SSL Web Proxy
The Vigor2930, Vigor2950 and VigorPro 5500/5510 series routers support an SSL Web Proxy function that lets users access internal servers securely over the Internet. We provide a general user application as a reference, including a case description and the configuration on the Web interface. Two modes are supported in this feature: Secured Port Redirection mode and SSL mode. Please refer to the following introduction for the related application and configuration.
Introduction
Generally, to access an internal web server that sits behind a NAT router, you have the following two methods:
1. Open relevant ports (Usually TCP 80) on the router.
2. Connect a traditional VPN tunnel (PPTP, L2TP or IPSec) to the router.
Drawbacks of the above methods:
1. If the web server contains private or restricted information that only authorized users may access, an open port is a potential security hole that attackers can exploit for intrusion or file transfer. In this case, most administrators do not choose to open a port.
2. There are many blocking issues involving VPN connections, such as GRE blocking or ESP/AH blocking, and there are many IPSec NAT incompatibility problems. So if you are on a business trip, it frequently happens that you cannot connect a VPN to your company's router because of the router/firewall in the hotel, airport, etc.
Advantages of SSL Web Proxy Secured Port Redirection mode:
It works like Open Port, but the port opened by the router is random and temporary. The random port is opened when the session is established and closed when the connection is dropped.
SSL mode:
It uses HTTPS to establish a secure connection, so it is far less affected by port blocking. There is no NAT incompatibility problem, no static IP is required, and no VPN client is needed.
Figure 1
OTRS is a work system that only the Support department is permitted to access. Gforge is another system that the Support, Sales, R&D and other departments are permitted to access. Both systems are based on web services. User A belongs to the Support department and User B belongs to the Sales department. They are on business trips and need to access the systems from the Internet.
Configurations on the Router :
2. Enter the following:
·Enter a name for the OTRS system.
·If the web server is allowed to be accessed directly by IP address, you may input the format http://ip/directory in the URL field. Here: http://172.17.1.40/login.pl
·If you have input an IP address in the URL field, you need not set up the Host IP Address field. In fact you will find it is grayed out.
·Select "Secured Port Redirection".
3. Enter the following:
·Enter a name for the Gforge system.
·If the web server can only be accessed by domain name, you have to input the format http://domain_name/directory in the URL field. Here: http://swm.gforge.com
·Select "Secured Port Redirection".
5. Enter the following:
·Enable the account.
·Set up the username/password for User A.
·It is not required, but you had better disable all the VPN services in this profile. Otherwise users can also connect a VPN to your router by using this account.
·Enable SSL Web Proxy, then enable relevant web servers (here both OTRS and
6. Enter the following:
·Enable the account.
·Set up the username/password for User B.
·It is not required, but you had better disable all the VPN services in this profile. Otherwise users can also connect a VPN to your router by using this account.
7. Go to the System Maintenance >> Management page and make sure the HTTPS Server is enabled. If you do not want to use the standard TCP port 443, change the port as follows. Here we change it to 4443.
Steps for User A to use web proxy :
1. Open a web browser (IE or Firefox) and go to the following URL: https://210.243.151.187:4443
confidence by pressing the Yes button.
3. A login window pops up. Input the username and password for User A.
5. This page lists all the web sites that you are allowed to access. In this example they are OTRS and Gforge for User A. But you are still not able to access them for the moment. There is an "Activate" button for each web server; pressing it opens a random port and a session to the internal server. Press the "Activate" button for the server you would like to access.
The Gforge system.
Steps for User B to use web proxy :
The steps are identical to the ones listed above. Just notice that after logging in successfully, the SSL Web Proxy page lists only the Gforge system for User B.
Limitations of Secured Port Redirection
1. It only supports web services.
2. The web servers must be within the same subnet as the Vigor router, and they must point their default gateways to the Vigor router. Here the Vigor router is the SSL Web Proxy.
Application Note (SSL mode)
the same subnet. The Web Mail server is another system which is also behind the Vigor2950 but in a different subnet from the Vigor2950. User A is on a business trip and needs to access both systems from the Internet.
Configurations on the Router :
1. Go to the SSL VPN >> SSL Web Proxy page and set up two entries.
2. Enter the following:
·Enter a name for the OTRS system.
·If the web server is allowed to be accessed directly by IP address, you may input the format http://ip/directory in the URL field. Here: http://172.17.1.40/login.pl
·If you have input an IP address in the URL field, you need not set up the Host IP Address field. In fact you will find it is grayed out.
3. Enter the following:
·Enter a name for the Web Mail.
·If the web server can only be accessed by domain name, you have to input the format http://domain_name/directory in the URL field. Here: http://ms.mailserver.com
4. Go to SSL VPN >> User Account page and add an account for User A.
5. Enter the following:
·Enable the account.
·Set up the username/password for User A.
·It is not required, but you had better disable all the VPN services in this profile. Otherwise users can also connect a VPN to your router by using this account.
WebMail) for User A.
Steps for User A to use web proxy :
1. Open a web browser (IE or Firefox) and go to the following URL: https://218.242.130.126:4443
3. A login window pops up. Input the username and password for User A.
5. This page lists all the web sites that you are allowed to access. In this example they are OTRS and WebMail for User A. Now you are able to access them by clicking the
Secured Port Redirection vs SSL
1. They both only support web services.
2. Secured Port Redirection mode only works if the web servers are within the same subnet as the SSL Web Proxy. SSL mode does not have this limitation.
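As an added illustration (not DrayTek's code; the 172.17.1.0/24 LAN subnet, the random port range and the Gforge/WebMail host addresses are assumptions), the following Python model captures the access rules this note describes: a per-account list of permitted servers, a random temporary port that is opened on Activate and closed when the session is dropped, and the same-subnet restriction that applies to Secured Port Redirection but not to SSL mode.

```python
import ipaddress
import random

# Constructed model of the SSL Web Proxy access control described in the note.
# Illustration only, not firmware code; the subnet and port range are assumed.
LAN = ipaddress.ip_network("172.17.1.0/24")   # assumed Vigor LAN subnet
REDIRECT_PORTS = range(49152, 65535)          # assumed random port range


class SslWebProxy:
    def __init__(self):
        self.servers = {}    # name -> (url, host_ip, mode)
        self.accounts = {}   # user -> (password, set of allowed server names)
        self.logged_in = set()
        self.sessions = {}   # (user, server) -> temporarily opened port

    def add_server(self, name, url, host_ip, mode):
        # Secured Port Redirection only works for hosts on the router's own subnet;
        # a server in another subnet must use SSL mode instead.
        if mode == "redirect" and ipaddress.ip_address(host_ip) not in LAN:
            raise ValueError(f"{name}: {host_ip} is outside {LAN}; use SSL mode")
        self.servers[name] = (url, host_ip, mode)

    def add_account(self, user, password, allowed):
        self.accounts[user] = (password, set(allowed))

    def login(self, user, password):
        pw, allowed = self.accounts.get(user, (None, set()))
        if pw != password:
            raise PermissionError("bad credentials")
        self.logged_in.add(user)
        return sorted(allowed)   # the list shown on the SSL Web Proxy page

    def activate(self, user, server):
        # Pressing "Activate": only a logged-in user, only for a permitted server.
        if user not in self.logged_in or server not in self.accounts[user][1]:
            raise PermissionError(f"{user} may not access {server}")
        if self.servers[server][2] == "ssl":
            return None          # served inside the HTTPS session, no extra port
        in_use = set(self.sessions.values())
        port = random.choice([p for p in REDIRECT_PORTS if p not in in_use])
        self.sessions[(user, server)] = port
        return port

    def drop(self, user, server):
        # Dropping the session closes the random port again.
        return self.sessions.pop((user, server), None)

    def open_ports(self):
        return set(self.sessions.values())
```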