How do I do this?

Moderator: Qbik Staff

How do I do this?

Postby sduffey » Feb 19 09 4:02 am

I am still running 6.22. I have an APC digital KVM on our network that I want to punch through the WinGate server to access. The problem is the web-based interface on the KVM uses SSL. I created an incoming SSL connection in WinGate that is configured to forward to the KVM's IP address. However, when I try to connect from the outside the page never loads and just spins. On the WinGate side I see the incoming connection but it just shows me trying to load "http://" and nothing else. I have the SSL connection configured to look for a specific URL to forward to the KVM, like "apckvm.mydomain.com". I have it forwarding any such request to the KVM on port 443.

What am I doing wrong?
sduffey
 
Posts: 38
Joined: Jun 16 05 2:22 am

Re: How do I do this?

Postby adrien » Feb 19 09 9:31 am

Hi

What do you mean by "I created an incoming SSL connection in WinGate that is configured to forward to the KVM's IP address"?

Is this a TCP mapping proxy which has SSL associated with its binding?

If so, you'll break the end-to-end SSL encryption with the KVM, since the connection between the client and WinGate will be SSL, but WinGate will make a non-SSL connection to the KVM.

Simply turning off SSL on the binding should fix this, then the SSL negotiation will go through to the KVM.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How do I do this?

Postby sduffey » Feb 19 09 9:45 am

Yes, it is a TCP mapping. So to turn off SSL I just need to deselect "Allow any port to be connected" under the https portion of the mapping?
sduffey
 
Posts: 38
Joined: Jun 16 05 2:22 am

Re: How do I do this?

Postby adrien » Feb 19 09 5:32 pm

You mean the encryption tab?

The encryption tab is related to Qbik proprietary encryption, not SSL... it was originally designed/intended way back in like 1997 to enable 2 WinGates to set up a secure TCP tunnel across the internet.

So, yep - turn this off as well.

I guess the TCP mapping proxy could use an update, e.g. have a setting whereby if the incoming connection was SSL, then make the outbound connection SSL, or not, depending on config, so you could use it as a simple SSL front end to something that didn't use SSL, or you could use it to do whatever basic protocol analysis it does on an end-to-end SSL connection.
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How do I do this?

Postby sduffey » Feb 20 09 7:51 am

Ok to clear up the confusion... I originally said it WAS a TCP mapping I had set up, it wasn't, it was an incoming web proxy that I configured to listen on 443. When I killed that and set up a TCP mapping like you said it worked right away. However now I have another problem. One of the reasons I originally tried doing this with an incoming reverse web proxy was so that I could apply policies to it that only served requests that had "sub.ourdomain.com" in them.

With a TCP mapping I cannot do that but I need to find a way to restrict incoming access so people aren't bouncing off an open port 443. I currently have it restricted by having my home IP address as an assumed user. However I want to be able to access the KVM from anywhere, not just networks I statically define. How can I go about configuring the connection to do this without opening it up for the whole world to live on?
sduffey
 
Posts: 38
Joined: Jun 16 05 2:22 am

Re: How do I do this?

Postby adrien » Feb 20 09 10:37 am

Hi

People can't bounce off a TCP mapping proxy; all they can do is hit whatever it points through to, in this case your KVM switch. Depending on how much you trust the KVM switch to cope with attacks, you could do nothing or do something like set policy on the TCP mapping to require auth, then auth with something else before you connect.

I'd definitely recommend moving the port number off the standard port 443 as well.

Adrien
adrien
Qbik Staff
 
Posts: 5448
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: How do I do this?

Postby sduffey » Feb 21 09 2:23 am

Ok that is good advice, I moved it to a non-standard port and have it redirecting to the APC KVM on 443 on the back end.
sduffey
 
Posts: 38
Joined: Jun 16 05 2:22 am
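
The behaviour adrien describes in this thread, a plain TCP mapping that lets the SSL negotiation go through to the KVM untouched, shown as an added example (not part of the thread and not WinGate code). It is a minimal loopback relay in Python; the function names, the stand-in backend and the constructed handshake bytes are all assumptions made for the illustration.

```python
import socket
import threading

# Constructed sample: TLS record header (type 0x16 handshake, version 3.1,
# length 5) plus the start of a ClientHello. Not a complete, valid hello.
SAMPLE_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])

def looks_like_tls(first_bytes: bytes) -> bool:
    """True when the bytes begin with an SSLv3/TLS handshake record header."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03

def pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until src reaches EOF, then pass the EOF on."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer went away; nothing left to relay

def serve_mapping(listener: socket.socket, backend_addr) -> None:
    """Accept one client and relay both directions without touching the bytes."""
    client, _ = listener.accept()
    backend = socket.create_connection(backend_addr)
    reply_path = threading.Thread(target=pump, args=(backend, client), daemon=True)
    reply_path.start()
    pump(client, backend)
    reply_path.join(timeout=2)
    client.close()
    backend.close()

def demo() -> bytes:
    """Send SAMPLE_HELLO through the mapping; return what the backend saw."""
    backend = socket.create_server(("127.0.0.1", 0))   # stand-in for the KVM
    mapping = socket.create_server(("127.0.0.1", 0))   # stand-in for the mapping
    backend.settimeout(2)
    threading.Thread(target=serve_mapping,
                     args=(mapping, backend.getsockname()), daemon=True).start()
    with socket.create_connection(mapping.getsockname()) as client:
        client.sendall(SAMPLE_HELLO)
        conn, _ = backend.accept()
        received = conn.recv(len(SAMPLE_HELLO), socket.MSG_WAITALL)
    conn.close()
    backend.close()
    mapping.close()
    return received

if __name__ == "__main__":
    print(demo().hex())
```

The backend receiving the same handshake record the client sent is what keeps the SSL session end to end; a hop that terminates SSL itself would instead hand the backend plaintext, for which `looks_like_tls` returns False.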

