
Web Access via SSL VPN

nitin21_
New Contributor

Web Access via SSL VPN

Hi All

 

I am looking for some advice regarding SSL VPN configuration. I hope to get it via this forum.

 

I have a scenario in which I have to access internet web servers located outside my campus. The catch here is that I can access these websites directly from the internet as well, but unless I access them from a specific IP address, let's say 1.1.1.1, i.e. my public IP, I do not get extra privileged access.

 

The SSL VPN device is installed in the DMZ zone with an IP address range of, say, 192.168.1.0/24. Users need to come from outside, i.e. the internet. The public IP address of the SSL VPN server is 1.1.1.5, which is NATted to 192.168.1.10 (the SSL VPN device's private IP address). When users access 1.1.1.5 from outside, they land on the SSL VPN device. A single bookmark is provided to them. This bookmark in turn leads to a web page on a server in the DMZ, on which URLs to internet websites are placed. The only authentication in this whole process is configured on the SSL VPN device.

 

Now if I initiate a connection from inside, i.e. the intranet, I get to the same web page hosted on the server, and if I click any of the URLs provided I get the access required. But if I come from the internet, access the web page and click on a URL, I do not get the privileged access required.

 

The main cause of the problem that I have been able to ascertain is that my source IP remains the same as the public internet IP. So when I access the web page hosted on the server, I am not NATted by the firewall to the public IP address, i.e. 1.1.1.1, whereas the expected source IP should be that of the SSL VPN server, i.e. 192.168.1.10.

 

Can someone advise what needs to be configured for this to be possible?

 

In short, I am looking for configuration ideas with which I can terminate the outside connection on the SSL VPN device and reinitiate the connection to the intranet server with the source IP address of my SSL VPN device.

 

Thanks

Nitin

 

5 REPLIES
jayLaiz_
Super Contributor

Re: Web Access via SSL VPN

This should happen by default when the web pages hosted on the Juniper SA/MAG device are rewritten. The source that the servers should see will be the internal port IP address.

 

Enable TCP sniffing on the Juniper on both the external and internal interfaces, put in a filter of host ipaddofwebserver, and see which source IP is communicating with the intended web server.

 

Regards,

jay

nitin21_
New Contributor

Re: Web Access via SSL VPN

Hi

 

That is exactly what is not happening. I checked on the web server, but there the packet arrives with the public source IP address rather than the MAG IP address.

 

I also tried the VLAN/Source IP option, but I am still unable to get the source IP changed.

 

Thanks

Nitin Kataria

jayLaiz_
Super Contributor

Re: Web Access via SSL VPN

Hi,

 

Which interfaces are connected on the SSL VPN? Are both the external and internal interfaces connected?

 

When you click on the bookmark, in the address bar, do you see https://SAhostname,danainfo=webserver.....

 

Regards,

Jay

braker_
Frequent Contributor

Re: Web Access via SSL VPN

As Jay stated, by default, bookmarks are "rewritten" by the SA. The SA functions as a reverse proxy and fetches the requested web page for the client using its inside interface. In this case, traffic will appear to originate from the inside interface IP address. This happens regardless of whether Network Connect is running or not.

 

You can avoid the default behavior by setting up a no rewrite rule. When you do this, the target URL will not get rewritten and the client will attempt to connect to it directly. If you don't have Network Connect running, connections to the target will originate from the client's LAN IP address. If you do have Network Connect running, connections to the target will originate from the Network Connect IP *if* the target is within the VPN tunneling access policy and is within the VPN tunneling split tunneling policy or split tunneling is disabled.

zanyterp_
Respected Contributor

Re: Web Access via SSL VPN

It sounds like the IP of the internal port should be used. Can you confirm that the name/IP of the server will be captured in any of the rules listed at Users>Resource Policies>Web>Selective Rewriting with an action set for "rewrite"?
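
The two checks the replies ask for (is the bookmark URL rewritten, and which source IP does the DMZ web server actually see) can be scripted as below. This is an added example, not part of the original thread: it assumes the web server writes Common Log Format, the log lines and the test URLs are constructed, and the label names are hypothetical; only 192.168.1.10, 192.168.1.0/24 and the danainfo marker come from the posts.

```python
import ipaddress
import re
from collections import Counter

# Addresses quoted in the thread: SSL VPN private IP and the DMZ range.
SSL_VPN_IP = ipaddress.ip_address("192.168.1.10")
DMZ_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed access-log sample (Common Log Format). 203.0.113.25 is a
# documentation address standing in for an internet client.
SAMPLE_LOG = """\
192.168.1.10 - - [10/Mar/2014:10:01:02 +0000] "GET /links.html HTTP/1.1" 200 5120
203.0.113.25 - - [10/Mar/2014:10:01:09 +0000] "GET /links.html HTTP/1.1" 200 5120
192.168.1.57 - - [10/Mar/2014:10:02:30 +0000] "GET /links.html HTTP/1.1" 200 5120
not a log line
"""

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+$')

def is_rewritten(url):
    """True when the address-bar URL carries the danainfo marker."""
    return ",danainfo=" in url.lower()

def classify(src):
    """Label a source address relative to the SSL VPN device (hypothetical labels)."""
    if src == SSL_VPN_IP:
        return "ssl-vpn-internal-port"   # request was fetched by the reverse proxy
    if src in DMZ_NET:
        return "other-dmz-host"
    return "outside-dmz"                 # client reached the server without the proxy

def summarize(log_text):
    """Count requests per source class; malformed lines are counted, not dropped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CLF.match(line)
        try:
            counts[classify(ipaddress.ip_address(m.group(1)))] += 1
        except (AttributeError, ValueError):  # no regex match or bad address
            counts["unparsed"] += 1
    return dict(counts)

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{label:22} {n}")
```

Requests counted as outside-dmz while the address bar shows no danainfo marker indicate the browser is connecting to the server directly rather than through the rewriter.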