NETASQ Technical Support Training Session 4
SSL VPN
© NETASQ 2006
NETASQ – CORPORATE PRESENTATION
1
Summary
• Interests and Prerequisites
• NETASQ SSL VPN
• Analysis of SSL VPN problems
• Important points and known problems
Interests and Prerequisites
Interests
=> No intervention of the customer is required on the client workstations: only a browser is needed
=> No licence to purchase for each client
=> SSL encryption
=> Centralization of the applications: all servers are reached from one portal
Interests and Prerequisites
Prerequisites
=> To configure the SSL VPN, you need to configure an LDAP base
=> To use the SSL VPN, the user needs to be authenticated
=> You need to grant the SSL VPN right to the users
NETASQ SSL VPN
Two modes exist:
=> WEB, for HTTP connections
=> FULL, for the other TCP connections
NETASQ SSL VPN WEB mode (figure: HTTP Server)
The WEB mode gives access to HTTP servers.
Mechanisms:
=> The traffic up to the IPS-Firewall is encapsulated in the SSL protocol.
NETASQ SSL VPN WEB mode
Example of a client connecting to an Intranet through the SSL VPN (figure)
NETASQ SSL VPN WEB mode
=> Two connections are involved: a first one between the client and the IPS-Firewall (SSL connection), and a second one between the IPS-Firewall and the web server (HTTP connection).
=> For the first web access, the Firewall listens on port 11222; for the second, it listens on port 11223, and so on.
URLs on the portal when several web servers are configured:
first: https://10.1.34.200:11222/netasq0000/
second: https://10.1.34.200:11223/netasq0001/
...
NETASQ SSL VPN WEB mode
=> URLs are rewritten by the SSL module. For example:
http://intranet.myfirm.com/page.php?P=static/accueil/&Action=Connect
becomes in the browser
https://"FW-IP":11222/rhs0000/page.php?P=static/accueil/&Action=Connect
or, if you have enabled the option DNS Resolution,
https://"FW-SN":11222/rhs0000/page.php?P=static/accueil/&Action=Connect
NETASQ SSL VPN WEB mode
Some configuration options:
=> Rewrite URL tag: https://10.1.34.200:11222/rhs0000/
example with the tag « netasq »: https://10.1.34.200:11222/netasq0000/
=> HTTP Header tag for login: the login of the authenticated user is inserted as a header in the client request forwarded to the server, for example with the tag « Tag »:
GET / HTTP/1.0
Host: intranet.netasq.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
...
Tag: faridi
NETASQ SSL VPN WEB mode
=> Server: make sure you use an object whose name is identical to the FQDN of the server it refers to. If this is not the case, IPS-Firewall queries to this server may be refused.
=> Server alias list: this option indicates to the SSL VPN module that the server is known by several names and/or IP addresses. Example with webmail.intranet.com: if a link does not refer to this FQDN but to the IP, e.g. http://192.168.1.1/..., you need to configure the IP as an alias of the server so that the SSL module rewrites the URLs correctly.
=> Activate white list: list of URLs that must not be rewritten by the SSL VPN module.
=> Hide server from portal: all servers configured in the SSL VPN module are listed on the web portal. However, some servers may need to be reachable only from another one, and not displayed on the portal.
NETASQ SSL VPN WEB mode
OWA: a specific HTTP access (since version 6.1)
This is a particular HTTP access in which the following options are automatically enabled for compatibility with OWA:
=> Activation of the white list with the following URLs:
schemas.microsoft.com/*
www.w3.org/TR/*
These URLs won't be rewritten by the SSL VPN module.
=> Disable the Negotiate and NTLM authentication methods: some web servers may request authentication before the transfer of data between the server and the user. This method can be disabled for servers that do not support it for traffic passing through the IPS-Firewall. By doing so, the user will no longer be able to select this method for authentication on the remote web server.
NETASQ SSL VPN WEB mode
You may need to enable this option (NTLM) with a server other than an OWA.

WEB mode and interaction with the ASQ plugin: you have to enable « Webdav » in the options of the HTTP plugin (it is not enabled automatically).
NETASQ SSL VPN FULL mode
Example of a client connecting to a mail server through the SSL VPN (figure)
NETASQ SSL VPN
FULL SSL VPN configuration screen (figure)
NETASQ SSL VPN FULL mode
Mechanisms:
=> The authenticated user launches a Java applet from the portal
=> The TCP connection is encapsulated in an SSL connection between the Java applet and the IPS-Firewall
=> The user's application has to connect to the local socket opened by the Java applet (loopback)
=> The local socket is closed when the Java applet is closed
NETASQ SSL VPN FULL mode
=> The client application has to be reconfigured to initiate the connection to the loopback interface on the listening port.
=> Only useful for single-stream connections (not for FTP, ...)
NETASQ SSL VPN FULL mode
How to avoid client reconfiguration:
=> Using split DNS: use an external DNS registration of the server name configured with the IP address 127.0.0.1.
Example: configuration for a mail client (figure)
However, you can't change the application port, and you need high privileges to bind a port below 1024.
NETASQ SSL VPN FULL mode
=> By executing a script while the applet loads. The script could, for example, replace the hosts file of the workstation to redirect the server FQDN to the loopback. The users just need to click on « launch » on the web portal to execute the application.
Examples of scripts:
• mstsc.exe /v 127.0.0.1:3389 /f : launch a terminal server session in full screen
• putty admin@127.0.0.1 -pw adminadmin : launch an SSH putty terminal
The script is stored in the configuration file only base64-encoded (see the Script field of the FULL server section), so a password passed on the command line, as in the putty example, is readable by anyone who can read that file.
NETASQ SSL VPN
(figure)
NETASQ SSL VPN SSL Profiles
The concept of profiles makes it possible to determine which users have access to which servers configured in the SSL VPN module.
SSL VPN profiles are supported since version 6.2.3 with an external Active Directory database.
You can configure the "SSL profile" in the user profile (Access tab).
You can also configure a default profile for the users who have none configured in their user profile.
NETASQ SSL VPN Interaction with the authentication (authd)
Two options of the authentication can change the behavior of the SSL VPN module:
=> Use DNS Resolution: if this option is enabled, all the URLs will be rewritten using the CN of the certificate (the serial number of the IPS-Firewall with the default certificate), and not the IP. The clients then need to resolve the serial number of the Firewall to its IP address.
=> Cookies: if you don't use them, a second client behind the same translation (NAT) gets access to the SSL VPN resources of the first client that authenticated.
NETASQ SSL VPN Configuration File
=> Location: /Firewall/ConfigFiles/xvpn
=> Section description:
1 general section named [Config]
1 section for each defined server
=> Use the command enxvpn to reload the configuration
NETASQ SSL VPN Configuration File
Config section:
[Config]
State=1
XserverState=1
HttpServerState=1
Verbose=1
Verbosefile=/tmp/xvpn.debug
XvpnId=                (name of the default profile)
ProfileAccess=Pass
XserverStartScript=c3RhcnQgInZwbnNzbCBzaGVsbCIgZWNobyAiIlN0YXJ0aW5nIFNTTCBWUE4iIg==
XserverEndScript=
HttpRewriteURL=
HttpHeaderLoginTag=
CheckClientCert=0
BasicAuth=1            (disables the NTLM method)
OwaCompatibility=0     (rewrites the User-Agent)
NETASQ SSL VPN Configuration File
HTTP server section:
[HttpServer_Intranet]
Name=Intranet
Host=intranet.netasq.com
Port=http
URL=
Hidden=1
Link=intranet
WhiteListUrls=
Idx=1                  (server identification number, defines the servers' order)
Alias=
NETASQ SSL VPN Configuration File
FULL server section:
[Xserver_SSH]
Name=SSH
Host=SSh_Server
Port=ssh
Chost=127.0.0.1
Cport=22
Script=cHV0dHkgYWRtaW5AMTI3LjAuMC4xIC1wdyBhZG1pbmFkbWlu   (script command encoded in base64)
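An added Python example (not NETASQ tooling) that reads the three section types shown above, decodes the base64 script fields, and flags launch scripts that carry a password on their command line. The config text is a constructed excerpt assembled from the slides; the password-switch pattern is an assumption.

```python
import base64
import configparser
import re

# Constructed excerpt of /Firewall/ConfigFiles/xvpn, built from the sections on the slides.
XVPN_CONFIG = """\
[Config]
State=1
Verbose=1
Verbosefile=/tmp/xvpn.debug
XserverStartScript=c3RhcnQgInZwbnNzbCBzaGVsbCIgZWNobyAiIlN0YXJ0aW5nIFNTTCBWUE4iIg==
BasicAuth=1

[HttpServer_Intranet]
Name=Intranet
Host=intranet.netasq.com
Port=http
Idx=1

[Xserver_SSH]
Name=SSH
Host=SSh_Server
Port=ssh
Chost=127.0.0.1
Cport=22
Script=cHV0dHkgYWRtaW5AMTI3LjAuMC4xIC1wdyBhZG1pbmFkbWlu
"""

SCRIPT_KEYS = ("XserverStartScript", "XserverEndScript", "Script")
# Assumed pattern: command-line password switches worth flagging in launch scripts.
CREDENTIAL_RE = re.compile(r"(^|\s)-(pw|p|password)\s+\S+")

def parse_xvpn(text):
    """Parse the INI-style file and decode every base64 script field in place."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case as written (Chost, Cport, ...)
    cp.read_string(text)
    result = {}
    for section in cp.sections():
        entries = dict(cp[section])
        for key in SCRIPT_KEYS:
            if entries.get(key):    # scripts are only base64-encoded, not encrypted
                entries[key] = base64.b64decode(entries[key]).decode("utf-8")
        result[section] = entries
    return result

def full_servers(cfg):
    """Sections describing FULL-mode servers ([Xserver_...])."""
    return {s: e for s, e in cfg.items() if s.startswith("Xserver_")}

def scripts_with_credentials(cfg):
    """Sections whose decoded launch script passes a password on the command line."""
    return sorted({s for s, e in cfg.items()
                   for k in SCRIPT_KEYS if CREDENTIAL_RE.search(e.get(k, ""))})
```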
NETASQ SSL VPN LDAP Attributes
User entry: NetasqAllowed-Access and NetasqAllowed-xvpn (figure)
NETASQ SSL VPN LDAP Attributes
Profile entry (figure)
Analysis of SSL VPN problems For WEB and FULL mode
=> Check the alarms
=> Check the logs (XVPND and System)
=> XVPND debug and AUTHD debug (described below). The authd debug in particular provides information about the authenticated users, their profile, ...
Debug activation: tokens Verbose=0/1 for xvpnd, Verbose=all for authd, and VerboseFile=/tmp/*.debug in the configuration file. The command xvpnd -d or authd -d starts or stops the debug.
Analysis of SSL VPN problems
Some extracts of XVPND debug:
2007-01-25 09:09:36 xvpn_add_user_htable : (faridi) is authorized to access xvpnd
2007-01-25 09:09:36 xvpn_add_user_htable : profile for (faridi) is (ALL)
2007-01-25 09:09:36 xvpn_add_user_htable : ldap_err = 0
...
2007-01-25 09:09:36 Client come from internal IF
2007-01-25 09:09:36 User (faridi) from (10.1.34.9) authorized to access (ad.netasq.com)
2007-01-25 09:09:36 Connect to (10.1.15.200 )
...
click here to be redirected to intranet
2007-01-25 09:09:36 (HTTP HEADER) : Date: Thu, 25 Jan 2007 09:10:23 GMT
2007-01-25 09:09:36 (HTTP HEADER) : Content-Type: text/html
2007-01-25 09:09:36 (HTTP HEADER) : Accept-Ranges: bytes
2007-01-25 09:09:36 (HTTP HEADER) : Last-Modified: Tue, 23 Jan 2007 13:25:01 GMT
2007-01-25 09:09:36 (HTTP HEADER) : ETag: "8021a4e2f13ec71:aa7"
2007-01-25 09:09:36 (HTTP HEADER) : Content-Length: 276
2007-01-25 09:09:36 10.1.15.200:81 : not an alias
Analysis of SSL VPN problems For WEB and FULL mode
Some extracts of XVPND debug:
2007-01-25 09:09:36 AD not use whitelist
2007-01-25 09:09:36 intranet.netasq.com:80 : not an alias
2007-01-25 09:09:36 AD not use whitelist
...
2007-01-25 09:17:51 xvpn_add_user_htable : (faridi) is authorized to access xvpnd
2007-01-25 09:17:51 xvpn_add_user_htable : profile for (faridi) is (ALL)
2007-01-25 09:17:51 xvpn_add_user_htable : ldap_err = 0
2007-01-25 09:17:51 xvpn_add_user_htable : add user (faridi), addr (153223434), if_type (1) time (241123), password (-492659823), XvpnTemplateIdx (0) , in htable
2007-01-25 09:17:51 Add (faridi) on htable
...
2007-01-25 09:17:51 (faridi) authorized to access (SSH)
2007-01-25 09:17:51 Connect to (Name=SSH) (Ip=10.1.15.62) (Port=22)
2007-01-25 09:17:51 xvpnd_redirect success
Analysis of SSL VPN problems For WEB and FULL mode
Some extracts of AUTHD debug:
(XPNVS)(fd=41):user=faridi,xvpn_right=YES,template=ALL
(XVPNS)(fd=41):XVPNS=>config(0)(name) =AD
(XVPNS)(fd=41):XVPNS=>config(0)(host) =ad.netasq.com
(XVPNS)(fd=41):XVPNS=>config(0)(url) =
(XVPNS)(fd=41):XVPNS=>config(0)(link) =AD
(XVPNS)(fd=41):XVPNS=>config(0)(addr) =-938540790
(XVPNS)(fd=41):XVPNS=>config(0)(port) =11224
(XVPNS)(fd=41):XVPNS=>config(0)(cport) =80
(XVPNS)(fd=41):XVPNS=>config(0)(idx) =2
(XVPNS)(fd=41):XVPNS=>config(0)(hidden)=0
...
(XPNVC)(fd=41):user=faridi,xvpn_right=YES,template=ALL
(XVPNC)(fd=41):XVPNC=>config(0)(name) =SSH
(XVPNC)(fd=41):XVPNC=>config(0)(host) =SshLaurentG
Analysis of SSL VPN problems For WEB and FULL mode
(XVPNC)(fd=41):XVPNC=>config(0)(lhost) =127.0.0.1
(XVPNC)(fd=41):XVPNC=>config(0)(addr) =1041170698
(XVPNC)(fd=41):XVPNC=>config(0)(port) =22
(XVPNC)(fd=41):XVPNC=>config(0)(cport) =22
...
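An added Python example (not NETASQ tooling) that turns the AUTHD debug extracts above into per-session records, one server entry per config block, with the addr fields decoded to dotted IPs. Reading addr as a little-endian signed 32-bit integer is an inference: it reproduces the IPs printed in the XVPND extracts (10.1.15.200 for AD, 10.1.15.62 for SSH, and 10.1.34.9 for the user's addr (153223434)), but the format is not documented on these slides. The sample lines are a constructed subset of the extracts.

```python
import re
import struct

# Constructed sample: a subset of the AUTHD debug lines shown on the slides.
AUTHD_DEBUG = """\
(XPNVS)(fd=41):user=faridi,xvpn_right=YES,template=ALL
(XVPNS)(fd=41):XVPNS=>config(0)(name) =AD
(XVPNS)(fd=41):XVPNS=>config(0)(host) =ad.netasq.com
(XVPNS)(fd=41):XVPNS=>config(0)(addr) =-938540790
(XVPNS)(fd=41):XVPNS=>config(0)(port) =11224
(XVPNS)(fd=41):XVPNS=>config(0)(cport) =80
(XPNVC)(fd=41):user=faridi,xvpn_right=YES,template=ALL
(XVPNC)(fd=41):XVPNC=>config(0)(name) =SSH
(XVPNC)(fd=41):XVPNC=>config(0)(host) =SshLaurentG
(XVPNC)(fd=41):XVPNC=>config(0)(lhost) =127.0.0.1
(XVPNC)(fd=41):XVPNC=>config(0)(addr) =1041170698
(XVPNC)(fd=41):XVPNC=>config(0)(port) =22
(XVPNC)(fd=41):XVPNC=>config(0)(cport) =22
"""

USER_RE = re.compile(r"\(fd=(\d+)\):user=(\w+),xvpn_right=(\w+),template=(\w+)")
CONF_RE = re.compile(r"\((XVPNS|XVPNC)\)\(fd=(\d+)\):\w+=>config\((\d+)\)\((\w+)\)\s*=(.*)")

def addr_to_ip(value):
    """Dotted form of an 'addr' field, read as little-endian signed 32-bit (inferred)."""
    return ".".join(str(b) for b in struct.pack("<i", int(value)))

def parse_authd(text):
    """Return {fd: {"user", "right", "template", "servers": [{...}, ...]}}."""
    sessions = {}
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            fd, user, right, tpl = m.groups()
            sessions.setdefault(fd, {"servers": []}).update(user=user, right=right, template=tpl)
            continue
        m = CONF_RE.search(line)
        if not m:
            continue
        kind, fd, _idx, key, val = m.groups()
        servers = sessions.setdefault(fd, {"servers": []})["servers"]
        if key == "name":                       # each server block starts with its name
            servers.append({"mode": "WEB" if kind == "XVPNS" else "FULL", "name": val})
        elif not servers:
            continue                            # field before any name: ignore
        elif key == "addr":
            servers[-1]["ip"] = addr_to_ip(val)
        else:
            servers[-1][key] = val
    return sessions
```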
Analysis of SSL VPN problems For WEB and FULL mode
Check the implicit rules for the SSL VPN module:
=> Port 11220/TCP is used for the FULL access
=> Ports 11222/TCP, 11223/TCP, ... are used for the WEB access
SSL VPN implicit rules on internal interfaces (with the command sfctl -s filter; the leading counter columns are omitted here):
pass on dmz2 proto tcp from any@any to dynamic 0.0.0.0 port 11222
pass on dmz2 proto tcp from any@any to dynamic 0.0.0.0 port 11223
pass on dmz1 proto tcp from any@any to dynamic 0.0.0.0 port 11222
pass on dmz1 proto tcp from any@any to dynamic 0.0.0.0 port 11223
pass on in proto tcp from any@any to dynamic 0.0.0.0 port 11222
pass on in proto tcp from any@any to dynamic 0.0.0.0 port 11223
skip 3 proto tcp from any to any port 11220
pass on dmz2 proto tcp from any@any to dynamic 0.0.0.0 port 11220
pass on dmz1 proto tcp from any@any to dynamic 0.0.0.0 port 11220
pass on in proto tcp from any@any to dynamic 0.0.0.0 port 11220
Analysis of SSL VPN problems For WEB and FULL mode
dstat: shows whether the daemon is running
xvpnd : /var/supervise/xvpnd: up (pid 4259) 70172 seconds
If the LDAP database is not reachable, xvpnd will not run correctly.
The netstat command shows whether the daemon is listening on the ports:
netstat -an | grep LIST
tcp4 0 0 *.1200  *.* LISTEN
tcp4 0 0 *.443   *.* LISTEN
tcp4 0 0 *.11223 *.* LISTEN   -> 2nd web server
tcp4 0 0 *.11222 *.* LISTEN   -> 1st web server
tcp4 0 0 *.11220 *.* LISTEN   -> full access
...
tcpdump: to verify that the traffic is not blocked between the IPS-Firewall and the clients (ports 11220, 11222, ...)
Analysis of SSL VPN problems For WEB
If you have a problem with a specific URL or a specific page: an interesting test is to access the web server through the IPS-Firewall but not through the SSL VPN and, at the same time, through the SSL VPN module, to be able to compare the real links and the rewritten links.
With Mozilla Firefox, you can use the extension 'Live HTTP Headers' to see the HTTP headers in real time. With two Firefox tabs (one through the SSL VPN and one through the NAT), you can compare the real and rewritten links.
With the WEB mode, be aware of all technologies that exchange information such as IP addresses in the application layer: for example Java applets.
Analysis of SSL VPN problems For WEB
For example, you have configured an SSL VPN web access to connect to the FQDN intranet.myfirm.com. There is a redirection to an external link: http://www.osvdb.org/13152
Through the SSL VPN module, the URL becomes: https://10.1.34.200:11222/netasq0065/13152
A tag with the number « netasq0065 » indicates there is an error with the link. If you click on the link, you will see a new page with the message: « You tried to access a web page which has not been authorized by your administrator »
Generally, either this is a link redirecting to an external site whose URL is not configured in the white list, OR the link contains an alias of the server that is not configured in the SSL VPN configuration.
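The rewriting rules from the WEB mode slides (one port and path tag per configured server, server aliases, white list, DNS Resolution) and the unauthorized-link case just described, modelled as an added Python example; this is not NETASQ code. The server list, the alias values, and the use of netasq0065 as the "not authorized" tag are constructed from the examples on the slides; the real module's exact index assignment is not documented here.

```python
from urllib.parse import urlsplit, urlunsplit

FW_IP = "10.1.34.200"      # firewall address used on the slides
FW_SERIAL = "F200XA105410400601"   # serial number shown in the Java console extract
BASE_PORT = 11222          # first web access listens here, the next one on 11223, ...
TAG = "netasq"             # rewrite URL tag; the n-th server gets /<tag><n as 4 digits>/
ERROR_TAG = "netasq0065"   # constructed: tag given to links the module cannot authorize

# Constructed server list: Host must match the link's host[:port] exactly, otherwise
# an alias is needed (this mirrors the "intranet.myfirm.com:80" known problem).
SERVERS = [
    {"host": "intranet.myfirm.com", "alias": {"192.168.1.1", "intranet.myfirm.com:80"}},
    {"host": "webmail.intranet.com", "alias": set()},
]
WHITELIST = ("schemas.microsoft.com/", "www.w3.org/TR/")   # prefixes never rewritten

def find_server(netloc):
    """Index of the configured server whose Host or alias equals host[:port], or None."""
    for n, srv in enumerate(SERVERS):
        if netloc == srv["host"] or netloc in srv["alias"]:
            return n
    return None

def rewrite(url, use_dns_resolution=False):
    """Rewrite an absolute HTTP link the way the WEB mode slides describe."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url                       # only HTTP links are handled by the WEB mode
    if any((parts.netloc + parts.path).startswith(w) for w in WHITELIST):
        return url                       # white-listed URL: left untouched
    fw_host = FW_SERIAL if use_dns_resolution else FW_IP
    n = find_server(parts.netloc)
    if n is None:
        # Neither a configured server/alias nor white-listed: the portal answers such
        # links with the "not authorized by your administrator" page.
        return urlunsplit(("https", f"{fw_host}:{BASE_PORT}",
                           f"/{ERROR_TAG}{parts.path}", parts.query, parts.fragment))
    return urlunsplit(("https", f"{fw_host}:{BASE_PORT + n}",
                       f"/{TAG}{n:04d}{parts.path}", parts.query, parts.fragment))
```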
Analysis of SSL VPN problems For FULL
=> The Java applet on the portal displays the error message "WARNING: Connection on 127.0.0.1:cport failed !!"
Generally, the Java applet can't bind the configured listening port because it is already used by another application or because the user doesn't have enough privileges (ports
=> The Java applet on the portal doesn't display any error message but the client application is unable to connect to the server. Check the Java debug console. For example, if you use the option « DNS Resolution » and your client can't resolve the FQDN (the serial number by default), you can see such an error message in the Java console:
Analysis of SSL VPN problems For FULL
new ServerSocket on 127.0.0.1:22
new ServerSocket on 127.0.0.1:33389
Your OS is : WINDOWS XP (WINDOWS XP)
executed command : start "vpnssl shell" echo ""Starting SSL VPN""
Your OS is : WINDOWS XP (WINDOWS XP)
executed command : putty admin@127.0.0.1 -pw adminadmin
Socket error.
java.net.UnknownHostException: F200XA105410400601
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at netasq.connection.FirewallSocket.<init>(Unknown Source)
        at netasq.connection.SRPClient.authentication(Unknown Source)
Important points and known problems
=> The object name of the server configured in the WEB access must be the FQDN of the web server.
=> The FTP protocol, because of its double connection (a control connection and a data connection using unpredictable ephemeral ports), is not supported through the SSL VPN. The same goes for all protocols using this kind of mechanism, such as H323, MGCP...
=> Applications using the UDP protocol are not possible through the SSL VPN.
=> The native RDP client of Windows XP can't connect to the loopback interface. You have to use the version 5.1.2600.2180 provided with SP2.
=> Same listening port on two different FULL accesses: possible if both servers are not in the same profile.
=> Private IP address on the Firewall external interface: the links will be rewritten using the private IP. You have to use the option "Use DNS Resolution".
Important points and known problems
=> For the XVPND Verbose token, you have to use 1/0 and not on/off.
=> If the web server contains the following link: http://intranet.myfirm.com:80, the alias « intranet.myfirm.com:80 » has to be configured.
=> Case of clients translated behind a router on which ports 11220, 11222, ... are filtered.
=> It is not possible to configure a default profile using an external LDAP database (Active Directory).