Proxy SSL tunneling
Hello.
I'm having a problem with a distributed application where the client connects via a proxy server (Squid 2.5 in my case) to a server using SSL (port 443).
Sometimes the tunneling works fine and sometimes it doesn't. Doing some debugging, it seems from the logs of both the client and server that their sockets are disconnected by something. Now, I suspect that the proxy server is disconnecting them but I can't really prove it.
I have tried using a different free proxy server (Proxy+ I think it's called) and the problem persists.
Have any of you guys experienced problems with the proxy disconnecting the tunnel?
You might do better to post in the "Java Secure Socket Extension" forum!
Similar Messages
-
ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client
Hi
Can the ACE perform SSL tunnelling of web services (HTTP) traffic? Can the ACE perform SSL tunnelling/proxy on behalf of a non-SSL client?
Example:
Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
The "client" Server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (that does not support SSL)?
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non-SSL client?
Regards
Hello Byron,
Yes, the ACE can do it
Here you have some of the flavors of SSL with the ACE.
Here you have a sample about it:
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
  2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
  class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
  key TAC-key
  cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice
Here you have some additional details under the configuration guide:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
Here you have some additional samples:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
Hope this helps you and fixes your issue.
Jorge -
SSL tunneling with reverse proxy
Hi,
I have configured reverse proxy on Sun Web Proxy Server. Now I am trying to configure SSL tunneling.
Steps followed:
1. Server Manager tab -> my server instance -> Routing tab.
2. Clicked the Enable/Disable Proxying link.
3. Created a new regular expression connect://.*.5000 (as my content server listens for SSL connections on port 5000).
4. Selected the connect://.*.5000 resource from the drop-down list.
5. Selected Enable Proxying Of This Resource and clicked OK.
But it doesn't seem to work. Is there a way to verify? Is SSL tunneling applicable to a reverse proxy?
Thanks,
Nitin
SSL tunneling is a forward proxy operation.
-
SSL-Tunneling Problem with Stronghold
Hello,
I installed HTTP-Tunneling between a Java client and a WLS 4.5.1 SP13 through a Stronghold server using mod_wl_ssl.so.
But when I'm trying to connect via HTTPS (port 443) to the Stronghold, the
plugin is no longer working correctly. I get the following output in the log
of the plug-in:
--------------Begin--------------
========New Request: [GET /HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121 HTTP/1.0] =========
Thu Jan 4 18:46:57 2001 Cookie String missing in the Cookie
Thu Jan 4 18:46:57 2001 queryStr = wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121
Thu Jan 4 18:46:57 2001 The request string is '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121'
Thu Jan 4 18:46:57 2001 After trimming path: '/HTTPClntLogin/a.tun?wl-login=https+dummy+WLREQS+4.5.1+dummy+%0A&rand=6343955830116743121'
Thu Jan 4 18:46:57 2001 Now trying whatever is on the list; ci->canUseSrvrList = 1
Thu Jan 4 18:46:57 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:46:57 2001 general list: trying connect to 'agni'/7002
Thu Jan 4 18:46:57 2001 Connected to agni:7002
Thu Jan 4 18:46:57 2001 Headers from the client [Accept]=[text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Headers from the client [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Headers from the client [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Accept]=[text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Host]=[sbcipx:443]
Thu Jan 4 18:46:57 2001 Sending header to WLS [User-Agent]=[Java1.2.2]
Thu Jan 4 18:46:57 2001 Sending header to WLS [X-WebLogic-Force-Cookie]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS [WL-Proxy-SSL]=[true]
Thu Jan 4 18:46:57 2001 Sending header to WLS [Proxy-Client-IP]=[192.168.17.116]
Thu Jan 4 18:46:57 2001 Sending header to WLS [X-Forwarded-For]=[192.168.17.116]
Thu Jan 4 18:47:12 2001 sysRecv failed, return val = [0] errno=0 errmsg=[Error 0]
Thu Jan 4 18:47:12 2001 Error reading WebLogic Response from agni:7002 Return Value = -1
Thu Jan 4 18:47:12 2001 Marking agni:7002 as bad
Thu Jan 4 18:47:12 2001 Got FAILOVER response from sendRequest... will retry
Thu Jan 4 18:47:12 2001 Attempting a connect with the forceCookie bit turned ON : [1]
Thu Jan 4 18:47:12 2001 Now trying whatever is on the list; ci->canUseSrvrList = 1
Thu Jan 4 18:47:12 2001 AttemptConnect(): Srvr# [1] = [agni:7002]
Thu Jan 4 18:47:12 2001 Request timed out after 10 seconds
Thu Jan 4 18:47:12 2001 Redirecting the error response to the errorPage = [http://www.finance.ch]
Thu Jan 4 18:47:12 2001 r->status=302 returning 0
Thu Jan 4 18:47:14 2001
---------------End
Any ideas what I didn't configure correctly for the Stronghold/plug-in/WLS?
Thank you
Remo
As far as I know, HTTPS-Tunneling through NES, APACHE, and IIS
is not supported. You can setup HttpClusterServlet to do HTTPS-
Tunneling.
Jong -
Can I query for WL-Proxy-SSL header?
I want to be able to enforce certain pages to be loaded via https.
Is it ok to query for the WL-Proxy-SSL header in order to detect if a request
was via https, or is there a better way? I cannot find any documentation on this.
TIA,
-graham
You should read the Servlet spec, Graham:
ServletRequest.isSecure() returns true and ServletRequest.getScheme() returns
https
Glad to be of help ;)
-graham
-
WebLogic SAML 1.1 & Apache as proxy & SSL between browser and Apache
Hi,
I'm trying to configure SAML 1.1 to work with WebLogic Server 10.3.
Here is a short description of the configuration
- Browser connects to Apache front end with ssl https://myserver:444/...
- Apache proxies requests to WebLogic Server instances in http. In the following example one of the WLS instances is listening on the port 555 on myserver.
During the SAML 1.1 requests the following url appears:
https://myserver:444/mysamlits?RPID=rp_00001&TARGET=http://myserver:555/myapp
Here http://myserver:555/myapp is the backend server listening address. Instead it should be the frontend server address:
https://myserver:444/mysamlits?RPID=rp_00001&TARGET=https://myserver:444/myapp
Problem:
Despite all my efforts, WLS picks up the backend protocol and port and puts them in the TARGET. I can't find how to set up WebLogic Server to supply the frontend address as TARGET, so I'm asking for help here.
Details:
I try to describe the setup in more detail below.
I have NOT installed mod_wl in Apache because my intention is to employ Apache to simulate a hardware load balancer (HLB).
I have appended the following lines to Apache httpd.conf:
# Added so that we can set the "WL-Proxy-SSL: true"
# HTTP header which tells a back-end WebLogic Server
# that requests are being proxied through a front-end
# SSL load-balancer or proxy server.
<IfModule headers_module>
RequestHeader set WL-Proxy-SSL true
</IfModule>
I have also verified that the header WL-Proxy-SSL is present in requests arriving at the backend WebLogic Server.
On the WebLogic Server side I have
- Frontend Host: myserver
- Frontend HTTP Port:0
- Frontend HTTPS Port:444
I have also tried setting WebLogic Plugin Enabled:true.
Regards,
Kari
Edited by: 858107 on May 11, 2011 10:00 PM: Removed a duplicated subject line.
I was mistaken. TARGET can very well be the backend address. The actual problem was that the browser was getting redirected to the backend address.
That was fixed by resetting the frontend settings:
Frontend Host: <empty>
Frontend HTTP Port:0
Frontend HTTPS Port:0
Kari -
Have any of you guys experienced problems with the proxy disconnecting the tunnel?
In article <[email protected]>, Tsougleris wrote:
> When a non-priv user attempts login, login page timesout
> When a non-priv user, running IE as priv a/c attempts login, all is
>
If you have client32 running, you will have an easier time using
CLNTRUST...
For browser-specific issues, try disabling TLS 1.0 support on the
browsers.
OK - if I understand you, normal users get a login prompt, log in, and
browse. Which is as it should be. If users not in the tree try to log
in, they should be denied, but not just time out. Is that what is
happening here - that users not in a tree aren't getting a failure
message, but just a timeout?
Or do you mean privileged in terms of Windows rights?
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com *** -
Sunone webserver(proxy) --SSL- weblogic
In our environment we are using Sunone webserver 7.0.9 as a proxy server to forward the request to the weblogic server 10.3.3. Now the requirement is to secure the communication between the proxy and weblogic server. As a standard way we can configure the proxy server to use SSL in obj.conf as below:
<Object name="weblogic" ppath="*/DefaultWebApp/*">
Service fn=wl_proxy WebLogicHost="myIP" WebLogicPort="mySSLPort" SecureProxy="ON" Debug="ALL" WLLogFile="/home/support/IPlanet60SP5/server/logsupport.txt" TrustedCAFile="/home/support/IPlanet60SP5/TrustedCA.pem" RequireSSLHostMatch="true"
</Object>
My question is: when we have installed a self-signed certificate on WebLogic, how do we trust that certificate in the proxy server? If it were a third-party certificate we could get the root CA certificate and add it as a trust entry in the obj.conf. But in the self-signed case we do not have an intermediate or root certificate. So how do we trust the self-signed server certificate in the proxy server?
851935 wrote:
Just import the self signed cert as trusted. -
Reverse proxy + SSL question
Hi everyone.
I am trying to set up a proxy for my organization (I downloaded the latest 4.0.x version of Sun Web Proxy Server). The idea is that, through it, we need to offer access to a part of our intranet.
There is a public (internet) address available (with SSL activated, it's an Apache server).
The idea is :
- normal extranet : https://foo.bar.com
- reverse proxy : https://foo.bar.com:4443/path/inside/intranet (which would be, for the proxy https://intranet.foo.bar.com/path/inside/intranet).
Do you have any advice on how I should do that? I tried to import the Apache certificate inside the proxy, but it won't work. Is there something I'm missing?
Thanks in advance for your answers.
Edited by: TiamatB5 on Dec 8, 2008 7:42 AM
Alright, I found the solution:
- apache is used as a front reverse proxy, accepting SSL requests
- a specific url is used like : https://extranet.foo.bar/intranet that does the reverse proxy to http://extranet.foo.bar:8888 (on the same server as apache)
- Sun Proxy Web server is used to do the real reverse proxying of http://extranet.foo.bar:8888 to http://intranet.foo.bar
- the content rewriting is used to rewrite internal url to https ones like : http://intranet.foo.bar/foo/bar is rewritten to https://extranet.foo.bar/intranet/foo/bar
After testing it works like a charm. No need to request a specific certificate for the Sun Proxy, and it's exactly what was asked of me, that is: the client mustn't see the internal redirection. With this, they don't see that there is a proxy and they don't see the http://extranet.foo.bar:8888 part. It seems a bit complicated, but at least it works ;)
Edited by: TiamatB5 on Dec 9, 2008 12:50 AM -
I am trying to run the TraderReceive sample program that comes with 7.0 on a machine behind the firewall at a remote site and I am getting the following exception. (The java command line has the proxy specified, and the server has HTTP tunneling enabled.)
Can someone help?
C:\ArthurTest\JMS>java -Dhttp.proxyHost=134.142.50.10 -Dhttp.proxyPort=8080 -cp .;.\weblogic.jar TraderReceive http://205.172.179.92:80
<May 6, 2003 4:33:25 PM CDT> <Error> <RJVM> <000515> <execute failed
java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at host: '205.172.179.92' and port: '80' a WebLogic Server?
java.net.ProtocolException: Tunneling result unspecified - is the HTTP server at host: '205.172.179.92' and port: '80' a WebLogic Server?
        at weblogic.rjvm.http.HTTPClientJVMConnection.handleNullResponse(HTTPClientJVMConnection.java:173)
        at weblogic.rjvm.http.HTTPClientJVMConnection.receiveAndDispatch(HTTPClientJVMConnection.java:409)
        at weblogic.rjvm.http.HTTPClientJVMConnection.execute(HTTPClientJVMConnection.java:305)
        at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:153)
        at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:134)
>
Exception in thread "main" javax.naming.CommunicationException. Root exception is java.net.ConnectException: http://205.172.179.92:80: Bootstrap t
Hi,
The tunneling problem likely has nothing to do with JMS.
JMS likely hasn't been called yet. I have little experience here,
so all I can suggest is trying to connect
to the WL server directly without the
firewall/proxy-server/interposed-web-server in between --
to see if you can narrow down the problem to the HTTP pass-through
to the WL server. Then check the BEA docs, and google search and/or
post to the more relevant rmi and/or jndi newsgroups...
Tom, BEA
-
Here is example code for HTTPS Tunneling through a proxy (400 lines of code)
Here is the source for Https Tunneling that I have gotten working. It is based on Pua Yeow Cheong's JavaWorld Tip 111. Thanks to David Lord for providing the final breakthrough that I needed.
I have posted it here for anyone who wishes to use it. If you find any bugs, or write any improvements, please tack them onto the end of this thread.
I have been trying to tackle this problem for quite some time, so I hope this helps a few of you out there.
Lots of Luck,
nightmask.
<----- Begin Copy and Paste -------->
import java.net.*;
import java.io.*;
import java.security.*;
import sun.misc.BASE64Encoder;
import javax.net.*;
import javax.net.ssl.*;

/**
 * This example is based on JavaWorld Tip 111. Thanks to Pua Yeow Cheong for writing it.
 * It tunnels through a proxy using the Https protocol.
 * Thanks go to David Lord in the java forums for figuring out the main problem with Tip 111
 * PLEASE NOTE: You need to have the JSSE 1.0.2 jars installed for this to work
 * Downloads contents of a URL, using Proxy Tunneling and Basic Authentication
 */
public class URLReader {

    /**
     * The main program for the URLReader class
     */
    public static void main(String[] args) throws Exception {
        //set up strings for use in app. Change these to your own settings
        String proxyPassword = "password";
        String proxyUsername = "username";
        String proxyHost = "myproxy.com";
        String proxyPort = "3128";
        String connectionURL = "https://www.verisign.com";

        //set up system properties to indicate we are using a proxy
        System.setProperty("https.proxyHost", proxyHost);
        System.setProperty("https.proxyPort", proxyPort);
        System.setProperty("proxyHost", proxyHost);
        System.setProperty("proxyPort", proxyPort);
        System.setProperty("proxySet", "true");
        System.setProperty("http.proxyHost", proxyHost);
        System.setProperty("http.proxyPort", proxyPort);
        System.setProperty("http.proxySet", "true");

        //set up handler for jsse
        System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");
        java.security.Provider prov = new com.sun.net.ssl.internal.ssl.Provider();
        Security.addProvider(prov);

        //create the connection; first attempt sends no proxy credentials
        URL myURL = new URL(connectionURL);
        URLConnection myConnection = myURL.openConnection();
        if (myConnection instanceof com.sun.net.ssl.HttpsURLConnection) {
            ((com.sun.net.ssl.HttpsURLConnection) myConnection).setSSLSocketFactory(
                new SSLTunnelSocketFactory(System.getProperty("proxyHost"), System.getProperty("proxyPort")));
        }
        myConnection.setDoInput(true);
        myConnection.setDoOutput(true);
        BufferedReader in;
        try {
            System.err.println("opening Input stream1");
            in = new BufferedReader(
                new InputStreamReader(
                    myConnection.getInputStream()));
            String inputLine;
            System.err.println("Input stream is Open1");
            while ((inputLine = in.readLine()) != null) {
                System.err.println(inputLine);
            }
            in.close();
            System.err.println("Input stream is Closed1");
        } catch (Exception e) {
            e.printStackTrace(System.err);
            //guard against exceptions that carry no message at all
            String tmp = (e.getMessage() == null) ? "" : e.getMessage().toLowerCase().trim();
            System.err.println("tmp *" + tmp + "*");
            if (tmp.indexOf("http") > -1) {
                //http error message to be parsed: the IOException thrown by doTunnelHandshake()
                //quotes the proxy status line, e.g. "http/1.0 407 proxy authentication required"
                tmp = tmp.substring(tmp.indexOf("http")).trim();
                System.err.println("tmp *" + tmp + "*");
                //skip over the "http/1.x" token to reach the status code
                tmp = (tmp.length() > 8) ? tmp.substring(8).trim() : "";
                System.err.println("tmp *" + tmp + "*");
                if (tmp.startsWith("407")) {
                    //proxy authentication required: retry with a factory that sends credentials
                    myURL = new URL(connectionURL);
                    myConnection = myURL.openConnection();
                    if (myConnection instanceof com.sun.net.ssl.HttpsURLConnection) {
                        ((com.sun.net.ssl.HttpsURLConnection) myConnection).setSSLSocketFactory(
                            new SSLTunnelSocketFactory(System.getProperty("proxyHost"), System.getProperty("proxyPort"),
                                                       proxyUsername, proxyPassword));
                    }
                    myConnection.setDoInput(true);
                    myConnection.setDoOutput(true);
                    try {
                        System.err.println("opening Input stream 2");
                        in = new BufferedReader(
                            new InputStreamReader(
                                myConnection.getInputStream()));
                        String inputLine;
                        System.err.println("Input stream is Open 2");
                        while ((inputLine = in.readLine()) != null) {
                            System.out.println(inputLine);
                        }
                        in.close();
                        System.err.println("Input stream is closed 2");
                    } catch (Exception ex) {
                        System.err.println(ex.getMessage());
                        ex.printStackTrace(System.err);
                    }
                }
            }
        }
    }
}

/**
 * SSLSocket used to tunnel through a proxy
 */
class SSLTunnelSocketFactory extends SSLSocketFactory {
    private String tunnelHost;
    private int tunnelPort;
    private SSLSocketFactory dfactory;
    private String tunnelPassword;
    private String tunnelUserName;
    private boolean socketConnected = false;
    private int falsecount = 0;

    /**
     * Constructor for the SSLTunnelSocketFactory object
     *
     *@param proxyHost The url of the proxy host
     *@param proxyPort the port of the proxy
     */
    public SSLTunnelSocketFactory(String proxyHost, String proxyPort) {
        System.err.println("creating Socket Factory");
        tunnelHost = proxyHost;
        tunnelPort = Integer.parseInt(proxyPort);
        dfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    }

    /**
     * Constructor for the SSLTunnelSocketFactory object
     *
     *@param proxyHost The url of the proxy host
     *@param proxyPort the port of the proxy
     *@param proxyUserName username for authenticating with the proxy
     *@param proxyPassword password for authenticating with the proxy
     */
    public SSLTunnelSocketFactory(String proxyHost, String proxyPort, String proxyUserName, String proxyPassword) {
        System.err.println("creating Socket Factory with password/username");
        tunnelHost = proxyHost;
        tunnelPort = Integer.parseInt(proxyPort);
        tunnelUserName = proxyUserName;
        tunnelPassword = proxyPassword;
        dfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    }

    /**
     * Sets the proxyUserName attribute of the SSLTunnelSocketFactory object
     *
     *@param proxyUserName The new proxyUserName value
     */
    public void setProxyUserName(String proxyUserName) {
        tunnelUserName = proxyUserName;
    }

    /**
     * Sets the proxyPassword attribute of the SSLTunnelSocketFactory object
     *
     *@param proxyPassword The new proxyPassword value
     */
    public void setProxyPassword(String proxyPassword) {
        tunnelPassword = proxyPassword;
    }

    /**
     * Gets the supportedCipherSuites attribute of the SSLTunnelSocketFactory
     * object
     *
     *@return The supportedCipherSuites value
     */
    public String[] getSupportedCipherSuites() {
        return dfactory.getSupportedCipherSuites();
    }

    /**
     * Gets the defaultCipherSuites attribute of the SSLTunnelSocketFactory
     * object
     *
     *@return The defaultCipherSuites value
     */
    public String[] getDefaultCipherSuites() {
        return dfactory.getDefaultCipherSuites();
    }

    /**
     * Gets the socketConnected attribute of the SSLTunnelSocketFactory object
     *
     *@return The socketConnected value
     */
    public synchronized boolean getSocketConnected() {
        return socketConnected;
    }

    /**
     * Creates a new SSL Tunneled Socket
     *
     *@param s Ignored
     *@param host destination host
     *@param port destination port
     *@param autoClose wether to close the socket automaticly
     *@return proxy tunneled socket
     *@exception IOException raised by an IO error
     *@exception UnknownHostException raised when the host is unknown
     */
    public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        //plain TCP connection to the proxy, then CONNECT, then SSL on top of it
        Socket tunnel = new Socket(tunnelHost, tunnelPort);
        doTunnelHandshake(tunnel, host, port);
        SSLSocket result = (SSLSocket) dfactory.createSocket(tunnel, host, port, autoClose);
        result.addHandshakeCompletedListener(
            new HandshakeCompletedListener() {
                public void handshakeCompleted(HandshakeCompletedEvent event) {
                    System.out.println("Handshake Finished!");
                    System.out.println("\t CipherSuite :" + event.getCipherSuite());
                    System.out.println("\t SessionId: " + event.getSession());
                    System.out.println("\t PeerHost: " + event.getSession().getPeerHost());
                    setSocketConnected(true);
                }
            });
        // thanks to David Lord in the java forums for figuring out this line is the problem
        // result.startHandshake(); //this line is the bug which stops Tip111 from working correctly
        return result;
    }

    /**
     * Creates a new SSL Tunneled Socket
     *
     *@param host destination host
     *@param port destination port
     *@return tunneled SSL Socket
     *@exception IOException raised by IO error
     *@exception UnknownHostException raised when the host is unknown
     */
    public Socket createSocket(String host, int port)
            throws IOException, UnknownHostException {
        return createSocket(null, host, port, true);
    }

    /**
     * Creates a new SSL Tunneled Socket
     *
     *@param host Destination Host
     *@param port Destination Port
     *@param clientHost Ignored
     *@param clientPort Ignored
     *@return SSL Tunneled Socket
     *@exception IOException Raised when IO error occurs
     *@exception UnknownHostException Raised when the destination host is
     * unknown
     */
    public Socket createSocket(String host, int port, InetAddress clientHost,
                               int clientPort)
            throws IOException, UnknownHostException {
        return createSocket(null, host, port, true);
    }

    /**
     * Creates a new SSL Tunneled Socket
     *
     *@param host destination host
     *@param port destination port
     *@return tunneled SSL Socket
     *@exception IOException raised when IO error occurs
     */
    public Socket createSocket(InetAddress host, int port)
            throws IOException {
        return createSocket(null, host.getHostName(), port, true);
    }

    /**
     * Creates a new SSL Tunneled Socket
     *
     *@param address destination host
     *@param port destination port
     *@param clientAddress ignored
     *@param clientPort ignored
     *@return tunneled SSL Socket
     *@exception IOException raised when IO exception occurs
     */
    public Socket createSocket(InetAddress address, int port,
                               InetAddress clientAddress, int clientPort)
            throws IOException {
        return createSocket(null, address.getHostName(), port, true);
    }

    /**
     * Sets the socketConnected attribute of the SSLTunnelSocketFactory object
     *
     *@param b The new socketConnected value
     */
    private synchronized void setSocketConnected(boolean b) {
        socketConnected = b;
    }

    /**
     * Sends the HTTP CONNECT request to the proxy and checks its reply
     *
     *@param tunnel tunnel socket
     *@param host destination host
     *@param port destination port
     *@exception IOException raised when an IO error occurs
     */
    private void doTunnelHandshake(Socket tunnel, String host, int port) throws IOException {
        OutputStream out = tunnel.getOutputStream();
        //generate connection string
        String msg = "CONNECT " + host + ":" + port + " HTTP/1.0\n"
            + "User-Agent: "
            + sun.net.www.protocol.http.HttpURLConnection.userAgent;
        if (tunnelUserName != null && tunnelPassword != null) {
            //add basic authentication header for the proxy
            sun.misc.BASE64Encoder enc = new sun.misc.BASE64Encoder();
            String encodedPassword = enc.encode((tunnelUserName + ":" + tunnelPassword).getBytes());
            msg = msg + "\nProxy-Authorization: Basic " + encodedPassword;
        }
        msg = msg + "\nContent-Length: 0";
        msg = msg + "\nPragma: no-cache";
        msg = msg + "\r\n\r\n";
        //note: this debug line echoes the Proxy-Authorization header (the credentials) to stderr
        System.err.println(msg);
        byte b[];
        try {
            //we really do want ASCII7 as the http protocol doesnt change with locale
            b = msg.getBytes("ASCII7");
        } catch (UnsupportedEncodingException ignored) {
            //If ASCII7 isn't there, something is seriously wrong!
            b = msg.getBytes();
        }
        out.write(b);
        out.flush();

        //read the proxy reply up to the blank line, keeping only the status line
        byte reply[] = new byte[200];
        int replyLen = 0;
        int newlinesSeen = 0;
        boolean headerDone = false;
        InputStream in = tunnel.getInputStream();
        while (newlinesSeen < 2) {
            int i = in.read();
            if (i < 0) {
                throw new IOException("Unexpected EOF from Proxy");
            }
            if (i == '\n') {
                headerDone = true;
                ++newlinesSeen;
            } else if (i != '\r') {
                newlinesSeen = 0;
                if (!headerDone && replyLen < reply.length) {
                    reply[replyLen++] = (byte) i;
                }
            }
        }
        //convert byte array to string
        String replyStr;
        try {
            replyStr = new String(reply, 0, replyLen, "ASCII7");
        } catch (UnsupportedEncodingException ignored) {
            replyStr = new String(reply, 0, replyLen);
        }
        //we check for connection established because our proxy returns http/1.1 instead of 1.0
        if (replyStr.toLowerCase().indexOf("200 connection established") == -1) {
            System.err.println(replyStr);
            throw new IOException("Unable to tunnel through " + tunnelHost + ":" + tunnelPort + ". Proxy returns \"" + replyStr + "\"");
        }
        //tunneling hanshake was successful
    }
}
<----- End Copy and Paste -------->
BTW, if you are using an implementation in which
the http/https implementation recognises
the java.net.Authenticator properly, you can use
that framework to do basic/digest authentication.
I think Sun's JDK 1.4 supports both basic
and digest for both proxies and the actual end
site you connect via http/https, but I haven't
tested it to be sure. I know it works
with http/basic at the end host.
Today's Ob hack:
import java.net.*;
import java.io.*;

class MyAuth extends Authenticator {
    protected PasswordAuthentication getPasswordAuthentication() {
        System.out.println("The realm '" + getRequestingPrompt() +
            "' at '" + getRequestingHost() + ":" + getRequestingPort() +
            "'\n" + "using " + getRequestingProtocol() + " is requesting " +
            getRequestingScheme().toUpperCase() + " authentication.");
        System.out.println("");
        System.out.println("What should we send them? Let's send them ...");
        System.out.println("");
        // As written this hands the same credentials to whoever challenges, proxy or
        // end host; a real Authenticator should branch on getRequestorType() and
        // getRequestingHost() before answering.
        return new PasswordAuthentication("username", "password".toCharArray());
    }
}

public class MyURL {
    public static void main(String[] args) throws Exception {
        // set to the authenticator you want to use.
        Authenticator.setDefault(new MyAuth());
        URL url = new URL("http://www.some.com/something_protected/index.htm");
        BufferedReader in = new BufferedReader(new InputStreamReader(url.openStream()));
        String inputLine;
        while ((inputLine = in.readLine()) != null) {
            System.out.println(inputLine);
        }
        in.close();
    }
}
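The CONNECT exchange the handshake code above performs, as an added example that is not part of the original post or of Sun's JSSE sample, written in Python so that both ends fit in one file. The client builds the request (Proxy-Authorization only when it actually has credentials) and judges the reply by its numeric status code, because both the HTTP version (1.0 versus 1.1, the point the comment in the Java code makes) and the reason phrase vary between proxies. A constructed stand-in for the proxy demands Basic credentials, answers 407 with a Proxy-Authenticate challenge and closes when they are missing, and otherwise answers 200 and echoes whatever the client sends through the tunnel. The realm, user name, password, User-Agent string and target host are made-up values; the header reader is bounded so a misbehaving proxy cannot make the client buffer without limit.

```python
import base64
import socket
import threading

# Made-up values for the demonstration; none of them come from the original post.
USER_AGENT = "tunnel-demo/1.0"
PROXY_REALM = "demo-proxy"
PROXY_USER, PROXY_PASS = "tunneluser", "s3cret"


class ProxyAuthRequired(IOError):
    """The proxy answered 407; `realm` comes from its Proxy-Authenticate header."""
    def __init__(self, realm):
        super().__init__("proxy requires Basic authentication, realm=%r" % (realm,))
        self.realm = realm


def build_connect_request(host, port, username=None, password=None):
    """CONNECT request with CRLF line endings; Proxy-Authorization only when credentials exist."""
    lines = ["CONNECT %s:%d HTTP/1.1" % (host, port), "Host: %s:%d" % (host, port),
             "User-Agent: " + USER_AGENT]
    if username is not None and password is not None:
        token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode("ascii")
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status_line(line):
    """'HTTP/1.x <code> <reason>' -> (version, code, reason); decisions use the code only."""
    parts = line.strip().split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise IOError("malformed proxy status line: %r" % line)
    return parts[0], int(parts[1]), parts[2] if len(parts) == 3 else ""


def read_header_block(sock, limit=8192):
    """Read through the blank line ending the headers (capped at `limit` bytes);
    returns (header text, any bytes that arrived after the blank line)."""
    buf = b""
    while True:
        for sep in (b"\r\n\r\n", b"\n\n"):
            end = buf.find(sep)
            if end != -1:
                return buf[:end].decode("iso-8859-1"), buf[end + len(sep):]
        if len(buf) > limit:
            raise IOError("header block exceeds %d bytes" % limit)
        chunk = sock.recv(1024)
        if not chunk:
            raise IOError("unexpected EOF from peer")
        buf += chunk


def parse_headers(lines):
    return {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines if ":" in h)}


def open_tunnel(sock, host, port, username=None, password=None):
    """Client side: CONNECT handshake on a connected socket; returns bytes after the headers."""
    sock.sendall(build_connect_request(host, port, username, password))
    head, leftover = read_header_block(sock)
    lines = head.splitlines()
    _version, code, reason = parse_status_line(lines[0] if lines else "")
    if code == 407:
        challenge = parse_headers(lines[1:]).get("proxy-authenticate", "")
        realm = (challenge.split("realm=", 1)[1].split(",")[0].strip().strip('"')
                 if "realm=" in challenge else None)
        raise ProxyAuthRequired(realm)
    if code != 200:
        raise IOError("unable to tunnel to %s:%d: proxy returned %d %s" % (host, port, code, reason))
    return leftover


def fake_proxy(sock):
    """Constructed stand-in for the proxy end: 407 and close without valid Basic credentials,
    otherwise a Squid-style HTTP/1.0 status line, then echo the tunnelled bytes until EOF."""
    head, leftover = read_header_block(sock)
    lines = head.splitlines()
    expected = base64.b64encode(("%s:%s" % (PROXY_USER, PROXY_PASS)).encode()).decode("ascii")
    if not lines or not lines[0].startswith("CONNECT ") or \
            parse_headers(lines[1:]).get("proxy-authorization") != "Basic " + expected:
        sock.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="' + PROXY_REALM.encode() + b'"\r\n'
                     b"Content-Length: 0\r\n\r\n")
        sock.close()
        return
    sock.sendall(b"HTTP/1.0 200 Connection established\r\n\r\n" + leftover)
    for chunk in iter(lambda: sock.recv(1024), b""):
        sock.sendall(chunk)
    sock.close()


def demo(username=None, password=None, payload=b"hello through the tunnel"):
    """Run client and stand-in proxy over a socketpair; return what the tunnel echoed."""
    client, proxy_end = socket.socketpair()
    worker = threading.Thread(target=fake_proxy, args=(proxy_end,))
    worker.start()
    try:
        open_tunnel(client, "internal.example", 443, username, password)
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: client.recv(1024), b""))
    finally:
        client.close()
        worker.join()
```

Calling demo() without credentials raises ProxyAuthRequired carrying the realm from the challenge; demo(PROXY_USER, PROXY_PASS) returns the echoed payload. Many proxies close the connection after a 407, as the stand-in does, so a client that retries with credentials has to open a fresh connection first, which is also the simplest explanation for a tunnel that "sometimes works and sometimes doesn't" when the retry logic reuses a dead socket.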
-
SSL VPN - Bypass DefaultWEBVPNGroup
Hi All,
I'm using the default tunnel-group and group-policy for my general user community. I want to apply a filter for that group, and have a special use case for another group that bypasses the filter. My goal: for people hitting the "RAS_Engineering" group policy, I want to bypass the filter applied to "DfltGrpPolicy"
Is there a way for me to configure the group-policy so that it doesn't pick up the default settings? Here's what I have (some output omitted to reduce lines):
# sh vpn-session detail svc filter name amy.eryilmaz
Session Type: SVC Detailed
Username : amy.eryilmaz Index : 13568
Assigned IP : my.vpn.assigned.ip Public IP : my.pub.lic.ip
Group Policy : RAS_Engineering Tunnel Group : DefaultWEBVPNGroup
Clientless Tunnels: 1
SSL-Tunnel Tunnels: 1
Clientless:
Tunnel ID : 13568.1
Public IP : my.pub.lic.ip
Auth Mode : userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client Type : Web Browser
Client Ver : AnyConnect Windows 2.5.3046
Bytes Tx : 11456 Bytes Rx : 3986
SSL-Tunnel:
Tunnel ID : 13568.2
Assigned IP : my.vpn.assigned.ip Public IP : my.pub.lic.ip
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 2.5.3046
Filter Name : default-vpn-filter
group-policy DfltGrpPolicy attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
dhcp-network-scope xx.xx.xx.xx
vpn-filter value default-vpn-filter
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
default-domain value mydomain.com
webvpn
svc ask none default svc
group-policy RAS_Engineering internal
group-policy RAS_Engineering attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
dhcp-network-scope xx.xx.xx.xx
vpn-tunnel-protocol l2tp-ipsec svc
webvpn
svc ask none default svc
# sh run all tunnel-group DefaultWEBVPNGroup
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group my_radius
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
dhcp-server xx.xx.xx.xx
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization myCustom
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no pre-shared-key
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication xauth
Hi,
By default you will inherit any implicit values from the default group policy.
To stop inheriting the "vpn-filter" please do:
group-policy RAS_Engineering attributes
vpn-filter none
The same applies for any other feature within the group-policy, make sure you explicitly define every parameter according to the specific requirements.
Thanks.
Portu.
Please rate any helpful posts.
-
VPN Split-Tunneling not working
Hello,
First off, thanks to all who post here. I often browse the forums and search for help on here and it's very useful, so a great pat on the back for everyone who contributes. My first time posting, so here goes.....
I have my ASA 5505 v8.2 configured to allow AnyConnect. This is working. Client can connect and access the remote systems through VPN. What is causing me a massive headache is that the client loses internet connectivity. I have played around with my config somewhat so what I am about to post I know for certain is incorrect but any help is greatly appreciated.
Notes
1. The Router was set up for a standard site-to-site VPN which is no longer functional but as you can see all the settings are still in the router.
2. The router also has a DMZ setup to allow some clients access to the internet through it using the DMZ
CONFIGURATION:
ASA Version 8.2(5)
hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
name x.x.x.x AIME-SD
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.0.0
interface Vlan7
no forward interface Vlan1
nameif DMZ
security-level 20
ip address 137.57.183.1 255.255.255.0
ftp mode passive
clock timezone MST -7
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set batus esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map batus 100 match address 10
crypto map batus 100 set peer AIME-SD
crypto map batus 100 set transform-set batus
crypto map batus interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MYHOST
keypair ClientX_cert
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 0f817951
308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
63ebd49d 30dd06f4 e0fa25
quit
crypto isakmp enable outside
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
vpn-tunnel-protocol svc
split-tunnel-network-list value split-tunneling
default-domain value access.local
address-pools value Internal_Range
ipv6-address-pools none
webvpn
svc mtu 1406
svc rekey time none
svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
vpn-group-policy ClientX_access
service-type admin
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
address-pool Internal_Range
default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e7d92a387d1c5f07e14b3c894d159ec1
: end
Thank you for any help!!
Karsten!
That fixed my internet access problem. Yippee!
Unfortunately it seems to have broken my access to the internal network. Boo!
I can no longer access/ping anything on the internal IP range (192.168.101.x).
I assume this is a nat issue somewhere along the line. Posting the top half of my config for any assistance and the info requested by Raj (although VPN is connecting fine). Thank you both for your very prompt replies!!!
Short Config
object-group network obj_any_dmz
access-list 10 extended permit ip 192.168.25.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list no_nat extended permit ip host x.x.x.x 192.168.25.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 access-list nonat
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 207.229.2.129 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
Show vpn-sessiondb svc
Session Type: SVC
Username : ClientX Index : 9
Assigned IP : 192.168.101.125 Public IP : x.x.x.x
Protocol : Clientless SSL-Tunnel DTLS-Tunnel
License : SSL VPN
Encryption : RC4 AES128 Hashing : MD5 SHA1
Bytes Tx : 11662 Bytes Rx : 62930
Group Policy : ClientX_access Tunnel Group : DefaultWEBVPNGroup
Login Time : 22:40:56 MST Mon Jul 1 2013
Duration : 0h:11m:08s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
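Karsten's fix is not recorded in this thread, but two things are visible in the posted configuration itself. The group-policy ClientX_access sets split-tunnel-network-list but never sets split-tunnel-policy, so it inherits tunnelall from DfltGrpPolicy and the list is never consulted, which sends the client's internet traffic into the tunnel. And the only NAT exemption, nat (inside) 0 access-list no_nat, covers the old site-to-site subnets, not traffic from the inside LAN back to VPN-assigned addresses (worth checking at the same time: nat (inside) 1 has no matching global (outside) 1; the only global is id 10). The fragment below is an added example in ASA 8.2 syntax, not a line from the thread and not presented as Karsten's fix; it uses only names and networks already in the posted configuration.

```text
! Added example, ASA 8.2 syntax; not the fix from the thread.
!
! 1. Make the split-tunnel list take effect. Without split-tunnel-policy the
!    group policy inherits tunnelall from DfltGrpPolicy and the list is ignored.
group-policy ClientX_access attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunneling
!
! 2. Exempt inside-LAN to VPN-client traffic from NAT. The pool
!    192.168.101.125-130 lies inside 192.168.101.0/24, so a subnet-to-subnet
!    entry covers it. It is appended to no_nat because 8.2 accepts a single
!    nat (inside) 0 access-list statement; a second one would replace the first.
access-list no_nat extended permit ip 192.168.101.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list no_nat
```

With tunnelspecified in place only 192.168.101.0/24 is routed through the AnyConnect session and the client's own default route keeps carrying its internet traffic, so no hairpin NAT on the ASA is needed for that part.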
-
SFTP/FTP Proxy Problems - Works for DMZ but not for Internet Hosts?!
Hi all,
we have a strange problem with our TMG proxy; some infrastructure information first.
So we have the client LAN with the IP range 192.168.11.x, which is routable to the server LAN 192.168.3.x but not to the DMZ LAN 192.168.200.x. The TMG is a 2-node array; 192.168.200.5 is the DMZ VIP. The TMG DMZ IP address (192.168.200.5) and the physical addresses have
a NAT relation to one public IP. HTTPS inspection is active. We don't use (and don't want to use) the TMG client component.
When I use WinSCP, PuTTY or FileZilla and connect to a DMZ LAN host (192.168.200.x) with "HTTP Proxy" (192.168.3.108:8080), everything is fine; it works as expected...
When I connect to an Internet host it fails regardless of which protocol I use (FTP, SFTP or SSH). The error I get is
"The token supplied to the function is invalid."
An example for a failed SFTP Connection
Filezilla
Status: Connecting to system.internet.de...
Trace: Going to execute "C:\Program Files (x86)\FileZilla FTP Client\fzsftp.exe"
Response: fzSftp started
Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started)
Trace: CSftpControlSocket::SendNextCommand()
Trace: CSftpControlSocket::ConnectSend()
Command: proxy 1 "tmg.local" 8080 "domain\user" "***********"
Trace: CSftpControlSocket::ConnectParseResponse()
Trace: CSftpControlSocket::SendNextCommand()
Trace: CSftpControlSocket::ConnectSend()
Command: open "[email protected]" 22
Trace: Looking up host "system.internet.de"
Trace: Connecting to 192.168.3.108 port 8080
Trace: Proxy error: 502 Proxy Error ( The token supplied to the function is invalid. )
Error: Proxy error: 502 Proxy Error ( The token supplied to the function is invalid. )
Trace: CControlSocket::DoClose(64)
Trace: CSftpControlSocket::ResetOperation(66)
Trace: CControlSocket::ResetOperation(66)
Error: Could not connect to server
Trace: CFileZillaEnginePrivate::ResetOperation(66)
TMG protocol throws this
Log type: Web Proxy (Forward)
Status: 0x80090308
Rule: Webzugriff FTP Test
Source: Internal (192.168.11.31:44673)
Destination: External (78.46.182.171:22)
Request: system.internet.de:22
Filter information: Req ID: 106f1cb7; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: domain\user
Hope you can explain to me what we are doing wrong or how to find out what the problem is. I didn't find much information about "0x80090308" or "The token supplied to the function is invalid.". Disabling HTTPS inspection for the source 192.168.11.31
doesn't change anything...
Connection to an DMZ Host looks like this:
Filezilla
Status: Connecting to system.dmz...
Trace: Going to execute "C:\Program Files (x86)\FileZilla FTP Client\fzsftp.exe"
Response: fzSftp started
Trace: CSftpControlSocket::ConnectParseResponse(fzSftp started)
Trace: CSftpControlSocket::SendNextCommand()
Trace: CSftpControlSocket::ConnectSend()
Command: proxy 1 "tmg.local" 8080 "domain\user" "***********"
Trace: CSftpControlSocket::ConnectParseResponse()
Trace: CSftpControlSocket::SendNextCommand()
Trace: CSftpControlSocket::ConnectSend()
Command: open "[email protected]" 22
Trace: Looking up host "system.dmz"
Trace: Connecting to 192.168.3.108 port 8080
Trace: Server version: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
Trace: Using SSH protocol version 2
Trace: We claim version: SSH-2.0-PuTTY_Local:_Mar_28_2014_10:34:48
Trace: Doing Diffie-Hellman group exchange
Trace: Doing Diffie-Hellman key exchange with hash SHA-256
Trace: Host key fingerprint is:
TMG Protocol
Log type: Web Proxy (Forward)
Status: 0 The operation completed successfully.
Rule: Webzugriff FTP Test
Source: Internal (192.168.11.31:48818)
Destination: Perimeter 2 (192.168.200.205:22)
Request: system.dmz:22
Filter information: Req ID: 10727dce; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: domain\user
Thanks in advance.
Regards
Matthias
Hi Keith,
OK, I found out the problem is that HTTPS inspection is enabled....
- when I disable HTTPS inspection for the source, same problem
- when I disable HTTPS inspection for the destination, problem solved
The root cause of why this worked is that we had HTTPS inspection disabled for DMZ destinations.
There is no direct route relation between the LAN and DMZ.
Why is the source exception not working in this case?
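The poster's finding, that a destination exception for HTTPS inspection fixes SSH-over-CONNECT, comes down to what the inspecting proxy does with the first client bytes after it has answered 200 Connection established: it expects a TLS ClientHello to hand to SChannel, and an SSH identification string is not one. 0x80090308 is SChannel's SEC_E_INVALID_TOKEN, whose message text is exactly the error in the FileZilla trace. The Python below is an added example, not TMG's own logic and not from the thread: a parser for the first bytes on a tunnel that tells a TLS ClientHello from an SSH banner, and a small model of the policy decision (exempt destination, inspect, or fail) that produces the three outcomes behind the Protocol and Status values in the two log records above. The ClientHello bytes are constructed; the SSH banner is the one from the DMZ trace. Why the source exception did not take effect is not answered by this model or by the thread.

```python
SEC_E_INVALID_TOKEN = 0x80090308  # SChannel: "The token supplied to the function is invalid."


def peek_tunnel_protocol(data):
    """Classify the first client bytes on a freshly established CONNECT tunnel.

    'ssh'     : SSH identification string (RFC 4253: starts with 'SSH-')
    'tls'     : TLS record of content type handshake (0x16), major version 3,
                whose payload begins with a ClientHello (0x01) and whose
                handshake length is consistent with the record length
    'unknown' : anything else (an inspecting proxy that feeds this to a TLS
                server implementation gets a handshake failure)
    """
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03:
        return "unknown"
    record_len = int.from_bytes(data[3:5], "big")
    handshake_type = data[5]
    handshake_len = int.from_bytes(data[6:9], "big")
    # A ClientHello may span several records, so the handshake can be longer
    # than this record's payload, but never shorter than it.
    if handshake_type == 0x01 and record_len >= 4 and handshake_len >= record_len - 4:
        return "tls"
    return "unknown"


def decide(destination, first_bytes, inspect_exempt_destinations):
    """Model of the proxy's choice, expressed as the value logged under 'Protocol':
    an exempt destination is passed through untouched as 'SSL-tunnel'; otherwise
    the tunnel can only be inspected when it really carries TLS, and anything
    else ends in the SChannel error seen in the thread."""
    if destination in inspect_exempt_destinations:
        return "SSL-tunnel"
    if peek_tunnel_protocol(first_bytes) == "tls":
        return "https-inspect"
    return "https-inspect failed: 0x%08x" % SEC_E_INVALID_TOKEN


# Constructed samples. The banner is the server version string from the DMZ trace;
# the ClientHello is a minimal well-formed TLS 1.2 hello with a constant random.
SSH_BANNER = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"
_HELLO_BODY = (
    b"\x03\x03" + b"\x11" * 32   # client_version TLS 1.2, 32-byte random
    + b"\x00"                    # session_id: empty
    + b"\x00\x02\x13\x01"        # cipher_suites: one suite
    + b"\x01\x00"                # compression_methods: null only
    + b"\x00\x00"                # extensions: none
)
CLIENT_HELLO = (
    b"\x16\x03\x01" + (len(_HELLO_BODY) + 4).to_bytes(2, "big")    # record header
    + b"\x01" + len(_HELLO_BODY).to_bytes(3, "big") + _HELLO_BODY  # handshake header + body
)
```

decide("system.internet.de", SSH_BANNER, set()) yields the failed-inspection outcome with 0x80090308, decide("system.dmz", SSH_BANNER, {"system.dmz"}) yields "SSL-tunnel", and a real ClientHello to a non-exempt host yields "https-inspect". A proxy that sniffed the first bytes this way before deciding to inspect would pass the SSH session through instead of failing it; TMG does not, which is why the exception has to be configured by destination.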
-
I need to use HTTPS on my client computer, and my previous problem of websites not showing up was due to the fact that I needed to set a port for the browser to go to, but now I get this error:
2005/05/17 03:54:47| Using certificate in /root/test_cert.pem
FATAL: Failed to acquire SSL certificate: error:0200100D:system library:fopen:Permission denied
Now I have squid pointed to a key in the squid.conf file, but I am really new to OpenSSL and any help would be greatly appreciated, seeing as how this board has already put up with a lot of my asinine questions.
So you would like to do SSL termination on the proxy, basically? That's indeed perfectly possible, through for example SslBump. The user will have to trust a certificate which will be generated by the proxy and which will be served for all HTTPS sites, replacing the actual certificate the HTTPS site is using (the actual session towards the site will be terminated on the proxy).
I know you're probably only thinking about the caching part, but the problem is that you'll be decrypting everything that passes through the SSL tunnel (login credentials, ...) and hence breaching a user's privacy by doing that. So all in all, not something you would want to do.