Orenosp Reverse SSL Proxy

    This may be a little OT, but I found this reverse proxy software from reading the Tivo forum. It basically will set up an SSL web connection that you can multiplex out to multiple servers on your back end. It will also tunnel other traffic like RDP or telnet through an SSL VPN connection. Great if your work blocks other traffic going out except 80/443. Also you wouldn't need to run SSL on your HS server.

    I set it up at home last weekend. It took me a few hours, but it is working flawlessly. Now I only need 443 open on my router and Orenosp splits the traffic to my Tivo, HS, router admin, based on the URL I hit. And I can RDP or telnet to my servers from work over the encrypted link.

    For example: if I open a connection to https://x.x.x.x/tivo it goes to the Tivo. https://x.x.x.x/hs will go to my HomeSeer box. After I authenticate to the proxy server, etc.

    Here is the link:

    http://hp.vector.co.jp/authors/VA027.../index_en.html

    #2
    Wuench,

    I have been looking for this exact type of application, thanks for the pointer.

    I do have a couple of questions however,
    a) Their diagram shows the orenosp server in the DMZ. I would doubt it, but is this where yours is placed?
    b) Looks like it is only a 30 day trial.

    Steven



      #3
      Yes, it is $100 to buy a license. I haven't done that yet. I wanted to make sure it met my needs. I am going to buy it when my eval is up at the end of the month.

      You don't have to have it in the DMZ; that would just be the most secure place to put it. I just have it in my regular network and have my router set to forward port 443 to the machine. I also run ZoneAlarm on that machine, so I can secure it further. It will only answer on URLs you have set up and will deliver a really generic error page on anything else.

      It is a proxy so it terminates the client connection on one side and opens a new connection to your web server (HS for example). I work with load balancers at work, and this software performs most of those functions. Since it recreates the connection it can perform all kinds of functions, like encryption (un-encrypt or re-encrypt), content replacement, or performance enhancements like HTTP chunking, compression.

      And I don't see how anyone can stop you if you are using the tunnelling features. The only thing that might tip them off is that you have an SSL connection open for a long period of time and transmitting a lot of data through it. Since it is all encrypted they won't be able to see into the tunnel. My proxy at work does terminate the connection if it is idle for a few minutes, but as long as I am doing something it stays up.

      I use the Java web page client for tunnelling, so you don't need to download anything to the client pc. You just authenticate and click a link and the java applet sets up connections on your client machine like 127.0.0.2:23. Then you just telnet to that address and port and it gets redirected through the tunnel to your home server. Way more secure than exposing telnet or rdp to the internet directly.



        #4
        Thanks very much for sharing this. Orenosp looks cool. Please let us know how it performs (stability, CPU load, etc.) as you spend more time with it.

        Not to hijack your thread, but I'd also be interested in learning from others what software (or hardware) they are using for secure access and tunneling to their LANs, especially for remote RDP access.

        Don



          #5
          SSL Explorer also looks very good, though I haven't tried it.

          It is open source / free:
          http://www.sshtools.com/showSslExplorer.do

          Don



            #6
            SSL Explorer looks pretty slick, it even has a formal install. Looks like it is a lot easier to set up than orenosp. And you can't beat the price.

            When I get some time I am going to give it a shot...



              #7
              Wuench, all,

              I've been using SSL Explorer now for a few days and I am very impressed.

              It provides secure access to your LAN, including RDP, web access (e.g. HomeSeer), and shared web folders all over SSL/VPN. You only need to open one port in your router/firewall and forward it to the computer running SSL Explorer. No software has to be pre-installed on your client computer(s), as the VPN client is a Java applet that is downloaded once you connect/login to SSL Explorer (via https).

              Also, if you try to connect from a client that is behind a HTTP/HTTPS proxy then the VPN applet can detect the proxy settings from your browser and tunnel through.

              The software feels very professional and is completely free. Performance is pretty good too, even RDP into the LAN via DSL works well. Configuration is likely easier than orenosp since it is accomplished via the web interface (no scripts to create).

              Don



                #8
                I installed SSL Explorer and became a little confused in the setup process. There are various options available and I don't know which route is best for me. I simply want to get access to my HomeSeer Web Server on port 8080 from an external WAN connection that has port 8080 blocked. The problem is getting through port 8080 and SSL should do that for me.

                With SSL Explorer there is the Web Forwarding, there are Services and variations of different types of proxies. The first I tried, based upon the Outlook example, limited access to specific paths without doing DNS games, so I do not think this is the correct way.

                Can you tell me what approach I should take and any pointers?



                  #9
                  I have also gotten SSL Explorer up and running. And Michael, I am feeling your pain. The SSL VPN applications seem to be working well. And were simple to set up under My Applications.

                  Web Forwarding settings are a bit confusing. Here is how I understand the 3 options.

                  1.) Reverse Proxy - is used to forward to servers using the path to make its decision. But unlike orenosp, the path has to already exist on the server or you have to use activeDNS/wildcard DNS so it can append a name to the front of the DNS name to make a decision on where to send you. This doesn't work for me since I am using dyndns which won't allow wildcard DNS, and my multiple sites don't have paths. Kind of a screwy setup if you ask me. Seems to be designed almost specifically for OWA.

                  2.) Secure Proxy - Not sure exactly how this works, but it looks like it wants to pass the authentication info to the web site. I get 500 (authentication) errors.

                  3.) Single Site - This is the only one that works for me. But it requires you to activate the SSL VPN tunnel so you can tunnel your request through. Set up your target URL as your HomeSeer box http://x.x.x.x:8080. Activate the VPN client (click the offline on the top right) and it should work.

                  As far as stability, it takes me several tries to connect with the VPN client from work, but they recently upgraded our ISA array and we are having lots of issues so I am blaming our Windows group (and MS) for now.

                  I have also been doing some reading on how to prevent tunneling. And basically the recommendation is that they block HTTPS to all but known sites. Kind of difficult for the administrators. So I would say, if they let you hit sites like Amazon, etc. to do your xmas shopping then they won't stop this. Unless of course they deny your home IP or DNS name specifically. Again, a big pain for the security admins to keep up with.



                    #10
                    Hi Michael,

                    If you only have one web server (HS) running on your LAN, and you want secure access to the server from the WAN, then it's probably easiest to use the "single site web forward" option. You don't need to create any specific tunnels under "Admin->Global Resources->SSL-Tunneling".

                    The first thing you must do is open port 443 on your router/firewall and forward this to port 443 on the computer in your LAN which is running SSL explorer. This is the only port that needs to be opened on your router/firewall -- not 8080, 80, etc.

                    Assuming you've already created an account and a certificate in SSL Explorer, then the next step is to set up a single site web forward with a target URL of "http://addr:port" where addr:port is the private IP address (or computer name) and port where the HS web server is running. For example, http://192.168.1.1:8080 or http://homeseer:8080.

                    From inside your LAN, you can continue to access the HS web server directly as you did before.

                    From any client PC on the WAN, you instead connect to SSL explorer (https://your_home_public_ip) and login to the account you've created in SSL explorer. Once logged in, you start the VPN client applet (button on web page) and then click on the web forward shortcut you've setup in SSL explorer per above. This will launch a new browser window that will connect back to the HS web server by tunneling traffic through the secure link into your LAN. So, if you look at the "URL" shown in the new browser window on your client, it will actually appear as http://localhost:randomport.

                    Just let me know if you need more help, and I can try to capture some screen shots for you.

                    Don

                    PS Once you have this working, you might also want to configure an application shortcut or two for RDP'ing into computers on your LAN. The network places (web folders) feature is also pretty slick for secure access to shared folders.



                      #11
                      Oh yeah, one other fix I had to make was to update the XML extension file for Putty. It is setup for SSH and I needed telnet for my Tivo. Basically I had to go in and strip out the arguments being passed on the command line forcing SSH.

                      If you guys haven't looked at this yet, it is really easy to set up your own extensions. It uses XML to create the web page and you will basically download the application (Putty.exe or Default RDP profile) and it will call it with arguments entered on the web page.



                        #12
                        Wuench,

                        With regards to stability, you don't by chance have a firewall enabled on the box that is running SSL explorer, do you? When ZoneAlarm was running on my box, it did not work very well, especially with RDP connections.

                        I briefly looked at the XML stuff. Very cool, but more than I needed at the moment.

                        Do you notice much/any difference in performance/speed between SSL explorer and orenosp?

                        Don



                          #13
                          Thank You for the pointers.

                          I was able to get the Single Site to work. I actually would like multiple ports and multiple PCs on the LAN to have the same access. It would also be nice to allow LAN links be honored over the WAN. Should I continue to setup individual Single Site links and forget about the LAN links? Is there a more efficient way to move to the next level?

                          I will have typically 20 or so links at the top of each of my web pages which point to other locations on the LAN, so they will have addresses such as 192.168.x.x:yy. I could set up 20 SSL Explorer links, but it would be nice to be able to navigate my LAN links from the WAN. If I thought about it enough I may be able to make the links dynamically generated in the ASP, but I'm not certain what I will get when I have a URL such as http://localhost:50509/ and I need to get to 192.168.x.x:yy?Page=Water

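Posts #1 and #3 describe the path-based multiplexing an SSL reverse proxy does (one public port, routing by URL prefix, a generic error page for anything not set up), and post #13 runs into the absolute 192.168.x.x:yy links that break once pages are viewed through a proxy. The sketch below is an added example, not Orenosp's or SSL Explorer's code; the route table, backend addresses and listen port are constructed assumptions, and TLS termination and proxy authentication are left out.

```python
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed route table (assumption): URL prefix -> (backend host, port).
ROUTES = {"/tivo": ("192.168.1.10", 80), "/hs": ("192.168.1.20", 8080)}
# Unknown URLs get this page, with nothing that hints at what sits behind the proxy.
GENERIC_ERROR = b"<html><body><h1>Not Found</h1></body></html>"

def route(path):
    """Map a request path to (host, port, backend_path), or None if no prefix matches."""
    for prefix, (host, port) in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return host, port, path[len(prefix):] or "/"
    return None

def rewrite_links(body, public_base):
    """Content replacement: absolute backend links become proxied paths, so pages
    that link to 192.168.x.x:yy keep working when viewed through the proxy."""
    for prefix, (host, port) in ROUTES.items():
        origin = "http://" + host + ("" if port == 80 else f":{port}")
        # Match "origin/" so 192.168.1.1 cannot swallow 192.168.1.10.
        body = body.replace(origin + "/", public_base + prefix + "/")
    return body

class Mux(BaseHTTPRequestHandler):
    def do_GET(self):
        target = route(self.path)
        if target is None:  # terminate here; never touch a backend for unknown URLs
            self.send_response(404)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(GENERIC_ERROR)
            return
        host, port, backend_path = target
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("GET", backend_path, headers={"Host": f"{host}:{port}"})
        resp = conn.getresponse()
        body, ctype = resp.read(), resp.getheader("Content-Type", "application/octet-stream")
        if ctype.startswith("text/html"):
            public_base = "https://" + self.headers.get("Host", "localhost")
            body = rewrite_links(body.decode("utf-8", "replace"), public_base).encode()
        self.send_response(resp.status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # TLS termination and authentication are omitted; add both before exposing this.
    HTTPServer(("127.0.0.1", 8443), Mux).serve_forever()
```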


                            #14
                            Hi Michael,

                            Like Wuench, I tried secure proxy and it didn't work with the HS server, so I don't think a solution lies there (at least not yet).

                            Currently, I'm only accessing the HS web page (single site) and all links within the page work fine. In your case, maybe your best bet is to set up RDP to the HS server machine, and then once RDP'd in, you can open a browser and work just as you would on your LAN. No other changes needed to web links, etc.

                            I don't think this is a bad solution really, as both single site web forward and RDP require the VPN client to be run anyway, and in my testing over the DSL line, RDP was just as snappy as web forwarding, perhaps more so.

                            Don



                              #15
                              I was not aware that RDP was a viable option with W2K Professional. I think the reason you do not have a problem with your links is because they are all relative to the HS server. In my case each link has a unique server.
