Endian banner

Portal

New in version 3.0-2014MMDD.

The VPN portal seamlessly operates between a client and a server, allowing a client to retrieve remote HTTP and HTTPS resources without a direct connection to the server. To do so, it processes requests from the client, then it fetches the resource from the server, and finally it delivers it back to the client. In other words, the VPN portal acts as a kind of proxy, and more precisely as a reverse proxy, i.e., a proxy in which, contrary to a normal (forward) proxy, the server resides within one zone served by the Endian UTM Appliance -usually the DMZ, while the client connects from a remote location. Hence, the connection originates from the RED untrusted network segment and, without the VPN portal, it would not be allowed.

Although in principle very similar to methods like port forwarding, the Endian UTM Appliance‘ s VPN portal advantages are manifold, as it is a fully featured web server, which provides the abilities to authenticate the client and restrict the possible source IPs for the connection, making the communication more secure. Moreover, the ability to define multiple paths from the remote connection to different resources on the server adds more flexibility to the possible configuration.

A very immediate use case that can be devised from the description is to allow a company’s employee or coworker to remotely access a resource located in the company’s Intranet, without the necessity of setting up and enabling the OpenVPN server. It is worth noting that on the same Endian UTM Appliance may coexist both a VPN server and a VPN portal.

In order to implement this use case, define a new path and the destination, then require authentication for the user, which can be carried out locally on the Endian UTM Appliance, or by connecting to a LDAP/AD installation in the Intranet.

Configuration

In this tab it is possible to configure the main portal’s options, related to the domain name and uplink used.

Enable Portal
To activate the portal, click on the grey switch, which would turn green after a few seconds.
Name
The name assigned to the portal.
Domain
The domain for which the portal is responsible and accepts traffic.
Portal owner’s name
The name of the company that owns the domain. It will be used in the help page, see next option.
Help page
By ticking this option, when a domain’s root path has not been configured, an informative page will be shown to the user connecting to the domain. The portal’s owner name will be included in that page’s content as reference for contact.
Uplink / IP Address
The uplink through which to access the resources associated to the domain.
HTTPS support
By ticking this checkbox, the VPN portal would also allow to connect to HTTPS domains.
Certificate Configuration
The certificate to be used to connect to HTTS sites.

A few more options can be configured in the Advanced panel.

HTTP Port
The port used by the portal for normal HTTP traffic.
HTTPS Port
The port used by the portal for encrypted HTTPS traffic.
Additional domains
Write in the text-field additional domain names associated with the main one, one per line.

Paths

Once the main portal configuration has been carried out, it is possible to set up the various resources that can be accessed within the zones. Here, a table carrying all the paths already defined to local resources appears at the bottom of the table. On each path it is possible to carry out the following actions:

  • on off - Disable or enable the path.
  • edit - Modify the path.
  • delete - remove the path.

New paths can be defined by clicking on the Add new path link above the table.

Path

The path to the resource requested by the client.

Note

Also all the sub-paths relative to the main path are included.

Destination
The local resource to which the traffic will be redirected by the portal, which should be located in any zone reachable from the Endian UTM Appliance.
Extended content rewriting

When this checkbox is ticked, also the content present in the local resource’s header will be rewritten

Hint

Disable this option if you experiences issues (like e.g., badly displayed pages, pages not loading, browser crash) on the path.

Allowed source IP addresses
The source IP addresses allowed to access the path.
Remark
A custom description.
Authentication required
Tick the checkbox to require authentication for the path.
Override portal authentication settings
If a custom authentication server should be used to access the path, tick the checkbox and select one from the multiselect box below.
Enabled
Tick the checkbox to activate the path.

Best practices for nested authentication.

While authentication can be present on both the VPN portal and the path reached through the portal, it is a good practice to have authentication only on either of the two sides. Indeed, there is a subtle problem with the nested authentication. Consider a scenario in which the portal requires as username-password the pair john/somepass whereas the path requires mary/otherpass. At the first connection, in the pop-up that requires authentication, the pair john/somepass shall be supplied, to gain access to the path behind the portal. Now, the pair mary/pass gives access to the path. However, when another page in the path is required, the portal receives the last credentials stored, which are those of the path and do not match with those required for the portal and another pop up for authentication is presented.

As a workaround, if nested authentication is a mandatory requirement, the suggestion is to use the same username-password pair for both the portal and the path authentication.