Date: 2006-10-08 Source: mzwindy
A DIY SSL VPN with SSL-Explorer - Part 2
Introduction
At a Glance
Product: 3SP Ltd. SSL Explorer "Community" Edition SSL VPN 0.2.4
Summary: Multi-featured open source browser-based SSL VPN server
Pros:
- Easy to install and set up
Cons:
- Some advanced capabilities are reserved for the "Enterprise" ($) edition
Remote access to a home or work PC is almost a requirement these days, especially if you telecommute. Unfortunately, navigating the plethora of remote access solutions available today can be a daunting task. Today most organizations require data to be secured in some fashion (i.e. encrypted). The standard accepted way of deploying remote access to users has been some sort of virtual private network (VPN) solution.
Traditionally, IPsec and PPTP VPNs have been used to provide secure network access for mobile users by providing an encrypted tunnel for data. These VPNs can provide a remote user with an actual "local" IP address, which essentially makes the user's PC a node on the local network. The user then has access to any of the resources on the local network with the exception of any restrictions enforced by the VPN server.
Unfortunately, VPN protocols by nature are very sensitive to hardware and network changes (IPsec especially) and require the installation of specialized client software. With such complexity, it can be very difficult to troubleshoot what is wrong when it breaks. Nobody likes fielding the phone calls of frustrated VPN users who can't connect or reliably sustain a connection back into a company network.
If any of these issues sound like situations to avoid, then let me introduce you to a new type of VPN, which I believe offers the best of connectivity without all of the complexity. Secure sockets layer (SSL) VPNs have really begun to take the IT community by storm, in part due to their inherent ease of installation as opposed to the complexity of a traditional VPN setup. Most require only a Web browser and a small applet or ActiveX control to support the tunneling features.
Don't be led to believe that only Web based applications can be served up through an SSL based VPN. In reality, an SSL-based VPN can offer the same services which you could access through a traditional IPsec based VPN through the implementation of a secure tunneling mechanism.
In this two-part series, we will explore a very popular open source SSL VPN from 3SP Ltd. called SSL Explorer. SSL Explorer can give you the ability to securely access your files remotely, access private intranet resources and even remotely control your PC desktop just by using a Java-enabled Web browser. Part 1 will cover SSL Explorer's feature set and installation. Part 2 will then show you how to configure SSL Explorer for some common road-warrior tasks.
Features And Hardware Requirements
SSL Explorer is actually available in two flavors: the basic "Community" edition and an enhanced "Enterprise" edition. Complete feature lists for each version are available at 3SP's Website, but here are a few to whet your appetite:
"Community" edition features
- Granular policy-based rights management
- No concurrent user restrictions
- Remotely browse Windows file systems via Windows Explorer
- Reverse proxy Web forwarding feature
- Configurable authentication schemes
- Access your desktop remotely
- Connect using any modern Web browser
- No dedicated appliance necessary
- Supports Wake-On-LAN - bring up systems remotely
- Supports Microsoft Windows XP/2000/2003 and Red Hat Linux 8.0 or later (other Linux distributions are unofficially supported)
"Enterprise" edition features (in addition to "Community" features)
- Commercially supported
- Enhanced Authentication including SSL client certificate, LDAP, public-key
- Bi-directional split-tunneling
- Full auditing and reporting capabilities
- Lightweight remote management applets supporting SSH1, SSH2, Telnet and VNC remote access protocols
- SSH-based remote management CLI (alpha)
One other important difference is that the Java VPN client included in the "Enterprise" edition provides a connection more like a conventional IPsec VPN as opposed to the port forwarding/tunneling functionality of the Java VPN client included in the "Community" edition.
Commercial support plans are available for a fee for both the "Community" edition and the "Enterprise" edition of SSL Explorer. Visit the 3SP Ltd. Website for more details on the support options available.
For the purposes of this article we'll be looking at the free "Community" edition.
The SSL Explorer software package can turn a humble PC into a full-fledged SSL VPN gateway. SSL Explorer software is released under the GPL and is written in Java. All that is needed for a PC to become a server is Windows 2000/XP/2003 and the Java Runtime Environment 5.0 (JRE). It is also possible to install it on Linux distributions such as Red Hat and Fedora. However, for this article, we will concentrate on the Windows platform.
All that is required on the client side is a Java-enabled Web browser such as Microsoft Internet Explorer or Mozilla Firefox. As far as hardware requirements go, SSL Explorer will run on a very humble PC. It will easily accommodate one to five concurrent users running on a Windows XP box with a 2 GHz Intel Celeron CPU with 256 MB RAM. You can actually get away with even a little less if you choose to install it onto Linux instead of Windows.
Prepare For Installation
The "Community" edition of SSL Explorer is distributed as an archive file with source code that needs to be compiled using the Apache ANT utility, available at ant.apache.org. You will also need the 1.5.0 Java Runtime Environment (JRE), which is available at java.sun.com. Make sure that the JRE package you download is version 1.5.0 or higher. Both Apache ANT and SSL Explorer require the JRE, as both are Java applications.
Download and install the JRE first, then install Apache ANT. ANT does not come with an installer, so we just need to extract the contents of the archive file into a suitable place on our system. If you wish, you can use "C:\Program Files\Apache ANT" as I did.
After the installs are done, we need to set up some environment variables so that our system can find the ANT and Java binaries. Go to the Windows Control Panel and select the System icon. Once the System Properties window is displayed, select the Advanced tab, click on the Environment Variables button and do the following:
1. Create a new system variable called ANT_HOME and make its value the directory location of ANT. On my machine I placed ANT in C:\Program Files\Apache ANT\apache-ant-1.6.5.
2. Next, we need to create another system variable called Java_HOME and we will make its value the directory location of the JRE. The JRE is installed in C:\Program Files\Java\jre1.5.0_07.
3. Lastly, we need to modify the PATH variable. Add the following to the PATH variable:
;%Java_HOME%\bin;%ANT_HOME%\bin;
The semicolons are there to separate the PATH entries. Now we can move on to the installation of SSL Explorer itself.
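As an added check, not part of the original article, the following batch file sets the three variables for the current command window only, using the paths assumed above (adjust them to your own install), and confirms that both tools can be found before you run ant install:

```batch
@echo off
rem Added example: session-only environment check before running "ant install".
rem The paths below are the ones used in this article; change them to match
rem where you extracted ANT and where the JRE installer put the JRE.
set "ANT_HOME=C:\Program Files\Apache ANT\apache-ant-1.6.5"
set "Java_HOME=C:\Program Files\Java\jre1.5.0_07"
rem Windows environment variable names are case-insensitive, so Java_HOME
rem also satisfies ant.bat, which looks for JAVA_HOME.
set "PATH=%Java_HOME%\bin;%ANT_HOME%\bin;%PATH%"

rem Fail early if either directory is wrong; a mistyped path is the usual
rem reason "java" or "ant" is reported as not recognized.
if not exist "%Java_HOME%\bin\java.exe" (
    echo Java_HOME does not point at a JRE: %Java_HOME%
    exit /b 1
)
if not exist "%ANT_HOME%\bin\ant.bat" (
    echo ANT_HOME does not point at an ANT install: %ANT_HOME%
    exit /b 1
)

rem Both tools must report a version; check that the JRE is 1.5.0 or later.
java -version
if errorlevel 1 exit /b 1
rem ant.bat is itself a batch file, so it must be invoked with "call".
call ant -version
if errorlevel 1 exit /b 1
echo Environment OK - run "ant install" from the SSL Explorer directory.
```

Because the variables are set only for this window, the permanent System Properties entries described above are still needed for the service to find Java after a reboot.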
Installation
Updated 7/25/2006
Go ahead and download the SSL Explorer "Community" edition package from sourceforge.net and unzip the package to a suitable directory. On my machine I used C:\Program Files\sslexplorer-0.2.4. Then copy tools.jar from C:\Program Files\sslexplorer-0.2.4\sslexplorer\lib to C:\Program Files\JAVA\jre1.5.0_07\lib folder.
Next, start up a command window (this can be accomplished by selecting Run from the START menu and typing cmd). Navigate to the SSL Explorer directory (cd C:\Program Files\sslexplorer-0.2.4) and type the following command to start the compile/install process: ant install.
The command window at this point should look similar to Figure 1.
Figure 1: Command line window after build completes (click image to enlarge)
ANT will chug away for a few minutes compiling Java source files and then it will attempt to launch a Web browser pointed at a special port (28080) on your machine. This special port is only used until you have set up the basic options for your install. You will configure your keystore and SSL certificate in this mode before placing the server into operation.
If you are installing SSL Explorer on a system with the Windows firewall enabled, then you will probably see a window similar to Figure 2 at least once.
Figure 2: Windows firewall message
Be sure to choose Unblock so that you will be able to configure the application through your Web browser. If SSL Explorer was successful at launching the Web browser, then you should see a screen similar to Figure 3.
Figure 3: Select certificate type (click image to enlarge)
If your computer did not bring up the Web browser automatically, then you should be able to open up a browser and connect to the setup page manually by using the following URL: http://127.0.0.1:28080.
Setup
Certificate Creation
The first step in the setup is choosing what SSL certificate to use. Figure 3 shows the option of either importing an existing certificate or creating a new untrusted certificate. The SSL certificate is used in the encryption of the traffic between SSL Explorer and your PC. We will create a new untrusted certificate ("untrusted" simply means that the certificate has not been digitally signed by a trusted certificate authority). Before creating the certificate we need to create a keystore password (Figure 4).
Figure 4: Create keystore password (click image to enlarge)
Next, we need to enter the information that identifies our certificate (Figure 5).
Figure 5: Create the certificate (click image to enlarge)
User Database, Super User, Webserver
You will now be presented with options for where to obtain the user database. SSL Explorer has the ability to authenticate against Active Directory and several other mechanisms. However, we will choose the "built-in" option (Figure 6).
Figure 6: Configuring a User Database (click image to enlarge)
Now we need to create a "Super User" account (Figure 7) to perform administrative tasks including creating new user accounts.
Figure 7: Create Super User account (click image to enlarge)
With that out of the way, we can now make changes to the Web server, such as the port number (Figure 8). We will leave all settings at the defaults on this screen and skip to the next section.
Figure 8: Configure Web Server screen (click image to enlarge)
Proxies, Extensions
The Configure Proxies step (Figure 9) is only necessary if you have a proxy server on your network (such as a Web proxy). We will again take the default settings and skip to the next section.
Figure 9: Configure Proxies screen (click image to enlarge)
Now we should be at the "Install Enterprise Edition" screen (Figure 10). We will once again skip to the next section, as we are not interested in the "Enterprise" edition right now.
Figure 10: Enterprise Edition screen (click image to enlarge)
Once we are at the "Install other extensions" section, we need to check the PuTTY box (Figure 11). Feel free at this point to check any other extensions that might be helpful in supporting additional services that you might like to use with SSL Explorer. In the next section, we will install another custom extension not on that list, called TightVNC.
Figure 11: Enable the PuTTY extension (click image to enlarge)
The last section of the install is a Summary page (Figure 12), which displays the choices that we have selected for our install. If you would like to change your mind about any of the previous setup options, now would be a good time to go back and make changes. Once you are confident of your settings, click the Finish button to apply the new settings.
Figure 12: Setup Summary (click image to enlarge)
Once the Install Complete screen (Figure 13) is displayed we can move on to creating user accounts, installing the TightVNC custom extension and setting up shortcuts to our network services.
Figure 13: Installation Complete (click image to enlarge)
Add Users
Before moving on to creating a new user, we need to install SSL Explorer as a service so that it will be started each time our PC is booted. From our command line window we can run ant install-service.
NOTE: If you have another program currently listening on port 443 then you will have to disable that program before SSL Explorer will start successfully.
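An added check, not from the original article, that identifies which process already owns TCP port 443 before you start SSL Explorer (the PID column of netstat -ano is available on Windows XP and 2003):

```batch
@echo off
rem Added example: find out what is listening on TCP 443 before "ant start".
rem "netstat -ano" prints each listener with the owning process ID (PID)
rem in the last column on Windows XP/2003.
echo Listeners on TCP port 443:
netstat -ano -p tcp | findstr /r /c:":443 .*LISTENING"
if errorlevel 1 (
    echo Port 443 is free - SSL Explorer can bind to it.
    exit /b 0
)

rem Map each PID to its image name so you know which program to stop
rem (typically IIS or another Web server with HTTPS enabled).
rem Column 5 of the netstat line is the PID; "^|" escapes the pipe for "for".
for /f "tokens=5" %%p in ('netstat -ano -p tcp ^| findstr /r /c:":443 .*LISTENING"') do (
    echo PID %%p belongs to:
    tasklist /fi "PID eq %%p"
)
echo Stop or reconfigure the program above, then run "ant start".
exit /b 1
```

Running the same netstat line again after ant start is a quick way to confirm that SSL Explorer itself is now the 443 listener.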
Now, let's put the server into operation by issuing ant start from the command line window (this is a one-time task, as once it is installed as a service it should be started automatically upon bootup). Pull up a browser and type in the following URL: https://localhost/. You should see a login screen similar to the one shown in Figure 14.
Figure 14: Login screen
Go ahead and log in as the "Super User" we previously created. If you type in the username and password combination correctly, then you should be rewarded with the Management Console screen (Figure 15).
Figure 15: Management console screen (click image to enlarge)
Click on the Accounts link under the Access Control menu and you will see a list of currently configured users on the system (Figure 16).
Figure 16: Accounts List screen (click image to enlarge)
In the upper right hand corner of the screen, select the Create Account link to create a new user for the system. I created a user called John Smith (Figure 17).
Figure 17: Create account screen (click image to enlarge)
Enter all the details for the new user. For the group, I entered Users and then clicked on the Add button. Next, click on the Save button to finalize the new user. After finalizing the new user account the system will ask you to assign a password (Figure 18).
Figure 18: Account password screen (click image to enlarge)
After clicking the Save button one more time you should be returned to the main Accounts screen. You should see both the "Super User" and the new user you created in the account list.
Figure 19: Accounts screen with new account (click image to enlarge)
Conclusion
SSL Explorer is now set up and ready to go. In Part 2, we'll walk through how to set up access to a remote network's shares. We'll also show you how to use SSL Explorer for remote desktop access to even a Windows XP Home machine.
In the meantime, if you can't wait to get going, you can explore these flash demos on 3SP's website.
A DIY SSL VPN with SSL-Explorer - Part 2
Introduction
At a Glance
Product: 3SP Ltd. SSL Explorer "Community" Edition SSL VPN 0.2.4
Summary: Multi-featured open source browser-based SSL VPN server
Pros:
- Easy to install and set up
Cons:
- Some advanced capabilities are reserved for the "Enterprise" ($) edition
Remote File Access
In Part 1, we got SSL Explorer installed and ready for action. In this last installment, we'll walk through how to set up access to a remote network's shares and show you how to use SSL Explorer for remote desktop access to even a Windows XP Home machine.
You can test everything that I'm about to describe on your LAN. But since the whole point of a VPN is secure remote access, you should take the time to open up port 443 on your router's firewall to the IP address of the computer that is running SSL Explorer.
Once you've set up the port forwarding, you'll access the SSL Explorer server by entering the IP address of your router's WAN port, i.e. the IP address assigned by your ISP, into your Web browser's address box. For most of us, this address changes occasionally, if not more often. So if you're going to be using remote access on a regular basis and don't have a static IP address from your ISP, it's a good idea to sign up for a dynamic DNS service.
One of the most basic tasks that remote users need to do is access remote shares. Let's tackle that first by setting up an application shortcut, which is a link to a service or application that is served up through the SSL Explorer encrypted tunnel.
For this example, we'll set up a shortcut to an internal SMB/CIFS file server on the local network called ANAKIN. In this case, the file server is a Linksys NSLU2 mini NAS with two USB hard drives attached to it. I have three shares on ANAKIN that I would like to make available to remote users via SSL Explorer. The first step is to click on the Network Places link under the Resource Management menu (Figure 1).
Figure 1: Network places screen (click image to enlarge)
Next, locate the Create Network Place link in the upper right hand corner of the screen and select it to start the process of defining our shares (Figure 2).
Figure 2: Create Network Place screen (click image to enlarge)
Enter the name and description details and proceed to the next screen where we fill in the network path details (Figure 3).
Figure 3: Network Place Path details (click image to enlarge)
Remote File Access, Continued
After entering the network path details, we move to the next screen to associate access policies with the Network Place (Figure 4).
Figure 4: Network place association (click image to enlarge)
In this example, we'll just add the Everyone policy. This brings us to the Summary screen (Figure 5).
Figure 5: Network Place Summary screen (click image to enlarge)
Here, we check the settings and then create the network place by clicking the Finish link. After the network place shortcut has been created you will be returned to the main Network Places menu (Figure 6). You will notice from the screenshot that I added all three of my shares.
Figure 6: Network places with shares created (click image to enlarge)
Since we're already logged in, we can just click on one of the shortcut links shown in Figure 6 and be presented with a GUI that allows us to transfer and manipulate files on the network shares we set up. Otherwise, we'd have to hit the login screen first, click on the Network Places link under the Resource Management menu and then open the desired share (Figure 7).
Figure 7: Network places screen (click image to enlarge)
If this is a little confusing, there's a great Flash demo on the 3SP site that walks you through all the tricks that the Network Places feature can perform.
Remote Desktop Connectivity Using TightVNC
The network shares example is just one of the many uses of the SSL Explorer package. In this section, I will describe a method for providing complete remote access to your Windows desktop using an open source package called TightVNC, coupled with the tunneling connectivity of SSL Explorer.
Many of you might ask: "Why do I need TightVNC? It looks like SSL Explorer already supports RDP through an included extension." Well, the short answer is that RDP is indeed supported and TightVNC is not absolutely necessary. Unfortunately, if RDP were the only remote desktop method available, many individuals would be left out in the cold. The most common example is that Windows XP Home does not include RDP support.
Also, whereas RDP is a proprietary protocol, VNC is very much a cross-platform protocol. This means that with a Windows TightVNC extension installed on your SSL Explorer box, you could access not only your Windows desktop but your Linux desktop and any other desktop for which you had a VNC server running. Another reason is that VNC is open source, so it is free and you can modify it if you so choose. SSL Explorer also comes with extensions that support many commercial desktop environments, such as the Citrix ICA client extension for those who have Citrix servers.
There will be three steps to setting up the TightVNC example:
1. Upload the custom TightVNC extension to the SSL Explorer install via the "Extension Manager".
2. Install the TightVNC application on the PC that you want to be able to access remotely.
3. Create the application shortcut, which will tell SSL Explorer how to connect to your PC.
Setup Step 1
First download the custom TightVNC extension. Extensions are packaged zipfiles that include specialized XML that tells the SSL Explorer Java VPN client what to do in order to utilize a specific service.
Next, we will need to click on the Extension Manager link underneath the Configuration menu (Figure 8).
Figure 8: Extension Store screen (click image to enlarge)
In the upper right hand corner of the screen in Figure 8, we want to select the Upload Extension link. This will change the screen to the one shown in Figure 9.
Figure 9: Extension upload screen (click image to enlarge)
Select the Browse button to select the location of the downloaded TightVNC extension on your local PC. Then select the Upload button to load the extension into the SSL Explorer installation.
Setup Step 2
Now we need to load the TightVNC server package onto the PC we wish to control. The package can be downloaded here. Once the download completes, install the application onto your PC. Make sure you allow the installer to install TightVNC as a service so that it can start automatically when the PC boots up. You will also need to set up a password for the server component of TightVNC. The setup tab can be found in the Show current user properties dialog box shown in Figure 10.
Figure 10: TightVNC server tab
The password you set up will be required anytime you wish to connect to your computer and control it from another VNC client (such as the TightVNC custom extension for SSL Explorer). Also be sure to check the allow loopback connections option under the Administration tab (Figure 11).
Figure 11: TightVNC administration tab
NOTE: Whereas SSL Explorer uses TCP port 443 for its communication, TightVNC by default will use TCP port 5900. So make sure any firewall software on the PC will allow incoming TCP connections to port 5900.
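An added example, not from the article, of opening TCP 5900 in the Windows XP SP2 firewall while limiting it to the address of the SSL Explorer server rather than to every host, since the SSL Explorer box is the only machine that needs to reach the VNC service directly (192.168.1.10 is an assumed LAN address):

```batch
@echo off
rem Added example: allow TightVNC (TCP 5900) through the Windows XP SP2
rem firewall, but only from the SSL Explorer server's address.
rem 192.168.1.10 is an assumed address; replace it with your own server's.
rem If TightVNC runs on the SSL Explorer box itself, the connection arrives
rem over loopback instead, which is why "allow loopback connections" is
rem ticked in Figure 11.
set SSLX_SERVER=192.168.1.10

rem scope=CUSTOM restricts the opening to the listed addresses; the default
rem scope=ALL would accept VNC connections from anywhere the PC is reachable.
netsh firewall add portopening protocol=TCP port=5900 name=TightVNC mode=ENABLE scope=CUSTOM addresses=%SSLX_SERVER%
if errorlevel 1 (
    echo Failed to add the firewall rule - run this from an Administrator account.
    exit /b 1
)

rem Verify the rule and its scope rather than assuming it took effect.
netsh firewall show portopening

rem Confirm the TightVNC service is actually listening on 5900.
netstat -an -p tcp | findstr /r /c:":5900 .*LISTENING"
if errorlevel 1 echo TightVNC is not listening on 5900 - check the service is started.
```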
Setup Step 3
Now we need to create the application shortcut that will ultimately define how SSL Explorer is to connect to the TightVNC service on our PC. Click on the Applications link underneath the left-hand Resource Management menu. You'll now see a screen similar to that in Figure 12.
Figure 12: Applications screen (click image to enlarge)
Next we need to choose the type of application shortcut that we wish to create. Click on the Create Application Shortcut link in the upper right-hand corner of the Applications screen and choose TightVNC for Windows from the selections shown in Figure 13.
Figure 13: Create Application screen (click image to enlarge)
Now, enter the name and description details for the shortcut (Figure 14).
Figure 14: Applications Details screen (click image to enlarge)
Setup Step 4
The next step requires entering the IP address and connection port for the TightVNC server on your PC, which is 5900 unless you have specified otherwise (Figure 15).
Figure 15: Application Options screen (click image to enlarge)
We need to select the policy that we want to associate with this resource. Be sure to select the Everyone policy (Figure 16).
Figure 16: Application Policy selection screen (click image to enlarge)
The next screen (Figure 17) simply confirms our choices. If all is correct, click the Finish button to finalize the application shortcut.
Figure 17: Application Shortcut summary screen (click image to enlarge)
The very last screen (Figure 18) should confirm creation of the application shortcut. Go ahead and click Exit Wizard at this point to return to our main menu.
Figure 18: Applications Shortcut creation confirmation screen (click image to enlarge)
That completes the setup for Remote Desktop access using TightVNC.
Checking Out Remote Desktop
Use the Logout link located in the extreme upper right hand corner of the screen to log out as Super User. Now log back in as the ordinary user we created during the installation (e.g. John Smith). Once logged in, you should see a list of shortcuts referred to as My Favorites on the screen, which represent the applications that we set up (Figure 19).
Figure 19: User console screen (click image to enlarge)
This screen shown in Figure 19 is what most normal users would see on a daily basis when using SSL Explorer. Select the TightVNC connection link that we just created from the Favorites list. SSL Explorer will then launch the Java VPN client, set up a tunnel and execute the TightVNC client in an effort to connect to our PC desktop. If all is successful then you should see a TightVNC authentication dialog box asking for the TightVNC password that you set up (Figure 20).
Figure 20: TightVNC authentication
Once you have successfully authenticated, you will be presented with a remote desktop for your PC. See Figure 21 for an example.
Figure 21: TightVNC remote desktop (click image to enlarge)
Once again, there is a great Flash demo on 3SP's site that walks you through many aspects of setting up remote administration. Even though the demo uses SSL Explorer's built-in RDP client instead of TightVNC, many of the other aspects of remote administration are the same. You can obtain further documentation on how to use TightVNC from tightvnc.com.
Conclusion
SSL Explorer makes a perfect secure gateway to your SOHO network if you need to access data or applications on your PC from time to time. It is very user friendly and very robust. And there are many other features that I have not even begun to touch upon in this article due to space limitations.
I hope that this article has given you some ideas on how to free yourself from the hassles of IPsec and PPTP tunneling through the wonders of an SSL VPN. Now go have some fun and do some office work from the beach maybe?
Other resources
Although the SSL Explorer Community Edition doesn't include free support from 3SP, there are a number of resources available from 3SP's Website and SourceForge:
- Quick Start, Configuration and Access Control manuals are available at the SSL-Explorer SourceForge Project page
- SourceForge also hosts the SSL-Explorer user forum
- In addition to the Network Places and Remote Admin Flash demos, 3SP also has a few more Flash movies. Here's a complete list:
- Installation
- Remote Administration
- Web Forwarding (Reverse Proxy)
- Web Forwarding (Tunneled Proxy)
- Web Forwarding (Replacement Proxy)
- Network Places