SSL Web Proxy




Vigor2930, Vigor2950 and VigorPro 5500/5510 series routers support the SSL Web Proxy function, which lets users securely access many internal servers over the Internet. We provide a general user application as a reference, including a case description and the configuration of the Web interface. The feature supports two modes: Secured Port Redirection mode and SSL mode. Please refer to the following introduction to the related application and configuration.

Introduction

Generally, to access an internal web server which is behind a NAT router, you have the following two methods:

1. Open relevant ports (usually TCP 80) on the router.
2. Connect a traditional VPN tunnel (PPTP, L2TP or IPSec) to the router.

Drawbacks of the above methods:

1. If the web server contains private or restricted information which allows only authorized access, an open port is a potential security hole for hackers to exploit for invasion or file transfer. In this case, most administrators don't choose to open a port.
2. There are many blocking issues involving connections, related to GRE port blocking or ESP/AH port blocking, and there are many IPSec NAT incompatibility problems. So if you are on a business trip, it happens frequently that you can't connect a VPN to your company's router because of the router/firewall in the hotel, airport, etc.

Advantages of SSL Web Proxy

Secured Port Redirection mode: It works like Open Port, but the port opened by the router is random and temporary. The random port is opened when the session is established, and closed when the connection is dropped.

SSL mode: It uses HTTPS to establish a secure connection.

- Typical port blocking is decreased.
- No NAT incompatibility problem.
- No static IPs are required, and a VPN client is unnecessary.

Application Note (Secured Port Redirection mode)

Figure 1

OTRS is a working system which only the Support department is permitted to access. Gforge is another system which the Support, Sales, R&D and other departments are permitted to access. Both systems are based on web services. User A belongs to the Support department, and User B belongs to the Sales department. They are on business trips and need to access the systems from the Internet.

Configurations on the Router:

1. Go to the SSL VPN >> SSL Web Proxy page, and set up two entries.

2. Enter the following:
   - Enter a name for the OTRS system.
   - If the web server can be accessed directly through its IP address, you may input the format http://ip/directory in the URL field. Here it is http://172.17.1.40/login.pl
   - If you have input an IP address in the URL field, you needn't set up the Host IP Address field. In fact you will find it is grayed out.
   - Select "Secured Port Redirection".

3. Enter the following:
   - Enter a name for the Gforge system.
   - If the web server can only be accessed by domain name, you have to input the format http://domain_name/directory in the URL field. Here is http://swm.gforge.com
   - Enter the IP address of the web server in the Host IP Address field.
   - Select "Secured Port Redirection".

4. Go to the SSL VPN >> User Account page and add two accounts for User A and User B.

5. Enter the following:
   - Enable the account.
   - Set up the username/password for User A.
   - You needn't, but you'd better disable all the VPN services in this profile. Otherwise users can also connect a VPN to your router by using this account.
   - Enable SSL Web Proxy, then enable the relevant web servers (here both OTRS and Gforge) for User A.

6. Enter the following:
   - Enable the account.
   - Set up the username/password for User B.
   - You needn't, but you'd better disable all the VPN services in this profile. Otherwise users can also connect a VPN to your router by using this account.
   - Enable SSL Web Proxy, then enable the relevant web servers (here only Gforge) for User B.

7. Go to the System Maintenance >> Management page and make sure HTTPS Server is enabled. If you don't want to use the standard TCP 443 port, change the port as follows. Here we change it to 4443.

Steps for User A to use web proxy:

1. Open a web browser (IE or Firefox), and go to the following URL: https://210.243.151.187:4443

2. Internet Explorer 6 will display the below security alert stating that the security certificate is valid but is not from a known source. Please accept the certificate with confidence by pressing the Yes button.
   Internet Explorer 7 will display the below security alert stating that the security certificate is valid but is not from a known source. Please select the "Continue to this website (not recommended)" choice.

3. A login window pops up. Input the username and password for User A.

4. If you log in successfully, you will see a window like the one shown below. Press SSL Web Proxy.

5. This page will list all the web sites that you are allowed to access. In this example they are OTRS and Gforge for User A. But you are not yet able to access them. There is an "Activate" button for each web server, which opens a random port and a session for an internal server. Press the "Activate" button for the server you would like to access.

6. After you press the "Activate" button, the button changes to "Deactivate", and the OTRS and Gforge entries become links. Now you are able to access the OTRS system and the Gforge system by clicking the links OTRS and Gforge.

The OTRS system.

The Gforge system.

7. After the access, to close the session and the port you may press the "Deactivate" button or simply close the web browser.
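Step 2 asks the user to accept a certificate that the browser cannot trace to a known issuer. One way to make that acceptance checkable is to record the SHA-256 fingerprint of the router's certificate from the LAN side and compare it before logging in remotely. The following is an added example, not part of the original note; the pin dictionary and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import ssl
import sys

# Constructed stand-in for a certificate. ssl.PEM_cert_to_DER_cert only
# base64-decodes the body, so arbitrary bytes are enough for an offline run.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed router certificate bytes")

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...' (certificate dialog style) or plain hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()

def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 over the DER form of the certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()

def check_pin(endpoint: str, pem_cert: str, pins: dict) -> str:
    """Return 'match', 'mismatch' or 'not-enrolled' for a host:port endpoint."""
    pinned = pins.get(endpoint)
    if pinned is None:
        return "not-enrolled"
    same = hmac.compare_digest(fingerprint_sha256(pem_cert), normalize(pinned))
    return "match" if same else "mismatch"

def fetch_cert(host: str, port: int) -> str:
    """Fetch whatever certificate the HTTPS port presents (no chain validation)."""
    return ssl.get_server_certificate((host, port))

if __name__ == "__main__":
    if len(sys.argv) == 4:
        # Live use: script.py <host> <port> <fingerprint recorded on the LAN>
        host, port, pin = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        pem = fetch_cert(host, port)
    else:
        # Offline demonstration with the constructed certificate and its own pin.
        host, port, pem = "210.243.151.187", 4443, SAMPLE_PEM
        pin = fingerprint_sha256(SAMPLE_PEM)
    endpoint = f"{host}:{port}"
    print(endpoint, fingerprint_sha256(pem), check_pin(endpoint, pem, {endpoint: pin}))
```

A "mismatch" on a network such as a hotel or airport means the presented certificate is not the one recorded from the router, so the username and password should not be entered.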

Steps for User B to use web proxy:

The steps are identical to the ones listed above. Just notice that after logging in successfully, the SSL Web Proxy page will list only the Gforge system for User B.

Limitation of Secure Port Redirection

1. It just supports web service.
2. The web servers must be within the same subnet of the Vigor router. And they must point their default gateways to the Vigor router. Here the Vigor router is the SSL Web Proxy.

Application Note (SSL mode)

OTRS is a working system which is connected directly behind the Vigor2950. They are within the same subnet. The Web Mail server is another system which is also behind the Vigor2950 but in a different subnet than the Vigor2950. User A is on a business trip and needs to access both systems from the Internet.

Configurations on the Router:

1. Go to the SSL VPN >> SSL Web Proxy page, and set up two entries.

2. Enter the following:
   - Enter a name for the OTRS system.
   - If the web server can be accessed directly through its IP address, you may input the format http://ip/directory in the URL field. Here it is http://172.17.1.40/login.pl
   - If you have input an IP address in the URL field, you needn't set up the Host IP Address field. In fact you will find it is grayed out.
   - Select "SSL".

3. Enter the following:
   - Enter a name for the Web Mail.
   - If the web server can only be accessed by domain name, you have to input the format http://domain_name/directory in the URL field. Here is http://ms.mailserver.com
   - Enter the IP address of the Web Mail in the Host IP Address field.
   - Select "SSL".

4. Go to the SSL VPN >> User Account page and add an account for User A.

5. Enter the following:
   - Enable the account.
   - Set up the username/password for User A.
   - You needn't, but you'd better disable all the VPN services in this profile. Otherwise users can also connect a VPN to your router by using this account.
   - Enable SSL Web Proxy, then enable the relevant web servers (here both OTRS and WebMail) for User A.

6. Go to the System Maintenance >> Management page and make sure HTTPS Server is enabled. If you don't want to use the standard TCP 443 port, change the port as follows. Here we change it to 4443.

Steps for User A to use web proxy:

1. Open a web browser (IE or Firefox), and go to the following URL: https://218.242.130.126:4443

2. Internet Explorer 6 will display the below security alert stating that the security certificate is valid but is not from a known source. Please accept the certificate with confidence by pressing the Yes button.
   Internet Explorer 7 will display the below security alert stating that the security certificate is valid but is not from a known source. Please select the "Continue to this website (not recommended)" choice.

3. A login window pops up. Input the username and password for User A.

4. If you log in successfully, you will see a window like the one shown below. Press SSL Web Proxy.

5. This page will list all the web sites that you are allowed to access. In this example they are OTRS and WebMail for User A. Now you are able to access them by clicking the links.

The OTRS system.

The WebMail

Secured Port Redirection vs SSL

1. They both just support web service.
2. Secured Port Redirection mode only works if the web servers are within the same subnet as the SSL Web Proxy. SSL mode doesn't have this limitation.
3. If the web server contains ActiveX controls, you'd better choose Secured Port Redirection mode.
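The same-subnet limitation of Secured Port Redirection, the Host IP Address requirement for domain-name URLs, and the advice to disable VPN services on proxy accounts can all be checked mechanically against a written-down copy of the configuration. The following audit is an added example, not DrayTek code. The dictionary layout, the 172.17.1.0/24 LAN, the addresses 172.17.1.50 and 192.168.50.10, and the INTENDED access map are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

SPR = "Secured Port Redirection"

def backend_ip(entry):
    """Server address: the Host IP Address field, else an IP literal in the URL."""
    host = entry.get("host_ip") or urlsplit(entry["url"]).hostname
    try:
        return ipaddress.ip_address(host)
    except (ValueError, TypeError):
        return None  # URL uses a domain name and no Host IP Address was given

def audit(router_lan, entries, users, intended):
    """Return a sorted list of findings for one written-down configuration."""
    lan = ipaddress.ip_network(router_lan)
    findings = []
    for e in entries:
        ip = backend_ip(e)
        if urlsplit(e["url"]).scheme not in ("http", "https"):
            findings.append(f"{e['name']}: not a web service URL")
        if ip is None:
            findings.append(f"{e['name']}: domain-name URL needs a Host IP Address")
        elif e["mode"] == SPR and ip not in lan:
            findings.append(f"{e['name']}: {ip} outside {lan}, use SSL mode")
    for u in users:
        if u["proxy"] and u["vpn_services"]:
            enabled = ", ".join(u["vpn_services"])
            findings.append(f"{u['name']}: VPN services still enabled: {enabled}")
        for extra in sorted(set(u["proxy"]) - intended.get(u["name"], set())):
            findings.append(f"{u['name']}: not intended to reach {extra}")
    return sorted(findings)

# Constructed configuration modelled on the note. Only 172.17.1.40 and the
# URLs come from the note; the subnet and the other addresses are assumed.
ENTRIES = [
    {"name": "OTRS", "url": "http://172.17.1.40/login.pl", "host_ip": None, "mode": SPR},
    {"name": "Gforge", "url": "http://swm.gforge.com", "host_ip": "172.17.1.50", "mode": SPR},
    {"name": "WebMail", "url": "http://ms.mailserver.com", "host_ip": "192.168.50.10", "mode": SPR},
]
USERS = [
    {"name": "UserA", "vpn_services": [], "proxy": ["OTRS", "Gforge"]},
    {"name": "UserB", "vpn_services": ["PPTP"], "proxy": ["Gforge", "OTRS"]},
]
INTENDED = {"UserA": {"OTRS", "Gforge"}, "UserB": {"Gforge"}}

if __name__ == "__main__":
    for line in audit("172.17.1.0/24", ENTRIES, USERS, INTENDED):
        print(line)
```

The constructed input contains three deliberate mistakes: WebMail is set to Secured Port Redirection although it sits in another subnet, User B keeps a VPN service enabled, and User B is granted the Support-only OTRS entry.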