Practical Sample Configuration
==============================

This document guides you through setting up a simple SSL VPN configuration (HTTPS reverse proxy + SSL port forwarding). For more complete information on SSL tunneling, refer to "SSL Tunneling Guide" (ssltunnel_en.txt). This document assumes that the reader has completed the basic setup described in readme_en.txt.

Terminology
-----------

In this document the words "SSL port forwarding" and "SSL Tunneling" are used interchangeably for the same thing.

Overall SSLVPN configuration
----------------------------

- There are two target PCs (hosts), namely:

    host1 : the same host as that running Orenosp (IP address: 127.0.0.1)
    host2 : IP address 192.168.1.100

  In this sample configuration, host1 is typically a Windows PC, and host2 is typically a Linux or Mac OS X machine. On the Orenosp host, we assume that both hostnames (host1 and host2) are configured to resolve to 127.0.0.1 and 192.168.1.100 respectively (using etc/hosts or a similar mechanism).

- Use a single unified port, 443, for both the HTTPS reverse proxy and SSL tunneling (port forwarding).

- Offer the following service via HTTPS reverse proxy:

    http://host1/

- Offer the following services via SSL port forwarding:

    host1 : rdp, telnet, smtp
    host2 : vnc, ssh, pop3, imap4

  Regular users are allowed access to the smtp, pop3, and imap4 services only. Admin users are allowed access to all services.

  Default port numbers are used: rdp=3389, vnc=5900, ssh=22, telnet=23, smtp=25, pop3=110, imap4=143

- Users

    admin users   : admin1
    regular users : user1, user2

- User Authentication Methods

  You can choose either HTTP Basic Auth or Form-Based Auth.

  - HTTP Basic Auth
    This is the method enabled in the sample configs.
  - Form-Based Auth
    Please see "Using Form-based Authentication" later in this guide.

- On the SSLVPN client side, the services are mapped as follows:

  HTTPS reverse proxy:
    http://host1/ is mapped to https://external.example.com/

  SSL port forwarded services:
    host1 is mapped to 127.0.0.2, host2 is mapped to 127.0.0.3.
  Note that the following services are mapped to different ports from their default ones. This is because these services may already be running on client machines, occupying the default ports.

    host1:rdp      127.0.0.2:3390   (default is 3389)

  For Unix-based clients, all ports that are less than 1024 will be mapped to 9000+(port#), i.e.,

    host1:telnet   127.0.0.2:9023   (9000+23)

  Note2: the current version of TnApplet does not yet support automatic hostname mapping (by rewriting the etc/hosts file, etc). Even if it did, this method would only work for users on Windows with local admin privilege.

- Provide users with the SSL Tunneling Java applet (TnApplet) from a specific local directory on the reverse proxy. You can also offer other files (such as local menu pages, help files, etc) from this directory.

Detailed configurations
-----------------------

- Virtual paths on the reverse proxy

    /vpn/host1/...
    /vpn/host2/...
        Virtual paths for SSL port-forwarding access (i.e., SSLVPN labels). Must be protected by HTTP basic authentication.

    /_intmenu/vpn/tnlis.conf
        Config file for TnApplet, i.e., client-side IP/port configuration. Must be protected by HTTP basic authentication that requires the same username and password as the one that protects /vpn/xxx/. This is because when you "login" via TnApplet it verifies the username/password by retrieving this file, and then the same username/password is used when actually connecting to the SSLVPN vpaths. You can of course discriminate users who can access a particular SSLVPN path. That is, user authentication must be the same, but user authorization can be different.

    /_intmenu/vpn/tnlis_unix.conf
        For Unix-based clients.

    /_intmenu/...
        If you want to offer other local files without any access restriction, you can use this directory.

- TnApplet (Java applet)

  In this example, we will put it in /_intmenu/vpn/. TnApplet itself doesn't have to be protected, so you could also place it under /_intmenu/.
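As an added illustration (not part of this guide or of Orenosp itself), the Python below parses the proxy_auth_path lines from the sample sproxy.conf shown later under "Using Form-based Authentication", derives which user may open which SSLVPN label, and checks the two requirements above: that tnlis.conf is protected by the same user set as /vpn/, and that no label grants a user who could not log in via /vpn/. It assumes that the longest matching path prefix governs a request, which the guide does not state.

```python
import re

# Access-control lines copied from this guide's sample sproxy.conf (placeholder passwords).
SPROXY_CONF = """
proxy_auth_path = / -u="nobody:nonono"
proxy_auth_path = /vpn/ -u="admin:passa,user1:pass1,user2:pass2"
proxy_auth_path = /vpn/host1/rdp -u="admin:passa"
proxy_auth_path = /vpn/host1/telnet -u="admin:passa"
proxy_auth_path = /vpn/host2/vnc -u="admin:passa"
proxy_auth_path = /vpn/host2/ssh -u="admin:passa"
proxy_auth_path = /_intmenu/ -u="admin:passa,user1:pass1,user2:pass2"
"""

# SSLVPN labels offered in this sample configuration (host -> services).
SERVICES = {"host1": ["rdp", "telnet", "smtp"], "host2": ["vnc", "ssh", "pop3", "imap4"]}
LABELS = [f"{h}:{s}" for h, svcs in SERVICES.items() for s in svcs]
RULE_RE = re.compile(r'^\s*proxy_auth_path\s*=\s*(\S+)\s+-u="([^"]*)"')

def parse_rules(conf):
    """Map each protected path to its allowed usernames; '#' and unrelated lines are skipped."""
    rules = {}
    for line in conf.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = {c.split(":", 1)[0] for c in m.group(2).split(",")}
    return rules

def effective_users(rules, path):
    """Assumption (not stated by the guide): the longest matching path prefix governs a request."""
    best = max((p for p in rules if path.startswith(p)), key=len, default=None)
    return rules[best] if best else set()

def access_matrix(rules):
    """Which host:service labels each user may open through the tunnel."""
    matrix = {}
    for label in LABELS:
        for user in effective_users(rules, "/vpn/" + label.replace(":", "/")):
            matrix.setdefault(user, set()).add(label)
    return matrix

def lint(rules):
    """Checks derived from the guide's requirements on the virtual paths."""
    problems = []
    vpn_users = effective_users(rules, "/vpn/")
    if effective_users(rules, "/_intmenu/vpn/tnlis.conf") != vpn_users:
        problems.append("tnlis.conf and /vpn/ must accept the same user set")
    for user, labels in access_matrix(rules).items():
        if user not in vpn_users:  # such a user could never log in via TnApplet
            problems.append(f"{user} is granted {sorted(labels)} but cannot log in via /vpn/")
    return problems
```

Run lint() on your edited sproxy.conf before pointing users at it; an empty list means the sample's admin/regular split is intact.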
    tnapplet.jar       : Java applet file
    index.html         : welcome page for the SSL port forwarding service
    tnapplet.html      : HTML file to start TnApplet as a Java applet
    tnapplet2.html     : HTML file to start TnApplet as a Java applet (alternative, IE only)
    tnapplet_form.html : HTML file to start TnApplet in form-based auth mode
                         (see Using Form-based Authentication)

  --- not explained in this example ---
    tnapp.html, tnapplet.jnlp : to run TnApplet as a Java Web Start application
  ---

Sample files
============

Sample config files are in the /padmin/doc/tunnel directory.

    sproxy.conf : overall config file for server-side Orenosp
                  to be placed as /sproxy.conf
    tnlis.conf  : client-side port-forwarding config file (for TnApplet)
                  to be placed as /_intmenu/vpn/tnlis.conf
    otunnel.conf, jtunnel.conf : for use with the standalone tunneling applet
                  (not explained in this text)

All other sample files (html files) are in the directory /padmin/_intmenu. These should be placed as /_intmenu.

Laying out sample files
=======================

- Copy the entire /padmin/_intmenu directory to /_intmenu.

  Windows:
    > cd
    > xcopy /s /e /i padmin\_intmenu _intmenu\
  Linux/Mac:
    > cd
    > cp -R padmin/_intmenu _intmenu

- Place sproxy.conf under

  Windows:
    > copy \padmin\doc\tunnel\sproxy.conf
  Linux/Mac:
    > cp /padmin/doc/tunnel/sproxy.conf

- Copy the client-side config files to /_intmenu/vpn/

  Windows:
    > cd \padmin\doc\tunnel
    > copy tnlis.conf \_intmenu\vpn
  Linux/Mac:
    > cd /padmin/doc/tunnel
    > cp tnlis.conf /_intmenu/vpn

  These are optional (for otunnel.exe and standalone TnApplet):
    > copy otunnel.conf \_intmenu\vpn
    > copy jtunnel.conf \_intmenu\vpn

- Edit the sample config files and html files in \_intmenu\vpn as necessary.

  - sproxy.conf :
  - tnlis.conf :
  - tnlis_unix.conf :
  - tnapplet.jnlp : if you want to offer TnApplet under Java Web Start, be sure to change the two URLs in this file to match your setup.

- Make sure everything works

  - Using a browser, open http://external.example.com/_intmenu/vpn/index.html.
    -> should ask for username/password for basic authentication
  - Open the TnApplet page
    -> Java plugin loads
    -> Java plugin should ask for the same username/password
    -> Java plugin should ask permission to execute TnApplet
  - Enter username/password in TnApplet and press Login
    -> TnApplet should start listening threads
  - Start an application (Remote Desktop, Email, etc) and see that connections are forwarded.

Using Form-based Authentication
===============================

From 0.8.5, you can use form-based authentication instead of HTTP basic authentication.

- Prepare the files for form-based auth as described in the Orenosp Users Guide. Specifically, do the following:

    > cd
    > xcopy padmin\formauth _formauth\
    [Linux/Mac]$ cp -R padmin/formauth _formauth

- Edit sproxy.conf

  Comment out the HTTP basic auth related parameters, as follows:

    #
    # User Access Control (HTTP Basic Auth)
    #
    #proxy_auth_path = / -u="nobody:nonono"
    #proxy_auth_path = /vpn/ -u="admin:passa,user1:pass1,user2:pass2"
    #proxy_auth_path = /vpn/host1/rdp -u="admin:passa"
    #proxy_auth_path = /vpn/host1/telnet -u="admin:passa"
    #proxy_auth_path = /vpn/host2/vnc -u="admin:passa"
    #proxy_auth_path = /vpn/host2/ssh -u="admin:passa"
    #proxy_auth_path = /_intmenu/ -u="admin:passa,user1:pass1,user2:pass2"

  Then, enable all form-based auth related parameters:

    #
    # User Access Control (Form-based Auth, Alternative to HTTP Basic Auth)
    # Note that the access control rule is much simpler than in the HTTP basic auth case.
    #
    proxy_authck_enable = 1
    proxy_authck_define = fmusers -u="admin:passa,user1:passwd1,user2:passwd2" \
                          -rlm="SSLVPN Users"
    proxy_authck_assign = * fmusers

- Point your users to /_intmenu/vpn/tnapplet_form.html to run TnApplet in form-based auth mode.

EOF