cancel
Showing results for 
Search instead for 
Did you mean: 

Access to the Web site is blocked by your administrator

SOLVED
Contributor

Access to the Web site is blocked by your administrator

Hi, 

 

I have this problem:

I would like to permit my VPN users to access to external IP by VPN Network.

 

For example:

My VPN Network is: 10.10.10.0/23

My External IP is: 192.192.192.x

 

The External IP is on AWS and have restrict IP inbound (only public IP of SSLVPN).

 

Now I created a user roles and set Web lik on 8080 port.

I created and associated a WSAM allowed servers 

 

But when I connet to SSLVPN, and click on the link I receive this error:

Access to the Web site is blocked by your administrator. Please notify your system administrator. Made http request for GET / HTTP/1.1 to 192.192.192.x:8080

 

Thanks for the support

Marco

15 REPLIES 15
Moderator
Moderator

Re: Access to the Web site is blocked by your administrator

Hi Marco,

You have to create a selective rewrite policy to do the action (Don't Rewrite. Redirect to the target web server) for 192.192.192.x:8080 resource.

Selective Rewrite Policy: Users -- Resource Policies -- Web -- Rewriting -- Selective rewrite policy -- http://192.192.192.x:8080 or https://192.192.192.x:8080 --- Don't Rewrite. Redirect to the target web server.

If you have created the bookmark using Web resource profile, then browse to the porfile and click on "Show all autopolicy" -- Check the Autopolicy: Rewriting --- Select "No Rewriting (use WSAM) -- Save changes. Doing this will automatically creates a selective rewriting policy just like the above step.

Hope this helps.

Ray.
Pulse Connect Secure Certified Expert
Contributor

Re: Access to the Web site is blocked by your administrator

Hi Ray,

thanks for your reply.

 

But if I select Don't Rewrite (with redirect) the IP ins't of SSLVPN and the page is not visible.

 

Thanks

Marco

Occasional Contributor

Re: Access to the Web site is blocked by your administrator

Hi Marco,

 

Are you using also the external interface or just the internal interface?

The WSAM connections use as source interface the internal interface. You have to be sure that the internal interface can go to the AWS resource and also you have to be sure that the IP address of the internal interface (or the NAT used) is allow by the AWS resource

 

 

Moderator
Moderator

Re: Access to the Web site is blocked by your administrator

Hi Marco,

 

You're right, selecting Don't Rewrite (with redirect) will redirect the users to go the webpage directly which then should be tunneled by WSAM proxy and the VPN server should be able to send the traffic out using it's Internal port.

 

Does the redirected traffic is not being captured by WSAM?

 

NOTE: If you're using Windows 10 RS5 (1809 update), please use PSAM (Enable Pulse Secure Client option on the user role + WSAM >> Connect directly from Pulse Client / Logon through web browser to get the Pulse Client installed) and check the behavior.

 

If you're not planning on using WSAM to capture the 192.192.192.x:8080 traffic which I thought you did, then to fix the "Access blocked" issue, please allow the 192.192.192.x:8080 by adding an allow Web ACL (Users >> Resource policies >> Web >> Web ACL >> Under resources, enter http:// or https://<IP address>:<port> and save changes.

 

Thanks,
Ray.

 

 

Pulse Connect Secure Certified Expert
Contributor

Re: Access to the Web site is blocked by your administrator

Sorry I don't understand this:

 

You're right, selecting Don't Rewrite (with redirect) will redirect the users to go the webpage directly which then should be tunneled by WSAM proxy and the VPN server should be able to send the traffic out using it's Internal port.

 

With Don't Rewrite (with Redirect) the IP is the local Ip of the pc and not the SSLVPN IP correct?

 

I created a Web Access Policies and add the AWS IP, now (whitout Don't Rewrite) I can see the portal by SSLVPN IP but I have a view problem that all component isn't load correctly.

Moderator

Re: Access to the Web site is blocked by your administrator

@m.ferrara: it depends. if you do not have WSAM active and configured to capture the traffic, yes, the local IP will be seen; if, however, WSAM is active and configured to capture the traffic, the local IP will not be seen. this is because WSAM is proxying the traffic through the PCS to the backend service.

yes, sometimes web applications do not rewrite (viewed through web browser) properly. if that is the way you are looking to deploy, please open a case with our support team for further assistance
Highlighted
Contributor

Re: Access to the Web site is blocked by your administrator

Hi Ray,

 

could you help me to configure this, please:

 

NOTE: If you're using Windows 10 RS5 (1809 update), please use PSAM (Enable Pulse Secure Client option on the user role + WSAM >> Connect directly from Pulse Client / Logon through web browser to get the Pulse Client installed) and check the behavior.

 

I need to allow web access to external IP passing by SSLVPN, because the external IP allow connection only from Public SSLVPN IP.

 

Moderator

Re: Access to the Web site is blocked by your administrator

 

 

 

If you are looking to enable Pulse-based SAM, you do this by doing the following:

  • login as admin
  • Navigate to Users>User Roles>roleName>General
  • At the top of the role, under Options click on Pulse Secure client
  • Save changes
  • Navigate to Users>User Roles>roleName>SAM
  • Click on Add Server… under Options
  • provide a name for the policy
  • provide the IP address(es) of the application server
  • provide the DNS name of the application server
  • save changes
  • Navigate to Users>Resource Policies>SAM>Access Control
  • Click on New Policy…
  • Provide a name and list the application server IP and names in the resource text box
  • Save changes

    To use the above, users will need to do one of the following:

    • Login as usual
    • Click on Start next to the Pulse Secure client icon
    • Open a new browser
    • Connect

       

      OR (after Pulse is installed)

      • Click on the Pulse icon in the system tray
      • Click on the profile installed
      • Click on Connect

        Can you clarify your comment on the external IP being allowed? Do you mean that your network range outbound from your firewall/gateway has been whitelisted and your PCS internal port goes out that same network OR do you mean that the whitelist has been enabled specifically for the external port of the PCS? If the latter, that will not work as the external port does not source traffic. All traffic will be sourced from the internal port (with egress through your network based on the routing).

Contributor

Re: Access to the Web site is blocked by your administrator

Hi,

thank for your reply.

I tryed you solution, but I don't understand this step:

  • Navigate to Users>User Roles>roleName>SAM
  • Click on Add Server… under Options

    I created a WSAM destination (under SAM>Application) with IP and port, is it correct?

    I need to enable VPN Tunneling under Users>USer Roles>My Role>General

     

    The web application is on AWS, and its Inbound rules IP is allow only the external IP of the SSLVPN, I need to configure it to allow the user to access to link by SSLVPN.