SSL Tunneling Guide


This guide tries to explain concepts and functionalities of SPR module
(SSL tunneling in Orenosp).  SPR stands for "Secure or SSL Packet Relay"
and is the internal module name for tunneling in Orenosp.
There are also sections for SPR parameter reference and trouble-shooting
tips at the end.

Related documents
- ssltunnel_en.txt : SSL Tunneling Guide (this document)
- sampleconfig_en.txt : Practical Sample Configuration
- tips_en.txt : SSL Tunneling Tips (and random memos)


If you want to start quick, first read "Practical Sample Configuration"
and follow the instructions in it to set up the sample SSL tunneling.
Then come back to this document to gain more understaning.


Contents

- Configuration Overview
- Client Side Applets
- SPR Parameters Reference
- SPR Trouble-Shooting Tips


======================
Configuration Overview
======================

The primary purpose of the Orenosp SSL tunneling is to support SSL
port-forwarding of many fixed-TCP-port applications.  So this document
will focus on SSL port-forwarding cases, but other usage scenarios are also
presented as examples.

To achieve SSL port forwarding, Orenosp must run both on server side and on
client side.  The client side tunnels an ordinary TCP connection over SSL
and the server side "untunnels" it and route the connection to a PC
in the LAN


Actual programs to be used:

  === server-side programs ===
  orenosp.exe:
    The same instance that works as a reverse proxy will act as the server
    side.  You will add config parameters into sproxy.conf.

  === client-side programs ===
  TnApplet:
    Java applet/application.
  otunnel.exe:
    A windows command line program.  This program will use otunnel.conf
    for configuration, which uses similar or same set of parameters as
    those in sproxy.conf.
  orenosp.exe:
    You can also use orenosp.exe as an NT service on the client side if you
    want to set up a permanent SSL VPN connection.

  Throughout this section we will use otunnel as the primary example because
  its configuration is symmetric to orenosp's configuration.

  For wide deployment however you will probably use TnApplet (Java).
  It is a specialized client-side program that is simple to configure
  and deploy.  (It uses a different set of parameters).




example-1 (SSL port forwarding on a separate port from https reverse proxy)
---------
A multiplexing SSL-port-forwading case for tunneling POP3 and telnet
in SSL protocol.

internal LAN-1                   |                 internal LAN-2
                                 |
[host-1@110]                     |                     :110  [client-1]
                  [orenosp-srv]--@443--[orenosp-cli]
[host-1@23]                      |                     :23  [client-2]
                                 |

Client-1 in LAN2 

In this configuration you will use "multiplexer" (mpx) mechanism to
let clients to connect to different services using a single port (443)
over the internet.


# configuration for orenosp-cli (in otunnel.conf)
tunnel_listen_name = pop3   0.0.0.0@110  raw
tunnel_listen_name = telnet 0.0.0.0@23   raw
tunnel_dest_name = orenosp-srv   orenosp-srv-host:443  ssl  -mpx=sslvpn
tunnel_pass_by = lis pop3    orenosp-srv  -mpxlabel=host1:110
tunnel_pass_by = lis telnet  orenosp-srv  -mpxlabel=host1:23


# configuration for orenosp-srv (in sproxy.conf)
tunnel_listen_name = mpx   0.0.0.0@443  ssl -mpx=sslvpn
tunnel_dest_name = lan-pop3   host1:110  raw
tunnel_dest_name = lan-telnet host1:23  raw
tunnel_pass_by = label host1:110  lan-pop3
tunnel_pass_by = label host1:23   lan-telnet



Multiplexer and labels
----------------------

Continueing with example-1 in the above, I will explain how multiplexer(mpx)
and mpx lables are used.

- orenosp-cli accepts a non-SSL (raw) connection from a client on 
  port 110 (pop3).
- it establishes an SSL connection to orenosp-srv-host:443.
- it sends the following a pseudo-HTTP command over SSL to orenosp-srv:

  SSLVPN host1:110 HTTP/1.1
  <other headers...>
  <end-of-HTTP-headers>

- orenosp-srv replies with the following HTTP status:

  HTTP/1.1 200 OK
  <other headers...>
  <end-of-HTTP-headers>

- orenosp-srv then starts forwarding all packets to the destination
  lan-pop3 (which is at host1:110).


The argument for SSLVPN command (URI part) is a label.  The label is used
in determining a destination port to forward the connection to.
It is used in "tunnel_pass_by" label mode.

Note that a label can be any ASCII string with max length of 64 bytes.
In the above example, "host1:110" is used as a label, but you can also
use virtual path style labels, such as "/host1/pop3".


Access Control and Usesr Authentication
---------------------------------------
In example-1 there is no restriction on who can connect.

First, each tunneling port (defined by tunnel_listen_name) can be 
protected by IP-based access control.  See "IP-based Access Control"
in SPR parameter reference down below for details.

In the example-1, you could specify a range of client IP addresses:

tunnel_listen_name = mpx   0.0.0.0@443  ssl -mpx=sslvpn \
                     -ip_allow="aa.bb.cc.dd/24"


The second option is to use a pair of username and password that will
be passed along in an SSLVPN command.

In the example-1, you can have orenosp-srv to authenticate peer's
(orenosp-cli's) identity.

In the server side config (sproxy.conf), you can specify user auth info
in listen port definitions.

tunnel_listen_name = mpx   0.0.0.0@443  ssl -mpx=sslvpn \
                     -mpxusers="user1:pass1,user2:pass2"

In the client side config (e.g., otunnel.conf), you specify username
and password in -auth= option in tunnel_pass_by.

tunnel_pass_by = lis pop3  orenosp-srv -mpxlabel=host1:110 -auth=user1:pass1

As you can see this auth mechanism works only if the listen port is
configured for SSLVPN (-mpx=sslvpn).  Also note that this access restriction
is applied per listen port basis, not label(i.e. service), basis.

You probably want to use HTTPS proxy integrated mode, described below.


HTTPS proxy integrated mode
---------------------------
If you need to use a single port (443, for example) for both HTTPS
reverse proxy and SSL port-forwarding purposes,  you need to use HTTPS proxy 
integrated mode.  In this mode, HTTPS proxy accepts SSLVPN command
in addition to regular HTTP commands and pass the connection to
SPR (tunneling) module for SSL port forwarding.

An advantage of integrated mode other than using a unified port
for HTTPS and SPR is that you can use existing authentication
and logging facilities in the proxy.

As noted earlier, a mpx label can be any form, so you can use 
virtual path style labels.

To enable integrated mode add the following parameter.  You can
specify multiple instances of the parameter for multiple labels.
Note that you have to specify the same label twice, once in proxy_sslvpn_label
and once in tunnel_pass_by.

  proxy_sslvpn_label = <mpx-label-1> 

  e.g., 
  proxy_sslvpn_label = /vpn/host1/pop3
  proxy_sslvpn_label = /vpn/host1/telnet

Since 0.8.5, you can also specify an wild-card extended-url syntax instead of
proxy_sslvpn_label parameter:

  proxy_sslvpn_url = <extended-url-wc>

  e.g.,

  proxy_sslvpn_url = /vpn/*
    or
  proxy_sslvpn_url = lis-ssl://vhost1.example.com/vpn/*   


All SSLVPN requests having host header and path part that match
<extended-url-pattern-wc> are passed to SPR (tunneling) module.

examples

-- parameter --
proxy_sslvpn_url = https://vhost1.example.com/vpn/*   

-- HTTP request --
SSLVPN /vpn/host1/rdp  HTTP/1.1
Host: vhost1.example.com

==> pass connection to SPR with "/vpn/host1/rdp" as label



For authentication, use HTTP basic authentication

  proxy_auth_path = <mpx-label>  ...
or
  proxy_auth_url = <mpx-label> ...


SSLVPN commands are logged in proxy access.log files.


example-2 (SSL port forwarding with unified port)
---------
A multiplexing SSL-port-forwarding case with unified port (443) that
accepts: 1) HTTPS requests (reverse proxy), 2) SSLVPN requests (SSL
port-forwarding) for pop3 and telnet.


# configuration for orenosp-srv (in sproxy.conf)
#
# --- proxy settings ---
#

#                   <lisname> <lisport>     <protocol> <options...>
proxy_listen_name = lis-ssl   0.0.0.0@443   https

# forward all requests received on lis-ssl to backend server (localhost:80)
proxy_pass_by = lis  lis-ssl  http://localhost

# other necessities
proxy_ssl_keypass = orenosp

# proxy to tunneling gateway
proxy_sslvpn_label = /vpn/host1/pop3
proxy_sslvpn_label = /vpn/host1/telnet

# authenticate users for both HTTPS and tunneling.  any path that starts with
# "/" will be subject to this authentication
proxy_auth_path = /   -u="user1:pass1,user2:pass2"

#
# --- tunneling settings ---
# Notice there's no tunnel-specific listen port defined (tunnel_listen_name)
# 
tunnel_dest_name = lan-pop3   host1:110  raw
tunnel_dest_name = lan-telnet host1:23  raw

tunnel_pass_by = label /vpn/host1/pop3     lan-pop3
tunnel_pass_by = label /vpn/host1/telnet   lan-telnet



# configuration for orenosp-cli (in otunnel.conf)
tunnel_listen_name = pop3   0.0.0.0@110  raw
tunnel_listen_name = telnet 0.0.0.0@23   raw
tunnel_dest_name = orenosp-srv   orenosp-srv-host:443  ssl  -mpx=sslvpn
tunnel_pass_by = lis pop3    orenosp-srv  -mpxlabel=/vpn/host1/pop3 \
                 -auth=user1:pass1
tunnel_pass_by = lis telnet  orenosp-srv  -mpxlabel=/vpn/host1/telnet \
                 -auth=user1:pass1


Access Logging
--------------

There are two types of access logs.  One type is primarily used for
logging access attempts to the system (intended for security audit).
The other is used for collecting session duration and other resource
related information (intended for statistics).
The former is called access log and the latter is called session log.

- Access log 
If you are using only the proxy integrated mode, access attempts to
the tunneling are logged into proxy's access log.  The HTTP command is
"SSLVPN <label>".

If you use SPR's own listener (tunnel_listen_name), access attempts
to that listen port will be logged into "spr_access.log".


- Session log
Regardless of whether you use proxy integrated mode or not, SPR's session
log will be "spr_session.log".

Session log format:

  end-date end-time client-ip listener "label" port-local proto port-remote proto sess-time recv-bytes send-bytes <other-internal statistics...>



example-3 (SSL-enabling servers for native SSL clients)
---------
This is not an SSL port-forwarding, but rather it is used to SSL-enable
non-SSL server programs.

This example wraps up existing POP3 and telnet services to accept
POP3 over SSL and telnet over SSL connections.


internal LAN                |    internet
                            |
[host-1@110]                |       +- [ssl-enabled-client-1]
                   [orenosp@995,992]+
[host-1@23]                 |       +- [ssl-enabled-client-2]
                            |

The only way to differentiate services is by using different port numbers.
That is to say that the orenosp in the LAN/DMZ must have several ports open
(995 and 992 in this example).


# part of configuration for orenosp (in sproxy.conf)
tunnel_listen_name = pop3s   0.0.0.0@995  ssl
tunnel_listen_name = telnets 0.0.0.0@992  ssl
tunnel_dest_name = lan-pop3   host1:110  raw
tunnel_dest_name = lan-telnet host1:23  raw
tunnel_pass_by = lis pop3s    lan-pop3
tunnel_pass_by = lis telnets  lan-telnet

In the example-3, there can be no additional user authentication except
for using SSL client certificate authentication (which will be supported
in later versions).


example-4 ("unSSLifying" HTTPS servers)
---------
This case is a reverse operation of example-3, i.e, tunneling lets non-SSL
client to talk to SSL servers.  Useful when testing SSL servers with telnet
client program.
You can run this either in orenosp or otunnel, but since this is typically
used for testing, it's easier to run it in otunnel.

# part of configuration for otunnel (in otunnel.conf)
tunnel_listen_name = lis-http  0.0.0.0@9999  raw
tunnel_dest_name = lan-https   host1:443     ssl
tunnel_pass_by = lis lis-http  lan-https


example-5 (simple TCP to TCP relay, for already-SSL enabled client/servers)
---------

# relay RDP traffic on 9999 to host1:3389
tunnel_listen_name = lis-some  0.0.0.0@9999  raw
tunnel_dest_name = host1-rdp   host1:3389    raw
tunnel_pass_by = lis lis-some  host1-rdp



SSL Profiles
------------
An SSL profile is a set of SSL related parameters that you can assign
to either a listen port (server-side) or connect port (client-side).
For details of SSL Profiles see Orenosp Users Guide.

-- server-side profiles used --
In HTTPS proxy integreated mode, the SSL profile specified in proxy_listen_name
parameter is used.  If none is specified, the default server profile ("svdflt")
is assumed.

When using SPR dedicated listen port, it always defaults to the default server
profile ("svdflt").  This will be enhanced in future versions.

-- client-side profiles used --
It always uses the default client profile ("cldflt").  This will be enhanced in
future versions.  You need to use client-side profile if otunnel needs to
specify client certificate and private key to use SSL client authentication.


Please note that parameters used to define SSL profiles are different between
orenosp (sproxy.conf) and otunnel (otunnel.conf):

orenosp: (in sproxy.conf)
  proxy_sslprof_<profname>_XXX = ...

otunnel: (in otunnel.conf)
  tunnel_sslprof_<profname>_XXX = ...



SSL Client Authentication
-------------------------
SSL Client Authentication can be enabled / disabled per a server SSL profile.

- Server Side Config
If you are using HTTPS proxy integreated mode, follow the instructions
in Orenosp Users Guide.

If you are using SPR's own listen port, in many cases it may not be possible.
This is because the current version of SPR always use the default server
SSL profile "svdflt" which is shared by HTTPS proxy.


- Client Side Config

If you are using TnApplet, see TnApplet section below.

The current version otunnel always uses the default client SSL profile "cldflt".
Put the following parameters in otunnel.conf.

  tunnel_sslprof_define = cldflt
  tunnel_sslprof_cldflt_ptype = client
  tunnel_sslprof_cldflt_svauth = none
  tunnel_sslprof_cldflt_cacertstore = os
  tunnel_sslprof_cldflt_mycertstore = file ssl.crt/client.crt ssl.key/client.key
  tunnel_sslprof_cldflt_keypass = <password-for-client.key>


To extract client certificate and private key from a pkcs#12 file:
> openssl pkcs12 -in client.p12 -out client.crt -clcerts -nokeys
> openssl pkcs12 -in client.p12 -out client.key -nocerts


For more on the Openssl tool, see certmemo_en.txt.


===================
Client Side Applets
===================

TnApplet
--------
This is a Java application that can also run as an applet in web browsers.
Minimum version required is Java 1.4.1.
This program is configured differently from otunnel.

In a regular configuration, tnapplet.jar is placed in
<ORENOSP_HOME>/_intmenu/vpn/.  When TnApplet starts up and the user tries
to log in, it tries to fetch tnlis.conf file on the gateway server.
tnlis.conf includes port-forwarding configuration and is placed 
usually at <ORENOSP_HOME>/_intmenu/vpn/tnlis.conf.  This directory must
be protected by HTTP basic authentication that shares username/password
information with the one that protects SSLVPN labels.  If TnApplet
successfully fetches tnslis.conf, the user is considered as logged in.
TnApplet then fires up listener threads to forward connections to the
gateway.


TnApplet can be run in three different configurations:

1) runs as an applet in a web browser using Sun Java Plugin
   a user needs to have Java 1.4.1 or higher enabled in his/her browser.

   <ORENOSP_HOME>/_intmenu/vpn/tnapplet.html  (uses APPLET tag)
   <ORENOSP_HOME>/_intmenu/vpn/tnapplet2.html (uses OBJECT tag)

2) runs as a Java Web Start application
   a user needs Java Web Start that comes with Java 1.4.2.

   <ORENOSP_HOME>/_intmenu/vpn/tnapp.html
   <ORENOSP_HOME>/_intmenu/vpn/tnapplet.jnlp

   You need to modify tnapplet.jnlp to suit your environment, i.e.,
   change two URLs in that file.

3) runs as a standalone Java application
   a user needs to download tnapplet.jar and jtunnel.conf into a local
   folder.

   >java -cp tnapplet.jar TnApplet
   
   jtunnel.conf should include the URL of tnlis.conf.  Users can also
   specify their proxy in jtunnel.conf.

   ---
   gateway = https://external.example.com/_intmenu/vpn/tnlis.conf
   #gateway_proxy = www-proxy:8080
   ---

To run as a browser applet or a Java Web Start application, TnApplet must
be a signed applet/application.  tnapplet.jar as distributed is signed
by a self signed certificate.  This self signed certificate is included
in Orenosp package as "tnapplet_selfcert.cer".  You can re-sign tnapplet.jar
with more appropriate certificate if you have one.


- Multiple versions of tnlis.conf

You may want to provide different versions of tnlis.conf depending on
the client OS that the user is using.  For example, you may want to
direct Linux/MacOS X users to use tunneling ports that are above 1024
while letting Windows users to use applicaions' default ports that are
below 1024.

As an applet, TnApplet has an applet parameter "gateway" to specifiy
the URL for a tnlis.conf:

  <param name="gateway" value="https://external.example.com/_intmenu/vpn/tnlis2.conf">

The above must be placed between <applet> and </applet> tags.


As an application, TnApplet accepts the first command line argument as
the URL for a tnslis.conf.

   >java -cp tnapplet.jar TnApplet https://external.example.com/_intmenu/vpn/tnlis2.conf

As an application, you can also put the URL of tnslis2.conf in jtunne.conf.


   gateway = https://external.example.com/_intmenu/vpn/tnlis.conf



- SSL Client Authentication

Because the SSL Client Authentication support in Sun Java Plugin 1.4.x is
somewhat lacking, deployment scenario is complicated to end-users and/or
not very secure.

Common configuration:

Path to Keystore file : 
  a file that contains client's certificate and private key
Type of Keystore file : 
  specifies format of the keystore file.
  PKCS12 : a file with .p12 or .pfx extension is typically this format.
           this format is used by many personal certificate issuer.
           gencert included in Orenosp also generates files in this format.
  JKS : a standard Java keystore which "keytool" included in J2SDK uses.
Password for Keystore file or private key in the Keystore file :
  a password for PKCS12 keystore.
  a keystore password for JKS keystore. (assumes key password is the same).

Note: In Java 1.4.x, not all PKCS#12 files can be used because PKCS#12 support
is limited in encryption methods supported.  For example you cannot use
a PKCS#12 file created by EasyCert.


As a standalone application: 
Use the button "SSL Client Auth Setting" to specify the three required
items.  For the path to Keystore file, you can pre-set it in jtunnel.conf
using the following parameter:

  ssl_clauth_mycert_path = c:\\mycerts\\pfxmine.p12


As a Web Start application:
As of Java 1.4.2, this is not supported.

As an applet:
A big problem is that both Java Plugin and Java Web Start in 1.4 try to load
an applet JAR file using Java Runtime which won't prompt for a keystore
information required for SSL Client authentication.

There are two possible ways.  

1) Tell JRE beforehand about which keystore to use and its password.

Open Java Plug-in from Control Panel and select "Detail" tab.  Put the 
following into parameters:

-Djavax.net.ssl.keyStore=<keystore-file> -Djavax.net.ssl.keyStorePassword=<password> -Djavax.net.ssl.keyStoreType=<type>

where <keystore-file> is a full path to keystore file, <password> is a password
for the keystore and <type> is either PKCS12 or JKS.  Note that you cannot use
a pathname that contains a space (like d:\Documents and Setting...).

Example:
-Djavax.net.ssl.keyStore=c:\tnapplet\mycert.p12 -Djavax.net.ssl.keyStorePassword=mypwd -Djavax.net.ssl.keyStoreType=PKCS12

Once you set this, restart the browser and point to the applet page.  If the
applet successfully starts up, then it means your certificate is authenticated
by the orenosp gateway.  You do not re-specify the key info using "SSL Client
Auth Settings" button because TnApplet automatically uses the existing key info.

The above procedure is too complicated and thus error-prone to end-users.
It is also insecure because users would store their own certificate's private
key along with its protection password in the clear text.  I also noticed
that many third party Java applets that use SSL will break when this setup
is done in Java plug-in.  Using this method is strongly discouraged.


2) Store tnapplet.jar where SSL client authentication is not required.
See the following example:

--- /_intmenu/vpn/tnapplet3.html ---
<p align="center">
<applet code="TnApplet.class" archive="tnapplet.jar"
  codebase="http://hp.vector.co.jp/authors/VA027031/orenosp/"
  width="400" height="400">
</applet>
--- end ---

This will direct the browser to load tnapplet.jar on Orenosp homepage.
Then, when the applet successfully starts up, you should specify the required
keystore information by pressing "SSL Client Auth" button.



otunnel
-------
otunnel is a Windows command prompt program to act as an SSL tunneling
applet.  This program is configured differently from TnApplet.  It uses
otunne.conf file located on the client side.

otunnel is separately distributed from Orenosp package.
(get http://home.comcast.net/~makataoka/otunnel031.zip)


orenosp.exe
-----------
You can also use orenosp.exe as a client-side SSL tunneling if you want
to set up a permanent SSL VPN connection.

- install Orenosp onto the client machine or just make a 2nd instance by
  copying all the files.
- starting with default sproxy.conf, add the contents of your otunnel.conf
  into sproxy.conf.
- you may need to tweek some params. (see below)


--- sproxy_as_tunneling_client.conf ---
# sample sproxy.conf when using orenosp.exe as SSL tunneling client

# these params are not used, 
proxy_listen_name = lis-dummy   0.0.0.0@56789   http
proxy_pass_by = lis-dummy  http://byebye/

# --- main switch to turn on SPR (tunneling module) --
tunnel_enable = 1

# You can copy all params from otunnel.conf to here.

--- end ---



========================
SPR Parameters Reference
========================
All parameters described here apply to both sproxy.conf and otunne.conf
except where it is stated otherwise.


# --- main switch to turn on SPR (tunneling module) --
# tunnel_enable = 1

# trace level for debugging
# tunnel_trace_level = 1


# --------------------------------------
# Define a listen port for SSL tunneling
# --------------------------------------
#
# tunnel_listen_name = <lis-name> <listen-port> <proto> <options>
#
# <lis-name> is a name you give to the listen port you are defining.
# <listen-port> is a listen-port-specifier.
# <proto> can be either "ssl" or "raw".  If this listen port is to except SSL
#   connections use "ssl".  "raw" is used for simple relaying.
#
# <options> : optional parameters
#
# -mpx=sslvpn : this option must be used if this listen port is to accept
#  SSLVPN command for multiplexing and authentication.
#
# -mpxusers="username:password,..." : list of users and passwords, separated
#  by ':'.  for example, -mpxusers="user1:pass1,user2:pass2"
#  NOTE: this access restriction is effective only if SSLVPN is enabled
#  on the listen port (-mpx=sslvpn).
#
#  Alternatively, you can have reverse proxy module to also accept SSLVPN
#  requests.  See "HTTPS proxy integrated mode" in ssltunnel_en.txt.
#
# -ip_allow="ap1,ap2,..."
# -ip_deny="ap5,ap6,..."
# -ip_order={ allow-deny | deny-allow }
#  These options control client's access to the listen port by their IP
#  addresses (IP-based Access Control).
#  Please refer to "IP-based Access Authorization" in sproxy_full.txt for
#  details.


# ----------------------------------------------------
# Define a destination to relay/tunnel connection data
# ----------------------------------------------------
#
# tunnel_dest_name = <dst-name> <connect-port> <proto> [-mpx=sslvpn] \
#                    [-proxy=<proxy-spec>] [-proxyuser=<user-passwd>]
#
# <dst-name> is a name you give to the destination you are defining.
# <connect-port> is a regular "host:port" style connect-to specifier.
# <proto> can be either "ssl" or "raw".  If the destination service expects SSL
#   connections use "ssl", use "raw" otherwise.
#
# -mpx=sslvpn : this option must be used if the destination service expects
# SSLVPN command for multiplexing and authentication.
#
# -proxy=<proxy-spec> : specify HTTPS CONNECT proxy server if required.
#                       <proxy-spec> is host:port.
# -proxyuser=<user-passwd> : username/password for proxy
#  Specify username and password for HTTPS CONNECT proxy server.
#  Specify it as username:password.  Authentication method supported is
#  HTTP Basic only.


# ----------------------------------------
# Define rules for determining destination
# ----------------------------------------
#
# tunnel_pass_by = <method> {<lis-name>|<label>} <dst-name> [-mpxlabel=...] \
#                  [-auth=<username>:<passwd>]
#
# destination can be determined based on either the listen port that accepted the
# connection or the "mpx label" that the connection passes during SSLVPN initial
# handshake.
#
# <method> : 
#  "lis" : pass by listener name
#
#  "label" : pass by mpx label
#
# <lis-name> : name of listen port
# <label> : mpx label (can be any ASCII string up to 64 bytes)
# <dst-name> : destination to which we forward connection
#
# -mpxlabel=<label> : label that is passed along with SSLVPN command to
#   connect to the destination.
# -auth=<username>:<passwd> : username and password for SSLVPN that require
#   user authentication.
#
# Note that there are two label-related settings in this parameter.  They exist
# for different purposes.
# Typically, SSLVPN server-side tunneling uses pass-by-label mode and <label>.
# SSLVPN client-side tunneling uses pass-by-lis mode and -mpxlabel=<label>
# and -auth=<username>:<passwd>.

# ----------------------
# SSL Profile parameters
# ----------------------
#Please note that parameters used to define SSL profiles are different between
#orenosp (sproxy.conf) and otunnel (otunnel.conf):
#
#orenosp:
#  proxy_sslprof_<profname>_XXX = ...
#
#otunnel:
#  tunnel_sslprof_<profname>_XXX = ...
#
#Refer to sproxy_full.txt for details on SSL profiles.
#


=========================
SPR Trouble-Shooting Tips
=========================

- You are using HTTPS proxy integrated mode.  On the server side,
  proxy's access log shows:

    "SSLVPN <label> HTTP/1.1" 404 0

  -> 404 is NOT_FOUND error, so most likely the label you specify is not
     found in sproxy.conf settings.

     - Do you have "proxy_sslvpn_label = <label>" parameters?
     - Do you have "tunnel_proxy_by = label <label> ..." parameter?

     - On the client side, do you have the following parameter?
       (if you are using otunnel.exe)

       "tunnel_pass_by = lis <listener> <dest-name> -mpxlabel=<label>"


EOF