NETASQ Technical Support Training SSL VPN

NETASQ Technical Support Training Session 4

SSL VPN

© NETASQ 2006

NETASQ – CORPORATE PRESENTATION


Summary
• Interests and Prerequisites
• NETASQ SSL VPN
• Analysis of SSL VPN problems
• Important points and known problems


Interests and Prerequisites

Interests
• No intervention required on the customer's client workstations: only a browser is needed
• No licence to purchase for each client
• SSL encryption of the traffic between the client and the IPS-Firewall
• Centralization of the applications: all servers are published on one portal


Prerequisites
• To configure the SSL VPN, you need to configure an LDAP base
• To use the SSL VPN, the user must be authenticated
• The SSL VPN right must be granted to the users


NETASQ SSL VPN

There are two modes:
• WEB for HTTP connections
• FULL for the other TCP connections


NETASQ SSL VPN WEB mode

The WEB mode gives access to HTTP servers.
Mechanism:
=> Traffic up to the IPS-Firewall is encapsulated in SSL.


NETASQ SSL VPN WEB mode

Example of a client connecting to an Intranet through the SSL VPN (figure)

NETASQ SSL VPN WEB mode
=> Two connections: a first one between the client and the IPS-Firewall (SSL), and a second one between the IPS-Firewall and the web server (HTTP).
=> For the first web server the Firewall listens on port 11222, for the second on port 11223, and so on.
URLs on the portal in the case of several web servers:
  first:  https://10.1.34.200:11222/netasq0000/
  second: https://10.1.34.200:11223/netasq0001/
  ...


NETASQ SSL VPN WEB mode
=> URLs are rewritten by the SSL module. For example:
  http://intranet.myfirm.com/page.php?P=static/accueil/&Action=Connect
becomes in the browser
  https://"FW-IP":11222/rhs0000/page.php?P=static/accueil/&Action=Connect
or, if the option "Use DNS Resolution" is enabled,
  https://"FW-SN":11222/rhs0000/page.php?P=static/accueil/&Action=Connect
(FW-IP: IP address of the Firewall; FW-SN: its serial number, the CN of the default certificate)


NETASQ SSL VPN WEB mode
Some configuration options:
=> Rewrite URL tag: by default https://10.1.34.200:11222/rhs0000/
   example with the tag "netasq": https://10.1.34.200:11222/netasq0000/
=> HTTP header tag for login: the login of the authenticated user is added to the client request as a header whose name is the tag, for example with the tag "Tag":
   GET / HTTP/1.0
   Host: intranet.netasq.com
   User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
   ...
   Tag: faridi


NETASQ SSL VPN WEB mode
=> Server: make sure you use an object whose name is identical to the FQDN of the server it refers to. If this is not the case, the IPS-Firewall's queries to this server may be refused.
=> Server alias list: this option tells the SSL VPN module that the server is known by several names and/or IP addresses. Example with webmail.intranet.com: if a link does not refer to this FQDN but to the IP (http://192.168.1.1/...), you need to configure the IP as an alias of the server so that the SSL module rewrites the URLs correctly.
=> Activate white list: list of URLs that must not be rewritten by the SSL VPN module.
=> Hide server from portal: all servers configured in the SSL VPN module are listed on the web portal. It may however be necessary for some servers to be reachable only from another one, without being displayed on the portal.


NETASQ SSL VPN WEB mode
OWA, a specific HTTP access (since version 6.1): a particular HTTP access in which the following options are enabled automatically for compatibility with OWA:
=> Activation of the white list with the following URLs, which will not be rewritten by the SSL VPN module:
   schemas.microsoft.com/*
   www.w3.org/TR/*
=> Disable the Negotiate and NTLM authentication methods: some web servers may request authentication before transferring data to the user. These methods can be disabled for servers that do not support them for traffic passing through the IPS-Firewall. By doing so, the user will no longer be able to select them to authenticate on the remote web server.
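An added example, not code from the slides or from the NETASQ module, that models in Python the WEB-mode rewriting rules described above: one listener port and one tag per configured server, the exact-match alias list, the white list, and the error tag substituted for a link the module does not know (the netasq0065 case shown in the troubleshooting section). The firewall address 10.1.34.200, the tag "netasq" and the error index 65 are taken from the slides; the class and function names, the regular expression over href/src/action attributes and the two sample servers are assumptions made for the example. Exact string matching of host:port reflects the known problem that a link to intranet.myfirm.com:80 needs that string as an alias.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatch
from urllib.parse import urlsplit, urlunsplit

# Values taken from the slides; the module's internals are not on the page, so this is a model.
FW_ADDR = "10.1.34.200"   # IPS-Firewall address (its serial number if "Use DNS Resolution" is on)
FIRST_PORT = 11222        # first WEB-mode listener; the n-th configured server gets FIRST_PORT + n
URL_TAG = "netasq"        # "Rewrite URL tag"; the product default is "rhs"
ERROR_IDX = 65            # index shown on the slide for links the portal refuses (netasq0065)


@dataclass
class WebServer:
    name: str
    host: str                                      # object name == FQDN of the server
    aliases: set = field(default_factory=set)      # other name[:port] / IP[:port] forms of the server
    whitelist: list = field(default_factory=list)  # "host/path*" globs that must not be rewritten


class Rewriter:
    def __init__(self, servers):
        self.servers = list(servers)
        # Port and tag follow the server's position in the configuration (Idx on the slides).
        self.port = {s.name: FIRST_PORT + i for i, s in enumerate(self.servers)}
        self.tag = {s.name: f"{URL_TAG}{i:04d}" for i, s in enumerate(self.servers)}

    def target(self, netloc):
        """Configured server whose host or alias equals netloc. Exact match, as in the product:
        a link to 'intranet.myfirm.com:80' needs that string as an alias."""
        netloc = netloc.lower()
        for s in self.servers:
            if netloc == s.host.lower() or netloc in {a.lower() for a in s.aliases}:
                return s
        return None

    def rewrite(self, url, via):
        """Rewrite one URL found in a page that was served through the server `via`."""
        p = urlsplit(url)
        if p.scheme not in ("http", "https") or not p.netloc:
            return url  # relative links resolve against the tagged base, nothing to do
        if any(fnmatch(p.netloc + p.path, pat) for pat in via.whitelist):
            return url  # white-listed, e.g. schemas.microsoft.com/* for OWA
        dest = self.target(p.netloc)
        if dest is None:
            # Unknown host (external site, or an alias nobody configured): keep the current
            # listener and substitute the error tag; following it gives the "not authorized" page.
            port, tag = self.port[via.name], f"{URL_TAG}{ERROR_IDX:04d}"
        else:
            port, tag = self.port[dest.name], self.tag[dest.name]
        return urlunsplit(("https", f"{FW_ADDR}:{port}", f"/{tag}{p.path or '/'}", p.query, p.fragment))

    _ATTR = re.compile(r"""(href|src|action)=(["'])(.*?)\2""", re.I)

    def rewrite_html(self, html, via):
        """Rewrite href/src/action attributes in an HTML fragment."""
        return self._ATTR.sub(
            lambda m: f"{m.group(1)}={m.group(2)}{self.rewrite(m.group(3), via)}{m.group(2)}", html)


# Constructed sample: the two servers used on the slides, with the OWA white list on the second.
INTRANET = WebServer("Intranet", "intranet.myfirm.com", aliases={"192.168.1.1"})
WEBMAIL = WebServer("Webmail", "webmail.intranet.com",
                    whitelist=["schemas.microsoft.com/*", "www.w3.org/TR/*"])
REWRITER = Rewriter([INTRANET, WEBMAIL])

if __name__ == "__main__":
    for link in ("http://intranet.myfirm.com/page.php?P=static/accueil/&Action=Connect",
                 "http://192.168.1.1/index.html",
                 "http://intranet.myfirm.com:80/index.html",   # error tag until the alias is added
                 "http://webmail.intranet.com/owa/",
                 "http://www.osvdb.org/13152"):
        print(link, "->", REWRITER.rewrite(link, INTRANET))
```

Running it shows the link to webmail moving to the second listener (11223, netasq0001), the IP alias being recognised, and both the external link and the explicit :80 form receiving the error tag on the current listener until an alias or white-list entry covers them.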


NETASQ SSL VPN WEB mode
You may need to enable this option (disabling NTLM) for servers other than OWA.

WEB mode and interaction with the ASQ plugin: you have to enable "Webdav" in the options of the HTTP plugin (it is not enabled automatically).


NETASQ SSL VPN FULL mode

Example of a client connecting to a mail server through the SSL VPN (figure)

NETASQ SSL VPN FULL mode

FULL SSL VPN configuration screen (figure)

NETASQ SSL VPN FULL mode
Mechanism:
=> The authenticated user launches a Java applet from the portal.
=> The TCP connection is encapsulated in an SSL connection between the Java applet and the IPS-Firewall.
=> The user's application has to connect to the local socket opened by the Java applet (loopback).
=> The local socket is closed when the Java applet is closed.


NETASQ SSL VPN FULL mode
=> The client application has to be reconfigured to connect to the loopback interface on the listening port.
=> Only usable for single-stream connections (not for FTP, ...).


NETASQ SSL VPN FULL mode
How to avoid reconfiguring the client:
=> Using split DNS: use an external DNS record for the server's FQDN that resolves to 127.0.0.1.
   Example: configuration for a mail client (figure).
   However, you cannot change the application's port this way, and high privileges are needed to bind a port below 1024.


NETASQ SSL VPN FULL mode
=> By executing a script when the applet loads: the script could, for example, replace the workstation's hosts file to redirect the server's FQDN to the loopback. The user then just has to click "Launch" on the web portal to execute the application.
Examples of scripts:
• mstsc.exe /v 127.0.0.1:3389 /f : launch a Terminal Server session in full screen
• putty admin@127.0.0.1 -pw adminadmin : launch a PuTTY SSH terminal (note that a password given on the command line is visible to other users of the workstation in the process list)
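An added example, not the Java applet's code, showing in Python what the applet does on the workstation: bind 127.0.0.1:Cport, accept the user's application, and relay each connection to the firewall over an encrypted channel. The firewall address is assumed; 11220/TCP is the FULL-mode port given on the slides. Plain TLS stands in for the applet's own authenticated channel (the SRPClient seen in the Java console), which the page does not document. An echo server stands in for the firewall so the relay runs offline, and start_forwarder() reports a bind failure in the wording of the applet's warning from the troubleshooting section.

```python
import socket
import ssl
import threading

# Assumed firewall address (not on the page); 11220/TCP is the FULL-mode port given on the slides.
FW_ADDR = "10.1.34.200"
FW_PORT = 11220


def tls_to_firewall(server_name=FW_ADDR):
    """Encrypted leg workstation -> IPS-Firewall:11220 (plain TLS stands in for the applet's SRP channel)."""
    def connect():
        ctx = ssl.create_default_context()   # verifies the firewall certificate against the system CAs
        raw = socket.create_connection((FW_ADDR, FW_PORT), timeout=10)
        return ctx.wrap_socket(raw, server_hostname=server_name)
    return connect


def plain_to(addr):
    """Unencrypted upstream factory, used only by the offline demo in place of tls_to_firewall()."""
    return lambda: socket.create_connection(addr, timeout=5)


def _pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackForwarder:
    """Listen on 127.0.0.1:cport as the applet does and relay each client to connect_upstream()."""

    def __init__(self, cport, connect_upstream, lhost="127.0.0.1"):
        self.lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.lsock.bind((lhost, cport))  # OSError if the port is taken, or below 1024 without privileges
        self.lsock.listen(5)
        self.port = self.lsock.getsockname()[1]
        self.connect_upstream = connect_upstream
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.lsock.accept()
            except OSError:
                return  # listener closed: the local socket goes away with the applet
            try:
                upstream = self.connect_upstream()
            except OSError:
                client.close()  # firewall unreachable: filtered 11220, unresolvable name, ...
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def start_forwarder(cport, connect_upstream):
    """Return (forwarder, None), or (None, message) worded like the applet's own warning."""
    try:
        return LoopbackForwarder(cport, connect_upstream), None
    except OSError as exc:
        return None, f"WARNING: Connection on 127.0.0.1:{cport} failed !! ({exc.strerror})"


def start_echo_server():
    """Stand-in for a server behind the firewall (offline demo): returns whatever it receives."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()


def round_trip(port, payload):
    """Connect to the loopback listener as the user's application would and return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        return s.recv(65536)


if __name__ == "__main__":
    echo_addr = start_echo_server()
    fwd, err = start_forwarder(0, plain_to(echo_addr))  # cport 0 = any free port, for the demo only
    print(err or f"127.0.0.1:{fwd.port} -> reply {round_trip(fwd.port, b'SSH-2.0-demo')!r}")
```

Against a real firewall the call would be start_forwarder(22, tls_to_firewall()) followed by the PuTTY command above; binding port 22 needs the same privileges the applet needs, and a second forwarder on the same port gets the bind error, which is the first failure case listed in the FULL-mode troubleshooting.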



NETASQ SSL VPN SSL profiles
Profiles determine which users have access to which servers configured in the SSL VPN module. SSL VPN profiles are supported since version 6.2.3 with an external Active Directory database. You configure the "SSL profile" in the user profile (Access tab). You can also configure a default profile for the users who have none configured in their user profile.


NETASQ SSL VPN Interaction with the authentication daemon (authd)
Two authentication options change the behaviour of the SSL VPN module:
Use DNS Resolution: if this option is enabled, all URLs are rewritten using the CN of the certificate (the serial number of the IPS-Firewall with the default certificate) instead of the IP address. The clients must then be able to resolve the serial number of the Firewall to its IP address.
Cookies: if they are not used, a second client behind the same address translation (same source IP seen by the Firewall) gets access to the SSL VPN resources of the first client who authenticated.


NETASQ SSL VPN Configuration file
=> Location: /Firewall/ConfigFiles/xvpn
=> Sections: one general section named [Config], then one section for each defined server
=> Use the command enxvpn to reload the configuration


NETASQ SSL VPN Configuration file: Config section
[Config]
State=1
XserverState=1
HttpServerState=1
Verbose=1
Verbosefile=/tmp/xvpn.debug
XvpnId=                 (name of the default profile)
ProfileAccess=Pass
XserverStartScript=c3RhcnQgInZwbnNzbCBzaGVsbCIgZWNobyAiIlN0YXJ0aW5nIFNTTCBWUE4iIg==
XserverEndScript=
HttpRewriteURL=
HttpHeaderLoginTag=
CheckClientCert=0
BasicAuth=1             (disables the NTLM method)
OwaCompatibility=0      (rewrites the User-Agent)


NETASQ SSL VPN Configuration file: HTTP server section
[HttpServer_Intranet]
Name=Intranet
Host=intranet.netasq.com
Port=http
URL=
Hidden=1
Link=intranet
WhiteListUrls=
Idx=1                   (server identification number, defines the servers' order)
Alias=


NETASQ SSL VPN Configuration file: FULL server section
[Xserver_SSH]
Name=SSH
Host=SSh_Server
Port=ssh
Chost=127.0.0.1
Cport=22
Script=cHV0dHkgYWRtaW5AMTI3LjAuMC4xIC1wdyBhZG1pbmFkbWlu
(script command encoded in base64; here: putty admin@127.0.0.1 -pw adminadmin)
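As an added example (not a NETASQ tool), the following Python parses a configuration in the layout of the three sections above, decodes the base64 script fields, and flags the pitfalls this training calls out: a Verbose token written on/off instead of 1/0, a WEB server whose object name is not an FQDN, two FULL servers sharing a listener (allowed only when the servers are in different profiles), plus two settings a reviewer would want to see (CheckClientCert=0, BasicAuth=1) and a script that passes a password on its command line. The sample file is constructed from the slides; the second FULL server (TSE) and all host names are invented, and the product's own validation of the file is not documented on the page.

```python
import base64
import configparser

# Constructed sample in the layout of /Firewall/ConfigFiles/xvpn as shown on the slides.
# Not a real file from the product: host names and the TSE server are invented.
SAMPLE_XVPN = """\
[Config]
State=1
XserverState=1
HttpServerState=1
Verbose=1
Verbosefile=/tmp/xvpn.debug
XvpnId=
ProfileAccess=Pass
XserverStartScript=c3RhcnQgInZwbnNzbCBzaGVsbCIgZWNobyAiIlN0YXJ0aW5nIFNTTCBWUE4iIg==
XserverEndScript=
HttpRewriteURL=
HttpHeaderLoginTag=
CheckClientCert=0
BasicAuth=1
OwaCompatibility=0

[HttpServer_Intranet]
Name=Intranet
Host=intranet.netasq.com
Port=http
URL=
Hidden=1
Link=intranet
WhiteListUrls=
Idx=1
Alias=

[Xserver_SSH]
Name=SSH
Host=SSH_Server
Port=ssh
Chost=127.0.0.1
Cport=22
Script=cHV0dHkgYWRtaW5AMTI3LjAuMC4xIC1wdyBhZG1pbmFkbWlu

[Xserver_TSE]
Name=TSE
Host=TS_Server
Port=3389
Chost=127.0.0.1
Cport=3389
Script=bXN0c2MuZXhlIC92IDEyNy4wLjAuMTozMzg5IC9m
"""


def parse_xvpn(text):
    """Parse the INI-style file; keys keep their case so they read like the slides."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def decode_script(value):
    """Script fields are base64; an empty field means no script."""
    return base64.b64decode(value).decode("utf-8", "replace") if value else ""


def servers(cp):
    """(section, mode, host, listener, decoded script) for every server section, in file order."""
    out = []
    for name in cp.sections():
        s = cp[name]
        if name.startswith("HttpServer_"):
            out.append((name, "WEB", s.get("Host"), f"Idx={s.get('Idx')}", ""))
        elif name.startswith("Xserver_"):
            listener = f"{s.get('Chost', '127.0.0.1')}:{s.get('Cport')}"
            out.append((name, "FULL", s.get("Host"), listener, decode_script(s.get("Script", ""))))
    return out


def lint(cp):
    """Flag the settings the slides call out as pitfalls, plus the security-relevant ones."""
    findings = []
    cfg = cp["Config"]
    if cfg.get("Verbose", "0").lower() in ("on", "off"):
        findings.append("Config: Verbose must be 1/0, not on/off")
    if cfg.get("CheckClientCert", "0") == "0":
        findings.append("Config: CheckClientCert=0, client certificates are not checked")
    if cfg.get("BasicAuth") == "1":
        findings.append("Config: BasicAuth=1, Negotiate/NTLM towards the servers is disabled")
    listeners = {}
    for name, mode, host, listener, script in servers(cp):
        if mode == "WEB" and "." not in (host or ""):
            findings.append(f"{name}: Host '{host}' is not an FQDN; the object name must be the server's FQDN")
        if mode == "FULL":
            if listener in listeners:
                findings.append(f"{name}: same listener {listener} as {listeners[listener]}; "
                                "only possible if the two servers are in different profiles")
            listeners.setdefault(listener, name)
            if " -pw " in script:
                findings.append(f"{name}: Script passes a password on the command line ({script.split()[0]} -pw ...)")
    return findings


if __name__ == "__main__":
    cp = parse_xvpn(SAMPLE_XVPN)
    for row in servers(cp):
        print(row)
    for finding in lint(cp):
        print("WARNING:", finding)
```

Run against a copy of the real file, the decoded scripts are the quickest way to see what every "Launch" button on the portal actually executes on the workstation.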


NETASQ SSL VPN LDAP Attributes User entry: NetasqAllowed-Access and NetasqAllowed-xvpn


NETASQ SSL VPN LDAP Attributes Profile entry (figure)


Analysis of SSL VPN problems: for WEB and FULL mode
• Check the alarms
• Check the logs (XVPND and System)
• XVPND debug and AUTHD debug (described below); the authd debug in particular gives information about the authenticated users, their profile, ...
Debug activation: in the configuration file, set the token Verbose=0/1 for xvpnd and Verbose=all for authd, and VerboseFile=/tmp/*.debug. The command xvpnd -d or authd -d starts or stops the debug.


Analysis of SSL VPN problems: some extracts of XVPND debug
2007-01-25 09:09:36 xvpn_add_user_htable : (faridi) is authorized to access xvpnd
2007-01-25 09:09:36 xvpn_add_user_htable : profile for (faridi) is (ALL)
2007-01-25 09:09:36 xvpn_add_user_htable : ldap_err = 0
...
2007-01-25 09:09:36 Client come from internal IF
2007-01-25 09:09:36 User (faridi) from (10.1.34.9) authorized to access (ad.netasq.com)
2007-01-25 09:09:36 Connect to (10.1.15.200 )
... click here to be redirected to intranet
2007-01-25 09:09:36 (HTTP HEADER) : Date: Thu, 25 Jan 2007 09:10:23 GMT
2007-01-25 09:09:36 (HTTP HEADER) : Content-Type: text/html
2007-01-25 09:09:36 (HTTP HEADER) : Accept-Ranges: bytes
2007-01-25 09:09:36 (HTTP HEADER) : Last-Modified: Tue, 23 Jan 2007 13:25:01 GMT
2007-01-25 09:09:36 (HTTP HEADER) : ETag: "8021a4e2f13ec71:aa7"
2007-01-25 09:09:36 (HTTP HEADER) : Content-Length: 276
2007-01-25 09:09:36 10.1.15.200:81 : not an alias


Analysis of SSL VPN problems: for WEB and FULL mode, some extracts of XVPND debug (continued)
2007-01-25 09:09:36 AD not use whitelist
2007-01-25 09:09:36 intranet.netasq.com:80 : not an alias
2007-01-25 09:09:36 AD not use whitelist
...
2007-01-25 09:17:51 xvpn_add_user_htable : (faridi) is authorized to access xvpnd
2007-01-25 09:17:51 xvpn_add_user_htable : profile for (faridi) is (ALL)
2007-01-25 09:17:51 xvpn_add_user_htable : ldap_err = 0
2007-01-25 09:17:51 xvpn_add_user_htable : add user (faridi), addr (153223434), if_type (1) time (241123), password (-492659823), XvpnTemplateIdx (0) , in htable
2007-01-25 09:17:51 Add (faridi) on htable
...
2007-01-25 09:17:51 (faridi) authorized to access (SSH)
2007-01-25 09:17:51 Connect to (Name=SSH) (Ip=10.1.15.62) (Port=22)
2007-01-25 09:17:51 xvpnd_redirect success


Analysis of SSL VPN problems: for WEB and FULL mode, some extracts of AUTHD debug
(XPNVS)(fd=41):user=faridi,xvpn_right=YES,template=ALL
(XVPNS)(fd=41):XVPNS=>config(0)(name) =AD
(XVPNS)(fd=41):XVPNS=>config(0)(host) =ad.netasq.com
(XVPNS)(fd=41):XVPNS=>config(0)(url) =
(XVPNS)(fd=41):XVPNS=>config(0)(link) =AD
(XVPNS)(fd=41):XVPNS=>config(0)(addr) =-938540790
(XVPNS)(fd=41):XVPNS=>config(0)(port) =11224
(XVPNS)(fd=41):XVPNS=>config(0)(cport) =80
(XVPNS)(fd=41):XVPNS=>config(0)(idx) =2
(XVPNS)(fd=41):XVPNS=>config(0)(hidden)=0
...
(XPNVC)(fd=41):user=faridi,xvpn_right=YES,template=ALL
(XVPNC)(fd=41):XVPNC=>config(0)(name) =SSH
(XVPNC)(fd=41):XVPNC=>config(0)(host) =SshLaurentG
(XVPNC)(fd=41):XVPNC=>config(0)(lhost) =127.0.0.1
(XVPNC)(fd=41):XVPNC=>config(0)(addr) =1041170698
(XVPNC)(fd=41):XVPNC=>config(0)(port) =22
(XVPNC)(fd=41):XVPNC=>config(0)(cport) =22
...
The XVPNS entries list the WEB (HTTP) servers offered to the user's profile, with the Firewall listener (port) and the server port (cport); the XVPNC entries list the FULL servers, with the loopback address (lhost) and port (cport) the applet will open on the workstation.


Analysis of SSL VPN problems: for WEB and FULL mode
Check the implicit rules for the SSL VPN module:
• Port 11220/TCP is used for the FULL access
• Ports 11222/TCP, 11223/TCP, ... are used for the WEB access
SSL VPN implicit rules on internal interfaces (command sfctl -s filter):
0 :0 : pass on dmz2 proto tcp from any@any to dynamic 0.0.0.0 port 11222
0 :0 : pass on dmz2 proto tcp from any@any to dynamic 0.0.0.0 port 11223
0 :0 : pass on dmz1 proto tcp from any@any to dynamic 0.0.0.0 port 11222
0 :0 : pass on dmz1 proto tcp from any@any to dynamic 0.0.0.0 port 11223
0 :0 : pass on in proto tcp from any@any to dynamic 0.0.0.0 port 11222
0 :0 : pass on in proto tcp from any@any to dynamic 0.0.0.0 port 11223
0 :0 : skip 3 proto tcp from any to any port 11220
0 :0 : pass on dmz2 proto tcp from any@any to dynamic 0.0.0.0 port 11220
0 :0 : pass on dmz1 proto tcp from any@any to dynamic 0.0.0.0 port 11220
0 :0 : pass on in proto tcp from any@any to dynamic 0.0.0.0 port 11220


Analysis of SSL VPN problems: for WEB and FULL mode
dstat: shows whether the daemon is running
  xvpnd : /var/supervise/xvpnd: up (pid 4259) 70172 seconds
If the LDAP database is not reachable, xvpnd will not run correctly.
netstat shows whether the daemon is listening on the ports:
  netstat -an | grep LIST
  tcp4  0  0  *.1200   *.*  LISTEN
  tcp4  0  0  *.443    *.*  LISTEN
  tcp4  0  0  *.11223  *.*  LISTEN   -> 2nd web server
  tcp4  0  0  *.11222  *.*  LISTEN   -> 1st web server
  tcp4  0  0  *.11220  *.*  LISTEN   -> full access
  ...

tcpdump: to verify that the traffic is not blocked between the IPS-Firewall and the clients (ports 11220, 11222, ...)


Analysis of SSL VPN problems: for WEB
If you have a problem with a specific URL or page, an interesting test is to access the web server through the IPS-Firewall but not through the SSL VPN, and at the same time through the SSL VPN module, so as to compare the real links with the rewritten ones.
With Mozilla Firefox, the extension "Live HTTP Headers" shows the HTTP headers in real time. With two Firefox tabs (one through the SSL VPN and one through the NAT), you can compare the real and the rewritten links.
With the WEB mode, be aware of technologies that exchange information such as IP addresses inside the application layer (for example Java applets): the URL rewriting cannot reach those addresses.


Analysis of SSL VPN problems: for WEB
For example, you have configured an SSL VPN web access to the FQDN intranet.myfirm.com, and a page contains a redirection to an external link, http://www.osvdb.org/13152. Through the SSL VPN module the URL becomes https://10.1.34.200:11222/netasq0065/13152. A tag with the number "netasq0065" indicates that there is an error with the link. If you click on it, you get a new page with the message "You tried to access a web page which has not been authorized by your administrator".
Generally, either the link redirects to an external site whose URL is not configured in the white list, or the link contains an alias of the server that is not configured in the SSL VPN configuration.


Analysis of SSL VPN problems: for FULL
=> The Java applet on the portal displays the error message "WARNING: Connection on 127.0.0.1:cport failed !!": generally the Java applet cannot bind the configured listening port, because it is already used by another application or because the user does not have enough privileges (ports below 1024).
=> The Java applet on the portal displays no error message but the client application is unable to connect to the server: check the Java debug console. For example, if you use the option "Use DNS Resolution" and your client cannot resolve the FQDN (the serial number by default), you will see an error message like the following in the Java console:


Analysis of SSL VPN problems: for FULL
new ServerSocket on 127.0.0.1:22
new ServerSocket on 127.0.0.1:33389
Your OS is : WINDOWS XP (WINDOWS XP)
executed command : start "vpnssl shell" echo ""Starting SSL VPN""
Your OS is : WINDOWS XP (WINDOWS XP)
executed command : putty admin@127.0.0.1 -pw adminadmin
Socket error.
java.net.UnknownHostException: F200XA105410400601
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at netasq.connection.FirewallSocket.<init>(Unknown Source)
        at netasq.connection.SRPClient.authentication(Unknown Source)


Important points and known problems
• The object name of the server configured in the WEB access must be the FQDN of the web server.
• FTP, because of its two connections (a control connection and a data connection using unpredictable ephemeral ports), is not supported through the SSL VPN. The same applies to all protocols using this kind of mechanism, such as H.323, MGCP, ...
• Applications using UDP are not possible through the SSL VPN.
• The native RDP client of Windows XP cannot connect to the loopback interface; you have to use version 5.1.2600.2180, provided with SP2.
• The same listening port on two different FULL accesses is possible only if the two servers are not in the same profile.
• With a private IP address on the Firewall's external interface, the links would be rewritten using the private IP: you have to use the option "Use DNS Resolution".


Important points and known problems
• For the XVPND Verbose token, use 1/0 and not on/off.
• If the web server contains a link of the form http://intranet.myfirm.com:80, the alias "intranet.myfirm.com:80" has to be configured.
• Clients translated behind a router on which ports 11220, 11222, ... are filtered: the SSL VPN cannot work, since these ports must be reachable from the client.
• It is not possible to configure a default profile with an external Active Directory LDAP database.
