact the commands listed here are themselves executed from a temporary script file. Much like the $IPADDR token there are a number that can be used, these are listed below.
• Down Command: Similarly to the ‘Up’ command parameter, only these commands will be executed when the interface is stopped.
Step 6 Once configured, pressing the Save button will store these parameters. The newly created interface
will now be visible from the main page.
The main page displays the current status of the interface and the available options that be performed on the associated interface. The final step is the installation of a corresponding TAP driver on the server to service the new interface this is detailed in the next section.
Option Description
${IPADDR} The IP address of the interface
${DEVICE} The name of the TAP device created by the ifconfig command.
${NETADDR} The network address for this interface
${SUBNET} The subnet mask for this interface
${CIDR} The CIDR string for this interface
${MTU} The MTU of the interface
${BADDR} The broadcast address of the network
367
DHCP Configuration When a nEXT client connects to the server, DHCP is used to retrieve the IP address they will be assigned. The parameters configured in the DHCP tab are pushed to the client to allow it to configure necessary components such as DNS servers, WINS servers and, NTP servers.
The configurable items are detailed below: • Address Pool Start Address: Start address of the DHCP address assignment, only IPs in this
range will be allocated by nEXT. • Address Pool End Address: End of the DHCP address assignment • Domain name: Set connection-specific DNS Suffix, this is used to search domains when a
FQDN is not provided, i.e. hostname rather than hostname.company.co.uk. • Primary DNS: Set primary domain name server IP address. • Secondary DNS: Set the secondary DNS server IP address.
Defining Flush and Register Commands for Windows If you have problems resolving the DNS server set the clear DNS cache command, ipconfig /flushdns and the DNS registration command, ipconfig /registerdns, to the client Up command pane in the client configuration window.
• Primary WINS: Set primary WINS server IP address (NetBIOS over TCP/IP Name Server). • Secondary WINS: Set the secondary WINS server IP address. • NBDD server: Set primary NBDD server IP address (NetBIOS over TCP/IP Datagram
Distribution Server) • NTP server: Set primary NTP server IP address (Network Time Protocol). • NBT type: Set NetBIOS over TCP/IP Node type. Possible options:
368
1 = b-node (broadcasts) 2 = p-node (point-to-point name queries to a WINS server) 4 = m-node (broadcast then query name server) 8 = h-node (query name server, then broadcast)
• NBS Scope-Id: Set NetBIOS over TCP/IP Scope. A NetBIOS scope Id provides an extended
naming service for the NetBIOS over TCP/IP (Known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
• Disable NBT: Disable NetBIOS over TCP/IP. These parameters can be accessed for use in the Commands tab also. The relevant replacement variables are detailed below. Option Description
${DOMAIN} Domain name
${PRIMARY_DNS} Primary DNS IP
${SECONDARY_DNS} Secondary DNS IP
${PRIMARY_WINS} Primary WINS IP
${SECONDARY_WINS} Secondary WINS
${NTP} NTP server
${NBDD} NBDD server
${NB_SCOPE_ID} NetBIOS scope Id
369
Install Server TAP Driver A TAP driver is virtual network kernel driver that simulates an Ethernet network device. Whereas ordinary network devices are directly backed by physical hardware; data sent to/from a virtual TAP device is forwarded to/from applications i.e. SSL-Explorer. To the operating system, the process is transparent and acts in an identical manner to a secondary physical network adapter.
Microsoft Windows 2000 / XP/ 2003
Windows does not come preconfigured with a TAP driver and so it must be installed.
Step 1 Log into your machine using an administrative account. Step 2 The tap driver is installed form the SSL-Explorer server. So the second step in this process is to log
into the management console on the server instance requiring the TAP driver installation. Step 3 From the server interface listing select the ‘Install Windows TAP Driver’ action.
Multiple Server Interfaces For each new network you wish to extend to a new TAP driver will need to be installed on the server to service that network.
This will begin downloading files from the server on to the client machine.
Step 4 As the SSL-Explorer nEXT TAP driver is currently unsigned a warning will appear. Select Continue Anyway to install the driver.
Warning Message
Note
Note
370
The warning message will appear for every instance of the TAP driver you have installed this could be multiple times. Continue pressing Continue Anyway until the driver installation is complete.
Step 5 Once complete press Ok to complete the installation process.
That’s all there is to installing a Windows TAP driver.
Linux
Most Linux distributions come with an integrated TUN/TAP driver.
Step 1 Firstly, make the device node.
mknod /dev/net/tun c 10 200 Step 2 Add to /etc/modules.conf
alias char-major-10-200 tun
Step 3 Load TUN/TAP driver modprobe tun
That is all there is to configuring the server-side of the nEXT plug-in. The next section details the client side which must also be configured.
371
Configuring the Client The client side follows a similar premise to the server interface configuration:
• Client configuration • Installation of the TAP driver
Both these steps are detailed below.
Step 1 From the Network Extensions page select the appropriate client configuration action. A client configuration is seen as a single client connecting the nEXT server whereas a routed client can be seen as a external network connecting to the nEXT server.
Step 2 This will start the ‘Create Client Configuration’ wizard. The first step requires the name of the configuration and description.
Checking the Add to favorites add this to the clients favorite’s page.
Step 3 The next step requires the interface configurations defined.
372
• Server Interface: the server configuration to use. This should be the interface that was configured earlier.
• IP Address: Optionally you can specify an IP address to bind to this client configuration. • Device Name: Optional you can also specify a device name associated with the TAP
network driver.
Step 4 If you have chosen to create a routed client configuration then you can configure any routing information in this step.
• Published Network: a list of the published networks for this client interface. A published network is any network which you want clients connecting to this interface to have access to. In the example above I have made the client side LAN, 192.168.70.0/24 visible to the server.
• MTU: The ‘Maximum Transmission Unit’ for Ethernet frames.
Step 5 The next step for both configurations allows any up and down commands to be defined.
Step 6 Select the policy this resource should be attached to. Adding this to the ‘Everyone’ policy ensures that the entire user population will have access to this client.
373
Step 7 The final step displays the summary of the configuration. If you are happy with the configuration select the Finish button to create the resource. The newly created client will be visible from the main Network Extension page.
The next step is the installation of a TAP driver to route requests from the client machine to the corresponding TAP driver on the server; this is detailed in the next section.
Install Client TAP Driver A TAP driver is virtual network kernel driver that simulates an Ethernet network device. Whereas ordinary network devices are directly backed by hardware network adaptors data sent to and from TAP device are forwarded to and from applications i.e. SSL-Explorer.
Microsoft Windows 2000 / XP/ 2003
Windows does not come preconfigured with a TAP driver and so it must be installed.
Step 1 Make sure the ‘User console install actions’ checkbox is checked in the nEXT configuration page (System Configuration → Resources → Network Extensions.
Step 2 Log into your machine using an administrative account.
Step 3 The TAP driver is installed form the SSL-Explorer server. So the next step in this process is to log in to the user console with the client machine you wish the TAP driver to be installed on.
Step 4 From the correct client configuration select the Install Windows TAP driver action.
374
Multiple Server Interfaces Each client TAP driver is tied to a TAP interface on the server at runtime. If you wish to be able to access multiple TAP drivers on the server then multiple TAP drivers on the client should also be installed – one for each network (which should have a corresponding TAP driver installed on the server) you wish to access.
This will begin downloading files from the server on to the client machine.
Step 5 As the SSL-Explorer nEXT TAP driver is currently unsigned a warning will appear. Select Continue Anyway to install the driver.
Warning Message The warning message will appear for every instance of the TAP driver you have installed this could be multiple times. Continue pressing Continue Anyway until the driver installation is complete.
Step 6 Once complete press Ok to complete the installation process.
Note
Note
375
That’s all there is to installing a Windows TAP driver. The client is now configured.
376
Additional Configuration Before we can actually start the server interface a few external items for the server need to be configured:
• Configuration of necessary routes • Enabling IP routing on the server
These are detailed below. In order for the machines on the new subnets created through nEXT to operate successfully with the VPN the routes need to be configured on the published networks. As a minimum the VPN network should be added to routes on those machines clients may require access to over the VPN.
Where SSL-Explorer is the Default Gateway If the SSL-Explorer server is the default gateway for your network adding the VPN network will not need to be added to these routes.
Local routes
If the SSL-Explorer server uses the LAN IP address 192.168.0.10 with the VPN subnet being 192.168.70.0.
To add routes across the LAN execute the following command on the machines clients should be able to access:
• Linux: route add –net 192.168.70.0 netmask 255.255.255.0 gw 192.168.0.10 • Windows: route –p add 192.168.70.0 mask 255.255.255.0 192.168.0.10
The machines will be aware of the VPN and thus be able to respond to requests from the subnet IP addresses. If all machines needed to see the subnet then these commands would need to be executed on all machines.
Global routes
An alternative is to add the route to the default gateway. In this way all machines will instantly be able to see the subnet through the default gateway. For example if we have a default gateway of 192.168.0.1 we need to execute the route command to route all 192.168.70.0/24 traffic to the SSL-Explorer server on 192.168.0.10.
• route add –net 192.168.70.0 netmask 255.255.255.0 gw 192.168.0.10
Note
377
When a client tries to access a machine on the new subnet it will not be able to locate the IP address. Instead it will go to the default gateway which will then direct the machine to the SSL-Explorer server which has visibility of the subnet. In the local routes example the default gateway is not configured and so if a machine has no knowledge of the subnet the machine is unreachable.
Enable Server IP Routing IP routing is a set of protocols that allows data to travel across multiple networks from source to destination. By default this is disabled and needs to be enabled on the SSL-Explorer server.
Microsoft Windows
To enable routing the IPEnableRouter value in the registry must be set to ‘1’.
Step 1 Run regedit.exe
Step 2 Locate the IPEnableRouter parameter from the registry. This should be located under HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Step 3 Change the value from ‘0’ to ‘1’.
Linux
Run the following command:
• echo 1> /proc/sys/net/ipv4/ip_forward Since Linux does not use a registry, this should be added to your startup script to save from having to execute this command every time you restart the operating system. How this is configured depends upon your flavor of Linux, to achieve this on a Fedora Core installation you can add/edit the following line in /etc/sysctl.conf.
• net.ipv4.ip_forward = 1
378
Running the Service
Now that both client and server have been configured all that remains is the starting of each component.
Starting the Server Interface Step 1 From the Network Extensions page select the Start Interface action against the appropriate server
interface.
Step 2 The status of the interface should change to ‘Started’ as shown below.
Connecting Client The client can be executed from the user console in one of two ways:
• Win32 direct • Linux Client • Command line
Both of these are explained below.
Win32 Direct
This is launched directly from the Network Extension page in the user console. Since the process will start the TAP driver, the user logged in to the client machine must have Administrator privileges and must also have the TAP driver installed.
Step 1 From the Network Extension page select the Start Client Configuration action against the appropriate client configuration
Step 2 This will start the client, in the taskbar the TAP driver icon will appear.
379
While nEXT attempts to establish a connection the icon will flash briefly. Once a connection to the server has been established the icon will stop flashing indicating the connection has been established. The new nEXT network will be available to use. From Windows Explorer you should now be able to access the drives of those machines on the nEXT network.
Routes are not immediately published on Microsoft Windows systems Due to restrictions imposed by Windows networking, the VPN routes are not immediately published when the nEXT client is launched. Expect to wait around 10-15 seconds after launching the client before the routes are published and the nEXT VPN client is fully usable.
Linux
The Linux client can only be downloaded and compiled straight from the Network Extension page as the system is unable to execute the client. Instead the client user will have to manually take the compiled file and run the client as a command line executable. Details on this can be found in the Command Line Client section.
Step 1 You will need to have GCC, GCC-C++ and OpenSSL installed on the system before compilation can be performed
Avoid Moving Compiled Binaries It is recommended that you do not attempt to move compiled binaries across Linux Platforms as the C++ runtime support may be different even on same versions of Linux.
Step 2 From the Network Extension page select the Compile Linux Client action against the appropriate
client configuration.
Step 3 The system will begin downloading the client. Once completed you will receive a notice.
Note
380
Step 4 Once the client has been built you can move it to somewhere appropriate on your system and configure platform scripts to install it as a service. To run the command please refer to the section below, Command Line Client.
Command Line Client
From the action menu in the user console the user can actually download the nEXT client executable (nEXTClient).
The executable comes with a host of options applicable to both Windows and Linux. In both cases running the client will require Administrative/root privileges to allow the client to start the TAP drivers. The command line options available are as follows:
Switch Switch alternative Description
-h --hostname SSL-Explorer server hostname (required)
-P --port Port on which SSL-Explorer resides (default=443)
-c --config Client configuration identifier
-u --username Connecting user's username (prompt if not given)
-p --passsword User's password. (prompt if not given)
-i --ip Request the given ip address from the server
-m --mtu Override the client configuration's MTU setting
-C --console Force log output to the console
-f --logfile Alternate path to applications log file
-l --loglevel Defines the log level
-r --reconnect Reconnect if the connection is lost
-I --interval Interval between reconnect attempts (in seconds)
-o --option Set a system option for example ifconfig.path=/usr/sbin
-a --frames Log frame information (requires INFO debug level)
-F --certfile Client certificate file for authentication (PKCS12)
A script should be created to save having to retype the command every time you wish to start the client. Below are two examples:
• nEXTclient -h <hostname> -u <username> -C –r
• nEXTclient –h <hostname> –F <certificate file>.p12 –p <certificate password> The <certificate file> needs to be a standard P12 certificate obtained from the SSL-Explorer CA and <certificate password> its associated password. For further information on certificates refer to the Access Control Guide chapter titled Authentication Schemes
Windows Client nEXTPass.exe As part of the Windows Client zip file there is an executable called nEXTPass.exe. This enables a user to
Note
381
encrypt a password for use by the service (i.e. password entered in registry settings) or either of the Windows clients. Usage: nEXTPass <unencrypted password> For example nEXTPass.exe enter_10 outputs an encrypted string TY2MTM2ZWYzNGY5OTMyMzVmNTkz. This can then be used when running the command line client, nEXTclient.exe –h sslexplorer –u majid –p TY2MTM2ZWYzNGY5OTMyMzVmNTkz. Users can also use this to encrypt the passphrase of their client certificate if using client certificates.
Windows Service A Windows Service action is available from the Network Extension main page that allows the configuration of the nEXT client as a Windows service on the client machine. Again Administrative privileges are required to install the service but once installed any user can use the service.
Step 1 From the Network Extension page in the user console click the Install Windows Service icon against the appropriate client configuration.
Step 2 Once successfully installed, a dialog will appear. Press ‘OK’ to accept the message.
Step 3 The service is installed but requires configuration. To configure the service run regedit.exe and create the following key if not present:
• HKEY_LOCAL_MACHINE\Software\SSL-Explorer nEXT
Step 4 Set the log level. Two values can be attributed to this key: ‘logFile’, an absolute path to a file to log to, and ‘logLevel’, either INFO or DEBUG. Add these if required.
382
Step 5 To configure a connection, create a subkey under the key. The key can have any name assigned to it. In the example below the key has been named ‘Office’.
Step 6 In the new key add an ‘args’ string value and add the arguments that need to be passed into the nEXT client executable. Above you can see the arguments for username, password and hostname are used.
Step 7 If you wish the nEXT configuration to auto start on boot up you need to create another value here, a
new DWORD value named autostart. Its value should be set to 1.
Step 8 That’s it, the final step is to start the service from Service Control Panel (Control Panel → Administrative Tools → Services). The SSL-Explorer nEXT service will have been installed previously through the Network Extension page.
When the service is started the nEXT icon should appear in the taskbar as before while the connection is being made. The networks should be accessible once the service has established a connection.
383
Creating Bridged Configuration In this scenario the SSL-Explorer server will be configured with a bridged server interface.
Creating the Server When using Ethernet bridging, the first task is to create the Ethernet Bridge. The Ethernet Bridge must be setup before SSL-Explorer is started. Unfortunately there is no portable method of creating the bridged interface so each operating system has its own method.
Windows
This configuration requires Windows XP or higher on the bridge side as Windows 2000 does not support bridging, however a Windows 2000 machine can be a client on a bridged network. Ensure that you have at least one spare TAP driver installed on the SSL-Explorer server. Rename this to “tap0” or any other name of your choosing. Next select tap0 and your ethernet adapter with the mouse, right click, and select Bridge Connections. This will create a new bridge adapter icon in the control panel. Edit the TCP/IP properties on the bridge adapter and set to the IP address of your SSL-Explorer server. It is not possible to use DHCP as the IP address must be known to SSL-Explorer. Your bridged connection has now been created and you can proceed to configuring SSL-Explorer
Linux
First, make sure you have the bridge-utils package installed. On Fedora Core this can be installed using the command yum install bridge-utils Create a new file in $SSLX_HOME/bin called bridge-start.sh. Paste in the contents of the sample script below Sample Scripts and set the br, tap, eth, eth_ip, eth_netmask, and eth_broadcast parameters according to the physical Ethernet interface you would like to bridge. Make sure to use an interface which is private and which is connected to a LAN which is protected from the internet by a firewall. You can use the Linux ifconfig command to get the necessary information about your network interfaces to fill in the bridge-start parameters. Now run the bridge-start script. It will create a persistent tap0 interface and bridge it with the active Ethernet interface. If the file is not executable the execute the command, you can use the same command to make bridge-start.sh and network-bridge scripts executable. chmod 755 bridge-start.sh Do the same for the bridge-stop.sh script Sample Scripts, ensuring that you edit the content to reflect the device names entered into bridge-start.sh. Now run the bridge-stop.sh script, this should remove the persistent tap interface and remove the network bridge.
384
These scripts should be configured to start upon system boot. An example script is provided that has been tested on Fedora Core installation. Simply create a new file in /etc/rc.d/init.d called network-bridge and past in the contents. Assuming you have named the files above as suggested you should only need to edit the location of SSLX_HOME if it differs from your installation. Save this file and then execute the command chkconfig –add network-bridge This should make it available as a service to start on run levels 3, 4 and 5. You can test this by executing the command service network-bridge start
Configuring SSL-Explorer Bridged Server Now that you have configured the OS with a bridge you can create the SSL-Explorer server configuration item.
Step 1 Enter a name and description for your server interface
Step 2 Now select the Interface tab, in the Network field enter the subnet of your LAN, in this example its 192.168.1.0/24. Next enter the IP address of the SSL-Explorer server, this should be the same IP address that you configured on the network bridge. Finally, set the Device Name field to the tap adapter name that is included in the network bridge, in this example its tap0
385
Step 3 Unless you have some specific commands you want executing when the interface comes up or goes
down you can skip the Commands Tab. Now select the DHCP tab and enter an IP range for the VPN clients, this should be within your LAN’s network scope and NOT part of any existing DHCP range in the LAN. It is also important to enter your LAN’s domain name and DNS server information
You can now save the interface configuration
386
Step 4 The next step is to create a client configuration. At this stage we are going to setup a simple client configuration that allows single clients to connect and obtain a LAN IP address
Step 5 Next, ensure that the Server Interface in the dropdown is the bridged interface we created previously. You can leave the IP address and Device name fields empty as they are not required in this configuration.
Step 6 Finally you may want to enter some up commands to ensure that DNS is updated on the client correctly, in the UP commands enter ipconfig /flushdns
387
ipconfig /registerdns This will ensure that any previous DNS entries are removed and that the TAP interface of the client is registered with the operating systems DNS service. If you want to force your user's internet traffic through SSL-Explorer you could also add the following: Route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1 Route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1
Sample Scripts
bridge-start.sh #!/bin/bash ################################# # Set up Ethernet bridge on Linux # Requires: bridge-utils ################################# # Set this to the root of your SSL-Explorer installation SSLX_HOME=/opt/sslexplorer # Define Bridge Interface br="br0" # Define list of TAP interfaces to be bridged, # for example tap="tap0 tap1 tap2". tap="tap0" # Define physical ethernet interface to be bridged # with TAP interface(s) above. eth="eth0" # Define the IP settings for the bridged interface # NOTE: this must match the IP address assigned to # the SSL-Explorer server interface eth_ip="192.168.1.61" eth_netmask="255.255.255.0" eth_broadcast="192.168.1.255" for t in $tap; do ${SSLX_HOME}/bin/nEXTserver --mktun $t done brctl addbr $br brctl addif $br $eth for t in $tap; do brctl addif $br $t done for t in $tap; do ifconfig $t 0.0.0.0 promisc up done ifconfig $eth 0.0.0.0 promisc up ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
388
bridge-stop.sh #!/bin/bash #################################### # Tear Down Ethernet bridge on Linux #################################### # Set this to the root of your SSL-Explorer installation SSLX_HOME=/opt/sslexplorer # Define Bridge Interface br="br0" # Define list of TAP interfaces to be bridged together tap="tap0" ifconfig $br down brctl delbr $br for t in $tap; do ifconfig $t down ${SSLX_HOME}/bin/nEXTserver --rmtun $t Done network-bridge #!/bin/bash # chkconfig: 345 50 26 # description: Network Bridge # # An init script to start and stop the Network Bridge SSLX_HOME=/opt/sslexplorer case "$1" in start)
echo "Starting Network Bridge" ./${SSLX_HOME}/bin/bridge-start.sh
;; stop) echo "Stopping Network Bridge" ./${SSLX_HOME}/bin/bridge-stop.sh
;; restart) $0 stop sleep 1 $0 start ;; *) echo $"usage: $0 {start|stop|restart}" ;;
esac exit 0
389
Virtual Hosts
SSL-Explorer is able to host more than one domain on the same server this is known as virtual hosting. This chapter details what virtual hosting is and how you can configure your SSL-Explorer instance to host multiple domains. The sections covered in this chapter are:
• What is Virtual Hosting • Virtual Host Interface • Creating a new Virtual Host • Editing a Virtual Host • Deleting a Virtual Host
What is Virtual Hosting Virtual hosting provides direct access to a destination without the need of logging into SSL-Explorer. In addition it means users without accounts can also benefit from this feature as virtual hosting does not consider accounts. SSL-Explorer simply takes the host header provided and redirects this to the defined destination. The only thing that needs to be performed outside of SSL-Explorer is that any source hostname needs a DNS entry to be mapped to SSL-Explorer.
Virtual Host Interface The main virtual host page lists the available virtual hostings currently setup. This page is located under Management Console → Resource Management → Virtual Hosts
390
Action Icons The action icons against each entry performs functions on the associated virtual host, their respective objective are detailed below:
Delete virtual hosting
Edit virtual hosting
Creating a new Virtual Host Step 1 Select the Create Virtual Host action at the top right of the page.
Step 2 Provide the basic details for the virtual host
• Name: Name that will be shown in the main window. • Description: The description for the virtual host
Step 3 The next bit of information necessary is the actual virtual host information
391
• External Hostname: The host header that needs to be redirected. Any traffic directed at this host will be controlled by this virtual host resource.
• Internal Hostname: The actual destination of where this traffic should be directed to.
Step 4 As a final step a DNS entry needs to be made that will map the external hostname hostname, timebooking.co.uk, to the SSL-Explorer instance. This creates the initial link between the host and SSL-Explorer without this entry the workstation will try and resolve timebooking.co.uk and not find any site.
Editing a Virtual Host From the virtual host page select the Edit Virtual Host action against the required resource. The edit page will open allowing the data to be edited.
Deleting a Virtual Host The Delete action removes a virtual host permanently from the system. Selecting the Delete action against a virtual host will result in a warning message informing that the resource is about to be deleted, as shown below.
392
Selecting Yes will result in the removal of the resource from the system.
393
Microsoft Exchange 2003 RPC/ HTTPS
This resource is not actually visible from the navigation menu on the left. Yet it provides a valuable feature which is not directly used through SSL-Explorer. RPC/ HTTPS allows you to connect to your Exchange server from an Outlook 2003 client in native mode. Unlike POP/SMTP, this means that all mail is held centrally rather than being downloaded to each client. This chapter details further this feature and covers the following chapter:
• What is this Resource? • Configuration • What is Outlook Mobile Access?
What is this Resource? This extension provides a pass-thru proxy for Outlook RPC over HTTPS traffic. It is in no way a replacement for a front-end HTTPS server in a normal Exchange HTTPS topology, but is instead a facility to allow SSL-Explorer to become the internet facing proxy for your Outlook users, allowing both SSL-Explorer and Exchange HTTPS over a single open port on the company firewall. Being part of the SSL-Explorer framework means this benefit’s from the policy based security, access to this service is provided by way of authorized SSL-Explorer policies.
What is RPC/HTTPS? RPC over HTTP allows Microsoft Outlook clients to access Microsoft Exchange server over the internet. The MAPI protocol usually uses RPC to make calls to the Exchange server using TCP, but here we are able to tunnel Outlook RPC requests inside an HTTP session.
The RPC over HTTP Proxy networking component extracts the RPC requests from the HTTP request and forwards the RPC requests to the appropriate server. The advantage of this approach is that only the RPC proxy server has to allow access from the Internet. Back-end Exchange servers do not have to allow access from the Internet.
1
1 ‘Article Technical details of using RPC over HTTP to access exchange from an Outlook client’ Microsoft TechNet
394
Configuration Configuration is broken into two parts, the server and the client. This document assumes that the Exchange administrator has already configured the Exchange server to accept RPC calls over HTTP. For further information on how to configure this please refer to the Microsoft website or to this site http://www.kuhnline.com/index.php?id=51. This chapter however does detail how to configure a new mail account to use SSL-Explorer as a proxy to communicate with the configured RPC/HTTPS Exchange server.
Pre-requisites • Trusted Certificate: SSL-Explorer must have a trusted certificate installed or alternatively
each client must trust the SSL-Explorer certificate by adding it to the Internet Explorer trusted certificate authorities’ store.
• HTTPS Proxy hostname: The HTTPS proxy configured within Outlook must match that of the certificate used by SSL-Explorer. If the SSL-Explorer server is setup with a trusted certificate for the host vpn.sslexplorer.com then this must be entered exactly into Outlook configuration for HTTPS otherwise Outlook will not connect to the SSL-Explorer server.
• NTLM Authentication: The RPC proxy will only work with Outlook Clients that authenticate over NTLM.
Configuring SSL-Explorer as a RPC Proxy Step 1 From the Extension Manager (Management console → Configuration → Extension Manager)
install the SSL-Explorer Outlook RPC/HTTPS extension. Once installed the extension should be listed in the installed extensions tab.
Step 2 A new tab under Configuration → System Configuration → Resource titled Outlook should be visible.
From here the mail server can be defined the associated port as well as the type of backend server HTTPS or HTTP. In addition all policies that have access to this feature can be added. To add a policy simply select the available policies from the RPC/HTTPS policies list.
395
Any policy not part of the Selected Policies window those attached users will not have the ability to use Outlook over HTTPS.
Client Configuration The final step in the configuration is that of the email client Outlook. Each user can either add an a new profile to an existing account or as the following details, a new email account is created. Either way the main steps are the same detailed here are relevant to both.
Step 1 From control panel, access the mail setup by selecting the mail icon.
Step 2 From mail setup access Email Accounts
Step 3 Select Add a new email account from the wizard options.
396
Step 4 Under server type select ‘Microsoft Exchange Server’
Step 5 Under the Exchange server settings step select the newly configured Exchange server and the name of your new mailbox.
397
Step 6 From the same window select More settings. From the first window under the Connection tab check the Connect to my exchange mailbox using HTTP box.
Step 7 Selecting the Exchange proxy settings button opens a final window in which the FQDN of the SSL-Explorer server should be keyed into the Use this URL to connect to my proxy server for Exchange parameter. Also under the Proxy authentication settings select NTLM Authentication.
398
That’s all there is to configuring the client. Once Outlook is started, if SSL-Explorer has not been configured to use the same Windows account as what the user is logged in with, the system will prompt for the SSL-Explorer authentication credentials. After which if the user is recognized as a valid user of the RPC/ HTTPS resource SSL-Explorer will enable communication between Outlook and the mail server over HTTPS.
399
What is Outlook Mobile Access? Exchange 2003 provides a new feature called Outlook Mobile Access (OMA). OMA allows users to access Exchange data by using mobile devices. This browse application is similar to Outlook Web Access but much lighter weight and meant to be viewed on today’s latest cell phones.
Configuring SSL-Explorer as a OMA Proxy Step 1 Setup the exchange properties as per RPC Client Configuration. Step 2 Under the Outlook tab (Configuration → System Configuration → Resource) you can define which
policies should be able to access mail through there mobile devices.
Simply Add the appropriate ones from the OMA policies list. Any policy not part of the Selected Policies window those attached users will not have the ability to use Outlook Mobile Access.
Step 3 Finally to access mail from a mobile device simply connect your mobile to the following address:
https://<servername>/oma
400
Internationalization
Internationalization extends the accessibility of your SSL-Explorer installation by providing a mechanism to provide a user base with different translated versions of SSL-Explorer. This chapter details all that is needed to translating SSL-Explorer, and covers the following sections:
• What is Internationalization? • Internationalization Interface • Creating a New Translation • Editing a Translation • Activating a Language • Translate Extensions • Share Language • Deleting a Translation • Language Selection
By the end of this chapter the reader should have a firm understanding of how to translate SSL-Explorer and how it can benefit an organizations multilingual global user base.
System Configuration Options For details on the configuration options available for internationalization refer to the SSL-Explorer Configuration Guide
What is Internationalization? The internationalization feature provides to the user a method to take the content of SSL-Explorer and translate this into a language of their choice that may not be currently supported by the current SSL-Explorer product. You may also use this feature to create your own company-specific version of SSL-Explorer, with customized messages that are more relevant to your organization and working practices. This mechanism means that SSL-Explorer is able to cater for a wider array of users. For example if your enterprise’s user base spans a number of countries and continents, you now have the ability to provide translated versions of the same system to all users,. SSL-Explorer can be altered specifically to a company’s language needs providing a more user friendly environment of the system where users are not struggling to understand the system. 3SP extends this translation process further by providing a mechanism to submit your translations to 3SP for possible inclusion in a future release. All users can then benefit from these community-created submissions.
Note
401
Internationalization Interface The main internationalization page lists the available shares. This page is located under Management Console → Resource Management → Internationalization.
The main page details which languages have been installed and which of these is currently activated.
Action Icons The action icons against each language performs functions on the associated language, their respective objective are detailed below:
Delete inactivated language
Edit a inactivated language
Download language (More…)
Translate extensions (More…)
402
Language Status A language can have one of three states, depending on the state the language can either be edited for translation, deleted from the system or neither of these two actions can be performed until the language is set to the appropriate state. These states and their rules are listed below:
State Can language be edited? Can language be deleted?
Default Inactivated Installed
Creating a New Translation Step 1 From the main page the action menu in the top right presents the only available action which is, Create
New Language. Selecting this begins the creation process.
Step 2 The first step is provide information regarding the new translation.
• Predefined language and country: This requires the locale for the new language. In this example I am using the ‘French – Canada’ language.
• Base language: This provides a list of currently installed language. Selecting one loads the content of the language into the new translation.
• Name: The name will be shown on the main page and by all users in the Language Selection box so it is essential that a sensible name is used.
Select the Save button to store the new translation. That’s it. The new language will be visible from the main internationalization page.
As you can see above any newly created language is Inactivated, to activate it the content needs to be translated. This is done through the Edit action icon.
403
Editing a Translation Step 1 The language which needs translating new or old must not be currently in use. From the main window
set the language to Inactive (refer to the section titled Action Icons to do this). Step 2 From the internationalization page select the Edit action against the required resource, this will start
the edit translation wizard.
The first step in the wizard is selecting the category to translate.
The translation wizard breaks the required sentence which need translating into logical groupings based on the area they appear in. As can be seen from the screenshot above the Categories column lists all the different areas of the system from Installation Wizard right through to the individual enterprise plugins. The first step is to choose the area you wish to translate.
Step 3 Selecting a category lists the available sentences in the column to the right.
404
As the screenshot above shows, the certificates category has been selected. The associated sentences are listed. The column listing the sentences is split into two equal columns. The column to the left shows the actual original English text whilst the right column shows the translated equivalent, in this example the translation is in French.
Sentences not translated in English Those sentence that have yet to be translated their equivalent translated sentence in the right-hand column are shown in English. As each sentence is translated the English is replaced.
Step 4 The purpose of internationalization is to translate each sentence. To modify a sentence, press the Modify button.
The original sentence is shown above. The text box to the left is used to enter the new translation. Depending on the sentence a number of rules may be required. An example of these would be a sentence requiring a dynamic parameter. The instructions to cater for such sentences are detailed in the information box to the right. To save the sentence press the Save button.
Note
405
To move to the next sentence without going back to the previous page (Step 2) simply press the Next button. To move back to the sentence above the current one without going back to the previous page (Step 2) simply press the Previous button. That’s all there is to it. Once satisfied that all sentence have been translated simply press Cancel and select the next category to translate.
Translation State Saved The system stores the current state of the translations so it is not essential that all sentences in a category or even all categories must be translated in one session. The system saves the currently translated sentence, the same user or a new user with the correct permissions can continue on translating in a later session.
Activating a Language Once all the sentences have been modified for users to use the language it needs to be activated. From the edit page (Step 2 in the wizard) simply press the Activate button at the bottom of the page.
All Sentences Must Be Translated For a sentence to be installed for use there must not be any empty sentences. All sentences must be translated whether temporarily to English or the new translation.
This will step the state of the language to Installed in the main page.
The new language will instantly be accessible from Language Selection box.
All users with permissions to choose a language will see this new language.
Translate Extensions Step 1 Once a language is installed its extensions can be translated. To translate the extensions of a newly
installed translation select the More... button against the selected language and choose Translate Extension.
Note
406
The page lists all extensions currently being edited and those currently installed.
Step 2 To edit a new extension select the Translate New Extension action from the action menu to the right.
Step 3 This produces a list of currently installed extensions. Anyone listed can be translated. Select the extension that you wish to translate.
Step 4 The newly selected extension appears in the extension list.
To begin translating simply select the edit action against extension.
Step 5 From the translation page follow the same principle as with the standard edit action, selecting the modify button against each sentence allows the sentence to be translated.
407
If all sentences are completed selecting the Activate button will install the extension. The translated extension will only be accessible once the core language has been selected from the Language Selection box. Once the core language is loaded the system then loads any installed extensions associated with this language, in this example it will include the mail check extension.
408
Share Languages Once you are satisfied with a translation and have installed it you can download the language as a packaged zip file and share it with other SSL-Explorer users.
Step 1 Against the installed language simply select the download action
Step 2 The system compresses all the necessary data into a zip file which needs to be downloaded and saved.
If the download does not start simply press the Here link in the dialog above.
Step 3 Translations you wish to share with the SSL-Explorer community need to be sent to [email protected].
Deleting a Translation The Delete action removes the resource permanently from the system. Selecting the delete action against a language will result in a warning message informing that the resource is about to be deleted, as shown below.
Selecting Yes will result in the removal of the resource from the system.
Language Selection During logon and throughout the system the language selection box is visible to the right of the interface.
This box allows the current translation of SSL-Explorer to be altered. Using the pull down box any installed languages are visible. Selecting one changes the current language instantly.
409
Once a language has been translated and its state set to Installed the translation will become visible from this box. Various restrictions on this are available; refer to the chapter titled Configure User Interface in the SSL-Explorer: Configuration Guide for more information.
410
System Functions
This section introduces the final section in the menu tree the System section. System encapsulates functionality that affects the instance as a whole from functions such as shutting down the server to viewing the status of the system.
Auditing The audit module is exclusive to the SSL-Explorer: Enterprise Edition. This powerful reporting tool allows for the real-time capture and analysis of user and system events. This ranges from items such as starting and stopping the system through to specific user events such as creating a favorite.
This section details how to:
• Auditing Interface • Initializing the Auditing Module • Creating a New Report • Running One-Off Reports • Checking Audit Report Integrity • Uploading a Report Template • Changing Recorded Events
Auditing Interface The main auditing page lists the currently stored reports. This page is located under Management Console → System → Auditing.
The main page details which languages have been installed and which of these is currently activated.
Action Icons The action icons against each language performs functions on the associated language, their respective objective are detailed below:
411
Delete inactivated language
Edit a inactivated language
Execute report
Copy Report (More…)
Translate extensions (More…)
Initializing the Audit Module Before any reporting can be performed the Audit Module must first be initialized. This module can also be run at anytime after configuring the Audit Module. This will remove all previously captured audit information so care should be exercised when using this function.
Step 1 Select Auditing from the System menu. If the Audit module has not been initialized the first item shown is the initialization wizard. The first step requires an Audit Seed. This is simply a passphrase that is used to secure the contents of the audit logs, this helps prevent tampering.
Step 2 The next step allows the selection of the events to monitor. By default all events have been selected. If you should wish to remove any of the selected events just highlight the item you wish not to record and press the 'remove' button. Once all the events that are to be recorded are selected click the 'next' button. This will display the following page
412
Step 3 Next.the archiving options are defined.
• Archive Directory: This is an absolute path or a relative path of the SSL-Explorer Audit archive directory. This is where any archives are physically stored.
• Minimum Recorded Months: This is the minimum amount of months that archives will be kept for.
• Day to Archive: The significant day of the month that the Audit Archive is to be performed.
• Time of Day to Archive: The time of the day that the Audit Archive is to be performed.
Step 4 Finally the configurations details are summarized, pressing Finishing will save the auditing details. The main page for auditing should now be loaded each time the auditing menu item is pressed.
413
Creating a New Report Step 1 In the main page select the Create Audit Report action from action menu
Step 2 This presents the report creation page.
All tabs contain specific information to the report, each can be configured. For example dates can be defined in the Date tab. Below the report has been configured to report on the weeks auditing results.
Those who can run this report can also been defined through normal policies by selecting the policy tab.
414
Step 3 Once saved this report should be visible from the main page
These reports can be executed over and over again by pressing the execute icon against the appropriate report. Predefined dates such as 'Last Week and 'Last Month' are run relative to the current date.
415
Running One-Off Reports Not all reports need to be created beforehand before they can be executed, auditing allows reports to created on the fly and just run immediately.
Step 1 Select the Run Audit Report action from the action menu
Step 2 From here items for the report can be configured such as date ranges.
Also items like the events you wish to record.
416
Step 3 Once configured simply press the Run Report button.
This will generate the report and allow it to be downloaded. When the file download dialog appears simply save or open the file.
The report should visible once opened as below.
417
418
Checking Audit Report Integrity This option checks the integrity of the audit report and determines whether the report has or has not been tampered with.
Step 1 From the main page simply select the Check Audit Integrity action.
This requires the seed for the audit report to check against.
Once the seed has been entered simply press the Check button to begin the validation process. The amount of time this will take will depend on the size and number of Audit files to be checked. Once the files have been checked the following page will be displayed if no inconsistencies were found.
Alternatively, if inconsistencies were found the following page is displayed. This page will also show the first record that was found to be incorrect. This will help in determining how and when the inconsistency occurred.
419
Uploading a Report Template The default reporting templates can be overridden for more specific presentation requirements. To do this a template has to be previously created.
Step 1 Select the Upload Report Template action from the action pane.
The next step is to locate and upload the required template into the system. Pressing the Browse button will list the local system directories.
The filename refers to a zipped directory containing the appropriate report files. Simply press the Upload button. This will load the new report template into the system.
420
Changing Recorded Events The events that are selected to be recorded by the system can be modified if required. This is done by:
Step 1 Select the Change Recorded Events action from the main page .
This displays the current list of events.
Step 2 Use the event selection tools to move events from available to selected.
421
Status
Status provides vital information pertaining to the current instance from sessions currently active within the system as well as hardware details on which the connected instance is running. The sections covered in this chapter are:
• Session Information • Status Information • nEXT Clients • Outlook Client
Session Information All users logged into the system are made visible from this page.
As with all resources hovering over a user provides further information on the user. Pressing the LogOff button against the user will disconnect his session.
Status Information System information provides hardware information to the user such as the specification of the server being used, the operating system its running on etc.
422
nEXT Clients From here we can see who is connected to the instance through nEXT. Much like the user sessions each session can also be terminated.
Outlook Client Much like the nEXT client page this shows a list of outlook sessions connected via this instance. Again these can be terminated.
423
Message Queue
The message queue is used to configure and deliver messages to all users of the System. Depending on the delivery system a message can be sent to online as well as offline users. This chapter provides information on how to enable an appropriate delivery system as well as how to send messages. The sections covered are as follows:
• What is the Message Queue • Message Queue Interface • Enabling a Delivery System • Sending a Message • Clear Message Queue
What is the Message Queue Message queue gives a privileged user the ability to create messages and have that message broadcast to all user. SSL-Explorer provides two delivery mechanisms: Agent which can send messages to users who are currently online and Email which sends messages to anyone online or not through email. The functionality is flexible enough to allow messages to be sent not only to all principals but individual principals too. For further information on messaging and configuration of the delivery systems please refer to the chapter titled Messaging in the SSL-Explorer: Configuration Guide.
Message Queue Interface Messaging is accessible from the Message Queue page available from Management Console System Message Queue.
As shown above messages can be delivered either as an SMTP email or via the SSL-Explorer Agent. In addition to this below the delivery system window is the message queue window which lists the status of any messages sent.
424
Enabling a Delivery System The two main delivery systems are email and the SSL-Explorer agent. To enable either one simply click on the appropriate system to toggle it on or off. Any messages sent via the agent will appear on screen whilst the user is online. If the agent is not running the message will not be received by the user. Email on the other hand does not rely on any agent but instead sends the message directly to the user’s email address.
Sending a Message Step 1 To send a message select the Send Message action from the action box in the top right of the screen.
Step 2 Enter the details of the message.
425
Step 3 Select the recipients of the message. Select the recipient tab and choose who must receive the message.
Recipients can be selected in a number of ways, through policy, or individual accounts and even roles if supported.
Step 4 Once done hit the Send button. The message will be send through the chosen delivery system. The newly created message will be visible from in the delivery queue from the main page.
Clear Message Queue If messages are being sent quite regularly the status queue can get quite full. The message queue can therefore be cleared if so desired. Simply select the Clear Message Queue action from the action box to the right.
The system will ask for clarification of the action before clearing out the queue.
426
Shutdown
Certain actions within SSL-Explorer require the instance be restarted before a new additions can be activated such as some extensions. It is from this page that the system can be shutdown. The sections covered in this chapter are:
• Shutdown the Instance • Restarting the Instance
Shutdown the Instance Step 1 To shutdown SSL-Explorer simply select the Shutdown SSL-Explorer option.
Step 2 Select a delay time, after this time the instance will be shutdown. Step 3 Select the Ok button. From here the system will begin counting down and when the delay has been
achieved the instance will shutdown.
The server will need to be manually restarted.
Restarting the Instance Step 1 To shutdown SSL-Explorer simply select the Restart SSL-Explorer option.
Step 2 Select a delay time, after this time the instance will be restarted.
427
Step 3 Select the Ok button. From here the system will begin counting down and when the delay has been achieved the instance will be restarted.
The server will come back online after a few minutes with any changes that required restarting operational.
428
