THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR 3SP REPRESENTATIVE FOR A COPY. IN NO EVENT SHALL 3SP OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF 3SP OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SSL-Explorer: Administrators Guide
Copyright 2007 3SP Ltd. All rights reserved.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between 3SP and any other company.
PREFACE .... 14
  DOCUMENT OBJECTIVE .... 14
    Audience .... 14
    Related Documentation .... 14
    Document Organization .... 15
    Document Convention .... 15
  OBTAINING DOCUMENTATION .... 15
    3SP.com .... 15
  DOCUMENTATION FEEDBACK .... 16
  OBTAINING TECHNICAL ASSISTANCE .... 16

INTRODUCTION .... 17

MANAGEMENT CONSOLE .... 17
  PURPOSE .... 17
  ACCESSIBILITY .... 18
  MANAGEMENT CONSOLE INTERFACE .... 19
    Areas of Functionality .... 19
    Navigation Icons .... 20
    Options Icon .... 20
  WIZARDS .... 21
    Cancel Process .... 21
  SELECTION PROCESS .... 21
    Configure .... 22
  GETTING HELP .... 22
  AMENDING CONFIGURATION PARAMETERS .... 22

SSL-VPN OVERVIEW .... 23
  BASIC TECHNOLOGY OVERVIEW .... 23
    IPsec VPNs .... 23
    SSL-Based VPNs .... 24
    IPsec vs. SSL VPN .... 24
  SSL-EXPLORER .... 24
    SSL-Explorer Editions .... 26

DEPLOYMENT .... 27
  DEPLOYMENT SCENARIOS .... 27
    Non-DMZ .... 27
    Within the DMZ .... 28
    Behind the DMZ .... 28
  DEPLOYMENT CONSIDERATIONS .... 29
  SUMMARY .... 29

INSTALLING SSL-EXPLORER .... 31

INSTALLATION .... 31
  INSTALLATION PREREQUISITES .... 31
  INSTALLATION OF SSL-EXPLORER .... 31
  SSL-EXPLORER: COMMUNITY EDITION - SOURCE CODE INSTALLATION .... 39
    Pre-requisites .... 39
    Configuring a Service .... 41
  SSL-EXPLORER RPM INSTALLATION ON REDHAT 8.0 .... 42
  UPGRADING SSL-EXPLORER .... 43
  UPGRADING FROM 0.1.16 TO 0.2.X .... 44
  MANAGING THE INSTANCE .... 46
    Build Scripts .... 46
    Managing the Windows Service .... 47
    Determining the Service Status .... 48
  ACCESSING THE INSTANCE .... 50
  SERVER MIGRATION .... 51

INSTALLATION WIZARD .... 53

CERTIFICATE MANAGEMENT .... 53
  PROTECTING PRIVATE DATA .... 53
    What is an SSL Certificate? .... 53
    Certification Authority .... 54
  CONFIGURE CERTIFICATE INTERFACE .... 55
  CREATE NEW CERTIFICATE .... 55
    What is a Keystore? .... 57
  IMPORT EXISTING CERTIFICATE .... 58

USER DATABASES .... 59
  WHAT IS ACTIVE DIRECTORY? .... 59
    Active Directory within SSL-Explorer .... 59
  WHAT IS HSQLDB? .... 60
    HSQLDB within SSL-Explorer .... 60
  WHAT IS LDAP? .... 60
    LDAP within SSL-Explorer .... 60
  WHAT IS NIS? .... 60
    NIS Database with SSL-Explorer .... 61
  CONFIGURE USER DATABASE INTERFACE .... 61
  CONFIGURING THE BUILT-IN DATABASE .... 62
  CONFIGURING ACTIVE DIRECTORY .... 62
  CONFIGURING ENHANCED ACTIVE DIRECTORY .... 65
    Organizational Units (OUs) .... 66
    Organizational Unit Filter .... 66
    Modifying Filters .... 67
    Troubleshooting .... 68
  CONFIGURING LDAP .... 69
  CONFIGURING NIS .... 72

CONFIGURING SUPER USER .... 73
  SUPER USER RESPONSIBILITY .... 73
    Super User Rights .... 74
  CONFIGURE SUPER USER INTERFACE .... 74
  CONFIGURING THE SUPER USER .... 75

CONFIGURING WEB SERVER .... 77
  WHAT IS HTTP/S? .... 77
    SSL-Explorer HTTP/S .... 77
    Is it Secure? .... 77
  THE JETTY WEB SERVER .... 78
  CONFIGURE WEB SERVER INTERFACE .... 78
  CONFIGURE WEB SERVER .... 79
    Listening Interface .... 80
    Modifying Interfaces .... 81
  EXTERNAL HOSTNAMES .... 81
    Modifying Hostnames .... 81

EXTERNAL PROXY SUPPORT .... 83
  WHAT IS A PROXY SERVER? .... 83
  PROXY USE WITH SSL-EXPLORER .... 84
  CONFIGURE EXTERNAL PROXIES INTERFACE .... 84
  CONFIGURE EXTERNAL PROXIES .... 85

ENTERPRISE EDITION .... 86
  COMMUNITY EDITION VS. ENTERPRISE EDITION .... 86
  INSTALL SSL-EXPLORER ENTERPRISE EDITION INTERFACE .... 87

FINALIZING INSTALLATION .... 88
  THE SUMMARY PAGE .... 88
    Making Modifications .... 88
  SUMMARY INTERFACE .... 88
  SUMMARY .... 89
    Unsuccessful Configuration .... 90

PUBLISHING SERVER .... 91
  PRE-REQUISITES .... 91
  CONFIGURING SSL-EXPLORER WITH A FIREWALL .... 91
  TESTING THE SSL-EXPLORER SERVICE .... 92

SYSTEM CONFIGURATION .... 93

SERVER CONFIGURATION .... 93
  INTERFACE .... 94
  CONFIGURE WEB SERVER .... 95
    Web Server Interface .... 95
    Configuration Parameters .... 95
    Reconfigure Listening Interface .... 96
    Reconfigure External Hostnames .... 96
  CONFIGURE PERFORMANCE .... 97
    Performance Interface .... 97
    Configuration Parameters .... 97
  CONFIGURE PROXIES .... 98
    Proxy Interface .... 98
    Configuration Parameters .... 98
  CONFIGURE USER INTERFACE .... 99
    UI Interface .... 99
    Configuration Parameters .... 99
  CONFIGURE SSL .... 100
    SSL Interface .... 100
    Configuration Parameters .... 100
  CONFIGURE TIME SYNCHRONIZATION .... 101
    Time Synchronization Interface .... 101
    Configuration Parameters .... 101

RESOURCES .... 102
  INTERFACE .... 102
  CONFIGURABLE RESOURCES .... 102
  NETWORK PLACES .... 102
    Network Places Interface .... 103
    Configuration Parameters .... 103
  WEB FORWARDING .... 104
    Web Forward Interface .... 104
    Configuration Parameters .... 104

MICROSOFT WINDOWS INTEGRATION .... 106
  WINDOWS FILE SHARING .... 106
    What is CIFS? .... 106
    File Sharing Interface .... 106
    Configurable Parameters .... 107
    What is WINS? .... 109
    What is the LMHOSTS File? .... 109
    What is NetBIOS? .... 109
    What is DNS? .... 110

SECURITY OPTIONS .... 111
  INITIAL OPTIONS .... 111
  PASSWORD OPTIONS .... 111
    Password Options Interface .... 112
    Configuration Parameters .... 112
  SESSION OPTIONS .... 114
    Session Options Interface .... 114
    Configuration Parameters .... 114
  CONFIDENTIAL ATTRIBUTES .... 115
    Confidential Attribute Interface .... 115
  CONFIGURATION PARAMETERS .... 115
  POLICY OPTIONS .... 116
    Policy Options Interface .... 116
  CONFIGURATION PARAMETERS .... 116
  LOGON PAGE .... 117
    Logon Page Interface .... 117
  CONFIGURATION PARAMETERS .... 117

MESSAGING .... 118
  MESSAGE QUEUE .... 118
  WHAT IS SMTP? .... 118
    SMTP and SSL-Explorer .... 119
  MESSAGING INTERFACE .... 119
  CONFIGURATION PARAMETERS .... 119

BASIC CONFIGURATION .... 121

EXTENSION MANAGER .... 121
  WHAT ARE EXTENSIONS? .... 121
    Installation of Extensions .... 122
    Anatomy of an Extension .... 122
  EXTENSION MANAGER INTERFACE .... 123
    Action Icons .... 123
  INSTALL AN EXTENSION .... 124
  UPDATING AN EXTENSION .... 125
  REMOVING AN EXTENSION .... 126
  UPLOAD AN EXTENSION .... 126
  BESPOKE APPLICATION EXTENSIONS .... 127

SSL CERTIFICATES .... 128
  REVISITING CERTIFICATES .... 128
    Encryption .... 128
    Authentication .... 129
    SSL-Certificates .... 129
    Certification Authority .... 129
    Trustworthy Certificates .... 130
  SSL-CERTIFICATES INTERFACE .... 130
    Action Icons .... 131
    Certificate Actions .... 131
  CREATING A CA .... 132
  PURCHASING CERTIFICATES .... 134
  GENERATING A CSR .... 136
  IMPORTING A CERTIFICATE .... 138
  EXPORTING KEYS AND CERTIFICATES .... 139

ATTRIBUTES .... 140
  WHAT ARE ATTRIBUTES? .... 140
    Security Questions .... 140
    Applications .... 141
    Web Forwards .... 141
    Types of Attributes .... 142
  ATTRIBUTE INTERFACE .... 142
    Action Icons .... 143
  CREATING ATTRIBUTES .... 143
  EDITING AN ATTRIBUTE .... 147
  DELETING AN ATTRIBUTE .... 147
  HOW TO USE ATTRIBUTES .... 147
    Session Variable .... 148

LICENSE MANAGER .... 150
  LICENSE MANAGER .... 150
  LICENSE MANAGER INTERFACE .... 150
    Action Icons .... 151
  UPLOADING A LICENSE .... 151
  DELETING A LICENSE .... 151

SECURE NODE .... 152
  WHAT IS A SECURE NODE? .... 152
    What is its function? .... 152
  WHAT ARE ROUTES
153 Visibility ................................................................................................................................................... 153 Compatible Resources ........................................................................................................................... 154 INSTALLING SECURE NODE CLIENT ................................................................................................................... 154 Authorize Secure Node ......................................................................................................................... 156 SECURE NODE INTERFACE ................................................................................................................................ 156 Action Icons ............................................................................................................................................ 156 CREATE NEW ROUTE........................................................................................................................................ 157 Enabling Routes ..................................................................................................................................... 158 EDITING A SECURE NODE ................................................................................................................................. 159 EDITING A ROUTE ............................................................................................................................................ 159 DELETING A SECURE NODE .............................................................................................................................. 159 DELETING A ROUTE.......................................................................................................................................... 
159 SECURE NODE CONFIGURATION ....................................................................................................................... 160 PUBLIC KEY INFRASTRUCTURE .................................................................................................161
AUTHENTICATION SCHEME INTERFACE .............................................................................................................. 191 Action Icons ............................................................................................................................................ 192 CREATING AN AUTHENTICATION SCHEME .......................................................................................................... 192 DELETING AN AUTHENTICATION SCHEME .......................................................................................................... 194 AUTHENTICATION MODULES ............................................................................................................................. 194 PASSWORD AUTHENTICATION........................................................................................................................... 195 Creating a Password.............................................................................................................................. 195 Modifying a Password ........................................................................................................................... 195 Configuring Passwords .......................................................................................................................... 197 PERSONAL QUESTIONS AUTHENTICATION ......................................................................................................... 200 Configuring Answers ............................................................................................................................. 200 PIN AUTHENTICATION ..................................................................................................................................... 202 Modifying a PIN...................................................................................................................................... 
202 Configuring PIN ...................................................................................................................................... 203 OTP AUTHENTICATION .................................................................................................................................... 205 Defining Recipient Details..................................................................................................................... 206 Configure Service Provider ................................................................................................................... 208 Configuring OTP ..................................................................................................................................... 210 CLIENT CERTIFICATES ...................................................................................................................................... 212 Enable Authentication ........................................................................................................................... 214 Creating a CA ......................................................................................................................................... 215 Creating Client Certificates ................................................................................................................... 217 Importing Certificate into Browser ...................................................................................................... 222 Using Active Directory Certificates ...................................................................................................... 225 Configuring Client Certificates.............................................................................................................. 228 PUBLIC KEY AUTHENTICATION.......................................................................................................................... 
229 Identity Creation .................................................................................................................................... 230 Reset Identity ......................................................................................................................................... 232 Configuring Public Key .......................................................................................................................... 233 Import Identity ....................................................................................................................................... 233 IP AUTHENTICATION ........................................................................................................................................ 235 Creating a Restriction ............................................................................................................................ 235 RADIUS AUTHENTICATION.............................................................................................................................. 236 Configuring RADIUS .............................................................................................................................. 237 REMOTE CLIENT AUTHENTICATION ................................................................................................................... 238 WebDAV .................................................................................................................................................. 238 Embedded Client .................................................................................................................................... 238 HARDWARE TOKEN AUTHENTICATION......................................................................................239 SAFENET IKEY 2032 CONFIGURATION ............................................................................................................ 
239 SafeNet CIP Utilities .............................................................................................................................. 240 Importing SSL Certificates into the Devices....................................................................................... 241 ALADDIN ETOKEN PRO CONFIGURATION .......................................................................................................... 245 Using eToken Properties ....................................................................................................................... 245 RSA SECURID AUTHENTICATION MANAGER ..................................................................................................... 250 Configuring an Authentication Scheme that uses RADIUS .............................................................. 250 Add an Agent Host Record for the SSL-Explorer server................................................................... 253 Add the SSL-Explorer Server as a RADIUS client .............................................................................. 254 Importing and Assigning Tokens to your Users ................................................................................ 255 Test the Authentication Process .......................................................................................................... 257 Synchronization with Microsoft Active Directory ............................................................................... 259 VASCO DIGIPASS TOKEN CONFIGURATION ...................................................................................................... 261 Configure the RADIUS server in VACMAN Middleware..................................................................... 261 Add the SSL-Explorer Server to VACMAN as a RADIUS client......................................................... 263
SAFEWORD ..................................................................................................................................................... 270 Installing SafeWord ............................................................................................................................... 270 Configuring SafeWord ........................................................................................................................... 276 Configuring IAS ...................................................................................................................................... 279 Configuring SSL-Explorer ...................................................................................................................... 281 RESOURCE MANAGEMENT..........................................................................................................284 INTRODUCTION..........................................................................................................................284 WHAT ARE RESOURCES? .................................................................................................................................. 284 RESOURCE WIZARDS ........................................................................................................................................ 285 AVAILABLE RESOURCES .................................................................................................................................... 285 EXECUTING A RESOURCE .................................................................................................................................. 286 SSL-EXPLORER AGENT ...............................................................................................................287 WHAT IS THE SSL-EXPLORER AGENT? ............................................................................................................. 
287 Communication with Browser .............................................................................................................. 287 Precautions ............................................................................................................................................. 288 STARTING THE AGENT ...................................................................................................................................... 288 STOPPING THE AGENT ...................................................................................................................................... 289 EXECUTING RESOURCES FROM AGENT............................................................................................................... 289 WEB FORWARDS ........................................................................................................................290 WHAT IS A WEB FORWARD? ............................................................................................................................ 290 TECHNICAL OVERVIEW ..................................................................................................................................... 291 Tunneled Web Forwards ....................................................................................................................... 291 Replacement Proxy Web Forwards ..................................................................................................... 291 Reverse Proxy ........................................................................................................................................ 292 WEB FORWARD INTERFACE .............................................................................................................................. 292 Action Icons ............................................................................................................................................ 
293 CREATING A NEW WEB FORWARD..................................................................................................................... 294 Configuring a Tunneled Web Forward ................................................................................................ 295 Configuring a Replacement Proxy Web Forward............................................................................... 296 Configuring a Reverse Proxy Web Forward ....................................................................................... 298 EDITING A WEB FORWARD ............................................................................................................................... 302 DELETING A WEB FORWARD............................................................................................................................. 302 OUTLOOK WEB ACCESS AND MAIL CHECK......................................................................................................... 303 NETWORK PLACES......................................................................................................................305 WHAT IS A NETWORK PLACE? .......................................................................................................................... 305 Web Folders............................................................................................................................................ 305 NETWORK PLACES INTERFACE .......................................................................................................................... 306 Action Icons ............................................................................................................................................ 306 CREATING A NEW NETWORK PLACE .................................................................................................................. 
307 File Management ................................................................................................................................... 310 EDITING A NETWORK PLACE ............................................................................................................................. 311 DELETING A NETWORK PLACE .......................................................................................................................... 311 WEB FOLDERS WINDOWS ACCESS .................................................................................................................... 311 ENTERPRISE DRIVE MAPPING ........................................................................................................................... 317 How does this differ from WebDAV? .................................................................................................. 317 Configuring Drive Mapping ................................................................................................................... 318
Create Users in VACMAN Middleware ................................................................................................. 264 Importing Digipass Tokens to VACMAN ............................................................................................. 265 Assign Digipass Tokens to Users ......................................................................................................... 267 Test the Authentication Process .......................................................................................................... 268
APPLICATIONS ...........................................................................................................................319 WHAT IS AN APPLICATION SHORTCUT?............................................................................................................. 319 APPLICATIONS INTERFACE ................................................................................................................................ 321 Action Icons ............................................................................................................................................ 321 PUBLISH A NEW APPLICATION ........................................................................................................................... 321 General Tab ............................................................................................................................................ 323 Display Tab ............................................................................................................................................. 324 Mouse Tab .............................................................................................................................................. 324 Protocol Tab ........................................................................................................................................... 325 Advanced Tab......................................................................................................................................... 326 EDIT AN EXISTING APPLICATION ....................................................................................................................... 328 REMOVING AN APPLICATION ............................................................................................................................. 329 ADDITIONAL APPLICATION CONFIGURATIONS.................................................................................................... 
330 Linux rdesktop ........................................................................................................................................ 330 Microsoft RDP Client .............................................................................................................................. 331 NX Client for Windows .......................................................................................................................... 332 PuTTY for Windows ............................................................................................................................... 337 Remote Desktop Protocol (RDP) ......................................................................................................... 338 TN5250 AS/400 Terminal Emulator .................................................................................................... 339 Virtual Network Computing (VNC) ...................................................................................................... 340 SSL-TUNNELS .............................................................................................................................341 WHAT IS AN SSL TUNNEL? .............................................................................................................................. 341 Tunnel Types .......................................................................................................................................... 341 SSL TUNNELS INTERFACE ................................................................................................................................ 342 Action Icons ............................................................................................................................................ 342 CREATE A NEW SSL TUNNEL ............................................................................................................................ 
343 EDIT AN EXISTING SSL TUNNEL ....................................................................................................................... 346 REMOVING AN SSL TUNNEL ............................................................................................................................. 347 PROFILES....................................................................................................................................348 WHAT IS A PROFILE? ....................................................................................................................................... 348 PROFILES INTERFACE ....................................................................................................................................... 349 Action Icons ............................................................................................................................................ 349 CREATING A NEW PROFILE ............................................................................................................................... 350 EDITING PROFILE PARAMETERS ........................................................................................................................ 352 Editing Session Details .......................................................................................................................... 352 Editing Agent Details ............................................................................................................................. 354 EDITING A PROFILE DESCRIPTION .................................................................................................................... 356 DELETING A PROFILE ....................................................................................................................................... 
356 NETWORK EXTENSIONS .............................................................................................................357 WHAT IS NEXT?.............................................................................................................................................. 357 Typical Scenarios ................................................................................................................................... 358 System Requirements ........................................................................................................................... 359 NETWORK EXTENSION INTERFACE .................................................................................................................... 359 Action Icons ............................................................................................................................................ 360 CONFIGURING THE SERVER .............................................................................................................................. 361 DHCP Configuration ............................................................................................................................... 364 Install Server TAP Driver ...................................................................................................................... 367 CONFIGURING THE CLIENT ............................................................................................................................... 369 Install Client TAP Driver ........................................................................................................................ 371 ADDITIONAL CONFIGURATION .......................................................................................................................... 373 Enable Server IP Routing...................................................................................................................... 374
RUNNING THE SERVICE
  Starting the Server Interface
  Connecting Client
  Windows Service
CREATING BRIDGED CONFIGURATION
  Creating the Server
  Configuring SSL-Explorer Bridged Server
SAMPLE SCRIPTS
  bridge-start.sh
  bridge-stop.sh
VIRTUAL HOSTS
  WHAT IS VIRTUAL HOSTING
  VIRTUAL HOST INTERFACE
    Action Icons
  CREATING A NEW VIRTUAL HOST
  EDITING A VIRTUAL HOST
  DELETING A VIRTUAL HOST
MICROSOFT EXCHANGE 2003 RPC/HTTPS
  WHAT IS THIS RESOURCE?
    What is RPC/HTTPS?
  CONFIGURATION
    Pre-requisites
    Configuring SSL-Explorer as a RPC Proxy
    Client Configuration
  WHAT IS OUTLOOK MOBILE ACCESS?
    Configuring SSL-Explorer as a OMA Proxy
INTERNATIONALIZATION
  WHAT IS INTERNATIONALIZATION?
  INTERNATIONALIZATION INTERFACE
    Action Icons
    Language Status
  CREATING A NEW TRANSLATION
  EDITING A TRANSLATION
  ACTIVATING A LANGUAGE
  TRANSLATE EXTENSIONS
  SHARE LANGUAGES
  DELETING A TRANSLATION
  LANGUAGE SELECTION
SYSTEM FUNCTIONS
AUDITING
  AUDITING INTERFACE
    Action Icons
  INITIALIZING THE AUDIT MODULE
  CREATING A NEW REPORT
  RUNNING ONE-OFF REPORTS
  CHECKING AUDIT REPORT INTEGRITY
  UPLOADING A REPORT TEMPLATE
  CHANGING RECORDED EVENTS
STATUS
  SESSION INFORMATION
  STATUS INFORMATION
  NEXT CLIENTS
  OUTLOOK CLIENT
MESSAGE QUEUE
  WHAT IS THE MESSAGE QUEUE
  MESSAGE QUEUE INTERFACE
  ENABLING A DELIVERY SYSTEM
  SENDING A MESSAGE
  CLEAR MESSAGE QUEUE
SHUTDOWN
  SHUTDOWN THE INSTANCE
  RESTARTING THE INSTANCE
Preface
This preface introduces the SSL-Explorer: Administrators Guide. It is broken down into the following sections:
Document Objective
Obtaining Documentation
Documentation Feedback
Obtaining Technical Assistance
Document Objective
This guide has two major objectives. The first is to provide all the information required to install and configure SSL-Explorer. The second is to describe the features available within SSL-Explorer once it is running. This guide applies to both the Community and Enterprise editions of SSL-Explorer release 0.2.15 or later. Note that not all features are available in the Community Edition.
Audience
This guide is for anyone who wishes to install and administer the SSL-Explorer VPN software. Although this is usually someone concerned with network administration, it may also give managers a useful indication of the ease with which SSL-Explorer can be deployed. This guide is expected to be useful when performing any of the following tasks:
Installing a test or production SSL-Explorer server.
Evaluating SSL-Explorer as a potential SSL-VPN solution.
Reconfiguring an existing implementation of SSL-Explorer.
Adding features to or removing features from SSL-Explorer.
Related Documentation
For more information refer to the following documentation:
Knowledge Base Articles
Forum Posts
Document Organization
This guide has been broken down into the following sections:
Introduction
Installing SSL-Explorer
Installation Wizard
System Configuration
Basic Configuration
Access Control
Administration
Resource Management
System Functions
For ease of reference these sections reflect the organization of the menu tree in the management console.
Document Convention
The following conventions are used in this document:
Courier font characters represent system commands.
Single-quoted text refers to buttons on the corresponding web page.
The icons used in this manual are as follows:
Note: additional information pertaining to the subject matter.
Alert: important information that requires special attention.
Obtaining Documentation
3SP product documentation and additional literature are available on http://3SP.com. 3SP Ltd. also provides several ways to obtain technical assistance and other technical resources. This section explains how to obtain technical information from 3SP Ltd.
3SP.com
Additional articles and FAQs can be found at this URL: http://3sp.com/kb You can access the 3SP Ltd. Website at this URL: http://3sp.com
Documentation Feedback
You can send comments about technical documentation to support@3sp.com or by writing to the following address: 3SP Ltd. 3 The Glade Business Park, Forum Road, Nottingham, United Kingdom. NG5 9RW We appreciate your comments.
Introduction
This chapter provides an overview of SSL-Explorer, detailing the basics of interacting with the system through the Management Console as well as the reasons why you might want to install SSL-Explorer.
Management Console
The management console is the main point of interaction between the administrators of the system and the system itself. This chapter introduces the reader to the management console and details its various functions. The sections included in this chapter are:
Purpose
Accessibility
Management Console Interface
Wizards
Selection Process
Getting Help
Amending Configuration Parameters
At the end of this chapter the reader should have an understanding of the management console and its purpose.
Purpose
SSL-Explorer is divided into two views: the management view, which this document discusses, and the user view. The management view, known as the management console, contains all the functionality needed to manage an SSL-Explorer instance. From this console an administrator can create items that affect users of the system, whether a small group of users or the entire user base of the instance. It is also from this console that monitoring, configuration and system management are carried out, from reviewing audit reports to modifying SSL-Explorer port configurations.
Alert: Secure Access. Because changes made through the management console have system-wide effect, it is imperative that the console is accessible only to authorized administrators.
Accessibility
Initially only the super user of the system can access the management console. The super user has access to every task and action available in the console and, with this right, is responsible for creating accounts for the administrative team.
As the diagram above shows, these administrative users are responsible for managing the system, creating users, assigning resources and creating policies.
Alert: Restrict access to the Super User account. Once SSL-Explorer policies have been configured correctly, the Super User account should no longer be needed for day-to-day administration and access to it should be locked down.
To carry out administrative tasks such as creating policies and users, administrative users must be assigned administrative control, either a Delegation Permission or a System Permission, as detailed in a later chapter. Only then does the management console view become available to them. Ordinary users mainly access the system via the user console to perform their daily tasks: accessing the internal network, creating application shortcuts, and accessing internal files and documents in accordance with your access policies.
This does not mean that a standard user can never access the management console. As the diagram above shows, a standard user who is given an appropriate delegation permission or resource permission will be able to access this console too.
Areas of Functionality
Within the management console, on the Navigation Pane (the left-hand column), there are a number of groups. Each is explained in greater detail below.
Configuration: functionality that affects the workings of the SSL-Explorer instance. The impact of changes here is normally system-wide.
Access Control: controls how users can enter the system and what permissions they have within it.
Resource Management: the usable resources that are made available through assigned policies.
System: items relating specifically to the SSL-Explorer instance itself.
The remainder of this document is organized around these areas.
Note: Super User Access. The super user has access to all areas throughout the lifecycle of the instance. All other users have subsets of these areas, and those subsets can change throughout the lifecycle of the instance.
Navigation Icons
The icons at the top right of the page allow different areas of the system to be accessed; each icon is detailed below. Some of these icons are only available in the Enterprise Edition.
The Home icon takes the user back to their defined home page.
The Management Console icon switches the view from the User Console to the Management Console.
The User Console icon switches the view from the Management Console to the User Console; the scope of impact is reduced from system-wide to the local user only.
The SSL-Explorer Agent icon activates the agent, which creates secure channels for resources whose own protocols are insecure.
The Virtual Keyboard icon enhances security by allowing all user input to be entered through an on-screen keyboard. No physical key presses are made, so a keystroke logger on the client machine cannot capture them. Note that this protects against keystroke logging only; malware that captures the screen or mouse clicks is not defeated by it.
The Help icon provides context-sensitive information to assist the user in understanding and using the current page.
The Log out icon exits the user from the application.
The Options icon allows a user to reduce or increase the number of information windows visible on screen.
Options Icon
Selecting the Options icon provides a list of all windows currently accessible. Checking or unchecking an entry instantly adds or removes the corresponding window. In addition, the user can change the language and profile currently in use from this window.
Wizards
Wizards have been provided to make the task at hand easier by guiding the user through each step in the process. By the end of the steps the user should have the intended item, ready for use within the system. Progressing through each step in a wizard is a simple matter of clicking the Next button at the bottom right of each wizard page.
Some wizards allow backward navigation. To step back to previous pages, press the Previous button at the bottom right of each wizard page.
Cancel Process
Any wizard from the Installation Wizard to the Resource Creation Wizard can be terminated at any time. Clicking on the Cancel button at the bottom of the progress pane will instantly end the wizard and no configuration changes will be applied.
Selection Process
Some steps in a wizard require the user to move items from a text box into a list box.
Note: Listing All Items. The asterisk (*) may be entered into a text box to list all available entries that can be assigned to the corresponding list box.
To add an item, enter its name (for example an account name) in the text box on the left and select the Add button on the right. The item appears in the Selected list box to the right. To remove an item, select it in the Selected list box (for example Selected Accounts) and press the Remove button.
These buttons are deliberately placed together between the two list boxes to illustrate their behaviour: items are taken from the list of available items on the left (or top) and moved to the chosen items on the right (or bottom).
Configure
In some of the wizards the selection buttons also have an additional Configure button. This allows the user to enter another wizard to help complete the step of the current wizard.
Getting Help
SSL-Explorer includes web-based on-line help. Clicking the Help button at the top right corner provides details on where help can be found. In addition, many parameters come with tooltips that explain what the parameter requires.
Amending Configuration Parameters
Configuration pages provide Apply, Reset and Cancel buttons. Pressing Apply stores all changes made, which then become the saved configuration for the current area. Pressing Reset reverts the page to that last saved state, so if any parameters were amended incorrectly they can be reconfigured before being applied. Pressing Cancel discards any changes made since Apply was last selected.
SSL-VPN Overview
Before starting on the installation steps it is worth reviewing some of the technology that SSL-Explorer uses, complements and competes against. This chapter can be skipped by a reader who is eager to get on with the actual installation. It is useful as a remote access primer and for understanding where SSL-VPN solutions fit in with other remote access products. It also covers the core concepts of the prevalent VPN technologies and describes their differences. Finally, the differences between the Community and Enterprise Editions of SSL-Explorer are covered.
IPsec VPNs
IPsec was first proposed in the mid-nineties and has been revised a number of times since. It was designated a mandatory part of IPv6 (a requirement that later IPv6 node requirements documents relaxed to a recommendation) and is optional in IPv4. IPsec can run in either transport mode or tunnel mode, and the two have significantly different implications, particularly with regard to security: in tunnel mode the entire original IP packet, header included, is encapsulated in a new packet, hiding all addressing and application protocol information, whereas in transport mode only the payload is protected and the original IP header remains visible. Traffic carried in ESP with encryption enabled is both encrypted and integrity-protected, but the security of a deployment depends heavily on key management: weak pre-shared keys and the algorithms negotiated during the IKE exchange have been recurring sources of weakness. As with SSL, IPsec uses tunnels to make a connection between two endpoints. A typical deployment consists of one or more VPN gateways providing full and unrestricted access to the networks they are authorized to reach. VPN client software must be installed on each remote user's computer and configured to define which packets it should encrypt and with which gateway it should build the tunnel. It is sometimes argued that this makes IPsec more secure because it is more complex to configure, though this argument does not really stand up to scrutiny. One agreed downside is the additional cost of maintaining such a system, which normally appears as additional support time, user downtime and remote access network maintenance. IPsec works at the Network Layer of the OSI model, which means it operates independently of the applications that use it. Once a tunnel is created, any number of connections and protocol types (web, email, file transfer, VoIP) can flow through it, and the connecting client becomes a full member of the corporate network, able to see and access everything, even printers.
SSL-Based VPNs
Originally developed by Netscape, the SSL protocol was revised by the IETF to create the TLS 1.0 standard. At the time of writing (2007) TLS had matured to version 1.1, which only the Opera web browser supported, while version 1.0 was very well supported and in widespread use. TLS 1.2 and 1.3 have since been standardized, and SSL 3.0, TLS 1.0 and TLS 1.1 are now deprecated, so a current deployment should disable them. The terms TLS and SSL are used interchangeably, though SSL is often used in preference and will be for the remainder of this document. Although SSL resides further up the OSI stack than IPsec, this is not a major disadvantage; the main consequence is that it natively carries application traffic over TCP, and full network-level access requires an additional agent. If anything, its position offers significant advantages through flexibility. One example is that SSL is supported by all major browsers, so client-side support for this VPN technology is covered by default. One of the key strengths of SSL lies in its ability to authenticate both the client and the server. This is achieved during the initial handshake, where the server identifies itself using a digital certificate and the client may optionally do the same; in a typical browser deployment only the server is authenticated with a certificate, and users are authenticated separately by the application. In addition to authentication, the handshake generates session keys that are used to encrypt messages for the duration of the session. The SSL protocol therefore provides these VPNs with a secure channel between client and server that is transparent to the end user. No additional software is needed and no client application needs installing on the remote computer. Since most web browsers support SSL, it is no exaggeration to say that virtually every modern computer is already equipped to connect to and take advantage of the applications and services provided via an SSL VPN gateway. Because of the lack of explicitly installed client-side VPN software (in direct contrast to IPsec), SSL VPNs are often referred to as clientless. Although technically a misnomer, the term is highly indicative of the transparency of this VPN technology.
As a result, IPsec implementations will often cost more to maintain. The true costs and benefits of a particular method are often hard to quantify, however, and care should be taken to realistically balance cost against the actual security benefits offered.
SSL-Explorer
SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. First released in 2004, the project has grown to the stage where the software now receives around ten thousand downloads per month. The project is one of the few software-only SSL VPN solutions and already delivers a feature set equivalent to or better than a number of the purely commercial vendors in this market. In direct contrast to other vendors, 3SP Ltd, the developers of SSL-Explorer, work closely with their users in the open source community and constantly entertain ideas for enhancements or feature requests. This closeness between users and developers has resulted in a tight-knit community behind the software, and its popularity is growing all the time. The software itself is very easy to use, with a focus placed on usability; 3SP understands that software that is unnecessarily difficult to use will most likely never actually be used. A powerful, extensible design also makes third-party contributions in the form of extensions possible. Many new and commercial features may be seamlessly installed in this manner, meaning that users can install just the components they need, without unnecessary complexity. SSL-Explorer currently offers Active Directory integration, LDAP and remote desktop access, as well as web forwarding via a number of methods. System administration is done via SSL-Explorer's policy-based access control infrastructure, and privileged users can grant access to resources right down to the actions that can be performed on a specific resource. SSL-Explorer's nEXT (Network Extension) feature offers full network access to corporate resources; a number of additional tasks can be performed with nEXT over and above the functionality offered by a basic, browser-launched SSL VPN tunnel. To summarize, SSL-Explorer is a fully-featured, end-to-end SSL-VPN without the added expense or the rigidity of fixed hardware appliances.
SSL-Explorer: the leading browser-based, open source SSL VPN solution.
SSL-Explorer Editions
There are currently two versions of SSL-Explorer.
SSL-Explorer: Community Edition is an entry-level platform designed for smaller businesses that find it difficult to justify the cost of the expensive solutions provided by alternative vendors. The core functionality of an SSL VPN is provided in an easy-to-use package that can be installed in minutes. This edition is licensed under the GNU General Public License (GPL), which allows use of the software in a commercial or non-commercial environment without payment of licensing fees. Commercial support is also now available for this edition.
SSL-Explorer: Enterprise Edition is designed for organizations that require enhanced features and dedicated commercial support. Cutting-edge features are included, such as virtual keyboards, enterprise drive mapping and a host of widely recognized and secure authentication schemes, to name but a few. SSL-Explorer Enterprise Edition is at the forefront of SSL-VPN technology, with a continually growing list of add-in functionality and features. Enterprise Edition is not open source, but it builds upon and extends the trusted open source foundation of the Community Edition.
Deployment
Understanding the environment is key to creating a successful SSL-Explorer deployment. In this chapter a number of deployment scenarios, as well as information on security technologies, are discussed. It is not meant to provide a recommended deployment structure, merely to give the reader an idea of what to consider when deploying SSL-Explorer. If you have already considered the environment you can skip to the next chapter. Specifically this chapter covers:
Deployment Scenarios
Deployment Considerations
Summary
Deployment Scenarios
The following diagrams show some basic SSL-Explorer deployments, with a brief description of the main characteristics of each. The actual firewall configuration required to access SSL-Explorer from the Internet is covered later in Chapter 13.
Non-DMZ
The first diagram depicts an installation of SSL-Explorer behind only a firewall. Typically all port 443 (standard SSL port) traffic is passed through the firewall to the SSL-Explorer instance. A proxy server could easily be included by placing it on the Internet side of the SSL-Explorer instance should it be required. Because the SSL-Explorer server simply sits behind the firewall, all port 443 traffic passes through to it unchecked: the firewall sees only encrypted SSL and cannot inspect it, and in this layout the SSL-Explorer host sits on the same network as the internal assets it protects. Care should therefore be taken to ensure that unwanted traffic is dealt with correctly, that only the SSL port is forwarded, and that the SSL-Explorer host itself is hardened and kept patched, since its compromise would give an attacker a foothold directly on the internal network.
Deployment Considerations
The decision of where to place SSL-Explorer on the corporate network depends on many factors. The diagrams offered in the previous section each have their own specific characteristics, both good and bad. Ultimately it is a matter of balancing current equipment, budget (if present) and the value of the assets being accessed. The following list is not meant to be exhaustive but should give an idea of some of the more important considerations when deploying SSL-Explorer:
Any applicable statutory requirements or compliance regulations.
SSL-Explorer performance (WAN speed, server CPU and memory, etc.).
Failover and redundancy (UPS, backups, hardware failure, etc.).
Corporate security policy (DMZ, air gap technology, etc.).
Summary
It is essential when installing any VPN technology that the proposed deployment is well understood. This helps ensure that the service behaves as expected as well as allowing for better management of risk or threat. SSL-VPNs provide a great benefit to the ever expanding and mobile business but as with any solution, if not properly deployed it could become more of a hindrance than a benefit. Much information is available on security approaches and considerations, as shown in RFC 2196 (Site Security Handbook. B. Fraser. September 1997). This is obviously only one source of information and many others exist. Many forums have been created that aim to provide information as well as support with self help. Even when implementing a complete solution it is wise to have at least considered some aspects of this chapter.
Installing SSL-Explorer
This section guides an administrator through the process of installing SSL-Explorer for both editions: Community and Enterprise. Notes on upgrading and starting the instance are also detailed. By the end of this chapter the reader will have a fully installed SSL-Explorer VPN server on their target machine.
Installation
The sections covered are:
Installation Pre-requisites
Installation of SSL-Explorer
SSL-Explorer: Community Edition - Source Code Installation
SSL-Explorer RPM Installation on RedHat 8.0
Upgrading SSL-Explorer
Managing the Instance
Accessing the Instance
Server Migration
Installation Prerequisites
The SSL-Explorer server requires the Java Runtime Environment (JRE) 5.0 to operate; this can be downloaded freely from the Java website, http://java.sun.com/j2se/1.5.0/download.jsp. This is only a requirement on the server side: clients can connect from any Java-enabled browser, including early versions of Internet Explorer that use the Microsoft VM. Whichever Java version is installed on the server, keep it patched; the runtime handles every connection the VPN accepts from the Internet, so vulnerabilities in it are directly exposed.
Clean installation If using a clean installation of your chosen operating system it is strongly recommended that all service packs, updates, patches and hot-fixes be applied.
Installation of SSL-Explorer
This section explains the steps required when using the standard SSL-Explorer installer. The process is identical for both Community and Enterprise editions of SSL-Explorer. The process is also virtually identical on Windows and Linux operating systems. Instructions for installing the Source Code distribution of SSL-Explorer: Community Edition follow later.
Step 1
Ensure that you are logged on to an account with sufficient permissions to run an installation program. Locate the SSL-Explorer installation program and run it as appropriate for your platform:
Windows: double-click the SSL-Explorer icon to launch the installer.
Linux: execute the installer script from the directory containing it, for example ./sslexplorer_linux_0_2_8.sh (if necessary, first make it executable with chmod +x).
This starts the installation program and displays the following screen.
Step 2
If the SSL-Explorer installation program is unable to locate the Java environment the following message is displayed.
Step 3
Click the Download button to retrieve the required Java environment, or alternatively select the path to an existing valid Java installation using the Locate button. The following screen shot shows what happens when the download option is selected.
Step 4
Step 5
Step 6
If you agree to the licensing agreement, select the 'I accept the agreement' radio button. This enables the Next button, which should now be pressed. The following screen is then displayed.
Step 7
Once you have selected where SSL-Explorer is to be installed simply click the Next button.
Step 8
This screen shows the components to be installed. Only Program Files is listed, and it cannot be de-selected. No changes can be made on this page, so just press the Next button.
Step 9
This screen allows the selection of a Start Menu folder. By default, Start Menu shortcuts are created for all recognised system users. Once the folder has been selected, press the Next button. This then displays the Installing screen, as shown below.
Step 10 This screen closes automatically and displays the following screen.
Step 11 Clicking the Launch button launches the web browser.
Step 12 The system's default browser will normally start automatically, as shown below. If not, enter http://localhost:28080 as the browser address.
Alert: SSL-Explorer on Microsoft Windows XP with Service Pack 2. When installing SSL-Explorer on a Windows XP machine with Service Pack 2, the browser will not be able to connect if the Windows Firewall is enabled and blocks the ports SSL-Explorer listens on. It is recommended in any case that the SSL-Explorer server should not act as both firewall and VPN server. If this problem is encountered, check whether it disappears when the firewall is temporarily disabled; rather than leaving the firewall off, add an exception for the ports SSL-Explorer uses (28080 for the installation wizard, and the SSL port, typically 443, for the running service).
Step 13 There are a number of steps to complete in the browser-based installation wizard. These are covered in Section 2 of this guide. Once they have been completed, close the browser, which returns you to the previously mentioned screen, as below.
Step 14 Just click the Next button which will show the following screen.
Step 15 Now that the installation is complete it only remains for the Finish button to be clicked. This closes the installation screen. The SSL-Explorer instance is automatically stopped when leaving the web based installation wizard. Further information is available on using the SSL-Explorer service in the remaining sections of this chapter.
Pre-requisites
To build the SSL-Explorer: Community Edition source code, an installation of Apache Ant is required; this can be downloaded from the Apache website, http://ant.apache.org. The Ant toolkit relies on the Java Development Kit (JDK) to run successfully. SSL-Explorer itself also requires a Java environment, in particular version 1.5.0 or above. The JDK can be downloaded freely from http://java.sun.com/j2se/1.5.0/download.jsp.
This distribution contains only source code, therefore the installation process must include the compilation of these files into an executable application. The following steps describe how to do this.
Step 1 Define the environment variables. The application has dependencies on two freely available tools, the Java runtime and the Apache Ant build tool; these should already have been downloaded and installed. It should be noted that the variables created in this way only exist for the current session. If the build process is interrupted in any way the environment variables will need to be re-entered.
Note
Accessing Environment Variables in Windows
Windows users can access Environment Variables through the GUI by selecting Start, right-clicking My Computer, opening the Advanced tab and pressing the Environment Variables button. This opens an interface that allows for the creation, deletion and maintenance of system variables. Variables created this way are permanent.
Open a command prompt or shell window and configure the JAVA_HOME variable by executing the command appropriate to your Operating System:
Windows: set JAVA_HOME=<Java install directory>
Linux: export JAVA_HOME=<Java install directory>
Where <Java install directory> is the home directory of the installed JRE. Also add the environment variable for ANT_HOME:
Windows: set ANT_HOME=<Ant install directory>
Linux: export ANT_HOME=<Ant install directory>
Where <Ant install directory> is the home directory of the installed Ant build tool.
To run Ant from the SSL-Explorer directory the Ant bin directory must be added to the Operating System's Path variable:
Windows: set PATH=%PATH%;%ANT_HOME%\bin
Linux: PATH=${PATH}:${ANT_HOME}/bin
The Ant tool relies on Java to work and so the Java executables must also be accessible through the Path variable:
Windows: set PATH=%PATH%;%JAVA_HOME%\bin
Linux: PATH=${PATH}:${JAVA_HOME}/bin
To check that all parameters have been defined successfully use the SET or ECHO commands as shown below:
set
This displays all the system variables; locate those defined.
echo %PATH% (Windows) / echo $PATH (UNIX)
Step 2 Run the build script. Locate the SSL-Explorer installation directory and from the root directory execute the script using the following command:
<SSL-Explorer Installation directory>/ ant install
This will begin compiling the source code and produce compilation information much like the screenshot below.
Step 3 Once completed the installation will automatically attempt to start a browser pointing to the Installation Wizard. As shown below a message will appear displaying the URL for the Installation Wizard. If a browser does not open then a browser will have to be manually opened and pointed to the URL.
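Because the variables set in Step 1 only live for the current session, it is worth checking them before each build rather than discovering a stale JAVA_HOME halfway through 'ant install'. The following added example is not part of this guide or of SSL-Explorer: it is a POSIX shell helper that validates both directories, reads the version reported by bin/java, enforces the 1.5.0 minimum stated above and only then exports the variables and extends PATH. The function names, the script filename in the usage comment and the version-string parsing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the SSL-Explorer guide): validate JAVA_HOME and
# ANT_HOME before running the Ant build. Function names are assumptions.

# sslx_java_version_ok <version string>: 0 if the string is 1.5.0 or above.
# Accepts the form printed by 'java -version', e.g. 1.5.0_22 or 17.0.2.
sslx_java_version_ok() {
    v="${1%%_*}"                # drop the update suffix: 1.5.0_22 -> 1.5.0
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac
    if [ "$major" -gt 1 ]; then return 0; fi
    [ "$major" -eq 1 ] && [ "$minor" -ge 5 ]
}

# sslx_java_version <JAVA_HOME>: prints the version string reported by
# <JAVA_HOME>/bin/java -version (which writes to stderr).
sslx_java_version() {
    "$1/bin/java" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# sslx_build_env <JAVA_HOME> <ANT_HOME>: exports both variables and extends
# PATH as Step 1 of the guide does, but refuses to continue if either
# directory lacks the executable the build will need, or if the Java found
# is older than 1.5.0. Returns 1 on failure so a caller can stop the build.
sslx_build_env() {
    [ -x "$1/bin/java" ] || { echo "no java executable under $1/bin" >&2; return 1; }
    [ -x "$2/bin/ant" ]  || { echo "no ant executable under $2/bin" >&2; return 1; }
    ver=$(sslx_java_version "$1")
    sslx_java_version_ok "$ver" || { echo "Java $ver found, 1.5.0 or above required" >&2; return 1; }
    JAVA_HOME="$1"
    ANT_HOME="$2"
    PATH="$PATH:$ANT_HOME/bin:$JAVA_HOME/bin"
    export JAVA_HOME ANT_HOME PATH
}

# Typical use from the SSL-Explorer source directory (file name is hypothetical):
#   . ./sslx_env.sh && sslx_build_env /opt/jdk1.5.0 /opt/apache-ant && ant install
```

The helper must be sourced (with '.'), not executed, so that the exported variables land in the shell that will run Ant; run as a separate process it would set them only for itself, which is the same session-scope problem the guide warns about.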
The Installation Wizard page below continues the installation process by configuring the newly installed instance.
This wizard guides the user through the steps required to successfully configure SSL-Explorer. Information on the Installation Wizard can be found in part two of this document, Installation Wizard.
Note
SSL-Explorer on Microsoft Windows XP with Service Pack 2
When installing SSL-Explorer on a Windows XP machine with Service Pack 2 installed, the browser will not be able to connect if the Windows Firewall is enabled. It is recommended in any case that the SSL-Explorer server should not be acting as both firewall and VPN server. If such a problem is encountered, check whether the problem disappears when the firewall has been disabled.
Configuring a Service
The Community Edition comes with a script that can be used to execute the SSL-Explorer server as a background service, so that it is automatically started when the host Operating System boots. To configure SSL-Explorer to run as a service, issue the following command:
ant install-service
This is another target present within the build.xml file. The target detects the Operating System and executes the appropriate instructions to install the SSL-Explorer server as a service. Steps on managing the SSL-Explorer service on both Operating Systems are detailed below.
Step 8 This wizard will guide the user through the steps required to successfully configure SSL-Explorer. Information on the Installation Wizard can be found in part two of this document, Installation Wizard.
Step 9 Once you have configured SSL-Explorer to your preferences you are ready to start the SSL-Explorer server. Refer to the chapter titled Managing the Instance, section Managing Linux Service.
Upgrading SSL-Explorer
Step 1 Shut down the server. This can be done either from the management console (System, Shutdown) or specific to each operating system:
Windows: From the services window (Control Panel, Administrative Tools, Services) select the SSL-Explorer service and press Stop.
Linux: From the shell run: 'service sslexplorer stop'
Step 2 Run the installer of the latest SSL-Explorer version you downloaded. This will guide you through the standard installation process, steps 4 to 7 under the section Installation of SSL-Explorer. Step 7 asks for an installation directory; the original directory should be chosen. A prompt will be shown asking if you wish to overwrite the existing directory, much like the image below:
You should select Yes. The installation wizard should identify the currently installed configuration files and prompt whether you wish to keep or remove these:
You should select Yes if you wish to keep your current configuration details such as certificate details, database settings etc. Selecting No will perform a fresh install of the new version; the extensions should not be affected.
You should continue with the remaining installation steps.
Note
Installation Wizard can be Skipped
There is no need to work your way through the installation wizard again if the current information is fine. Simply press Cancel in the wizard; this will move to the end of the wizard, requiring the server to be restarted. The remaining installation steps can then be continued with.
Note
Windows 2000 users will need to reboot now in order to properly remove the old service.
Install SSL-Explorer, completing the install wizard, then start the service and log in at least once to ensure configuration was successful. Once satisfied that the installation has been successful, shut down the service. From the SSL-Explorer program group run the Upgrader tool.
Step 6 Complete the Source parameter, which is required and defines the location of the old SSL-Explorer installation. The tool will detect the installation and present a number of additional options. These options detail what resources require transporting across to the new installation. Select the appropriate ones.
Step 7 Once done select the Start button to begin the transfer. The upgrader provides output of its progress.
Step 8 Once completed the SSL-Explorer instance can be restarted. When resources are transferred they are not attached to any policies. All resources should be reviewed and reassigned. Web forward resources transferred will lose their current credentials flag. To replicate this behaviour add the ${session:username} and ${session:password} replacement variables into the authentication details.
SSL-Explorer can be started either from the build script or as a service both are detailed below.
Build Scripts
SSL-Explorer comes with a main script called build.xml that is situated at the root path of the SSL-Explorer installation. It contains all the necessary targets to manage the instance. The targets and their purpose are detailed below:
Start Server
Start: The instance is started and runs quietly in the background without any console.
Console: SSL-Explorer runs in the foreground with a console showing trace information. Killing the console will result in termination of the server.
These commands are executed with the ant tool; for example:
ant start
Your current directory should be where the build.xml file is (usually the home directory of the installation).
Stop Server
The only target available for this is the stop target, which is executed as follows:
ant stop
The more appropriate way is to use the Shutdown or Restart functions available from the running instance under Management Console, Shutdown.
Start Service
If the Service Status is set to Stopped right click the SSL-Explorer Service and select Start as shown above.
Stop Service
If the Service Status is set to Started the service can be stopped by right clicking the SSL-Explorer Service and selecting Stop. However, it is more appropriate to use the Shutdown or Restart functions available from the Management Console of SSL-Explorer (Management Console, Shutdown).
Start Service
The service command also allows us to start a service, as shown below. Again, those distributions which support this command should use the command below, and for others an equivalent command should be used.
Red Hat: service sslexplorer start
Stop Service
The service command can also be used to stop the service. Operating Systems that do not support this command must use any other equivalent service command.
Red Hat: service sslexplorer stop
Using your Active Directory or built-in credentials (depending on how you configured the SSL-Explorer server in the Installation Wizard) you will be able to log into the server.
Server Migration
If in the event you need to migrate SSL-Explorer to another server the steps are as follows:
Step 1 Disable any enterprise edition authentication schemes on the current server installation.
Step 2 Install, on the target server, the same version of SSL-Explorer using the same folder locations as the current installation.
Step 3 For enterprise edition installations take a copy of your license file, which should have been emailed to you during your purchase, and copy it to the target server.
Step 4 From the current server copy the <SSL-Explorer_HOME>/conf folder.
Step 5 Take a copy of the <SSL-Explorer_HOME>/db folder from the current server.
Step 6 Copy these two folders to the same location on the new target server.
Step 7 Start the SSL-Explorer server on the new server.
Step 8 Log into the new instance as Super User.
Step 9 Navigate to the license manager (Configuration -> License Manager) and upload the original license previously copied over.
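The copy in Steps 4 to 6 moves the keystore (under conf) and the user database (under db), so the copy itself should be treated as sensitive material: anyone who can read it holds the server's private key and its stored account data. The following added example is not part of this guide or of SSL-Explorer. It is a POSIX shell helper that packages both folders into one archive readable only by its owner, restores them at the same relative location on the target server, and checks that the restored files match the originals. The function names and the archive name are assumptions; the paths follow the <SSL-Explorer_HOME>/conf and <SSL-Explorer_HOME>/db layout given in the steps above.

```shell
#!/bin/sh
# Added example (not from the SSL-Explorer guide): export and import the
# conf and db folders for a server migration. Function names are assumptions.

# sslx_export_state <SSL-Explorer_HOME> <output archive .tar>
# Returns 0 on success, 1 if either folder is missing.
sslx_export_state() {
    home="$1"
    out="$2"
    for d in conf db; do
        if [ ! -d "$home/$d" ]; then
            echo "missing $home/$d: is $home really SSL-Explorer_HOME?" >&2
            return 1
        fi
    done
    # umask 077 so the archive is never readable by other local users,
    # even for the instant between creation and the chmod below.
    (umask 077 && tar -cf "$out" -C "$home" conf db) || return 1
    chmod 600 "$out"
    return 0
}

# sslx_import_state <archive .tar> <target SSL-Explorer_HOME>
# Restores conf and db to the same relative location on the target server
# and keeps the restored keystore and database private to the service owner.
sslx_import_state() {
    archive="$1"
    target="$2"
    [ -d "$target" ] || return 1
    tar -xf "$archive" -C "$target" || return 1
    chmod -R go-rwx "$target/conf" "$target/db"
    return 0
}

# sslx_state_matches <source home> <target home>
# Verifies the copy by comparing a checksum listing of both folder trees.
sslx_state_matches() {
    a=$(cd "$1" && find conf db -type f | sort | xargs cksum)
    b=$(cd "$2" && find conf db -type f | sort | xargs cksum)
    [ "$a" = "$b" ]
}
```

Run the export with the old server stopped (Step 1 of the upgrade procedure above shows how), so that the db folder is not written to while it is being archived, and delete the archive from any intermediate host once the import has been verified.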
Installation Wizard
This section provides details on how to configure the SSL-Explorer instance. Once the server has been installed, all new installations are forced to go through the installation wizard. For upgrades this process is not automatically initiated; instead an administrator can start the installation wizard by running the exe from the installation directory.
Certificate Management
SSL certificates give a website the ability to transmit data to and from SSL-Explorer securely. This chapter provides details on the first step of the configuration wizard in which SSL certificates are set up. The sections included are:
Protecting Private Data
Configure Certificate Interface
Create New Certificate
Import Existing Certificate
By the end of this chapter you should understand what an SSL certificate is and what it is used for. More importantly, you will know how to successfully configure a certificate for an SSL-Explorer instance.
If successful, the handshake then establishes an encryption method and a unique key for the session. This key is used subsequently for rapid encryption, decryption, and tamper detection during the session. Once the exchanges are complete both parties can begin a secure session that ensures a high degree of message privacy and integrity. Further information can be found in the SSL-Explorer: Configuration Guide under the chapter titled SSL-Certificates.
Certification Authority
Without SSL encryption, packets of information are transmitted across networks in plain text, meaning that they are vulnerable to interception. We have already learnt how SSL provides protection for the data in transit across the internet, but there are other attacks that you could still be vulnerable to. For example, imagine that an attacker was able to set up a VPN server that looked and behaved identically to one of your own trusted servers. If that individual was able to use one of the many social-engineering techniques to convince your staff to log on to that server, he would likely be able to successfully harvest user credentials for a later, potentially damaging attack on your network. Thankfully, this does not have to be the case. In this modern era, we have a way of verifying that a secure server is exactly who it proclaims to be. Every SSL certificate that is assigned to a particular server on a specific hostname must be for a verified business entity. Much like a passport or a driver's license, SSL certificates for web servers are issued by a trusted third party known as a Certification Authority (CA). Certification authorities are independent and trustworthy entities responsible for issuing and managing digital certificates. It is the role of the CA to verify an individual's or organization's identity and their claim to the hostname to which the certificate is to be registered. By digitally signing the issued certificates, the CA guarantees the legitimacy of the data held in them. Since all participants of a public key infrastructure must trust the CA, they can also trust the issued certificates and the public keys of other participants.
Note
Use Current Certificate
Every subsequent execution of the installation wizard will result in an extra option becoming available, Use Current Certificate. This allows the original certificate created or imported during the previous configuration process to be used again.
To produce an un-trusted certificate follow the steps below.
Step 1 The first thing required to create an un-trusted certificate is a passphrase. This will be used to encrypt the generated keystore. The passphrase must be at least 6 characters; a system message will appear on the message pane if not.
Note
Keystore and Certificates
A keystore contains one or many SSL certificates and is encrypted by a passphrase.
Step 2 The actual content of a certificate is merely information on the owner of the certificate and information detailing in what capacity the certificate is to be used. The next step simply requires this information, as can be seen below:
Each configurable parameter is detailed:
Hostname: The hostname of the SSL-Explorer server running the instance.
Organizational Unit: The logical unit or department using the certificate.
Company Name: Name of the company using the certificate.
City: The city in which the company is located.
State: The state in which the company is located.
Country code: Country code such as GB=Great Britain.
All the information is required to generate an un-trusted SSL certificate.
Note
Certificate Generated when Wizard Completed
The installation will not generate the certificate until all the other steps are complete. This means that at any time in the installation process you can step back and alter your certification options and configuration details.
What is a Keystore?
A keystore is a key database file that contains both public keys and private keys. Public keys are stored as signer certificates while private keys are stored in the personal certificates. Keys are used for a variety of purposes mainly for authentication and data integrity.
Each configurable parameter is detailed:
Type: The certificate can be either JKS or PKCS12.
Passphrase: Passphrase protecting the certificate being imported.
Alias: A name that will be used by SSL-Explorer to represent the certificate.
Filename: The actual certificate file that relates to all the information provided above.
Your CA authorized certificate has now been imported. Only when the installation wizard is complete will the certificate be used by SSL-Explorer.
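The wizard hides the mechanics behind the Create New Certificate and Import Existing Certificate steps, so it is useful to see the same ideas on the command line: what the six fields above become, why a self-signed (un-trusted) certificate fails chain verification while a CA-signed one passes, and what a PKCS12 file with an alias and passphrase looks like before the import step. The following added example is not part of this guide or of SSL-Explorer, and it uses the openssl command line (assumed installed) rather than the Java keystore tooling the wizard uses internally; the throwaway CA stands in for a real Certification Authority. The function names, subject values, alias and passphrase are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the SSL-Explorer guide): certificate fields, the
# trust difference between a self-signed and a CA-signed certificate, and
# PKCS12 packaging for import. Requires openssl; all names are assumptions.

# sslx_dname <hostname> <org unit> <company> <city> <state> <country code>
# Builds the X.500 subject from the six fields the wizard collects.
sslx_dname() {
    printf '/CN=%s/OU=%s/O=%s/L=%s/ST=%s/C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# sslx_selfsigned <dir> <subject>: private key plus self-signed certificate,
# the equivalent of the wizard's un-trusted certificate. Key file is mode 600.
sslx_selfsigned() {
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "$2" -keyout "$1/self.key" -out "$1/self.crt" 2>/dev/null)
}

# sslx_ca_signed <dir> <subject>: a throwaway CA and a server certificate
# signed by it, standing in for a certificate bought from a real CA.
sslx_ca_signed() {
    d="$1"
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Example Test CA/O=Example' -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
     openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
     openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/server.crt" 2>/dev/null)
}

# sslx_verify <cert> <trust anchor>: 0 only if <cert> chains to <trust anchor>.
# This is the check a browser performs against its list of trusted CAs.
sslx_verify() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# sslx_pkcs12 <dir> <alias> <passphrase>: package the server key, its
# certificate and the CA chain as PKCS12, the Type/Alias/Passphrase/Filename
# combination the Import Existing Certificate step asks for.
sslx_pkcs12() {
    (umask 077 && openssl pkcs12 -export -name "$2" -passout "pass:$3" \
        -inkey "$1/server.key" -in "$1/server.crt" -certfile "$1/ca.crt" \
        -out "$1/server.p12" 2>/dev/null)
}
```

The point of the two verify calls is that a self-signed certificate only verifies when it is itself the trust anchor, which is why users see a browser warning for the wizard's un-trusted certificate, whereas the CA-signed certificate verifies against a CA the client already trusts. Keep the generated .key and .p12 files, and the passphrase, as private as the keystore itself.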
User Databases
All user data used and managed by SSL-Explorer must be stored somewhere. SSL-Explorer allows the configuration of a number of databases to store this information. This chapter provides information on each of the following databases:
What is Active Directory?
What is HSQLDB?
What is LDAP?
What is NIS?
Further to this, how to configure the following databases:
Configure User Database Interface
Configuring the Built-in User Database
Configuring Active Directory
Configuring Enhanced Active Directory
Configuring LDAP
Configuring NIS
By the end of this chapter the reader should have an understanding of each type of database and be able to configure the appropriate one that suits their particular requirements.
Note
Additional Databases
SSL-Explorer can be configured with databases other than those above; for details refer to the 3SP Knowledge Base at http://3sp.com/kb.
SSL-Explorer Community Edition comes with the basic Active Directory module, which allows basic actions such as connecting to and using the users held in an existing database. SSL-Explorer Enterprise has an additional Enhanced Active Directory module which allows the administration of Active Directory from within SSL-Explorer; all administrative actions are reflected back to the actual Active Directory service.
What is HSQLDB?
HSQLDB is an open source Java-based SQL relational database that is used by SSL-Explorer. The product is currently being used as a database and persistence engine in many commercial and open source projects and products. It is best known for its small size, its ability to execute completely in memory, and lastly, its flexibility and speed.
What is LDAP?
Lightweight Directory Access Protocol is a standard method for communicating with a directory database. It is a software protocol which allows for fast search and retrieval of data. LDAP represents stored data in a directory structure much like a phone book. This makes it perfect for systems with high levels of search and retrieve actions, but not so well suited to systems which rely on a high degree of data updates. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network.
What is NIS?
NIS, also known as Yellow Pages, is a client-server directory service protocol for distributing, amongst other things, hostnames and users between computers in a network. In a common UNIX environment the list of users for identification is placed in /etc/passwd, and the secret authentication hashes in /etc/shadow. NIS adds another global user list which is used for identifying users on any client of the NIS domain.
The following information is required:
Domain Controller Hostname: The primary Active Directory service domain in the form of, for example, example.3sp.co.uk. The entry must be lowercase.
Backup Domain Controller Hostnames: If backup domain controllers have been configured then these should be added here. This list should contain active controllers which SSL-Explorer can fail over to in the event the primary domain controller is inaccessible. For more information on backup domain controllers refer to the section titled, Backup Domain Controller. Hostnames can also be specified with a port number if different from the Domain Controller Port parameter.
Note
Service Account Authentication
The standard Active Directory database uses GSS-API authentication for the service account. It is unable to authenticate credentials containing non-English characters; the service account does not need to be fully qualified.
Service Account Username: The service account details needed to authenticate Active Directory users. This account serves as a link to the Active Directory database.
Service Account Password: The password for the service account.
Note
Service Account
It is recommended that a specific AD user account be created for the Service Account only. This is required to support some of the authentication methods available as part of SSL-Explorer: Enterprise Edition.
The next tab, OU Filter, is optional but allows specific organizational units to be added or removed from SSL-Explorer.
Include Organizational Unit Filter: Add any OUs that should be used when listing accounts and roles. Only the accounts residing in the OUs you specify will be shown. For further details refer to the section titled, Organizational Unit Filter.
Exclude Organizational Unit Filter: Add any OUs that should not be used in the listing of accounts and roles.
Include Built-in groups: This will include the default Built-in group base CN=Builtin, built from the domain name, in the filter list.
Include standard Users and groups: This will include the default User base CN=Users, built from the domain name, in the filter list. All users and groups under this will be added.
The final tab, Options, allows an advanced user the ability to fine tune access to the AD service.
User Authentication Type: Which authentication method to use for user account authentication. The GSS-API type is unable to process credentials which contain non-English characters but allows the service account to be defined without full qualification. Simple authentication, however, is able to authenticate using non-English characters such as rt.
Authentication Timeout: How long the system should wait when authenticating.
Authentication Maximum Retries: How many times to try to authenticate. The total authentication time will be timeout x retries.
Cache Objects In Memory: The system can cache user objects either to file or memory. If the user population is extremely large, in-memory caching can be prone to running out of memory when loading objects.
Max Group Cache Objects: The maximum number of group objects stored in cache.
Connection timeout: Generic connection timeout for Active Directory sessions.
Page Size: The number of objects returned in each paged request; the default should be acceptable in most cases.
User/Group details Cache TTL: This is the minimum Time to Live value, which must be greater than 10 seconds. The default value of 300 seconds stores Active Directory user information in cache for 5 minutes before clearing the cache. The next required action fetches user details again, caching for another 300 seconds. A value too low will cause severe delays in processing any action as SSL-Explorer will continually be re-fetching data from the domain controller.
Enforce username case sensitivity: This enables checking of username case sensitivity during log-on.
With the configured information the installation wizard will attempt to connect to the domain controller and validate the service account. If the service is unreachable for whatever reason a message will be shown like the one below:
The wizard will allow the configured details to be adjusted before selecting Next again to retry. Once a successful connection is made and the service account has been authenticated the Active Directory user database is ready to be used.
The connections tab configures how to connect to the actual Windows Active Directory service.
The only differing information for Enhanced Active Directory is the service account details.
Service Account DN: The service account details needed to authenticate Active Directory users. This account needs to be fully qualified, e.g. CN=John Smith, DC=Employees.
Service Account Password: The password for the service account.
The Enhanced Active Directory database uses Simple authentication for the service account. Simple authentication allows the use of non-English characters such as rt. With this type of authentication the account credentials need to be fully qualified.
The next tab, OU Filter, is optional but allows specific organizational units to be added or removed from SSL-Explorer.
Create Group OU: The OU location within the AD where new groups will be created.
Create User OU: The OU location within the AD where new users will be created.
That's all that differs from the Active Directory installation detailed above.
Note
User Account Authentication uses Simple
Enhanced Active Directory uses Simple authentication for both the service account as well as user accounts.
This nesting enables the organization to distribute users across multiple logical structures for easier administration of network resources. When activated, SSL-Explorer uses the current Active Directory groups and maps them directly to groups. SSL-Explorer also creates all internal data for each user within the chosen OUs. Each user will be assigned to the mapped roles.
Entries in the filter must be of the form OU=<Organizational Unit name>. For example, OU=Research. If an OU is held below another OU then the entire hierarchy up to the parent OU must be listed. If an OU called Marketing was stored under the Employees OU, to add Marketing the correct syntax would be OU=Marketing, OU=User, with the separating comma being used to separate each element in the hierarchy.
To add all OUs in the domain simply leave the Filters list box empty. When the list box is empty, all OUs will be queried by SSL-Explorer. If problems are encountered with Active Directory, try clearing the list box and seeing whether
To remove an OU from the search use the exclusion operator # against the OU name. For example, to exclude the Test Accounts from the search you would add #OU=Test Accounts.
Modifying Filters
The OUs listed within the Filters list box are the only items that will be used by SSL-Explorer. Clicking the Add button takes the OU in the Filter textbox and applies it to the list of filters.
Highlighting an OU from the Filters list and clicking the Remove button takes the selected OU out of the list box.
Troubleshooting
If your users are unable to connect via Active Directory, check that:
The time settings between the Active Directory server and SSL-Explorer are synchronized. Kerberos authentication, used by Windows, allows only a few minutes of clock skew between Windows server and client. Ensure that both the domain controller and the SSL-Explorer server are synchronized to the same date and time to within one minute.
The Windows server is configured for Active Directory authentication. If using Windows NT 4.0 server, the server only supports NT Domain authentication.
If OUs have not been loaded successfully:
Any organizational units held within a tree structure need to be added with the entire parental structure. In the above diagram, to include Tester in the filters list the syntax should be OU=Tester,OU=Engineer,OU=Staff. The syntax begins with the lowest branch first. If any OUs are stored underneath a default Windows OU such as Users, the OU=User root should not be included in the filter syntax.
Check the syntax of each filter. Every Organizational Unit must begin with OU=. If a hierarchy structure is being included, be sure to separate each element with a comma. Also avoid using unnecessary spacing.
Clear the organizational unit filter to ensure that SSL-Explorer searches the entire Active Directory tree.
Note
Knowledge Base
For more information on overcoming other SSL-Explorer related Active Directory problems refer to the 3SP Knowledge Base at http://3sp.com/kb
Configuring LDAP
LDAP, much like Active Directory, is divided into four distinct areas.
Hostname: Hostname of the server hosting the LDAP service.
Port: Listening port of the LDAP service.
Protocol: LDAP protocol to be used. Options include secured SSL communication or plain, unsecured communication.
Base DN of LDAP server: The base DN represents the location where you want to start LDAP queries within the namespace. This may be the root of the LDAP directory tree or a specific branch.
Service Account Authentication: The LDAP authentication method required to access the service. The simple method will require valid user account details to access the service; anonymous will connect to the directory anonymously with no user credentials required; and MD5-Digest uses digest authentication to securely send the user credentials as an MD5 hash to the LDAP service, as opposed to plain-text as with the other two methods.
Service Account DN: The distinguished name that identifies the Service Account user.
Service Account Password: The associated user password.
The next tab, OU Filter, is optional but allows specific organizational units to be added or removed from SSL-Explorer.
Create Role Organizational Unit: The OU where new roles will be created.
Create User Organizational Unit: The OU where new users will be created.
Include Organizational Unit Filter: Add any OUs that should be used when listing accounts and roles. Only the accounts residing in the OUs you specify will be shown. For further details refer to the section titled, Organizational Unit Filter.
Exclude Organizational Unit Filter: Add any OUs that should not be used in the listing of accounts and roles.
The next tab is the User Schema tab which provides schema information so SSL-Explorer can successfully link to the correct user classes at run time.
User class: The LDAP class object used to represent a User class.
Username attribute: Username attribute from the User class, if one exists.
Fullname attribute: Fullname attribute from the User class, if one exists.
Note
LDAP Class Objects
SSL-Explorer needs to understand which User and Role classes are in use by the given LDAP installation. Since each installation can use a different type of schema, this information makes SSL-Explorer compatible with a larger number of LDAP installations.
Email attribute: Email attribute from the User class, if one exists.
Home directory attribute: Home directory attribute from the User class, if one exists.
Role membership attribute: Role membership attribute from the User class, if one exists.
Role membership contains DNs?: If the role membership attribute value points to a distinguished name then this box should be checked. The role membership attribute can contain a value or otherwise refer to another object in the directory.
The next tab, Role Schema, requires role information so SSL-Explorer can successfully link to the correct role classes at run time.
Role class: The LDAP class object used to represent a Role.
Rolename attribute: The rolename attribute from the Role class, if one exists.
Role membership attribute: The role membership attribute from the Role class, if one exists.
Role membership contains DN?: If the role membership attribute value points to a distinguished name then this box should be checked. The role membership attribute can contain a value or otherwise refer to another object in the directory.
The final tab, Options, allows an advanced user to fine tune LDAP operations.
Connection timeout: Generic connection timeout for Active Directory sessions.
Max Cache Objects: Amount of information, retrieved from the AD, to cache. If the AD is large this should be set to a high value. Typically an object is cached for each user and one for each group. Calculating how many groups and users you have is a good guide when setting this. If the setting is too low some users may not be able to log in.
Page Size: The number of objects returned in each paged request; the default should be acceptable in most cases.
User/Group details Cache TTL: This is the minimum Time to Live value, which must be greater than 10 seconds. The default value of 300 seconds stores Active Directory user information in cache for 5 minutes before clearing the cache. The next required action fetches user details again, caching for another 300 seconds. A value too low will cause severe delays in processing any action as SSL-Explorer will continually be re-fetching data from the domain controller.
Configuring NIS
NIS only has one tab, Connection.
Hostname: The hostname of the NIS server.
Domain name: The NIS domain name.
Refresh interval: Remote accounts and groups are cached. This value is the interval (in minutes) between updates.
Include Local Accounts: If selected, local accounts are also included in the list of available accounts. This only works on UNIX-like systems that have an /etc/passwd and/or /etc/shadow file.
Include Local Groups: If selected, local groups are also included in the list of available groups. This only works on UNIX-like systems that have an /etc/group file.
By the end of this chapter the reader should understand the purpose of the super user and the necessary steps involved in configuring a super user.
As the diagram above highlights, middle-tier users manage the everyday running of SSL-Explorer, from creating users to assigning permissions.
Disable the Super User
The super user should be disabled after handing over management duties to other users. This helps prevent security breaches against this highly privileged user account.
Note
The super user is defined in one of two ways: when the built-in database is chosen as the user database, or through an external database such as Active Directory or LDAP.
Password Structure and Complexity
To tighten the security of the super user password it is recommended that an alphanumeric, mixed-case password is used. As is usually the case, the more complex the password, the greater the security.
If an external user database is chosen, SSL-Explorer loads all necessary users from the external database. Since users and roles are managed outside the system, the installation can only choose an existing user to act as the super user. All that needs to be done is to choose an appropriate username. The installation wizard lists every user found within the OU filters previously selected. As the screenshot below shows, all users found beginning with the letter A are listed.
The password field is disabled as the user credentials are taken from the external database. That's all there is to using an existing external user database. Since all the necessary work of configuring users and groups has already been carried out and stored within that database, SSL-Explorer can now use them directly.
By the end of this chapter the reader should have an understanding of what a web server is and how the internal SSL-Explorer web server can be configured if need be.
What is HTTP/S?
Hypertext Transfer Protocol (HTTP) is the foundation protocol of the World Wide Web. It defines the rules for exchanges between browser and server. It provides for the transfer of hypertext and hypermedia, for recognition of file types and other functions. Hypertext Transfer Protocol Secure (HTTPS) is a variant of HTTP. HTTPS communications protocol is designed to transfer encrypted information using the Secure Sockets Layer protocol (SSL).
SSL-Explorer HTTP/S
During the installation wizard SSL-Explorer runs using HTTP since at this stage, no SSL certificate has yet been configured for use. Certificates are the key to maintaining secure transactions and during the installation stage an appropriate certificate is configured, refer to chapter Certificate Management. Once installation is complete and everything has been successfully configured SSL-Explorer will then begin to operate strictly over HTTPS. All transactions from all users are secured.
Is it Secure?
To be reassured that the SSL-Explorer service is operating securely you should see the following:
A Secure URL: The SSL-Explorer URL will begin with https instead of http to denote a secure URL.
A Secure Browser: In the bottom right corner of the browser the padlock image should be visible.
HTTPS is a recognized worldwide standard for secure communications that was initially created by Netscape. These features are required by every web site claiming to be secure.
When the user communicates with SSL-Explorer via static HTML pages, the browser generates an HTTP request which is addressed to the Jetty HTTP server component. If the request requires static information, such as another HTML page, the server simply services the request by locating and returning the necessary page. Dynamic content, however, requires much more complex processing, and this is where Jetty's servlet container comes in. The HTTP server routes the request on to the servlet container, where the controller program intercepts it. The controller reads the request and decides the course of action necessary for it. The available tasks or actions an application can perform are defined within the Model component in the form of object-oriented action classes. The Controller maps the request to an appropriate action by creating an object of the action class and calling one of its methods. If the invoked action needs to update the state of SSL-Explorer it creates or modifies appropriate objects of the Model, known as state objects. State objects represent a runtime view of the current state of the system. Once an action has completed servicing the request the Controller invokes a JSP page template, part of the View. The JSP template is then responsible for presenting the new, updated state of the application to the user; this may be a new page, a new shortcut in Network Neighborhood or a new application execution.
The main body of this step is in setting up the listening interfaces, the means by which clients can enter the service. This and the remaining configurable features are detailed below.
Step 3
Listening Interface
This option specifies which interfaces SSL-Explorer should listen on for incoming requests. The installation wizard searches for all available network interfaces on the machine. If the machine has two network cards then both of their interfaces will be loaded into the Available Interfaces.
In addition, as can be seen above, any other interfaces such as virtual interfaces created by external programs are also detected and listed as available. These define all the interfaces by which external users can physically enter the machine and by default All Interfaces is selected.
All network cards (and any available virtual network interfaces) will be used to listen for appropriate incoming SSL-Explorer requests. This scenario should be acceptable in most situations. For more advanced configurations, restrictions to specific interfaces can be specified.
As the diagram above shows, only two listening interfaces are selected despite the SSL-Explorer machine having three. While connections to SSL-Explorer via the two selected interfaces are accepted, any connection attempted via the unselected interface will not be allowed. Looking more closely at the diagram, all three connections are actually made and routed to the SSL-Explorer instance. Pre-login code is then executed; this is where the interface addresses are validated and the requests accepted or rejected accordingly.
Modifying Interfaces
The interfaces placed in the Selected Interfaces list box will be the only ones able to accept client requests. To add a new interface from the Available Interfaces list box, use the Add button to the right of the Available Interfaces list box.
To remove an interface from the Selected Interfaces list box use the Remove button to the right of the Available Interfaces list box.
External Hostnames
Any hostname entered into the Valid External Hostnames list box enforces that only connections made to those specific hostnames can access SSL-Explorer. This can be useful in cases where you wish to deprecate an old server, transparently redirecting incoming connections to a new server. For example, by specifying http://sslexplorer.com, any user request that comes in on any other URL, such as http://sslexplorer.co.uk, will be redirected to the designated hostname, http://sslexplorer.com.
As the diagram above shows, the first request comes in on http://sslexplorer.com (the user's browser having resolved the address from its DNS entries). SSL-Explorer validates the incoming hostname against its valid external hostname list. This hostname is not valid and so an HTTP redirect message is sent back to the client browser with the valid hostname entry. The browser again validates this new hostname against its DNS entries and finds a match. This time the request is made using the valid hostname, http://sslexplorer.co.uk, and the connection is successful. If, however, the client were unable to resolve the redirected hostname from its DNS, the client would be unable to gain access to SSL-Explorer.
Modifying Hostnames
Hostnames placed in the Valid Hostnames list box will be the only external hostnames accepted. Any request on another URL will be asked to re-connect via a valid hostname. The given valid hostname must be resolvable from the client machine's DNS, otherwise the second connection attempt by the client will fail.
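The two pre-login checks described above, the listening-interface check and the valid-external-hostname redirect, as an added example in Python. This is not SSL-Explorer's own code; the sample configuration is constructed (the two addresses are the ones quoted in the Summary page example later in this guide), and the choice to redirect to the first listed hostname, to keep the original path, and to accept any Host header when the list is empty are assumptions the page does not state.

```python
"""Added example (not SSL-Explorer's own code): the pre-login checks on the
interface a request arrived on and on the Host header, with the redirect to a
valid hostname that the text above describes."""
from urllib.parse import urlunsplit

# Constructed sample configuration: the two addresses are the ones used in the
# Summary page example later in this guide, the hostname is the one used above.
SELECTED_INTERFACES = {"192.168.154.1", "192.168.1.163"}
VALID_EXTERNAL_HOSTNAMES = ["sslexplorer.com"]


def normalise_host(host_header):
    """Lower-case the Host header and strip any :port suffix so that
    'SSLEXPLORER.COM:443' and 'sslexplorer.com' compare equal."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:443
        return host.split("]", 1)[0] + "]"
    return host.split(":", 1)[0]


def check_request(local_addr, host_header, path="/", scheme="https",
                  selected=SELECTED_INTERFACES,
                  valid_hosts=VALID_EXTERNAL_HOSTNAMES):
    """Return ('reject', None), ('redirect', url) or ('accept', None).

    A request that arrived on an interface outside the Selected Interfaces
    list is refused. A request whose Host header is not in the Valid External
    Hostnames list is answered with a redirect to the first listed hostname,
    keeping the original path (assumption: the page does not say which entry
    is used when several are configured). An empty hostname list accepts any
    Host header (assumption).
    """
    if local_addr not in selected:
        return ("reject", None)
    host = normalise_host(host_header)
    if valid_hosts and host not in [h.lower() for h in valid_hosts]:
        return ("redirect", urlunsplit((scheme, valid_hosts[0], path, "", "")))
    return ("accept", None)
```

The interface check runs first: a request on an unselected interface is dropped before the Host header is even looked at, which matches the order the diagram discussion gives (routing happens, then pre-login validation).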
To configure a new hostname, type the name in the text box labeled Hostname. To then add this hostname use the Add button to the right of the Hostname text box.
The hostname will be added to the list box labeled Valid External Hostnames. To remove a hostname from the list box use the Remove button to the right of the Hostname text box.
By the end of this chapter the reader should be familiar with a proxy server and its purpose and in particular how SSL-Explorer can be configured, in this step, to utilize an existing company web proxy server.
In addition, a proxy can also be configured to act as a firewall, controlling traffic to resources and from certain clients. The most common proxy application is a web proxy, which proxies HTTP requests. Its main function is to keep a cache of web pages and files available on remote web servers, allowing local clients to access them more quickly, more reliably and without ever leaving the internal network.
Configuration of the proxy is complete. SSL-Explorer will try to connect and authenticate itself with the proxy server once everything has been configured.
Enterprise Edition
SSL-Explorer has both an open-source GPL edition and an Enterprise edition. The Enterprise edition comes with high-end, enterprise-grade features as well as commercial support. This step in the installation allows an Enterprise License to be installed. Both versions of SSL-Explorer can take advantage of additional extensions that are available from the 3SP Extension Store. Some extensions add further functionality to the server itself, whilst others may be applications that can be deployed and executed over the SSL-Explorer VPN. This chapter details exactly what extensions are and how to install them. The sections included in this chapter are:
Community Edition vs. Enterprise Edition
Install SSL-Explorer Enterprise Edition
Interface
Feature
Granular policy-based rights management
Remotely browse Windows file systems via Windows Explorer
Microsoft Outlook Web Access 2003 supported - move vulnerable OWA servers out of the DMZ
Reverse proxy web forwarding feature
Active Directory authentication supported
Built-in database authentication supported
UNIX authentication supported
Configurable authentication schemes
Access your desktop remotely
Intranet resources may be securely externalized using web forwarding
Accessible using zero-footprint VPN client
Connect using any modern web browser
Supports access through HTTP
Local and remote tunneling via SSL
Session inactivity timeouts
Web application URL masking
No dedicated appliance necessary
Supports Microsoft Windows XP/2000/2003 and Red Hat Linux 8.0 or later (other Linux distributions are unofficially supported)
Commercial Support
SSL client certificate authentication
SMS (text message) authentication using one-time-password
SafeNet iKey 2032 and Aladdin eToken Pro USB devices supported for FIPS-certified PKI authentication
Community X X X X X X X X X X X X X X X X X X X -
Enterprise X X X X X X X X X X X X X X X X X X X X X X
Feature                          Community   Enterprise
Enterprise Active Directory      -           X
LDAP authentication              -           X
Public-key authentication        -           X
PIN authentication               -           X
IP authentication                -           X
RADIUS authentication            -           X
Finalizing Installation
Once all configuration details have been completed, all that remains is to apply the configuration to the SSL-Explorer VPN server. This chapter details the final step and includes the following sections:
The Summary Page
Summary Interface
Summary
The system provides a summary of all the configuration data that has been supplied by the user, as the snippet above shows, for the Web Server configuration step the port was configured to 443 and the interfaces 192.168.154.1, 192.168.1.163. Everything is neatly detailed under the appropriate step.
Making Modifications
The configuration can be modified by selecting the Previous button at the bottom right of the page; the installation wizard can move back through the process to any step.
Any previously configured step can be modified and again when the summary appears the new details will be shown.
Summary Interface
The summary page is divided into two parts; the first is the summary page, highlighting the configuration values set by the user.
Once Finish is pressed the installation wizard begins configuring the instance, a progress bar like the one below is shown:
The second is the result after these configurations have been applied.
Summary
Step 1
The page displays a summary of all the configuration details entered by the user. To apply the configuration details simply press the Finish button.
Step 2
The system begins to apply the configuration to the SSL-Explorer instances. This process takes a few seconds to complete. Results of the configuration changes are displayed with any errors or warnings clearly highlighted. After a successful result clicking on the Exit Install button at the bottom of the page will complete the process.
Step 3
In order for the configuration to take effect SSL-Explorer is automatically shut down. The installation process is now complete. For users to begin using the newly configured instance SSL-Explorer must be started in run mode. For details on starting SSL-Explorer in run mode refer to the section titled Starting SSL-Explorer in this document.
Unsuccessful Configuration
If any configuration is unsuccessful an error message is shown similar to one below:
In addition a new option to re-run the installation process will become available.
Clicking on this button will return the user to the start of the installation process. This will allow the user to re-configure SSL-Explorer and correct any details.
Configuration State
The installation wizard maintains the state of each step, so there is no need to re-enter all the previous configuration details.
Note
Publishing Server
An SSL VPN's purpose is to provide secure remote access from the internet. In order to achieve this some additional configuration will be required on your firewall to route incoming requests to the SSL-Explorer server on your internal network. In this section we cover:
Pre-requisites
Configuring SSL-Explorer with a Firewall
Testing the SSL-Explorer service
By the end of this chapter the reader should have a working SSL-Explorer server.
Pre-requisites
The following list shows the actions that should already have been performed. If these prerequisites have not been completed it is likely that the SSL-Explorer services will either not work or will behave unexpectedly.
Install SSL-Explorer
Configure SSL-Explorer: Using the Installation Wizard.
Configure SSL-Explorer Service: This will be dependent on the operating system SSL-Explorer is installed on.
Below is an example of a simple firewall interface, the required values have already been filled.
If the connection attempt is successful then the following dialog will be presented.
Seeing the above dialog means that the SSL-Explorer server has successfully been contacted and has sent a reply to the client's browser. It is strongly recommended that you try port scanning your SSL-Explorer server from an external IP address in order to be sure that access to all ports apart from 443 is correctly disabled.
System Configuration
This section provides details on how to configure SSL-Explorer whilst it is up and running. Some of the items detailed have already been described in the installation wizard, but many are only accessible once the server instance is up and running. Since configuration is a large area it has been divided into two; this section covers the System Configuration function. By the end of this chapter the reader should know how to successfully reconfigure the SSL-Explorer instance.
Server Configuration
The management console contains all the necessary functions that affect the workings of an SSL-Explorer VPN server. As a super user all functions are accessible and configurable. This chapter details the available options covering the following areas: Interface Configure Configure Configure Configure Configure Configure
These pages are operated through the standard control described in the section titled Amending Configuration Parameters in the Management Console chapter.
Interface
The server configuration page is accessible from Management Console > System Configuration > Server.
The tabbed menu above the main page, shown below, allows easy access to each section; any server-related configuration parameter can be amended at any time and each section is accessible in any order. As new extensions with configuration options are added, a new tab is created for the appropriate module. These configuration tabs are detailed in their own sections. Please refer to the appropriate chapters for more information on individual tabs.
Configuration Parameters
It is not advisable to alter these settings without prior knowledge of web-server tuning. The defaults should suffice for most installations. The basic configurable options and their meanings are:
Port: The HTTPS port. The default HTTPS port is 443, which should be sufficient for most installations; however, if some other service relies on this port then another port can be specified. If another port is used be sure users add this specific port to the URL, https://server.co.uk:port
Bind address: Refer to the section Reconfigure Listening Interface.
HTTP Port: The port number on which to listen for HTTP requests. Users cannot access the main SSL VPN over HTTP; this service is available to extensions to add HTTP services and to redirect users to the HTTPS server.
Valid external hostnames: Refer to the section Reconfigure External Hostnames.
Invalid Hostname Action: What action to perform if a client connects using an invalid hostname.
Disable Certificate Warning: Disable untrusted certificate warning messages.
Configure Performance
The next tab in the interface list is the Performance tab. These parameters alter the way the system performs. In most deployments the default values should suffice but if you are experiencing delays using the system then altering these values could yield good results.
Performance Interface
The picture below shows the Performance page.
Configuration Parameters
Minimum Threads: Threads reserved for the web server. The Jetty server pools the number of threads defined by this parameter. Too few and the system will have to wait for threads to become free.
Maximum Threads: The maximum number of threads to use before attempting to reclaim system resources. Jetty's maximum number is restricted by the Java runtime and operating system. As a rough guide, assume one thread per VPN user.
Max Idle Time: Threads that are idle for longer than this period are liable to be terminated until the thread pool size reaches the minimum thread size.
Resource Persist Time: When the Jetty listener is low on resources, this timeout is used for idle persistent connections. It is desirable to set this to a short period of time so that idle persistent connections do not consume resources on a busy server.
Buffer Size: SSL-Explorer uses a buffer of this size to construct its reply to the client. A larger buffer allows more content to be written before anything is actually sent, giving SSL-Explorer more time to set appropriate status codes and headers. A smaller buffer decreases server memory load and allows the client to start receiving data more quickly.
Buffer Reserve: The space reserved in the first buffer of a response to allow an HTTP header to be written in the same packet. The reserve should be large enough to avoid moving data to fit the header, but not so large as to waste memory.
Requests per GC: If this is set greater than zero, the system garbage collector is invoked after approximately this number of requests. For predictable response times it is often best to have frequent small runs of the GC rather than infrequent large runs.
Enable Request Log: Request logs are a record of the requests that the server has processed. When enabled, logs are written to <SSL-Explorer installation>/logs.
TCP/IP No Delay: Turn on the TCP/IP No Delay option to force all data to be flushed to the network rather than buffered.
Enable Statistics Log: Turn on the web server statistics log.
Statistics Log Update: Time in seconds between periodic updates of the web server statistics log.
Configure Proxies
The next tab in the interface list is the Proxies tab, which allows proxy details to be configured. A proxy server is an application that enables a client to make indirect network connections to other network services. A client connects to the proxy server requesting a resource available on a different server; the proxy retrieves the data, whether across the internet, the internal network or from its internal cache. Some SSL-Explorer services need to make external calls across the internet, and the Installation Wizard allows the SSL-Explorer instance to be configured to direct these external accesses through a company proxy server if required. Configure Proxy allows these details to be changed in the event that a company introduces a proxy policy, or removes or upgrades its current proxy server. More information on proxy servers can be found in the SSL-Explorer Installation Guide, in the chapter titled Adding External Proxy.
Proxy Interface
The picture below shows the Proxy Configuration page.
Configuration Parameters
Proxy Hostname: Hostname of the HTTP proxy server.
Proxy Port: The port on which the proxy server is listening for connections.
Proxy Username: If the proxy server requires an authenticated account, the username of that account.
Password: The password for the associated authenticating username.
Non-Proxied Hosts: Any host which should bypass the proxy server should be entered here; for example, an SSL-Explorer instance accessing a server that exists on the same machine may not need to go through the proxy server, in which case the target server should be keyed in here. Entries should be one per line with no termination character. Wildcards such as *.foo.com may be entered to exclude a range of hosts.
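The Non-Proxied Hosts semantics above (one entry per line, *.foo.com wildcards, everything else sent through the proxy), as an added Python example. It is not SSL-Explorer's code; the proxy address and the host list are constructed, and case-insensitive matching and the use of shell-style wildcard matching are assumptions.

```python
"""Added example (not SSL-Explorer's own code): decide whether an outgoing
connection should go through the configured HTTP proxy, honouring a
Non-Proxied Hosts list with one entry per line and *.foo.com wildcards."""
from fnmatch import fnmatchcase

# Constructed sample configuration
PROXY = ("proxy.corp.example", 8080)
NON_PROXIED_HOSTS = """
localhost
127.0.0.1
intranet.corp.example
*.corp.example
"""


def parse_non_proxied(text):
    """One pattern per line, blank lines ignored, lower-cased for comparison."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def bypasses_proxy(host, patterns):
    """True when the host matches any entry; '*' matches across dots, so
    *.corp.example also covers a.b.corp.example but not the bare corp.example."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pattern) for pattern in patterns)


def proxy_for(host, proxy=PROXY, non_proxied=NON_PROXIED_HOSTS):
    """Return (proxy_host, proxy_port) to connect through, or None for a
    direct connection."""
    if bypasses_proxy(host, parse_non_proxied(non_proxied)):
        return None
    return proxy
```

Note that a bare domain is not covered by its own wildcard entry: to bypass the proxy for both corp.example and its subdomains, list both forms.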
UI Interface
The screenshot below shows the interface.
Configuration Parameters
Automatically Connect to Extension Store: When checked, SSL-Explorer will automatically connect to the 3SP application store whenever the application management page is loaded.
Allow user to select language: On the logon page and throughout the entire system a user can change their language as and when required. This is made available through the Language Selection box to the right of the system. By checking this option the language selection box is disabled and invisible to all users, meaning that the default language must be used by all. Checking this box activates the selection box and makes it visible to all users again.
Default language: This sets the default language throughout the system.
Retrieve Online Resources: When enabled, context-sensitive links to online resources are displayed on pages.
Allow Open Webfolders in Firefox: When enabled, Firefox users will see the Open As Webfolder action for network places. This requires that the Open as Webfolder Firefox extension is installed.
Configure SSL
This tab defines how SSL is configured within the system.
SSL Interface
The screenshot below shows the interface.
Configuration Parameters
Enforce Strict SSL Trust Mode: This option enforces strict security requirements on outgoing SSL connections. All outgoing SSL connections must present a trusted SSL certificate, trusted either by the default Java CA trust store or by the SSL-Explorer trust store. If a server presents an untrusted certificate the connection is terminated.
Supported Protocols: The list of protocols supported by SSL-Explorer. Nothing in the selected Protocol box simply means the default setting of all protocols is enabled.
Supported Ciphers: The list of SSL ciphers supported by SSL-Explorer. If the selected cipher list is empty then all available ciphers are supported. If you edit this list, ensure that SSL_RSA_WITH_RC4_128_MD5 is selected, as this is required by the SSL-Explorer Agent.
Potential Compatibility Issues
Editing the supported ciphers may cause compatibility problems with some older browsers.
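A pre-save check for the Supported Protocols and Supported Ciphers lists, as an added Python example rather than SSL-Explorer's own code. It encodes the two rules stated above (an empty list means everything is enabled; a non-empty cipher list must keep SSL_RSA_WITH_RC4_128_MD5 for the Agent) and, as an addition of this example, reports suites and protocols that current guidance treats as weak, so an administrator editing the list sees that the Agent's required suite is one of them. The marker strings and protocol names are the author's assumption about how the Java names are spelled.

```python
"""Added example (not SSL-Explorer's own code): validate the Supported
Protocols and Supported Ciphers lists before saving them. An empty list means
'all enabled', as the page states; a non-empty cipher list must still include
the suite the SSL-Explorer Agent requires."""

AGENT_REQUIRED_CIPHER = "SSL_RSA_WITH_RC4_128_MD5"    # named on the page

# Markers for suites and protocols that current guidance treats as weak:
# RC4 is prohibited by RFC 7465, SSLv3 is deprecated by RFC 7568, and
# NULL/EXPORT/anon/DES/MD5 suites give no or inadequate protection. This
# classification is added here; it is not an SSL-Explorer setting.
WEAK_CIPHER_MARKERS = ("_RC4_", "_NULL_", "_EXPORT", "_anon_", "_DES_", "_MD5")
WEAK_PROTOCOLS = ("SSLv2Hello", "SSLv3")      # Java protocol names


def check_ssl_config(protocols, ciphers):
    """Return {'ok': bool, 'findings': [str]}; 'ok' is False only when the
    configuration would break the Agent (error), never for warnings."""
    findings = []
    if not protocols:
        findings.append("info: protocol list empty, all protocols enabled")
    for p in protocols:
        if p in WEAK_PROTOCOLS:
            findings.append(f"warning: protocol {p} is deprecated")
    if not ciphers:
        findings.append("info: cipher list empty, all ciphers enabled")
    elif AGENT_REQUIRED_CIPHER not in ciphers:
        findings.append(f"error: {AGENT_REQUIRED_CIPHER} missing; "
                        "the SSL-Explorer Agent requires it")
    for c in ciphers:
        if any(m in c for m in WEAK_CIPHER_MARKERS):
            findings.append(f"warning: {c} is a weak suite; keep it only "
                            "because a client such as the Agent needs it")
    ok = not any(f.startswith("error") for f in findings)
    return {"ok": ok, "findings": findings}
```

Because the Agent's suite is both required and weak, the check deliberately treats its absence as an error and its presence as a warning: the warning records the trade-off without blocking a working configuration.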
Configuration Parameters
Enable NTP Time Synchronization: Enable the use of NTP servers. Once checked, the listed NTP servers are used for time synchronization.
NTP Servers: The NTP servers to use. The default servers in the list are part of the pool.ntp.org domain (www.pool.ntp.org).
Update Interval: Enter the time in hours for how often you wish to update the system clock.
System Command: If SSL-Explorer does not support setting the time natively on the installed platform, this parameter allows a super user to provide a command and arguments to perform the action via a system call.
This is the final section that can be configured from the Server configuration page. The following chapters continue with the remaining pages available from the top level System Configuration page starting with resources.
Resources
Resources are the main entities a user of the system will want to access once the system is up and running. Resources allow a user to access various parts of the system securely; among other things they allow applications to be executed and intranets to be accessed securely. This chapter details the basic configuration options available from the resources configuration page, covering the following sections:
Interface
Configurable Resources
Network Places
Web Forwarding
These pages are operated through the standard configuration pages control described in the section titled Amending Configuration Parameters in the Management Console chapter.
Interface
The resources page is accessible from Management Console > System Configuration > Resources.
The tabbed menu above each page, shown below, allows easy access to each section; any configuration parameter can be amended at any time and each section is accessible in any order.
Configurable Resources
The resources configuration page allows the configuration of resources. As further resources are added to an installation, such as nEXT, an associated configuration tab becomes available. Each configuration tab for the resources highlighted above is detailed below.
Network Places
A network place resource enables secure access to network resources such as files, folders and directories. SSL-Explorer uses not only its own in-built interface to access Network Neighborhood resources but is also compatible with Microsoft Web Folders, allowing a more intuitive means of accessing remote folders over the internet.
Configuration Parameters
Try current user (1st): When accessing a network resource which requires further authentication, SSL-Explorer will automatically use the user's current username/password.
Try guest (2nd): If the user's current authentication details fail, SSL-Explorer will try to authenticate using guest and anonymous credentials.
If both options fail the user is presented with a login box allowing the user to authenticate manually.
Note
Configuring Guest Authentication
Configuration of the guest account can be found under System Configuration > Integration.
Windows
Web Forwarding
On a conventional network, providing remote access to intranet websites is not straightforward, as intranet resources are not designed to be externally accessible and are therefore not resolvable using the DNS system. It is for this reason that SSL-Explorer provides a web forwarding facility as a means of allowing secure access to the internet as well as a corporate intranet. Administrators can publish links to intranet resources for access in SSL-Explorer via a web forward. SSL-Explorer's web forwarding technology provides three techniques for creating web forwards, each with its own characteristics:
Tunneled Web Forward: This is a direct port-forwarded SSL tunnel to the remote site. This method requires that the VPN client is launched on the client system.
Replacement Web Forward: Requests are sent to SSL-Explorer, which retrieves the content on the client's behalf, rewriting links so that content is retrieved only from SSL-Explorer's inbuilt web server. Does not require the VPN client.
Reverse Proxy Web Forward: All requests bound for the client are processed by a reverse proxy beforehand, which decides whether the request will be sent on to the requesting client. Does not require the VPN client.
Configuration Parameters
Directory: When a web page is loaded its content is cached to a temporary folder on the local machine for quick access; this parameter defines the location of the temporary directory. As the default setting shows, during execution of a web forward the %TMP% variable is taken from the system variable TMP. This variable can be replaced either by a full directory location or by another environment variable.
Max. Size per User: The directory above is created on a client machine; this parameter defines how large that directory may grow. The default of 10MB means that each user's cache will not exceed 10MB.
Max. Objects per User: An additional limit is placed on the number of objects (HTML pages, images, CSS etc.) that can be stored. If the limit is exceeded, either in terms of the directory size or the number of objects (which defaults to 10000 objects), the system continues to cache new content, making space by removing the oldest cached objects.
Max. age: The maximum number of minutes each cached item will be stored for. A value of 0 means store forever (or until logout).
Clear on Logout: Checking this parameter clears the cached data once the user has logged out of the system. The default value for this is checked; retaining cached information takes up unnecessary space and compromises security by leaving behind traces of internet content visited/accessed.
Active DNS Host Format: The format of the unique Active DNS hostname used to access reverse proxy web forwards.
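The cache limits described above (Max. Size per User, Max. Objects per User, Max. age and Clear on Logout) as an added Python example showing how the four parameters interact. It is not SSL-Explorer's code: the defaults copy the values the page gives, but the data structure, the oldest-inserted-first eviction order and the injectable clock are the author's assumptions.

```python
"""Added example (not SSL-Explorer's own code): a per-user web-forward cache
that enforces the Max. Size per User, Max. Objects per User, Max. age and
Clear on Logout parameters above. Defaults follow the page (10MB, 10000
objects, age 0 = keep until logout, clear on logout checked); the eviction
policy 'remove the oldest cached objects' is implemented as oldest-inserted
first."""
from collections import OrderedDict
import time


class WebForwardCache:
    def __init__(self, max_bytes=10 * 1024 * 1024, max_objects=10000,
                 max_age_minutes=0, clear_on_logout=True, clock=time.time):
        self.max_bytes = max_bytes
        self.max_objects = max_objects
        self.max_age = max_age_minutes * 60       # seconds, 0 = never expires
        self.clear_on_logout = clear_on_logout
        self.clock = clock                        # injectable for testing
        self._items = OrderedDict()               # url -> (stored_at, data)
        self.size = 0

    def put(self, url, data):
        """Store data; returns False if one object exceeds the whole cache."""
        if len(data) > self.max_bytes:
            return False
        if url in self._items:
            self._remove(url)
        # Evict the oldest entries until both limits leave room for the new one.
        while self._items and (self.size + len(data) > self.max_bytes
                               or len(self._items) >= self.max_objects):
            self._remove(next(iter(self._items)))
        self._items[url] = (self.clock(), data)
        self.size += len(data)
        return True

    def get(self, url):
        """Return cached data, or None on a miss or when Max. age has passed."""
        entry = self._items.get(url)
        if entry is None:
            return None
        stored_at, data = entry
        if self.max_age and self.clock() - stored_at > self.max_age:
            self._remove(url)
            return None
        return data

    def logout(self):
        """Clear on Logout: discard everything so no browsing traces remain."""
        if self.clear_on_logout:
            self.clear()

    def clear(self):
        self._items.clear()
        self.size = 0

    def _remove(self, url):
        _, data = self._items.pop(url)
        self.size -= len(data)

    def __len__(self):
        return len(self._items)
```

The size and object limits are checked together on every insert, so whichever limit is hit first triggers eviction, which is the behaviour the Max. Objects per User description implies.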
What is CIFS?
Common Internet File System (CIFS) is used for client/server communication within Microsoft operating systems. It is designed to enable all applications, not just web browsers, to open and share files securely across the Internet by defining a remote file-accessing protocol that is compatible with the way applications already share data on local disks and network file servers. CIFS is an enhanced version of Microsoft's cross-platform Server Message Block (SMB) protocol, the native file-sharing protocol in the Windows operating system. Not intended to replace HTTP, CIFS complements HTTP while providing more sophisticated file sharing and file transfer than older protocols such as FTP.
Configurable Parameters
WINS Server Address: If a WINS server is in use, the location of the server. Information on WINS servers can be found in the section titled What is WINS?
NetBIOS Hostname: The SSL-Explorer instance's NetBIOS name can be declared if clients are having trouble locating the instance. For more information on NetBIOS refer to the section titled What is NetBIOS?
NetBIOS Scope: A NetBIOS scope ID provides an extended naming service; it is used to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. If a scope ID is used it must be set using this property or name queries will fail.
NetBIOS Local Interface Address: The IP address of the local interface the client should bind to for name queries if it is different from the default. More information on NetBIOS can be found in the section titled What is NetBIOS?
NetBIOS Broadcast Address: A broadcast address is an IP address that allows information to be sent to all machines on a given subnet rather than to a specific machine; for example, if the local host's IP address is 192.168.1.15, the broadcast address would likely be 192.168.1.255. It may be necessary to set the broadcast address for certain network configurations because the default of 255.255.255.255 may throw an error. More information on NetBIOS can be found in the section titled What is NetBIOS?
LMHOSTS File Path: The path to an LMHOSTS file containing a map of IP addresses to hostnames; refer to the chapter titled What is the lmHosts File? for more information on the LMHOSTS file.
NetBIOS Socket Timeout: Defaulting to 5 seconds, this parameter restricts the datagram socket used for name service querying. If no answer is received within 5 seconds the socket is closed.
NetBIOS Retry Count: The number of times a name query should be attempted if no answer is received. This defaults to 2.
NetBIOS Retry Timeout: The duration in milliseconds that the client will wait for a response to a name query. The default is 3 seconds.
Local Interface Address: The IP address of the local interface the client should bind to for name queries if it is different from the default.
Disable Plain Text Password: Windows is capable of authenticating using plain text to support old machines; however, plain text passwords should never be used and are disabled by default.
Response Timeout: The time period a client will wait for a request to be serviced by the target server; the default value is 10 seconds.
Socket Timeout: To prevent the client from holding server resources unnecessarily, sockets are closed after this time period if there is no activity. The default is 15 seconds.
Resolve Order: This specifies which name resolution methods to use and in which order, the first in the comma-separated list being the first technique tried. If this fails the second technique is attempted, and so on. By default the system resolves in this order: LMHOSTS,WINS,BCAST,DNS. The LMHOSTS file is interrogated; if this is unable to resolve the required machine then a WINS server is checked, after which a NetBIOS name query is broadcast on 255.255.255.255 or the address specified by the NetBIOS Broadcast Address parameter. Should this broadcast query fail, DNS is queried. If the DNS query fails, an unknown host error results. For information on these techniques refer to the sections below.
Note
Only Methods Listed Are Used: If the Resolve Order parameter does not include a method (for example WINS or LMHOSTS), that method is not attempted, regardless of whether its associated configuration parameters have been set.
Guest User: This relates to the Try Guest User 2nd configuration parameter available within Resources > Network Places. Whenever a network resource that requires authentication is accessed, setting Try Guest User 1st to true causes this guest username and password to be supplied automatically. For more information on this parameter refer to the chapter titled Web Forwarding. Because these credentials are held in the server configuration and offered to any resource that asks for authentication, the guest account should carry only the minimum permissions needed.
Guest Password: This defines the password used for the guest account.
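The name encoding and the fall-through that these parameters control, as an added example that is not part of the original guide or of the JCIFS library SSL-Explorer uses: the NetBIOS first-level name encoding with the scope ID appended, a small LMHOSTS parser, and a resolver that walks the Resolve Order list and skips anything not listed. The LMHOSTS content and the host names are constructed for the example, and the BCAST method only builds the query name rather than sending a datagram.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// encodeNetBIOSName applies the RFC 1001 first-level encoding used on the wire:
// upper-case, space-pad to 15 bytes, append the suffix byte (0x00 workstation,
// 0x20 file server), then write each byte as two nibbles, 'A'+nibble each.
// Byte 16 is the suffix, which is why only 15 characters of name are usable.
func encodeNetBIOSName(name string, suffix byte) (string, error) {
	name = strings.ToUpper(strings.TrimSpace(name))
	if len(name) == 0 || len(name) > 15 {
		return "", fmt.Errorf("netbios name %q must be 1-15 characters", name)
	}
	raw := append([]byte(fmt.Sprintf("%-15s", name)), suffix)
	out := make([]byte, 0, 32)
	for _, b := range raw {
		out = append(out, 'A'+(b>>4), 'A'+(b&0x0f))
	}
	return string(out), nil
}

// wireName is the QNAME of a name query: the 32-byte label, the NetBIOS Scope
// ID as DNS labels, then the terminator. Hosts with different scope IDs query
// for different names, so they never find each other.
func wireName(name string, suffix byte, scope string) ([]byte, error) {
	enc, err := encodeNetBIOSName(name, suffix)
	if err != nil {
		return nil, err
	}
	q := append([]byte{32}, enc...)
	if scope != "" {
		for _, label := range strings.Split(scope, ".") {
			if len(label) == 0 || len(label) > 63 {
				return nil, fmt.Errorf("bad scope label %q", label)
			}
			q = append(append(q, byte(len(label))), label...)
		}
	}
	return append(q, 0), nil
}

// parseLMHOSTS reads "ip name [#PRE] [#DOM:domain]" lines; a line starting
// with '#' is a comment, while #PRE/#DOM after the name are directives.
func parseLMHOSTS(text string) map[string]string {
	hosts := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && !strings.HasPrefix(f[0], "#") {
			hosts[strings.ToUpper(f[1])] = f[0]
		}
	}
	return hosts
}

// resolve walks the Resolve Order list left to right. A method that is not
// listed is never tried even if configured; a listed method with nothing
// configured (absent from methods) is skipped.
func resolve(order, name string, methods map[string]func(string) (string, bool)) (string, []string, error) {
	var tried []string
	for _, m := range strings.Split(order, ",") {
		m = strings.ToUpper(strings.TrimSpace(m))
		fn, configured := methods[m]
		if !configured {
			continue
		}
		tried = append(tried, m)
		if ip, found := fn(name); found {
			return ip, tried, nil
		}
	}
	return "", tried, fmt.Errorf("unknown host %q", name)
}

// Constructed sample LMHOSTS content; these hosts do not exist.
const sampleLMHOSTS = "# constructed example, not a real network\n192.168.1.15   ARIES    #PRE\n192.168.1.16   TAURUS\n"

// lookupChain wires the methods together. No WINS server is configured, so the
// WINS entry is skipped. BCAST only builds the query name here; a real client
// sends the datagram to the NetBIOS Broadcast Address on UDP/137 and retries
// NetBIOS Retry Count times, waiting NetBIOS Retry Timeout each time.
func lookupChain(order, name string) (string, []string, error) {
	hosts := parseLMHOSTS(sampleLMHOSTS)
	methods := map[string]func(string) (string, bool){
		"LMHOSTS": func(n string) (string, bool) { ip, ok := hosts[strings.ToUpper(n)]; return ip, ok },
		"BCAST": func(n string) (string, bool) {
			wireName(n, 0x20, "") // built but not sent: nothing answers in this offline example
			return "", false
		},
	}
	return resolve(order, name, methods)
}

func main() {
	enc, _ := encodeNetBIOSName("ARIES", 0x00)
	fmt.Println("ARIES<00> on the wire:", enc)
	fmt.Println(lookupChain("LMHOSTS,WINS,BCAST,DNS", "taurus"))
	fmt.Println(lookupChain("LMHOSTS", "orion")) // BCAST not listed, so never tried
}
```

The encoding is what makes the 16-character limit real: the suffix byte occupies the last slot, and a name longer than 15 characters has nowhere to go. The same applies to audit logs, where the generated names the NetBIOS Hostname section warns about appear in this padded, suffixed form.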
What is WINS?
WINS (Windows Internet Name Service) is a name resolution service that resolves computer names to IP addresses. Using WINS, the computer name ARIES, for example, could be resolved to an IP address, enabling computers on a Microsoft network to find one another and transfer information. The underlying application programming interface (API) that enables WINS name resolution and information transfer between computers is NetBIOS (Network Basic Input/Output System). The NetBIOS API contains a set of commands that applications can use to access session-layer services. WINS provides a distributed database for registering and querying dynamic computer name-to-IP address mappings in a routed network environment. A WINS server runs on a Windows NT Server-based computer and handles name registration requests from WINS clients, registering their names and IP addresses. The server also responds to name queries from WINS clients by returning the IP address of the name being queried.
Each line of an LMHOSTS file contains an IP address and a NetBIOS name. The problem with LMHOSTS files is that they have to be maintained: every time a new resource is added to the network the LMHOSTS files on all clients need to be updated. Although clients can be configured to include information from a central LMHOSTS file or files, that file still has to be updated and all the clients configured to use it. This is where WINS is advantageous, since it acts as a central database of NetBIOS name to IP address mappings. All you have to do is set up the WINS server and configure your clients to use it (DHCP can be used to configure the clients with the WINS server information, so that can be centrally maintained as well).
What is NetBIOS?
To transmit WINS queries and other information computers use NetBIOS. NetBIOS provides an API that allows computers on a network to communicate. When TCP/IP networking is installed on a Microsoft client or server, NetBIOS over TCP/IP is also installed. NetBIOS over TCP/IP is a session-layer service that enables NetBIOS applications to run over the TCP/IP protocol stack. NetBIOS applications, such as the command-line NET utilities, rely on WINS or the local LMHOSTS file to resolve computer names to IP addresses. NetBIOS offers network applications a set of hooks to carry out inter-application communication and data transfer; in simple terms, it allows applications to talk to the network and frees them from having to understand the details of the network, including error recovery. Microsoft adopted NetBIOS in the late 1980s for their LAN Manager product and it found its way into early versions of Windows and into Windows NT. It is still present today because many corporate networks still have legacy (Windows 9x or Windows NT) machines which require NetBIOS to function properly on a network. Since Windows 2000, however, DNS has been the default name resolution method for Windows-based networks.
NetBIOS Names
NetBIOS names identify resources on a network; applications use these names to start and end sessions. A single machine can be configured with multiple applications, each with a unique NetBIOS name, which in effect is what the SSL-Explorer VPN is: another Windows networking client with its own NetBIOS name, a box within a box.
NetBIOS Hostname
The NetBIOS Hostname configuration parameter defines the SSL-Explorer instance name, allowing clients to locate the instance. This should not normally need to be modified, as SSL-Explorer's use of the JCIFS API automatically generates a unique dynamic NetBIOS name (if one has not been set) that is broadcast to any WINS servers or central NetBIOS name database by the operating system's network configuration. However, a hostname can be reserved for the instance, in which case it must be unique within the entire network and may consist of up to 16 alphanumeric characters (the 16th byte of a NetBIOS name is reserved as a type suffix, so 15 characters are usable).
Note
Correct NetBIOS Hostname: If the defined name is incorrectly specified, JCIFS will not use it and will continue to generate unique names, which can be meaningless when looking through audit logs.
What is DNS?
WINS is not the only name resolution service available; DNS (Domain Name System) can also be used. DNS is a name resolution service that resolves Internet host names to IP addresses; using DNS the fully qualified domain name www.company.com, for example, can be resolved to an IP address. While WINS is used with NetBIOS applications, DNS is used with Winsock applications that operate over the TCP/IP protocol stack, such as FTP or Telnet. DNS can be configured to work in conjunction with WINS.
Security Options
The Security Options page allows the configuration of security related parameters. Security affects all areas of the system, so this page divides the configurable items into their respective areas. This section only covers those options available with the basic installation of SSL-Explorer; all other option pages are detailed in their respective chapters. The sections covered are:
Initial Options
Password Options
Session Options
Confidential Attributes
Policy Options
Logon Page
Initial Options
In the initial installation of SSL-Explorer the security options page only has a select number of options available. These are shown below.
With the Enterprise Edition a plethora of further authentication modules become available and each has their own configuration tab accessible from this page. Documentation on the configuration options available for the additional modules can be found under the respective chapters for each module.
Password Options
This page contains all the information pertaining to the configuration of the password authentication module, the default module that comes as standard with SSL-Explorer. With the Enterprise Edition the number of available authentication modules increases considerably, and each adds a further tab to this menu.
Configuration Parameters
Max Logon Attempts Before Lock: A value of zero disables this option. The default is 3; after 3 failed logon attempts the account is temporarily locked.
Max Lock Attempts Before Disable: The maximum number of temporary locks before the account is permanently disabled. A value of zero means accounts are never disabled.
Lock Duration: How long a temporary lock lasts, in seconds. The default is 300 seconds.
Password Pattern: Defines how passwords for this instance must be constructed. Details on password patterns can be found below.
Password Pattern Description: This description is shown to the user when defining a personal password.
Days before Expiry Warning: The default is 21 days, after which a warning is displayed informing the user to change their password.
Days before Expiry: The default is 28 days, approximately one month, after which the user is forced to change their password.
Password Pattern
The structure of an account password is defined by a regular expression, which defaults to .{5,}: any password of at least 5 characters. That default accepts any characters at all, including a password made entirely of spaces, so a production instance should set a stricter pattern. The expression is detailed in the diagram below:
The password structure is built around the Java regular expression syntax. Any valid expression will be accepted; examples are given below:
Expression      Meaning
X{n}            X exactly n times
X{n,m}          X between n and m times
[^\s]{n,m}      Any character except white space, with a length between n and m
\w{n,m}         A word character (a-z, A-Z, _, 0-9), with a length between n and m
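The password pattern check and the lock and disable counters described under Password Options, as one added example in Go; this is not SSL-Explorer's own code. The example assumes a password must match the pattern in full, writes patterns in Go's RE2 syntax rather than Java's, and the policy values, the account, the timestamps and the audit "reason" strings are illustrative choices.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// PasswordPolicy holds the Password Options parameters used below.
type PasswordPolicy struct {
	Pattern               *regexp.Regexp
	MaxLogonAttempts      int // failures before a temporary lock; 0 disables locking
	MaxLocksBeforeDisable int // temporary locks before the account is disabled; 0 never disables
	LockDuration          time.Duration
}

// compilePattern turns a Password Pattern into an anchored expression.
// Java's String.matches() tests the whole string, whereas Go's MatchString
// looks for a substring, so anchors are added here. Go's RE2 dialect also has
// no lookahead (?=...), so Java patterns that use it must be rewritten.
func compilePattern(p string) (*regexp.Regexp, error) {
	return regexp.Compile("^(?:" + p + ")$")
}

// Account is the per-user lockout state the module has to keep.
type Account struct {
	failures    int
	locks       int
	lockedUntil time.Time
	disabled    bool
}

// Attempt records one logon attempt at time now; ok says whether the supplied
// password was correct. The reason is for the audit log only: users should see
// the same generic failure message in every case.
func (a *Account) Attempt(p PasswordPolicy, now time.Time, ok bool) (bool, string) {
	switch {
	case a.disabled:
		return false, "account disabled"
	case now.Before(a.lockedUntil):
		return false, "account locked" // a correct password does not end the lock early
	case ok:
		a.failures = 0
		return true, "ok"
	}
	a.failures++
	if p.MaxLogonAttempts == 0 || a.failures < p.MaxLogonAttempts {
		return false, "bad password"
	}
	a.failures = 0
	a.locks++
	a.lockedUntil = now.Add(p.LockDuration)
	if p.MaxLocksBeforeDisable > 0 && a.locks >= p.MaxLocksBeforeDisable {
		a.disabled = true
		return false, "account disabled"
	}
	return false, "account locked"
}

func main() {
	re, _ := compilePattern(`[^\s]{8,64}`)
	for _, pw := range []string{"short", "has space", "correct-horse"} {
		fmt.Printf("%q accepted: %v\n", pw, re.MatchString(pw))
	}
	p := PasswordPolicy{Pattern: re, MaxLogonAttempts: 3, MaxLocksBeforeDisable: 2, LockDuration: 300 * time.Second}
	var a Account
	t0 := time.Now()
	for i := 0; i < 4; i++ {
		_, why := a.Attempt(p, t0, false)
		fmt.Println("attempt", i+1, why)
	}
}
```

Two details worth checking in any implementation of these counters: a correct password presented during a lock must still be refused (otherwise the lock is not a lock), and the lock counter, not the failure counter, is what drives the permanent disable.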
Session Options
Session options are security parameters used by the system to control how user sessions behave.
Configuration Parameters
Maximum Logon Cookie Age: The maximum age of the cookie that is used to persist the logon if the browser is closed. A value of -1 means that the user will have to log on every time the browser is opened.
Multiple Sessions: Defines whether the same user can log on multiple times. Further details can be found below.
Verify Client Address: When checking logon state, verify the remote address of the request against the address recorded at logon. This prevents re-use of logon cookies from other clients. Note that clients behind the same NAT device or proxy share one address, so the check cannot tell them apart, and a client whose address changes mid-session will be logged off.
Lock Session on Browser Close: Enabling this option forces the user to provide their password on opening a new browser and returning to the site.
Multiple Sessions
This option configures whether the same user is able to log into the system more than once simultaneously. The option provides three alternatives depicted below.
As the diagram shows, the final option, Single Session per User / IP Address, is the most restrictive. This setting prohibits the same user from accessing the SSL-Explorer server more than once, locking the user down so that he or she can open a single session from a single machine.
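The session checks above, as an added example that is not part of SSL-Explorer. The page does not say whether a second logon under the single-session options replaces the existing session or is refused; the example assumes Single Session per User replaces it and Single Session per User / IP Address refuses a logon from a different address. Sessions are kept in memory, and the user names and addresses are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// MultipleSessions models the three alternatives of the Multiple Sessions option.
type MultipleSessions int

const (
	MultipleSessionsAllowed MultipleSessions = iota
	SingleSessionPerUser                     // assumed: a new logon replaces the existing session
	SingleSessionPerUserIP                   // assumed: one session, refused from any other address
)

type SessionOptions struct {
	MaxLogonCookieAge   time.Duration // negative (-1 in the UI): no persistent cookie
	Multiple            MultipleSessions
	VerifyClientAddress bool
}

type Session struct {
	ID      string
	User    string
	Address string // remote address recorded at logon
	Created time.Time
}

type Store struct {
	opts     SessionOptions
	sessions map[string]*Session
}

func NewStore(o SessionOptions) *Store {
	return &Store{opts: o, sessions: map[string]*Session{}}
}

// newID draws 128 bits from the CSPRNG; a guessable ID defeats every check below.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Logon enforces the Multiple Sessions setting and then records the session.
func (s *Store) Logon(user, addr string, now time.Time) (*Session, error) {
	for id, e := range s.sessions {
		if e.User != user {
			continue
		}
		switch s.opts.Multiple {
		case SingleSessionPerUserIP:
			if e.Address != addr {
				return nil, errors.New("already logged on from another address")
			}
			delete(s.sessions, id)
		case SingleSessionPerUser:
			delete(s.sessions, id)
		}
	}
	sess := &Session{ID: newID(), User: user, Address: addr, Created: now}
	s.sessions[sess.ID] = sess
	return sess, nil
}

// CookieMaxAge is the Max-Age to put on the logon cookie. -1 in the UI means a
// session cookie with no Max-Age, which the browser discards when it closes.
func (s *Store) CookieMaxAge() (seconds int, persistent bool) {
	if s.opts.MaxLogonCookieAge < 0 {
		return 0, false
	}
	return int(s.opts.MaxLogonCookieAge / time.Second), true
}

// Validate is the per-request check on the presented cookie. With Verify
// Client Address on, a cookie replayed from a different host is refused.
func (s *Store) Validate(id, addr string, now time.Time) (*Session, error) {
	e, ok := s.sessions[id]
	if !ok {
		return nil, errors.New("unknown session")
	}
	if s.opts.MaxLogonCookieAge >= 0 && now.Sub(e.Created) > s.opts.MaxLogonCookieAge {
		delete(s.sessions, id)
		return nil, errors.New("logon cookie expired")
	}
	if s.opts.VerifyClientAddress && e.Address != addr {
		return nil, errors.New("client address changed since logon")
	}
	return e, nil
}

func main() {
	st := NewStore(SessionOptions{MaxLogonCookieAge: time.Hour, Multiple: SingleSessionPerUserIP, VerifyClientAddress: true})
	sess, _ := st.Logon("alice", "10.0.0.5", time.Now())
	_, err := st.Validate(sess.ID, "10.0.0.9", time.Now())
	fmt.Println("cookie replayed from another host:", err)
	_, err = st.Logon("alice", "10.0.0.9", time.Now())
	fmt.Println("second logon from another host:", err)
}
```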
Confidential Attributes
Confidential attributes are used by the system to store personal information about the user such as security questions which are used during authentication. These options configure how these attributes are encrypted.
Configuration Parameters
Confidential Mode: Determines how the passphrase for the user's private key is established. Attributes are stored encrypted with the user's public key so that they can only be decrypted with the corresponding private key. With Automatic, the passphrase for the private key is the user's account password; if no account password has been provided, the passphrase is prompted for instead. With Prompt, the user is prompted for the passphrase at logon, so the passphrase is independent of the user's password. Disabled prevents the key being used at all, meaning confidential user attributes are stored unencrypted.
Public Key Algorithm: The algorithm used to encrypt confidential user attributes.
Mask Personal Answers: Checking this option hides the user's actual responses behind asterisks.
Bit Length: The bit length of the public/private keys used to encrypt confidential user attributes.
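A working model of the scheme these parameters describe: an attribute encrypted with the user's public key, and the private key wrapped under a key derived from the passphrase, which in Automatic mode is the account password. This is an added example and not SSL-Explorer's implementation; the choice of RSA-OAEP for the attribute, PBKDF2-HMAC-SHA256 with 100000 iterations and AES-256-GCM for the key wrap, the sample security answer and the passphrases are all the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256 for a 32-byte key (one block).
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// ConfidentialStore is one user's key material: public key in the clear, the
// private key (PKCS#1 DER) sealed with AES-256-GCM under the passphrase key.
type ConfidentialStore struct {
	pub         *rsa.PublicKey
	salt, nonce []byte
	wrappedPriv []byte
}

// kek derives the key-encryption key; a 32-byte key cannot make AES or GCM fail.
func kek(pass string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(pass), salt, 100000))
	aead, _ := cipher.NewGCM(block)
	return aead
}

func (s *ConfidentialStore) wrap(priv *rsa.PrivateKey, pass string) {
	s.salt, s.nonce = make([]byte, 16), make([]byte, 12)
	rand.Read(s.salt)
	rand.Read(s.nonce)
	s.wrappedPriv = kek(pass, s.salt).Seal(nil, s.nonce, x509.MarshalPKCS1PrivateKey(priv), nil)
}

func (s *ConfidentialStore) unwrap(pass string) (*rsa.PrivateKey, error) {
	der, err := kek(pass, s.salt).Open(nil, s.nonce, s.wrappedPriv, nil)
	if err != nil {
		return nil, errors.New("wrong passphrase") // GCM tag check failed
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// NewConfidentialStore corresponds to Public Key Algorithm = RSA, Bit Length = bits.
func NewConfidentialStore(bits int, pass string) (*ConfidentialStore, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	s := &ConfidentialStore{pub: &priv.PublicKey}
	s.wrap(priv, pass)
	return s, nil
}

// Seal needs only the public key, so the server can store a new answer without
// the passphrase. RSA-OAEP with SHA-256 holds at most 190 bytes under a 2048-bit
// key; longer attributes would need a symmetric layer.
func (s *ConfidentialStore) Seal(attr []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, attr, nil)
}

// Open needs the passphrase: the account password in Automatic mode, or the
// separate secret typed at logon in Prompt mode.
func (s *ConfidentialStore) Open(pass string, sealed []byte) ([]byte, error) {
	priv, err := s.unwrap(pass)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), nil, priv, sealed, nil)
}

// Rewrap is what a password change has to do in Automatic mode. Without the
// old passphrase (an administrative reset) the attributes cannot be recovered.
func (s *ConfidentialStore) Rewrap(oldPass, newPass string) error {
	priv, err := s.unwrap(oldPass)
	if err != nil {
		return err
	}
	s.wrap(priv, newPass)
	return nil
}

func main() {
	s, _ := NewConfidentialStore(2048, "account-password")
	sealed, _ := s.Seal([]byte("first school: Hogwarts")) // constructed sample answer
	got, err := s.Open("account-password", sealed)
	fmt.Printf("%s %v\n", got, err)
	_, err = s.Open("guess", sealed)
	fmt.Println("wrong passphrase:", err)
}
```

The Rewrap step is the operational consequence of Automatic mode: a password reset performed by an administrator who does not know the old password leaves the wrapped private key, and so every confidential attribute, unreadable, which is one reason to consider Prompt mode where those attributes matter.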
Policy Options
This page refines the access abilities of policies; any policy-related configuration options are maintained here.
Configuration Parameters
Restrict Policies to Assigned Authentication Scheme: This option restricts the available resources to those attached to the policies assigned to the authentication scheme used at logon.
Logon Page
This page defines the logon preferences. All users are affected by the changes made to this page.
Configuration Parameters
Site Name: Defines a specific name for the site; the title specified here is shown when a user is presented with the logon page.
Welcome Text: A custom title for the logon page. Leave this blank to use the default internationalized SSL-Explorer title.
Logo: Setting an image here configures a custom logo for the logon page. Any logon logo image must be placed in [SSL-Explorer_HOME]/conf/site/icons.
Message Type: The type of message icon to show. This icon, together with the following message text, is shown below the logon parameters.
Message Align: Sets the alignment of the message text; the options are justify and center.
Message: The message to display beside the message type icon.
Messaging
SSL-Explorer enables messages to be broadcast to users of the system in a number of ways. This chapter provides some background to messaging and then details the options available through SSL-Explorer. The sections covered are as follows:
Message Queue
What is SMTP?
Messaging Interface
Configuration Parameters
Message Queue
The message configuration page affects the functionality available from the Message Queue page available from Management Console System Message Queue. As the main page below shows this functionality allows a privileged user the ability to create messages and have that message broadcast to all or a select few members of the SSL-Explorer instance principal base.
What is SMTP?
POP3 (Post Office Protocol version 3) is used to transfer email between an email server and a local email client such as Microsoft Outlook. POP3 authenticates the client's credentials to the server and downloads email that has arrived at the server from across the Internet. The POP3 protocol is used when the client retrieves email, as shown in the diagram below.
SMTP (Simple Mail Transfer Protocol) on the other hand is the protocol used for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another. In addition, it is used to deliver email from the email client to the recipient's email server. The email will stay on the recipient's email server until it is explicitly requested to be downloaded by the recipient's email client over the POP3 protocol.
Messaging Interface
The screenshot below shows the available messaging configuration parameters which affect messaging functionality.
With SSL-Explorer Enterprise edition a number of additional messaging related extensions can be uploaded such as the one time password extension; any configurable parameters will be accessible from this menu under an associated tab.
Configuration Parameters
Enable on Startup: When the SSL-Explorer instance is started the email messaging service is available for use; un-checking this option disables message distribution via email when the instance is restarted.
SMTP Server: Messaging is performed in two ways: to active users running the VPN client, and via messages broadcast as emails received in users' email clients. To use the email option the SMTP mail server must be specified here.
Port: The port the server listens on must also be given; by default mail servers listen on port 25.
Login (HELO): HELO is the SMTP HELO command. Some mail servers (usually older servers) do not accept mail before a HELO command is sent, and clients use HELO as the first request in every session. This parameter takes the principal host domain name for the sender, for example domainname.co.uk.
Sender Address: The address the message is sent from; it appears as the sender when the mail is received in the user's mail client.
Note
Clickatell and SMS in Access Control Configuration of Clickatell and SMS can be found in the Access Control guide under the OTP Authentication section.
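The exchange that the SMTP Server, Port, Login (HELO) and Sender Address parameters drive, as an added example that is not SSL-Explorer's messaging code: a net/smtp client that sends the HELO name and envelope sender, plus a constructed loopback relay that records what it received so the result can be checked offline. Host names, addresses and message text are made up. Note that the parameters listed on this page include no authentication or TLS settings, so the relay has to accept unauthenticated mail from the SSL-Explorer host and should be restricted to that host.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/smtp"
	"strings"
)

// MessagingConfig holds the Messaging parameters used when sending.
type MessagingConfig struct {
	SMTPServer string
	Port       int
	HELO       string // Login (HELO): the sending host's domain name
	Sender     string // Sender Address
}

// SendNotification delivers one message-queue notification with the plain
// HELO / MAIL FROM / RCPT TO / DATA exchange; no STARTTLS, no authentication.
func SendNotification(cfg MessagingConfig, to, subject, body string) error {
	if strings.ContainsAny(to+subject, "\r\n") {
		return errors.New("CR or LF in a header field (header injection)")
	}
	c, err := smtp.Dial(fmt.Sprintf("%s:%d", cfg.SMTPServer, cfg.Port))
	if err != nil {
		return err
	}
	defer c.Close()
	if err := c.Hello(cfg.HELO); err != nil { // EHLO, falling back to HELO for old servers
		return err
	}
	if err := c.Mail(cfg.Sender); err != nil {
		return err
	}
	if err := c.Rcpt(to); err != nil {
		return err
	}
	w, err := c.Data() // this writer dot-stuffs body lines that begin with "."
	if err != nil {
		return err
	}
	fmt.Fprintf(w, "From: %s\r\nTo: %s\r\nSubject: %s\r\n\r\n%s\r\n", cfg.Sender, to, subject, body)
	if err := w.Close(); err != nil {
		return err
	}
	return c.Quit()
}

// Transcript is what the constructed loopback relay observed.
type Transcript struct {
	Helo, MailFrom, RcptTo, Data string
	Done                         chan struct{} // closed when the session ends
}

// startFakeRelay is a minimal single-session SMTP server on 127.0.0.1, part of
// this example only, so the exchange can be inspected without a real relay.
func startFakeRelay() (string, int, *Transcript, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", 0, nil, err
	}
	tr := &Transcript{Done: make(chan struct{})}
	go func() {
		defer close(tr.Done)
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		r := bufio.NewReader(conn)
		fmt.Fprint(conn, "220 relay.example ESMTP\r\n")
		var data strings.Builder
		inData := false
		for {
			line, err := r.ReadString('\n')
			if err != nil {
				return
			}
			line = strings.TrimRight(line, "\r\n")
			switch up := strings.ToUpper(line); {
			case inData && line == ".":
				inData, tr.Data = false, data.String()
				fmt.Fprint(conn, "250 queued\r\n")
			case inData:
				data.WriteString(strings.TrimPrefix(line, ".") + "\n") // undo dot-stuffing
			case strings.HasPrefix(up, "EHLO "), strings.HasPrefix(up, "HELO "):
				tr.Helo = line[5:]
				fmt.Fprint(conn, "250 relay.example\r\n")
			case strings.HasPrefix(up, "MAIL FROM:"):
				tr.MailFrom = line[10:]
				fmt.Fprint(conn, "250 OK\r\n")
			case strings.HasPrefix(up, "RCPT TO:"):
				tr.RcptTo = line[8:]
				fmt.Fprint(conn, "250 OK\r\n")
			case up == "DATA":
				inData = true
				fmt.Fprint(conn, "354 end data with <CRLF>.<CRLF>\r\n")
			case up == "QUIT":
				fmt.Fprint(conn, "221 bye\r\n")
				return
			default:
				fmt.Fprint(conn, "500 unsupported\r\n")
			}
		}
	}()
	a := ln.Addr().(*net.TCPAddr)
	return a.IP.String(), a.Port, tr, nil
}

func main() {
	host, port, tr, err := startFakeRelay()
	if err != nil {
		panic(err)
	}
	cfg := MessagingConfig{SMTPServer: host, Port: port, HELO: "domainname.co.uk", Sender: "ssl-explorer@domainname.co.uk"}
	err = SendNotification(cfg, "alice@example.org", "New message", "You have a message waiting.")
	<-tr.Done
	fmt.Printf("send error=%v  HELO=%s  MAIL FROM=%s\n", err, tr.Helo, tr.MailFrom)
}
```

The CR/LF check before dialling matters because the subject and recipient of a queued message come from whoever composes it: a line break in either would let them add headers of their own to the outgoing mail.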
Basic Configuration
This section details the remaining areas listed under the Configuration menu. These items configure features that directly affect user interaction: for example, the Extension Manager allows an administrator to add functionality to the system, which affects what functions become available to users, much as SSL Certificates affect how users are authenticated against the system.
Extension Manager
The chapters that follow detail the remaining functions available under the Configuration header in the Management Console: Extension Manager, SSL-Certificates, Replacements, User Attributes and License Manager. SSL-Explorer is not a static entity but an extensible application that continues to have functionality added, and one of the methods employed to extend it is through extensions: additional applications which can be installed on the SSL-Explorer VPN server to further enhance the usability and experience of SSL-Explorer. This chapter details the extension manager which manages these additional applications; the chapter consists of the following sections:
What are Extensions?
Extension Manager Interface
Install an Extension
Updating an Extension
Removing an Extension
Upload an Extension
Bespoke Application Extensions
By the end of this chapter the user should have a sound knowledge of extensions, the extension manager and know how to install relevant applications and plug-ins required to meet business needs.
services. Examples of these would be SSL-Explorers range of proprietary lightweight remote access applets supporting SSH, RDP, VNC, SFTP and Telnet.
Installation of Extensions
Extension files reside on the 3SP Extension Store a publicly available store accessed from within SSL-Explorer. When an extension is selected for installation the wizard contacts the remote Extension Store and downloads the new extension file. Plug-in extensions require the restart of SSL-Explorer to become active whereas applications generally work instantly once downloaded. The extension itself comes in the form of a zip file and is stored on the SSL-Explorer server locally under <SSLEXPLORER_HOME>/conf/repository/archives, where <SSLEXPLORER_HOME> refers to the SSL-Explorer home directory. The file is unzipped to the applications folder, <SSLEXPLORER_HOME>/webapp/WEB-INF/applications. Each time the server is restarted the system clears the content of the applications folder. The extension is unzipped again from the repository folder and stored back into the applications folder.
Note
Extension files: These files should not be removed, as doing so will affect the running of the SSL-Explorer instance.
Anatomy of an Extension
All the contents of the extension to get it up and running make up the pieces of an extension file. For example the PuTTY plug-in extension consists of the following files: extension.xml putty.exe
The most important file in the package is extension.xml. Not only does it maintain a list of files, it is also used by SSL-Explorer to understand how to run the application and whether any user interaction is required to launch it successfully. The number of additional files varies greatly depending on the complexity of the extension.
Note
Application extension: For application extensions the extension.xml file is replaced by an application.xml file whose purpose is much the same.
The page divides extensions into tabs by type. In addition there are three tabs that provide other information:
Installed: This shows currently installed extensions.
Updateable: Extensions that have a new version available.
Articles: Articles that detail how to set up extensions that cannot be included in the extension store for licensing reasons.
Action Icons
The action icon performs a particular function on the associated extension; available actions for an extension are:
Install extension
Update extension
Remove extension
Install an Extension
Step 1 Any extension that is available for installation will be visible from under the appropriate section tab for example any remote access extensions will be listed as installable from the Remote Access tab, any extensions related to access will be installable from the Access Control tab.
Choose an extension to install. The extension will have the install action icon against it.
Step 2
The system will proceed to download the extension from the extension store and install the application. A progress bar similar to the one below shows the status of the download:
Step 3
Once installed the extension will be available from the Installed tab. If an extension requires a restart of the system the extension will have the inactive icon against it:
Also a restart message will be visible from the Warnings window in the events pane.
Once restarted the active icon will be visible against the extension:
The extension should be accessible from its defined location for example application extensions from the applications menu.
Updating an Extension
Step 1 Any updates to extensions are visible and can be updated from the Updateable tab.
Step 2
Step 3
The system starts to update the extension. A progress bar indicates how long the update will take. If the system requires a restart a warning message will be shown indicating this in the events panel.
Removing an Extension
Step 1 An installed extension can be uninstalled from the Installed tab. Identify the extension to remove; any extension that can be uninstalled has the delete icon against it.
Step 2 Select the associated remove action icon. A warning message is displayed to confirm the removal of the extension.
Step 3 The extension is removed and is added back to the list of available extensions.
Note
Assigned Extensions: Any application extensions assigned through the application shortcut page are also removed from all associated users.
Upload an Extension
Applications not available through the extension store can be uploaded manually. Many applications can be made into an extension and uploaded onto the SSL-Explorer server through this step for use by your users. Plug-in extensions are loaded into the server itself and application extensions are delivered to users' machines, so upload only archives whose origin and contents you have verified.
Step 1 Construct the extension in the appropriate manner. The basic content of an extension consists of the following items:
Extension.xml: Details the parameters required for the application, how to launch it, the required application files, registry information and application execution procedures.
Application files: All files required to execute the application must be collated.
Step 2 This content should be stored in a directory and that directory compressed into a zip file. For more information on constructing your own extensions, refer to the Extensions section of the 3SP Knowledge Base at 3SP.com.
Step 3 To upload the created extension, select Upload Extension from the action pane.
Step 4
Enter the path of the extension zip file for the system to upload.
When the Upload button is pressed the system will upload the extension to the appropriate place depending on the extension type. Plug-ins: These extensions usually require a system restart and will be loaded into the system under the appropriate page for example, if the plug-in is a new authentication method this will be visible within the Authentication Schemes page. Applications: Extensions that are applications will be visible within the Installed tab under extension manager as well as a selectable application within the application shortcut pages.
SSL Certificates
As part of the installation wizard an SSL certificate is configured; this is then used to encrypt communication between server and client. This page enables the management of this and the other types of certificate that SSL-Explorer supports. This chapter details the certificate related actions available to a user, from importing new certificates to purchasing certificates; the following sections are included:
Revisiting Certificates
SSL-Certificates Interface
Creating a CA
Purchasing Certificates
Generating a CSR
Importing a Certificate
Exporting Keys and Certificates
By the end of this chapter the reader should have a sound understanding of certificates and be able to manage certificates used by the SSL-Explorer instance. Further information can be found in SSL-Explorer: Access Control Guide, chapter Authentication Schemes and
Revisiting Certificates
The SSL (Secure Sockets Layer) protocol is the standard method used in securing e-commerce transactions. SSL defines two methods for securing sensitive information during an SSL session they are encryption and authentication.
Encryption
The transmission of data should be secure so that no one else can read what is being sent. Public-key cryptography, the foundation of a Public Key Infrastructure (PKI), makes this possible by encrypting information so that a third party who intercepts it cannot understand it. This topic is explained in greater depth in Appendix I; for brevity only the core concepts are summarized here. An entity creates two keys that are related by a mathematical relationship, but knowing one of the keys does not reveal the other. One key is kept secret (the private key) while the other is made public (the public key). The public key can be used, alongside standard encryption techniques, to encrypt messages that can only be decrypted with the closely guarded private key; in SSL the server's key pair is used in this way to establish the symmetric session keys that then protect the traffic. While encryption is a powerful tool on its own, it is insufficient to give consumers the confidence they need when performing e-commerce transactions.
Authentication
On the internet, data passed between two computers travels via a public network, and anyone with the desire and know-how can potentially read it. A man-in-the-middle (MITM) attack occurs when an attacker positions himself between a victim and a resource, proxying the client's traffic to and from the resource and silently reading it. The victim is unaware that anything is wrong and may even be communicating with the attacker over an encrypted connection, while the attacker sees every transaction and may modify it to his advantage. Encryption alone is therefore not enough: the client must be confident that the data received was sent by the correct web site. Secure internet communication is viable not only because encryption is used, but because the web site with which the encrypted session is established is authenticated. In other words, you can verify that the web site is the one you intended to communicate with, and not an impostor who has launched a MITM attack. A web site is generally authenticated by an X.509 certificate.
SSL-Certificates
In cryptography, X.509 is an ITU-T standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm. An X.509 certificate contains the following information:
Information about the entity that owns the certificate.
The owner's public key.
A signature from a trusted third party (the issuer) confirming that the information inside the certificate has been verified.
Web servers use certificates: To prove their identities to a client browser. To provide a public key to the browser so that it and the server may communicate securely.
X.509 certificates provide a mechanism on which an SSL session can be built. If an X.509 certificate contains the relevant data to create an SSL session, it can be considered an SSL certificate.
Certification Authority
A web server must have a certificate that has been vetted by a trusted third party known as a Certification Authority (CA). The CA confirms the identity of the requester by various means, such as examining business documents, and checks that the requester is entitled to the certificate and that no forgery is taking place. Only if the vetting process confirms the entity's identity does the CA sign the certificate and add its own identity to the issuer field. The CA signs using its private key, so anyone who examines the certificate can be assured that that CA validated the certificate's information.
Since the signing process requires possession of the CAs private key, which is closely guarded, it is not possible for someone to forge. It is relatively easy to create your own certificate that claims to belong to another website. However since a CA relies on public trust, it will not put its reputation on the line by signing a certificate unless sure of its validity.
Trustworthy Certificates
In the same way that I could create a fake web site certificate, e.g. for www.amazon.com, I could also create a CA certificate that claims to be issued by, e.g., VeriSign and sign my fake certificate with it. Would this phony certificate then be accepted by a browser? No: the browser checks the signature with the public key of the VeriSign certificate already in its own trust store, and a signature made with my self-made key does not verify, whatever name the phony CA certificate carries.
SSL-Certificates Interface
The screenshot below shows the main certificates page.
The page displays the certificates held in each keystore. As can be seen above, the keystore pull-down lists the following keystores:
SSL-Explorer Server Certificate: The certificate installed by the SSL-Explorer server for SSL encryption of VPN sessions. Browsers connecting to the instance receive this as proof of the server's identity.
Trusted Server Certificates: Certificates, usually provided beforehand by trusted vendors, of web servers that SSL-Explorer may be expected to connect to. Each contains the public key that lets client and server secure the communication.
Server Authentication: The certificate used when the SSL-Explorer instance, acting as a client, connects to another HTTPS server that requires the client to authenticate with a private key.
Client Certificate Authentication: The certificate used by a client to authenticate itself to SSL-Explorer. SSL-Explorer creates this certificate, containing a private key, which is imported into the browser so that it can authenticate itself to the server.
SSL-Explorer CA: The certificate containing the public key that corresponds to the private key used to sign all client certificates.
Action Icons
The action icons against each certificate perform functions on the associated certificate:
Export certificate
Export key
Certificate Actions
The action panel on the right of the page shows the actions that can be performed:
Import Certificate or Key: Any further additions to the certificate database are imported from this option.
Purchase a Secure Certificate: Buy a discount SSL certificate through 3SP Ltd.
Download CSR: Downloads the Certificate Signing Request for the server SSL certificate currently in use, to be sent to a CA for signing.
Create CA: Create a new authority.
Creating a CA
A Certification Authority is required in order to issue certificates to clients. This process defines SSL-Explorer as the authority that issues and validates the client certificates used to log on to the server. An external authority can also be used; SSL-Explorer then requires the private key part of the certificates issued by that authority to be imported for each client, so that it can identify each client certificate used to log on. A client's private key imported in this way must be protected as carefully as the server's own key, since anyone holding it can log on as that client.
Step 1 From the Action menu select the Create CA action. For a server which already has a CA this action is replaced by Reset CA; the CA does not have to be reinitialized each time.
Step 2 The action loads the Create CA wizard, which guides the user through the steps required to configure a CA for the system. Each certificate created for a user will be issued by this authority.
Step 3 All of the information must be completed, as it is used to create the authority. The stamp of authenticity is based on the content provided here, so correct information should be supplied. The fields and their meaning are:
Common Name: The name by which the certificate is referred to.
Location: Where the authority is based.
Organizational Unit: The department of the authority.
Company: The name of the company or entity to which the certificate is registered.
To protect this information and the subsequently generated private keys the certificate requires an encrypting password.
Step 4
Next, the strength (key size) of the private keys is required. The larger the key size, the stronger the keys.
Step 5
Finally, a summary is shown of the certificate that is about to be created. Pressing the Finish button will create the certificate; otherwise the Previous button will go back through each step and allow amendments to be made. That's it. The newly generated authority will be used to issue all client certificates. This CA can be seen in the SSL-Explorer CA keystore.
Purchasing Certificates
Step 1
The Purchase a Secure Certificate action goes to the SSL Certificate Purchase page at 3SP.com. 3SP Ltd. uses InstantSSL as the certificate provider.
As can be seen below, 3SP.com provides the Super User with a list of certificates to buy.
Step 2
Select the URL. Once the purchase has been successful a URL is sent to the recipient's email address, much like the one below. https://secure.comodo.net/frontpage?reseller=y... Inserting the URL into a browser opens the Certificate Signing Request page from Comodo, as can be seen below:
Before this request can be processed a CSR needs to be generated through SSL-Explorer.
Generating a CSR
Step 1 Select the Download CSR option available in the Action pane.
Note
Convenience with 3SP.com Certificates The generated CSR can be used from any certification authority although 3SP Ltd. provides a more convenient and cost effective means of obtaining discounted certificates in partnership with InstantSSL.
Step 2
The Download CSR action takes the content from the unsigned certificate currently in use by SSL-Explorer and produces a CSR. When ready the system makes the CSR available for download.
The file should be saved.
Remaining Steps
The remaining steps detail how to continue the signing process via a certificate purchased through 3SP.com. If an alternative certification authority was used, please follow their instructions instead.
Note
Step 3
Complete the signing request. Using a standard text editor open the downloaded CSR, copy and then paste the content into the large text box as shown below.
Select Java Web Server as the server software used to generate the CSR and select an appropriate option for the last two questions. Select Next.
Step 4
Complete the remaining details. The registration process reads the unsigned certificate and populates some details itself. The remaining required details must be completed.
Step 5
Once complete, hitting the Next button takes us to the final step in the process: confirmation of details.
From here InstantSSL will validate the authenticity of the CSR. Depending on the type of certificate that was chosen, the time spent by InstantSSL on validating the request will vary. For example, an Intranet SSL Certificate is the quickest to process, usually in under an hour.
Step 6
If successful, InstantSSL will sign the certificate and return a zip file containing the signed certificate and the necessary root certificates, ready to be imported into the system.
Importing a Certificate
Step 1 Select Import Certificate or Key from the Action menu.
Step 2
Next, select the Input Type. SSL-Explorer is able to import several types of certificate or key:
A certificate purchased from 3SP.com: Use this if the certificate has been purchased from 3SP.com. This speeds up the import process by automatically loading all the keys contained within the received zip file.
A reply from a CA: A DER encoded certificate from a vendor other than 3SP Ltd.
A root certificate for your web server's CA: A root certificate to authenticate the issuer of your installed certificate.
A certificate from a server you wish to trust: Add a specific server's signed certificate to the CA certificate trust store to trust the server.
A key for a server that requires client certificate authentication: A private key to perform client authentication on outgoing connections, in either PKCS12 or JKS format.
A CA certificate for verifying Active Directory user certificates: A certificate from a CA used to authenticate Active Directory users.
A certificate you trust for client certificate authentication: Only the Super User can generate internal certificates, use Active Directory certificates or trust a certificate. Importing a certificate through this option will trust a certificate for use with client authentication.
Load the appropriate file.
Step 3
Step 4
The system provides a summary of the action about to be performed; selecting Back will allow the details to be modified.
Once completed successfully the newly imported certificate will be visible from the main SSL certificate page as below.
To export a certificate simply select the export certificate action associated with the certificate.
To export the associated private key, select the export private key action.
Attributes
As with any large user management system, functionality that makes administration easier always helps, and user attributes are no exception to this rule. Their simplicity and global use make this a very powerful piece of functionality. This chapter aims to detail what user attributes are and how to make the best use of them. The sections covered in this chapter are as follows:
What are Attributes?
Attribute Interface
Creating Attributes
Editing an Attribute
Deleting an Attribute
How to use Attributes
By the end of this chapter the reader should have a sound understanding of user attributes and know how best to use them.
Security Questions
One of the default user attributes is placeOfBirth; all users have this attribute stored under the Security Questions tab (User Console > My Account > Personal Details). Each user can populate this attribute with their respective answer, and when the Personal Details authentication module is used at log-on and asks a user for their place of birth, the module merely looks up the value stored under this attribute for the user logging into the system. If the keyed-in value matches the stored placeOfBirth value, authentication is successful. For each user logging in the respective attribute is compared, allowing a single attribute to be used by all users.
Applications
Attributes can be used with application shortcuts; an attribute can be created as below which defines a hostname and a port number.
Here the attribute VNC Server is defined by each user, specifying which server they wish to connect to when using the VNC application shortcut. The VNC application shortcut is configured to use this new attribute:
Whenever the application shortcut is executed, the system takes the current user's vncServer attribute and uses the value as the hostname to connect to. Each user can define their own vncServer attribute to point to whichever server they wish to connect to. Thus for every user the application shortcut works differently, connecting to a different server without any further modification.
Web Forwards
The flexibility of user attributes also means they can be used in web forwards. An example is a web site such as a support site which requires a form to authenticate users.
A standard username attribute cannot be used, as the FORM has a drop-down list for the user as opposed to a text field. So here a user attribute is defined which specifies the associated user's ID. Two new attributes are defined which are confidential to the user only and specify the Username Id for the user and their password.
When the web forward is configured the attributes are added to the authentication parameters.
When the web forward is finally executed the supportId and supportPassword attributes are submitted during authentication to the website. The FORM object takes the supportId and identifies the username, then takes the supportPassword as the associated password. Instantly any user is able to access the support website using their credentials and this single web forward.
Types of Attributes
The examples above all show the use of the user attribute, where the attribute is referenced through the ${attr:attributeName} variable. There is also another attribute type called the policy attribute. Unlike the user attribute, which is assigned to each user, this is assigned to a policy and is referenced by the ${policyAttributes:vncHostname} variable. Policy attributes, once set, apply to all users under the assigned policy. So a resource can be executed under a different policy and have a different value for each policy.
Attribute Interface
The screenshot below shows the user attributes main page, accessible from Management Console > Configuration > User Attributes.
If you hover over an attribute (as with all resources) further information is shown in a pop-up:
Name: Attribute name, referenced wherever the attribute needs to be used
Label: A more readable name for users to know what the attribute is for
Category: Type of attribute and which tab it should be stored under in Personal Details
Visibility: Whether the attribute can be managed by the user, the Super User or both
Actions Icons
The action icon performs a particular function on the associated attribute. Available actions for a user defined attribute are:
Delete User Attribute
Edit User Attribute
Creating Attributes
Step 1 Select Create User Attribute from the action box at the top right of the page.
Step 2
Name: The name by which the system can reference the attribute.
Description: Information about the attribute.
Class: Whether the attribute will be a user or policy based attribute.
o User: User attributes become associated with users. Each user will need the value for this defined, either by themselves or by the super user.
o Policy: This attribute is attributed to a policy instead. The value defined for this will affect all users associated with the policy, so this value only needs to be set once.
Step 3
The attribute must now be defined. The screenshot below shows that an attribute is made up of a number of components.
Type: The type of attribute.
Visibility: The visibility of a user attribute is divided into 4 scopes:
o User or admin, use, view, override: This is the most relaxed level of visibility. Both the Super User and the user can fully manage the attribute.
o User use and view, admin change: Here the user is able to see the attribute and use it where necessary, but cannot change the value associated with the attribute.
o User use, admin view or change: The user is restricted further by only being able to use the attribute, which is managed solely by the Super User.
o User Confidential: The responsibility is reversed; only the user has access to this, and the Super User can neither manage nor even see this attribute.
Label: The name by which users can reference the attribute.
Default Value: The default value; depending on the visibility this value can be altered by the user or the Super User.
Category: The placement holder for the attribute; a new tab under Personal Details (User Console > My Account > Personal Details) is created with this value as its title.
Weight: The order in which it should be placed in the category if there is more than one attribute under the same category. The higher the weight, the lower down the list it will be shown. Weight defaults to 0, placing an attribute at the top of the list.
Validation: The validation class to use. SSL-Explorer comes with a set of default validators for each type of attribute. Some validators come with parameters that can be altered:
o StringValidator: min and max length, trimming of blank spaces, and even regEx patterns can be used
o IntegerValidator: min and max range values can be set
o BooleanValidator: nothing can be defined; the validator checks for true or false only
Note
Providing Specific Validators You can use your own validation class here. Simply create the class, store it in a jar and add this jar file to [SSL-Explorer_HOME]/webapp/WEB-INF/lib.
Type Option: You can also use this parameter to provide specific options to each type of attribute.
o Text: for text attributes this parameter can be used to define the width that gets displayed.
o Checkbox: you can specify a replacement name for the default true and false values.
o Text area: this parameter allows the dimensions of the text area to be specified. Specifying a number such as 30x2 will set the area to be 30 wide by 4 high.
Step 4
Once complete, hitting the Save button will store the attribute and it will be accessible from the user attributes page.
If the attribute is a user attribute and set to be accessible by users, then it will be available under User Console > My Account > Attributes, under the tab titled with the defined category parameter.
If the attribute is a policy attribute then this will be visible under each policy. When editing a policy there will be a tab titled as in the category field or, if this was left blank, the default Attribute tab.
Editing an Attribute
From the user attributes page select the Edit action against the required attribute, the Edit User Attribute Definition page will be shown. From this page the current details stored can be modified.
Deleting an Attribute
The delete action removes a user attribute permanently from the system. Selecting the Delete action against a user attribute will result in a warning message.
Selecting Yes will remove the attribute from the system.
Note
Fixed System Attributes: User attributes created by the system, such as those categorized under Security Questions, are required by the system so cannot be removed nor edited; no available actions are associated with these.
Step 1
The user attribute myNetHome is defined and stored under the Network Places category.
Step 2
As the highlight in the screenshot shows, the path uses the ${attr:myNetHome} variable. When this is executed the system replaces ${attr:myNetHome} with the myNetHome user attribute.
Step 3
Each user defines their Network Home under the user attribute available from the Personal Details page. As the highlight shows, the user attribute is available under the newly available Network Places tab, as defined in the attribute definition page earlier.
That's all there is to it. Every time the network place is launched, the system dynamically takes the value of My Network Home from the logged-in user and replaces the ${attr:myNetHome} parameter in the path. So for each user this will load their respective home share.
Session Variable
Another way to use dynamic parameters in the system is the session variable. The session variable is used mainly when creating extensions, and it allows session information, rather than user attributes, to be used.
With the above example we could also have used session as opposed to the attr variable, like below.
The session variable refers to the values available during the course of the session. So as above the system would replace this with the username being used in the current session. This means that if the user's home share on the network is named the same as the username used to log into SSL-Explorer (as might be the case in an Active Directory environment), then this Network Place will work and the home share of RobertsP would still be loaded. The session variable can also be used to reference the user's password; so for an application shortcut which requires both username and password we could use session:username and session:password. More information on this variable and the parameters that are accessible will be available in later releases of the documentation.
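As an added example (not code from the SSL-Explorer manual or product), the following Go program shows the two mechanisms this chapter describes: the validators applied to an attribute value when it is defined (StringValidator, IntegerValidator, BooleanValidator) and the substitution of ${attr:name}, ${policyAttributes:name} and ${session:name} in a resource path at launch time. The type and field names are hypothetical, and treating an undefined variable as an error rather than an empty string is an assumption, not documented product behaviour.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Validator mirrors the validator classes named on the attribute definition
// page (StringValidator, IntegerValidator, BooleanValidator); the field names
// below are hypothetical, not SSL-Explorer's own.
type Validator interface {
	Validate(value string) error
}

// StringValidator: min and max length, optional trimming, optional pattern.
type StringValidator struct {
	MinLength, MaxLength int
	Trim                 bool
	Pattern              *regexp.Regexp // nil means no pattern check
}

func (v StringValidator) Validate(value string) error {
	if v.Trim {
		value = strings.TrimSpace(value)
	}
	if len(value) < v.MinLength || (v.MaxLength > 0 && len(value) > v.MaxLength) {
		return fmt.Errorf("length %d outside [%d,%d]", len(value), v.MinLength, v.MaxLength)
	}
	if v.Pattern != nil && !v.Pattern.MatchString(value) {
		return fmt.Errorf("%q does not match %s", value, v.Pattern)
	}
	return nil
}

// IntegerValidator: min and max range values.
type IntegerValidator struct{ Min, Max int }

func (v IntegerValidator) Validate(value string) error {
	n, err := strconv.Atoi(strings.TrimSpace(value))
	if err != nil {
		return fmt.Errorf("%q is not an integer", value)
	}
	if n < v.Min || n > v.Max {
		return fmt.Errorf("%d outside [%d,%d]", n, v.Min, v.Max)
	}
	return nil
}

// BooleanValidator: accepts only true or false.
type BooleanValidator struct{}

func (BooleanValidator) Validate(value string) error {
	if value != "true" && value != "false" {
		return fmt.Errorf("%q is not true or false", value)
	}
	return nil
}

// varPattern matches the three variable forms used in the text:
// ${attr:name}, ${policyAttributes:name} and ${session:name}.
var varPattern = regexp.MustCompile(`\$\{(attr|policyAttributes|session):([A-Za-z0-9_]+)\}`)

// Context holds the values available when a resource is launched for a user.
type Context struct {
	UserAttrs   map[string]string // per-user attributes (${attr:...})
	PolicyAttrs map[string]string // per-policy attributes (${policyAttributes:...})
	Session     map[string]string // session values such as username (${session:...})
}

// Resolve substitutes every variable in template. An undefined name is an
// error (assumption) rather than an empty string, so a mistyped attribute
// cannot quietly turn \\fileserver\${attr:myNetHome} into the share root.
func Resolve(template string, ctx Context) (string, error) {
	var firstErr error
	out := varPattern.ReplaceAllStringFunc(template, func(m string) string {
		sub := varPattern.FindStringSubmatch(m)
		src := map[string]map[string]string{
			"attr": ctx.UserAttrs, "policyAttributes": ctx.PolicyAttrs, "session": ctx.Session,
		}[sub[1]]
		if v, ok := src[sub[2]]; ok {
			return v
		}
		if firstErr == nil {
			firstErr = fmt.Errorf("undefined variable %s", m)
		}
		return m
	})
	return out, firstErr
}
```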
License Manager
With SSL-Explorer being an evolving product, each new release brings with it further modules of functionality. In order to use some of these features a valid license must be uploaded into the system. This chapter details the License Manager, which manages licenses in the system. The chapter covers the following sections:
License Manager
License Manager Interface
Uploading a License
Deleting a License
By the end of this chapter the reader should have an understanding of the License Manager and when required be able to use the manager to upload licenses.
License Manager
The only licenses currently required for SSL-Explorer are for the Enterprise Edition of the product. In this scenario, a license is automatically retrieved and uploaded into the License Manager. This license will either be full or temporary for evaluation. In both cases the license and its purpose will be visible from the License Manager. Other than as a visible reminder of loaded licenses, the License Manager only really comes into play in the rare cases where a license has failed to upload automatically. In this situation a warning is relayed to the user stating that they should contact 3SP Ltd. A new license will be sent which can then be uploaded manually through the License Manager.
Actions Icons
The action icon performs a particular function on the associated license. The only available action for an installed license is: Delete License
Uploading a License
Step 1 Select the Upload License action available from the Actions frame on the right of the page.
Step 2
Once selected pressing the Upload button will load the license into the system. The new license will be activated and will be visible from the main License Manager page.
Deleting a License
The Delete action removes a license permanently from the system. Selecting the Delete action against a license will result in the removal of the license from the system. Any functionality associated with the license will no longer be accessible.
Secure Node
The standard communication model for outgoing calls is for SSL-Explorer to simply make a direct connection to the destination host. This paradigm does not suit all business needs. Secure node provides an alternative routing framework. The framework registers interest from external clients and enables them to route information for a particular host instead. This chapter provides further information on this framework and, ultimately, on how a Super User can administer and manage it. The sections covered are:
What is a secure node?
What are Routes
Installing Secure Node Client
Secure Node Interface
Create New Route
Editing a Secure Node
Editing a Route
Deleting a Secure Node
Deleting a Route
This same process can be used to access resources inside the LAN from an SSL-Explorer server residing in a DMZ. In the diagram below SSL-Explorer sits in the DMZ with other internet facing servers. The DMZ is secured from the internet with a firewall which only has port 443 open so that SSL-Explorer is accessible. The link from LAN to DMZ is also secured by a firewall. The administrator creates a resource e.g. a web forward to a CRM system; this requires a connection to the CRM service on the LAN. Instead of opening another port on the firewall between the DMZ and LAN, the administrator can position a secure node on the LAN side with a single port open which the secure node can receive data on.
Visibility
Secure node is not something a user will actually see or select to use; it is a background process that takes over whenever a connection needs to go out of SSL-Explorer to a remote system. If the administrator has routes configured and a secure node installed, the system will take advantage of this and proxy the traffic through the secure node. A user will be unaware that a secure node is proxying his or her traffic. When no secure node is installed, SSL-Explorer will continue to make direct connections to its target host.
Secure node is strictly an administrator feature to help provide assurance of security; its activation affects all resources.
Compatible Resources
Currently not all resources work with secure node; Active Directory, LDAP and nEXT are inappropriate and Network Places is currently incompatible. Those that are currently compatible are as follows:
Web Forwards
Applications
Tunnels
Step 2
Step 3
The client file will need to be saved to an appropriate place. Once done, the extracted file should be executed. Once the wizard has started and the license agreed, a destination folder for the secure node client needs to be specified.
Step 4
The next step is defining the secure node properties:
Host: The host of the SSL-Explorer server to maintain communication with
Port: The listening port of the SSL-Explorer server
Note
Certificates Supported: For tighter security a certificate can be used instead of a simple password.
Username: Username of a user that can access secure node
Certificate: If Certificate has been chosen as the authentication method then this will be accessible. Browse to the appropriate certificate
Password: If Password has been chosen as the authentication method then this will be accessible. Key in the password associated with the user
Confirm Password: Confirmation of the above password
Step 5
Once installed the client needs to be started. This runs as a process, so on Windows you need to start the SSL-Explorer Secure Node service (Control Panel > Administrative Tools > Services).
The secure node service will now be running. If successfully configured the client should successfully register with the SSL-Explorer server and appear in the main secure node page.
As you can see above, SSL-Explorer always comes with a default secure node, which is the standard node all traffic goes through. This is located on the actual instance itself. Below this are all other newly registered secure nodes.
Action Icons
The action icons against each secure node perform functions on the associated secure node; their respective objectives are detailed below:
Delete secure node
Edit secure node details
Authorize secure node (More)
Disable secure node (More)
Step 2
The Create Secure Node wizard will be initiated. The first step in the wizard requires basic information for the route.
Step 3
Host Pattern: The address of the route. Any traffic destined for this host will be proxied through the selected secure node. A secure node doesn't necessarily have to support only one address; a range can be defined, for example if you want this route to be used for all requests in a given domain, *.domain.co.uk would be used.
Port Pattern: Any specific host that should be identified
Use Regex Pattern Match: By checking this, regular expressions can be keyed into the host pattern
Continue if Secure Node is Offline: Selecting this will allow another secure node, which has an equivalent route, to serve the request destined for this route. If there is a selection of routes all with this flag set, the system will search through the list for a route which matches and, if all routes happen to be offline, eventually fall back to the default secure node.
Type: There are two types of secure node, Local and Remote
Local: Connections are established from SSL-Explorer out to the secure node
Remote: Connections are established from the secure node back to SSL-Explorer
Step 4
Secure Node: The secure node which will service this route should be chosen here, from the list of active secure nodes.
Once all the necessary parameters are defined the wizard displays a summary. Selecting Next will finish the creation of the route.
The newly created route will be visible from the main page under the appropriate tab Local Routes or Remote Routes.
Enabling Routes
Even though the route may be assigned to a secure node and the secure node authorized, in order for the route to be used by the secure node the route needs to be enabled. To enable a route, simply go to the appropriate route and choose Enable from the More button.
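The route selection that the wizard fields describe, as an added Go example that is not the product's code: wildcard or regex host patterns, an optional port, the enabled flag, and Continue if Secure Node is Offline with fallback to the default node. Field names are hypothetical, and failing the connection when a matched node is offline without that flag is an assumption the manual does not state.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SecureNode is a registered node; only an online, authorized node carries traffic.
type SecureNode struct {
	Name       string
	Online     bool
	Authorized bool
}

// Route mirrors the fields of the Create Route wizard (names are hypothetical).
type Route struct {
	HostPattern       string // e.g. crm.internal, *.domain.co.uk, or a regex
	PortPattern       string // "" or "*" matches any port (assumption)
	UseRegex          bool   // "Use Regex Pattern Match"
	ContinueIfOffline bool   // "Continue if Secure Node is Offline"
	Enabled           bool   // a route must be enabled before it is used
	Node              *SecureNode
}

// DefaultNode stands for the built-in node on the SSL-Explorer instance itself.
var DefaultNode = &SecureNode{Name: "default", Online: true, Authorized: true}

// wildcardMatch treats '*' as any run of characters, so *.domain.co.uk
// covers every host in that domain but not domain.co.uk itself.
func wildcardMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		idx := strings.Index(s, mid)
		if idx < 0 {
			return false
		}
		s = s[idx+len(mid):]
	}
	return strings.HasSuffix(s, parts[len(parts)-1])
}

func (r Route) matches(host string, port int) bool {
	if r.PortPattern != "" && r.PortPattern != "*" {
		if p, err := strconv.Atoi(r.PortPattern); err != nil || p != port {
			return false
		}
	}
	if r.UseRegex {
		// Anchor the expression so a pattern like "lab" cannot match "lab.other.example".
		re, err := regexp.Compile("^(?:" + r.HostPattern + ")$")
		return err == nil && re.MatchString(host)
	}
	return wildcardMatch(strings.ToLower(r.HostPattern), strings.ToLower(host))
}

// SelectNode returns the secure node that should proxy a connection to host:port.
// Routes are tried in order; a matching route whose node is unavailable either
// passes to the next matching route (ContinueIfOffline) or fails the connection
// (assumed behaviour when the flag is off). With no usable match the default node is used.
func SelectNode(routes []Route, host string, port int) (*SecureNode, error) {
	for _, r := range routes {
		if !r.Enabled || !r.matches(host, port) {
			continue
		}
		if r.Node != nil && r.Node.Online && r.Node.Authorized {
			return r.Node, nil
		}
		if !r.ContinueIfOffline {
			return nil, fmt.Errorf("route %s: its secure node is offline or not authorized", r.HostPattern)
		}
	}
	return DefaultNode, nil
}
```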
Editing a Route
From the appropriate route (local or remote) page select the Edit action against the required route, the Edit Route page will be shown. From this page the current details can be amended.
Selecting Yes will result in the removal of the secure node. The route association will be removed.
Deleting a Route
The Delete action removes a route permanently from the system. Selecting the delete action against a route (from the routes page) will result in a warning message.
Connection Timeout: The maximum wait time before a connection is considered timed-out
Require Authorization on Host Change: This should be set if a secure node needs authorization when its host name has changed
Public key cryptography is used for the encryption/decryption and signing/verification of information. Encrypting information ensures privacy by preventing unintended disclosure; signing messages authenticates the sender of the message and ensures that the message has not been modified since it was sent.
Encryption
In most scenarios the public key infrastructure comprises two key pairs: one pair to encrypt and decrypt messages between two parties and another pair used to authenticate the sender of the message. We first briefly detail how the keys are used to encrypt and decrypt the messages.
Public Key
A sender wishing to send you secure information uses your public key to encrypt the information; since the public key can be made public, it can be distributed amongst all necessary contacts. In normal practice, the information being sent is not encrypted with public/private key algorithms (asymmetric cryptography); instead it is encrypted using a secret key algorithm (symmetric cryptography). Symmetric algorithms are much faster than public/private key algorithms. A random session key is generated and used with the symmetric algorithm to encrypt the information. The public key is still used, however, to encrypt only the session key, and both are sent to the recipient.
Private Key
The recipient takes the public key encrypted information and uses his corresponding private key to decrypt the message. If the data is encrypted, the recipient knows that the data was meant for them, but they cannot be certain whom it is from. As above, in the normal situation the private key is used to decrypt the session key, and that key is then used to decrypt the actual information, rather than the private key decrypting all the information.
Authentication
The PKI method not only provides certainty of data privacy but also assurance that the data has been sent by the person who was meant to send it and that no MITM has occurred. The second key pair ensures authentication of the data.
Private Key
To prove the authenticity of the sender to the recipient, that is, that they are the source of the information, a second private key is used to digitally sign the message (a digital signature). Unlike a typical handwritten signature, this digital signature is different every time it is made. A unique mathematical value, determined by the content of the message, is calculated using a hashing or message authentication algorithm. Using the private key this value is then encrypted, creating a digital signature for the specific message. This encrypted hash value is sent with the message, and the public key can also be sent either as part of the message or in a certificate.
Public Key
The receiver of a digitally signed message uses the correct public key to verify the signature by performing the following steps.
1. The associated public key is used to decrypt the hash value calculated for the information.
2. Using the correct hashing algorithm, the hash of the information is calculated; if certificates have been used the appropriate algorithm will be specified.
3. The two hash values are compared. If the values match, the receiver knows that the person controlling the private key corresponding to the public key sent the information and that the information has not been altered since it was signed.
4. If the public key was sent with a certificate, the certificate is then validated with the CA that issued the certificate to ensure that the certificate has not been falsified and that the identity of the controller of the private key is genuine.
5. Finally, if one is available, the revocation list for the CA is checked to ensure that the certificate has not been revoked, or if it has been revoked, what the date and time of revocation were.
Public keys are stored within digital certificates along with other relevant information (user information, expiration date, usage, who issued the certificate etc.). The CA enters the information contained within the certificate when it is issued and this information cannot be changed. Since the certificate is digitally signed and all the information in it is intended to be publicly available, there is no need to prevent access to reading it, although you should prevent other users from corrupting, deleting or replacing it.
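The encryption and authentication halves described above, as an added Go example that is not from the manual: a random session key encrypts the data with AES-GCM, the recipient's public key wraps only that session key, and a separate signing key pair encrypts the SHA-256 hash so the receiver can carry out steps 1 to 3 of the verification. Signing the ciphertext rather than the plaintext is an assumption made here so that tampering is rejected before any decryption; the certificate and revocation checks of steps 4 and 5 are outside its scope.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels from sender to recipient: the session key wrapped
// with the recipient's encryption public key, the symmetric ciphertext, and
// the hash of that ciphertext encrypted with the sender's signing private key.
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP encrypted to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // the information, AES-256-GCM encrypted
	Signature  []byte // RSA PKCS#1 v1.5 signature over SHA-256(Ciphertext)
}

// Seal encrypts plaintext for recipientPub and signs it with senderSign
// (the sender's second, signing key pair).
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderSign *rsa.PrivateKey) (*Envelope, error) {
	// A random session key encrypts the bulk data with the fast symmetric cipher.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	// Only the short session key goes through the slow asymmetric algorithm.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, key, nil)
	if err != nil {
		return nil, err
	}
	// Hash the message and encrypt the hash with the signing private key;
	// the signature differs for every message because the hash does.
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPKCS1v15(rand.Reader, senderSign, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open runs the receiver's checks: recompute the hash, compare it with the
// hash recovered from the signature via the sender's public key, and only
// then unwrap the session key with the recipient's private key and decrypt.
func Open(env *Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPKCS1v15(senderPub, crypto.SHA256, digest[:], env.Signature); err != nil {
		return nil, errors.New("signature mismatch: altered in transit or not from this sender")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // recipient's encryption pair
	signer, _ := rsa.GenerateKey(rand.Reader, 2048)    // sender's signing pair
	env, err := Seal([]byte("constructed sample message"), &recipient.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	pt, err := Open(env, recipient, &signer.PublicKey)
	fmt.Printf("%s (err=%v)\n", pt, err)
}
```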
Introduction
This chapter covers a little access control theory as well as how SSL-Explorer deals with common challenges. It includes the following sections:
Overview
Access Control Architecture
Flexibility
Overview
SSL-Explorer is a complete SSL VPN solution that provides secure, authenticated and controlled access to enterprise intranets, business applications and internal resources from virtually any modern desktop or notebook device.
At the heart of SSL-Explorer lies its access control engine. This is responsible for the complete management of all users from their initial log-on, right through to their exit from the system. More importantly it secures control of user access to different areas of the internal network. The engine is the key component in verifying a user accessing the system and determining the actions that they may perform. Every action performed within SSL-Explorer is monitored by the access control engine in real-time and, as the diagram depicts, it acts as the guardian of the system.
System of Trust
By considering an SSL VPN solution, you are obviously intent upon allowing remote access to your computer based assets or resources by other individuals or organizations. Some of these individuals you will trust more than others. The concept of trust is a fundamental part of any secure system. As such it is crucial for the security policy to cater for and control how that trust is granted, used and revoked. With trust playing such a significant part in remote access, SSL-Explorer has been designed to allow for either coarse-grained or fine-grained access control. This approach allows SSL-Explorer to mirror more closely the actual trust relationships present in the real world. In conjunction with multi-tiered authentication schemes, SSL-Explorer's security model is much more advanced than those offered by conventional VPN solutions. Both the Community and Enterprise editions of SSL-Explorer are conceptually identical in their approach, although there is a significant difference in the number of authentication modules available between the two editions.
Levels of Trust
Trust is administered in measures - the more trust a user has the more privileges they are granted. Again the opposite is said for someone who has a lesser degree of trust and consequently is given a lesser level of ownership and access.
SSL-Explorer follows this tried and tested pattern. With the access control framework, super users are seen as the most trusted users, seeing as they control the SSL-Explorer instance. Power users are given a lesser measure of control. Finally the standard user has a lesser degree of trust and therefore potentially the least level of access and responsibility.
Resource Access: The intended outcome when implementing an SSL VPN solution is to allow remote access to network-based resources. The number of types of network resource is relatively varied and new methods are likely to appear. Each resource deployed can have very different access requirements, such as read or write permissions. Any resource within the system must be accessible by more than one user if so desired; the system should allow for the sharing of resources.
Resource Distribution: A resource created within the system must be easily made accessible to those users that require it. Assigning resources on a per-user basis should be avoided wherever possible.
Resource Permissions: Resources can have a range of permissions to limit how they may be assigned. When a resource is assigned to a user, the user must be restricted to the set permissions. For example, a super user may create a resource that permits only the creation and assignment of application shortcuts. If this resource is assigned to a user who then attempts to delete an existing application shortcut, the operation will be declined.
In order to resolve the aforementioned issues the access control architecture relies on three key entities:
Principal: The intended consumer of the resources, i.e. a user or a group.
Resource: The networked resource, internal function or property item that the principal wishes to utilize, e.g. a web-forward or the right to manage accounts.
Policy: This is the relationship defined between the principal and resource. It is the component that ensures that only the right people can perform the right action.
Utilizing this methodology, SSL-Explorer is able to maintain robust, secure, and flexible access control architecture.
What is a Resource?
Within SSL-Explorer a resource is defined as an application, utility, data source, or any other privileged ability that when assigned will allow the user to conduct certain tasks. Think of it as the endpoint, or objective that a user wishes to achieve. This could be something as simple as a user accessing their email client to read their mail. In this case, the resource would be the email. Similarly, an intranet website would also be classed as a resource just as a network share would be. All accessible stores of informational value are deemed to be resources under this concept.
What is a Principal?
As already mentioned, the principal simply refers to a user or group of users. The principal entity sits at the other end of the access control chain. The process flow begins with this entity and ends with the resource entity. In SSL-Explorer, these principals are only differentiated by the access rights they are assigned.
What is a Policy?
A policy is the glue by which all principals and resources within SSL-Explorer can cohesively work together. As the diagram below shows, the means by which a principal entity has access to a resource entity is through the policy and the means by which a resource entity becomes accessible is again through the policy.
Policies represent SSL-Explorer's form of trust. A high level of trust equates to a policy of greater flexibility and responsibility, whereas a user with minimal trust may be assigned policies that grant them fewer privileges. A power user of the system manages the SSL-Explorer server and thus must have a higher degree of trust; consequently they are granted a policy that covers a much greater scope of responsibility. The opposite can be said for a standard user, whose policy may only grant the bare essentials required to allow them to perform their duties.
What is Permission?
A permission is a special part of a policy. It adds the final level of control to the access control framework. As we have seen, not only can we control what resources a principal can access, but with this sub-element we can add a lower-level layer to control exactly the functionality a user can perform on any given resource. For example, as the diagram below shows, the policy is associated with a resource but the permissions on the resource only permit the associated principal to use the resource, despite the resource itself supporting further actions such as editing, assigning etc.
With permissions we are able to lock-down control to the actions of the resource itself.
Flexibility
As we have seen, SSL-Explorer offers a great deal of flexibility with its design. This allows it to evolve as its environment changes. Should an organization decide to restructure, SSL-Explorer can easily be altered to reflect those changes. As the user base begins to evolve and expand, the internal representation of the user base can be visualized as a web of policies, interrelated and bound in all directions as depicted in the diagram below.
Creating Accounts
Principals in their basic form refer to the users of the system to whom the services of SSL-Explorer are delivered. Accounts are the means by which a principal is created within the system. An essential process in building a robust and flexible system is defining what your principal base is. This chapter details further what principals are and how SSL-Explorer manages these entities. This chapter includes the following sections:
Principal Types
Super User Account
Account Interface
Create New Account
Editing an Account
Deleting an Account
By the end of this chapter the reader should have a sound understanding of principals and how to model their required principal architecture successfully.
Principal Types
Principals at their lowest level represent a user, a consumer of the system. This is simply a user that will access the system. This can range from a standard remote user accessing the system to carry out their work, to a power user that maintains the system, creates users, organizes access control etc. Principals however go one step further than this definition by incorporating the concept of groups: a collection of users gathered into a single entity due to some similarity. More details on groups can be found in the chapter titled, Creating Groups.
Structured Account Network
A policy structure should be considered before creating any accounts. Categorizing accounts into policies such as Administrators or Guest will encourage a more structured and organized system. This is often imperative as the user base grows. The super user however is not categorized as a standard user; in fact the super user is classified as the administrator of the system only and not as a typical user. The super user exists only to install the instance and perform configuration of the instance; from then on the super user should delegate its responsibilities to other users of the system through access rights (Management Console > Access Control > Access Rights).
Account Interface
The main accounts page provides information on all accounts present within the system.
Action Icons
The action icons against each account perform functions on the associated account; their respective objectives are detailed below:
Delete account
Edit account details
Enable account (only visible if the account is disabled; under More)
Disable account (only visible if the account is enabled; under More)
Unlock account after authentication failure (under More)
Further account-related actions are added to the More... menu as and when new authentication-related extensions are added.
Note
Unsupported Database
Actions such as Create, Edit and Delete will not be accessible if the chosen user database does not support external modification by SSL-Explorer. To make such amendments the super user/administrator must access the user database directly.
Step 7
The page requires certain information to create the user; the fields are detailed below:
Username: This field defines the name to be used to log into the system.
Fullname: The name of the actual user responsible for this account. This name will be visible in the account summary page.
Email: A contactable email address.
Enabled: If checked, once the account has been given a usable policy the account will become active automatically.
Step 8
The created account can be assigned to a group. Enter the group name within the Group Name field and use the Add and Remove buttons to associate the account with the given group. Further information on group selection can be found in the section below titled, Assigning Groups. Select Save to store the newly created account.
Cancellation of Account
Selecting the Cancel button will abandon the account being created. This can be pressed at any time and no account will be added to the system.
Step 9
Note
Step 10 Once the account has been saved the system will ask for a password for the new account.
A new password must be entered. In addition, the Force user to change password at next logon setting ensures that the user makes his or her password secure by forcing them to change it the first time they log on to the system. Selecting Save will save the password against the new account. The newly created account should be visible from the main Accounts page.
Assigning Groups
Groups are loaded by the system from the underlying user database. If the database supports modification of groups then the created account will be able to join a listed group. For more information on which databases support group modification refer to the chapter in this document on Creating Groups. To add a user to a group with a user database that supports group modification, simply enter the name of the group in the Group Name text box and select the Add button. The group will then appear in the Selected Groups list box. If you wish to remove a user from a group, select the group name in the Selected Groups list box. Pressing the Remove button will separate the user from the group, and the name will be removed from the Selected Groups list box. For more information on navigating the wizard refer to the chapter titled, System Navigation.
Editing an Account
From the accounts page select the Edit action against the required account and the Edit Account page will be shown. From this page the current details stored about the account can be modified.
Deleting an Account
The delete action removes a user permanently from the system. Selecting the delete action against an account (from the accounts page) will result in a warning message informing that the user is about to be deleted, as shown below.
Selecting Yes will result in the removal of the account from the system. If this user is associated with any policies these will also be removed along with all other associated links.
Creating Groups
Groups represent the alternative type of principal. Groups offer a more convenient type for larger enterprises with a greater user base. This chapter details what a group represents and how SSL-Explorer utilizes them. The sections included are as follows:
What are Groups?
Groups Interface
Create New Group
Editing a Group
Delete Group
By the end of this chapter the reader should have a sound understanding of groups within SSL-Explorer and how they can be used to provide structure to a user base.
Groups can be manipulated within the system as single entities but remember that all operations on the group will affect all accounts within the group. For example, an SSL tunnel resource can be linked to a single group and instantly every user within that group will be granted access to the attached resource.
Groups Interface
The diagram below lists the default groups.
Action Icon
The action icons perform a particular function on the associated group. Available actions for a group are:
Edit group
Delete group
Step 2
The only detail required is the name of the group. If the supplied name already exists in the system an error message will be raised in the event pane. Once a name has been defined simply add the accounts you wish to include in the group. Selecting Create will generate the group in the system for use. Selecting Cancel will stop this operation. If created the group should now be visible in the Group Page and can be used as any other group to assign accounts and policies to.
Editing a Group
From the group page select the Edit action against the required group and the Edit Account page will be shown. From this page the current details stored about the group can be modified.
Delete Group
Step 1 Step 2 To remove an existing group, select the Delete action associated with the group from the main group page. A warning message will appear similar to the one below.
Creating Policies
Policies are the main building blocks in SSL-Explorer's access control architecture. They form the bond between a principal and a resource. This chapter covers policies, from their purpose and usage to their unique characteristics. The sections covered in this chapter are as follows:
What is a Policy?
Policy Interface
Create Policy
Editing a Policy
Delete Policy
By the end of this chapter the user should have a sound grasp of policy management and should be able to implement a structured policy framework.
What is a Policy?
On its own a policy is of little worth. However, by acting as a middle layer between two entities it becomes a very powerful tool. On one side it is able to organize principals by a common goal or goals, and on the other side it collates resources of a similar purpose. This approach helps provide order in a seemingly unstructured environment.
Principal Pool
A policy does not have to have a resource attached to it instantly. Policies in fact can also be used to simply group together a number of principals. As shown in the Example Policy Structure section, the London Policy is simply a holder of principals.
Stateless
A policy is linked to a resource and a principal. Both the resource and the principal can be attached to any number of policies; there is no such thing as exclusivity. By the same token, any single resource or principal has no knowledge of any other resource or principal attached to the same policy.
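The principal/resource/policy/permission relationships described in the access control chapter (What is a Resource?, What is a Principal?, What is a Policy?, What is Permission?) and the Principal Pool and Stateless properties above can be modelled in a few dozen lines. The following is an added illustration in Python, not SSL-Explorer code; the names (alice, bob, carol, London, Staff, Helpdesk, intranet, shortcuts) and the action names are constructed for the example. It shows a group-based grant, a permission that limits a principal to a subset of a resource's actions (the shortcut example from Resource Permissions), a policy that holds only principals, and one principal belonging to several policies at once.

```python
"""Toy model of SSL-Explorer's access control entities.
Added illustration, not product code: all names below are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str


@dataclass(frozen=True)
class Group:
    name: str
    members: frozenset = frozenset()


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str             # e.g. "web-forward" or "shortcut-admin"
    actions: frozenset    # every action the resource itself supports


@dataclass
class Policy:
    """The bond between principals and resources; resources are optional."""
    name: str
    principals: set = field(default_factory=set)
    grants: dict = field(default_factory=dict)   # resource -> permitted actions

    def attach(self, resource, allowed_actions):
        # A permission can only restrict, never invent, a resource's actions.
        unknown = set(allowed_actions) - resource.actions
        if unknown:
            raise ValueError(f"{resource.name} has no action(s) {sorted(unknown)}")
        self.grants[resource] = frozenset(allowed_actions)


def covers(principal, user):
    """A principal matches a user directly or through group membership."""
    if isinstance(principal, User):
        return principal == user
    return user in principal.members


def is_allowed(policies, user, resource, action):
    """Decision: some policy contains the user AND grants the action on the resource."""
    return any(
        any(covers(p, user) for p in pol.principals)
        and action in pol.grants.get(resource, ())
        for pol in policies
    )


def build_sample():
    """Constructed sample data: two users in a London group, a third outside it."""
    alice, bob, carol = User("alice"), User("bob"), User("carol")
    london = Group("London", frozenset({alice, bob}))
    intranet = Resource("intranet", "web-forward", frozenset({"use"}))
    shortcuts = Resource("shortcuts", "shortcut-admin",
                         frozenset({"create", "assign", "edit", "delete"}))
    staff = Policy("Staff", {london})
    staff.attach(intranet, {"use"})
    helpdesk = Policy("Helpdesk", {bob})
    helpdesk.attach(shortcuts, {"create", "assign"})   # no edit/delete permission
    pool = Policy("London Pool", {london})              # principal pool: no resources
    return [staff, helpdesk, pool], (alice, bob, carol, intranet, shortcuts)


def demo():
    policies, (alice, bob, carol, intranet, shortcuts) = build_sample()
    return {
        "alice_uses_intranet": is_allowed(policies, alice, intranet, "use"),
        "carol_uses_intranet": is_allowed(policies, carol, intranet, "use"),
        "bob_creates_shortcut": is_allowed(policies, bob, shortcuts, "create"),
        "bob_deletes_shortcut": is_allowed(policies, bob, shortcuts, "delete"),
        "alice_creates_shortcut": is_allowed(policies, alice, shortcuts, "create"),
        # a principal may sit in any number of policies (no exclusivity)
        "policies_holding_bob": sorted(
            p.name for p in policies
            if any(covers(pr, bob) for pr in p.principals)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The decision function is deliberately deny-by-default: a user who is in no policy, or whose policy attaches the resource without the requested action, gets nothing. Note that the London Pool policy has no grants at all and never contributes to a decision; it only groups principals, as the Principal Pool section describes.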
Policy Interface
The policy screen displays a summary of available policies in the system.
It is from this screen that we can create, edit or even delete resources.
Action Icons
The action icon performs a particular function on the associated policy. Available actions for a policy are:
Delete policy
Edit policy details
Create Policy
Step 1 Selecting the Create New Policy action from the event pane on the right will start the Create New Policy wizard.
The system loads the Create Policy Wizard, and then the wizard guides the user through the steps required to create a policy successfully. The steps included in the wizard are highlighted in the left navigation pane as shown below.
Step 2
Note
Required Information
Mandatory fields are marked with a red dot. Information must be entered for these fields. The details required are listed below:
Name: This required name will be displayed throughout the system. It will be seen and accessed by those with the right permissions, so a sensible name should be used.
Description: The description field helps to provide further information as to the purpose of the policy. It can be used to detail anything related to the policy and will be visible to others where necessary.
Step 3
As mentioned earlier, a policy binds principals to resources. The next step in the wizard allows the super user to select those principals that will be associated to the new policy.
To add an account simply use the selection buttons: Add to add an account to the Selected Accounts list box, or Remove to remove an account. More details on this selection process can be found in the section titled, System Navigation. If the system's user database supports groups then these too can be added in the same way as accounts. For more information on groups please refer to the chapter titled, Creating Groups.
Principals are Not Mandatory
A policy by default is made up of resource(s) and principal(s), but neither is compulsory. Policies can be created without any principals defined and, if the user so wishes, these can be added later in the Edit Policy page. Policies do not necessarily require resources either: if the need arises, policies may be used for the simple purpose of logically grouping principals together.
Step 4
If any of the details require modification then selecting the Previous button will allow any previous step to be revisited and altered. Once satisfied pressing the Finish button will create the new policy. The new policy will now be accessible from the main Policy page.
Editing a Policy
By selecting the Edit action icon besides the policy of concern (from the policy page) the Edit Policy page will be shown. From this page the current details stored can be modified.
Step 1 Step 2
The tabs at the top of the page group the particular type of information, selecting each tab will allow you to modify the appropriate content. To save any new changes click the Save button at the bottom right of the page. If you wish to discard changes simply select the Cancel button.
Delete Policy
Step 1 Step 2 To remove an existing policy, select the Delete action associated with the policy from the policy page. A warning message will appear similar to the one below.
What is a Resource?
Within SSL-Explorer a resource is defined as an application, utility, data source, or any other privileged ability that when assigned will allow the user to conduct certain tasks. This could be something as simple as a user accessing their email client to read their mail. In this case, the resource would be the email.
The main page, shown above, provides information on the resource permissions currently available.
Action Icons
The action icon performs a particular function on the associated resource permission; available actions are:
Delete resource permission
Edit resource permission
The wizard guides the user through the steps required to create a resource entity in the system.
Step 2
The first step in the wizard is detailing basic information pertaining to the resource to be created.
Note
Required Information
Mandatory fields are marked with a red dot. Information must be entered for these fields. The details required are listed below:
Name: This required name will be displayed throughout the system. It will be seen and accessed by those with the right permissions and therefore a sensible naming convention should be used.
Description: The description field helps to provide further information as to the purpose of the resource. It can be used to detail anything related to the resource and will be visible to others where necessary.
Step 3
Resource permission simply defines what resources a user can access. Within this step the page allows the user to do just that.
Clicking on the down arrow on the Resource type reveals all the available personal resources that can be selected.
The first step is to select a resource from the list. Once a resource has been selected, Add those access rights you wish to provide permission to.
Step 4
As the policy structure states, a resource must belong to a policy. Without a policy the resource cannot be accessed or used. This step in the wizard requires a policy with which the resource is associated.
Available policies are displayed on the left-hand side and selected policies, which will have the resource assigned to them, on the right. To add or remove policies simply highlight the policy in the appropriate box (to add, select policies on the left; to remove, select policies on the right) and use the Add and Remove buttons. Further information on using these buttons can be found in the chapter titled, System Navigation.
Step 5
Before creating the resource the wizard provides a summary.
If you wish to alter any of the details select the Previous button to revisit and alter any steps. Once satisfied pressing the Finish button will create the new resource. The new resource will now be visible and accessible from the main Resource Permissions page.
Step 1 Step 2
The tabs at the top of the page group the particular type of information that can be edited; selecting each tab will allow you to modify the appropriate content. To save any new changes click the Save button at the bottom right of the page. If you wish to discard changes simply select the Cancel button.
Authentication Schemes
Authentication is the means of verifying a user's identity; this can be in the form of a password or a code/key. To allow for greater security SSL-Explorer uses authentication schemes to provide a multi-stage authentication process. This chapter details authentication schemes, their purpose and how to implement a scheme. The topics covered are:
What is an Authentication Scheme?
Authentication Scheme Interface
Creating an Authentication Scheme
Authentication Modules
Password Authentication
Personal Questions Authentication
PIN Authentication
OTP Authentication (using SMS or Email for delivery)
SSL Client Certificate Authentication
Public Key Authentication
IP Authentication
RADIUS Authentication
Remote Client Authentication
By the end of this chapter the reader should have a sound understanding of authentication schemes and how to implement a necessary scheme to meet their requirements.
Once the username has been entered and the Login button selected the next screen in the authentication process is displayed, see below. Each defined scheme is then made available to users at login as shown in the highlighted text below:
Clicking the here hyperlink in the highlighted sentence will load the schemes page as below:
Any defined scheme is selectable and when selected with the Ok button the user is returned back to the logon page with the selected authentication scheme activated.
It is from here one can see the available actions associated with each scheme.
Action Icons
Delete policy
Edit policy details
Enable scheme
Disable scheme
Decrease priority of scheme
Increase priority of scheme
Step 1
From the Authentication Scheme page select the only available action, Create Scheme.
Step 2
This starts the authentication scheme wizard. The first step in the wizard is defining the name of the scheme, its description and its priority. The priority value can be from 1 to 9999 and indicates the order in which a scheme is to be handled. The lower the value, the higher the priority.
Step 3
Next the modules required for the scheme must be chosen. In the left pane all installed authentication modules are listed. Once an appropriate module is found press the Add button and the module will be added to the list on the right. This process should be repeated until all the necessary modules have been added to the Selected Modules pane.
To reorder the modules chosen simply use the Up and Down buttons to adjust the position of a module.
Head Must be a Primary Module
At the top of the Selected Modules window there must be a module which can be a primary module. The system will not allow a scheme to be defined which does not have a primary module at the top of the list.
Step 4
An authentication scheme needs to be attached to a policy. This restricts which users can actually access the scheme.
Step 5
The final step is the summary. The system presents the details provided. If you are happy with the details, pressing the Finish button will result in the creation of the scheme. The scheme will be visible from the main page. However, the authentication scheme itself will not yet be available at logon; the scheme first needs to be enabled. Simply press the Enable action beside the new scheme.
Whereas a disabled scheme will have the disabled icon besides it:
Authentication Modules
As already mentioned, there are differences in the level of control available for the configuration of a module. This section describes each of the modules within SSL-Explorer. There are significant differences between the authentication modules available in the Community and Enterprise editions of SSL-Explorer. These differences are shown in the following table.
Authentication             Community/Enterprise    Type
Password                   Community               Primary/Secondary
Client Certificate         Enterprise              Primary/Secondary
IP                         Enterprise              Primary
Public Key                 Enterprise              Primary/Secondary
PIN Number                 Enterprise              Primary/Secondary
Personal Questions         Community               Secondary
OTP (One Time Password)    Enterprise              Secondary
RADIUS                     Enterprise only         Primary/Secondary
The above table also shows what type an authentication module is. Type defines where the associated module may be placed in the order. A primary module is one capable of accepting a username, and thus modules of this type should be placed first. Any module with the Primary/Secondary type can be placed as a primary module or a secondary module, but any module which is strictly typed as Secondary cannot be placed first in a scheme. The authentication scheme system enforces this by disallowing a secondary-only module to be positioned at the top of the chain. A brief summary of the available modules, as of the release of this document, is given in the following sections.
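The ordering rule above (a secondary-only module can never head a scheme), the edition availability from the table, and the priority range from the Create Scheme wizard (1 to 9999, lower handled first) are small enough to check mechanically. The following is an added example in Python, not SSL-Explorer code; the module table is transcribed from the page, while the scheme names used in the demo are constructed.

```python
"""Validation of an authentication scheme definition against the rules stated
in the manual. Added illustration, not SSL-Explorer code."""

# module name -> (edition it ships with, may it be the primary/head module?)
# Transcribed from the Community/Enterprise table above.
MODULES = {
    "Password":           ("Community",  True),
    "Client Certificate": ("Enterprise", True),
    "IP":                 ("Enterprise", True),
    "Public Key":         ("Enterprise", True),
    "PIN Number":         ("Enterprise", True),
    "Personal Questions": ("Community",  False),   # secondary only
    "OTP":                ("Enterprise", False),   # secondary only
    "RADIUS":             ("Enterprise", True),
}


def validate_scheme(modules, edition="Enterprise"):
    """Return a list of problems with the ordered module list; [] means acceptable."""
    if not modules:
        return ["a scheme needs at least one module"]
    problems = []
    for name in modules:
        if name not in MODULES:
            problems.append(f"unknown module {name!r}")
        elif edition == "Community" and MODULES[name][0] != "Community":
            problems.append(f"{name} is only available in the Enterprise edition")
    head = modules[0]
    if head in MODULES and not MODULES[head][1]:
        # The wizard refuses this: the head must be able to accept a username.
        problems.append(f"{head} is secondary-only and cannot head the scheme")
    return problems


def order_schemes(schemes):
    """schemes: list of (name, priority). Lower priority value is handled first."""
    for name, priority in schemes:
        if not 1 <= priority <= 9999:
            raise ValueError(f"priority of {name!r} must be between 1 and 9999")
    return [name for name, _ in sorted(schemes, key=lambda s: s[1])]


if __name__ == "__main__":
    # Constructed scheme definitions for the demo.
    print(validate_scheme(["Password", "Personal Questions"]))   # []
    print(validate_scheme(["OTP", "Password"]))                   # head problem
    print(validate_scheme(["PIN Number"], edition="Community"))   # edition problem
    print(order_schemes([("Default", 100), ("Two factor", 10)]))
```

The check is intentionally order-sensitive: the same two modules pass or fail depending only on which one is at the head, which is exactly the constraint the wizard enforces.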
Password Authentication
This is the most commonly used authentication scheme. It is the simplest and easiest to configure and is one of the authentication modules that come as part of both the Community and Enterprise editions of SSL-Explorer. In fact it is also part of the default set of authentication schemes configured with a brand new installation. Both the Default scheme and the Password and Personal Details scheme rely on the Password authentication module; the first as a single-module scheme, the second as part of a two-factor scheme. The length, format and expiration of passwords are all configurable; initially these parameters take default values, and whenever the Super User creates an account a password must be attached.
Creating a Password
A password is assigned the first time a user is created. As the screenshot below shows the password can be redefined the first time the user logs into the system by selecting the checkbox.
For further information on creating passwords refer to the chapter titled, Creating Accounts.
Modifying a Password
Once a password has been assigned to the account it can be altered at any time by both the Super User from the Management Console and by the user through the User Console.
Management Console
Step 1
Choose the account you wish to edit from the Accounts page (Access Control > Accounts) by selecting the associated More button.
Step 2
A new set of actions becomes available. Selecting Set Password allows the Super User to change the password for the account.
Step 3
From here a new password can be defined. In addition the checkbox at the bottom can be selected to force the user to change their own password when they next log in.
User Console
This method is used by the user, allowing them to securely modify their own password without any intervention by the Super User.
Step 1
From the My Account section select Change Password.
Step 2
The user is now able to change their password from the Change Password page.
The user is expected to key in the original password as well before the change can occur. By default the system will lock any user that fails authentication after three attempts and again disables any user who has been locked out three times consecutively. These parameters are configurable and are detailed in the section below.
Configuring Passwords
The configuration options can be accessed from System Configuration > Password Options. There are a considerable number of parameters that should be understood, as the Password authentication module is commonly used as the default authentication scheme and tends to be found in most other multi-factor schemes. The configuration parameters are detailed below:
The available options are detailed below.
Max Logon Attempts Before Lock: A value of zero disables this option. The default value is 3 logon attempts; after 3 failed attempts the account is temporarily locked.
Max Locks Attempts before Lock: A value of zero disables this option. The default is 3 temporary locks, after which the account is permanently locked.
Lock Duration: The length of time an account is locked; the default value is 300 seconds.
Password Pattern: The definition of a password, i.e. how passwords for this instance must be constructed. Details on password patterns can be found below.
Password Pattern Description: This description is shown to the user when defining a personal password.
Days before Expiry Warning: The default value is 21 days, after which a warning will be displayed to the user informing them to change their password.
Days before Expiry: The default is 28 days (approximately one month), after which the user will be forced to change their password.
Password Pattern
The structure of an account password is based on regular expressions and defaults to .{5,}, which defines a password of any characters with a minimum length of 5. This expression is detailed in the diagram below:
The password structure check is built around the Java regular expression syntax. Any valid expression will be accepted for validating passwords; examples are given below:
Expression      Meaning
X{n}            X exactly n times
X{n,m}          X between n and m times
[^\s]{n,m}      Any character except white space, with a length between n and m
\w{n,m}         Word characters (letters, digits and underscore), with a length between n and m
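The lockout behaviour described under User Console (three failed attempts lock the account, three consecutive locks disable it), the Password Options defaults listed above and the regular-expression pattern check can be put together in one small model. The following is an added example in Python, not SSL-Explorer code. It assumes the consecutive-lock counter resets on a successful logon (the manual only says "locked out three times consecutively"), and the timeline in the demo is constructed; the patterns shown on the page are used unchanged, since the quantifier and class syntax is the same in Java and Python.

```python
"""Lockout counter, pattern check and expiry warning modelled on the Password
Options above. Added illustration, not SSL-Explorer code."""
import re
from datetime import date, timedelta


class PasswordPolicy:
    # Defaults are the manual's values: .{5,}, 3 attempts, 3 locks,
    # 300 second lock, warn after 21 days, expire after 28 days.
    def __init__(self, pattern=r".{5,}", max_attempts=3, max_locks=3,
                 lock_seconds=300, warn_days=21, expire_days=28):
        self.regex = re.compile(pattern)
        self.max_attempts = max_attempts   # 0 disables temporary locking
        self.max_locks = max_locks         # 0 disables permanent locking
        self.lock_seconds = lock_seconds
        self.warn_days = warn_days
        self.expire_days = expire_days

    def acceptable(self, candidate):
        """The whole password must match the pattern, not merely a prefix of it."""
        return self.regex.fullmatch(candidate) is not None

    def expiry_state(self, set_on, today):
        """'ok', 'warn' (expiry warning shown) or 'expired' (change forced)."""
        age = (today - set_on).days
        if age >= self.expire_days:
            return "expired"
        if age >= self.warn_days:
            return "warn"
        return "ok"


class AccountLock:
    """Failed-logon bookkeeping for one account; times are plain seconds."""
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0          # failures since the last lock or success
        self.locks = 0             # consecutive temporary locks
        self.locked_until = None   # end of the current temporary lock
        self.disabled = False      # permanent lock

    def state(self, now):
        if self.disabled:
            return "disabled"
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        return "open"

    def record_failure(self, now):
        """Apply one failed logon and return the resulting account state."""
        if self.state(now) != "open":
            return self.state(now)          # locked accounts are not counted further
        self.failures += 1
        if self.policy.max_attempts and self.failures >= self.policy.max_attempts:
            self.failures = 0
            self.locks += 1
            if self.policy.max_locks and self.locks >= self.policy.max_locks:
                self.disabled = True        # third consecutive lock: permanent
                return "disabled"
            self.locked_until = now + self.policy.lock_seconds
            return "locked"
        return "open"

    def record_success(self, now):
        """A successful logon on an open account clears both counters (assumption)."""
        if self.state(now) != "open":
            return False
        self.failures = 0
        self.locks = 0
        return True


def lockout_demo(policy=None):
    """Constructed timeline: three bursts of three failures, waiting out each lock."""
    acct = AccountLock(policy or PasswordPolicy())
    trace, now = [], 0
    for _ in range(3):
        for _ in range(3):
            trace.append(acct.record_failure(now))
            now += 1
        trace.append(acct.state(now))         # observed while the lock is in force
        now += acct.policy.lock_seconds       # wait for the temporary lock to end
    return trace


def expiry_demo():
    pol, set_on = PasswordPolicy(), date(2007, 1, 1)
    return [pol.expiry_state(set_on, set_on + timedelta(days=d)) for d in (9, 21, 28)]


if __name__ == "__main__":
    print(lockout_demo())
    print(expiry_demo())
    print(PasswordPolicy(r"[^\s]{8,16}").acceptable("abc defgh"))   # False: contains a space
```

Two details are worth noticing. The pattern is applied with fullmatch, because a search-style match would let "abcde!!!" pass a pattern that was meant to forbid punctuation. And with Max Logon Attempts set to zero the temporary lock is skipped entirely, which also means the permanent lock can never trigger, since it only counts temporary locks.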
These cannot be amended nor can a user add additional question to these.
Configuring Answers
Both the Super User and user are able to configure answers for these questions through the Management Console and User Console respectively, but it mainly falls within the responsibility of the user to provide secure and personal answers to each question, something that they will remember and secure enough so that no other user can guess. The steps involved in configuring these are minimal but have been detailed below nonetheless.
Management Console
The Super User can access the user's personal details and alter these details if so required.
Step 1
From the Accounts page (Access Control > Accounts) select the Edit action against the account to edit.
Step 2
From the Edit Account page select the Security Questions tab.
Step 3
This displays the available personal questions, populated with answers where these have been provided. These can be altered. When satisfied with the changes, pressing the Save button will store the new answers.
User Console
It should be the user's responsibility to manage and update their personal details.
Step 1
Open the Edit Personal Details page from My Account > Personal Details.
Step 2
Select the Security Questions tab.
Once all the answers have been supplied pressing the Save button will store these for use during authentication.
PIN Authentication
PIN authentication is something all users with a bank account will already be familiar with. Again this is a standard authentication module and, much like a password, a user is expected to authenticate themselves with their private number. The PIN itself can be as long or as short as the Super User defines, and alerts to change this value periodically can also be configured. When combined with an Active Directory user database, PIN authentication can prevent the locking of user accounts by dictionary attacks.
Modifying a PIN
Configuration of the PIN value itself can be performed by both the Super User and the user. Like any authentication module, the actions to configure the PIN value are only available once an authentication scheme has been configured which includes the PIN authentication module. Below describes how to configure the PIN as both Super User, through the Management Console, and user, through the User Console.
Management Console
The Super User can alter the PIN value; this is best used at the start to initialize the PIN for a user.
Step 1
From the Accounts page (Access Control > Accounts) select the More button beside the account to edit and select Change PIN.
Step 2
This will bring up the Set PIN page from where the PIN value can be configured.
Once a new PIN has been entered pressing the Save button will store the value.
User Console
The user should manage their PIN value and keep the PIN secure.
Step 1
From the User Console select Change PIN under the My Account section.
Step 2
The Change PIN page should be visible. From here the PIN value can be changed.
As can be seen above, the user must first enter their original PIN. Once the PIN has been altered, pressing the Save button stores the new PIN for use when authenticating.
Configuring PIN
The configuration options can be accessed from System Configuration Security Options PIN. As can be seen below there are a small number of parameters, but they should be used sensibly. For example, a PIN size that is too large will leave users forgetting their PIN and failing authentication. Similarly with the expiration time: a value that is too short could cause users to become too predictable with their new PINs, for example incrementing the value by one upon each successive change.
The available options are detailed below.
PIN Size: The default PIN size is 4 digits; this can be altered with this parameter. Any user authenticating must supply exactly the number of digits defined.
Allows user to set PIN: Checking this switch lets a user define their initial PIN instead of the Super User defining one for them.
Warn Number of Days: The point at which a user is warned that their PIN is about to expire. The default is 21 days: after a PIN has remained unchanged for this long the system warns the user that it will expire.
Expire in number of Days: The number of days a PIN may remain unchanged before it expires. After the default 28 days the PIN is no longer accepted.
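The following is an added example, not code from SSL-Explorer or from this guide, showing how the PIN parameters above combine into one policy check. It uses the defaults stated above (4 digits, warn at 21 days, expire at 28) and adds a rule the guide only warns about, rejecting a new PIN that is the old PIN plus or minus one. That extra rule, the type and function names, and the choice of Go are this example's own assumptions, not product behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"time"
)

// PINPolicy holds the three parameters from the PIN configuration page.
type PINPolicy struct {
	Size       int // exact number of digits a PIN must have (default 4)
	WarnDays   int // days unchanged before the user is warned (default 21)
	ExpireDays int // days unchanged before the PIN is refused (default 28)
}

// DefaultPINPolicy uses the defaults stated in the guide.
var DefaultPINPolicy = PINPolicy{Size: 4, WarnDays: 21, ExpireDays: 28}

// PINStatus is the result of checking how old a PIN is.
type PINStatus int

const (
	PINValid   PINStatus = iota // accept silently
	PINWarn                     // accept, but warn that expiry is near
	PINExpired                  // refuse; the PIN must be changed first
)

// Status classifies a PIN by how long it has gone unchanged at time now.
func (p PINPolicy) Status(lastChanged, now time.Time) PINStatus {
	age := now.Sub(lastChanged)
	day := 24 * time.Hour
	switch {
	case age >= time.Duration(p.ExpireDays)*day:
		return PINExpired
	case age >= time.Duration(p.WarnDays)*day:
		return PINWarn
	default:
		return PINValid
	}
}

// Keyspace is the number of distinct PINs of the configured size. It shows
// why a PIN on its own is a weak secret and needs attempt limiting.
func (p PINPolicy) Keyspace() int {
	n := 1
	for i := 0; i < p.Size; i++ {
		n *= 10
	}
	return n
}

// ValidateFormat enforces "exactly Size decimal digits".
func (p PINPolicy) ValidateFormat(pin string) error {
	if len(pin) != p.Size {
		return fmt.Errorf("PIN must be exactly %d digits", p.Size)
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return errors.New("PIN must contain only digits")
		}
	}
	return nil
}

// ValidateChange applies ValidateFormat and additionally rejects the
// predictable "old PIN plus or minus one" change the guide warns about.
// Assumption: the product does not enforce this rule; it is shown here as
// a policy an administrator might want.
func (p PINPolicy) ValidateChange(oldPIN, newPIN string) error {
	if err := p.ValidateFormat(newPIN); err != nil {
		return err
	}
	if newPIN == oldPIN {
		return errors.New("new PIN must differ from the old PIN")
	}
	oldN, errOld := strconv.Atoi(oldPIN)
	newN, errNew := strconv.Atoi(newPIN)
	if errOld == nil && errNew == nil && (newN == oldN+1 || newN == oldN-1) {
		return errors.New("new PIN must not be the old PIN plus or minus one")
	}
	return nil
}

func main() {
	p := DefaultPINPolicy
	set := time.Date(2007, 5, 1, 0, 0, 0, 0, time.UTC) // constructed sample date
	fmt.Println("keyspace:", p.Keyspace())
	fmt.Println("status after 25 days:", p.Status(set, set.AddDate(0, 0, 25)))
	fmt.Println("change 1234 -> 1235:", p.ValidateChange("1234", "1235"))
}
```

Status is what the logon page would consult to decide between accepting the PIN silently, accepting it with a warning, and refusing it; ValidateChange is what the Change PIN and Set PIN pages would run before saving.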
OTP Authentication
OTP (One Time Password) authentication can be seen as an extension of Password authentication. With Password authentication the configured password is used many times until a defined expiration date is reached and the password has to be changed; the expiration tends to be around a month. With OTP authentication the password can be used once and once only, and its lifetime is measured in minutes rather than days, so even the OTP's existence is short lived.
OTP significantly strengthens the security of a system, but it is recommended that OTP is added to a multi-factor authentication scheme rather than used alone. The main reason is that an OTP is delivered to an external device, either a mobile phone or an email account, both managed by the user and outside the control of SSL-Explorer, and so it may be viewed by unauthorized persons. Currently any SMS or email-enabled device can receive OTPs, meaning that your passwords may be sent by email to your inbox or by text message to your cell phone.
Using OTP consists of the steps highlighted below:
Defining Recipient Details
Configuring Service Provider
Configuring Delivery Method
In addition to all of these, an authentication scheme containing the OTP authentication module must be enabled; without it the OTP options will not be accessible. Once these have been configured the OTP authentication scheme can be enabled. Using OTP authentication is quite simple; the steps below show how.
Step 1 At logon select the OTP scheme.
The primary authentication module is used as usual; you are then asked for the OTP, which will have been sent by email or SMS depending on what has been configured.
Step 2
The system will already have sent an OTP to your cell phone or email, much like the example below.
This should be keyed in. If entered correctly the user is authenticated and given access to the system. If another authentication module follows OTP authentication in the scheme, that module is loaded next and its authentication required. It is as simple as that. The following sections provide details on the configuration points listed earlier; these are required to get the OTP authentication module running correctly.
Management Console
The Super User is able to alter the user's details; however the user should be responsible for managing their own details.
Step 1 Configuration of any personal information by the Super User is done through the Accounts page (Access Control Accounts). Select the edit action against the user that needs to be edited.
Step 2 If the cell phone details need editing select the Contact Info tab, which is visible from the Edit Account page. The new cell phone number can be entered. When complete, selecting the Save button stores the cell phone number. It is this number that the OTP authentication process uses when sending via SMS.
Step 3 If it is the email details that need to be entered then use the Details tab.
The email can be altered and, when complete, pressing the Save button will store the address. It is this address that the OTP authentication process uses when sending via email.
Unchangeable Email for External User Databases Any system which relies on an external user database will be unable to alter the email details, as these are read in from the external database. Modifications will have to be made through the external database's own tools.
User Console
The user should manage their own contact details. The steps below show how the cell phone number can be configured.
Step 1 Select Personal Details from the Navigation Pane on the left (My Account Personal Details). This loads the Edit Personal Details page.
Step 2 From the Edit Personal Details page select the Contact Info tab. From here the cell phone number can be altered.
Once satisfied, the new number can be saved by pressing the Save button. This number will be used by the OTP process.
SMTP Transportation
Email relies on an SMTP mail server, so the corporate email service should be sufficient. The parameters merely provide SSL-Explorer with the details of that server. Note that none of them configures transport encryption, so the OTP travels in clear text between SSL-Explorer and the mail server on this hop; that server should be on the internal network.
Enable on Startup: When the SSL-Explorer instance is started the email messaging service is available to use. Un-checking this option disables message distribution via email once the instance is restarted.
SMTP Server: Messaging is performed in two ways: through active users running the VPN client, and via messages broadcast as emails received by users' email clients. To use the email option the SMTP mail server must be specified here.
Port: The port the SMTP server listens on must also be defined. By default mail servers listen on port 25.
Login (HELO): HELO is the SMTP HELO command. Some mail servers, usually older ones, do not accept mail before an SMTP HELO command has been sent; clients send HELO as the first request of every session. This parameter requires the principal host domain name of the sender, for example domainname.co.uk.
Sender Address: The address that appears as the sender when the mail is received by the user's mail client.
SMS Transportation
SMS configuration is a little more complicated than email. Before any details can be defined for the SMS message itself, the provider details are required: unlike email, SSL-Explorer relies on an external SMS service provider, Clickatell.
Clickatell provides the infrastructure to transport SMS messages generated by SSL-Explorer's OTP module to cell phones, not only locally but around the world.
Step 1 To use SMS a Clickatell credit account needs to be registered. To open an account with Clickatell, click on the warning message in the warning box to the right, as shown below. This takes the user to the Clickatell site for registration.
Step 2
Once an account has been opened Clickatell will provide the information needed to configure SSL-Explorer. Select the Clickatell tab in the Messaging Configuration page (System Configuration Messaging).
The information provided can be used to fill in the above form. Once entered, selecting the Save button stores the Clickatell account information; these parameters are used by the OTP module when sending SMS messages. Step 3 The final step with SMS is the configuration of the SMS message itself. From the Messaging Configuration page (System Configuration Messaging) select the SMS tab.
The parameters should be configured as appropriate. Once satisfied, press the Save button to save the information. The parameters are detailed below.
Number Visibility: Determines whether users can view and modify their own cell phone numbers. If users can modify the number, anyone who obtains a user's primary credentials can redirect that user's OTPs to a phone of their choosing, so consider leaving the number read-only where it is maintained centrally.
Originator: The sender of the SMS message, SSL-Explorer by default. Whenever a password is sent the SMS message will be shown as coming from this sender.
Enable on Startup: Whether the SMS messaging service is started upon server start up. Un-checking this option disables message distribution via SMS once the instance is restarted.
As can be seen above the available delivery options from the OTP configuration page (System Configuration Security Options OTP) are either SMS or EMAIL. If SMS has been configured as the transportation method then SMS should be chosen. If email has been configured as the transportation method then EMAIL should be selected. If however both transportation methods were configured then either can be chosen.
No OTP with Mismatched Delivery Method If the delivery method differs from the configured service provider (SMTP or Clickatell) OTP authentication will not be accessible from the authentication scheme wizard. The delivery method and the configured service provider must match. If there are no configurable details for what has been defined as the delivery method the system will disallow usage of the OTP module.
All the components have now been configured. OTP authentication is ready to be used.
Configuring OTP
The OTP authentication configuration parameters control how the actual message is produced. They work in conjunction with the parameters on the Messaging Configuration pages (System Configuration Messaging) and are accessible from System Configuration Security Options OTP.
A brief description of each parameter follows:
Mode: Whether the one time password is sent to the recipient at logon time or prior to logon.
Method of Delivery: Whether to use SMS or SMTP.
Message Subject: The Subject entry for an email.
Message Text: The SMS text displayed alongside the password; the replacement string %PASS% is replaced by the generated password.
Expired Subject: The subject entry when sending expiry email notifications.
Expired Message: The main body of the expiration notification message.
Password Length: The length of the generated password.
Max Logon Attempts: The number of logon attempts allowed with a one time password.
Password Expires (Hours): Expiration of the one time password in hours. Used when Mode is set to send the password before login and expire. The default is 24 hours, after which the sent password is no longer valid.
Logon Grace (Secs): Expiration of the one time password in seconds. Used when Mode is set to send at logon. The default is 300 seconds, after which the sent password is no longer valid.
Scheduler Period: How often the scheduler runs to evaluate and expire passwords.
Expiry Date Format: The format of the expiry date sent as part of an OTP message. The formats are those defined by the Java SimpleDateFormat class.
Client Certificates
SSL Client Certificate authentication can be seen as the next progression in the authentication modules. It is more secure than the previous ones but requires more configuration. To some degree client certificate authentication is an automatic process requiring minimal interaction from the user: all the user has to do is provide the password for the certificate the first time it is installed, and that is it. Everything else is performed by the browser and server.
Strong Cryptography and the Law This feature requires advanced cryptography software [1] from Sun Microsystems that is not installed with the standard Java JRE/JDK. This software may be subject to restrictions depending on the laws regarding the import/export of cryptographic software in your country and we unfortunately cannot distribute it with the standard SSL-Explorer distribution. Please see our SSL Client Certificates Flash demonstration, which will guide you through the relatively simple installation process.
A certificate is generated and validated before being imported into the client's browser. When this browser connects to SSL-Explorer the two exchange certificates as part of the SSL handshake: the browser presents its certificate and proves possession of the matching private key, and the server, which trusts the authority that issued the certificate, verifies it and grants authentication automatically. Since a unique certificate can be assigned to each user, client certificates provide a very secure means of access. Unlike the previous authentication methods client certificates require a bit more configuring, but once configured they do not have to be configured again. The general process is highlighted below.
Enable Authentication
Creating a CA
Creating Client Certificates
Importing Certificate into Browser
Before all these, however, an authentication scheme must be available which includes client certificates. Once these are all done, using certificates is a simple process. Step 1 All a Super User needs to do is enable the authentication scheme. A user selecting this scheme will cause the browser to authenticate itself with its certificate.
Adding a Primary Authentication Layer The certificate is tied to the browser, which means that anyone using this machine can log into the system as long as they know the certificate password. A primary authentication module, such as password authentication, should be used in conjunction with client certificate authentication to tighten access.
[1] Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0, http://java.sun.com/javase/downloads/index.jsp
Step 2
Once the authentication process begins the Choose a digital certificate dialog appears. Select the certificate you wish to use and press OK, or Cancel if you do not wish to use any.
Step 3
The only item of information required is the password used to encrypt the certificate. Once supplied, the system is able to authenticate the connecting client.
Step 4
If successful, a message like the one below is displayed.
This merely informs the user that they have logged into the system. Selecting Login will either go to the user's main page or load the next authentication module. The next sections detail the configuration steps highlighted above.
Enable Authentication
Even if certificate authentication has already been configured and every client has its certificate, client certificate authentication will not work unless the system has enabled client certificates. In fact, even if a scheme has been configured with client certificate authentication the system will not allow the scheme to run, and a message like the one below is shown if client certificates is selected.
Enabling client certificates is a very simple process.
Step 1 From the Security Options (System Configuration Security Options) menu select the Client Certificates tab.
Step 2 Set the Mode of Operation to Accept Certificates. This is the switch that turns on client certificates.
Step 3 Finally select the Certificate Type you wish to use:
Internal: Internally generated certificates
Active Directory: AD generated certificates
Trusted: Imported certificates
Any: All of the above
Choose the narrowest type that covers your users; Any accepts a certificate from whichever of the three sources it came from.
Once selected press the Ok button and the details will be saved. Client certificate authentication is now enabled and the System is aware of which certificates will be used for authentication.
Creating a CA
A Certificate Authority is required to issue certificates to the clients. This process makes SSL-Explorer the authority that issues and validates the client certificates used to log into the server. An external authority can also be used; SSL-Explorer then needs the certificate (the public half) issued by that authority for each client, so that it can recognize each client certificate presented at login. The private key stays with the user and is imported only into their browser. Further details on this can be found in the section titled Import a Trusted Certificate. Step 3 The SSL Certificate page provides all the required options for this process. From the Action menu at the top right select the Create CA action.
For a server which already has a CA this action is replaced by Reset CA; the CA does not have to be reinitialized each time, and this entire process should only need to be done once. Step 4 This action loads the Create CA wizard, which guides the user through the steps required to configure a CA for the system. Every certificate created for a user will be issued by this authority.
All the information must be completed; it is used to create a valid authority. The stamp of authenticity is based on the content provided here, so correct information should be supplied. The required fields are:
Common Name: The name the certificate should be referred to by.
Location: Where the authority is based.
Organizational Unit: The department of the authority.
Company: The name of the company or entity to which the certificate should be registered.
Step 5
The CA's private key, and the private keys generated from it later, are stored encrypted; the wizard therefore requires an encrypting password.
Step 6
Next the key length is required. The longer the key, the stronger the private keys, at the cost of slower certificate generation.
Step 7
Finally a summary of the certificate about to be created is shown. Pressing the Finish button creates the certificate; the Previous button goes back through the steps and allows amendments. That's it. To see the newly generated authority, which will issue all client certificates from now on, select the SSL-Explorer CA keystore from the top pull-down menu.
The authority will be displayed. The next step now is to create certificates for the users wanting to access the system.
Creating Client Certificates
There are three ways of creating client certificates: Inclusive, Exclusive and Import a Trusted Certificate. The first two use the certificate authority just created, while the last allows the Super User or administrator to use certificates generated by an outside authority. Each is detailed below.
Inclusive
This technique is the simplest way of generating certificates for the SSL-Explorer user population: it generates certificates for every user in one operation. Be warned, though, that certificate creation is computationally expensive and this process can take a long time, especially with many users and a long key length. Unlike the exclusive process detailed next it does not distinguish single users and instead creates a certificate for everyone. This is convenient, but bear in mind that users who do not need a certificate will have one generated anyway, and every such certificate is a credential that has to be distributed or securely discarded. For example, with Active Directory (Active Directory with certificates is detailed in the section titled Using Active Directory Certificates), if the entire directory has been imported into SSL-Explorer, certificates are generated for all users, even objects such as machines. Step 1 From the Accounts page (Access Control Accounts) the Action list provides the Generate Certificate action. This is a very quick way of creating certificates for all the accounts in the user base.
Step 2
Every certificate needs a password to encrypt its contents, and client certificates are no different. As the image below shows, SSL-Explorer allows a user defined password to be keyed in, or a system generated one can be used.
When satisfied with the password, pressing the Create button generates the certificates. Each user has their own certificate, and all of them are compressed into a zip file. Step 3 This zip file should be saved.
Once stored, the Super User must provide each certificate to its respective user, together with the password, which should be passed on separately from the certificate file. From there all that is needed is for the user to import the certificate into their browser; this is detailed shortly. If you are happy with this technique and prefer it to the other two, the remaining two methods can be skipped and you can go directly to the section titled Importing Certificate into Browser.
Exclusive
This method also relies on the previously generated authority, but unlike the inclusive method it produces a certificate for a single user only. An individual user can be picked out and have a certificate generated for them. This avoids the unnecessary certificates of the inclusive method, but covers only one user at a time, so for more users the process must be repeated. It is also simple to execute: Step 1 From the Accounts page (Access Control Accounts) select the More button against the account you wish to create a certificate for. This opens the actions list; choose the Generate Certificate action.
Step 2
Much like the previous method, the system generates the certificate and compresses it into a zip file. This should be sent to the appropriate user, who then imports it into their browser; this is detailed shortly. If you are happy with this technique and prefer it to the other two, the remaining method can be skipped and you can go directly to the section titled Importing Certificate into Browser.
Import a Trusted Certificate
This method lets SSL-Explorer accept a client certificate issued by an outside authority. Step 1 From the SSL Certificate page select the Import Certificate or Key action from the Actions list.
Step 2
This opens the Certificate and Key Import wizard, through which the certificate is imported into the system. Select the A Certificate you trust for client certificate authentication option.
Step 3
The system now needs the certificate file. SSL-Explorer can import X.509 v1, v2 and v3 certificates and PKCS#7 formatted certificate chains consisting of certificates of that type. The data must be provided either in binary (DER) encoding or in printable (Base64) encoding as defined by Internet RFC 1421. Note that it is the certificate, not the private key, that is imported here; the private key remains with the user. Use the Browse button to locate the certificate file.
Once located pressing the Next button will import the file into the system.
That's it. The newly imported certificate is visible from the main SSL Certificate page using the Keystore setting of Client Certificate Authentication, as shown below.
If the issuing authority publishes a revocation list, specify its URL (for example http://dc/CertEnroll/company plc.crl) in the CRLs list box available from System Configuration Security Options Client Certificates. Without it, a certificate that the authority has revoked continues to be accepted until it expires.
Like the other two methods, all that remains is importing the other half of the certificate into the browser. This is explained in the next section.
Importing Certificate into Browser
Step 1 Open the browser's certificate manager and start its import wizard.
Step 2 Trigger the import, locate the certificate file and supply its password. If the correct file and password have been supplied it is simply a matter of telling the browser to accept and import the file.
Step 3 A summary is then shown detailing the file about to be imported and where it will be stored. Pressing Finish completes the process.
Step 4
The newly imported certificate should be visible from the browser's main certificate view, the Certificate Manager window.
Now that the certificate has been imported, all that remains is connecting to SSL-Explorer with client certificate authentication. Browser and server exchange and verify the certificates, and once authenticated a message like the one below appears informing the user that the certificate has been accepted and they have been successfully authenticated by client certificate.
Using Active Directory Certificates
Server-side Configuration
Step 1 The first task is importing the CA certificate that SSL-Explorer will use to verify the client certificates. From the SSL Certificate page (Configuration SSL Certificates) select the Import Certificate or Key action from the Actions list.
Step 2
This starts the Import Wizard. From here the A CA Certificate for verifying Active Directory User Certificates option should be selected.
Step 3
The wizard asks for the certificate file. As per the pre-requisite you should already have a CA certificate file prepared. This should be located using the Browse button.
Step 4
Once found, the system presents a summary of the certificate file about to be imported. If correct, pressing Finish imports the file into the system. If the Active Directory CA publishes a revocation list, specify its URL (for example http://dc/CertEnroll/company plc.crl) in the CRLs list box available from System Configuration Security Options Client Certificates; otherwise a certificate revoked in Active Directory is still accepted until it expires.
That completes the server side of the process. Now all that remains is the client side.
Client-side Configuration
Now that the server end is complete all that remains is the creation of AD client certificates. Installing Windows 2000 Certificate Services adds a virtual directory called CertSrv pointing to %systemroot%\System32\CertSrv. It is this service that clients access to request certificates over an intranet. Each user generates their client certificate from CertSrv by going to the URL http://<Certificate Authority server>/CertSrv. Step 1 From CertSrv select the Request a certificate task.
Step 2
The next step asks for the certificate type; the User Certificate type should be chosen.
Step 3
Lastly, the key length needs to be chosen. As mentioned previously, the longer the key the stronger it is.
Step 4 Unlike the internal Client Certificate option, CertSrv can install the newly created client certificate automatically. Selecting Install this certificate imports the certificate into the user's browser.
This generated certificate is instantly imported into the browser and can be viewed through the standard certificate manager option within your browser. As long as the certificate type has been configured to use Active Directory (Enable Authentication) everything is ready to use. When client certificate authentication is triggered at logon the system and browser will authenticate the client using the Active Directory certificates and Active Directory CA authority configured in this section.
Mode of Operation: There are two modes: Disabled, which turns off the use of certificates, and Accept Certificates, which allows it.
Certificate Type: The type of certificate the system accepts: Internal (certificates generated against the built-in database), Active Directory (certificates issued by the Active Directory CA), Trusted (externally issued certificates imported into the system) or Any (all of the above).
Validity Period: The duration for which generated certificates are valid.
Bit Length: The length of the private key.
CRLs: URLs from which lists of revoked certificates are obtained.
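The following is an added example, not code from SSL-Explorer or from this guide, showing what the server side of client certificate authentication has to check once a browser presents a certificate: the chain to the trusted CA, the validity period, the client-authentication usage, and the revocation list. It builds a CA from the same fields as the Create CA wizard and issues a per-user certificate from it. ECDSA P-256 keys (rather than the Bit Length configured above), the Common Name carrying the SSL-Explorer username, a set of revoked serial numbers standing in for a downloaded CRL, and all names are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CATemplate mirrors the Create CA wizard fields: Common Name, Location,
// Organizational Unit and Company.
func CATemplate(cn, location, ou, company string, now time.Time, validity time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: cn, Locality: []string{location},
			OrganizationalUnit: []string{ou}, Organization: []string{company}},
		NotBefore: now, NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// ClientTemplate is a per-user certificate whose Common Name carries the
// username (assumption: the guide does not say which field maps to the account).
func ClientTemplate(username string, serial int64, now time.Time, validity time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: username},
		NotBefore:    now, NotAfter: now.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// Issue creates a key pair for tmpl and signs the certificate with the
// parent's key; pass a nil parent to self-sign (the CA itself).
func Issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verifier is the server side: the CA it trusts and the serial numbers read
// from the configured CRLs (fetching the CRL itself is not shown).
type Verifier struct {
	roots   *x509.CertPool
	revoked map[string]bool
}

func NewVerifier(ca *x509.Certificate) *Verifier {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Verifier{roots: pool, revoked: map[string]bool{}}
}

// Revoke records a serial number as it would appear in a CRL entry.
func (v *Verifier) Revoke(serial *big.Int) { v.revoked[serial.String()] = true }

// Authenticate checks the chain to the trusted CA, the validity period at
// time now, the client-authentication usage and the revocation list, then
// returns the username the certificate maps to.
func (v *Verifier) Authenticate(c *x509.Certificate, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: v.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return "", err
	}
	if v.revoked[c.SerialNumber.String()] {
		return "", errors.New("certificate has been revoked")
	}
	if c.Subject.CommonName == "" {
		return "", errors.New("certificate has no Common Name to map to an account")
	}
	return c.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, caKey, err := Issue(CATemplate("SSL-Explorer CA", "London", "IT", "Example Ltd", now, 10*365*24*time.Hour), nil, nil)
	if err != nil { panic(err) }
	alice, _, err := Issue(ClientTemplate("alice", 2, now, 365*24*time.Hour), ca, caKey)
	if err != nil { panic(err) }
	v := NewVerifier(ca)
	fmt.Println(v.Authenticate(alice, now))
	v.Revoke(alice.SerialNumber)
	fmt.Println(v.Authenticate(alice, now))
}
```

The revocation check is the step the CRLs setting exists for: without it, a certificate the CA has withdrawn (a lost laptop, a departed employee) still passes the chain and validity checks until its Validity Period runs out.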
Public Key Authentication
If, however, the identity file is stored anywhere else, the system will be unable to locate it; the user will have to use the Use an identity file option and locate the file manually.
If successful, the user is logged into the system, simple as that.
Identity Creation
An identity is the entity which uniquely identifies the user it is associated with. The identity is used to sign the ticket the system produces at logon. To secure the identity further it is highly recommended that, once generated, it is stored on the user's USB key rather than on the machine itself. An identity can be created both by the Super User, from the Management Console, and by the user, from the User Console. This section details both.
Management Console
The Super User can initialize the identity for a user and can subsequently reset it. Depending on the company's strategy the Super User can be responsible for all identity renewals. Step 1 From the Accounts page (Access Control Accounts) press the More button against the user. The action list is shown; select the Set Identity action.
Step 2
The system asks for a passphrase to encrypt the identity. When a passphrase has been supplied, pressing the Generate button creates an identity encrypted by that passphrase.
Step 3
The system provides the identity in a zip file. This should be stored in a secure location and the identity files extracted and given to the appropriate user. It is highly recommended that the user store the identity file on a USB key for greater security. It is this identity that will be used to authenticate the user during public key authentication.
User Console
The user can also configure their own identity; in fact the Super User, by using Reset Identity, can force users to create their own identities. Step 1 The navigation panel on the left shows the actions available to the user. Select the Update Identity action.
Step 2
This takes us to the Update Identity window, from which the user's identity can be updated. As a security measure the user must also provide their account password.
The system requires the new passphrase to be associated with this new identity. Once satisfied, pressing the Generate button creates the new identity file. Step 3 As before the identity is stored within a zip file. This should be stored, the identity file extracted and kept on a USB key. That's all there is to it. When the user next logs into the system, it is this identity the authentication module asks for.
Reset Identity
Here the Super User can force each user to define their own identity when they next log on with public key authentication. Selecting this when a new account is created is a good way to encourage users to configure and manage their identities and other security passwords. Must be Two-Factored Scheme For reset to work correctly, public key authentication must be in a scheme with at least two authentication modules and must not be the primary module, since it is the primary module that proves who is creating the new identity. This action is exclusive to the Super User. Step 1 From the Accounts page (Access Control Accounts) press the More button against the user whose identity you wish to reset. From the action list select the Reset Identity action.
Step 2
The system displays a warning message clarifying the action about to be performed. Pressing Yes continues with the reset. That's all there is to resetting the identity.
Step 3
When the user next logs into the system they are presented with the first authentication method and, if successful, the second method, public key, will not ask for an identity but instead force the user to generate a new one, much as before.
As before, the identity will need to be safely stored on a secure medium such as a USB key. The user is logged into the system and now possesses a new identity, which must be presented the next time they log in.
Allow User to Create Initial Identity: The Super User has the option of creating an identity for each of SSL-Explorer's users from the Edit Accounts page; this option removes that need by making the users themselves create their own identity files at login time. If the user chooses key authentication the system forces the creation of an identity.
Enforce Password Security Policy: Enforce that the passphrase conforms to the password policy under System Configuration Security Options Password Options.
Import Identity
This function allows an already existing key to be imported into SSL-Explorer as a user's public key. The action can be performed by any user who has account editing privileges. When SSL-Explorer looks on a device such as a USB key, it tries to find the public key in a folder called .sslexplorer-ids in the root directory of the device. For the external device to work as required the public key file must always be in this folder, for example E:\.sslexplorer-ids\myPublicKey.pub. Step 1 From the Accounts page (Access Control Accounts) press the More button against the user you wish to import an identity for. From the action list select the Import Identity action.
Step 2
Simply locate the *.pub file that you wish to import using the file system Browse button. Once the file is chosen simply use the Upload button to import the identity.
IP Authentication
IP authentication is the only authentication that requires no input from the user at logon. Since it relies on the IP address of the client machine as opposed to the user, IP authentication is able to determine the validity of a user even before the logon page is displayed. IP authentication ties the user to a specific IP address. During logon, if an endpoint has been configured as denied an error message will be shown in the events pane. The only way to log into the system using the same account is from the attributed IP address.
Creating a Restriction
Once an authentication scheme has been defined with IP authentication, all that you need to do is assign a valid IP address to each user.
Step 1
From the Accounts page edit a user you wish to assign an IP address to.
Step 2
From the Attribute tab enter a valid IP address. This is the IP address that will be checked when the user logs in; if the user and IP do not match, the user cannot log into the system.
To allow a user to log in from any machine, use the default value of *.*.*.*
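The following is an added example, not SSL-Explorer code, showing how a per-user IP attribute such as 192.168.7.* or the default *.*.*.* can be evaluated against the client address before the logon page is shown. The user table is constructed sample data; the wildcard-per-octet pattern format is an assumption based on the default value given above.

```python
"""IP authentication check: does a client address satisfy a user's IP attribute?

Added example, not SSL-Explorer code. Patterns are dotted quads in which any
octet may be '*'; the default '*.*.*.*' matches every IPv4 address. The user
table below is constructed sample data.
"""
import ipaddress


def ip_matches(client_ip, pattern):
    """True if client_ip (an IPv4 address string) satisfies pattern.

    A malformed address or a pattern that is not four octets/wildcards is
    rejected rather than silently treated as a match.
    """
    try:
        ip = ipaddress.IPv4Address(client_ip)
    except ipaddress.AddressValueError:
        return False
    wanted = pattern.strip().split(".")
    if len(wanted) != 4:
        return False
    for octet, want in zip(str(ip).split("."), wanted):
        if want == "*":
            continue
        if not want.isdigit() or not 0 <= int(want) <= 255:
            return False
        if int(want) != int(octet):
            return False
    return True


# Constructed sample of the per-user IP attribute, keyed by username.
USER_IP_RESTRICTIONS = {
    "alice": "10.0.1.25",     # tied to one workstation
    "bob": "192.168.7.*",     # any host on one subnet
    "carol": "*.*.*.*",       # the default: any machine
}


def check_logon(username, client_ip, restrictions=USER_IP_RESTRICTIONS):
    """Decide before the logon page is shown; returns (allowed, event message).

    The message is what belongs in the events pane: which endpoint was denied
    for which account, and what the attribute allowed.
    """
    pattern = restrictions.get(username)
    if pattern is None:
        return False, "no IP restriction defined for user %r" % username
    if ip_matches(client_ip, pattern):
        return True, "endpoint %s accepted for %r (attribute %s)" % (client_ip, username, pattern)
    return False, "endpoint %s denied for %r (attribute %s)" % (client_ip, username, pattern)


if __name__ == "__main__":
    for user, addr in [("alice", "10.0.1.25"), ("bob", "10.0.1.25"), ("carol", "203.0.113.9")]:
        print(user, addr, check_logon(user, addr))
```

An IP address identifies a machine or a NAT gateway, not a person: every user behind the same gateway presents the same address, so the attribute is best combined with a second module in the scheme rather than used on its own.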
RADIUS Authentication
SSL-Explorer Enterprise makes available the RADIUS authentication module, allowing SSL-Explorer to integrate with a corporate RADIUS authentication server. The RADIUS authentication method (Remote Authentication Dial In User Service) is known as an AAA (authentication, authorization and accounting) protocol. It allows a RADIUS server to be queried by SSL-Explorer in order to validate a user's logon request. As the RADIUS server is outside of the control of SSL-Explorer, certain actions such as create or edit will not be available. This also has an effect on how this module is used in an authentication scheme. As a username and password are supplied, it can be used as either a primary or secondary form of authentication. It can also be combined with other modules, but of course care should be taken to ensure that the selected modules within an authentication scheme are compatible. The prerequisite for this authentication method is an operating RADIUS server.
The server must be available and be populated with all users that will be used for authentication; after all, SSL-Explorer is merely interfacing with the results of the server and plays no part in the management of the server content. Once the scheme is activated, all that is required before login can be used is to configure SSL-Explorer to locate the server; configuration information can be found in the section titled Configuring RADIUS. Once everything has been configured properly the user will be able to select RADIUS as the authentication scheme to use.
When the user's authentication details are supplied, SSL-Explorer forwards these to the RADIUS server. The authentication result returned determines whether the user is authenticated into the system or not.
Configuring RADIUS
The configuration parameters are vital to the success of the scheme. If any of these parameters are incorrect SSL-Explorer will be unable to communicate with the RADIUS server, so it is imperative that these are understood and used correctly. The parameters are accessible from System Configuration -> Security Options -> RADIUS as shown below.
The parameters are detailed below.
RADIUS Server: The hostname or IP address of the RADIUS server.
Authentication Port: The port on the RADIUS server used to service authentication queries.
Accounting Port: The port on the RADIUS server pertaining to all accounting traffic.
Shared Secret: If the RADIUS server requires it, enter the RADIUS server's shared password/key here.
Authentication Method: The authentication method to use to communicate with the RADIUS server itself.
Time Out: The number of seconds to wait for a response from the RADIUS server before failing.
Authentication Retries: The number of authentication attempts allowed before the account is locked out.
RADIUS Attributes: Special attributes to be sent to the RADIUS server as part of the authentication process.
Username Case: Define what case is sent to the RADIUS server.
Expect Challenge: Expect an initial challenge from the RADIUS server (i.e. the user does not provide a password prior to the first RADIUS Access request).
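To make the role of the Shared Secret and the Authentication Method concrete, here is an added example (not SSL-Explorer or RADIUS server code) of a PAP Access-Request and its Access-Accept/Reject reply as defined in RFC 2865, run entirely in memory. The in-memory server, its user table and the shared secrets are constructed; the identifier value 7 and the NAS-Identifier string are arbitrary. It shows how the shared secret hides the password in transit and, on the way back, how the client checks the Response Authenticator so that a reply built with the wrong secret (or a forged Access-Accept) is rejected.

```python
"""RADIUS PAP Access-Request / Access-Accept round trip (RFC 2865) in pure Python.

Added example, not SSL-Explorer code. The user table, shared secrets and the
in-memory server are constructed so the exchange runs offline.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def _pap_transform(data, secret, authenticator, decrypt=False):
    """RFC 2865 s5.2 password hiding: each 16-byte block is XORed with
    MD5(secret + previous cipher block); the first block uses the Request
    Authenticator. The same routine hides and reveals, differing only in
    which block is chained."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ k for x, k in zip(block, keystream))
        out += result
        prev = block if decrypt else result  # chain on the cipher block in both directions
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16
    return _pap_transform(padded, secret, authenticator)


def reveal_password(hidden, secret, authenticator):
    return _pap_transform(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def attribute(atype, value):
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(raw):
    attrs, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        atype, alen = raw[i], raw[i + 1]
        if alen < 2 or i + alen > len(raw):
            raise ValueError("malformed attribute length")
        attrs[atype] = raw[i + 2:i + alen]
        i += alen
    return attrs


def build_access_request(identifier, username, password, secret, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, b"ssl-explorer"))  # constructed NAS name
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def build_reply(code, identifier, request_authenticator, secret, attrs=b""):
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def reply_is_authentic(reply, request_authenticator, secret):
    """Client-side check that the reply came from a party holding the shared
    secret and answers *this* request; a forged Access-Accept fails here."""
    if len(reply) < 20 or HEADER.unpack(reply[:4])[2] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


USERS = {"alice": b"correct horse"}  # constructed stand-in for the RADIUS server's user store


def radius_server(request, secret):
    """Minimal server: decode the request, check the PAP password, answer Accept/Reject."""
    code, ident, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        return None
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in USERS and hmac.compare_digest(password, USERS[user])
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret)


def authenticate(username, password, client_secret, server_secret=None):
    """Client flow: True only for an Access-Accept whose authenticator verifies
    under the client's shared secret, so a mismatched secret fails closed."""
    server_secret = client_secret if server_secret is None else server_secret
    request_auth = os.urandom(16)
    request = build_access_request(7, username, password, client_secret, request_auth)
    reply = radius_server(request, server_secret)
    if reply is None or not reply_is_authentic(reply, request_auth, client_secret):
        return False
    return HEADER.unpack(reply[:4])[0] == ACCESS_ACCEPT
```

Two practical points follow from the code: a wrong or mistyped Shared Secret does not produce a clear error, it simply yields garbage on the server side and an unverifiable reply on the client side, which is why the manual stresses getting the parameters right; and because both the password hiding and the Response Authenticator rest on MD5 with the shared secret, the secret should be long and random and the RADIUS traffic kept on a protected network segment.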
WebDAV
WebDAV is a set of extensions to the HTTP protocol which allow users to collaboratively edit and manage files on remote web servers. WebDAV enables clients on PCs or Macs to access files and folders on a server in much the same way as on the desktop, while actually residing on a remote server being accessed over the Internet.
As the diagram above shows, in order to access remote files across the Internet the desktop must be running a WebDAV client such as Windows Explorer. The remote location must be running a WebDAV server to make the remote directories accessible, and as the diagram depicts, SSL-Explorer runs its own WebDAV server so directories on the remote machine can be accessed through SSL-Explorer. The WebDAV authentication scheme, when enabled, allows external applications to access the WebDAV server using username and password authentication regardless of which schemes SSL-Explorer has configured. If this is disabled then WebDAV resources may only be accessed when launched directly from SSL-Explorer's Network Places page. Any shortcuts created on the user's Windows desktop or in Windows Control Panel Network Places will not work.
Embedded Client
The Embedded VPN client is a Java API provided by 3SP Ltd. which gives external applications the ability to create secure tunnels to hosts protected by SSL-Explorer. This allows an external application to bypass the general interface processing of SSL-Explorer and tunnel through SSL-Explorer to the remote servers for secure communication. Similarly to WebDAV, the authentication scheme allows access to SSL-Explorer resources through the embedded client using username and password regardless of what SSL-Explorer has configured as its authentication schemes. If this is disabled then clients connecting in through the embedded client API will not be able to access any resources through SSL-Explorer.
In order to set up SSL-Explorer to use the SafeNet iKey 2032 for authentication, we need to do the following things, some of which have already been covered in previous chapters. Please follow the links to sections that cover the tasks in more detail.
Configure SSL client certificate authentication in SSL-Explorer
Create SSL client certificates to authenticate your users. Either:
o Generate SSL client certificates for your users using the built-in SSL-Explorer CA, or:
o Import existing SSL client certificates purchased from an existing CA
Configure an authentication scheme that uses SSL client certificates
Import these certificates into each device using the CIP Utilities software
Issue devices to your users
You will be prompted for a *.p12 file. This refers to the format of the certificate file that is generated by SSL-Explorer. Select the relevant certificate for this users key and select OK.
You will then be prompted to enter the password for the certificate; this is the password that was set when the certificates were generated in SSL-Explorer. Once the correct password has been entered, the certificate is imported and you can view its details in the right hand column.
You will next want to right-click on the certificate and choose copy certificate to the system. This will copy the certificate to the Windows Certificate Store, but this is useless without the corresponding private key which always remains on the USB device.
And that's the key configured. Since SSL-Explorer knows which certificate to associate with each user, we should now be able to try connecting using our new SSL Client Certificate scheme. You will notice that you are prompted by the browser to select an SSL client certificate to present to SSL-Explorer.
As an additional step of the authentication process, you will be prompted by the CIP Utilities software to enter your iKey passphrase in addition to this.
The first thing you will probably want to do is set a password on your devices. The standard password set on factory initialized devices is 0123456789. Hit change password and set the password to something more secure. A password complexity meter is provided to give you an indicator of how secure your password is. As is often the case, a combination of uppercase letters, numerals and punctuation marks help to create stronger passwords.
Next you will need to import the SSL client certificate onto the device. On the certificates & keys tab, select Import Certificate and then choose Import Certificate from File.
Select the P12 file and open it. You will then be prompted for the passphrase.
When the passphrase is entered successfully, the certificate is imported onto the device.
And that's it. The device has been configured with the key, and now all that remains to be done is to test that the authentication process works with SSL-Explorer. Try connecting to your SSL-Explorer VPN server.
When you try connecting to the VPN server, you will be prompted to select the certificate you wish to present to the SSL-Explorer server.
Select the appropriate certificate and hit OK. You will then be prompted to provide the eToken passphrase that you set in eToken Properties.
Optionally you may wish to: Synchronize your Authentication Managers accounts database with your Active Directory domain controller
RADIUS Properties
RADIUS Server: Enter the IP address of the RSA Authentication Manager RADIUS server.
Authentication Port: This is the port the RADIUS server is listening on for authentication requests.
Account Port: This is the port the RADIUS server is listening on for accounting requests.
Shared Secret: This is a password that requires setting on both SSL-Explorer and the Authentication Manager.
Authentication Method: This should be set to PAP (Password Authentication Protocol) unless otherwise instructed.
Time out: Seconds to wait for a response from the server before timing out upon authentication.
Authentication Retries: Number of times to reattempt a timed-out authentication request.
Next, you will need to browse to Access Control -> Authentication Schemes and configure a new authentication scheme that includes RADIUS authentication. Create a new scheme similar to the one below.
Next you will need to assign authentication methods to the scheme. Add Password and also add RADIUS to create a scheme with Password authentication as the primary method and RADIUS as the secondary method. Click Next.
Next choose the policies to assign this authentication scheme to. For the purposes of this example, we'll use the Everyone policy to assign it to all users.
Review your settings and click Finish to create the new policy.
Select Add Agent Host from the Agent Host menu. You will need to enter the values for your SSL-Explorer VPN server, such as its network address. Set all other parameters as follows:
That's it.
You will now need to add a new RADIUS client: select the RADIUS Clients node and select Add from the toolbar. Fill out the dialog as follows and click OK.
Your server is now added as a RADIUS client and can talk to RSA Authentication Manager.
Now you will need to assign imported tokens to your users. Locate your user from User -> Edit User and choose the Assign Token button.
Choose select token from list. The Select Token dialog is displayed.
Click OK and the user will be assigned the RSA key fob.
The second stage prompts you for a password; this is the password to the user database you have currently configured, e.g. Active Directory.
If the password was accepted, the second password prompt will be shown. This prompt asks for the OTP displayed on the key fob. If you configured the key fob with a PIN, e.g. 4567, you will need to enter this followed by the SecurID token code displayed on the device. For example, if the device displays 441370 and your PIN is 4567, you should enter 4567441370 in this field. If you do not have a PIN, simply enter the code displayed on the device.
When successfully authenticated, you will be presented with the Favorites page!
We will configure a synchronization that will retrieve all LDAP objects with a class of user from an organizational unit within the LDAP schema named Employees. You will need to enter information similar to the following. This job is set to run every minute just so that we can quickly see whether the values we have entered are correct.
Click OK, and wait a minute for the job to be run. Go back to your list of LDAP synchronizations and you should see a status message similar to 10 User(s) Updated; as in the picture below, our users have been imported successfully.
And that's Active Directory configured. Your users can now be assigned tokens in the normal way in Authentication Manager. You'll most likely now want to set up Active Directory authentication within SSL-Explorer to take advantage of the centralized account management that this approach offers. You can find more information on this in SSL-Explorer: Getting Started Guide under the chapter Data Management.
Enter the relevant properties for the RADIUS server on your network and click OK.
The VACMAN Server service may need to restart and you might need to log onto the server again. Once this is complete the new RADIUS server details are listed under the RADIUS Server node.
The new user dialog appears. Enter the relevant details and click Create.
An import dialog will appear. You will now need to import the Digipass import file (a *.dpx file) for the relevant keys.
Click Import All Applications to import all records. You can alternatively pick just the relevant applications you wish to import by selecting Import Selected Applications. Click Close when done. The import proceeds and you will see the imported tokens in the Digipass item list.
Enter the username in the User ID field and click the Find button to search for the user.
Select the relevant username and click OK. The user will be assigned the Digipass token.
The second stage prompts you for a password; this is the password to the user database you have currently configured, e.g. Active Directory.
If the password was accepted, the second password prompt will be shown. This prompt asks for the OTP displayed on the key fob. If you configured the key fob with a PIN, e.g. 4567, you will need to enter this followed by the token code displayed on the device. For example, if the device displays 157252 and your PIN is 4567, you should enter 4567157252 in this field.
When successfully authenticated, you will be presented with the Favorites page.
SafeWord Configuration
SSL-Explorer can be configured to authenticate to a SafeWord server using the RADIUS feature of the product. Note that SafeWord requires an Active Directory database and Internet Authentication Server (IAS) installed on the Domain Controller. To configure SafeWord authentication with SSL-Explorer you will need to do the following:
Install and configure the SafeWord Server
Configure IAS
Create an Authentication Scheme that uses RADIUS authentication as one of the authentication stages
Test the authentication process
Installing SafeWord
Start the setup from the CD.
Click Yes to get the latest updates if required, which will then download.
Enter the serial number and click OK. More files will download from the update server and the installation starts.
Click Next.
Click Yes.
Click Next.
Click the top option, then Next. Visual C++ redistributable installs and more update files are downloaded.
Safeword Server and Active Directory Management Console should already be ticked. Scroll down and tick IAS (RADIUS) Agent. Click Next.
Click Next.
Click Next. More updates are downloaded and the files start installing. This can take a while.
Change the ports if required and enter the Encryption and Signing keys. Click Next.
Confirm the domain or re-enter the domain if incorrect. Click Next. More files will install.
Click Yes.
Click Finish.
Configuring SafeWord
Start Active Directory Users and Computers.
Expand the domain; you should see a Safeword folder. Click on this.
Enter an administration password to be used with Safeword and click OK. A web page will also appear asking for a new password for the User Center.
Enter a new password and click Submit. Back in AD Users and Computers, click on Import/Backup/Restore under Safeword.
Click Browse under Import Tokens, browse to the import file on the CD provided with the tokens. Click Import.
You should now have tokens listed in the Tokens section. Now we can assign tokens to users.
Bring up the properties screen for a user you want to assign a token to and select the Safeword tab. Enter the token serial number and an optional PIN code if you want to use one. Click Apply, and the lower part of the properties page becomes active. You can choose here to enter a passcode from the token to test that it is working OK. If this test fails, try again. If it still fails, you should be able to fix it by clicking Re-Sync.
While in the user properties, go to the Dial-in tab and tick Allow Access under Remote Access Permission.
Configuring IAS
Start the Internet Authentication Service management console and create a new RADIUS client that points to your test client.
For the client Vendor, choose RADIUS standard and enter a shared secret.
Enter the server name, port 1812 and the secret key. Enter the username to test against and the passcode generated by the token (followed by the PIN if that option was set). Click Send and if working, you should see an Access-Accept response.
Configuring SSL-Explorer
Go back to IAS and create a RADIUS client that points to the SSL-Explorer server address.
In SSL-Explorer, go to System Configuration->Security Options and click the RADIUS tab. Enter the IAS server address, shared secret. Set the Authentication Method to CHAP and click OK.
Go to Authentication Schemes and create a new Scheme. Give it a meaningful name such as RADIUS or Safeword. Select Password (primary) and RADIUS (primary) to set Safeword as a 2-layer authentication (you could choose RADIUS on its own if required; just note that if SSL-Explorer requires the user's password for anything, it will prompt for it).
Move the RADIUS scheme to the top if this is to be the default scheme. Now test the login via SSL-Explorer, which should now work.
Resource Management
Resources are the key entities that a user of the system will interact with. Without them, a user has no means of using or gaining any benefit from the system; it is the resources that provide the value in an SSL VPN. This section covers the basics of resources: what they are, how they are used and finally what types are available.
Introduction
Sections covered in this chapter are as follows:
What are Resources?
Resource Wizards
Available Resources
Some resources, such as Network Places, allow a user to interact with shares on the network. Other resources, such as Web Forwards, allow users to interact with company intranet websites. Each resource provides a different way to access and interact with the remote network, from running remote applications to creating secure VPN tunnels. It is the Super User's responsibility to create these resources and provide a secure working environment for the remote user population. Without the right configuration of resources, accessing areas of the corporate network remotely would be at the least difficult and in the worst case impossible. The Super User is also responsible for the management and configuration of resources. As the corporate network evolves, so too must the resources which access the network. As further company security policies are put in place, not only must the network change to suit but so too must the SSL-Explorer resources.
The user console is the page from which users are able to access these resources. Resources are listed under the Resources bar to the left of the page and can also be added to a user's Favorites page. Administering resources, however, is done through the Management Console.
Resource Wizards
Every resource is created through an intuitive wizard. The wizard directs the Super User in defining the appropriate steps in the correct order. As the screenshot below shows, the navigation pane highlights all the necessary steps to complete the action.
Some of these steps can be skipped and then redefined as required through the Edit Resource pages later. Also any step can be re-attempted by simply clicking on the appropriate step in the Navigation Pane.
Available Resources
SSL-Explorer defines a number of resources; each provides a specific function in interacting with the instance and the corporate network. The resources that can be used are listed below:
Web Forward: Provides secure intranet and internet access
Network Place: Provides network file system access
Application: Deployment and execution of Java applications
SSL-Tunnel: Configure SSL tunnels for special tasks such as remote support
Profile: User environment configuration
Network Extension: A virtual network adaptor that provides secure access into the SSL-Explorer network
Each chapter is dedicated to one of these resources covering everything from creating to managing the resource.
Executing a Resource
All executable resources follow a similar set of steps when being executed; these are detailed below.
Step 1
From the user console find the resource to execute. Against this resource will be the execute button.
Step 2
When pressed, the execute button needs a policy in which the resource should be executed. The execute button lists all the policies the resource is connected to; selecting one will execute the resource using any policy attributes associated with the chosen policy. If the resource page is set to show icons as opposed to listing resources, the user will see something similar to the image below.
To execute a resource simply press the correct icon. The resource will execute in the first policy the user has been assigned to, usually Everyone.
Step 3
The resource should now execute, opening the required window if necessary.
SSL-Explorer Agent
Many commonly used applications, from email clients to CVS clients, typically operate using unsecured protocols to facilitate the exchange of data. To the casual home user this is usually not a worry, though to the corporate user this is a critical vulnerability and one that leaves a business open to all manner of threats, from password sniffing to full-blown industrial espionage. Thankfully, with modern encryption protocols like SSL, data from these applications can be tunnelled inside SSL packets. In the case of SSL-Explorer, this is achieved through the use of the SSL-Explorer Agent, a small program that intercepts data transmitted by the insecure application, encrypts that data and transmits the secure form over the wire. At the receiving end the SSL-Explorer server decrypts this data and forwards it to the appropriate destination within the trusted network. With SSL-Explorer, you have the ability to lock down your network, leaving just a single port open on your firewall. Most traffic that would normally operate on other ports can be tunnelled through the HTTPS port 443 into your network. The sections covered in this chapter are:
What is the SSL-Explorer Agent?
Starting the SSL-Explorer Agent
Stopping the SSL-Explorer Agent
Executing Resources from Agent
Precautions
It is important to remember that the agent will provide a secure tunnel into your network until it is closed or times out due to inactivity. Your users must make sure that they log-off from their SSL-Explorer sessions. It is not wise to allow such a session to remain open and unattended even for a short period of time. The agent will timeout any tunnel that is inactive for a configurable period of time.
This instructs the client to start the agent. A warning message will be displayed as below.
The next set of dialogs are security warnings verifying the client and the agent itself. These warnings should be accepted.
Step 1
Once all the security messages have passed the agent will be started and, if communication with the server is successful, the agent will be ready. The agent icon in the top navigation bar will change colour, much like the image below.
In addition a pop up will appear by the taskbar and an agent icon will be visible from the taskbar itself.
A final reminder that the agent is up and running successfully will be in the form of information in the event pane.
Any resources relying on the agent will only execute once the agent is active.
This will stop the agent. It will also change the agent icon back to indicate that it is inactive as shown below.
By opening the Tunnel Monitor one can view any tunnels that are created through the life of the agent and, if so wished, kill any running tunnels.
Web Forwards
Web forwards provide a secure way of remotely accessing a company's intranet resources and as such are an essential tool in helping reduce the risk of unauthorized access to the corporate network. This chapter covers all the essentials to allow a super user to manage these resources, from what a web forward is and how they work to managing them. Web forwards come in three types, tunneled, reverse and replacement; this chapter details each and when best to use each type. The sections covered in this chapter are:
What is a Web Forward?
Technical Overview
Web Forward Interface
Creating a new Web Forward
Editing a Web Forward
Deleting a Web Forward
Outlook Web Access and Mail Check
By the end of this chapter the reader should have a good understanding of web forwards and how to use them.
Technical Overview
SSL-Explorer provides three ways in which a web forward can be created; these are:
Tunneled: Suitable for static intranets
Replacement proxy: Suitable for web applications which use absolute URLs with minimal JavaScript
Reverse proxy: Suitable for web applications which use relative URLs and tend to be more complex than those for replacement proxy
secure. So for example a web application that opens up various pages or goes off to various other sites will continue to be processed by the forward.
Reverse Proxy
Reverse proxy, like replacement, does not rely on the SSL-Explorer agent, and again despite this the communication link remains encrypted between the browser and SSL-Explorer. Unlike replacement web forwards, the content is not altered from the moment it leaves the client to the response that is received; SSL-Explorer acts as a reverse proxy server for the target client. Unfortunately, if the target site has links to other sites and those links are selected, those pages will not be secured.
The main page details which policy a web forward is associated with, the type of the web forward and the category of the web forward. Only those web forwards associated with a user's policy are visible from the user console under User Console -> Resources -> Web Forwards.
Action Icons
The action icons against each web forward perform functions on the associated web forward; their respective purposes are detailed below:
Delete web forward
Edit web forward details
Execute resource (User Console)
Step 2
Step 3
Once selected the web forward wizard will open. All web forwards follow the same wizard process as below.
Step 4
The first step in the wizard is to provide details of the resource itself, the name and description of the resource.
The final web forward can be set as a favorite resource, which will make this resource accessible from the Favorites page.
Step 5
The second step defines the resource itself. For each web forward the required content differs. These are detailed below.
The wizard provides a mechanism to use built-in system parameters; these are detailed a little more in the Create Replacement Proxy step next. Once done, pressing the Next button will take you to the next step in the wizard, which is detailed in step 6 below.
Destination URL: The URL of the site you wish to access.
Encoding: This overrides the encoding of the HTTP response; this should be left as default unless otherwise informed by 3SP support.
Restrict to hosts: This restricts what hostnames the user can access. Any user accessing the site can access only the URL hostname and any hostnames listed in this box. If the list is empty then no restrictions apply; if the hostname specified is the hostname of the URL then users cannot access any pages located outside of that hostname.
Note
Replacement Variables: The ${} icon indicates that replacement variables can be included in the resource definition. Clicking this icon loads the available variables that can be used. The session variables are values taken from the current session. The attr variables are values taken from user-defined attributes.
Authentication
Replacement and reverse proxy web forwards can not only access a site or an application but can also authenticate the user accessing it. When the web forward connects to the URL, the additional information provided here is passed to the site, automatically authenticating the user. Depending on the authentication type you select in the dropdown, the appropriate parameters are listed.
The wizard provides two types of authentication FORM and HTML authentication.
Form Type: The type of form authentication to use; in most circumstances POST will be used to post the parameters listed in the Form Parameters box to the site. NONE disables form authentication and relies on HTML authentication only.
Form Parameters: Specific form parameters for authentication should be provided here. These parameters map to the parameters on the form. In the example above, pre, ixPerson and sPassword are all form parameters for this application. During authentication these will be passed into the form with the provided values. As sPassword=${session:password} shows, replacement parameters can also be used; here a session parameter supplies the form's password field. The ixPerson parameter is the index into the form's username dropdown list: 6 is the index of the given username, so when executed the form will look up username 6 from the dropdown list.
Preferred scheme: The type of HTML authentication to be used: BASIC, NTLM, DIGEST or NONE.
Username: The authenticating username for HTML authentication; each scheme uses this value in different ways.
Password: The associated password.
Whichever authentication method the site requires, those details will be passed forward. Once completed, pressing the Next button will proceed to the next step in the wizard; this is detailed in step 6 below.
Destination URL: The URL of the site you wish to access.
Paths: Each additional path that needs to be proxied is added here. Web applications such as Outlook Web Access require more paths than the one in the target URL; in the example above the OWA web forward sets a target of http://mail.server.co.uk/exchange and then adds two further paths, /exchange and /exchweb. To deal with this, you add each path that should be proxied to this field. This would then proxy any URLs that begin with http://mail.server.co.uk/exchange and http://mail.server.co.uk/exchweb.
Encoding: This overrides the encoding of the HTTP response; this should be left as default unless otherwise informed by 3SP support.
Active DNS: This enables sites that are at the root of a server to be used by the web forward; as mentioned in the accompanying note, sites at root generally cannot be used by the reverse proxy web forward. Enabling this parameter is not enough: a wildcard entry on your network's DNS server must be configured so that any lookups for active*.3sp.co.uk point to the SSL-Explorer server. When the web forward is launched a fake hostname prefixed by active and suffixed by 3sp.co.uk is generated (e.g. active32432432424.3sp.co.uk) and used by the client browser to access the reverse proxy. SSL-Explorer is able to see this hostname and use the number embedded in it to look up the associated web forward. More information can be found in the 3SP knowledge base.
Host Header: This is another method used by the reverse proxy engine to determine whether a site should be proxied. A specific hostname can be set for a site; this requires that the hostname defined resolves to the SSL-Explorer server. The browser will be redirected from the standard SSL-Explorer URI to this host header. More information can be found in the 3SP knowledge base.
Note
No Target Site at Root of Server: Ordinarily, target sites you wish to use with the reverse proxy cannot be at the root of their server; e.g. http://www.example.com is invalid whereas http://www.example.com/salesportal would be acceptable. Active DNS can be used to override this restriction.
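Both the Active DNS and Host Header mechanisms described above choose which web forward to proxy from the hostname the browser sends, so that hostname has to be validated strictly before it is used as a lookup key: the reverse proxy must only honour a label of the exact form active<digits> directly under the wildcard zone, and an explicit host header must match exactly. The Python below is an added example written for this guide, not SSL-Explorer's own code. The active prefix, the 3sp.co.uk suffix and the sample hostname come from the text; the web forward ids, target URLs and host header table are constructed sample data.

```python
import re
from typing import Optional

# Values from the guide: the wildcard zone that must point at the SSL-Explorer
# server, and the prefix of the generated hostname (e.g. active32432432424.3sp.co.uk).
ACTIVE_DNS_PREFIX = "active"
ACTIVE_DNS_SUFFIX = ".3sp.co.uk"

# Constructed sample data (hypothetical ids and targets, not from the guide).
WEB_FORWARDS_BY_ID = {
    32432432424: "http://mail.server.co.uk/exchange",
    7: "http://www.example.com/salesportal",
}
# Constructed: explicit Host Header entries; each hostname resolves to SSL-Explorer.
WEB_FORWARDS_BY_HOST_HEADER = {
    "owa.vpn.example.com": "http://mail.server.co.uk/exchange",
}

# A hostname is lowercase letters, digits, dots and hyphens only; anything else
# (spaces, slashes, angle brackets) is rejected before it reaches a lookup.
_HOSTNAME_RE = re.compile(r"[a-z0-9.-]+")
# The generated label is the prefix followed by digits only, nothing else.
_ACTIVE_LABEL_RE = re.compile(re.escape(ACTIVE_DNS_PREFIX) + r"(\d{1,19})")


def normalise_host(host_header: str) -> Optional[str]:
    """Strip a port suffix and trailing dot, lowercase, and reject malformed hosts."""
    host = host_header.strip().lower()
    if host.startswith("["):  # a bracketed IPv6 literal can never be a web forward host
        return None
    host = host.split(":", 1)[0].rstrip(".")
    if not host or not _HOSTNAME_RE.fullmatch(host):
        return None
    return host


def active_dns_forward_id(host: str) -> Optional[int]:
    """Return the web forward id embedded in an Active DNS hostname, or None.

    Only 'active<digits>' directly under the wildcard zone is accepted, so
    'evil.active7.3sp.co.uk' and 'active7.3sp.co.uk.attacker.example' both fail.
    """
    if not host.endswith(ACTIVE_DNS_SUFFIX):
        return None
    label = host[: -len(ACTIVE_DNS_SUFFIX)]
    match = _ACTIVE_LABEL_RE.fullmatch(label)
    return int(match.group(1)) if match else None


def resolve_web_forward(host_header: str) -> Optional[str]:
    """Map the browser's Host header to a web forward target, or None if nothing matches."""
    host = normalise_host(host_header)
    if host is None:
        return None
    # Explicit Host Header entries are matched exactly; no suffix or prefix matching.
    if host in WEB_FORWARDS_BY_HOST_HEADER:
        return WEB_FORWARDS_BY_HOST_HEADER[host]
    forward_id = active_dns_forward_id(host)
    if forward_id is None:
        return None
    # An unknown id means the DNS wildcard matched but no such web forward exists.
    return WEB_FORWARDS_BY_ID.get(forward_id)


if __name__ == "__main__":
    for header in ("active32432432424.3sp.co.uk", "active7.3sp.co.uk:443",
                   "evil.active7.3sp.co.uk", "active7.3sp.co.uk.attacker.example",
                   "OWA.vpn.example.com", "bad host"):
        print(f"{header!r:45} -> {resolve_web_forward(header)}")
```

The wildcard DNS entry means any name under active*.3sp.co.uk reaches the server, so the server side, not DNS, is where the shape of the label is enforced; the lookup returns None for anything that is not a plain digit-only label, and a caller should treat None as "do not proxy" rather than falling back to a default site.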
Authentication
Replacements and the reverse proxy can not only access a site or an application but can also authenticate the user accessing it. When the web forward connects to the URL, the additional information provided here is passed to the site, automatically authenticating the user. Depending on the authentication type you select in the dropdown, the appropriate parameters are listed.
The wizard provides two types of authentication: FORM and HTML authentication.
Form Type: The type of form authentication to use. In most circumstances POST will be used to post the parameters listed in the Form Parameters box to the site. NONE disables form authentication and relies on HTML authentication only.
Form Parameter: Specific form parameters for authentication should be provided here. These parameters map to the parameters on the form; in the example above pre, ixPerson and sPassword are all form parameters for this application. During authentication these will be passed into the form with the provided values. As sPassword=${session:password} shows, replacement parameters can also be used; here a session parameter supplies the form's password field. The ixPerson parameter is the index into the form's username dropdown list: 6 is the index of the given username, so when executed the form will look up username 6 from the dropdown list.
Preferred scheme: The type of HTML authentication to be used: BASIC, NTLM, DIGEST or NONE.
Username: The authenticating username for HTML authentication; each scheme uses this value in different ways.
Password: The associated password.
Whichever authentication method the site's server requires, those details will be passed forward. Once completed, pressing the Next button will proceed to the next step in the wizard, detailed in step 6 below.
Step 6
Once the web forward has been successfully configured the next step is the assignment of the resource to a policy. The appropriate policy should be added to the Selected Policies box.
Step 7
In the final step the wizard presents a summary of the web forward.
Pressing the Finish button will end the wizard and create the web forward. This newly created web forward will be visible from the main web forwards page and executable by those in the assigned policy. That's all there is to it.
Selecting Yes will result in the removal of the resource from the system. If this web forward is associated with any policies this link will also be removed along with all other associated links.
Clicking the refresh button also instantly checks the mail account and provides an instant update of its status, and clicking the mailbox itself will open a new window to the mail account. Configuration of this relies on a web forward. The following provides basic steps on how to configure the mail check feature.
Step 1
Install the SSL-Explorer Mail Check extension from the Extension Manager. Further instructions on installing extensions can be found in the SSL-Explorer: Configuration Guide.
Step 2
Create a web forward that connects to the mail server and check that it works correctly. In the screenshot below I have created an Outlook Web Access (OWA) web forward. No username or password has been specified in the configuration. When I execute this I am prompted for authentication.
Step 3
Configure the mail check configuration parameters from Management Console > System Configuration > Messaging > Mail Check.
In the screenshot I have specified the OWA web forward that I configured in step 2. The mail check feature requires this to access the mail server. The mail protocol and the hostname of the mail server have also been specified. Further information on these parameters can be found in the SSL-Explorer: Configuration Guide under System Configuration.
Step 4
The final step involves the configuration of personal details for each user from the user console. For each user the mail check tab becomes accessible from User Console > Personal Details > Mail Check.
The Mail Check extension will automatically try to log on to the mail server with the current user's SSL-Explorer credentials. If these are different, then each user needs to provide their mail authentication details on this screen. In addition the default mail folder (e.g. inbox) can be specified if needed.
Active Directory Accounts Auto Configured: If the system has been configured to use Active Directory and the mail accounts also use the same Active Directory authentication credentials, the mail check extension will automatically use the user's Active Directory credentials to authenticate the user's mail account. There is then no need for users to provide authentication details in the mail check tab under personal details.
Note
The mail check feature uses the web forward and the details defined in the mail check configuration page to connect to the mail server. It is from here that it takes the individual user's authentication details to connect to their account and retrieve mail details.
Step 5
Once all the user details have been provided the user should log back into the system. The mailbox icon will be visible in the top right of the main window. Clicking on the mailbox will open a window to the user's mail account without the need for authentication.
Network Places
Network places are another vital tool for defending against unwarranted access to the corporate network. Configuring a network place within SSL-Explorer allows a user to securely access the company network without compromising the integrity of the network. This chapter covers the basics of network places and moves right through to managing these resources. The sections covered in this chapter are:
What is a Network Place?
Network Places Interface
Creating a new Network Place
Editing a Network Place
Deleting a Network Place
Web Folders
Windows Access
Enterprise Drive Mapping
By the end of this chapter the reader should have a firm grasp of network places and how best to use them, in particular how a simple network forward can be integrated into a user's familiar Windows environment.
Web Folders
Web Folders is a web authoring component that is included with Internet Explorer 5. It enables the management of files on a WebDAV server using the familiar Windows Explorer or My Computer interface. WebDAV is a protocol that extends HTTP to define how basic file functions such as copy, move, delete and create folder are performed over the internet. Using a WebDAV client such as Web Folders, a remote user can access the company network through the standard Windows Explorer interface without actually needing to log into SSL-Explorer. SSL-Explorer has an inbuilt WebDAV server which provides WebDAV clients secure access to the required file systems.
The main page details which policy a network place is associated with and the available actions associated with each. Only those network places associated with a user's policy are visible from the user console under User Console > Resources > Network Places.
Action Icons
The action icons against each network place perform functions on the associated network place; their respective objectives are detailed below:
Delete network place
Edit network place details
Execute resource (user console)
Step 2
The first step in the wizard as with any resource is the name and the description of the required resource. This will be displayed on the main network places page.
This particular resource can be added to the favorites page if so desired for ease of access.
Step 3
The next step requires the definition of the URL alongside any additional parameters.
Selecting the Type
This can be one of the following:
Windows Network: Windows source anywhere on a visible network
Local File: Source connected to the client machine
FTP: FTP filesystem
SFTP: SFTP filesystem
Jar Archive: A jar file. When executed, network places opens up a window into the extracted Jar
Tar Archive: A Tar file. When executed, network places opens up a window into the extracted Tar
Zip Archive: A zip file. When executed, network places opens up a window into the extracted zip
Automatic: This allows the user to type in a single URL for any type of filesystem and it will connect to the right type of system. For example, all the following URLs can be used:
o SMB share: smb://[username:password@]server/share
o SMB share: \\server\share
o Local share: file://<path> (for Windows use forward slashes)
o Local share: <path> (for Windows use forward slashes)
o FTP share: ftp://username:password@server[:port]/folder
o FTP share: ftp://server/folder
Step 4
Depending on the type chosen, a list of parameters is shown and needs completing.
Host: Hostname of the source filesystem
Port: Port of the source filesystem
Path: Specific path that needs to be accessed on the host
Note
Replacement Variables: The ${} icon indicates that replacement variables can be included in the resource definition. Clicking this icon loads the available variables that can be used. The session variables are values taken from the current session. The args variables are values taken from user-defined attributes.
Username: Username if the location is protected. If this is to be used by all users then replacement variables such as ${session:username} should be used. For more information on attributes and replacement variables refer to the User Attributes chapter in SSL-Explorer: Configuration Guide.
Password: Password for the username
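The form parameters of a web forward (sPassword=${session:password} in the authentication step earlier) and the username of a network place (${session:username} here) rely on the same replacement variable syntax, with session values taken from the current login and args values from user-defined attributes. The Python below is an added example of how such expansion can be implemented safely; it is written for this guide and is not SSL-Explorer's own code. The form parameter names pre, ixPerson and sPassword are the ones from the web forward example, while the value login for pre, the session and attribute values and the share URL are constructed.

```python
import re
from typing import Dict, Mapping
from urllib.parse import urlencode

# Only the two scopes the guide documents are expanded: session values come
# from the current login, args values from user-defined attributes.
_VARIABLE_RE = re.compile(r"\$\{(session|args):([A-Za-z0-9_.-]+)\}")
# Session values that must never appear in logs or error messages.
_SECRET_SESSION_KEYS = frozenset({"password"})


class UnknownVariable(KeyError):
    """Raised when a template references a variable the session or args lack."""


def expand(template: str, session: Mapping[str, str], args: Mapping[str, str]) -> str:
    """Replace ${session:name} and ${args:name} with their values.

    A missing variable is an error rather than an empty string, so a typo in a
    resource definition cannot silently send a blank username or password.
    Text in any other scope (e.g. ${env:HOME}) is left exactly as written.
    """
    def substitute(match):
        scope, name = match.group(1), match.group(2)
        source = session if scope == "session" else args
        if name not in source:
            raise UnknownVariable(f"{scope}:{name}")
        return str(source[name])

    return _VARIABLE_RE.sub(substitute, template)


def expand_for_log(template: str, session: Mapping[str, str], args: Mapping[str, str]) -> str:
    """Expand a template for display or logging, masking secret session values."""
    masked = {key: ("***" if key in _SECRET_SESSION_KEYS else value)
              for key, value in session.items()}
    return expand(template, masked, args)


def is_resolvable(template: str, session: Mapping[str, str], args: Mapping[str, str]) -> bool:
    """True when every variable in the template can be supplied for this user."""
    try:
        expand(template, session, args)
        return True
    except UnknownVariable:
        return False


def build_form_body(form_parameters: Dict[str, str], session: Mapping[str, str],
                    args: Mapping[str, str]) -> str:
    """Expand every form parameter and encode the result as a POST body."""
    expanded = {name: expand(value, session, args) for name, value in form_parameters.items()}
    return urlencode(expanded)


if __name__ == "__main__":
    # Constructed session and attribute values for a logged-in user.
    session = {"username": "alice", "password": "s3cret"}
    args = {"department": "sales"}
    # Form parameters from the web forward example; the value of pre is constructed.
    owa_form = {"pre": "login", "ixPerson": "6", "sPassword": "${session:password}"}
    print(build_form_body(owa_form, session, args))
    share = "smb://${session:username}:${session:password}@fileserver/${args:department}"
    print(expand_for_log(share, session, args))
```

Checking is_resolvable when a resource is saved catches references to attributes that a user has not been given, and expand_for_log is the only form that should ever reach a log file, since an expanded share URL or form body carries the user's password in clear text.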
Note
FTP Default Passive: FTP can initiate connections in passive and active mode. By default all ftp URIs will connect to their host using passive mode, as this is the most secure and most common mode used. However, if you wish to connect to a server in non-passive mode simply add ?passive=FALSE to the end of the URI, as in ftp://ftp.server.com?passive=FALSE.
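The Automatic type in step 3 accepts several URL forms (smb://, \\server\share, file://, a bare path, ftp:// with or without credentials) and the note above adds the ?passive=FALSE query on ftp URIs. The Python below is an added example of a parser for those forms, written for this guide rather than taken from SSL-Explorer; its purpose is to show the two things an administrator most needs to know about a stored URI, whether it carries credentials in the URL itself and how to print it without the password. The host, share and user names in the examples are constructed.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class NetworkPlaceLocation:
    kind: str                  # "smb", "ftp" or "local"
    host: Optional[str]
    port: Optional[int]
    path: str
    username: Optional[str] = None
    password: Optional[str] = None
    passive: bool = True       # FTP only; passive is the default, per the guide

    def redacted(self) -> str:
        """A form safe for logs: the password is masked, everything else kept."""
        if self.kind == "local":
            return f"local:{self.path}"
        userinfo = ""
        if self.username is not None:
            userinfo = self.username + (":***" if self.password is not None else "") + "@"
        port = f":{self.port}" if self.port is not None else ""
        return f"{self.kind}://{userinfo}{self.host}{port}{self.path}"


def parse_network_place(url: str) -> NetworkPlaceLocation:
    """Classify one of the URL forms the Automatic type accepts."""
    url = url.strip()
    if url.startswith("\\\\"):
        # UNC form \\server\share[\sub]; convert to the forward-slash SMB path form
        host, _, rest = url[2:].partition("\\")
        return NetworkPlaceLocation("smb", host, None, "/" + rest.replace("\\", "/"))
    if url.lower().startswith("file://"):
        # file://<path>: keep the remainder verbatim (Windows paths use forward slashes)
        return NetworkPlaceLocation("local", None, None, url[len("file://"):])
    if "://" not in url:
        # bare <path> form
        return NetworkPlaceLocation("local", None, None, url)
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("smb", "ftp"):
        raise ValueError(f"unsupported network place scheme: {scheme}")
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None
    passive = True
    if scheme == "ftp":
        # ?passive=FALSE switches to active mode; anything else keeps the default
        passive = parse_qs(parts.query).get("passive", ["TRUE"])[0].upper() != "FALSE"
    return NetworkPlaceLocation(scheme, parts.hostname, parts.port, parts.path,
                                username, password, passive)


def has_embedded_credentials(url: str) -> bool:
    """True when a username or password is written into the URL itself."""
    location = parse_network_place(url)
    return location.username is not None or location.password is not None


if __name__ == "__main__":
    for example in ("smb://alice:pa55@fileserver/public", r"\\fileserver\public",
                    "file://C:/data/reports", "/srv/shared",
                    "ftp://bob:pw@ftp.example.com:2121/pub", "ftp://ftp.server.com?passive=FALSE"):
        loc = parse_network_place(example)
        print(f"{example:45} -> {loc.redacted()}  credentials={has_embedded_credentials(example)}")
```

A URI with embedded credentials is shared by every user of the network place, so has_embedded_credentials is a useful check to run over stored resources; the Username and Password fields with ${session:username} and ${session:password} are the per-user alternative the guide recommends.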
Step 5
In addition to defining the path, a network place resource requires its access permissions to be defined. These restrict what access rights will be available on the file share when a user executes the network place. The available permissions are as follows:
Show hidden: Show all files and folders including hidden files
Read Only: All files and folders are visible but they can only be viewed
Show Folders: Show only folders
No Delete: All files and folders are visible and all file management actions can be performed except deletion of any files
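The four permissions above combine, and the combination is only meaningful if every file operation is checked against it rather than just the listing. The Python below is an added example, written for this guide and not SSL-Explorer's own code, of how such a combination can be evaluated deny-by-default: Show hidden and Show Folders decide what a listing contains, Read Only and No Delete only ever remove actions, and an action on an entry the listing would not show is refused. The directory entries are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# The four permissions offered by the wizard, as flags that can be combined.
SHOW_HIDDEN = "show_hidden"
READ_ONLY = "read_only"
SHOW_FOLDERS = "show_folders"
NO_DELETE = "no_delete"

# Everything a user can do in the file management window with no restriction set.
ALL_ACTIONS = frozenset({"view", "upload", "rename", "delete"})


@dataclass(frozen=True)
class Entry:
    name: str
    is_folder: bool
    hidden: bool = False


def visible_entries(entries: Iterable[Entry], flags: FrozenSet[str]) -> List[Entry]:
    """Apply Show hidden and Show Folders to a directory listing."""
    shown = []
    for entry in entries:
        if entry.hidden and SHOW_HIDDEN not in flags:
            continue
        if SHOW_FOLDERS in flags and not entry.is_folder:
            continue
        shown.append(entry)
    return shown


def allowed_actions(flags: FrozenSet[str]) -> FrozenSet[str]:
    """Read Only and No Delete subtract from the full action set; a flag can never add a right."""
    actions = set(ALL_ACTIONS)
    if READ_ONLY in flags:
        actions -= {"upload", "rename", "delete"}
    if NO_DELETE in flags:
        actions.discard("delete")
    return frozenset(actions)


def is_permitted(action: str, entry: Entry, flags: FrozenSet[str]) -> bool:
    """Deny by default: unknown actions, and any action on an entry the listing hides, are refused."""
    if action not in ALL_ACTIONS:
        return False
    if not visible_entries([entry], flags):
        return False
    return action in allowed_actions(flags)


if __name__ == "__main__":
    # Constructed listing: a folder, a file and a hidden file.
    listing = [Entry("reports", True), Entry("notes.txt", False), Entry(".secret", False, hidden=True)]
    for flags in (frozenset(), frozenset({READ_ONLY}), frozenset({SHOW_FOLDERS, NO_DELETE})):
        names = [e.name for e in visible_entries(listing, flags)]
        print(sorted(flags), names, sorted(allowed_actions(flags)))
```

The check in is_permitted on visibility matters because a request can name a file directly without ever listing the folder; enforcing the flags only in the listing code would let a hidden file be renamed or deleted by anyone who knew its name.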
A combination of these can be chosen.
Step 6
This step defines a drive letter for the network place. This feature is only available as part of Enterprise Drive Mapping and allows a share to be mapped to a drive letter. Once mapped, the user is able to access the network share through Windows Explorer, no longer needing to connect to SSL-Explorer to see the content.
Drive: Select a drive to map to this network place. Refer to the section titled Enterprise Drive Mapping.
Once the network place has been defined, the final step is defining which policy this network place should be associated with. Any user not linked to this policy will not be able to access the network place.
Step 7
The wizard provides a summary of the new network place; pressing Finish completes the process and creates the new resource. That's all there is to it. The newly created network place will be visible from the main network places page.
File Management
When a network place is executed the file system is opened in a new window. The window displays the contents of the file system. All the content from here and below can be managed: files can be removed, uploaded and even deleted as if you were connected directly to the file system.
The permissions selected during the configuration of the resource determine what actions are available to the user. The full list of available actions against each file is listed below.
Delete selected file or folder
Rename selected file or folder
In addition to these action icons the actions available in the Actions pane in the top right of the window also perform these functions as well as the ability to Upload files and return back to the top folder (Home).
Selecting Yes will result in the removal of the resource from the system. If this network place is associated with any policies this link will also be removed along with all other associated links.
The steps to create a web folder are listed below.
Step 1
The required file system should already exist within SSL-Explorer as a network place.
The network place should be configured to access the appropriate share. It is the name used here that SSL-Explorer will use to look up the configured URI.
Step 2
From Windows, access My Network Places.
Step 3
Step 4
Step 5
The wizard will briefly search for information about service providers and will then present you with the following screen. Select Choose another network location and click next.
Step 6
Now you need to enter the fully qualified domain name to your SSL-Explorer server.
Above, the SSL-Explorer server is https://remoteServer.co.uk and my network place, as named in network places on the system, is Public. When executed, Web Folders will communicate with the WebDAV server at remoteServer.co.uk. It will then request the URI for a network place named Public. It is this URI that will then be mapped to the web folder.
Step 7
The Web Folders client will attempt to connect to the resource and you will be prompted to enter your authentication details.
Step 8
After successful authentication the client will ask for a new name for this network place.
Step 9
Windows has successfully created the web folder. Windows Explorer opens and searches for resources. You may be asked to accept a certificate as part of the process; this is normal and ensures that your data is encrypted across the wire using SSL.
This shortcut can be moved to the desktop so that all a user needs to do to access the shared folder is double-click this icon and enter their Windows logon information.
The effect of this is that once the SSL-Explorer Agent is running the drive becomes available in the user's Windows Explorer and, like any other drive listed in Windows Explorer, this drive and any content on it can be accessed for the lifetime of the SSL-Explorer Agent.
Debug: Enable debugging for drive mappings. This should only be set if asked by SSL-Explorer support staff.
Debug Flags: Flags for the above debug option.
Streaming Threshold: The size at which files are streamed. Streaming maintains an open file on the remote filesystem. A zero value means files are always streamed.
Always Stream Files: The file extensions that should always be streamed.
Never Stream Files: The file extensions that should never be streamed.
Block Size: The block size used when reading data from the remote file system. Altering this value can affect the efficiency of file access; the default value should be ample for most environments.
Block Timeout: The number of seconds before a timeout exception is thrown when reading streamed blocks of data from the remote file system. A timeout exception will cause unexpected results and as such this setting is only used when the remote file system becomes unresponsive. It is not recommended that you change this value unless instructed to do so by 3SP support.
Total Size: The total amount of disk space displayed for a drive's volume information
Free Size: The amount of free space displayed for a drive's volume information
Size Format: The format to use in a drive's volume information
Applications
This function of SSL-Explorer allows for the publishing of applications that are either downloaded or launched by clients via the SSL-Explorer server. The benefits of distributing resources in this way are mainly the reduced costs of distributing applications and dependent software. Note that applications cannot be created unless a valid Extension has been installed within the SSL-Explorer server. This section will cover:
What is an Application Shortcut?
Applications Interface
Publish a new Application
Edit an existing Application
Removing an Application
Additional Application Configurations
By using this approach SSL-Explorer can be used to deploy a variety of applications as shown in the diagram below.
In the diagram the remote clients access the SSL-Explorer instance, which makes applications available to the remote user. Which applications are available to each remote user depends on the policies they are linked to. The other major component of an application is the extension that is associated with it. The extension is in essence the method of connection to be used to gain access to the application. If no extensions are installed then no application shortcuts can be created. Some of the extensions distributed by 3SP are listed below; details on configuring these can be found by clicking on the hyperlink:
UltraVNC
Linux rdesktop command
Microsoft RDP Client
NX Client for Windows
PuTTY for Windows
Remote Desktop Protocol (RDP)
TN5250 AS/400 Terminal Emulator
Virtual Network Computing (VNC)
Extensions can also be created manually; this, as well as additional information, is detailed further in the following documents:
SSL-Explorer: Getting Started Guide
SSL-Explorer: Configuration Guide
Knowledge Base Articles
Applications Interface
The main Applications page provides information on all Applications present within the system.
By hovering over any resource a pop-up is loaded that provides valuable information on the details of each resource; in this instance the key information is detailed below:
Name: The name of the Application shortcut.
Type: The Extension type.
Description: Further details on the resource
Action Icons
The action icons against each Application shortcut perform functions on the associated Application shortcut; their respective objectives are detailed below:
Delete Application shortcut
Edit Application shortcut details
Execute resource (user console)
Step 1
First select Applications from the Resource Management section of the Management Console. This displays the following screen.
Step 2
On a fresh install there will be no application records present. In order to publish a new application click the Create Application Shortcut link as shown below.
This starts the Create Application Wizard. A graphic of the first page follows.
Step 3
In this screen the type of application extension is defined. The wizard behavior changes for step three. This is due to each application type having potentially different requirements for operating information. UltraVNC is used in this example but the other application types are covered later in this section. Select Next.
This screen allows for the entry of the application details. A brief description of each of the fields follows.
Name: The name to be used to identify the Application shortcut.
Description: A description of the Application shortcut.
Add to favorites: A checkbox that, if selected, will add the application shortcut to the favorites of the appropriate accounts.
Step 4
When the fields have had the desired values entered simply click the Next button. This advances to the following wizard page (General Tab). As already mentioned, depending on the application type a different Application Options screen will be presented. In this instance UltraVNC is being used. Each of the options available on the different tabs is explained below.
General Tab
Each of the options is described briefly below:
Hostname: Hostname of the remote VNC server that is being connected to.
Port: The port on which the remote server is listening. If the VNC server uses display numbers instead of ports, simply add 5900 to the display number to get the port number.
Password: The password for the remote VNC server. This is usually a maximum of 8 characters.
Display Tab
Each of the options is described briefly below:
Full Screen: When enabled the remote desktop session will take up the entire screen.
Display Scale: Magnify or reduce the display area of the remote desktop.
Disable Status Bar: Disables the status bar when connecting to a WinVNC server.
Disable Hot Keys: Disables the WinVNC hot keys.
Disable Toolbar: Disables the UltraVNC toolbar.
View Only: Local mouse and keyboard input is disabled.
Cursor Type: Displays a specific type of cursor in the display window.
o No Cursors: The local system's current cursor type.
o Dot Cursor: A small dot as the remote cursor.
o Normal Cursor: Displays the remote cursor.
Mouse Tab
Each of the options is described briefly below:
Emulate 3 button mouse (2 button click): Pressing the left and right mouse buttons at the same time emulates a middle mouse button click (i.e. LMB + RMB = MMB).
Swap Mouse Buttons: Swaps the functions of the left and right mouse buttons.
Protocol Tab
Each of the options is described briefly below:
Colour Scheme: Alters the color scheme of the display.
Share the Server with other viewers: Allows other VNC viewers to connect, view and control the remote desktop.
Compression Level: The level of compression to be used when supported by a particular form of encoding. The lower the number, the less compressed the data, which saves processor time.
Do not transfer Clipboard contents: This prevents the contents of the clipboard from being transferred to the remote client/viewer.
Encoding: Allows the selection of encoding types for the session.
Advanced Tab
Each of the options is described briefly below:
Level of Logging: Change the level of log output. Use higher numbers to aid debugging.
Output Console: Display log output on the console.
Once the application options have been entered click the next button to advance to the next page.
Step 5
This page allows for the configuration of policies to be applied against the new application record. Policies can be added, removed or even configured from this page. When all relevant policies have been applied click the Next button, which displays the following page.
Step 6
This is simply a summary page detailing key information. If all information on this page is correct press the Finish button to advance to the final wizard page as shown below.
Step 7
Clicking the Exit Wizard button returns to the main applications page where the newly created applications record is present.
That is it. This shortcut can now be executed and the configured resource will connect to the remote machine.
Step 2
To edit an application just click the Edit action against the application to be altered. This will then show a tabbed screen where values can be changed for all of the associated information against an application. In the following example an UltraVNC application type is shown.
Step 3
Clicking the Save button will store the altered values and redisplay the applications screen. Selecting the Cancel button will not alter any values and return to the application screen.
Removing an Application
Step 1
To remove an existing application navigate to the applications screen (Management Console > Resource Management > Applications). A list of existing applications is displayed as shown below.
Step 2
To remove an application select the Remove action against the application to be removed. The following screen is presented.
Step 3
Selecting No will cancel the action and return to the application screen. Selecting Yes will remove the application and return to the main application screen.
Linux rdesktop
rdesktop is a Remote Desktop Protocol (RDP) client for most Unix-like systems such as BSD and Linux. rdesktop works by interacting with Microsoft Terminal Services. Linux rdesktop supports all features of RDP, including mapping local drives and printers to the remote computer. For a full list of features please visit the project's main site.
Operating Systems: Unix variants such as BSD and Linux.
License: Free and open source software released under the GNU General Public License.
Official Site: http://www.rdesktop.org/
Each of the options is described briefly below:
Hostname: The hostname of the remote RDP server.
Port: The port on which the remote RDP server is running (defaults to 3389).
Domain: The Windows domain name to use for authentication.
Username: The Windows username to use for authentication.
Password: The Windows password to use for authentication.
Color depth: Number of bits per pixel to use. The lower the number, the fewer colors are available; 16bpp, for example, has 65536 colors available.
Full screen: The remote desktop will take up the entire local desktop.
Each of the options is described briefly below:
Hostname: The hostname of the remote RDP server.
Port: The port on which the remote RDP server is running (defaults to 3389).
Width: If full screen is not selected this will set the width of the remote desktop in pixels.
Height: If full screen is not selected this will set the height of the remote desktop in pixels.
Full screen: If enabled the remote desktop will take up the entire display.
Console Session: Connects to the Windows console desktop.
General Tab
Each of the options is described briefly below:
NX Server Hostname: The hostname of the server which is running NX.
NX Server Port: The port number on which the NX server is listening. Because NX uses SSH this will normally be 22.
NX Public Key: Each NX server uses public key authentication to validate the initial connection. There is only one key per server.
NX Username: The name used for authentication on the NX server.
Session: This defines the type of session. Session can be Unix, Windows or VNC.
Desktop: Allows for the selection of the remote desktop type to use, for example Gnome or KDE.
Connection: Enables the selection of the speed of the network connection. Possible values are Modem, ISDN, ADSL, WAN or LAN.
Display Size: Defines the size of the display window.
Custom Width: When using the custom display size this value will set the display width in pixels.
Custom Height: When using the custom display size this value will set the display height in pixels.
Advanced Tab
Each of the options is described briefly below:
Disable no-delay on TCP connection: Selecting this option will disable the no-delay setting when using TCP connections.
Disable ZLIB stream compression: Selecting this option will disable the ZLIB stream compression for a connection.
Enable SSL encryption of all traffic: Allows the session to be encrypted using SSL.
Cache in memory: Sets the amount of cache to be used in memory.
Cache on disk: Sets the amount of cache to be used on the disk.
Environment Tab
Use font server: Allows the use of a font server.
Font Server Host: The hostname of the font server to be used.
Font Server Port: The connecting port of the font server.
These settings are used if the Desktop field is set to use XDM. Each of the options is described briefly below:
XDM Settings: Specifies how the XDM settings are collected.
XDM Display Host: The hostname of the XDM Display Server.
XDM Display Port: The port the XDM Display Server connects on.
These settings are used if the Desktop field is set to use Custom. Each of the options is described briefly below:
Application: Allows the user to select how the desktop is launched.
Run the following command: Runs the entered command at startup, but only if the option is selected in the Application field.
Virtual Desktop: Sets either a fixed display or a moveable window.
Enable the X agent encoding: Enables X agent encoding in the desktop.
Enable taint of X replies: This option, when enabled, will short-circuit simple replies on the X client side in single application mode.
Each of the options is described briefly below:
RDP Hostname: The hostname of the Windows system being connected to.
RDP Domain: The domain of the target system.
RDP Authentication: The method of authentication to be used.
RDP User: Specifies the name to be used if Show Windows logon Screen is selected in the RDP Authentication field.
Run an Application at Start-up: Allows an application to be launched when a connection is made.
Run the following Application: Runs the entered application path at start-up if the previous option is true.
Each of the options is described briefly below:
VNC Hostname: The hostname of the system being connected to.
VNC Display Port: The display port number that is used.
For a full list of features please visit the project's main site.
License: MIT licence
Official Site: http://www.chiark.greenend.org.uk/~sgtatham/putty/
Each of the options is described briefly below:
Hostname: The hostname on which the SSH server is running.
Port: The port the SSH server is using. Defaults to the normal SSH port number of 22.
Username: Username used to authenticate with the SSH server.
Each of the options is described briefly below:
Hostname: The hostname on which the RDP server is running.
Port: The port that the RDP server is using. Defaults to 3389.
Domain: The Windows domain name used for authentication.
Username: The Windows user name used for authentication.
Password: The password used for the authentication process.
Bandwidth Saving: Enables the use of the bandwidth saving mode.
Fullscreen (Java 1.4+): When enabled this will display the remote desktop on the entire display area of the local desktop. Java 1.4 or higher must be present for this to work.
Screen Width: Defines the width of the remote desktop as long as full screen mode is not in use.
Screen Height: Defines the height of the remote desktop as long as full screen mode is not in use.
Keyboard: Keyboard language code.
Start Program: A program to start running upon connection.
Each of the options is described briefly below:
Hostname: The hostname running the terminal emulator.
Port: The port being used by the terminal emulator.
Each of the options is described briefly below:
Hostname: The hostname of the remote system running a VNC server.
Port: The VNC display port to be used.
Password: The VNC password.
Operate in a separate window: This will open this connection in a new display window if one is already open.
Restricted colors to 8 bits: Restricts the display to only use 8 bit colors.
View only: Disables the mouse and keyboard, allowing only the viewing of the connection.
Show Controls: Displays a toolbar containing the VNC controls.
Share desktop: Shares the connection with other clients on the same VNC server.
Defer screen updates (in ms): Use this option to set the number of milliseconds between each screen update.
Defer cursor updates (in ms): Use this option to set the number of milliseconds between each cursor update.
Defer update requests (in ms): Use this option to set the number of milliseconds between each update request.
SSL-Tunnels
SSL Tunnels allow for ad-hoc connections to be made between networked computers. This section will cover:
What is an SSL Tunnel?
SSL Tunnels Interface
Create a new SSL Tunnel
Edit an existing SSL Tunnel
Remove an existing SSL Tunnel
Tunnel Types
Tunnels come in two types:
Local: A local forward is where the client acts as the listening device.
Remote: A remote forward reverses the roles: it is the remote target that acts as the listener for any communication request. The practical implication of this is that a remote user can connect to a central company networked SSH server and use it as a go-between to access another client machine within that network.
The main SSL Tunnels page provides information on all tunnels present within the system.
Action Icons
The action icons against each SSL Tunnel perform functions on the associated tunnel; their respective objectives are detailed below:
Delete SSL Tunnel
Edit SSL Tunnel details
Execute resource (User Console)
This will then start the wizard, the first page of which follows.
Step 2
Name: The name to be used to identify the SSL Tunnel.
Description: A description of the SSL Tunnel.
Add to favorites: A checkbox that, if selected, will add the SSL Tunnel to the favorites of the appropriate accounts.
Once all the relevant values have been completed simply click the Next button. This will show the following page.
Source Interface: The interface the local server will listen on. This can be any valid local IP address. For example, it could be your network IP address, in which case you would connect to <hostname>.co.uk and other external hosts will also be able to connect to you via your hostname (this replaces the original "allow external hosts" parameter). It could be 127.0.0.1, in which case the local loopback address localhost is used and only you can connect, using localhost or 127.0.0.1. It could also be left blank, in which case it will listen on both.
Source Port: The port number to use with the source interface. This is the port on which the client agent creates a server that is connected via the tunnel to the destination on the SSL-Explorer network. It can be any port number (over 1024 on UNIX based systems) and is the number that should be used when configuring the client application. For example, if you were connecting a tunnel from port 60025 to an SMTP server running on port 25 on the host mail.mycompany.com, the source port is 60025.
Destination Host: The name of the host that forms the other end of the tunnel.
Destination Port: The port number of the host that forms the other end of the tunnel. This is the port on which the SSL-Explorer server creates a server that is connected via the tunnel to the agent, which in turn is connected to the client application (a server of some kind, a VNC server for example; in this case people on the SSL-Explorer network would be able to use a VNC viewer to display and control the remote desktop, and this would run on port 5900).
Auto. Start: A checkbox that is disabled by default. When checked, the system will automatically try to start the tunnel for the duration of the SSL-Explorer server session.
Type: This drop-down box supports the values Local and Remote. A Local SSL Tunnel type allows local connections only. The Remote option allows connections to the remote client's network.
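To make the Source Interface and Source Port fields concrete, here is an added example (not code from the SSL-Explorer product or this manual): a small Python TCP forwarder with the same four wizard parameters, plus a helper that states which hosts can reach the listening side. It assumes an in-process echo service standing in for the destination and relays plain TCP rather than SSL.

```python
"""Added example, not SSL-Explorer or 3SP code: a minimal TCP forwarder with
the same shape as the SSL Tunnel wizard fields (Source Interface, Source
Port, Destination Host, Destination Port). It relays plain TCP in-process to
show what the Source Interface choice exposes; the real agent carries the
tunnel over SSL to the SSL-Explorer server, which is not modelled here."""
import ipaddress
import socket
import threading


def describe_exposure(source_interface):
    """Who can reach the listening side of the tunnel, following the manual's
    three cases for the Source Interface field (blank, loopback, network IP)."""
    if source_interface in ("", "0.0.0.0"):
        return "all interfaces: reachable from other hosts and from localhost"
    if ipaddress.ip_address(source_interface).is_loopback:
        return "loopback only: reachable from this machine only"
    return "network address: reachable by other hosts via that address"


def _pump(src, dst):
    """Copy bytes one way until src reaches end-of-stream, then signal
    end-of-stream to dst so the peer's reader also finishes."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Tunnel:
    """Listens on (source_interface, source_port) and relays each accepted
    connection to (destination_host, destination_port)."""

    def __init__(self, source_interface, source_port, destination_host, destination_port):
        self.destination = (destination_host, destination_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((source_interface, source_port))
        self.listener.listen(5)
        self.source_port = self.listener.getsockname()[1]  # real port if 0 was given
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection(self.destination, timeout=5)
            except OSError:
                client.close()  # destination unreachable: drop this client
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self):
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the destination service (the SMTP or VNC
    server in the manual's examples): echoes back whatever it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=run, daemon=True).start()
    return srv


def send_through(tunnel, payload):
    """Connect to the tunnel's listening side, send payload and return the
    reply, as a client application configured against the source port would."""
    with socket.create_connection(("127.0.0.1", tunnel.source_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    echo = start_echo_server()
    # Source interface 127.0.0.1: only this machine can use the tunnel.
    tunnel = Tunnel("127.0.0.1", 0, "127.0.0.1", echo.getsockname()[1])
    print(describe_exposure("127.0.0.1"))
    print(send_through(tunnel, b"EHLO laptop\r\n"))
    tunnel.close()
    echo.close()
```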
Step 3
Once all the relevant values have been completed simply click the Next button. This will show the following page.
Step 4
Once all the relevant values have been completed simply click the Next button. This will show the summary page.
Step 5
If the summary information is all correct simply click the Finish button. This will show the final wizard page.
Step 6
Finally click on the Exit Wizard button to close and exit the wizard. The newly created SSL Tunnel will now be displayed on the main page.
In addition to this, a new item will become available from the User Console as shown below (navigation: User Console > Resources > SSL Tunnels).
SSL Tunnels require the SSL-Explorer Agent to be running in order to operate correctly. More information is available on the SSL-Explorer Agent in the Configuration Management document.
Step 2
To edit an SSL Tunnel, select the Edit action against the SSL Tunnel to be altered. This will then show a tabbed screen where all of the values associated with the SSL Tunnel can be changed.
Step 3
Clicking the Save button will store the altered values and redisplay the SSL Tunnels screen. Selecting the Cancel button will discard any changes and return to the SSL Tunnels screen.
Step 2
To remove an SSL Tunnel, click the Remove action against the SSL Tunnel to be removed. After pressing the Remove button the following screen is presented.
Step 3
Selecting No will cancel the action and return to the SSL Tunnels screen. Selecting Yes will remove the SSL Tunnel and return to the main SSL Tunnels screen.
Profiles
Profiles configure the general working environment for a user. The system provides two areas of control: the session properties and the SSL-Explorer Agent properties. This chapter covers all that is needed to use and manage profiles, from creating to configuring them. The sections covered in this chapter are:
What is a Profile?
Profiles Interface
Creating a new Profile
Editing Profile Parameters
Editing a Profile Description
Deleting a Profile
By the end of this chapter the reader should have a good understanding of profiles and how best to configure them to suit their own environment.
What is a Profile?
Simply put, a profile provides a means for a Super User or user to alter the general working environment of the system. Modifications fall into two distinct areas: those that affect a session and those that affect the SSL-Explorer Agent.
The SSL-Explorer Agent is an applet that tunnels data from insecure applications. The agent intercepts the data and encrypts the transmission. The agent is mainly used by resources such as SSL Tunnels and Web Forwards; further information on the agent and resources can be found in the SSL-Explorer: Resource Management Guide.
The session parameters affect how the active session behaves and include such things as the session inactivity timeout, which defines how long a user can sit idle before being automatically logged out.
Profiles can be accessed and configured by both the Super User and the user; however, only the user can configure the system default profile. Users themselves, if given the permission to do so (refer to the Permissions chapter in SSL-Explorer: Access Control Guide), can create and manage their own profiles.
Profiles are a good way for users to configure an environment based upon where they are accessing the system from. For example, a user might configure a Home profile for use when working from home, and another called On-site for use when the user is on a customer site.
Profiles Interface
The main profiles page lists the currently configured profiles. This page is located under Management Console > Resource Management > Profiles.
The main page details which policy a profile is associated with. If a user has been given the permission to maintain profiles, only those profiles associated with the user's policy are visible from the user console under User Console > Resources > My Profiles.
Action Icons
The action icons against each profile perform functions on the associated profile. Their respective purposes are detailed below:
Delete profile
Edit profile name and description details
View or edit profile parameters (More)
Step 2
The first step in the wizard is the naming of the resource. Provide an appropriate name and description.
The profile itself, when created, has to be based on an existing profile. All the current parameters set within this base profile are copied into the new profile. The Base on profile parameter should be used to select an appropriate profile to use.
Step 3
The next step is associating this profile with a policy. Select the appropriate policy.
Step 4
Pressing the Finish button will end the wizard and create the profile. That's all there is to it. As you will have noticed, the configuration of the profile itself has not been done: the profile takes on the properties of the base profile. To configure this profile further the Edit profile parameters action must be selected. This is detailed next.
From here the Session and Agent properties can be altered. Selecting the appropriate icon will take the user to the edit page for that area. Each area is detailed below.
Web server
Session inactivity timeout: Number of minutes a user may sit idle before the system logs the user out automatically.
Compression: Data received will be compressed. This costs processor time but delivers data more quickly.
Note
Replacement Variables
The ${} indicates that replacement variables can be included in the resource definition. Clicking this icon will load the available variables that can be used. The session variables are values taken from the current session. The args variables are values taken from user-defined attributes.
User Interface
Enable tool tips: Enables SSL-Explorer tips to be shown where necessary.
Special effects: Enable or disable special window effects.
Theme: There is only one theme provided with the default installation, called default. New themes can be added later when offered by 3SP from the extension store. The user can also manually change the look and feel of the SSL-Explorer user interface. A theme has three parts:
1. CSS: used to change fonts, colours, borders, a few images etc.
2. Images: Each theme can have its own set of images.
3. Layouts: These allow a user to radically change the user interface very easily. Using layouts a user can change the positioning of items; for example, the default left-hand menu could be moved to run across the top of the page. However, these don't allow the alteration of the main content area for each page.
The best way to create your own company theme is to copy webapp/theme/default and webapp/WEB-INF/theme/default to another folder such as webapp/theme/myTheme and webapp/WEB-INF/theme/myTheme respectively and edit the content. Images are the easiest to change, followed by CSS and finally layouts.
Default user console resource view: The default view type to use when listing resources in the user console.
Date format: The format in which dates should be displayed in the system.
Clock type: Select the type of clock you wish to display; this clock is visible in the event pane. Client displays the client's local time, Server displays the server's time and Disabled prevents the clock from being displayed.
Agent Configuration
Keep-Alive interval: Because the agent does not have a permanent connection to SSL-Explorer (HTTP is stateless), a heartbeat is required to inform SSL-Explorer that the agent is alive. If SSL-Explorer fails to receive this heartbeat then all open connections are closed.
Shutdown interval: When an agent is being shut down, either by logging off or by clicking the agent shutdown button, a message is sent to the agent to shut down. If SSL-Explorer does not receive a de-registration request from the agent within this configured interval, SSL-Explorer takes it upon itself to clean up any unnecessary connections, tunnels, objects etc.
Registration sync timeout: When the agent is launched the agent applet downloads and tries to start the agent. The applet then waits for the agent to connect to SSL-Explorer and send a registration request. If this is not received within the allotted time then the applet is informed and an error is raised.
Note
No Requirement to Adjust Parameters
The heartbeat, registration and shutdown intervals shouldn't be altered unless you are working with a slow network or old hardware.
Start automatically on logon: Start the agent automatically whenever a user logs in.
Browser command: Command to launch the browser; leave blank for automatic.
Web forward inactivity timeout: If a web forward has been inactive for the given duration, close the connection.
Tunnel inactivity timeout: If a tunnel has been inactive for the given duration, close the connection.
Debug: Enable logging; logs will be held on the client machine under <User_home>/.sslexplorer/applications/Agent/cpn-client.log
Force basic agent: Force the use of the basic SSL-Explorer agent. This is supported on all Java platforms and versions from 1.1 upwards (including the Microsoft JVM) and is a smaller download than the more full-featured agent.
Clear cache directory on exit: Enabling removes the SSL-Explorer Agent from the client's computer on shutdown. Disabling leaves the SSL-Explorer Agent files inside a hidden directory, enabling a faster start-up time on next use.
Display information popups: Enabling this shows messages in a popup when the agent is performing an action. Disabling this removes these popups and lets the agent operate silently.
Cache directory: The location for storing downloaded applications and other resources. This directory is maintained within the user's home directory.
Remote tunnels require confirmation: Enabling will force the user to accept any remote tunnel connections. Disabling will create connections automatically.
No session timeout if active: This prevents the user session from timing out if the agent is running, regardless of whether the agent has any open tunnels.
Localhost address: The address to use when SSL-Explorer needs to connect to the loopback address on the client. For example, this may be set to 127.0.0.2 as a workaround for connection problems when using the RDP extension on Windows XP SP1.
Type: Type of proxy server; this can also be configured to use whatever proxy the browser is using.
Hostname: The hostname of the proxy server.
Port: Port number of the proxy server.
Username: If the proxy server requires authentication this will be the username provided. Leaving this blank will force authentication when the agent connects to the proxy.
Password: Associated with the above username.
Domain: Authenticating domain if the proxy server uses Windows authentication.
Preferred authentication: If authentication is used, the preferred authentication method can be configured.
Deleting a Profile
The Delete action removes a profile permanently from the system. Selecting the Delete action against a profile will result in a warning message informing that the profile is about to be deleted, as shown below.
Selecting Yes will result in the removal of the resource from the system. If this profile is associated with any policies this link will also be removed along with all other associated links.
Network Extensions
The SSL-Explorer Network Extension (nEXT) is a feature which provides users with full network connectivity, allowing them to upload and download files and even mount drives as if they were on the local network. The feature works on Linux and Microsoft Windows 2000, XP and 2003 operating systems. This chapter covers everything a Super User will need to know to set up, deploy and administer the nEXT extension, and furthermore it provides details on how a user can get the benefits out of the service. The sections included are:
What is nEXT?
Network Extension Interface
Configuring the Server
Configuring the Client
Additional Configuration
Running the Service
Creating Bridged Configuration
Sample Scripts
By the end of this chapter the reader should have a good understanding of the nEXT extension, from knowing the benefits to creating, using and deploying a successful nEXT deployment.
What is nEXT?
The SSL-Explorer Network Extensions plug-in provides an OSI layer 2 or layer 3 secure network extension, offering an easy-to-configure network interface with minimal maintenance overheads. As part of the Enterprise Edition, SSL-Explorer nEXT is a plug-in to SSL-Explorer that provides full network connectivity to the connecting client, meaning that a user gains access to the company network and may perform remotely all of the standard functions, such as adding new drives and moving files, as if they were sitting in their actual office. Once installed, a Super User is able to configure any number of virtual network interfaces on the server and allow full network access to the SSL-Explorer user population. SSL-Explorer nEXT consists of two components: the server-side component, which opens up interfaces, and the client-side component, which connects to these interfaces. It is through these connections that data is transmitted and received between both parties.
As the diagram below shows, in effect nEXT creates a tunnel between two networks.
Each separate network continues to work independently on its own subnet, but in addition a new subnet is created by nEXT; in this example, 192.168.70. The home network server has to hop from one subnet to the other to communicate between the nEXT server (and the corporate network) and the home network. The single clients are not connected to any home network and so run the nEXT client independently. Each has two network addresses: their standard internet address and the new nEXT address on the 192.168.70 subnet. The nEXT plug-in is not a fully clientless solution, since it needs to install virtual network devices on each client's operating system. However, all configuration data is maintained on the server, so any changes are pushed down to the client when it connects. Once installed, its operation is quite transparent to the user.
Typical Scenarios
There are a couple of typical connection scenarios that this document will address.
The Road Warrior: One of the more common requirements of a VPN solution is to provide connectivity to employees out in the field. These users may want access to the company's Local Area Network to upload files, read email and use VOIP to make calls from their laptops.
The Remote Office: Another common requirement of a VPN solution is to connect two offices together.
System Requirements
The nEXT extension requires a certain level of resources available on both the SSL-Explorer server as well as the client machines that will be installing the client software and so to successfully run nEXT the following requirements should be met:
Server System
Linux 2.4 or higher with integrated TUN/TAP driver, OR Microsoft Windows 2000, XP or 2003 Server
SSL-Explorer 0.2.4
SSL-Explorer Enterprise Edition
Client System
Linux 2.4 or higher with integrated TUN/TAP driver, OR Microsoft Windows 2000, XP or 2003 Server
Requires Administrative Account to Install Service
In order to install and run the SSL-Explorer: nEXT service on your client machines, you will require the use of an account with administrative permissions in Windows. Once the service is installed, a regular user can launch nEXT configurations from the Windows system tray.
A number of actions are available against each server and client component; these are detailed in the next section.
Action Icons
The icons are split into those available for a client and those available for a server interface; where necessary, hyperlinks have been provided to allow direct access to information on the action. To configure and execute the nEXT service successfully, however, it is recommended that the entire process be followed in order, from the Configuring the Server section onwards.
Client Icons
Launch Client Configuration. Refer to Connecting Client
Install Windows Service. Refer to Windows Service
Add Windows TAP driver. Refer to Install Client TAP Driver
Server Icons
Start Network Extension. Refer to Starting Server Interface
Add Windows TAP driver. Refer to Install Server TAP Driver
Delete Windows TAP driver
Edit Server Interface
Remove Client Configuration
For this particular extension the SSL-Explorer server will need restarting before nEXT can be used. For Linux servers the nEXT extension files are compiled on the operating system, so GCC and the GCC C++ compiler should be installed on the server for successful compilation. If compilation does fail, SSL-Explorer will report this when the Super User logs back in.
Avoiding Recompilation with Server Restart
Each time a Linux SSL-Explorer instance is restarted it searches for a nEXTserver binary in the $SSLX_HOME/bin directory. If this is not found then a compile of the binary is performed and the output copied to the $SSLX_HOME/bin directory. A compile is only performed again when the Network Extensions version has changed. A compiled binary from another server can be used by copying the binary to the $SSLX_HOME/bin directory and checking the 'Do not compile' parameter under System Configuration > Resources > Network Extensions. If this is not set the system will re-compile and not use the copied binary. If the system is not compiling the binary itself then at each version change take a newly compiled version and copy it to $SSLX_HOME/bin; failure to do so may result in problems, as the binary may not be compatible with the latest version of the plug-in.
The basic steps that need to be carried out for a successful server-side implementation are as follows:
Configuration of the server interface
Installation of the TAP driver
Note
Both these steps are covered below.
Step 1
The first step in the process is the creation of a server interface. The server interface is a virtual network adapter that resides on the operating system that hosts your SSL-Explorer server. This virtual adapter (typically called a TAP device) provides the connection between your LAN and your VPN clients.
Step 2
This opens the Network Extensions main page. From the Action list in the event pane choose whichever action is appropriate: Create Bridged Interface or Create Routed Interface.
Bridged: A bridged interface essentially involves combining an existing Ethernet interface on your server with a virtual TAP interface, placing them together under the umbrella of a single bridge interface.
Note
Benefit of Bridged Interface
One of the benefits of using a bridged interface is that a connecting client can obtain an IP address from the LAN subnet.
Routed: A routed interface involves creating a separate subnet for VPN clients; each connecting client receives an IP address from the VPN subnet and not an IP address from the LAN. This requires some additional network configuration: setting up routes on your gateway and ensuring that the operating system hosting SSL-Explorer is acting as a router.
Note
Benefit of Routed Interface
One of the benefits of using a routed interface is that routing is more scalable and efficient than bridging.
Overall, bridging and routing are very similar, with the major difference being that routed interfaces will not pass IP broadcasts across the VPN, but a bridged interface will.
Step 3
To create an interface a number of details are required, firstly the name and description of the interface.
The parameters are as follows:
Network: Network address for this subnet in CIDR format. In the screenshot above a private subnet of 192.168.70.0/24 has been created. This is the same as using 192.168.70.0 with a subnet mask of 255.255.255.0, which provides 256 addresses (254 usable, as 192.168.70.0 is the network address and 192.168.70.255 is the broadcast address).
IP Address: IP address assigned to the server interface from the defined subnet. By default the server will be assigned the first available IP address in the subnet range, which in the above example would be 192.168.70.1.
Max Clients: Maximum number of concurrent clients that can connect to this subnet. This figure is also affected by the number of concurrent users you have licensed for SSL-Explorer: Enterprise Edition.
Step 4
If you have chosen to create a routed interface then the routing tab will need completing.
Published Network: This box contains a list of the published networks for this server interface. A published network is any network which you want clients connecting to this interface to have access to. In the example, we have added the 192.168.0.0/24 subnet, which is the main LAN that clients will need to access.
MTU: The Maximum Transmission Unit for Ethernet frames.
Route between clients: If checked, clients on the VPN will be able to communicate with other clients on the same VPN.
Publish client networks to other clients: The client configuration page allows the publication of networks published by connecting clients. By default these networks are not accessible by other clients. However, by checking this box these published networks become accessible by other clients. This also requires the above option, Route between clients, to be checked.
Step 5
For advanced users, select the Commands tab to configure any required up and down commands.
Up Commands: Commands that will be executed once the interface has started. In the screenshot above the comments in speech marks will be displayed, with the $IPADDR variable being replaced by the actual IP address. Any command executable from a script file is usable. In fact the commands listed here are themselves executed from a temporary script file. Much like the $IPADDR token there are a number of tokens that can be used; these are listed below.
Option        Description
${IPADDR}     The IP address of the interface
${DEVICE}     The name of the TAP device created by the ifconfig command
${NETADDR}    The network address for this interface
${SUBNET}     The subnet mask for this interface
${CIDR}       The CIDR string for this interface
${MTU}        The MTU of the interface
${BADDR}      The broadcast address of the network
Down Commands: Similar to the Up Commands parameter, except that these commands are executed when the interface is stopped.
Step 6
Once configured, pressing the Save button will store these parameters. The newly created interface will now be visible from the main page.
The main page displays the current status of the interface and the available options that can be performed on the associated interface. The final step is the installation of a corresponding TAP driver on the server to service the new interface; this is detailed in the next section.
DHCP Configuration
When a nEXT client connects to the server, DHCP is used to retrieve the IP address it will be assigned. The parameters configured in the DHCP tab are pushed to the client to allow it to configure necessary components such as DNS servers, WINS servers and NTP servers.
The configurable items are detailed below:
Address Pool Start Address: Start address of the DHCP address assignment; only IPs in this range will be allocated by nEXT.
Address Pool End Address: End address of the DHCP address assignment.
Domain name: Set the connection-specific DNS suffix; this is used to search domains when a FQDN is not provided, i.e. hostname rather than hostname.company.co.uk.
Primary DNS: Set the primary domain name server IP address.
Secondary DNS: Set the secondary DNS server IP address.
Defining Flush and Register Commands for Windows
If you have problems resolving the DNS server, set the clear DNS cache command, ipconfig /flushdns, and the DNS registration command, ipconfig /registerdns, in the client Up command pane in the client configuration window.
Primary WINS: Set the primary WINS server IP address (NetBIOS over TCP/IP Name Server).
Secondary WINS: Set the secondary WINS server IP address.
NBDD server: Set the primary NBDD server IP address (NetBIOS over TCP/IP Datagram Distribution Server).
NTP server: Set the primary NTP server IP address (Network Time Protocol).
NBT type: Set the NetBIOS over TCP/IP node type. Possible options:
1 = b-node (broadcasts)
2 = p-node (point-to-point name queries to a WINS server)
4 = m-node (broadcast, then query name server)
8 = h-node (query name server, then broadcast)
NBS Scope-Id: Set the NetBIOS over TCP/IP scope. A NetBIOS scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS scope ID also allows computers to use the same computer name, as long as they have different scope IDs: the scope ID becomes a part of the NetBIOS name, making the name unique.
Disable NBT: Disable NetBIOS over TCP/IP.
These parameters can be accessed for use in the Commands tab also. The relevant replacement variables are detailed below.
Option               Description
${DOMAIN}            Domain name
${PRIMARY_DNS}       Primary DNS IP
${SECONDARY_DNS}     Secondary DNS IP
${PRIMARY_WINS}      Primary WINS IP
${SECONDARY_WINS}    Secondary WINS IP
${NTP}               NTP server
${NBDD}              NBDD server
${NB_SCOPE_ID}       NetBIOS scope Id
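As an added example (not 3SP's code) covering the subnet calculation for the Network parameter, the ${...} replacement variables used in Up and Down commands, and the DHCP address pool: the Python below derives the interface values from a CIDR network, checks a pool against that subnet, and substitutes tokens into an Up command. The device name tap0 and MTU 1500 are assumed values.

```python
"""Added example, not SSL-Explorer code: derive the server interface values
that the Network Extensions wizard describes from a CIDR network, check a
DHCP address pool against that subnet, and render an Up command by
substituting the ${...} replacement variables listed in the manual."""
import ipaddress
import re

# Token syntax used in the Commands tab: ${IPADDR}, ${DEVICE}, ...
_TOKEN = re.compile(r"\$\{([A-Z_]+)\}")


def interface_params(cidr, device="tap0", mtu=1500):
    """Return the replacement variables for a server interface on 'cidr'.
    The server takes the first usable host address, as the wizard does by
    default; 'device' and 'mtu' are assumed values for illustration."""
    net = ipaddress.ip_network(cidr)          # raises if host bits are set
    hosts = list(net.hosts())                 # excludes network and broadcast
    if not hosts:
        raise ValueError(f"{cidr} has no usable host addresses")
    return {
        "IPADDR": str(hosts[0]),
        "DEVICE": device,
        "NETADDR": str(net.network_address),
        "SUBNET": str(net.netmask),
        "CIDR": str(net),
        "MTU": str(mtu),
        "BADDR": str(net.broadcast_address),
    }


def usable_hosts(cidr):
    """Addresses available to the server and its clients (254 for a /24):
    the network and broadcast addresses are excluded."""
    return max(0, ipaddress.ip_network(cidr).num_addresses - 2)


def validate_dhcp_pool(cidr, server_ip, pool_start, pool_end):
    """Check the Address Pool Start/End values. Returns a list of problems;
    an empty list means the pool can be handed out safely. The server's own
    address must not be inside the pool or it could be leased to a client."""
    net = ipaddress.ip_network(cidr)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    server = ipaddress.ip_address(server_ip)
    problems = []
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"pool {label} {addr} is the network or broadcast address")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start <= server <= end:
        problems.append(f"server address {server} lies inside the pool")
    return problems


def render_command(template, params):
    """Substitute ${NAME} tokens in an Up/Down command. An unknown token is
    an error rather than being left in place, so the temporary script the
    server runs never contains a literal '${...}' argument."""
    def replace(match):
        name = match.group(1)
        if name not in params:
            raise KeyError(f"unknown replacement variable ${{{name}}}")
        return params[name]
    return _TOKEN.sub(replace, template)


if __name__ == "__main__":
    params = interface_params("192.168.70.0/24")
    print(params)
    print(usable_hosts("192.168.70.0/24"), "usable addresses")
    print(validate_dhcp_pool("192.168.70.0/24", params["IPADDR"],
                             "192.168.70.10", "192.168.70.100"))
    # Constructed Up command echoing the interface details (e.g. to a log)
    print(render_command('echo "${DEVICE} up: ${IPADDR}/${SUBNET} bcast ${BADDR}"', params))
```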
Note
Multiple Server Interfaces
For each new network you wish to extend to, a new TAP driver will need to be installed on the server to service that network.
This will begin downloading files from the server on to the client machine.
Step 4
As the SSL-Explorer nEXT TAP driver is currently unsigned a warning will appear. Select Continue Anyway to install the driver.
Note
Warning Message
The warning message will appear for every instance of the TAP driver you have installed, which could be multiple times. Continue pressing Continue Anyway until the driver installation is complete.
Step 5
Linux
Most Linux distributions come with an integrated TUN/TAP driver.
Step 1
Firstly, make the device node:
mknod /dev/net/tun c 10 200
Step 2
Add the following line to /etc/modules.conf:
alias char-major-10-200 tun
Step 3
Load the TUN/TAP driver:
modprobe tun
That is all there is to configuring the server-side of the nEXT plug-in. The next section details the client side, which must also be configured.
Both these steps are detailed below.
Step 1
From the Network Extensions page select the appropriate client configuration action. A client configuration is seen as a single client connecting to the nEXT server, whereas a routed client can be seen as an external network connecting to the nEXT server.
Step 2
This will start the Create Client Configuration wizard. The first step requires the name of the configuration and description.
Checking Add to favorites adds this to the client's favorites page.
Step 3
The next step requires the interface configuration to be defined.
Step 4
Server Interface: The server configuration to use. This should be the interface that was configured earlier.
IP Address: Optionally, you can specify an IP address to bind to this client configuration.
Device Name: Optionally, you can also specify a device name associated with the TAP network driver.
If you have chosen to create a routed client configuration then you can configure any routing information in this step.
Step 5
Published Network: A list of the published networks for this client interface. A published network is any network which you want clients connecting to this interface to have access to. In the example above I have made the client-side LAN, 192.168.70.0/24, visible to the server.
MTU: The Maximum Transmission Unit for Ethernet frames.
The next step for both configurations allows any up and down commands to be defined.
Step 6
Select the policy this resource should be attached to. Adding this to the Everyone policy ensures that the entire user population will have access to this client.
Step 7
The final step displays the summary of the configuration. If you are happy with the configuration select the Finish button to create the resource. The newly created client will be visible from the main Network Extension page.
The next step is the installation of a TAP driver to route requests from the client machine to the corresponding TAP driver on the server; this is detailed in the next section.
Log into your machine using an administrative account. The TAP driver is installed from the SSL-Explorer server, so the next step in this process is to log in to the user console from the client machine on which you wish the TAP driver to be installed. From the correct client configuration select the Install Windows TAP driver action.
Note
Multiple Server Interfaces
Each client TAP driver is tied to a TAP interface on the server at runtime. If you wish to be able to access multiple TAP drivers on the server then multiple TAP drivers should also be installed on the client, one for each network you wish to access (each of which should have a corresponding TAP driver installed on the server).
This will begin downloading files from the server on to the client machine.
Step 5
As the SSL-Explorer nEXT TAP driver is currently unsigned a warning will appear. Select Continue Anyway to install the driver.
Note
Warning Message
The warning message will appear for every instance of the TAP driver you have installed, which could be multiple times. Continue pressing Continue Anyway until the driver installation is complete.
Step 6
That's all there is to installing a Windows TAP driver. The client is now configured.
Additional Configuration
Before we can actually start the server interface a few external items for the server need to be configured:
Configuration of necessary routes
Enabling IP routing on the server
These are detailed below. In order for the machines on the new subnets created through nEXT to operate successfully with the VPN, routes need to be configured on the published networks. As a minimum, the VPN network should be added to the routes on those machines that clients may require access to over the VPN.
Where SSL-Explorer is the Default Gateway
If the SSL-Explorer server is the default gateway for your network, the VPN network will not need to be added to these routes.
Note
Local routes
Assume the SSL-Explorer server uses the LAN IP address 192.168.0.10 and the VPN subnet is 192.168.70.0.
To add routes across the LAN, execute the following command on the machines that clients should be able to access:
Linux: route add -net 192.168.70.0 netmask 255.255.255.0 gw 192.168.0.10
Windows: route -p add 192.168.70.0 mask 255.255.255.0 192.168.0.10
The machines will be aware of the VPN and thus be able to respond to requests from the subnet IP addresses. If all machines needed to see the subnet then these commands would need to be executed on all machines.
Global routes
An alternative is to add the route to the default gateway. In this way all machines will instantly be able to see the subnet through the default gateway. For example, if we have a default gateway of 192.168.0.1, we need to execute the route command on the gateway to route all 192.168.70.0/24 traffic to the SSL-Explorer server on 192.168.0.10.
route add -net 192.168.70.0 netmask 255.255.255.0 gw 192.168.0.10
When a client tries to access a machine on the new subnet it will not be able to locate the IP address. Instead it will go to the default gateway, which will then direct the traffic to the SSL-Explorer server, which has visibility of the subnet. In the local routes example the default gateway is not configured, and so if a machine has no knowledge of the subnet the machine is unreachable.
Microsoft Windows
To enable routing the IPEnableRouter value in the registry must be set to 1.
Step 1
Run regedit.exe
Step 2
Locate the IPEnableRouter parameter from the registry. This should be located under HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Change the value from 0 to 1.
Step 3
Linux
Run the following command: echo 1 > /proc/sys/net/ipv4/ip_forward
Since Linux does not use a registry, this should be added to your startup script to save having to execute this command every time you restart the operating system. How this is configured depends upon your flavor of Linux; to achieve this on a Fedora Core installation you can add or edit the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1
Step 2
Connecting Client
The client can be executed from the user console in one of two ways:
Win32 direct
Linux Client Command line
Win32 Direct
This is launched directly from the Network Extension page in the user console. Since the process will start the TAP driver, the user logged in to the client machine must have Administrator privileges and must also have the TAP driver installed.
Step 1
From the Network Extension page select the Start Client Configuration action against the appropriate client configuration.
Step 2
This will start the client, in the taskbar the TAP driver icon will appear.
While nEXT attempts to establish a connection the icon will flash briefly. Once a connection to the server has been established the icon will stop flashing, indicating that the connection has been established. The new nEXT network will be available to use. From Windows Explorer you should now be able to access the drives of those machines on the nEXT network.
Note
Routes are not immediately published on Microsoft Windows systems
Due to restrictions imposed by Windows networking, the VPN routes are not immediately published when the nEXT client is launched. Expect to wait around 10-15 seconds after launching the client before the routes are published and the nEXT VPN client is fully usable.
Linux
The Linux client can only be downloaded and compiled straight from the Network Extension page, as the system is unable to execute the client. Instead the client user will have to manually take the compiled file and run the client as a command line executable. Details on this can be found in the Command Line Client section.
Step 1
You will need to have GCC, GCC-C++ and OpenSSL installed on the system before compilation can be performed.
Note
Avoid Moving Compiled Binaries
It is recommended that you do not attempt to move compiled binaries across Linux platforms, as the C++ runtime support may differ even on the same versions of Linux.
Step 2
From the Network Extension page select the Compile Linux Client action against the appropriate client configuration.
Step 3
The system will begin downloading the client. Once completed you will receive a notice.
Step 4
Once the client has been built you can move it to somewhere appropriate on your system and configure platform scripts to install it as a service. To run the command please refer to the section below, Command Line Client.
The executable comes with a host of options applicable to both Windows and Linux. In both cases running the client will require Administrative/root privileges to allow the client to start the TAP drivers. The command line options available are as follows:
Switch  Switch alternative  Description
-h      --hostname          SSL-Explorer server hostname (required)
-P      --port              Port on which SSL-Explorer resides (default=443)
-c      --config            Client configuration identifier
-u      --username          Connecting user's username (prompt if not given)
-p      --password          User's password (prompt if not given)
-i      --ip                Request the given IP address from the server
-m      --mtu               Override the client configuration's MTU setting
-C      --console           Force log output to the console
-f      --logfile           Alternate path to the application's log file
-l      --loglevel          Defines the log level
-r      --reconnect         Reconnect if the connection is lost
-I      --interval          Interval between reconnect attempts (in seconds)
-o      --option            Set a system option, for example ifconfig.path=/usr/sbin
-a      --frames            Log frame information (requires INFO debug level)
-F      --certfile          Client certificate file for authentication (PKCS12)
A script should be created to save having to retype the command every time you wish to start the client. Below are two examples:
nEXTclient -h <hostname> -u <username> -C -r
nEXTclient -h <hostname> -F <certificate file>.p12 -p <certificate password>
The <certificate file> needs to be a standard P12 certificate obtained from the SSL-Explorer CA and <certificate password> its associated password. For further information on certificates refer to the Access Control Guide chapter titled Authentication Schemes.
Note
Windows Client nEXTPass.exe
As part of the Windows Client zip file there is an executable called nEXTPass.exe. This enables a user to encrypt a password for use by the service (i.e. the password entered in the registry settings) or either of the Windows clients. Usage: nEXTPass <unencrypted password>
For example, nEXTPass.exe enter_10 outputs an encrypted string TY2MTM2ZWYzNGY5OTMyMzVmNTkz. This can then be used when running the command line client: nEXTclient.exe -h sslexplorer -u majid -p TY2MTM2ZWYzNGY5OTMyMzVmNTkz. Users can also use this to encrypt the passphrase of their client certificate if using client certificates.
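A launcher script for the command-line client on Linux, added here as an example and not shipped with SSL-Explorer. It assumes the binary is installed as /usr/local/bin/nEXTclient (override with NEXT_BIN) and uses only the switches from the table above; it refuses a PKCS12 file that is readable by other users and never puts a password on the command line, where it would be visible in the process table and shell history, leaving the client to prompt for it.

```shell
#!/bin/sh
# Added example launcher for the nEXT command-line client (not part of SSL-Explorer).
# Assumption: the client binary path below; the switch names come from the options table.
NEXT_BIN="${NEXT_BIN:-/usr/local/bin/nEXTclient}"

# require_root UID -> 0 if UID is 0, 1 otherwise.
# The client has to bring up the TAP driver, so it needs root; fail early.
require_root() {
    [ "$1" -eq 0 ]
}

# cert_is_private FILE -> 0 if FILE exists and only its owner can access it.
# The PKCS12 file contains the user's private key, so group/world bits are rejected.
cert_is_private() {
    f="$1"
    [ -f "$f" ] || return 1
    # ls -l mode string: column 1 is the type, 2-4 owner bits, 5-10 group and other bits.
    others="$(ls -ld "$f" | cut -c5-10)"
    [ "$others" = "------" ]
}

# next_args HOST USER [CERTFILE] -> prints the argument list for nEXTclient.
# -C forces console logging, -r/-I 30 reconnects every 30 s if the link drops.
# No -p: the client prompts for the password (or certificate passphrase) itself.
next_args() {
    host="$1"; user="$2"; cert="$3"
    [ -n "$host" ] && [ -n "$user" ] || return 1
    args="-h $host -u $user -C -r -I 30"
    if [ -n "$cert" ]; then
        cert_is_private "$cert" || return 2
        args="$args -F $cert"
    fi
    printf '%s\n' "$args"
}

main() {
    require_root "$(id -u)" || { echo "nEXTclient must be run as root" >&2; exit 1; }
    args="$(next_args "$@")" || { echo "usage: $0 HOST USER [CERTFILE.p12]" >&2; exit 1; }
    # Word splitting of $args is intentional: it is the argument list built above.
    exec "$NEXT_BIN" $args
}

# Run only when called with arguments, so the functions can be sourced or tested.
[ $# -eq 0 ] || main "$@"
```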
Windows Service
A Windows Service action is available from the Network Extension main page that allows the configuration of the nEXT client as a Windows service on the client machine. Again, Administrative privileges are required to install the service, but once installed any user can use the service.
Step 1
From the Network Extension page in the user console click the Install Windows Service icon against the appropriate client configuration.
Step 2
Once successfully installed, a dialog will appear. Press OK to accept the message.
Step 3
The service is installed but requires configuration. To configure the service run regedit.exe and create the following key if not present: HKEY_LOCAL_MACHINE\Software\SSL-Explorer nEXT
Step 4
Set the log level. Two values can be attributed to this key: logFile, an absolute path to a file to log to, and logLevel, either INFO or DEBUG. Add these if required.
Step 5
To configure a connection, create a subkey under the key. The key can have any name assigned to it. In the example below the key has been named Office.
Step 6
In the new key add an args string value and add the arguments that need to be passed into the nEXT client executable. Above you can see the arguments for username, password and hostname are used. If you wish the nEXT configuration to auto start on boot up you need to create another value here, a new DWORD value named autostart. Its value should be set to 1.
Step 7
That's it; the final step is to start the service from the Service Control Panel (Control Panel > Administrative Tools > Services). The SSL-Explorer nEXT service will have been installed previously through the Network Extension page.
Step 8
When the service is started the nEXT icon should appear in the taskbar as before while the connection is being made. The networks should be accessible once the service has established a connection.
Windows
This configuration requires Windows XP or higher on the bridge side, as Windows 2000 does not support bridging; however, a Windows 2000 machine can be a client on a bridged network. Ensure that you have at least one spare TAP driver installed on the SSL-Explorer server. Rename this to tap0 or any other name of your choosing. Next select tap0 and your Ethernet adapter with the mouse, right click, and select Bridge Connections. This will create a new bridge adapter icon in the control panel. Edit the TCP/IP properties on the bridge adapter and set them to the IP address of your SSL-Explorer server. It is not possible to use DHCP, as the IP address must be known to SSL-Explorer. Your bridged connection has now been created and you can proceed to configuring SSL-Explorer.
Linux
First, make sure you have the bridge-utils package installed. On Fedora Core this can be installed using the command yum install bridge-utils
Create a new file in $SSLX_HOME/bin called bridge-start.sh. Paste in the contents of the sample script below (see Sample Scripts) and set the br, tap, eth, eth_ip, eth_netmask, and eth_broadcast parameters according to the physical Ethernet interface you would like to bridge. Make sure to use an interface which is private and which is connected to a LAN which is protected from the internet by a firewall. You can use the Linux ifconfig command to get the necessary information about your network interfaces to fill in the bridge-start parameters.
Now run the bridge-start script. It will create a persistent tap0 interface and bridge it with the active Ethernet interface. If the file is not executable, execute the following command; the same command can be used to make the bridge-stop.sh and network-bridge scripts executable: chmod 755 bridge-start.sh
Do the same for the bridge-stop.sh script (see Sample Scripts), ensuring that you edit the content to reflect the device names entered into bridge-start.sh. Now run the bridge-stop.sh script; this should remove the persistent tap interface and remove the network bridge.
These scripts should be configured to start upon system boot. An example script is provided that has been tested on a Fedora Core installation. Simply create a new file in /etc/rc.d/init.d called network-bridge and paste in the contents. Assuming you have named the files above as suggested, you should only need to edit the location of SSLX_HOME if it differs from your installation. Save this file and then execute the command chkconfig --add network-bridge
This should make it available as a service to start on run levels 3, 4 and 5. You can test this by executing the command service network-bridge start
Step 2
Now select the Interface tab. In the Network field enter the subnet of your LAN; in this example it is 192.168.1.0/24. Next enter the IP address of the SSL-Explorer server; this should be the same IP address that you configured on the network bridge. Finally, set the Device Name field to the tap adapter name that is included in the network bridge; in this example it is tap0.
Step 3
Unless you have some specific commands you want executed when the interface comes up or goes down, you can skip the Commands tab. Now select the DHCP tab and enter an IP range for the VPN clients; this should be within your LAN's network scope and NOT part of any existing DHCP range in the LAN. It is also important to enter your LAN's domain name and DNS server information.
Step 4
The next step is to create a client configuration. At this stage we are going to set up a simple client configuration that allows single clients to connect and obtain a LAN IP address.
Step 5
Next, ensure that the Server Interface in the dropdown is the bridged interface we created previously. You can leave the IP address and Device name fields empty as they are not required in this configuration.
Step 6
Finally, you may want to enter some up commands to ensure that DNS is updated on the client correctly. In the UP commands enter:
ipconfig /flushdns
ipconfig /registerdns
This will ensure that any previous DNS entries are removed and that the TAP interface of the client is registered with the operating system's DNS service. If you want to force your users' internet traffic through SSL-Explorer you could also add the following, the add in the UP commands and the matching delete in the DOWN commands:
Route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1
Route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1
Sample Scripts
bridge-start.sh
#!/bin/bash
#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Set this to the root of your SSL-Explorer installation
SSLX_HOME=/opt/sslexplorer

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"

# Define the IP settings for the bridged interface
# NOTE: this must match the IP address assigned to
# the SSL-Explorer server interface
eth_ip="192.168.1.61"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

for t in $tap; do
    ${SSLX_HOME}/bin/nEXTserver --mktun $t
done

brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast
bridge-stop.sh
#!/bin/bash
####################################
# Tear Down Ethernet bridge on Linux
####################################

# Set this to the root of your SSL-Explorer installation
SSLX_HOME=/opt/sslexplorer

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

ifconfig $br down
brctl delbr $br

for t in $tap; do
    ifconfig $t down
    ${SSLX_HOME}/bin/nEXTserver --rmtun $t
done
network-bridge
#!/bin/bash
# chkconfig: 345 50 26
# description: Network Bridge
#
# An init script to start and stop the Network Bridge

SSLX_HOME=/opt/sslexplorer

case "$1" in
    start)
        echo "Starting Network Bridge"
        ${SSLX_HOME}/bin/bridge-start.sh
        ;;
    stop)
        echo "Stopping Network Bridge"
        ${SSLX_HOME}/bin/bridge-stop.sh
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo $"usage: $0 {start|stop|restart}"
        ;;
esac
exit 0
Virtual Hosts
SSL-Explorer is able to host more than one domain on the same server; this is known as virtual hosting. This chapter details what virtual hosting is and how you can configure your SSL-Explorer instance to host multiple domains. The sections covered in this chapter are:
What is Virtual Hosting
Virtual Host Interface
Creating a new Virtual Host
Editing a Virtual Host
Deleting a Virtual Host
Action Icons
The action icons against each entry perform functions on the associated virtual host; their respective objectives are detailed below:
Delete virtual host
Edit virtual host
Step 3
Name: Name that will be shown in the main window. Description: The description for the virtual host
The next piece of information necessary is the actual virtual host information.
Step 4
External Hostname: The host header that needs to be redirected. Any traffic directed at this host will be controlled by this virtual host resource.
Internal Hostname: The actual destination to which this traffic should be directed.
As a final step a DNS entry needs to be made that will map the external hostname, timebooking.co.uk, to the SSL-Explorer instance. This creates the initial link between the host and SSL-Explorer; without this entry the workstation will try to resolve timebooking.co.uk and not find any site.
Selecting Yes will result in the removal of the resource from the system.
What is RPC/HTTPS?
RPC over HTTP allows Microsoft Outlook clients to access Microsoft Exchange server over the internet. The MAPI protocol usually uses RPC to make calls to the Exchange server using TCP, but here we are able to tunnel Outlook RPC requests inside an HTTP session. The RPC over HTTP Proxy networking component extracts the RPC requests from the HTTP request and forwards the RPC requests to the appropriate server. The advantage of this approach is that only the RPC proxy server has to allow access from the Internet. Back-end Exchange servers do not have to allow access from the Internet.
See the Microsoft TechNet article: Technical details of using RPC over HTTP to access Exchange from an Outlook client.
Configuration
Configuration is broken into two parts, the server and the client. This document assumes that the Exchange administrator has already configured the Exchange server to accept RPC calls over HTTP. For further information on how to configure this please refer to the Microsoft website or to this site http://www.kuhnline.com/index.php?id=51. This chapter however does detail how to configure a new mail account to use SSL-Explorer as a proxy to communicate with the configured RPC/HTTPS Exchange server.
Pre-requisites
Trusted Certificate: SSL-Explorer must have a trusted certificate installed or, alternatively, each client must trust the SSL-Explorer certificate by adding it to the Internet Explorer trusted certificate authorities store.
HTTPS Proxy hostname: The HTTPS proxy configured within Outlook must match that of the certificate used by SSL-Explorer. If the SSL-Explorer server is set up with a trusted certificate for the host vpn.sslexplorer.com then this must be entered exactly into the Outlook HTTPS configuration, otherwise Outlook will not connect to the SSL-Explorer server.
NTLM Authentication: The RPC proxy will only work with Outlook clients that authenticate over NTLM.
Step 2
A new tab under Configuration System Configuration Resource titled Outlook should be visible.
From here the mail server, its associated port and the type of backend server (HTTPS or HTTP) can be defined. In addition, all policies that have access to this feature can be added. To add a policy simply select the available policies from the RPC/HTTPS policies list.
Users attached to any policy that is not part of the Selected Policies window will not have the ability to use Outlook over HTTPS.
Client Configuration
The final step in the configuration is that of the email client, Outlook. Each user can either add a new profile to an existing account or, as in the following steps, create a new email account. Either way the main steps are the same, and the steps detailed here are relevant to both. From the control panel, access the mail setup by selecting the Mail icon.
Step 5
Under the Exchange server settings step select the newly configured Exchange server and the name of your new mailbox.
Step 6
From the same window select More settings. From the first window under the Connection tab check the Connect to my Exchange mailbox using HTTP box.
Step 7
Selecting the Exchange proxy settings button opens a final window in which the FQDN of the SSL-Explorer server should be keyed into the Use this URL to connect to my proxy server for Exchange parameter. Also under the Proxy authentication settings select NTLM Authentication.
That's all there is to configuring the client. Once Outlook is started, if SSL-Explorer has not been configured to use the same Windows account as the one the user is logged in with, the system will prompt for the SSL-Explorer authentication credentials. After that, if the user is recognized as a valid user of the RPC/HTTPS resource, SSL-Explorer will enable communication between Outlook and the mail server over HTTPS.
Simply add the appropriate ones from the OMA policies list. Users attached to any policy that is not part of the Selected Policies window will not have the ability to use Outlook Mobile Access.
Step 3
Finally, to access mail from a mobile device simply connect your mobile to the following address: https://<servername>/oma
Internationalization
Internationalization extends the accessibility of your SSL-Explorer installation by providing a mechanism to offer a user base different translated versions of SSL-Explorer. This chapter details all that is needed to translate SSL-Explorer, and covers the following sections:
What is Internationalization?
Internationalization Interface
Creating a New Translation
Editing a Translation
Activating a Language
Translate Extensions
Share Language
Deleting a Translation
Language Selection
By the end of this chapter the reader should have a firm understanding of how to translate SSL-Explorer and how it can benefit an organization's multilingual global user base.
Note
System Configuration Options
For details on the configuration options available for internationalization refer to the SSL-Explorer Configuration Guide.
What is Internationalization?
The internationalization feature provides the user with a method to take the content of SSL-Explorer and translate it into a language of their choice that may not currently be supported by the SSL-Explorer product. You may also use this feature to create your own company-specific version of SSL-Explorer, with customized messages that are more relevant to your organization and working practices. This mechanism means that SSL-Explorer is able to cater for a wider array of users. For example, if your enterprise's user base spans a number of countries and continents, you now have the ability to provide translated versions of the same system to all users. SSL-Explorer can be altered specifically to a company's language needs, providing a more user-friendly environment where users are not struggling to understand the system. 3SP extends this translation process further by providing a mechanism to submit your translations to 3SP for possible inclusion in a future release. All users can then benefit from these community-created submissions.
Internationalization Interface
The main internationalization page lists the available languages. This page is located under Management Console > Resource Management > Internationalization.
The main page details which languages have been installed and which of these is currently activated.
Action Icons
The action icons against each language perform functions on the associated language; their respective objectives are detailed below:
Delete inactivated language
Edit an inactivated language
Download language (More)
Language Status
A language can have one of three states. Depending on the state, the language can either be edited for translation, deleted from the system, or neither of these two actions can be performed until the language is set to the appropriate state. These states and their rules are listed below:
State Default Inactivated Installed Can language be edited? Can language be deleted?
Step 2
Predefined language and country: This requires the locale for the new language. In this example I am using the French Canada language.
Base language: This provides a list of currently installed languages. Selecting one loads the content of that language into the new translation.
Name: The name will be shown on the main page and to all users in the Language Selection box, so it is essential that a sensible name is used.
Select the Save button to store the new translation. That's it. The new language will be visible from the main internationalization page.
As you can see above any newly created language is Inactivated, to activate it the content needs to be translated. This is done through the Edit action icon.
Editing a Translation
Step 1
The language which needs translating, new or old, must not be currently in use. From the main window set the language to Inactive (refer to the section titled Action Icons to do this).
Step 2
From the internationalization page select the Edit action against the required resource; this will start the edit translation wizard. The first step in the wizard is selecting the category to translate.
The translation wizard breaks the sentences which need translating into logical groupings based on the area they appear in. As can be seen from the screenshot above, the Categories column lists all the different areas of the system, from Installation Wizard right through to the individual enterprise plugins. The first step is to choose the area you wish to translate.
Step 3
Selecting a category lists the available sentences in the column to the right.
As the screenshot above shows, the certificates category has been selected and the associated sentences are listed. The column listing the sentences is split into two equal columns. The column to the left shows the actual original English text whilst the right column shows the translated equivalent; in this example the translation is in French.
Note
Sentences not translated shown in English
Those sentences that have yet to be translated are shown in English in the right-hand column. As each sentence is translated the English is replaced.
Step 4
The purpose of internationalization is to translate each sentence. To modify a sentence, press the Modify button.
The original sentence is shown above. The text box to the left is used to enter the new translation. Depending on the sentence a number of rules may be required. An example of these would be a sentence requiring a dynamic parameter. The instructions to cater for such sentences are detailed in the information box to the right. To save the sentence press the Save button.
To move to the next sentence without going back to the previous page (Step 2) simply press the Next button. To move back to the sentence above the current one without going back to the previous page (Step 2) simply press the Previous button. That's all there is to it. Once satisfied that all sentences have been translated, simply press Cancel and select the next category to translate.
Note
Translation State Saved
The system stores the current state of the translations, so it is not essential that all sentences in a category, or even all categories, are translated in one session. The system saves the currently translated sentences; the same user or a new user with the correct permissions can continue translating in a later session.
Activating a Language
Once all the sentences have been modified, the language needs to be activated before users can use it. From the edit page (Step 2 in the wizard) simply press the Activate button at the bottom of the page.
Note
All Sentences Must Be Translated
For a language to be installed for use there must not be any empty sentences. All sentences must be translated, whether temporarily to English or to the new translation.
This will change the state of the language to Installed on the main page.
The new language will instantly be accessible from Language Selection box.
All users with permissions to choose a language will see this new language.
Translate Extensions
Step 1
Once a language is installed its extensions can be translated. To translate the extensions of a newly installed translation select the More... button against the selected language and choose Translate Extension.
The page lists all extensions currently being edited and those currently installed.
Step 2
To edit a new extension select the Translate New Extension action from the action menu to the right.
Step 3
This produces a list of currently installed extensions. Any one listed can be translated. Select the extension that you wish to translate.
Step 4
To begin translating simply select the edit action against the extension.
Step 5
From the translation page follow the same principle as with the standard edit action; selecting the Modify button against each sentence allows the sentence to be translated.
If all sentences are completed selecting the Activate button will install the extension. The translated extension will only be accessible once the core language has been selected from the Language Selection box. Once the core language is loaded the system then loads any installed extensions associated with this language, in this example it will include the mail check extension.
Share Languages
Once you are satisfied with a translation and have installed it you can download the language as a packaged zip file and share it with other SSL-Explorer users.
Step 1
Against the installed language simply select the download action.
Step 2
The system compresses all the necessary data into a zip file which needs to be downloaded and saved.
If the download does not start simply press the Here link in the dialog above.
Step 3
Translations you wish to share with the SSL-Explorer community need to be sent to support@3sp.com.
Deleting a Translation
The Delete action removes the resource permanently from the system. Selecting the delete action against a language will result in a warning message informing that the resource is about to be deleted, as shown below.
Selecting Yes will result in the removal of the resource from the system.
Language Selection
During logon and throughout the system the language selection box is visible to the right of the interface.
This box allows the current translation of SSL-Explorer to be altered. Using the pull down box any installed languages are visible. Selecting one changes the current language instantly.
Once a language has been translated and its state set to Installed the translation will become visible from this box. Various restrictions on this are available; refer to the chapter titled Configure User Interface in the SSL-Explorer: Configuration Guide for more information.
System Functions
This section introduces the final section in the menu tree the System section. System encapsulates functionality that affects the instance as a whole from functions such as shutting down the server to viewing the status of the system.
Auditing
The audit module is exclusive to the SSL-Explorer: Enterprise Edition. This powerful reporting tool allows for the real-time capture and analysis of user and system events. This ranges from items such as starting and stopping the system through to specific user events such as creating a favorite. This section covers:
Auditing Interface
Initializing the Auditing Module
Creating a New Report
Running One-Off Reports
Checking Audit Report Integrity
Uploading a Report Template
Changing Recorded Events
Auditing Interface
The main auditing page lists the currently stored reports. This page is located under Management Console System Auditing.
Action Icons
The action icons against each report perform functions on the associated report.
Step 2
The next step allows the selection of the events to monitor. By default all events have been selected. If you wish to remove any of the selected events, just highlight the item you do not wish to record and press the 'remove' button. Once all the events that are to be recorded are selected click the 'next' button. This will display the following page.
Step 3
Archive Directory: An absolute or relative path to the SSL-Explorer Audit archive directory. This is where any archives are physically stored.
Minimum Recorded Months: The minimum number of months that archives will be kept for.
Day to Archive: The day of the month on which the Audit Archive is to be performed.
Time of Day to Archive: The time of day at which the Audit Archive is to be performed.
Step 4
Finally the configuration details are summarized; pressing Finish will save the auditing details. The main page for auditing should now be loaded each time the auditing menu item is pressed.
Step 2
All tabs contain information specific to the report, and each can be configured. For example, dates can be defined in the Date tab. Below, the report has been configured to report on the week's auditing results.
Those who can run this report can also be defined through normal policies by selecting the Policy tab.
Step 3
Once saved, this report should be visible from the main page.
These reports can be executed over and over again by pressing the execute icon against the appropriate report. Predefined dates such as 'Last Week' and 'Last Month' are run relative to the current date.
Step 2
From here items for the report, such as date ranges, can be configured.
Step 3
This will generate the report and allow it to be downloaded. When the file download dialog appears simply save or open the file.
This requires the seed for the audit report to check against.
Once the seed has been entered, simply press the Check button to begin the validation process. The amount of time this takes will depend on the size and number of audit files to be checked. Once the files have been checked, the following page will be displayed if no inconsistencies were found.
Alternatively, if inconsistencies were found the following page is displayed. This page will also show the first record that was found to be incorrect. This will help in determining how and when the inconsistency occurred.
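The manual does not describe how the seed is used internally, only that the check needs it, reports whether the files are consistent and identifies the first incorrect record. The following is an added example, not SSL-Explorer's own format or code, of one common way such a seeded check works: each record carries an HMAC over the previous record's tag and its own event text, keyed by the seed, so any altered, removed or inserted record breaks the chain from that point on, and the verifier reports the index of the first record that fails. The record layout (tab-separated event text and hex tag) and the seed value are constructed for the example.

```python
"""Seeded hash-chain integrity check over audit records.

Added example; the real SSL-Explorer audit file format and seed handling
are not documented in this guide and are assumed here.  Each line is
'<event>\t<hex tag>', where tag = HMAC-SHA256(seed, prev_tag + "\n" + event)
and the first record chains from the hex form of the seed itself.
"""
import hashlib
import hmac


def _tag(seed: bytes, prev: str, event: str) -> str:
    """Tag for one record, binding it to the record before it."""
    return hmac.new(seed, (prev + "\n" + event).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def write_chain(seed: bytes, events):
    """Produce the chained record lines for a list of event strings."""
    lines = []
    prev = seed.hex()
    for event in events:
        tag = _tag(seed, prev, event)
        lines.append(f"{event}\t{tag}")
        prev = tag
    return lines


def check_chain(seed: bytes, lines):
    """Validate the chain.

    Returns (True, None) when every record verifies, otherwise
    (False, index) where index is the first record that is inconsistent,
    which is what an operator needs to narrow down when the damage began.
    """
    prev = seed.hex()
    for index, line in enumerate(lines):
        parts = line.rsplit("\t", 1)
        if len(parts) != 2:          # malformed record counts as a break
            return False, index
        event, tag = parts
        # Constant-time comparison so the check leaks nothing about the tag.
        if not hmac.compare_digest(tag, _tag(seed, prev, event)):
            return False, index
        prev = tag
    return True, None


if __name__ == "__main__":
    # Constructed seed and events for illustration.
    seed = b"constructed-seed-value"
    events = ["system started", "user alice logged on",
              "favorite created by alice", "user alice logged off"]
    records = write_chain(seed, events)
    print(check_chain(seed, records))            # (True, None)
    tampered = list(records)
    tampered[2] = tampered[2].replace("alice", "bob", 1)
    print(check_chain(seed, tampered))           # (False, 2)
```

Because each tag covers the previous tag, editing record 2 is reported at index 2, deleting it is reported at the record that now occupies index 2, and checking with the wrong seed fails at index 0.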
The next step is to locate and upload the required template into the system. Pressing the Browse button will list the local system directories.
The filename refers to a zipped directory containing the appropriate report files. Simply press the Upload button; this will load the new report template into the system.
Step 2
Use the event selection tools to move events from available to selected.
Status
Status provides vital information pertaining to the current instance, from sessions currently active within the system to details of the hardware on which the connected instance is running. The sections covered in this chapter are:
Session Information
Status Information
nEXT Clients
Outlook Client
Session Information
All users logged into the system are made visible from this page.
As with all resources, hovering over a user provides further information on that user. Pressing the LogOff button against the user will disconnect their session.
Status Information
System information provides hardware information to the user, such as the specification of the server being used, the operating system it is running on, etc.
nEXT Clients
From here we can see who is connected to the instance through nEXT. Much like the user sessions, each session can also be terminated.
Outlook Client
Much like the nEXT client page, this shows a list of Outlook sessions connected via this instance. Again, these can be terminated.
Message Queue
The message queue is used to configure and deliver messages to all users of the system. Depending on the delivery system, a message can be sent to online as well as offline users. This chapter provides information on how to enable an appropriate delivery system as well as how to send messages. The sections covered are as follows:
What is the Message Queue
Message Queue Interface
Enabling a Delivery System
Sending a Message
Clear Message Queue
As shown above, messages can be delivered either as an SMTP email or via the SSL-Explorer Agent. In addition, below the delivery system window is the message queue window, which lists the status of any messages sent.
Sending a Message
Step 1
To send a message, select the Send Message action from the action box in the top right of the screen.
Step 2
Step 3
Select the recipients of the message. Select the Recipients tab and choose who must receive the message.
Recipients can be selected in a number of ways: through policy, through individual accounts, and even through roles if supported.
Step 4
Once done, hit the Send button. The message will be sent through the chosen delivery system. The newly created message will be visible in the delivery queue on the main page.
The system will ask for confirmation of the action before clearing out the queue.
Shutdown
Certain actions within SSL-Explorer, such as installing some extensions, require the instance to be restarted before the new additions can be activated. It is from this page that the system can be shut down. The sections covered in this chapter are:
Shutdown the Instance
Restarting the Instance
Step 2
Select a delay time; after this time the instance will be shut down.
Step 3
Select the Ok button. From here the system will begin counting down, and when the delay has elapsed the instance will shut down. The server will need to be manually restarted.
Step 2
Select a delay time; after this time the instance will be restarted.
Step 3
Select the Ok button. From here the system will begin counting down, and when the delay has elapsed the instance will be restarted.
The server will come back online after a few minutes with any changes that required a restart operational.