[331] Inactivity Timer
Bryan, 2005/01/04 01:28
Is there a way to implement an inactivity timer to end the client browser's session after being inactive for a period of time?
I saw some timer documentation in a config file I believe. I didn't know what to set on it to test this functionality?
Thanks,
Bryan

[335] Re:Inactivity Timer
Masato Kataoka, 2005/01/04 10:19
The Orenosp form auth has inactivity timeout.
proxy_authck_define = owa -u="..." -tmo=
If the client session is inactive over period, Orenosp drops the client session. The default is 30 (minutes).
Thanks
Masato

[336] Re:Inactivity Timer
Masato Kataoka, 2005/01/04 10:21
Rewriting as brackets are eaten by HTML.
> The Orenosp form auth has inactivity timeout.
>
> proxy_authck_define = owa -u="..." -tmo=[n-minutes]
>
> If the client session is inactive over [n-minutes] period, Orenosp drops the client session. The default is 30 (minutes).
>
> Thanks
> Masato

[338] Re:Inactivity Timer
Bryan, 2005/01/05 07:50
> Rewriting as brackets are eaten by HTML.
>
> > The Orenosp form auth has inactivity timeout.
> >
> > proxy_authck_define = owa -u="..." -tmo=[n-minutes]
> >
> > If the client session is inactive over [n-minutes] period, Orenosp drops the client session. The default is 30 (minutes).
> >
> > Thanks
> > Masato
> >
On the -u"...", is this where I specify the user name and password for each user to login? I noticed in the example where you had -u(admin:pass). Are we authenticating against the backend owa server, or against the local sproxy configuration file user information?
I would like the form to collect information and pass it to the back end for auth. I know this works maybe I am not understanding, or able to get it to work from the sample files. Should I use the specific code above?
Thanks,
Bryan

[340] Re:Inactivity Timer
Masato Kataoka, 2005/01/05 08:26
Hi Bryan,
Sorry for a vague description.
This is what you want to use:
proxy_authck_define = our_owa -u="_valid_:" -rlm="Our OWA" -tmo=5
which should be in sproxy_owa_d.txt.
The special username "_valid_:" instructs Orenosp to use the backend auth server specified with proxy_authck_authsrv_XXX (in your case, proxy_authck_authsrv_url).
This is what happens:
- Orenosp intercepts a request to OWA and redirects the client to Orenosp's form-based auth page.
- The user sends in the username and password to Orenosp. Orenosp verifies the username and password against the backend auth server.
- If verified, Orenosp connects to the OWA server and forwards the client request along with the verified username and password (converted to HTTP basic auth data).
- OWA allows the client request because the client has the correct username and password that OWA requires.
Thanks
Masato
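The flow described in the post above, modelled as an added example in Python. This is not Orenosp code: it is a small in-memory model of a form-authenticating reverse proxy that keeps one server-side session per logged-in user, drops that session once it has been idle longer than the -tmo value (5 minutes here, matching -tmo=5 above), and re-emits the verified credentials to the backend as an HTTP Basic Authorization header. The verify_backend callable stands in for whatever proxy_authck_authsrv_url points at; the login path /_formauth/login, the cookie name and the user list are assumptions made for the demo.

```python
"""Added example (not Orenosp code): form auth + inactivity timeout in front of a Basic-auth backend."""
import base64
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT_SEC = 5 * 60          # assumed: mirrors -tmo=5 (minutes)
LOGIN_PATH = "/_formauth/login"    # assumed path of the proxy's own login form
COOKIE_NAME = "proxy_sid"          # assumed session cookie name


@dataclass
class Session:
    username: str
    password: str      # retained so the proxy can build Basic auth for the backend
    last_seen: float   # seconds (monotonic clock) of the last request on this session


@dataclass
class FormAuthProxy:
    verify_backend: Callable[[str, str], bool]   # stands in for proxy_authck_authsrv_url
    idle_timeout: float = IDLE_TIMEOUT_SEC
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        """Handle the POST from the login form: verify against the backend auth
        server and, on success, create a session and return its id (the cookie value)."""
        if not self.verify_backend(username, password):
            return None
        sid = secrets.token_urlsafe(32)          # unguessable session id
        self.sessions[sid] = Session(username, password, now)
        return sid

    def handle(self, cookie_sid: Optional[str], now: float) -> Tuple[str, Dict[str, str]]:
        """Decide what to do with an ordinary request to the published site.
        Returns ("redirect", {"Location": LOGIN_PATH}) when there is no live session,
        or ("forward", {"Authorization": "Basic ..."}) with the headers for the backend."""
        sess = self.sessions.get(cookie_sid) if cookie_sid else None
        if sess is None:
            return ("redirect", {"Location": LOGIN_PATH})
        if now - sess.last_seen > self.idle_timeout:
            # Server-side logout: unlike Basic auth, the browser holds no reusable
            # credential, so deleting the session really ends access.
            del self.sessions[cookie_sid]
            return ("redirect", {"Location": LOGIN_PATH})
        sess.last_seen = now                     # any activity resets the idle clock
        cred = base64.b64encode(f"{sess.username}:{sess.password}".encode()).decode()
        return ("forward", {"Authorization": f"Basic {cred}"})

    def logout(self, cookie_sid: str) -> bool:
        """Explicit logout link: also a server-side action. Returns True if a session was ended."""
        return self.sessions.pop(cookie_sid, None) is not None


if __name__ == "__main__":
    # Constructed demo data: the "backend auth server" is a dict lookup.
    users = {"alice": "s3cret"}
    proxy = FormAuthProxy(lambda u, p: users.get(u) == p)
    sid = proxy.login("alice", "s3cret", now=0.0)
    print(proxy.handle(sid, now=100.0))          # forward with a Basic header
    print(proxy.handle(sid, now=100.0 + 301))    # idle too long -> redirect to login
```

Because the proxy converts the form login into Basic auth for the backend, the session store necessarily holds the cleartext password for the life of the session; keep it in memory only, bind the cookie to HTTPS (Secure, HttpOnly) and clear sessions on restart.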

[341] Re:Inactivity Timer
Bryan, 2005/01/07 07:33
I am still having trouble getting this to work. Can I send your my conf file and see if you can help me spot what is wrong?
I think everything is right, and basic pass through auth works just fine. I have created the _formauth folder locally, the orenosp_auth on the IIS server, modified the config with the examples, and I can't get this to work.
Thanks,
Bryan

[342] Re:Inactivity Timer
Masato Kataoka, 2005/01/07 08:11
Yes, please do send your config files and associated information to ma_kataoka@yahoo.co.jp. As for the public folder problem, I may have to ask to enable tracing in Orenosp. Let's do this over emails.
Thanks
Masato

[330] OWA Public Folders and Form Auth
Bryan, 2005/01/04 00:38
The error in IE that I get is:
This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?
I choose Yes, and then I get a new window error with a yellow triangle with an exclamation point that says:
A connection with the server could not be established
-2147012867
The OWA website comes up, but the public folders do not.
I am not sure if this is browser / machine dependent. I have gone to other computers, and it comes right up, and I do not get this error message.
On another topic - back to form auth. What is the advantage of form auth, over the prompt that comes up now, for user name and password? Also, your instruction in the previous message, do I create the _formauth folder on the OWA backend server, or on the orenosv computer?
Thanks,
Bryan

[334] Re:OWA Public Folders and Form Auth
Masato Kataoka, 2005/01/04 10:14
Could you please let me know the details of the client machine that's having the connection error? Can you also try another browser on the same client PC?
One advantage of form auth over HTTP basic auth (browser popup asking username/password) is that the server-side (webserver or reverse proxy) can log out the user independently from the client-side. So it can do inactivity time-out.
_formauth directory must be created in the Orenosp PC.
Thanks
Masato

[337] Re:OWA Public Folders and Form Auth
Bryan, 2005/01/05 07:47
>
> Could you please let me know the details of the client machine that's having the connection error? Can you also try another browser on the same client PC?
>
> One advantage of form auth over HTTP basic auth (browser popup asking username/password) is that the server-side (webserver or reverse proxy) can log out the user independently from the client-side. So it can do inactivity time-out.
>
> _formauth directory must be created in the Orenosp PC.
>
> Thanks
> Masato
>
Masato,
The client computer that I am testing from is the Orenosp server. Its IE version is 5.00.370.1000 w/128 bit cipher, Windows 2000 SP4. If I go to http://exchangesrv/exchange it opens up correctly and displays public folders with no error message. If I go through the reverse proxy on that computer I get the error. Now, I have tested with a number (4) of clients, and all that I have tested with access it correctly, except for 1 which is an XP machine...
I have not found a commonality.
Please let me know if there is anything else I can tell you.
Thanks,
Bryan

[329] RFC Std.
Bryan, 2005/01/04 00:30
Does your software conform the output from the reverse proxy server to the client browser to the HTTP RFC standards for the protocol? I read where OWA breaks standards and that a Linux/Apache reverse proxy does conform to standards.
Thanks,
Bryan

[333] Re:RFC Std.
Masato Kataoka, 2005/01/04 09:59
Thank you for your interest in Orenosp.
I wouldn't say Orenosp conforms 100% to HTTP/1.1 standards. My design policy is to focus on interoperability with de facto standard products.
OWA makes use of MS-specific WebDAV extensions (Bxxx methods) and Orenosp does expose those extensions.
I'm sure there are also other standard non-conforming behavior in Orenosp. If you could point out any incompatibility problems, please let me know.
Thanks
Masato

[339] Re:RFC Std.
Bryan, 2005/01/05 07:58
> Thank you for your interest in Orenosp.
>
> I wouldn't say Orenosp conforms 100% to HTTP/1.1 standards. My design policy is to focus on interoperability with de facto standard products.
>
> OWA makes use of MS-specific WebDAV extensions (Bxxx methods) and Orenosp does expose those extensions.
>
> I'm sure there are also other standard non-conforming behavior in Orenosp. If you could point out any incompatibility problems, please let me know.
>
> Thanks
> Masato
>
Masato,
I don't know of any incompatibility. I was more asking about what I had read about Linux/Apache as a reverse proxy - it conformed the output to the client browser to the RFC HTTP standards. That apparently OWA bends the rules. And the paper I read indicated this to be a potential for security issues or attacks. That is my concern more than anything. What is the security risk, or liability, of allowing this to occur?
Thanks,
Bryan

[328] SSL Tunnel binding
Rudolf, 2005/01/03 23:26
Hello Masato
Is it possible to use integrated mode and bind the SSL tunnel to just one SSL listen port, if I have two SSL listen ports?
proxy_listen_name = lis-ssl1 192.168.0.2@443 https -ssl_cli=svmain
proxy_listen_name = lis-ssl2 192.168.0.3@444 https -ssl_cli=svmail
I didn't find a clue in the manual.
Thanks Rudolf

[332] Re:SSL Tunnel binding
Masato Kataoka, 2005/01/04 09:50
Hi Rudolf,
The parameter currently used, "proxy_sslvpn_gateway", is not a well-thought-out syntax. In the upcoming 0.9.0, I will replace the parameter with a new parameter that 1) allows you to specify an extended URL pattern, and 2) simplifies the syntax so that you do not have to list all SSLVPN labels.
Thanks
Masato

[326] radius authentication
dave, 2005/01/03 05:58
orenosp
Do you have any plans to allow external authentication via Radius on the windows platform
Thanks
Dave

[327] Re:radius authentication
Masato Kataoka, 2005/01/03 15:53
Yes, it is planned. It's a matter of priority. I'll try to push it up. Thanks
Masato

[322] FTP IIS and Orenosp
Yonker Guy, 2004/12/30 13:12
I have Orenosp running on my Windows 2003 server for the purposes of securing my Tivo on the web. I do also want to install FTP and a webserver IIS and am wondering if I should expect any compatibility issues with Orenosp.
Thanks for your help

[325] Re:FTP IIS and Orenosp
Masato Kataoka, 2004/12/31 17:40
Hi Yonker,
Thank you for using Orenosp.
By default, IIS listens on port 80 only. Orenosp does not by default listen on port 80. So they should not conflict. But certainly you cannot have both listen on the same port (like SSL port 443).
IIS's FTP should have no problem co-residing with Orenosp.
Thanks
Masato
> I have Orenosp running on my Windows 2003 server for the purposes of securing my Tivo on the web. I do also want to install FTP and a webserver IIS and am wondering if I should expect any compatibility issues with Orenosp.
>
> Thanks for your help

[323] OWA Public Folders and Form Auth
Bryan, 2004/12/31 07:47
I am interested in using orenosp as a reverse proxy to my OWA site. I have a test computer set up with a good running configuration. When reverse proxying to the OWA site, I get an error, and Public folders are not displayed. Can you tell me what to do to fix this?
Also, I had a devil of a time understanding and setting up form auth. I used OWA sample D. I ended up commenting all the lines from the sample and inserting:
proxy_auth_pass_to_backend = 1
So that the basic auth would pass to the backend OWA server. This seems to work, without double authenticating. I do not want the users to double authenticate!
I went through the instructions on setting up the orenosp_auth folder on the OWA server under C:\inetpub\wwwroot\orenosp_auth, and setup the virtual directory as in the instructions. Maybe you can shed some light on form auth.
Thanks in advance for your help!
Bryan
PS. What are your future plans for the software? Is it open source? How many simultaneous OWA users can it support? I have a 2ghz Xeon Compaq ML 350 with 2 gigs of ram.

[324] Re:OWA Public Folders and Form Auth
Masato Kataoka, 2004/12/31 17:37
Hi Bryan,
Thank you for using Orenosp.
Orenosp Form Authentication
============================
The instruction "Instructions for setting up Orenosp form-based authentication" in OWA section is missing one thing:
- Create ORENOSP_HOME/_formauth directory
> cd ORENOSP_HOME
> xcopy padmin\formauth _formauth\
Have you done this already ?
This instruction is described in User Authentication section. The OWA section should have directed a reader to that section.
Public Folder Link
==================
Most likely, the reason you get the error is that OWA is sending an http (not https) URL for the public folder.
Are you using OWA 2003 or OWA 2000?
I think OWA 2003 should take care of this automatically (in my testing). If not, you may have to set up manual rewriter filter. I also need detailed description of the error.
Thanks
Masato

[316] proxy_pass_by - 16 rules limit
TNC, 2004/12/28 05:44
We are looking to use orenosp as a kind of "portal" for our remote users and field offices to access our file servers using one generic point of entry (I hope this makes sense!).
Each field or file server has a "proxy_pass_by" entry that redirect to the appropriate server.
ex. wi.portal.xxx.org is redirected to wi.xxx with
proxy_pass_by = url https://wi.portal.xxx.org/ http://wi.xxx/
It works fine except for the 16-rule limit. Is there a way around that, or to increase the limit to say 255 rules?

[318] Re:proxy_pass_by - 16 rules limit
Masato Kataoka, 2004/12/29 15:51
Thank you for using Orenosp.
Versions later than or equal to 0.4.2a should support up to 32 proxy_pass_by rules (contrary to sproxy_full.txt). For the upcoming 0.8.3 I raised the max # to 256. Alphas for 0.8.3 are already in the /alpha/ directory.
If you need a dev version for Linux, please let me know.
Thanks
Masato

[320] Re:proxy_pass_by - 16 rules limit
TNC, 2004/12/29 23:54
That will be great.
Thank you!
> Thank you for using Orenosp.
>
> Versions later than or equal to 0.4.2a should support up to 32 proxy_pass_by rules (contrary to sproxy_full.txt). For the upcoming 0.8.3 I raised the max # to 256. Alphas for 0.8.3 are already in the /alpha/ directory.
>
> If you need a dev version for Linux, please let me know.
>
> Thanks
> Masato

[321] Re:proxy_pass_by - 16 rules limit
TNC, 2004/12/30 04:50
Sorry, I skipped a line, but yes, I need it for Linux. Thanks
> That will be great.
> Thank you!
>
> > Thank you for using Orenosp.
> >
> > Versions later than or equal to 0.4.2a should support up to 32 proxy_pass_by rules (contrary to sproxy_full.txt). For the upcoming 0.8.3 I raised the max # to 256. Alphas for 0.8.3 are already in the /alpha/ directory.
> >
> > If you need a dev version for Linux, please let me know.
> >
> > Thanks
> > Masato

[317] Password
Yonker Guy, 2004/12/29 09:52
I have installed the program and got it to work so that I can access my Tivo from the internet. The only issue I have is I thought I would be asked for a password when connecting. It does not ask, and the instructions are not clear as to how I can implement this security measure. Please help

[319] Re:Password
Masato Kataoka, 2004/12/29 15:59
Thank you for using Orenosp.
The simplest form is:
proxy_auth_url = * -u="admin:pass" -rlm="Admin Only"
You can add this line to your sproxy.conf.
Thanks
Masato

[314] SSL Client Certificate Mapping
Masato Kataoka, 2004/12/16 17:50
In the next versions of Orenosp / Orenosv FTP, SSL Client Certificate Mapping will be implemented.
It would be great if I get concrete requests and examples in this feature from those wanting to use Client Certificate authentication.
Currently I'm looking at SSH's certificate mapping file syntax.
Thanks
Masato

[315] Re:SSL Client Certificate Mapping
Masato Kataoka, 2004/12/24 18:40
I have uploaded alpha versions of Orenosp 0.8.3 and Orenosv 0.8.1 onto /alpha/ directory. Certificate Mapping and Authorization are implemented in both Orenosv FTP and Orenosp. Please refer to respective Users Guide for configuration. Feedback greatly appreciated.
Thanks
Masato

[312] Server garden / cluster
Poloman, 2004/12/14 18:54
Hello,
we would like to make an "FTP cluster", so we'll install an FTP server on 5 computers and one server and reserve some disk space on all machines for FTP. Then we would like to access the main server and see all servers as one FTP site. Is this possible? Do you have any examples/tutorials?
Thanks.

[313] Re:Server garden / cluster
Masato Kataoka, 2004/12/15 15:22
Thank you for your interest in Orenosv.
You could make an FTP cluster that is a virtual single FTP server if you use CIFS to connect all nodes. But Orenosv is not equipped with any special FTP-specific cluster facility.
If you could list your requirements in more detail, it would help.
Thanks
Masato

[310] Form based authentication
Wolfgang, 2004/12/13 22:13
On my SAP Portal users also login via form-based auth. I have the same problem that the authentication is not working. In the logfile there is also a 302 error.
Has anybody a solution for that?
regards,
Wolfgang

[311] Re:Form based authentication
Masato Kataoka, 2004/12/14 02:11
Thank you for using Orenosp.
It would be much easier if you give more detail about your problem, like what kind of errors your users are facing, etc.
Thanks
Masato

[307] Palm Hotsync (Netsync) and otunnel
Dennis, 2004/12/09 05:30
I was wondering if anyone has had any success getting Palm's netsync to work through a VPN tunnel. The TCP Port is 14237 and the UDP port is 14238. I'm having difficulty on the client side as the Hotsync/Netsync listener is conflicting with the otunnel port, 127.0.0.4:14238. Any ideas?
Much thanks!
Dennis

[308] Re:Palm Hotsync (Netsync) and otunnel
Masato Kataoka, 2004/12/10 19:59
Hi Dennis,
I have no experience with Palmsync software but Orenosp SSL port forwarding (or tunneling in general) does not support UDP traffic.
Thanks
Masato

[309] Re:Palm Hotsync (Netsync) and otunnel
Dennis, 2004/12/11 08:19
I see. Thanks for your help.

[301] Authentication
TNC, 2004/11/23 05:44
Is there a way for orenosp (running on linux) to authenticate using an external authentication service such as LDAP or Radius without the need for a local password file?

[302] Re:Authentication
Masato Kataoka, 2004/11/23 15:35
Thank you for using Orenosp.
In the latest dev version (0.8.2-preX), there is direct support for Linux PAM as a backend authentication service (in the Linux version only).
With this, you may be able to use pam_radius_auth module.
There's no document yet. Just add the following parameter to your sproxy.conf:
proxy_auth_authsrv_pam = svcname=orenosp
and comment out any other proxy_auth_authsrv_XXX parameters.
Then create /etc/pam.d/orenosp file, possibly copying another service like login or telnet. Please note that I have just tested standard PAM auth modules, not radius or LDAP yet. I'd appreciate any feedback on this.
I have uploaded orenosp082_pre2.tgz into /alpha directory.
Thanks
Masato

[304] Re:Authentication
TNC, 2004/11/30 02:57
> Thank you for using Orenosp.
>
> In the latest dev version (0.8.2-preX), there is direct support for Linux PAM as a backend authentication service (in the Linux version only).
> With this, you may be able to use pam_radius_auth module.
>
> There's no document yet. Just add the following parameter to your sproxy.conf:
>
> proxy_auth_authsrv_pam = svcname=orenosp
>
> and comment out any other proxy_auth_authsrv_XXX parameters.
>
> Then create /etc/pam.d/orenosp file, possibly copying another service like login or telnet. Please note that I have just tested standard PAM auth modules, not radius or LDAP yet. I'd appreciate any feedback on this.
>
> I have uploaded orenosp082_pre2.tgz into /alpha directory.
>
> Thanks
> Masato
>
It works fine using Radius with the form based authentication.
The only drawback is the need for the users' names to be defined in sproxy.conf. Is there a way around that?
Thanks

[306] Re:Authentication
Masato Kataoka, 2004/12/02 02:29
You can use
-u="_valid_:"
to allow any successfully authenticated user to get in.
The documentation regarding this is scattered among Users guide and sproxy_full.txt. I have added this to Users Guide also.
Thanks
Masato

[299] First alpha of Orenosv 0.8.0 uploaded
Masato Kataoka, 2004/11/17 20:33
First alpha of Orenosv 0.8.0 uploaded onto http://www.orenosv.com/alpha/orenosv080_pre3.exe.
Thanks

[295] Failed 10060
lonaman, 2004/11/09 15:07
Can anyone help me figure out what connect failed(10060) means?

[296] Re:Failed 10060
Masato Kataoka, 2004/11/09 16:36
> Can anyone help me figure out what connect failed(10060) means?
You can obtain the error message by:
>net helpmsg 10060
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
It usually means the reverse proxy couldn't even establish a TCP connection to the backend server.
Hope this helps.
Thanks

[290] Form based authentication
Michael M, 2004/11/04 06:08
I have successfully set up a SSL VPN. I am trying to set up form based authentication. Everything works to the point when I login to the TnApplet, I receive the following error in the Log window:
gateway returned: 302:Moved Temporarily
Any suggestions?
Thanks,
Michael

[291] Re:Form based authentication
Masato Kataoka, 2004/11/05 18:46
Hi Michael,
Thank you for using Orenosp.
Unfortunately the current SSL port forwarding doesn't support form-based authentication. You have to stick to basic authentication method.
Support for form-based and any other cookie-based authentication is planned.
Thanks
Masato

[289] Security Alert when using IIS
Masato Kataoka, 2004/11/02 23:26
A serious security problem has been identified for Orenosp-IIS combination. Please read Download/Status section on Orenosp homepage.
Thank you

[288] rotatelogs-char problem with DST
Masato Kataoka, 2004/11/01 15:47
There seems to be a problem in the rotatelogs-char program when the current time goes back. This problem was observed during the recent DST change. When the problem occurs, all further log records are silently ignored. This problem happens when using any one of the calendar modes.
Please be sure to restart Orenosp/Orenosv when this happens. This problem is being investigated.
Thanks

[284] syslog support
Rudolf, 2004/10/29 16:51
Hello Masato
Is it possible to log with orenosp to rbp to a syslog server ?
Or is it planned in the near future to log from orenosp directly to a syslog server?
Thanks Rudolf

[285] Re:syslog support
Masato Kataoka, 2004/10/31 03:34
Hi Rudolf,
Which log would you want to send to syslog?
Most log files except event.log are now pipe-logging enabled, so you can write a logging program that sends to syslog. Better yet, since the program should be Apache-compatible, you may find one already developed.
I'm interested in the configuration you wish to achieve.
Thanks
Masato

[286] Re:syslog support
Rudolf, 2004/10/31 05:02
Hi Masato
I found this very interesting program. Sadly it is not available in english only in japanese. Can you help me with a little translation support ? :-)
http://winlogmon.sourceforge.jp
I think it should work with my apache and orenosp files (all logs available)
Thanks Rudolf

[275] OWA working but can't delete
Nick, 2004/10/25 17:25
I was able to get Outlook Web Access for Exchange 2003 working great. The only problem is when I try to delete a message, it tells me "some items can't be deleted. They were already moved, deleted, or access denied." It's something to do with Oreno, because if I try the same thing going directly to the server (bypassing Oreno) it works fine.
Any suggestions? Do I need to explicitly allow certain verbs?

[278] Re:OWA working but can't delete
Masato Kataoka, 2004/10/26 16:09
Thank you for the problem report.
It turns out that Orenosp's rewriting of Destination header is causing this problem. When you are using OWA with "Front-end-HTTPS:ON" header, you must disable Orenosp's Destination header rewriting.
In the current version, there's no way to disable it. In Orenosp 0.8.0, I have added a new parameter "proxy_rewrite_destination" which you would set to zero when using OWA.
I have uploaded the first alpha version of Orenosp onto /alpha directory:
http://www.orenosv.com/alpha/orenosp080_pre2.exe
Upgrade procedure:
- do upgrade install
- add "proxy_rewrite_destination = 0" to sproxy.conf
The updated Users' Guide mentions this parameter in OWA section.
A work-around without this 0.8.0 version would be to use OWA's basic mode (as opposed to Premium mode).
Thanks
Masato

[279] Re:OWA working but cannot delete
Nick, 2004/10/26 17:08
> Thank you for the problem report.
>
> It turns out that Orenosp's rewriting of Destination header is causing this problem. When you are using OWA with "Front-end-HTTPS:ON" header, you must disable Orenosp's Destination header rewriting.
I'm actually not using this method, but a non-documented registry workaround that basically allows the forms login, but without the requirement of SSL or passing on the Front-End headers.
> I have uploaded the first alpha version of Orenosp onto /alpha directory:
>
> http://www.orenosv.com/alpha/orenosp080_pre2.exe
Do you have a Linux version?
Thanks!
-Nick

[280] Re:OWA working but cannot delete
Masato Kataoka, 2004/10/26 18:15
Are you using SSLOffloaded registry key then?
I believe it is essentially the same in this regard.
> Do you have a Linux version?
I have uploaded just-compiled, not-tested alpha version onto:
http://www.orenosv.com/alpha/orenosp080_pre2.tgz
Please let me know if this doesn't work.
Thanks
Masato

[281] Re:OWA working but cannot delete
Nick, 2004/10/27 09:15
> Are you using SSLOffloaded registry key then?
> I believe it is essentially the same in this regard.
I believe so. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeWeb\OWA
Created a new key (DWORD) AllowRetailHTTPAuth and set it to 1.
> I have uploaded just-compiled, not-tested alpha version onto:
>
> http://www.orenosv.com/alpha/orenosp080_pre2.tgz
Thanks, I'll test it out now.

[282] Re:OWA working but cannot delete
Nick, 2004/10/27 11:13
Yep, everything works great now! This also fixed the double-authentication problems I was having when I was using strictly the Outlook-only forms based authentication and not Orenosp's.
Thanks again!
-Nick

[270] SSL client authentication
Enrico Mancini, 2004/10/22 00:11
It is not clear to me if all the people that have a valid certificate from a CA are validated.
How can I match people with a valid certificate and a list of users?
Where can I define this list of users, and how can I match the userid of the users and some field in the certificates?
Thanks and regards.

[272] Re:SSL client authentication
Masato Kataoka, 2004/10/22 00:30
Thank you for your interest in Orenosp.
The functionality you describe is not implemented, but it's planned. Would you be needing it?
Thanks
Masato

[276] Re:SSL client authentication
Enrico Mancini, 2004/10/25 19:54
> Thank you for your interest in Orenosp.
> The functionality you describe is not implemented, but it's planned. Would you be needing it?
>
> Thanks
> Masato
You mean that what I required is not implemented, but can you assure me that the SSL client auth is working today?
Yes, I need an SSL client auth with a match between the DN of the certificate and a list of names stored in one file on the reverse proxy.

[277] Re:SSL client authentication
Masato Kataoka, 2004/10/26 00:16
Yes, the SSL client authentication as documented in the Orenosp Users Guide works today.
As for the certificate to username mapping functionality, I will include it in future plan.
Thanks
Masato
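Since the mapping itself is still on the roadmap at this point in the thread, the following is an added example (not Orenosp code, and not its eventual syntax) of the piece Enrico asks for: matching the Subject DN of an already-verified client certificate against a short list kept in a file on the proxy. The file format (username, then a DN pattern, one entry per line) is an assumption for the demo, as are the DNs. The point it shows is that the whole DN is compared RDN by RDN, so a certificate whose DN merely contains the expected CN is not matched.

```python
"""Added example (not Orenosp code): map a verified client certificate's Subject DN to a local user."""
import fnmatch
from typing import List, Optional, Tuple

RDN = Tuple[str, str]                 # (attribute type, value); type is lower-cased
MapEntry = Tuple[str, List[RDN]]      # (username, DN pattern)


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 4514 string DN into (type, value) pairs.
    Handles backslash-escaped characters (e.g. 'CN=Doe\\, John'); attribute
    types are compared case-insensitively, values as given."""
    rdns: List[RDN] = []
    buf = ""
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: take it literally
            buf += dn[i + 1]
            i += 2
            continue
        if c == ",":                          # unescaped comma ends the RDN
            rdns.append(_split_rdn(buf))
            buf = ""
        else:
            buf += c
        i += 1
    rdns.append(_split_rdn(buf))
    return rdns


def _split_rdn(text: str) -> RDN:
    attr, _, value = text.strip().partition("=")
    return attr.strip().lower(), value.strip()


def load_map(text: str) -> List[MapEntry]:
    """Assumed file format: '<username> <DN pattern>' per line, '#' comments.
    A '*' inside an attribute value is a wildcard for that value only."""
    entries: List[MapEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, pattern = line.split(None, 1)
        entries.append((user, parse_dn(pattern)))
    return entries


def map_subject(subject_dn: str, entries: List[MapEntry]) -> Optional[str]:
    """Return the username for a verified certificate's Subject DN, or None.
    The whole DN must match RDN by RDN: same number of RDNs, same types in the
    same order, each value equal or matching the entry's wildcard. A plain
    substring test ('CN=alice' in dn) would also accept a DN such as
    'CN=alice,O=Other Org', which is exactly what this avoids."""
    subject = parse_dn(subject_dn)
    for user, pattern in entries:
        if len(pattern) != len(subject):
            continue
        ok = True
        for (p_type, p_val), (s_type, s_val) in zip(pattern, subject):
            if p_type != s_type:
                ok = False
                break
            if p_val != s_val and not ("*" in p_val and fnmatch.fnmatchcase(s_val, p_val)):
                ok = False
                break
        if ok:
            return user
    return None


if __name__ == "__main__":
    # Constructed mapping file and DNs for the demo.
    MAP = """
    # user    subject DN
    alice     CN=Alice Example,OU=Staff,O=Example Corp,C=US
    ops       CN=*,OU=Ops,O=Example Corp,C=US
    """
    entries = load_map(MAP)
    print(map_subject("CN=Alice Example,OU=Staff,O=Example Corp,C=US", entries))  # alice
    print(map_subject("CN=Alice Example,OU=Staff,O=Other Org,C=US", entries))     # None
```

This lookup only makes sense after the TLS layer has verified the chain against the CA you trust; the mapping says who a certificate is, not whether it is genuine. If more than one CA is trusted, key the entries on the issuer DN as well, since two CAs can issue the same subject.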

[268] redirect to OWA doesn't work
tom, 2004/10/19 23:00
hi,
today I installed the latest version on my
suse linux box and tried out the sample configuration for
owa access, but the connection failed.
I found no errors in the logfiles.
the OWA/IIS is on http://fv-mail.bfv.local
and will be resolved with 10.100.102.2
the Orenosp is installed on
https://owa.bfv.local
and will be resolved with 10.100.189.189
# Orenosp - sample configuration for OWA
# for Orenosp 0.7.2 or later.
proxy_listen_name = ls-https 0.0.0.0@443 https
proxy_pass_by = url ls-https://owa.bfv.local/exchange \
http://fv-mail.bfv.local/exchange -hh="_self_" -rq_hdr="Front-end-HTTPS:ON"
proxy_pass_by = url ls-https://owa.bfv.local/ExchWeb \
http://fv-mail.bfv.local/ExchWeb -hh="_self_" -rq_hdr="Front-end-HTTPS:ON"
proxy_pass_by = url ls-https://owa.bfv.local/Public \
http://fv-mail.bfv.local/Public -hh="_self_" -rq_hdr="Front-end-HTTPS:ON"
proxy_redirect_by = url ls-https://owa.bfv.local/ \
https://owa.bfv.local/exchange -s
proxy_authck_enable = 1
proxy_authck_pass_to_backend = 1
proxy_authck_define = noone -u="" -rlm="nobody allowed"
proxy_authck_define = our_owa -u="_valid_:" -rlm="Our OWA"
proxy_authck_assign = * noone
proxy_authck_assign = ls-https://owa.bfv.local/* our_owa
proxy_authck_authsrv_url = http://fv-mail.bfv.local/auth_exchange/
proxy_ssl_keypass = orenosp
proxy_hctrace_level = 1
proxy_hbtrace_level = 1
#end
Only https connections to the OWA/IIS are allowed.
Do I have a mistake in my Orenosp configuration, or
are there some changes at the IIS necessary?
thanks in advance
regards
tom

[271] Re:redirect to OWA doesn't work
Masato Kataoka, 2004/10/22 00:27
Hi tom,
I reviewed your config file but couldn't find anything wrong. If you could elaborate more and send me the log and trace files, I would be able to tell more.
Thanks
Masato

[267] gtOrenoPC Port forwarding problem
Raffi, 2004/10/19 22:42
I am unable to get the SSL port forwarding for RDP to work. I have installed the SP2 patch from MS and The following messages come up when i start the RDP session:
127.0.0.2:3390 => /vpn/host1/rdp
127.0.0.3:3390 => /vpn/host2/rdp
Starting listen threads...
Listening on 127.0.0.2@3390
Listening on 127.0.0.3@3390
Start forwarding to /vpn/host1/rdp (#0)
Ended forwarding to /vpn/host1/rdp (#0)
And then the RDP session times out without connecting. Any thoughts?

[269] Re:gtOrenoPC Port forwarding problem
Masato Kataoka, 2004/10/20 02:35
Yes, XP SP2 has this problem. Please look at:
http://hp.vector.co.jp/authors/VA027031/orenosp/winxpsp2_en.html
for details.
Thanks
Masato

[261] Service Error on Linux machine
email68, 2004/10/16 15:00
Loaded the latest version of orenosp on my linux box.
I am getting a status error:
/etc/init.d/orenosp:line 69: status: command not found
I have tried reinstalling and even going back a version but I get the same error.
Any help is appreciated.

[262] Re:Service Error on Linux machine
Masato Kataoka, 2004/10/16 15:30
Thank you for the bug report.
Please change the following line (line 69)
status)
# don't know if this works
status $svc_prog <=== Comment out this line
Thanks
Masato

[263] Re:Service Error on Linux machine
email68, 2004/10/16 17:04
> Thank you for the bug report.
>
> Please change the following line (line 69)
>
>
> status)
> # don't know if this works
> status $svc_prog <=== Comment out this line
>
I don't think I understand how to do this. Where do I comment out the line? I don't think you mean in the sproxy.conf since it's not in there.
Thanks
> Thanks
> Masato

[264] Re:Service Error on Linux machine
Masato Kataoka, 2004/10/17 14:14
Sorry I wasn't clear enough on the 1st post. The file /etc/init.d/orenosp should be edited as follows:
line 69
OLD
status $svc_prog
NEW
# status $svc_prog
Or you can just delete that line.
Thanks
Masato

[265] Re:Service Error on Linux machine
email68, 2004/10/18 08:28
Thank you.
That took care of it.
Thanks for supporting your fine product.
> Sorry I wasn't clear enough on the 1st post. The file /etc/init.d/orenosp should be edited as follows:
>
> line 69
> OLD
> status $svc_prog
> NEW
> # status $svc_prog
>
> Or you can just delete that line.
>
> Thanks
> Masato
> |
-
| 257 |
Reply |
Server-relative URLs |
minhtu |
2004/10/13 19:45 |
|
|
|
Could you please tell me how to set orenosp to work with server-relative URLs.
I have a problem, i.e.:
setting in sproxy.conf:
proxy_pass_by = url lis-ssl://*/test1/ http://localhost -rw_url=on
proxy_pass_by = url lis-ssl://*/test2/ http://localhost -rw_url=on
but all links like this do not work:
/images/1.gif |
-
| 260 |
Reply |
Re:Server-relative URLs |
Masato Kataoka |
2004/10/14 14:45 |
|
|
|
Thank you for your interest in Orenosp.
So you need to publish "/" as "/test1" and "/test2".
Unfortunately, as described in Orenosp Users' Guide (See Example 4), many applications / web sites cannot be published with differing virtual paths. ("/test1" vs. "/").
The automatic content rewrite (-rw_url=on) does not handle the path part. So the only option you can try is to manually configure content rewrite rules.
For example:
/images/=/test1/images/
Thanks
Masato
|
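The rule form quoted in the reply above ("/images/=/test1/images/") is simple to state but easy to get wrong in a filter: a plain search-and-replace also rewrites the path inside absolute URLs and, if the content passes through the filter twice, produces "/test1/test1/images/". The following is an added example (not Orenosp's own filter code) of a rewrite filter that parses rules in that "from=to" form and applies them only to server-relative values of href/src/action attributes, skipping URLs that already carry the target prefix. The sample HTML, the attribute names it inspects and the rule set are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: what the backend at http://localhost might return when it
# is published under /test1/ but still emits server-relative links.
SAMPLE_HTML = (
    '<html><body>'
    '<img src="/images/1.gif">'
    '<a href="/test1/page2.html">next</a>'
    '<link rel="stylesheet" href="/css/main.css">'
    '<a href="http://localhost/images/2.gif">absolute</a>'
    '</body></html>'
)


def parse_rules(rule_lines: List[str]) -> Dict[str, str]:
    """Parse 'from=to' rule lines (the form quoted in the reply above)."""
    rules: Dict[str, str] = {}
    for line in rule_lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        src, sep, dst = line.partition('=')
        if not sep or not src or not dst:
            raise ValueError(f'bad rewrite rule: {line!r}')
        rules[src] = dst
    return rules


# Matches the value of href/src/action attributes; only those values are rewritten.
_ATTR_RE = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*["\'])(?P<url>[^"\']*)(?P<quote>["\'])',
    re.IGNORECASE,
)


def rewrite_links(html: str, rules: Dict[str, str]) -> str:
    """Rewrite server-relative URLs in link attributes according to `rules`.

    A URL is rewritten only when it starts with a rule's 'from' prefix, and a URL
    that already starts with that rule's 'to' prefix is left alone, so applying
    the filter twice never produces '/test1/test1/images/...'. Absolute URLs
    (http://...) are not touched here; that is what -rw_url=on handles.
    """
    def substitute(match):
        url = match.group('url')
        for src, dst in rules.items():
            if url.startswith(dst):
                break
            if url.startswith(src):
                url = dst + url[len(src):]
                break
        return match.group('attr') + url + match.group('quote')

    return _ATTR_RE.sub(substitute, html)


def naive_rewrite(html: str, rules: Dict[str, str]) -> str:
    """Plain string replacement, shown only to illustrate the pitfalls: it also
    rewrites the path inside absolute URLs and double-prefixes on a second pass."""
    for src, dst in rules.items():
        html = html.replace(src, dst)
    return html


if __name__ == '__main__':
    rules = parse_rules(['/images/=/test1/images/', '/css/=/test1/css/'])
    print(rewrite_links(SAMPLE_HTML, rules))
```

The `naive_rewrite` function is there only for contrast; `rewrite_links` is the one to keep, because it is idempotent and leaves links that already point under the published path ("/test1/page2.html") untouched.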
-
| 258 |
Reply |
RDP Terminal Services |
shane |
2004/10/14 04:11 |
|
|
|
Do you have an example configuration file for both the client and server to help show how to set this up for accessing Terminal Services over port 443 only? A proxy server is being used on the client side and only port 443 is open. Additionally all RDP protocols are restricted on the proxy server.
Thank you. |
-
| 259 |
Reply |
Re:RDP Terminal Services |
Masato Kataoka |
2004/10/14 13:45 |
|
|
|
Thank you for your interest.
Are you using Orenosp or gtOrenoPC? gtOrenoPC is the dedicated solution for securing RDP traffic. It comes with the default configuration for RDP. Please try out the latest gtOrenoPC and ask any question you might have.
Please note that currently the only supported authentication method for client-side proxy is Basic. NTLM (Windows Integrated Authentication) is not supported.
Thank you
Masato
|
-
| 252 |
Reply |
Blank password allow access |
Brent |
2004/10/06 14:28 |
|
|
|
Hello,
Just installed gtOrenoPC and all seemed to be working, but now I notice that you can log in regardless of what is in the user and password file by simply entering nothing.
Any ideas? |
-
| 253 |
Reply |
Re:Blank password allow access |
Masato Kataoka |
2004/10/07 13:31 |
|
|
|
Thank you for the report.
Could you please send me your passwd and sproxy.conf,
with any sensitive information masked? (to ma_kataoka@yahoo.co.jp)
Thanks
Masato
|
-
| 254 |
Reply |
Re:Blank password allow access |
Brent |
2004/10/08 00:36 |
|
|
|
Actually, I cannot, as I've completely removed your program in favor of OpenSSH with public/private key authentication and port forwarding through it instead of SSL.
But I can tell you the steps I followed.
1.) Install your software
2.) in username/password file removed the default user1:pass1 and user2:pass2 and replaced with username::: os_auth=1
3.) Created the server certificate as described in your documentation.
4.) Started the service and connected to it from my remote location by going to https://[my url]
I did not change anything in the sproxy.conf file from the default installation.
Sadly I don't have your software installed, and I've removed all files relating to it...If you want I could re-install and then send you that stuff, as I tried re-installing two or three times and I always got the same results...no password required.
Also note that even though the SSL tunnel would connect without a password, when I connected to 127.0.0.2:3390 in remote desktop I still required a password as expected.
-Brent
> Thank you for the report.
>
> Could you please send me your passwd and sproxy.conf,
> with any sensitive information masked? (to ma_kataoka@yahoo.co.jp)
>
> Thanks
> Masato
> |
-
| 255 |
Reply |
Re:Blank password allow access |
Masato Kataoka |
2004/10/08 23:51 |
|
|
|
Brent,
Thank you for the information.
The use of the "_valid_" special name in basic authentication had this bug. I consider this bug in gtOrenoPC a critical security hole as this feature is used in gtOrenoPC's default configuration.
I have updated gtOrenoPC to 0.7.4c and also Orenosp to 0.7.4c to include this bug fix.
Thank you again for bringing this up.
Masato
|
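The bug Brent reported (an empty user name and password accepted by Basic authentication whenever the wildcard entry is in use) is a general class of fail-open mistake, not specific to one product. The following is an added example, not code from gtOrenoPC or Orenosp: a hypothetical reconstruction of that shape of bug beside a fail-closed checker. The passwd lines, the "defer to an external authenticator" meaning given to `_valid_`, the `demo_os_auth` credentials and all function names are assumptions made for the example; the page does not document how Orenosp actually interprets that special name.

```python
import base64
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed passwd file in the user:pass form quoted in this thread, plus a
# wildcard entry. '_valid_' is the special name the reply above mentions; the
# page does not document how Orenosp interprets it, so "defer to an external
# authenticator" is an assumption made for this example.
PASSWD_TEXT = """
user1:pass1
_valid_:
"""

Authenticator = Callable[[str, str], bool]


def demo_os_auth(user: str, password: str) -> bool:
    """Stand-in for OS/backend authentication (constructed credentials)."""
    return (user, password) == ('alice', 'correct horse battery')


def load_passwd(text: str) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        user, _, password = line.partition(':')
        entries[user] = password
    return entries


def basic_header(user: str, password: str) -> str:
    """Build an 'Authorization: Basic' header value (used by the demo and tests)."""
    return 'Basic ' + base64.b64encode(f'{user}:{password}'.encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic Authorization header, else None."""
    if not header:
        return None
    scheme, _, blob = header.strip().partition(' ')
    if scheme.lower() != 'basic' or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode('utf-8')
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(':')
    if not sep:
        return None
    return user, password


def vulnerable_check(header: Optional[str], entries: Dict[str, str],
                     os_auth: Authenticator) -> bool:
    """Hypothetical shape of the failure mode described in the thread: the
    wildcard entry short-circuits before any credential has been validated,
    so a missing or empty Authorization header is accepted. (os_auth is never
    even consulted, which is the bug.)"""
    user, password = parse_basic(header) or ('', '')
    if '_valid_' in entries:
        return True  # bug: "any valid user" collapsed into "anyone"
    return hmac.compare_digest(entries.get(user, '').encode(), password.encode())


def hardened_check(header: Optional[str], entries: Dict[str, str],
                   os_auth: Authenticator) -> bool:
    """Fail closed: reject absent, malformed or empty credentials, compare static
    passwords in constant time, and let the wildcard only delegate to os_auth."""
    creds = parse_basic(header)
    if creds is None:
        return False
    user, password = creds
    if not user or not password:
        return False
    if user != '_valid_' and user in entries:
        return hmac.compare_digest(entries[user].encode(), password.encode())
    if '_valid_' in entries:
        return os_auth(user, password)
    return False


if __name__ == '__main__':
    entries = load_passwd(PASSWD_TEXT)
    print('vulnerable, no header:', vulnerable_check(None, entries, demo_os_auth))
    print('hardened, no header:  ', hardened_check(None, entries, demo_os_auth))
```

Two checks catch what the report describes: an absent or empty credential is rejected before any table lookup, and the wildcard name can only delegate to the external authenticator, never grant access by itself. A regression test for exactly the "no password required" case is the cheapest way to keep a default configuration like this from reopening.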
-
| 251 |
Reply |
Windows XP SP2 Info |
Masato Kataoka |
2004/10/01 16:00 |
|
|
|
Orenosp has a problem with SSL port forwarding on Windows XP Service Pack 2 (SP2). The detail is here:
http://hp.vector.co.jp/authors/VA027031/orenosp/winxpsp2_en.html
Thanks |
-
| 250 |
Reply |
First alpha for Orenosp 0.7.4 |
Masato Kataoka |
2004/09/07 22:40 |
|
|
|
I have uploaded a first alpha version of Orenosp 0.7.4 onto:
http://www.orenosv.com/alpha/
The 0.7.4 will feature
- ICMP (ping) checking of all LB nodes (already implemented)
- a couple of minor bug fixes
In this version, ICMP checking is mandatory so if you are blocking ICMP echo packets, say, from DMZ to the intra-net, you cannot use load-balancing.
If any of you need an alternative method (like TCP connect checking), please let me know.
Thanks
Masato
|
-
| 244 |
Reply |
otunnel |
Rudolf |
2004/09/03 18:46 |
|
|
|
Hi Masato
Everything works perfectly now!!! The only missing thing for me is that otunnel must be started with a "hidden window" vbs. Is it possible to redesign otunnel so it would function as a native Windows service?
Thanks Rudolf
|
-
| 245 |
Reply |
Re:otunnel |
Masato Kataoka |
2004/09/05 05:19 |
|
|
|
Hi Rudolf,
In that case, you can use orenosp.exe as an SSL tunneling client.
- install Orenosp onto the client machine or just make a 2nd instance by copying all the files.
- starting with default sproxy.conf, add the contents of your otunnel.conf into sproxy.conf.
- you may need to tweak some params.
I haven't actually tested this configuration yet, but it's designed to work. Please let me know if this doesn't work.
Thanks
Masato
|
-
| 247 |
Reply |
Re:otunnel |
Rudolf |
2004/09/07 04:02 |
|
|
|
Hi Masato
Can you assist me a bit with the right parameters.
tunnel_*** commands are not fully recognized by orenosp.
If I use proxy_*** instead I get an error about unknown protocol with the proxy_listen_name command (only http and ssl are recognized), etc. I think I cannot tweak it without your help.
Thanks Rudolf |
-
| 248 |
Reply |
Re:otunnel |
Rudolf |
2004/09/07 17:44 |
|
|
|
Hi Masato
It works now. Is there a way to suppress the following rules in sproxy.conf
proxy_listen_name = lis-http x.x.x.x@80 http
proxy_pass_by = lis lis-http x.x.x.x
Without these rules orenosp won't start.
Thanks Rudolf |
-
| 249 |
Reply |
Re:otunnel |
Masato Kataoka |
2004/09/07 22:30 |
|
|
|
Hi Rudolf,
Sorry for the delayed response.
You are right about additional required parameters. You have to put the following three additional parameters.
proxy_listen_name = lis-dummy 0.0.0.0@56789 http
proxy_pass_by = lis-dummy http://byebye/
tunnel_enable = 1
For the first two, you can use any non-usable settings.
Thanks
Masato
|
-
| 242 |
Reply |
-rw_url=on in gtOrenoPC not working? |
Luca |
2004/08/25 18:36 |
|
|
|
Hello,
I'm trying to use gtOrenoPC to build a sort of personal portal page on my PC that is securely accessible from the Internet. I'm trying to access sites on the Internet using Reverse Proxy with this command line added in sproxy.conf:
proxy_pass_by = url lis-ssl://*/site1/ http://www.site1.com/ -rw_url=on
(this way I can anonymize my web browsing to specific sites when I'm away from home :)
The event log says:
2004/08/25 11:08:13 [3284.988](svmain)bad option [-rw_url] in []
The -rw_url=on is documented in the OrenoSP manual so I think I could use it in gtOrenoPC.
A final debug note: I'm running gtOrenoPC on Windows XP pro with UPNP service disabled. In this configuration, enabling the UPNP option in sproxy.conf crashes gtOrenoPC with this debug log:
------
pid=3440 tid=3432 exception code: c0000005
frameptr retaddr arg1 arg2 arg3 arg4 funcname
00AFFBC4 100019CA 00B768A0 000001BB 00AFFC5C 00AFFF44 10001867
00AFFBD8 00403780 00B768A0 000001BB 00AFFC5C 7AF5FEA9 100019CA
00AFFD98 0041345A 000001BB 00AFFEF4 77DABD32 00000001 htp_upnp_add_port+60
00AFFF44 0041415B 00000001 00000004 00AFFF88 00000001 htpp_init+39a
00AFFF5C 00418490 00000004 00AFFF88 00000001 0014AEE0 htpp_svc_init+1b
00AFFFA4 77DABD25 00000001 0014AEE0 0012F89C 77E5D33B ntsvc_become_service+220
00154DE0 0072004F 006E0065 0050006F 00000043 00000000 CreateProcessAsUserW+43c
00740067 00000000 00000000 00000000 00000000 00000000 0072004F
Thanx a lot for your excellent software!
Luca
|
-
| 243 |
Reply |
Re:-rw_url=on in gtOrenoPC not working? |
Masato Kataoka |
2004/08/26 01:15 |
|
|
|
Hi Luca,
Thank you for the report. -rw_url= option is a new feature in 0.7.3, so it's not available in gtOrenoPC 0.7.2 (which is based on 0.7.3).
Currently gtOrenoPC uses the same executable for orenosp.exe, so you can safely copy the following files from orenosp073_exe to gtOrenoPC's directory.
orenosp.exe
orenosp.dbg
util_upnp_win.dll (required for UPNP)
As for the trap when XP UPNP is disabled, I will fix it by the next version.
Thanks
Masato
|
-
| 238 |
Reply |
orenosv FTP TLS |
Allen Hewes |
2004/08/25 15:40 |
|
|
|
Hi Masato,
I am trying to get FTP TLS working. I am using Win2k3 with RRAS filtering and built in firewall-ing. I can connect to the ftp service and initiate TLS but I always get an ssl error.
It seems that no matter what I config for a pasv port range or a port number, orenosv always wants to do something on 3333 or higher (just from what I am observing - I am sure it's a random port above 1024). I guess this is the redirect at the socket layer. I need orenosv to use the pasv range for all socket communications, ala ProFTPD (which is what I was using before switching). Or be able to define a range for all socket communications.
Thanks,
-Allen Hewes |
-
| 239 |
Reply |
Re:orenosv FTP TLS |
Masato Kataoka |
2004/08/25 15:59 |
|
|
|
Hi Allen,
Thank you for using Orenosv.
I'm not sure I correctly understand your problem.
Could you show me the session log from your ftp client?
Also does Orenosv's event.log say anything, like 'parameter not recognized'?
Thanks
Masato
|
-
| 240 |
Reply |
Re:orenosv FTP TLS |
Allen Hewes |
2004/08/25 16:13 |
|
|
|
Hi Masato,
DOH! I could smack myself! I completely forgot I changed my home firewall setup to OBSD and I hadn't setup the ftp-proxy!!! I am sorry to bug you! It's working now...
BTW, I am using Win2k3 with Stand Alone CA. It took me a while to get the SSL stuff working with this config, but it looks like it is working (AUTH TLS is working--I only need to scramble the bits on passwords and user ids). Once I exported my CA private keys and cert and cut-n-pasted into different files, orenosv worked great! I do have some Qs though, so I will be back to run them by you.
And if you are curious why I switched from ProFTPD on Cygwin, there is some goofy NT security permissions and file events happening. I wrote some services in C# to do stuff on file notifications, and sometimes I would get the event and most of the time I didn't. When I did get the event, I couldn't do stuff to the file because of perms. When I didn't get the event, cygwin (or something in Cygwin) still had a lock on the file. So I found your stuff and I am going to test it out with my stuff.
Thanks for making orenosv available!
TIA,
-Allen
> Hi Allen,
> Thank you for using Orenosv.
>
> I'm not sure I correctly understand your problem.
> Could you show me the session log from your ftp client?
>
> Also does Orenosv's event.log say anything, like 'parameter not recognized'?
>
> Thanks
> Masato
> |
-
| 241 |
Reply |
Re:orenosv FTP TLS |
Masato Kataoka |
2004/08/25 16:31 |
|
|
|
Thank you for the info on Proftpd on Cygwin.
My understanding is that Cygwin works best in little utility programs like grep, but it is not suitable for any server programs which require security, performance and stability. You might have better luck with SFU 3.5.
Please feel free to post or email any questions.
Thanks
Masato
|
-
| 234 |
Reply |
Orenosp functionalities in development |
Masato Kataoka |
2004/08/16 03:21 |
|
|
|
The following major features and enhancements are in development:
Major features
- Optimized rewrite filters
This will greatly improve rewrite filter performance, by removing large overhead when passing data to these filters.
- Static file caching
- "Backend-coordinated" cookie authentication
This will be useful if Orenosp is to cache protected-contents.
Minor enhancement
- ICMP (ping) checking of all LB nodes
- TnApplet etc/hosts rewriting
If any of you have a request regarding the above features and/or their priorities, please post here or directly email me.
Thanks
Masato
|
-
| 235 |
Reply |
Re:Orenosp functionalities in development |
Masato Kataoka |
2004/08/17 15:57 |
|
|
|
I have uploaded orenosp073_pre15.exe, which includes the optimized rewrite filter. Please see readme_en.txt for how to use it.
A simple benchmark shows substantial speed improvement:
             processing rate   comment
---------------------------------------------
old regex    4204KB/sec
new regex    7229KB/sec        no algorithm change (PCRE)
old simple   2943KB/sec
new simple   7863KB/sec        also changed search algorithm
The test file is a 510KB HTML file.
The only rewrite rule is "http://localhost:8887=http://localhost:9997/simple"
Thanks
Masato
|
-
| 236 |
Reply |
Re:Orenosp functionalities in development |
Rudolf |
2004/08/17 23:08 |
|
|
|
Hi Masato
The new filter is really much faster than the "old" one.
Long line support > 1024 Bytes is not possible in this release, right?
Thanks Rudolf |
-
| 237 |
Reply |
Re:Orenosp functionalities in development |
Masato Kataoka |
2004/08/18 00:02 |
|
|
|
Hi Rudolf,
The old filter module breaks the long lines into 1024 byte chunks to process them. The new one has much higher limit, currently 30KB.
Also I forgot to add the no rewrite case to the above benchmark:
no rewrite 14167KB/sec this is the base line number
Thanks
Masato
|
-
| 231 |
Reply |
Publish to internal web site. What IP is shown in web server log? |
Kiliman |
2004/08/06 03:41 |
|
|
|
Hi Masato,
I found your site on google.com. I haven't installed it, but it looks interesting.
I'm currently using ISA Server 2000 Web Publishing to publish multiple web sites on a single IP address using virtual host header. Unfortunately with ISA 2000, the client IP address in the web server logs always shows the internal address of the ISA server.
I understand that ISA 2004 fixes this problem so the true client IP address now appears in the logs.
I was wondering if Orenosv passes the external client IP to the local web server.
Thanks,
Kiliman
|
-
| 232 |
Reply |
Re:Publish to internal web site. What IP is shown in web server log? |
Kiliman |
2004/08/06 03:49 |
|
|
|
Never mind... after browsing this forum, I see that you set a HTTP Header with that information. I was hoping it would simply be in the logs.
Thanks anyway. |
-
| 233 |
Reply |
Re:Publish to internal web site. What IP is shown in web server log? |
Masato Kataoka |
2004/08/06 09:04 |
|
|
|
Hi Kiliman,
Thank you for the information.
I'm running ISA Server 2004 trial version and saw that feature. The functionality you describe is "Requests appear to come from the original client". It has a limitation that the host running ISA server must be configured as the IP gateway (i.e. as a router) for the Internet because ISA server rewrites source IP address of the HTTP traffic. In many environments, that's not applicable. Of course, ISA is well intended for such a use, so it's perfectly reasonable for ISA server to have that feature.
I think that using X-Forwarded-For header instead is an industry-standard convention. Maybe I could write an ISAPI filter for X-Forwarded-For...
Thanks
Masato |
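The X-Forwarded-For convention discussed in this thread has two halves, and the backend half is where logs get poisoned: any client that can reach the web server directly can send its own X-Forwarded-For, so the header must only be believed when the TCP peer is one of your own proxies, and then read from the right. The following is an added example (not Orenosp's code, and not the ISAPI filter mentioned above) showing both halves in one script: the proxy appending the peer address, and the backend deriving the address to log. The proxy address list, sample addresses and function names are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Union

# Addresses of the reverse proxies we operate (constructed for this example).
TRUSTED_PROXIES = [
    ipaddress.ip_network('10.0.0.5/32'),
    ipaddress.ip_network('192.168.1.0/24'),
]

XFF = 'X-Forwarded-For'
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def add_forwarded_for(headers: Dict[str, str], peer_ip: str) -> Dict[str, str]:
    """Proxy side: append the connecting peer to X-Forwarded-For, never replace
    an existing value, so the hop chain stays intact through several proxies."""
    out = dict(headers)
    existing = out.get(XFF, '').strip()
    out[XFF] = f'{existing}, {peer_ip}' if existing else peer_ip
    return out


def _parse_ip(text: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted_proxy(ip: str) -> bool:
    addr = _parse_ip(ip)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def client_ip(headers: Dict[str, str], peer_ip: str) -> str:
    """Backend side: the address to record in the access log.

    The header is consulted only when the TCP peer is one of our proxies; a
    client connecting directly can write anything into X-Forwarded-For, and that
    must not reach the log. Walking the chain from the right, the first entry
    that is not one of our proxies is the real client; entries further left were
    supplied by untrusted parties. Anything unparsable falls back to the peer.
    """
    if not _is_trusted_proxy(peer_ip):
        return peer_ip
    chain: List[str] = [h.strip() for h in headers.get(XFF, '').split(',') if h.strip()]
    for hop in reversed(chain):
        if _parse_ip(hop) is None:
            return peer_ip
        if not _is_trusted_proxy(hop):
            return hop
    return peer_ip


def log_line(headers: Dict[str, str], peer_ip: str, request: str) -> str:
    """A minimal access-log line showing the address a backend would record."""
    return f'{client_ip(headers, peer_ip)} "{request}"'


if __name__ == '__main__':
    # Constructed exchange: client 203.0.113.7 -> proxy 10.0.0.5 -> backend.
    forwarded = add_forwarded_for({'Host': 'www.example.test'}, '203.0.113.7')
    print(log_line(forwarded, '10.0.0.5', 'GET / HTTP/1.1'))
```

If the web server cannot be taught this rule (the logging module only records the socket peer), the alternative Masato mentions, a filter on the server side that substitutes the derived address before logging, needs exactly the same trust check; without it, the log records whatever the remote side chose to send.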