Security from 3SP

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR 3SP REPRESENTATIVE FOR A COPY.

IN NO EVENT SHALL 3SP OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF
3SP OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

SSL-Explorer: Administrators Guide


Copyright © 2007 3SP Ltd. All rights reserved.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between 3SP and any other company.

2
PREFACE .......................................................................................................................................14
DOCUMENT OBJECTIVE ...................................................................................................................................... 14
Audience ................................................................................................................................................... 14
Related Documentation .......................................................................................................................... 14
Document Organization .......................................................................................................................... 15
Document Convention............................................................................................................................. 15
OBTAINING DOCUMENTATION ............................................................................................................................ 15
3SP.com .................................................................................................................................................... 15
DOCUMENTATION FEEDBACK .............................................................................................................................. 16
OBTAINING TECHNICAL ASSISTANCE................................................................................................................... 16
INTRODUCTION............................................................................................................................17
MANAGEMENT CONSOLE ..............................................................................................................17
PURPOSE ........................................................................................................................................................... 17
ACCESSIBILITY ................................................................................................................................................... 18
MANAGEMENT CONSOLE INTERFACE ................................................................................................................... 19
Areas of Functionality.............................................................................................................................. 19
Navigation Icons ...................................................................................................................................... 20
Options Icon ............................................................................................................................................. 20
WIZARDS ........................................................................................................................................................... 21
Cancel Process ......................................................................................................................................... 21
SELECTION PROCESS .......................................................................................................................................... 21
Configure................................................................................................................................................... 22
GETTING HELP................................................................................................................................................... 22
AMENDING CONFIGURATION PARAMETERS .......................................................................................................... 22
SSL-VPN OVERVIEW .....................................................................................................................23
BASIC TECHNOLOGY OVERVIEW ......................................................................................................................... 23
IPsec VPNs ................................................................................................................................................ 23
SSL-Based VPNs ....................................................................................................................................... 24
IPsec vs. SSL VPN .................................................................................................................................... 24
SSL-EXPLORER .................................................................................................................................................. 24
SSL-Explorer Editions .............................................................................................................................. 26
DEPLOYMENT ...............................................................................................................................27
DEPLOYMENT SCENARIOS ................................................................................................................................... 27
Non-DMZ ................................................................................................................................................... 27
Within the DMZ ........................................................................................................................................ 28
Behind the DMZ ....................................................................................................................................... 28
DEPLOYMENT CONSIDERATIONS ......................................................................................................................... 29
SUMMARY .......................................................................................................................................................... 29
INSTALLING SSL-EXPLORER ........................................................................................................31
INSTALLATION .............................................................................................................................31
INSTALLATION PREREQUISITES ........................................................................................................................... 31
INSTALLATION OF SSL-EXPLORER ...................................................................................................................... 31
SSL-EXPLORER: COMMUNITY EDITION - SOURCE CODE INSTALLATION ............................................................... 39
Pre-requisites............................................................................................................................................ 39
Configuring a Service .............................................................................................................................. 41
SSL-EXPLORER RPM INSTALLATION ON REDHAT 8.0......................................................................................... 42
UPGRADING SSL-EXPLORER ............................................................................................................................... 43
UPGRADING FROM 0.1.16 TO 0.2.X ................................................................................................................... 44
MANAGING THE INSTANCE .................................................................................................................................. 46
Build Scripts .............................................................................................................................................. 46
Managing the Windows Service ............................................................................................................. 47
Determining the Service Status ............................................................................................................. 48
ACCESSING THE INSTANCE ................................................................................................................................. 50
SERVER MIGRATION ........................................................................................................................................... 51
INSTALLATION WIZARD ..............................................................................................................53
CERTIFICATE MANAGEMENT........................................................................................................53
PROTECTING PRIVATE DATA............................................................................................................................... 53
What is an SSL Certificate? .................................................................................................................... 53
Certification Authority ............................................................................................................................. 54
CONFIGURE CERTIFICATE INTERFACE.................................................................................................................. 55
CREATE NEW CERTIFICATE................................................................................................................................. 55
What is a Keystore?................................................................................................................................. 57
IMPORT EXISTING CERTIFICATE ......................................................................................................................... 58
USER DATABASES .........................................................................................................................59
WHAT IS ACTIVE DIRECTORY? ........................................................................................................................... 59
Active Directory within SSL-Explorer..................................................................................................... 59
WHAT IS HSQLDB? .......................................................................................................................................... 60
HSQLDB within SSL-Explorer ................................................................................................................. 60
WHAT IS LDAP? ............................................................................................................................................... 60
LDAP within SSL-Explorer ....................................................................................................................... 60
WHAT IS NIS? .................................................................................................................................................. 60
NIS Database with SSL-Explorer ........................................................................................................... 61
CONFIGURE USER DATABASE INTERFACE ............................................................................................................ 61
CONFIGURING THE BUILT-IN DATABASE.............................................................................................................. 62
CONFIGURING ACTIVE DIRECTORY ..................................................................................................................... 62
CONFIGURING ENHANCED ACTIVE DIRECTORY .................................................................................................... 65
Organizational Units (OUs) ..................................................................................................................... 66
Organizational Unit Filter ........................................................................................................................ 66
Modifying Filters ....................................................................................................................................... 67
Troubleshooting ....................................................................................................................................... 68
CONFIGURING LDAP.......................................................................................................................................... 69
CONFIGURING NIS ............................................................................................................................................ 72
CONFIGURING SUPER USER ........................................................................................................73
SUPER USER RESPONSIBILITY ............................................................................................................................ 73
Super User Rights .................................................................................................................................... 74
CONFIGURE SUPER USER INTERFACE .................................................................................................................. 74
CONFIGURING THE SUPER USER ......................................................................................................................... 75
CONFIGURING WEB SERVER........................................................................................................77
WHAT IS HTTP/S? ........................................................................................................................................... 77
SSL-Explorer HTTP/S............................................................................................................................... 77
Is it Secure?.............................................................................................................................................. 77
THE JETTY WEB SERVER .................................................................................................................................... 78
CONFIGURE WEB SERVER INTERFACE ................................................................................................................. 79
CONFIGURE WEB SERVER................................................................................................................................... 79
Listening Interface ................................................................................................................................... 80
Modifying Interfaces ................................................................................................................................ 81
EXTERNAL HOSTNAMES ...................................................................................................................................... 81
Modifying Hostnames .............................................................................................................................. 81
EXTERNAL PROXY SUPPORT ........................................................................................................83
WHAT IS A PROXY SERVER? ............................................................................................................................... 83
PROXY USE WITH SSL-EXPLORER ....................................................................................................................... 84
CONFIGURE EXTERNAL PROXIES INTERFACE ........................................................................................................ 84
CONFIGURE EXTERNAL PROXIES ......................................................................................................................... 85
ENTERPRISE EDITION..................................................................................................................86
COMMUNITY EDITION VS. ENTERPRISE EDITION ................................................................................................. 86
INSTALL SSL-EXPLORER ENTERPRISE EDITION INTERFACE .................................................................................. 87
FINALIZING INSTALLATION ........................................................................................................88
THE SUMMARY PAGE .......................................................................................................................................... 88
Making Modifications ............................................................................................................................... 88
SUMMARY INTERFACE ......................................................................................................................................... 88
SUMMARY .......................................................................................................................................................... 89
Unsuccessful Configuration .................................................................................................................... 90
PUBLISHING SERVER ...................................................................................................................91
PRE-REQUISITES ................................................................................................................................................ 91
CONFIGURING SSL-EXPLORER WITH A FIREWALL ................................................................................................ 91
TESTING THE SSL-EXPLORER SERVICE................................................................................................................ 92
SYSTEM CONFIGURATION............................................................................................................93
SERVER CONFIGURATION............................................................................................................93
INTERFACE......................................................................................................................................................... 94
CONFIGURE WEB SERVER................................................................................................................................... 95
Web Server Interface .............................................................................................................................. 95
Configuration Parameters ....................................................................................................................... 95
Reconfigure Listening Interface............................................................................................................. 96
Reconfigure External Hostnames .......................................................................................................... 96
CONFIGURE PERFORMANCE ................................................................................................................................ 97
Performance Interface ............................................................................................................................ 97
Configuration Parameters ....................................................................................................................... 97
CONFIGURE PROXIES ......................................................................................................................................... 98
Proxy Interface......................................................................................................................................... 98
Configuration Parameters ....................................................................................................................... 98
CONFIGURE USER INTERFACE ............................................................................................................................. 99
UI Interface .............................................................................................................................................. 99
Configuration Parameters ....................................................................................................................... 99
CONFIGURE SSL .............................................................................................................................................. 100
SSL Interface .......................................................................................................................................... 100
Configuration Parameters ..................................................................................................................... 100
CONFIGURE TIME SYNCHRONIZATION ............................................................................................................... 101
Time synchronization Interface ........................................................................................................... 101
Configuration Parameters ..................................................................................................................... 101
RESOURCES ................................................................................................................................102
INTERFACE....................................................................................................................................................... 102
CONFIGURABLE RESOURCES ............................................................................................................................. 102
NETWORK PLACES............................................................................................................................................ 102
Network Places Interface...................................................................................................................... 103
Configuration Parameters ..................................................................................................................... 103
WEB FORWARDING .......................................................................................................................................... 104
Web Forward Interface ......................................................................................................................... 104
Configuration Parameters ..................................................................................................................... 104
MICROSOFT WINDOWS INTEGRATION .....................................................................................106
WINDOWS FILE SHARING ................................................................................................................................. 106
What is CIFS? ......................................................................................................................................... 106
File Sharing Interface ............................................................................................................................ 106
Configurable Parameters ...................................................................................................................... 107
What is WINS? ....................................................................................................................................... 109
What is the LMHOSTS File? .................................................................................................................. 109
What is NetBIOS? .................................................................................................................................. 109
What is DNS?.......................................................................................................................................... 110
SECURITY OPTIONS ...................................................................................................................111
INITIAL OPTIONS ............................................................................................................................................. 111
PASSWORD OPTIONS ....................................................................................................................................... 111
Password Options Interface ................................................................................................................. 112
Configuration Parameters ..................................................................................................................... 112
SESSION OPTIONS ........................................................................................................................................... 114
Session Options Interface..................................................................................................................... 114
Configuration Parameters ..................................................................................................................... 114
CONFIDENTIAL ATTRIBUTES ............................................................................................................................. 115
Confidential Attribute Interface ........................................................................................................... 115
CONFIGURATION PARAMETERS ......................................................................................................................... 115
POLICY OPTIONS ............................................................................................................................................. 116
Policy Options Interface ........................................................................................................................ 116
CONFIGURATION PARAMETERS ......................................................................................................................... 116
LOGON PAGE ................................................................................................................................................... 117
Logon Page Interface ............................................................................................................................ 117
CONFIGURATION PARAMETERS ......................................................................................................................... 117
MESSAGING................................................................................................................................118
MESSAGE QUEUE ............................................................................................................................................. 118
WHAT IS SMTP?............................................................................................................................................. 118
SMTP and SSL-Explorer ........................................................................................................................ 119
MESSAGING INTERFACE .................................................................................................................................... 119
CONFIGURATION PARAMETERS ......................................................................................................................... 120
BASIC CONFIGURATION ............................................................................................................121
EXTENSION MANAGER ...............................................................................................................121
WHAT ARE EXTENSIONS? ................................................................................................................................. 121
Installation of Extensions ..................................................................................................................... 122
Anatomy of an Extension...................................................................................................................... 122
EXTENSION MANAGER INTERFACE..................................................................................................................... 123
Action Icons ............................................................................................................................................ 123
INSTALL AN EXTENSION.................................................................................................................................... 124
UPDATING AN EXTENSION ................................................................................................................................ 125
REMOVING AN EXTENSION................................................................................................................................ 126
UPLOAD AN EXTENSION.................................................................................................................................... 126
BESPOKE APPLICATION EXTENSIONS ................................................................................................................. 127
SSL CERTIFICATES .....................................................................................................................128
REVISITING CERTIFICATES ............................................................................................................................... 128
Encryption ............................................................................................................................................... 128
Authentication ........................................................................................................................................ 129
SSL-Certificates ...................................................................................................................................... 129
Certification Authority ........................................................................................................................... 129
Trustworthy Certificates........................................................................................................................ 130
SSL-CERTIFICATES INTERFACE ........................................................................................................................ 130
Action Icons ............................................................................................................................................ 131
Certificate Actions .................................................................................................................................. 131
CREATING A CA ............................................................................................................................................... 132
PURCHASING CERTIFICATES ............................................................................................................................. 134
GENERATING A CSR......................................................................................................................................... 136
IMPORTING A CERTIFICATE .............................................................................................................................. 138
EXPORTING KEYS AND CERTIFICATES................................................................................................................ 139
ATTRIBUTES ...............................................................................................................................140
WHAT ARE ATTRIBUTES? ................................................................................................................................. 140
Security Questions ................................................................................................................................. 140
Applications ............................................................................................................................................ 141
Web Forwards ........................................................................................................................................ 141
Types of Attributes ................................................................................................................................ 142
ATTRIBUTE INTERFACE ..................................................................................................................................... 142
Action Icons ............................................................................................................................................ 143
CREATING ATTRIBUTES .................................................................................................................................... 143
EDITING AN ATTRIBUTE ................................................................................................................................... 147
DELETING AN ATTRIBUTE ................................................................................................................................. 147
HOW TO USE ATTRIBUTES ................................................................................................................................ 147
Session Variable ..................................................................................................................................... 148
LICENSE MANAGER ....................................................................................................................150
LICENSE MANAGER........................................................................................................................................... 150
LICENSE MANAGER INTERFACE ......................................................................................................................... 150
Action Icons ............................................................................................................................................ 151
UPLOADING A LICENSE ..................................................................................................................................... 151
DELETING A LICENSE ....................................................................................................................................... 151
SECURE NODE.............................................................................................................................152
WHAT IS A SECURE NODE? ............................................................................................................................... 152
What is its function? .............................................................................................................................. 152
WHAT ARE ROUTES? ....................................................................................................................................... 153
Visibility ................................................................................................................................................... 153
Compatible Resources ........................................................................................................................... 154
INSTALLING SECURE NODE CLIENT ................................................................................................................... 154
Authorize Secure Node ......................................................................................................................... 156
SECURE NODE INTERFACE ................................................................................................................................ 156
Action Icons ............................................................................................................................................ 156
CREATE NEW ROUTE........................................................................................................................................ 157
Enabling Routes ..................................................................................................................................... 158
EDITING A SECURE NODE ................................................................................................................................. 159
EDITING A ROUTE ............................................................................................................................................ 159
DELETING A SECURE NODE .............................................................................................................................. 159
DELETING A ROUTE.......................................................................................................................................... 159
SECURE NODE CONFIGURATION ....................................................................................................................... 160
PUBLIC KEY INFRASTRUCTURE .................................................................................................161
Encryption ............................................................................................................................................... 161
Authentication ........................................................................................................................................ 161
ACCESS CONTROL ADMINISTRATION........................................................................................164
INTRODUCTION..........................................................................................................................164
OVERVIEW ....................................................................................................................................................... 164
System of Trust ...................................................................................................................................... 165
Levels of Trust........................................................................................................................................ 165
ACCESS CONTROL ARCHITECTURE .................................................................................................................... 165
What is a Resource? .............................................................................................................................. 166
What is a Principal? ............................................................................................................................... 166
What is a Policy? .................................................................................................................................... 167
What is Permission? .............................................................................................................................. 167
FLEXIBILITY ..................................................................................................................................................... 168
CREATING ACCOUNTS ................................................................................................................169
PRINCIPAL TYPES ............................................................................................................................................. 169
SUPER USER ACCOUNT..................................................................................................................................... 169
ACCOUNT INTERFACE ....................................................................................................................................... 170
Action Icons ............................................................................................................................................ 170
CREATE NEW ACCOUNT.................................................................................................................................... 171
Assigning Groups ................................................................................................................................... 172
EDITING AN ACCOUNT ...................................................................................................................................... 172
DELETING AN ACCOUNT ................................................................................................................................... 173
CREATING GROUPS ....................................................................................................................174
WHAT ARE GROUPS?........................................................................................................................................ 174
GROUPS INTERFACE ......................................................................................................................................... 175
Action Icon.............................................................................................................................................. 175
CREATE NEW GROUP ....................................................................................................................................... 175
EDITING A GROUP............................................................................................................................................ 176
DELETE GROUP ................................................................................................................................................ 177
CREATING POLICIES ..................................................................................................................178
WHAT IS A POLICY?......................................................................................................................................... 178
Principal Pool .......................................................................................................................................... 178
Stateless .................................................................................................................................................. 178
POLICY INTERFACE........................................................................................................................................... 179
Action Icons ............................................................................................................................................ 179
CREATE POLICY ............................................................................................................................................... 179
EDITING A POLICY ........................................................................................................................................... 182
DELETE POLICY................................................................................................................................................ 182
CREATING ACCESS RIGHTS........................................................................................................183
WHAT IS A RESOURCE?.................................................................................................................................... 183
WHAT ARE ACCESS RIGHTS? ............................................................................................................................ 183
ACCESS RIGHTS INTERFACE ............................................................................................................................. 184
Action Icons ............................................................................................................................................ 184
CREATING AN ACCESS RIGHT ........................................................................................................................... 185
EDITING ACCESS RIGHTS ................................................................................................................................. 188
DELETE ACCESS RIGHTS .................................................................................................................................. 188
AUTHENTICATION SCHEMES......................................................................................................189
WHAT IS AN AUTHENTICATION SCHEME?.......................................................................................................... 189
AUTHENTICATION SCHEME INTERFACE .............................................................................................................. 191
Action Icons ............................................................................................................................................ 192
CREATING AN AUTHENTICATION SCHEME .......................................................................................................... 192
DELETING AN AUTHENTICATION SCHEME .......................................................................................................... 194
AUTHENTICATION MODULES ............................................................................................................................. 194
PASSWORD AUTHENTICATION........................................................................................................................... 196
Creating a Password.............................................................................................................................. 196
Modifying a Password ........................................................................................................................... 196
Configuring Passwords .......................................................................................................................... 198
PERSONAL QUESTIONS AUTHENTICATION ......................................................................................................... 201
Configuring Answers ............................................................................................................................. 201
PIN AUTHENTICATION ..................................................................................................................................... 203
Modifying a PIN...................................................................................................................................... 203
Configuring PIN ...................................................................................................................................... 204
OTP AUTHENTICATION .................................................................................................................................... 206
Defining Recipient Details..................................................................................................................... 207
Configure Service Provider ................................................................................................................... 209
Configuring OTP ..................................................................................................................................... 211
CLIENT CERTIFICATES ...................................................................................................................................... 213
Enable Authentication ........................................................................................................................... 215
Creating a CA ......................................................................................................................................... 216
Creating Client Certificates ................................................................................................................... 218
Importing Certificate into Browser ...................................................................................................... 223
Using Active Directory Certificates ...................................................................................................... 226
Configuring Client Certificates.............................................................................................................. 229
PUBLIC KEY AUTHENTICATION.......................................................................................................................... 230
Identity Creation .................................................................................................................................... 231
Reset Identity ......................................................................................................................................... 233
Configuring Public Key .......................................................................................................................... 235
Import Identity ....................................................................................................................................... 235
IP AUTHENTICATION ........................................................................................................................................ 237
Creating a Restriction ............................................................................................................................ 237
RADIUS AUTHENTICATION.............................................................................................................................. 238
Configuring RADIUS .............................................................................................................................. 239
REMOTE CLIENT AUTHENTICATION ................................................................................................................... 240
WebDAV .................................................................................................................................................. 240
Embedded Client .................................................................................................................................... 240
HARDWARE TOKEN AUTHENTICATION......................................................................................241
SAFENET IKEY 2032 CONFIGURATION ............................................................................................................ 241
SafeNet CIP Utilities .............................................................................................................................. 242
Importing SSL Certificates into the Devices....................................................................................... 243
ALADDIN ETOKEN PRO CONFIGURATION .......................................................................................................... 247
Using eToken Properties ....................................................................................................................... 247
RSA SECURID AUTHENTICATION MANAGER ..................................................................................................... 252
Configuring an Authentication Scheme that uses RADIUS .............................................................. 252
Add an Agent Host Record for the SSL-Explorer server................................................................... 255
Add the SSL-Explorer Server as a RADIUS client .............................................................................. 256
Importing and Assigning Tokens to your Users ................................................................................ 257
Test the Authentication Process .......................................................................................................... 259
Synchronization with Microsoft Active Directory ............................................................................... 261
VASCO DIGIPASS TOKEN CONFIGURATION ...................................................................................................... 263
Configure the RADIUS server in VACMAN Middleware..................................................................... 263
Add the SSL-Explorer Server to VACMAN as a RADIUS client......................................................... 265
Create Users in VACMAN Middleware ................................................................................................. 266
Importing Digipass Tokens to VACMAN ............................................................................................. 267
Assign Digipass Tokens to Users ......................................................................................................... 269
Test the Authentication Process .......................................................................................................... 270
SAFEWORD ..................................................................................................................................................... 272
Installing SafeWord ............................................................................................................................... 272
Configuring SafeWord ........................................................................................................................... 278
Configuring IAS ...................................................................................................................................... 281
Configuring SSL-Explorer ...................................................................................................................... 283
RESOURCE MANAGEMENT..........................................................................................................286
INTRODUCTION..........................................................................................................................286
WHAT ARE RESOURCES? .................................................................................................................................. 286
RESOURCE WIZARDS ........................................................................................................................................ 287
AVAILABLE RESOURCES .................................................................................................................................... 287
EXECUTING A RESOURCE .................................................................................................................................. 288
SSL-EXPLORER AGENT ...............................................................................................................289
WHAT IS THE SSL-EXPLORER AGENT? ............................................................................................................. 289
Communication with Browser .............................................................................................................. 289
Precautions ............................................................................................................................................. 290
STARTING THE AGENT ...................................................................................................................................... 290
STOPPING THE AGENT ...................................................................................................................................... 291
EXECUTING RESOURCES FROM AGENT............................................................................................................... 291
WEB FORWARDS ........................................................................................................................292
WHAT IS A WEB FORWARD? ............................................................................................................................ 292
TECHNICAL OVERVIEW ..................................................................................................................................... 293
Tunneled Web Forwards ....................................................................................................................... 293
Replacement Proxy Web Forwards ..................................................................................................... 293
Reverse Proxy ........................................................................................................................................ 294
WEB FORWARD INTERFACE .............................................................................................................................. 294
Action Icons ............................................................................................................................................ 295
CREATING A NEW WEB FORWARD..................................................................................................................... 296
Configuring a Tunneled Web Forward ................................................................................................ 297
Configuring a Replacement Proxy Web Forward............................................................................... 298
Configuring a Reverse Proxy Web Forward ....................................................................................... 300
EDITING A WEB FORWARD ............................................................................................................................... 304
DELETING A WEB FORWARD............................................................................................................................. 304
OUTLOOK WEB ACCESS AND MAIL CHECK......................................................................................................... 305
NETWORK PLACES......................................................................................................................307
WHAT IS A NETWORK PLACE? .......................................................................................................................... 307
Web Folders............................................................................................................................................ 307
NETWORK PLACES INTERFACE .......................................................................................................................... 308
Action Icons ............................................................................................................................................ 308
CREATING A NEW NETWORK PLACE .................................................................................................................. 309
File Management ................................................................................................................................... 312
EDITING A NETWORK PLACE ............................................................................................................................. 313
DELETING A NETWORK PLACE .......................................................................................................................... 313
WEB FOLDERS WINDOWS ACCESS .................................................................................................................... 313
ENTERPRISE DRIVE MAPPING ........................................................................................................................... 319
How does this differ from WebDAV? .................................................................................................. 319
Configuring Drive Mapping ................................................................................................................... 320
APPLICATIONS ...........................................................................................................................321
WHAT IS AN APPLICATION SHORTCUT?............................................................................................................. 321
APPLICATIONS INTERFACE ................................................................................................................................ 323
Action Icons ............................................................................................................................................ 323
PUBLISH A NEW APPLICATION ........................................................................................................................... 323
General Tab ............................................................................................................................................ 325
Display Tab ............................................................................................................................................. 326
Mouse Tab .............................................................................................................................................. 326
Protocol Tab ........................................................................................................................................... 327
Advanced Tab......................................................................................................................................... 328
EDIT AN EXISTING APPLICATION ....................................................................................................................... 330
REMOVING AN APPLICATION ............................................................................................................................. 331
ADDITIONAL APPLICATION CONFIGURATIONS.................................................................................................... 332
Linux rdesktop ........................................................................................................................................ 332
Microsoft RDP Client .............................................................................................................................. 333
NX Client for Windows .......................................................................................................................... 334
PuTTY for Windows ............................................................................................................................... 339
Remote Desktop Protocol (RDP) ......................................................................................................... 340
TN5250 AS/400 Terminal Emulator .................................................................................................... 341
Virtual Network Computing (VNC) ...................................................................................................... 342
SSL-TUNNELS .............................................................................................................................343
WHAT IS AN SSL TUNNEL? .............................................................................................................................. 343
Tunnel Types .......................................................................................................................................... 343
SSL TUNNELS INTERFACE ................................................................................................................................ 344
Action Icons ............................................................................................................................................ 344
CREATE A NEW SSL TUNNEL ............................................................................................................................ 345
EDIT AN EXISTING SSL TUNNEL ....................................................................................................................... 348
REMOVING AN SSL TUNNEL ............................................................................................................................. 349
PROFILES....................................................................................................................................350
WHAT IS A PROFILE? ....................................................................................................................................... 350
PROFILES INTERFACE ....................................................................................................................................... 351
Action Icons ............................................................................................................................................ 351
CREATING A NEW PROFILE ............................................................................................................................... 352
EDITING PROFILE PARAMETERS ........................................................................................................................ 354
Editing Session Details .......................................................................................................................... 354
Editing Agent Details ............................................................................................................................. 356
EDITING A PROFILE DESCRIPTION .................................................................................................................... 358
DELETING A PROFILE ....................................................................................................................................... 358
NETWORK EXTENSIONS .............................................................................................................359
WHAT IS NEXT?.............................................................................................................................................. 359
Typical Scenarios ................................................................................................................................... 360
System Requirements ........................................................................................................................... 361
NETWORK EXTENSION INTERFACE .................................................................................................................... 361
Action Icons ............................................................................................................................................ 362
CONFIGURING THE SERVER .............................................................................................................................. 363
DHCP Configuration ............................................................................................................................... 367
Install Server TAP Driver ...................................................................................................................... 369
CONFIGURING THE CLIENT ............................................................................................................................... 371
Install Client TAP Driver ........................................................................................................................ 373
ADDITIONAL CONFIGURATION .......................................................................................................................... 376
Enable Server IP Routing...................................................................................................................... 377

RUNNING THE SERVICE .................................................................................................................................... 378
Starting the Server Interface ............................................................................................................... 378
Connecting Client ................................................................................................................................... 378
Windows Service .................................................................................................................................... 381
CREATING BRIDGED CONFIGURATION ............................................................................................................... 383
Creating the Server ............................................................................................................................... 383
Configuring SSL-Explorer Bridged Server ........................................................................................... 384
SAMPLE SCRIPTS .............................................................................................................................................. 387
bridge-start.sh ........................................................................................................................................ 387
bridge-stop.sh ........................................................................................................................................ 388
VIRTUAL HOSTS .........................................................................................................................389
WHAT IS VIRTUAL HOSTING ............................................................................................................................. 389
VIRTUAL HOST INTERFACE ............................................................................................................................... 389
Action Icons ............................................................................................................................................ 390
CREATING A NEW VIRTUAL HOST...................................................................................................................... 390
EDITING A VIRTUAL HOST ................................................................................................................................ 391
DELETING A VIRTUAL HOST ............................................................................................................................. 391
MICROSOFT EXCHANGE 2003 RPC/ HTTPS ...............................................................................393
WHAT IS THIS RESOURCE?............................................................................................................................... 393
What is RPC/HTTPS? ............................................................................................................................. 393
CONFIGURATION .............................................................................................................................................. 394
Pre-requisites.......................................................................................................................................... 394
Configuring SSL-Explorer as a RPC Proxy .......................................................................................... 394
Client Configuration ............................................................................................................................... 395
WHAT IS OUTLOOK MOBILE ACCESS?............................................................................................................... 399
Configuring SSL-Explorer as a OMA Proxy ......................................................................................... 399
INTERNATIONALIZATION ..........................................................................................................400
WHAT IS INTERNATIONALIZATION? .................................................................................................................. 400
INTERNATIONALIZATION INTERFACE ................................................................................................................. 401
Action Icons ............................................................................................................................................ 401
Language Status .................................................................................................................................... 402
CREATING A NEW TRANSLATION....................................................................................................................... 402
EDITING A TRANSLATION ................................................................................................................................. 403
ACTIVATING A LANGUAGE ................................................................................................................................. 405
TRANSLATE EXTENSIONS .................................................................................................................................. 405
SHARE LANGUAGES .......................................................................................................................................... 408
DELETING A TRANSLATION ............................................................................................................................... 408
LANGUAGE SELECTION ..................................................................................................................................... 408
SYSTEM FUNCTIONS ..................................................................................................................410
AUDITING...................................................................................................................................410
AUDITING INTERFACE ...................................................................................................................................... 410
Action Icons ............................................................................................................................................ 410
INITIALIZING THE AUDIT MODULE .................................................................................................................... 411
CREATING A NEW REPORT ............................................................................................................................... 413
RUNNING ONE-OFF REPORTS ........................................................................................................................... 415
CHECKING AUDIT REPORT INTEGRITY............................................................................................................... 418
UPLOADING A REPORT TEMPLATE ..................................................................................................................... 419
CHANGING RECORDED EVENTS ......................................................................................................................... 420
STATUS .......................................................................................................................................421

SESSION INFORMATION .................................................................................................................................... 421
STATUS INFORMATION ..................................................................................................................................... 421
NEXT CLIENTS ................................................................................................................................................ 422
OUTLOOK CLIENT ............................................................................................................................................ 422
MESSAGE QUEUE ........................................................................................................................423
WHAT IS THE MESSAGE QUEUE ........................................................................................................................ 423
MESSAGE QUEUE INTERFACE ............................................................................................................................ 423
ENABLING A DELIVERY SYSTEM ........................................................................................................................ 424
SENDING A MESSAGE ....................................................................................................................................... 424
CLEAR MESSAGE QUEUE ................................................................................................................................... 425
SHUTDOWN ................................................................................................................................426
SHUTDOWN THE INSTANCE............................................................................................................................... 426
RESTARTING THE INSTANCE ............................................................................................................................. 426

Preface
This preface introduces the SSL-Explorer: Administrators Guide. It is broken down into the following
sections:

• Document Objective
• Obtaining Documentation
• Documentation Feedback
• Obtaining Technical Assistance

Document Objective
This guide has two major objectives. The first is to provide all the relevant information required to
install and configure SSL-Explorer. The second is to give additional information on the features
available within SSL-Explorer once running.

This guide applies to both the Community and Enterprise editions of SSL-Explorer – release 0.2.15 or
greater. It should be noted that not all features are available in the Community Edition.

Audience
This guide is for anyone who wishes to install and administer the SSL-Explorer VPN software. Although
this is usually network administrators, it may also give managers a useful indication of how easily
SSL-Explorer can be deployed. This guide is expected to be useful when performing any of the
following tasks:

• Installing a test/production SSL-Explorer server.
• Evaluating SSL-Explorer as a potential SSL-VPN solution.
• Reconfiguring an existing implementation of SSL-Explorer.
• Adding features to or removing features from SSL-Explorer.

Related Documentation
For more information refer to the following documentation:

• Knowledge Base Articles
• Forum Posts

Document Organization
This guide has been broken down into the following sections:

• Introduction
• Installing SSL-Explorer
• Installation Wizard
• System Configuration
• Basic Configuration
• Access Control Administration
• Resource Management
• System Functions

For ease of reference these sections reflect the organization of the menu tree in the management
console.

Document Convention
The following conventions are used in this document:
• Courier font characters represent system commands
• ‘Single quoted’ text refers to buttons on the corresponding web page

Icons used in this manual are as follows:

Note: additional information pertaining to the subject matter

Alert: important information that requires special attention

Obtaining Documentation
3SP product documentation and additional literature is available on http://3SP.com. 3SP Ltd. also
provides several ways to obtain technical assistance and other technical resources. This section
explains how to obtain technical information from 3SP Ltd.

3SP.com
Additional articles and FAQs can be found at this URL:
http://3sp.com/kb

You can access the 3SP Ltd. Website at this URL:

http://3sp.com

Documentation Feedback
You can send comments about technical documentation to support@3sp.com or by writing to the
following address:

3SP Ltd.
3 The Glade Business Park,
Forum Road,
Nottingham,
United Kingdom.
NG5 9RW

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, or distributors who hold valid 3SP service contracts, 3SP Ltd.
Technical Support provides prompt and dedicated technical assistance.

The 3SP Ltd. Knowledge Base on 3SP.com features extensive articles and FAQs on all 3SP Ltd.
products.

Introduction
This chapter provides an overview of SSL-Explorer, detailing the basics of interacting with the system
through the Management Console as well as the reasons why you might want to install SSL-Explorer.

Management Console
The management console is the main point of interaction between the administrators of the system and
the system itself. This chapter introduces the reader to the management console and details its various
functions. The sections included in this chapter are:

• Purpose
• Accessibility
• Management Console Interface
• Wizards
• Selection Process
• Getting Help
• Amending Configuration Parameters

At the end of this chapter the reader should have an understanding of the management console and its
purpose.

Purpose
SSL-Explorer is broken into two views – the management view, which this document discusses, and
the user view. The management view, known as the management console, contains all the
necessary functionality to manage the workings of the SSL-Explorer instance.

From this console the user has the ability to create items which will affect users of the system, whether
that is a small group of users or the entire user base of the SSL-Explorer instance. In addition, it
is from this console that monitoring, configuration and system management are carried out, from
monitoring audit reports to modifying SSL-Explorer port configurations.

Secure Access
Due to the system-wide effect of changes made through the management console, it is
imperative that the console is accessible only by authorized administrators.

Accessibility
Initially only the super user of the system will be able to access the management console. The super
user has access to every task and action available in the console and, with this right, is assigned the task
of creating accounts for the administrative team.

As the diagram above shows, these administrative users are responsible for managing the system,
creating users of the system, assigning resources and creating policies.

Restrict access to the Super User account

After correct configuration of SSL-Explorer policies, the Super User account should no longer be
required and access to this account should be locked down.

In order to carry out administrative tasks such as creating policies and users, administrative users must be
assigned administrative control (Delegation Permission or System Permission, detailed in a later
chapter). Only then will the management console view become available.

Users of the system mainly access the system via the user console to perform their daily tasks,
accessing the internal network, creating application shortcuts, accessing internal files and documents in
accordance with your access policies.

However, this is not to say that a standard user of the system cannot access the management console. In
fact, as the above diagram shows, if given an appropriate delegation permission or resource
permission a standard user will be able to access this console too.

Management Console Interface
All system wide tasks are controlled through the Management Interface. To access this console simply
press the Management Console icon in the task bar above.

Both management and user console are broken into three distinct parts. These are as follows:

• Navigation Pane: This pane contains a dynamic menu listing all functions the user is
authorized to access. The contents are dependent on the permissions granted to each user. It
is always located on the left-hand side of the browser screen.
• Events Pane: This pane serves a number of purposes. It will show system messages, such as
warning and errors, as well as any valid actions a user can perform. This pane is always on
the right-hand side of the browser screen.
• Interaction Pane: This is the main panel of the SSL-Explorer application. It is where all
items are listed as well as any actions that can be performed against them. Its content style
changes between lists, wizards and tabbed views.

Areas of Functionality
Within the management console, on the Navigation Pane (the left-hand side column), there are a
number of groups. Each of these groups is explained in greater detail below.

• Configuration: This area holds the functionality that will affect the workings of the SSL-Explorer
instance. The impact of this will normally be system-wide.
• Access Control: This controls aspects of how users can enter the system and what
permissions they have within the system.
• Resource Management: Usable resources that impact the assigned policy.
• System: Items relating specifically to the SSL-Explorer instance.

All necessary functionality pertaining to this document is located within the ‘Access Control’ area.

Super User Access

Note: The super user has access to all areas throughout the lifecycle of the instance. All other
users have subsets of these areas which can alter throughout the lifecycle of the instance.

Navigation Icons
The icons at the top right of the page allow different areas of the system to be accessed; each icon is
detailed below. Some of these icons are only accessible through the Enterprise Edition.

The Home icon takes the user back to their defined home page

The Management Console icon switches the view from the User Console to the
Management Console.

The User Console icon switches the view from management console to user console. The
scope of impact is reduced from system-wide to local user only.

The SSL-Explorer agent icon activates the agent. The agent creates secure channels
during the execution of insecure resources.

The virtual keyboard icon enhances security by allowing all user input to be performed
through a virtual keyboard. No physical key presses are made, so the input cannot be captured by a
keystroke logger.

The Help icon provides context-sensitive information to assist the user in understanding
and using the current page.

The Log out icon exits the user from the application.

The Options icon allows a user to reduce or increase the number of visible information windows
on screen.

Options Icon
Selecting the options icon provides a list of all windows currently accessible.

Checking these will instantly remove or add the appropriate window. In addition the user can alter the
language and profile currently in use from this window.

Wizards
Wizards have been provided to make the task at hand easier by guiding the user through each step in
the process. By the end of the steps the user should have the intended item that can be used within the
system.

Progressing through each step in a wizard is a simple matter of clicking the Next button at the bottom
right of each wizard page.

Some wizards allow backward navigation. To step back to previous pages simply press the Previous
button at the bottom right of each wizard page.

Cancel Process
Any wizard from the Installation Wizard to the Resource Creation Wizard can be terminated at any
time. Clicking on the Cancel button at the bottom of the progress pane will instantly end the wizard
and no configuration changes will be applied.

Selection Process
Some steps in the wizard require the user to add and remove items from a text box to a list box.

Listing All Items

Note: The asterisk ‘*’ symbol may be entered into a text box to list all available entries that can be
assigned to the corresponding list box.

To add items in this process simply enter the name of the item, for example the account name, in the
text box on the left, then select the Add button on the right.

The item will appear under the Selected list box to the right.

If you wish to remove an item simply select the item name from the selected list box, for example
Selected Accounts, then simply press the Remove button.

These buttons have been deliberately placed together and between two list boxes to help illustrate the
behavior of the buttons, taking from the list of available items on the left/top and moving them to the
chosen items on the right/bottom.

Configure
In some of the wizards the selection buttons also have an additional Configure button. This allows the
user to enter another wizard to help complete the step of the current wizard.

Getting Help
SSL-Explorer includes web-based on-line help. Clicking the Help button, at the top right corner
provides details on where help can be found. In addition many parameters come with tooltips to help
understand what a parameter requires.

Amending Configuration Parameters

Amendment of configurable items within the system also has standard controls; these are as follows:

To accept a parameter change such as a proxy setting from System Configuration → Server Setting
→ Web Server the page provides the apply button.

All changes made are stored and become the new default configuration settings for the current area. If
the reset button is applied the system will revert back to this configured state until a new state is saved.

To disregard any changes the configuration page provides the cancel button, pressing this will remove
any changes made – before the apply button has been selected.

If any configurable parameters are amended incorrectly the reset button reverts the configuration page
back to the last saved state, allowing the user to reconfigure the parameter(s).

SSL-VPN Overview
Before starting on the installation steps it is worth reviewing some of the technology that SSL-Explorer
uses, complements and competes against. This chapter can be skipped by the reader who is eager to
get on with the actual installation.

The following chapter is useful as a remote access primer and also for gaining an understanding of
where SSL-VPN solutions fit in with other similar remote access products. It also covers core concepts
of the prevalent VPN technologies as well as describing their differences. Later, the differences
between the Community and Enterprise Editions of SSL-Explorer are also covered.

Basic Technology Overview

A Virtual Private Network (VPN) encompasses a number of methods for allowing the connection of
network devices, often over a large geographical distance. The potential benefits of integrating a
remote access policy and infrastructure are hard to ignore in many business organizations. These
benefits often amount to simply making better use of existing resources.

The VPN technology can be further broken down into ‘Trusted’ and ‘Secure’ methods of
communication. The ‘Trusted’ method generally involves the use of a dedicated ‘leased-line’ whereas
the ‘Secure’ method uses a public network (also known as the Internet).

A ‘Trusted VPN’ is normally cost prohibitive, especially when compared to ‘Secure VPNs’, so will
not be discussed any further in this document. Secure VPN technology is often a more viable solution
for fulfilling a remote access requirement.

The two dominant types of ‘Secure VPN’ technology are currently IPsec and SSL. The following
subsections describe each of these technologies further, finishing with a comparison of the two.

IPsec VPNs
IPsec was first proposed in the mid-nineties and has subsequently been revised a number of times. It
has been designated as a mandatory part of IPv6 and is currently optional in IPv4. IPsec can run in
either transport mode or tunnel mode; the two have significantly different implications, particularly with
regard to security. All data transmitted is encrypted and therefore secure, although there have been
issues with the use of keys within this standard.

As with SSL, IPsec uses tunnels to make a connection between two endpoints. A typical deployment
will consist of one or more VPN gateways, providing full and unrestricted access to the networks to
which they are authorized access. VPN client software must be installed on each remote access user’s
computer. The VPN client is configured to define which packets it should encrypt and with which
gateway it should build the VPN tunnel. It is argued that this makes this method more secure as it is
more complex to configure, though this argument does not really stand up to scrutiny. One agreed
downside though is the additional costs when maintaining such a system. These costs normally appear
as additional support time, user downtime and remote access network maintenance.

IPsec works at the Network Layer of the OSI Model which means it operates independently of the
applications that may use it. IPsec encapsulates the original IP data packet with its own packet hiding
all application protocol information. Once a tunnel is created, any number of connections and protocol
types (web, email, file transfer, VoIP) can flow through it. The connecting client becomes a full
member of the corporate network, able to see and access everything; even printers.

SSL-Based VPNs
Originally developed by Netscape, the SSL protocol was revised by IETF to create the TLS 1.0
standard. TLS has matured to version 1.1, but at the time of writing only the Opera web browser
currently supports the 1.1 implementation. That said, the 1.0 version is very well supported and in
widespread use.

The terms ‘TLS’ and ‘SSL’ are interchangeable, though ‘SSL’ is often used in preference and will be
for the remainder of this document.

Although the SSL protocol resides further up the OSI stack than the other protocols, SSL does not
suffer from any major disadvantages. If anything, it can offer significant advantages mainly due to its
flexibility. One example of this being that SSL is supported by all major browsers, therefore the issue
of client-side support for this VPN technology is covered by default.

One of the key strengths of SSL lies in its ability to authenticate both the client and server. This is
achieved during the initial ‘handshake’ routine where both parties identify themselves using digital
certificates. In addition to authentication, the handshake process generates session keys which are used
to encrypt any messages during the session.

The use of the SSL protocol provides these VPNs with a secure channel between client and server that
is transparent to the end user. No additional software is needed and no client application needs
installing on the remotely accessing client computer. In fact since most web browsers support SSL, it
is no exaggeration to state that virtually every modern computer is already equipped to connect to and
take advantage of the applications and services provided via an SSL VPN gateway.

Due to the lack of explicitly installed client-side VPN software (in direct contrast to IPsec), SSL VPNs
are often referred to as being ‘clientless’. Although technically a misnomer, the use of this term is
highly indicative of the transparency of this new VPN technology.
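The mutual authentication that the handshake paragraph above describes, shown as an added Go example; this is not code from SSL-Explorer or from this guide. It builds a throwaway CA, issues one server and one client certificate, runs a client-authenticated TLS session over an in-memory pipe so each side can be asked which peer identity it verified, sends one record under the resulting session keys, and then repeats the handshake for a client that presents no certificate to show the server refusing it. The names Example VPN CA, vpn.example.test and alice, and the helpers issueCert, BuildPKI and Handshake, are constructed for the example; TLS 1.2 is pinned so that the two sides' flights strictly alternate over the synchronous pipe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert creates a certificate for cn, self-signed when parent is nil and otherwise signed
// by parent/parentKey. Throwaway PKI constructed for this example only (hypothetical helper).
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // the client checks ServerAuth on the server leaf, the server ClientAuth on the client leaf
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return cert, key
}

// BuildPKI returns the trust store plus a server and a client certificate issued by one CA.
func BuildPKI() (*x509.CertPool, tls.Certificate, tls.Certificate) {
	caCert, caKey := issueCert("Example VPN CA", true, nil, nil)
	srvCert, srvKey := issueCert("vpn.example.test", false, caCert, caKey)
	cliCert, cliKey := issueCert("alice", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool, tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey},
		tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
}

// Handshake runs one mutually authenticated TLS session over an in-memory pipe and returns the
// peer identity each side verified plus one record received under the session keys. Pass
// clientCert == nil to model a client with no certificate; the server is configured to refuse it.
func Handshake(pool *x509.CertPool, serverCert tls.Certificate, clientCert *tls.Certificate) (clientSaw, serverSaw, greeting string, err error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, // the server authenticates the client
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12} // TLS 1.2: flights strictly alternate on net.Pipe
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "vpn.example.test", // the client authenticates the server
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if clientCert != nil {
		cliCfg.Certificates = []tls.Certificate{*clientCert}
	}
	cEnd, sEnd := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // any stall becomes an error rather than a hang
	cEnd.SetDeadline(deadline)
	sEnd.SetDeadline(deadline)
	server, client := tls.Server(sEnd, srvCfg), tls.Client(cEnd, cliCfg)
	srvDone := make(chan error, 1)
	go func() { // server side: finish the handshake, then send one application-data record
		e := server.Handshake()
		if e == nil {
			_, e = server.Write([]byte("welcome"))
		}
		srvDone <- e
	}()
	buf, n := make([]byte, 32), 0
	clientErr := client.Handshake()
	if clientErr == nil {
		n, clientErr = client.Read(buf) // the server's greeting (or its alert on failure)
	}
	if e := <-srvDone; e != nil {
		return "", "", "", fmt.Errorf("server refused the session: %w", e)
	}
	if clientErr != nil {
		return "", "", "", fmt.Errorf("client refused the session: %w", clientErr)
	}
	clientSaw = client.ConnectionState().PeerCertificates[0].Subject.CommonName
	serverSaw = server.ConnectionState().PeerCertificates[0].Subject.CommonName
	return clientSaw, serverSaw, string(buf[:n]), nil
}

func main() {
	pool, srv, cli := BuildPKI()
	fmt.Println(Handshake(pool, srv, &cli)) // vpn.example.test alice welcome <nil>
	fmt.Println(Handshake(pool, srv, nil))  // empty identities and a "server refused" error
}
```

The two tls.Config values carry the whole security decision: RootCAs plus ServerName make the client reject any server whose certificate does not chain to the trusted CA for that name, and RequireAndVerifyClientCert plus ClientCAs make the server reject any client that cannot present a certificate chaining to the same CA. The greeting returned by Handshake is only ever read after both checks have passed, which is the property the text attributes to the handshake.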

IPsec vs. SSL VPN

There is much debate as to which method is better: IPsec or SSL. This being the case it is wise to first
look at the factors agreed upon by both sides.

• IPsec technology is normally hindered by the burden of having to deploy, manage, and
maintain a client-side application on each remote computer that wishes to access the gateway
VPN. Its inability to effectively provide granular access to a network has also impacted it and
as a result, most organizations tend to limit the use of IPsec remote access to a relatively
small portion of their user base.

• In contrast, SSL VPNs take advantage of ubiquitous browser support and dynamically
downloaded modules to achieve the client end of an encrypted session. This introduces
greater flexibility as it removes the limitation of which computers have preinstalled client
software. Home computers, computers on customers’ premises and even Internet cafés can
now be utilised to achieve secure remote access.

As a result of this, IPsec implementations will often cost more to maintain. It should be noted that the
true costs and benefits of using a particular method are often hard to quantify. Care should be taken in
order to realistically balance cost versus the actual security benefits offered.

SSL-Explorer
SSL-Explorer is the world's first open-source, browser-based SSL VPN solution. First released in
2004, the project has grown to a stage where the software now receives around ten thousand
downloads per month. The project is one of the few software-only SSL VPN solutions and already
delivers a feature set equivalent to or better than a number of the purely commercial vendors in this
market.

In direct contrast to other vendors, 3SP Ltd – the developers of SSL-Explorer – work closely with their
users in the open source community and constantly entertain ideas for enhancements or feature
requests. This closeness between users and developers has resulted in a tight-knit community
behind the software, and its popularity is growing all the time.

The software itself is very easy to use, with a focus placed upon usability. 3SP understands that
software that is unnecessarily difficult to use will most likely never actually be used. A powerful,
extensible design also makes third-party contributions in the form of ‘extensions’ possible. Many of
the new features and commercial features may be seamlessly installed in this manner, meaning that
users can install just the components that they need, without unnecessary complexity.

SSL-Explorer currently offers Active Directory integration, LDAP and remote desktop access, as well
as web forwarding via a number of methods. System administration is done via SSL-Explorer’s
powerful policy-based access control infrastructure, and privileged users have the ability to grant
access to resources right down to the actions that can be performed on a specific resource.

SSL-Explorer’s nEXT (Network Extension) feature offers full network access to corporate resources.
A number of additional tasks can be performed when using nEXT over and above the functionality
offered by a basic, browser-launched SSL VPN tunnel.

To summarize, SSL-Explorer is a fully-featured, end-to-end SSL-VPN without the added expense or
the rigidity of fixed hardware appliances.

Note: SSL-Explorer is the leading browser-based, open source SSL VPN solution.
SSL-Explorer Editions
There are currently two versions of SSL-Explorer.

• SSL-Explorer: Community Edition - SSL-Explorer: Community Edition is an entry-level
platform that has been designed for smaller businesses that find it difficult to justify the costs
involved with using the expensive solutions provided by alternative vendors. The core
functionality of SSL VPN is provided in an easy-to-use package that can be installed in
minutes. This edition is licensed under the GNU General Public License (GPL) which allows
use of the software in a commercial or non-commercial environment without payment of any
licensing fees. Commercial support is also now available for this edition.

• SSL-Explorer: Enterprise Edition - The Enterprise Edition is designed for those
organizations that require enhanced features and dedicated commercial support. Cutting-edge
features are included such as virtual keyboards, enterprise drive mapping and a host of widely
recognised, secure authentication schemes, to name but a few. SSL-Explorer Enterprise
Edition is at the height of SSL-VPN technology with a continually growing list of add-in
functionality and features. Enterprise Edition is not open source, but it builds upon and
extends the trusted open source foundation of the Community Edition.

Deployment
Understanding the environment is key to creating a successful SSL-Explorer deployment. In this
chapter a number of deployment scenarios – as well as information on security technologies - are
discussed. It is in no way meant to provide a recommended deployment structure but merely to provide
the reader with an idea of what to consider when deploying SSL-Explorer. If you have already
considered the environment you can always skip to the next chapter.

Specifically this chapter will cover:

• Deployment Scenarios
• Deployment Considerations
• Summary

Deployment Scenarios
The following diagrams have been provided to show some basic SSL-Explorer deployments. A brief
description of some of the more major characteristics is also provided. The actual firewall
configuration required to access SSL-Explorer from the internet is covered later in Chapter 13.

Non-DMZ
The first diagram depicts an installation of SSL-Explorer behind only a firewall. Typically all port 443
(standard SSL port) traffic is passed through the firewall to the SSL-Explorer instance. A proxy server
could easily be included by placing it on the Internet side of the SSL-Explorer instance should it be
required. As the SSL-Explorer server simply sits behind the firewall, all port 443 traffic passes through
unchecked. Care should therefore be taken to ensure that unwanted traffic is dealt with
correctly.

Within the DMZ
In this instance SSL-Explorer sits within the DMZ. Access is made through the firewall securely on
port 443. Any access to resources on the trusted network requires another port to be opened on the
firewall. This allows for traffic to reach the resource as there is no direct connection for the VPN to the
internal network.

Source: Kindly submitted to 3SP Ltd. by Simon Drake.

Behind the DMZ
In this diagram SSL-Explorer has been placed behind the DMZ, on the trusted part of the network.
Traffic enters the DMZ and is terminated at the router. The IP address is then translated to a new
DMZ-specific address. The DMZ can carry out authentication and, if successful, forward the traffic
on with yet another address, routed to SSL-Explorer which is placed within the trusted
network. This is very similar in its characteristics to the Non-DMZ deployment described earlier.

Deployment Considerations
The decision of where to place SSL-Explorer on the corporate network depends on many factors. The
diagrams offered in the previous section each have their own specific characteristics, both good and
bad. Ultimately it is a matter of balancing current equipment, budget (if present) and value of assets
being accessed. The following list is not meant to be exhaustive but should give an idea of some more
important considerations when deploying SSL-Explorer.

• Any applicable statutory requirements or compliance regulations.
• SSL-Explorer performance (WAN speed, server CPU and memory etc.).
• Failover/redundancy (UPS, backups, hardware failure etc.).
• Corporate security policy (DMZ, Air Gap technology etc.).

Summary
It is essential when installing any VPN technology that the proposed deployment is well understood.
This helps ensure that the service behaves as expected as well as allowing for better management of
risk or threat. SSL-VPNs provide a great benefit to the ever expanding and mobile business but as with
any solution, if not properly deployed it could become more of a hindrance than a benefit.

Much information is available on security approaches and considerations, as shown in RFC 2196 (Site
Security Handbook. B. Fraser. September 1997). This is obviously only one source of information and
many others exist. Many forums have been created that aim to provide information as well as support
through self-help. Even when implementing a ‘complete’ solution it is wise to have at least considered
some aspects of this chapter.

Installing SSL-Explorer
This section guides an administrator through the process of installing SSL-Explorer for both editions:
Community and Enterprise. Notes on upgrading and starting the instance are also detailed. By the end
of this chapter the reader will have a fully installed SSL-Explorer VPN server on their target machine.

Installation
The sections covered are:

• Installation Pre-requisites
• Installation of SSL-Explorer
• SSL-Explorer: Community Edition - Source Code Installation
• SSL-Explorer RPM Installation on RedHat 8.0
• Upgrading SSL-Explorer
• Managing the Instance
• Accessing the Instance
• Server Migration

Installation Prerequisites
The SSL-Explorer server requires the Java Runtime Environment (JRE) 5.0 to operate; this can be
downloaded freely from the Java website http://java.sun.com/j2se/1.5.0/download.jsp. This is
only a requirement on the server side. Your clients can connect from any Java-enabled browser,
including early versions of Internet Explorer that use the Microsoft VM.

Clean installation
Note: If using a clean installation of your chosen operating system it is strongly recommended that all service
packs, updates, patches and hot-fixes be applied.

Installation of SSL-Explorer
This section explains the steps required when using the standard SSL-Explorer installer. The process
is identical for both Community and Enterprise editions of SSL-Explorer. The process is also virtually
identical on Windows and Linux operating systems.

Instructions for installing the Source Code distribution of SSL-Explorer: Community Edition follow
later.

Step 1 Ensure that you are logged onto an account with the correct permissions to enable the running of an
installation program. Locate the SSL-Explorer installation program and run the appropriate process
below:

• Windows: Simply double-clicking on the SSL-Explorer icon will launch the application.
• Linux: Execute the SSL-Explorer script file by simply typing, from the same directory,
“./sslexplorer_linux_0_2_8.sh”

This will start the installation program and display the following screen.

Step 2 If the SSL-Explorer installation program is unable to locate the Java environment the following
message is displayed.

Step 3 Simply click on the Download button in order to retrieve the required Java environment or
alternatively select the path to an existing valid Java installation by using the locate button. The
following screen shot shows what happens when selecting the download option.

Step 4 Once the download is complete the following screen is displayed automatically.

Step 5 Now click the Next button to advance to the next screen.

Step 6 If you agree to the licensing agreement select the ‘I accept the agreement’ radio button. This enables
the Next button, which should now be pressed. This then displays the following screen.

Step 7 Once you have selected where SSL-Explorer is to be installed simply click the Next button.

Step 8 This screen shows the components to be installed. Only Program Files is displayed, and it cannot
be de-selected. No changes to this page can be made, so just press the Next button.

Step 9 This screen allows the selection of a Start Menu folder. By default Start Menu shortcuts are created for
all recognised system users. Once the folder has been selected simply press the Next button. This then
displays the Installing screen as shown below.

Step 10 This screen will close automatically and display the following screen.

Step 11 Clicking the Launch button triggers the launching of the web browser.

Step 12 The system’s default browser will normally be started automatically, as shown below. If not, enter
http://localhost:28080 as the browser address.

SSL-Explorer on Microsoft Windows XP with Service Pack 2
Note: When installing SSL-Explorer on a Windows XP machine with Service Pack 2 installed, the browser will
not be able to connect if the Windows Firewall is enabled. It is recommended in any case that the
SSL-Explorer server should not be acting as both firewall and VPN server. If such a problem is encountered,
check whether the problem disappears when the firewall has been disabled.

Step 13 There are a number of steps to complete the browser based installation wizard. These are covered in
Section 2 of this guide. Once these have been completed close the browser which will show the
previously mentioned screen, as below.

Step 14 Just click the Next button which will show the following screen.

Step 15 Now that the installation is complete it only remains for the Finish button to be clicked. This closes
the installation screen. The SSL-Explorer instance is automatically stopped when leaving the web
based installation wizard. Further information is available on using the SSL-Explorer service in the
remaining sections of this chapter.

SSL-Explorer: Community Edition - Source Code Installation
Both the Community and Enterprise versions are shipped with standard binary installers like many
applications. Some users may however wish to run the source code distribution of SSL-Explorer:
Community Edition. We recommend that most users simply use the standard installation package for
the simplest installation.

The following installation method is for advanced users only.

Pre-requisites
• To build the SSL-Explorer: Community Edition source code an installation of Apache Ant
is required; this can be downloaded from the Apache website, http://ant.apache.org.
• The Ant toolkit relies on the Java Development Kit (JDK) to run successfully. SSL-Explorer
itself also requires a Java environment to work in, in particular version 1.5.0 or above. The
JDK can be downloaded freely from http://java.sun.com/j2se/1.5.0/download.jsp.

This distribution contains only source code, therefore the installation process must include the
compilation of these files into an executable application. The following steps describe how to do this.

Step 1 Define the environment variables. The application has dependencies on two freely available tools, the
Java runtime and the Apache Ant build tool; these should already have been downloaded and installed.
It should be noted that the variables created in this way only exist for the current session. If the build
process should be interrupted in any way the environment variables will need to be re-entered.

Accessing Environment Variables in Windows
Note: Windows users can access Environment Variables through the GUI by selecting “Start → (Right Click)
My Computer → Advanced (Tab) → Environment Variables (Button)”. This opens an interface that
allows for the creation, deletion and maintenance of system variables. This will permanently create
environment variables.

Open a command prompt or shell window in the appropriate Operating System and configure the
JAVA_HOME variable by executing the command appropriate to your Operating System:

• Windows: set JAVA_HOME=<Java install directory>
• Linux: export JAVA_HOME=<Java install directory>

Where <Java install directory> is the home directory of the installed JRE.

Also add the environment variable for ANT_HOME:

• Windows: set ANT_HOME=<Ant install directory>
• Linux: export ANT_HOME=<Ant install directory>

Where <Ant install directory> is the home directory of the installed Ant build tool.

To run Ant from the SSL-Explorer directory the Ant bin directory must be added to the Operating
System’s PATH variable.

• Windows: set PATH=%PATH%;%ANT_HOME%\bin
• Linux: PATH=${PATH}:${ANT_HOME}/bin

The Ant tool relies on Java to work and so the Java executables must be accessible through the PATH
variable:

• Windows: set PATH=%PATH%;%JAVA_HOME%\bin
• Linux: PATH=${PATH}:${JAVA_HOME}/bin

To check that all parameters have been defined successfully use the SET or ECHO commands as
shown below:

• set: displays all the system variables; locate those defined.
• echo %PATH% (Windows) / echo $PATH (UNIX)

Step 2 Run the build script. Locate the SSL-Explorer installation directory and from the root directory
execute the script using the following command:

<SSL-Explorer Installation directory>/ ant install

This will begin compiling the source code and produce compilation information much like the
screenshot below.

Step 3 Once completed the installation will automatically attempt to start a browser pointing to the
Installation Wizard. As shown below, a message will appear displaying the URL for the Installation
Wizard. If a browser does not open then a browser will have to be opened manually and pointed to the
URL.

The Installation Wizard page below continues the installation process by configuring the newly
installed instance.

This wizard guides the user through the steps required to successfully configure SSL-Explorer.
Information on the Installation Wizard can be found in part two of this document, ‘Installation
Wizard’.
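As an added example that is not part of the 3SP guide, the following POSIX shell script checks the JAVA_HOME and ANT_HOME settings from Step 1 before the Step 2 build is run: it verifies that each variable points at an installation with the expected executable, composes PATH the way the guide describes (without adding a directory twice), and refuses to invoke ant from a directory that has no build.xml. The source directory and build target passed to it are assumptions.

```shell
#!/bin/sh
# Added example (not part of the SSL-Explorer guide): validate the build
# environment described in Step 1 before running the Step 2 "ant install".

# Return 0 when "$1" is a directory holding an executable bin/"$2".
tool_home_ok() {
    home="$1"
    exe="$2"
    [ -n "$home" ] && [ -d "$home/bin" ] && [ -x "$home/bin/$exe" ]
}

# Check JAVA_HOME and ANT_HOME; report every problem, return non-zero on any.
check_build_env() {
    status=0
    if ! tool_home_ok "${JAVA_HOME:-}" java; then
        echo "JAVA_HOME='${JAVA_HOME:-}' does not contain bin/java" >&2
        status=1
    fi
    if ! tool_home_ok "${ANT_HOME:-}" ant; then
        echo "ANT_HOME='${ANT_HOME:-}' does not contain bin/ant" >&2
        status=1
    fi
    return $status
}

# build_path BASE_PATH JAVA_HOME ANT_HOME
# Print BASE_PATH with the Ant and Java bin directories appended, in the
# order the guide uses, skipping any directory that is already present.
build_path() {
    base="$1"
    java_home="$2"
    ant_home="$3"
    p="$base"
    case ":$p:" in
        *":$ant_home/bin:"*) ;;
        *) p="$p:$ant_home/bin" ;;
    esac
    case ":$p:" in
        *":$java_home/bin:"*) ;;
        *) p="$p:$java_home/bin" ;;
    esac
    printf '%s\n' "$p"
}

# run_build SOURCE_DIR [TARGET]
# Run the Ant target (default "install") from the SSL-Explorer source root,
# but only after the environment checks pass and build.xml has been found.
run_build() {
    srcdir="$1"
    target="${2:-install}"
    check_build_env || return 1
    if [ ! -f "$srcdir/build.xml" ]; then
        echo "$srcdir has no build.xml; run from the SSL-Explorer source root" >&2
        return 1
    fi
    (
        cd "$srcdir" || exit 1
        PATH="$(build_path "$PATH" "$JAVA_HOME" "$ANT_HOME")"
        export PATH JAVA_HOME ANT_HOME
        "$ANT_HOME/bin/ant" "$target"
    )
}
```

Typical use after the two exports from Step 1 is `run_build /path/to/sslexplorer-src install`; a non-zero exit tells you which variable needs fixing before anything is compiled.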

SSL-Explorer on Microsoft Windows XP with Service Pack 2
Note: When installing SSL-Explorer on a Windows XP machine with Service Pack 2 installed, the browser will
not be able to connect if the Windows Firewall is enabled. It is recommended in any case that the
SSL-Explorer server should not be acting as both firewall and VPN server. If such a problem is encountered,
check whether the problem disappears when the firewall has been disabled.

Configuring a Service
The Community Edition comes with a script that can be used to execute the SSL-Explorer server as a
background service so that it is automatically started upon booting of the host Operating System.

To configure SSL-Explorer to run as a service, issue the following command:

ant install-service

This is another target present within the build.xml file. The target detects the Operating System and
executes the appropriate instructions to install the SSL-Explorer server as a service.

Steps on managing the SSL-Explorer service on both Operating Systems are detailed below.

SSL-Explorer RPM Installation on RedHat 8.0
This guide takes you through the RPM installation process on Red Hat Linux version 8.0. You will
need to download the RPM version of SSL-Explorer named
sslexplorer_linux_rpm_x_x_x.zip.

Step 1 Download the Java 5.0 JRE and follow the instructions for installation.

Step 2 Change directory to the location of your SSL-Explorer RPM package.

Step 3 Install the SSL-Explorer either by double-clicking on its icon using the Nautilus file browser, or by
executing the following command:

rpm -i ssl_explorer_0_1_14.rpm

Step 4 The rpm will begin installing SSL-Explorer. This will be installed to /opt/sslexplorer. Change
to this directory in your terminal.

Step 5 If you would like SSL-Explorer to be configured as a Red Hat service, execute the following
command:

/opt/sslexplorer/platforms/linux/install-service

Step 6 Run the SSL-Explorer configuration utility as follows:

./install-sslexplorer

Step 7 This will provide you with a URL which you will need to enter into your browser to begin the
installation wizard:

Step 8 This wizard will guide the user through the steps required to successfully configure SSL-Explorer.
Information on the Installation Wizard can be found in part two of this document, ‘Installation
Wizard’.

Step 9 Once you have configured SSL-Explorer to your preferences you are ready to start the SSL-Explorer
server. Refer to the section titled Managing Linux Service in the chapter Managing the Instance.

Upgrading SSL-Explorer
Step 1 Shut down the server. This can be done either from the management console (System → Shutdown) or
in the way specific to each operating system:
• Windows: From the Services window (Control Panel → Administrative Tools → Services)
select the SSL-Explorer service and press Stop.
• Linux: From the shell run: 'service sslexplorer stop'

Step 2 Run the installer of the latest SSL-Explorer version you downloaded. This will guide you through the
standard installation process steps 4 – 7 under section Installation of SSL-Explorer. Step 7 asks for
an installation directory, the original directory should be chosen. A prompt will be shown asking if
you wish to overwrite the existing directory much like the image below:

You should select Yes.

The installation wizard should identify the currently installed configuration files and prompt whether
you wish to keep or remove these:

You should select Yes if you wish to keep your current configuration details such as certificate details,
database settings etc. Selecting No will perform a fresh install of the new version; the extensions should
not be affected.

You should continue with the remaining installation steps.

Installation Wizard can be Skipped
Note: There is no need to work your way through the installation wizard again if the current
information is fine. Simply press Cancel in the wizard; this will move to the end of the wizard,
requiring the server to be restarted. The remaining installation steps can then be continued with.

Upgrading from 0.1.16 to 0.2.x
This upgrade applies to versions 0.1.16 and above of SSL-Explorer being upgraded with a target of
SSL-Explorer version 0.2.5 and onwards.

Step 1 Run uninstall from SSL-Explorer program group. This will leave the current data intact.

Renaming Old Installation
Note: If you wish to use the same installation location then rename the remaining SSL-Explorer folder.
Currently this still holds personal data which will be used by the Upgrader tool to transfer to the new
installation.

Step 2 Windows 2000 users will now need to reboot in order to properly remove the old service.

Step 3 Install SSL-Explorer, completing the install wizard and then starting the service and logging in at least
once to ensure configuration was successful.

Step 4 Once satisfied that the installation has been successful shutdown the service.

Step 5 From the SSL-Explorer program group run the Upgrader tool.

Step 6 Complete the Source parameter which is required and defines the location of the old SSL-Explorer
installation. The tool will detect the installation and present a number of additional options. These
options detail what resources require transporting across to the new installation. Select the appropriate
ones.

Step 7 Once done select the Start button to begin the transfer.
The upgrader provides output of its progress.

Step 8 Once completed the SSL-Explorer instance can be restarted.

When resources are transferred they are not attached to any policies. All resources should be reviewed
and resources reassigned.

Web forward resources transferred will lose their current credentials flag. To replicate this behaviour
add ${session:username} and ${session:password} replacement variables into the
authentication details.

Managing the Instance
There are a few pre-requisites that must be fulfilled before continuing with this topic, these are
highlighted below:

• Complete installation of SSL-Explorer: If this has not been accomplished yet please refer
to the topic titled, ‘SSL-Explorer Installation’.
• Successful configuration of SSL-Explorer: If this has yet to be achieved please refer to the
section titled, ‘Installation Wizard’.

SSL-Explorer can be started either from the build script or as a service; both are detailed below.

Build Scripts
SSL-Explorer comes with a main script called build.xml that is situated at the root path of the SSL-
Explorer installation. It contains all the necessary targets to manage the instance. The targets and their
purpose are detailed below:

Start Server
• Start: The instance is started and runs quietly in the background without any console.
• Console: SSL-Explorer runs in the foreground with a console showing trace information.
Killing the console will result in termination of the server.

These commands are executed with the ant tool; for example:

ant start

Your location should be where the build.xml file is (usually in the home directory of the installation).

Stop Server
The only target available for this is the ‘stop’ target and is executed as follows:

ant stop

The more appropriate way would be to use the Shutdown or Restart functions available from the
running instance under Management Console → Shutdown.

Managing the Windows Service
If the SSL-Explorer instance has been configured to use the default SSL port to listen on (443) then the
World Wide Web Publishing service, if running, should be disabled. This service also uses the default
SSL port and so, if running, will prevent any other service from starting which also requires the use of
port 443.

As shown below, open the Services window (Control Panel → Administrative Tools → Services),
locate the service, bring up its Properties page (right-click on the service name) and set the
Service Startup Type to Disabled.

Determining the Service Status
To determine the state of the service, locate the SSL-Explorer service through the Services dialog
(Control Panel → Administrative Tools → Services), as the diagram below shows. To the right of
the service name, the Status entry indicates whether the service is Stopped or Started.

Start Service
If the Service Status is set to Stopped right click the SSL-Explorer Service and select Start as shown
above.

Stop Service
If the Service Status is set to Started the service can be stopped by right-clicking the SSL-Explorer
service and selecting Stop. However, it is more appropriate to use the Shutdown or Restart functions
available from the Management Console of SSL-Explorer (Management Console → Shutdown).

Managing Linux Service
The command used for the management of SSL-Explorer as a service is the service command. This
command works on various Linux distributions such as Red Hat, Debian, Ubuntu, SUSE and
Slackware, plus others. If your Operating System does not support this command please check the
available documentation for your distribution on how to manage services.

Determine Service Status
Red Hat uses the service command to determine information on a service. For Linux distributions
that support this command, the Red Hat command below can be used. For others the standard ps
command may be substituted.

• Red Hat: service sslexplorer status
• Other Linux: ps -ef (if running, an SSL-Explorer entry should be listed)

Start Service
The service command also allows us to start a service, as shown below. Again those distributions
which support this command should use the command below, and for others an equivalent command
should be used.

• Red Hat: service sslexplorer start

Stop Service
The service command can also be used to stop the service. Operating Systems that do not support
this command must use any other equivalent service command.

• Red Hat: service sslexplorer stop

Accessing the Instance
Once SSL-Explorer is running we may now try to connect using a web browser.

Step 1 Interaction between users and the SSL-Explorer server is done through a standard browser such as
Internet Explorer or Firefox. To connect simply open a new internet browser.

Step 2 Enter the URL below replacing the <hostname> with the fully qualified hostname of the machine
running the instance.

https://<hostname>:<port>

The <port> variable requires the port number defined during configuration if the default 443 has not
been chosen. If the server has been configured successfully then the browser will connect to the
instance, a logon screen should be presented much like the image below:

Using your Active Directory or built-in credentials (depending how you configured the SSL-Explorer
server in the Installation Wizard) you will be able to log into the server.

Server Migration
In the event that you need to migrate SSL-Explorer to another server, the steps are as follows:

Step 1 Disable any enterprise edition authentication schemes on the current server installation

Step 2 Install, on the target server, the same version of SSL-Explorer using the same folder locations as the
current installation

Step 3 For enterprise edition installations take a copy of your license file which should have been emailed to
you during your purchase and copy it to the target server

Step 4 From the current server copy the <SSL-Explorer_HOME>/conf folder

Step 5 Take a copy of the <SSL-Explorer_HOME>/db folder from the current server

Step 6 Copy these two folders to the same location in the new target server

Step 7 Start the SSL-Explorer server on the new server

Step 8 Log into the new instance as Super User

Step 9 Navigate to the license manager (Configuration -> License Manager) and upload the original license
previously copied over.

Step 10 Restart the service
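An added example, not from the 3SP guide, covering Steps 4 to 6 on a Linux host: the script copies the conf and db folders from the old installation into a new installation at the same path, refuses to run when the source does not look like an SSL-Explorer home or the target has not been installed first, and verifies every copied file with cksum. The two directory arguments are assumptions, and the tightening of permissions on the copied folders is an addition of this example, not a step from the guide.

```shell
#!/bin/sh
# Added example (not part of the SSL-Explorer guide): carry the conf/ and
# db/ folders of Steps 4 to 6 across to a new server and verify the copy.

# Return 0 when "$1" looks like an SSL-Explorer home (has conf/ and db/).
ssle_home_ok() {
    [ -n "$1" ] && [ -d "$1/conf" ] && [ -d "$1/db" ]
}

# Print "<crc> <size> <relative path>" for every file below "$1", sorted,
# so that two directory trees can be compared line by line.
tree_checksums() {
    (
        cd "$1" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            cksum "$f"
        done
    )
}

# migrate_state OLD_HOME NEW_HOME
# Replace NEW_HOME/conf and NEW_HOME/db with copies from OLD_HOME, keeping
# file modes and timestamps, then verify each tree. Returns 0 only when
# both copies match their source exactly.
migrate_state() {
    old="$1"
    new="$2"
    if ! ssle_home_ok "$old"; then
        echo "source '$old' is not an SSL-Explorer installation" >&2
        return 1
    fi
    if [ ! -d "$new" ]; then
        echo "target '$new' does not exist: install the same version there first" >&2
        return 1
    fi
    for d in conf db; do
        rm -rf "$new/$d"
        cp -pR "$old/$d" "$new/$d" || return 1
        # The configuration (which the guide says includes certificate
        # details) and the database should not be readable by other users.
        # This tightening is an addition of this example, not a guide step.
        chmod -R go-rwx "$new/$d"
        if [ "$(tree_checksums "$old/$d")" != "$(tree_checksums "$new/$d")" ]; then
            echo "verification failed for $d" >&2
            return 1
        fi
    done
    return 0
}
```

Run it with the SSL-Explorer service stopped on both servers (Step 1 and before Step 7), for example `migrate_state /mnt/oldserver/sslexplorer /opt/sslexplorer`; the checksum comparison catches a copy that was cut short before the new instance is started.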

Installation Wizard
This section provides details on how to configure the SSL-Explorer instance. Once the server has been
installed, all new installations are forced to go through the installation wizard. For upgrades this
process is not automatically initiated; instead an administrator can start the installation
wizard by running the exe from the installation directory.

Certificate Management
SSL certificates give a website the ability to transmit data to and from SSL-Explorer securely. This
chapter provides details on the first step of the configuration wizard in which SSL certificates are set
up. The sections included are:

• Protecting Private Data
• Configure Certificate Interface
• Create New Certificate
• Import Existing Certificate

By the end of this chapter you should understand what an SSL certificate is and what it is used for.
More importantly you know how to successfully configure a certificate for an SSL-Explorer instance.

Protecting Private Data
Secure Sockets Layer (SSL) is a secure data transmission protocol that is used for protecting sensitive
information across public networks such as the internet. Every email that you send, every website that
you visit, every piece of data that you send may be seen by more than just the intended recipient if the
data is not secured. The SSL protocol is the means by which this information can be secured.

SSL is the standard, trusted protocol for internet security, and working without it is like sending your
data through the mail on the back of a postcard.

What is an SSL Certificate?
SSL certificates are used to verify the identity of a web server before securely exchanging any
sensitive data. Without such a certificate, any information sent to a website could potentially be
intercepted and viewed by a malicious user.

An SSL session always begins with a cryptographic exchange of messages known as the SSL
handshake. The handshake allows the server to authenticate itself to the client by using a public key
and a private key. The public key is used to encrypt information and the private key is used to decipher
it.

When a browser points to a secured domain, the secure handshake authenticates the server and client
using the certificate. If the information does not match or the certificate has expired, the browser
displays an error message.

If successful the handshake then establishes an encryption method and a unique key for the session.
This key is used subsequently for rapid encryption, decryption, and tamper detection during the
session.

Once the exchanges are complete both parties can then begin a secure session that ensures a high
degree of message privacy and integrity.

Further information can be found in the SSL-Explorer: Configuration Guide under the chapter titled
SSL-Certificates.

Certification Authority
Without SSL encryption, packets of information are transmitted across networks in ‘plain text’
meaning that they are vulnerable to interception. We have already learnt how SSL provides protection
for the data in transit across the internet, but there are other attacks that you could still fall vulnerable
to.

For example, imagine that an attacker was able to set up a VPN server that looked and behaved
identically to one of your own trusted servers. If that individual was able to use one of the many
social-engineering techniques to convince your staff to log-on to that server, he would likely be able to
successfully harvest user credentials for a later, potentially damaging attack on your network.

Thankfully, this does not have to be the case. In this modern era, we have a way of verifying that a
secure server is exactly ‘who’ it proclaims to be. Every SSL certificate that is assigned to a particular
server on a specific hostname must be for a verified business entity. Much like a passport or a driver’s
license, SSL certificates for web servers are issued by a trusted third party known as a ‘Certification
Authority’ (CA).

Certification authorities are independent and trustworthy entities responsible for issuing and managing
digital certificates. It is the role of the CA to verify an individual or organization’s identity and their
claim to the hostname to which the certificate is to be registered. By digitally signing the issued
certificates, the CA guarantees the legitimacy of the data held in them. Since all participants of a
public key infrastructure must trust the CA, they can also trust the issued certificates and the public
keys of other participants.

Configure Certificate Interface
Step one allows either the set-up of an un-trusted certificate or the import of a trusted certificate issued
by a CA. Each of these options is detailed below.

Use Current Certificate


Note Every subsequent execution of the installation wizard will result in an extra option becoming
available, ‘Use Current Certificate’. This allows the original certificate created or imported during the
previous configuration process to be used again.

Create New Certificate


With this option SSL-Explorer can generate a self-signed certificate. With the additional assistance of
a CA this certificate can later be converted to a trusted certificate. We will cover this process later.

This self-generated certificate provides all the same functions as a certificate obtained from a CA but
by being un-trusted, this will cause the browser to display an ‘un-trusted root CA certificate’ security
alert (much like the one below) during log-on.

To produce an ‘un-trusted’ certificate follow the steps below.

Step 1 The first thing required to create an ‘un-trusted’ certificate is a ‘passphrase’. This will be used to
encrypt the generated keystore.

The passphrase must be at least 6 characters. A system message will appear on the message pane if
not.

Keystore and Certificates


Note A keystore contains one or many SSL certificates and is encrypted by a passphrase.

Step 2 The actual content of a certificate is merely information on the owner of the certificate and information
detailing in what capacity the certificate is to be used.

The next step simply requires this information as can be seen below:

Each configurable parameter is detailed:

• Hostname: The hostname of the SSL-Explorer server running the instance.
• Organizational Unit: The logical unit or department using the certificate.
• Company Name: Name of the company using the certificate.
• City: The city in which the company is located.
• State: The state in which the company is located.
• Country code: Country code such as GB=Great Britain.

All the information is required to generate an un-trusted SSL certificate.

Certificate Generated when Wizard Completed


Note The installation will not generate the certificate until all the other steps are complete. This
means that at any time in the installation process you can step back and alter your
certification options and configuration details.

What is a Keystore?
A keystore is a key database file that contains both public keys and private keys. Public keys are stored
as signer certificates while private keys are stored in the personal certificates. Keys are used for a
variety of purposes mainly for authentication and data integrity.

Import Existing Certificate
This option allows for the importing of pre-existing certificates. If you have already obtained a signed
certificate from a CA, SSL-Explorer can import it using this option.

Each configurable parameter is detailed:

• Type: The certificate can be either JKS or PKCS12
• Passphrase: Passphrase protecting the certificate being imported
• Alias: A name that will be used by SSL-Explorer to represent the certificate
• Filename: The actual certificate file that relates to all the information provided above

Your CA-authorized certificate has now been imported. Only when the installation wizard is complete
will the certificate be used by SSL-Explorer.

User Databases
All user data used and managed by SSL-Explorer must be stored somewhere. SSL-Explorer allows the
configuration of a number of databases to store this information. This chapter provides information on
each of the following databases:

• What is Active Directory?
• What is HSQLDB?
• What is LDAP?
• What is NIS?

Further to this, it explains how to configure the following databases:

• Configure User Database Interface
• Configuring the Built-in User Database
• Configuring Active Directory
• Configuring Enhanced Active Directory
• Configuring LDAP
• Configuring NIS

By the end of this chapter the reader should have an understanding of each type of database and be
able to configure the appropriate one that suits their particular requirements.

Additional Databases
Note SSL-Explorer can be configured with databases other than those above; for details refer to
the 3SP Knowledge Base at http://3sp.com/kb.

What is Active Directory?


Active Directory is the directory service used in Microsoft Windows 2000 and later versions. It refers
to a directory where information about users and resources is stored and that lets you access and
manipulate those resources.

Active Directory is a way to manage all elements of a network, including computers, groups, users,
domains, security policies, and any type of user-defined objects.

Active Directory within SSL-Explorer


Employing Active Directory with SSL-Explorer enables the integration of an organization’s existing
Microsoft Windows user and group hierarchies, allowing users to be authenticated with their
previously created Windows domain credentials and roles.

For a large organization with many users this removes the headache of creating new authentication
passwords and usernames all over again.

SSL-Explorer community edition comes with the basic Active Directory module, which allows basic
actions such as connecting to and using the users held in an existing database. SSL-Explorer Enterprise
has an additional Enhanced Active Directory module which allows the administration of Active
Directory from within SSL-Explorer; all administrative actions are reflected back to the actual Active
Directory service.

What is HSQLDB?
HSQLDB is an open source Java-based SQL relational database that is used by SSL-Explorer. The
product is currently being used as a database and persistence engine in many commercial and open
source projects and products. It is best known for its small size, its ability to execute completely in
memory, and lastly, its flexibility and speed.

HSQLDB within SSL-Explorer


The HSQLDB database is used as SSL-Explorer’s internal built-in database. This lightweight, fast
database is perfect for an organization that wishes to create and manage users solely from and for
SSL-Explorer. The SSL-Explorer management console also provides an easy-to-use interface to
manage your users and policies.

Since the built-in database is not linked to any external application as with Active Directory, policies
and users can be created, removed and modified all from one single point - the management console.

What is LDAP?
Lightweight Directory Access Protocol is a standard method for communicating with a database. It is a
software protocol which allows for fast search and retrieval of data. LDAP represents stored data in a
directory structure much like a phone book. This makes it perfect for systems with high levels of
search and retrieve operations, but less so for systems which rely on a high degree of data updates.

LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which
is part of X.500 – a standard for directory services in a network.

LDAP within SSL-Explorer


In order to use SSL-Explorer with LDAP you must have a fully working and configured LDAP
service. During installation, the SSL-Explorer VPN server will attempt to communicate with the service
using the parameters supplied.

Since the LDAP service is tied into a third-party product such as OpenLDAP, SSL-Explorer itself
cannot assign groups or accounts to the directory. Instead, user and role management must be done
outside of SSL-Explorer using your LDAP directory browser.

SSL-Explorer: Enterprise Edition Feature


The LDAP user database is only available with SSL-Explorer: Enterprise Edition.

What is NIS?
NIS, also known as Yellow Pages, is a client-server directory service protocol for distributing, amongst
other things, hostnames and users between computers in a network. In a common UNIX environment
the list of users for identification is placed in /etc/passwd, and secret authentication hashes in
/etc/shadow. NIS adds another “global” user list which is used for identifying users on any client
of the NIS domain.

NIS Database with SSL-Explorer


To use SSL-Explorer with NIS you must have a NIS service fully running. Even though SSL-
Explorer can use the accounts provided, it cannot assign groups or accounts; removal of users and roles
can only be done outside of SSL-Explorer.

Configure User Database Interface


The database configuration page lists the available databases.

Configuring the Built-in Database
Configuring the built-in database is very simple; just select the ‘Built-in’ option on the ‘Configure
User Database’ page. That is all there is to it. All configurations of the database itself are done
internally by SSL-Explorer.

As this is a new database, once SSL-Explorer is up and running you will have to create all necessary
users and groups from the management console. With the built-in database you will also be able to edit
and remove users and roles directly from SSL-Explorer.

Configuring Active Directory


Active Directory configuration is divided into three distinct tabs.

The first of these is the configuration tab.

The following information is required:

• Domain Controller Hostname: The primary Active Directory service domain in the form
example.3sp.co.uk. The entry must be lowercase.
• Backup Domain Controller Hostnames: if backup domain controllers have been configured
then these should be added here. This list should contain active controllers which SSL-
Explorer can fail over to in the event the primary domain controller is inaccessible. For more
information on backup domain controllers refer to the section titled, Backup Domain
Controller. Hostnames can also be specified with a port number if different from the Domain
Controller Port parameter.

Service Account Authentication


Note The standard Active Directory database uses GSS-API authentication for the service
account. It is unable to authenticate credentials containing non-English characters, but the
service account does not need to be fully qualified.

• Domain: The domain the controllers are on for example, example.co.uk.

• Service Account Username: The service account details needed to authenticate Active
Directory users. This account serves as a link to the Active Directory database.
• Service Account Password: The password for the service account.

Service Account
Note It is recommended that a specific AD user account be created for the Service Account only.
This is required to support some of the authentication methods available as part of SSL-Explorer:
Enterprise Edition.

The next tab, OU Filter, is optional but allows specific organizational units to be added or
removed from SSL-Explorer.

• Include Organizational Unit Filter: Add any OUs that should be used when listing accounts
and roles. Only the accounts residing in the OUs you specify will be shown. For further
details refer to the section titled, Organizational Unit Filter.
• Exclude Organizational Unit Filter: Add any OUs that should not be used in the listing of
accounts and roles.
• Include Built-in groups: This adds the default ‘Built-in’ group base, CN=Builtin built from
the domain name, to the filter list.
• Include standard Users and groups: This adds the default ‘User’ base, CN=Users built from
the domain name, to the filter list. All users and groups under this will be added.

The final tab, Options, allows an advanced user the ability to fine tune access to the AD service.

• User Authentication Type: which authentication method to use for user account
authentication. The GSS-API type is unable to process credentials which contain non-English
characters but allows the service account to be defined without full qualification. Simple
authentication, however, is able to authenticate using non-English characters such as ßóràt.
• Authentication Timeout: how long the system should wait for an authentication attempt.
• Authentication Maximum Retries: how many times to try to authenticate. The total
authentication time will be timeout x retries.
• Cache Objects In Memory: The system can cache user objects either to file or to memory. If
the user population is extremely large, in-memory caching can be prone to running out of
memory when loading objects.
• Max Group Cache Objects: The maximum number of group objects stored in the cache.
• Connection timeout: generic connection timeout for Active Directory sessions.
• Page Size: The number of objects returned in each paged request; the default should be
acceptable in most cases.
• User/Group details Cache TTL: This is the minimum ‘Time to Live’ value, which must be
greater than 10 seconds. The default value of 300 seconds stores Active Directory user
information in the cache for 5 minutes before clearing the cache. The next required action fetches
user details again, caching them for another 300 seconds. A value too low will cause severe delays
in processing any action as SSL-Explorer will continually be re-fetching data from the
domain controller.
• Enforce username case sensitivity: This enables checking of username case sensitivity
during log-on.

With the configured information the installation wizard will attempt to connect to the domain
controller and validate the service account. If the service is unreachable for whatever reason a message
will be shown like the one below:

The wizard will allow the configured details to be adjusted before selecting Next again to retry.

Once a successful connection is made and the service account has been authenticated the Active
Directory user database is ready to be used.

Configuring Enhanced Active Directory
Enhanced Active Directory configuration is very similar to the basic Active Directory configuration; it
too is divided into three distinct tabs.

The connections tab configures how to connect to the actual Windows Active Directory service.

The only differing information for Enhanced Active Directory is the service account details.

• Service Account DN: The service account details needed to authenticate Active
Directory users. This account needs to be fully qualified, e.g. CN=John Smith,
DC=Employees.
• Service Account Password: The password for the service account.

The Enhanced Active Directory database uses Simple authentication for the service account. Simple
authentication allows the use of non-English characters such as ßóràt. With this type of authentication
the account credentials need to be fully qualified.

The next tab, OU Filter, is optional but allows specific organizational units to be added or
removed from SSL-Explorer.

The differing information here is the Group OU information:

• Create Group OU: The OU location within the AD where new groups will be created.
• Create User OU: The OU location within the AD where new users will be created.

That’s all there is that differs from the Active Directory installation detailed above.

User Account Authentication uses Simple


Note Enhanced Active Directory uses Simple authentication for both the service account as well as
user accounts.

Organizational Units (OUs)


In Active Directory, ‘Organizational Units’ (OUs) are the key structure for organizing users,
computers, and other object information into a more easily understandable layout.

As the diagram below shows the organization structure has a root OU with three nested OUs below.

This nesting enables the organization to distribute users across multiple logical structures for easier
administration of network resources.

When activated, SSL-Explorer uses the current Active Directory groups and maps them directly to
groups.

SSL-Explorer also creates all internal data for each user within the chosen OUs. Each user will be
assigned to the mapped roles.

Organizational Unit Filter


The Organizational Unit Filter makes adding OUs easier.

Entries in the filter must be of the form ‘OU=<Organizational Unit name>’. For example,
‘OU=Research’.

If an OU is held below another OU then the entire hierarchy up to the parent OU must be listed. If an
OU called ‘Marketing’ was stored under the ‘Employees’ OU, then to add ‘Marketing’ the correct syntax
would be ‘OU=Marketing, OU=User’, with a comma separating each element in the
hierarchy.

To add all OUs in the domain simply leave the Filters list box empty. When the list box is empty, all
OUs will be queried by SSL-Explorer. If problems are encountered with Active Directory, try clearing
the list box and seeing whether

To remove an OU from the search use the exclusion operator # against the OU name. For example, to
exclude the Test Accounts OU from the search you would add #OU=Test Accounts.

Modifying Filters
The OUs listed within the ‘Filters’ list box are the only items that will be used by SSL-Explorer.

Clicking the ‘Add’ button takes the OU in the ‘Filter’ textbox and applies it to the list of filters.

Highlighting an OU from the Filters list and clicking the ‘Remove’ button takes the selected OU out of
the list box.

Troubleshooting
If your users are unable to connect via Active Directory, check that:
• The time settings between the Active Directory server and SSL-Explorer are synchronized.
Kerberos authentication, used by Windows, allows only a few minutes of clock skew between
Windows server and client. Ensure that both the domain controller and the SSL-Explorer
server are synchronized to the same date and time to within one minute.
• Confirm that the Windows server is configured for Active Directory authentication. If using
Windows NT4.0 server, then the server only supports NT Domain authentication.

If OUs have not been loaded successfully:


• Any organizational units held within a tree structure need to be added with the entire parental
structure.

In the above diagram, to include ‘Tester’ in the filters list the syntax should be
‘OU=Tester,OU=Engineer,OU=Staff’. The syntax begins with the lowest branch
first.

• If any OUs are stored underneath the default Windows OU such as Users the ‘OU=User’
root should not be included in the filter syntax.

• Check syntax of each filter. Every Organizational Unit must begin with ‘OU=’. If a hierarchy
structure is being included, be sure to separate each element with a comma. Also avoid using
unnecessary spacing.

• Clear the organizational unit filter to ensure that SSL-Explorer searches the entire Active
Directory tree.
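The filter syntax rules from the Organizational Unit Filter section and the troubleshooting checks above, as an added Python example written for this guide rather than SSL-Explorer's own code: `lint_filters` reports the malformed entries the checklist describes, and `is_selected` applies include and exclude entries to a distinguished name. The sample DNs are constructed, and subtree matching (an entry for OU=Staff also covering OUs nested beneath it) is an assumption of the example, not a rule the manual states.

```python
"""Checker and matcher for Organizational Unit filter entries of the kind the
SSL-Explorer OU Filter tab accepts.

Added illustration written for this guide, not SSL-Explorer's own code. Rules
taken from the manual: each element begins with 'OU=', a nested OU is written
as a comma-separated chain with the lowest branch first, a leading '#'
excludes the OU, spacing around commas is to be avoided, the default Windows
'OU=User' root is not written into an entry, and an empty list selects every
OU. Subtree matching (an entry naming OU=Staff also covers OUs nested below
it) is an assumption of this example, not something the manual states.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OUFilter:
    chain: tuple[str, ...]  # OU names, lowest branch first: ('Tester', 'Engineer', 'Staff')
    exclude: bool           # True when the entry was written as '#OU=...'


def parse_filter(entry: str) -> OUFilter:
    """Parse one list-box entry; raise ValueError naming the rule it breaks."""
    raw = entry.strip()
    exclude = raw.startswith("#")
    body = raw[1:].strip() if exclude else raw
    if not body:
        raise ValueError("empty filter entry")
    chain = []
    for element in body.split(","):
        element = element.strip()  # tolerate 'OU=Marketing, OU=Employees'; lint_filters flags it
        if not element.upper().startswith("OU="):
            raise ValueError(f"element {element!r} must begin with 'OU='")
        name = element[3:].strip()
        if not name:
            raise ValueError(f"element {element!r} has no OU name")
        chain.append(name)
    return OUFilter(tuple(chain), exclude)


def lint_filters(entries: list[str]) -> list[str]:
    """Run the manual's troubleshooting checks; an empty result means the list is clean."""
    problems = []
    for entry in entries:
        try:
            flt = parse_filter(entry)
        except ValueError as err:
            problems.append(f"{entry!r}: {err}")
            continue
        if entry != entry.strip() or re.search(r"\s,|,\s", entry):
            problems.append(f"{entry!r}: unnecessary spacing")
        if flt.chain[-1].lower() in ("user", "users"):
            problems.append(f"{entry!r}: the default Windows 'OU=User' root should not be included")
    return problems


def ou_chain(dn: str) -> tuple[str, ...]:
    """OU components of a distinguished name, lowest branch first, as the filter syntax orders them."""
    components = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    return tuple(c.strip()[3:].strip() for c in components if c.strip().upper().startswith("OU="))


def _within(chain: tuple[str, ...], flt: OUFilter) -> bool:
    """True when the object's OU chain ends with the filter chain (same OU or nested below it)."""
    n = len(flt.chain)
    if n > len(chain):
        return False
    return [x.lower() for x in chain[-n:]] == [x.lower() for x in flt.chain]


def is_selected(dn: str, entries: list[str]) -> bool:
    """Decide whether the object at dn would be listed under the given filter entries."""
    filters = [parse_filter(e) for e in entries]
    chain = ou_chain(dn)
    if any(_within(chain, f) for f in filters if f.exclude):
        return False  # an exclusion always wins
    includes = [f for f in filters if not f.exclude]
    return not includes or any(_within(chain, f) for f in includes)  # empty list: every OU


# Constructed sample DNs for the demonstration; they are not taken from the manual.
SAMPLE_DNS = [
    "CN=Alice,OU=Tester,OU=Engineer,OU=Staff,DC=example,DC=com",
    "CN=Bob,OU=Engineer,OU=Staff,DC=example,DC=com",
    "CN=Carol,OU=Test Accounts,DC=example,DC=com",
    "CN=Dave,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    for problem in lint_filters(["Tester", "OU=Marketing, OU=User", "OU=Tester,OU=Engineer,OU=Staff"]):
        print("filter problem:", problem)
    entries = ["OU=Staff", "#OU=Test Accounts"]
    for dn in SAMPLE_DNS:
        print("selected" if is_selected(dn, entries) else "hidden  ", dn)
```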

Knowledge Base
Note For more information on overcoming other SSL-Explorer related Active Directory problems
refer to the 3SP Knowledge Base at http://3sp.com/kb

Configuring LDAP
LDAP, much like Active Directory, is divided into four distinct areas.

The first of these is the Configuration tab.

• Hostname: Hostname of the server hosting the LDAP service
• Port: Listening port of LDAP service
• Protocol: LDAP protocol to be used. Options include, secured ‘SSL’ communication or
‘plain’, unsecured communication
• Base DN of LDAP server: The ‘base DN’ represents the location where you want to start
LDAP queries within the namespace. This may be the root of the LDAP directory tree or a
specific branch.
• Service Account Authentication: The LDAP authentication method required to access the
service. The ‘simple’ method will require valid user account details to access the service;
‘anonymous’ will connect to the directory anonymously with no user credentials required and
‘MD5-Digest’ uses digest authentication to securely send the user credentials as an MD5 hash
to the LDAP service as opposed to plain-text as with the other two methods.
• Service Account DN: The ‘distinguished name’ to identify the Service Account User
• Service Account Password: The associated user password

The next tab OU Filter is an optional tab but allows specific organizational units to be added or
removed from SSL-Explorer.

• Create Role Organizational Unit: The OU where new roles will be created
• Create User Organizational Unit: The OU where new users will be created
• Include Organizational Unit Filter: Add any OUs that should be used when listing
accounts and roles. Only the accounts residing in the OUs you specify will be shown. For
further details refer to the section titled, Organizational Unit Filter.
• Exclude Organizational Unit Filter: Add any OUs that should not be used in the listing of
accounts and roles.

The next tab is the User Schema tab which provides schema information so SSL-Explorer can
successfully link to the correct user classes at run time.

• User class: The LDAP class object used to represent a User class
• Username attribute: ‘Username’ attribute from the User class, if one exists
• Fullname attribute: ‘Fullname’ attribute from the User class, if one exists

LDAP Class Objects


Note SSL-Explorer needs to understand which User and Role classes are in use by the given
LDAP installation. Since each installation can use a different type of schema, this information makes
SSL-Explorer compatible with a larger number of LDAP installations.

• Email attribute: ‘Email’ attribute from User class, if one exists
• Home directory attribute: ‘Home directory’ attribute from the User class, if one exists
• Role membership attribute: ‘Role membership’ attribute from the User class, if one exists
• Role membership contain DNs?: If the ‘role membership’ attribute value points to a
distinguished name then this box should be checked. The ‘role membership’ attribute can
contain a value or otherwise refer to another object in the directory

The next tab, Role Schema, requires role information so SSL-Explorer can successfully link to the
correct role classes at run time.

• Role class: The LDAP class object used to represent a Role
• Rolename attribute: The ‘rolename’ attribute from the Role class, if one exists
• Role membership attribute: The ‘role membership’ attribute from the Role class, if one
exists
• Role membership contains DN?: If the ‘role membership’ attribute value points to a
distinguished name then this box should be checked. The ‘role membership’ attribute can
contain a value or otherwise refer to another object in the directory

The final tab, Options, allows an advanced user to fine tune LDAP operations.

• Connection timeout: generic connection timeout for Active Directory sessions
• Max Cache Objects: amount of information, retrieved from the AD, to cache. If the AD is
large this should be set to a high value. Typically an object is cached for each user and one for
each group. Calculating how many groups and users you have is a good guide when setting
this. If the setting is too low some users may not be able to log in.
• Page Size: The number of objects returned in each paged request; the default should be
acceptable in most cases.

• User/Group details Cache TTL: This is the minimum ‘Time to Live’ value, which must be
greater than 10 seconds. The default value of 300 seconds stores Active Directory user
information in the cache for 5 minutes before clearing the cache. The next required action fetches
user details again, caching them for another 300 seconds. A value too low will cause severe delays
in processing any action as SSL-Explorer will continually be re-fetching data from the
domain controller.

Configuring NIS
NIS only has one tab, Connection.

• Hostname: the hostname of the NIS server
• Domain name: the NIS domain name
• Refresh interval: Remote accounts and groups are cached. This value is the interval (in
minutes) between updates
• Include Local Accounts: If selected, local accounts are also included in the list of available
accounts. This only works on UNIX-like systems that have an /etc/passwd and/or /etc/shadow
file
• Include Local Groups: If selected, local groups are also included in the list of available
accounts. This only works on UNIX-like systems that have an /etc/group file

Configuring Super User
The main administrator of SSL-Explorer is identified as the ‘Super User’. There is only one super user
in SSL-Explorer whose responsibility lies with the creation of the initial organizational structure of the
system. This chapter provides further information on this special user covering the following
information:

• Super User Responsibility
• Configure Super User Interface
• Configure a Built-in Super User
• Configure an Active Directory Super User

By the end of this chapter the reader should understand the purpose of the super user and the necessary
steps involved in configuring a super user.

Super User Responsibility


The super user is an administrator whose responsibility lies with the configuration and overseeing of
the entire system as a whole. Core activities such as running and managing the system are done by
other users. The super user should be used only for installation and configuration issues; all other
responsibilities should be delegated.

As the diagram above highlights, middle-tier users manage the everyday running of SSL-Explorer
from creating users to assigning permissions.

Disable the Super User


Note The super user should be disabled after handing over management duties to other users.
This helps prevent security breaches against this highly privileged user account.

Super User Rights
As the super user is able to delegate duties to others, they also maintain delegation rights on all
resources as well as every permission on any resource.

Anything created within SSL-Explorer by the super user from policies to resources cannot be deleted
by any user other than the super user.

Configure Super User Interface


After the user database has been configured the next step is to identify who will be responsible as the
super user.

The super user is defined in one of two ways: when the built-in database is chosen as the user database,
or through an external database such as Active Directory or LDAP.

Configuring the Super User
With the built-in database, a brand new super user account is created. For this the system requires not
only the username but a secure password for the account.

Password Structure and Complexity


To enable tighter security of the super user password it is recommended that an alphanumeric, mixed
case password is used. As is usually the case – the more complex the password, the greater the
security.

If an external user database is chosen SSL-Explorer loads in all necessary users from the external
database. Since users and roles are managed outside the system the installation can only choose an
existing user to act as the super user.

All that needs to be done is choose an appropriate username. The installation wizard takes every user
found within the OU filters previously selected. As the screenshot below shows all users found
beginning with the letter ‘A’ are listed.

The password field is disabled as the user credentials are taken from the external database.

That’s all there is to using an existing external user database. Since all the necessary work involving
configuring of users and groups has already been carried out and stored within the database SSL-
Explorer can now use these.

Configuring Web Server
SSL-Explorer has an inbuilt web server that is used to process incoming and outgoing HTTP/HTTPS
requests. This step allows the basic operation of the server to be configured. This section details the
web server currently in use by SSL-Explorer and the configuration options available. This chapter
includes the following sections:

• What is HTTP/S?
• The Jetty Web Server
• Configure Web Server Interface
• Configure Web Server

By the end of this chapter the reader should have an understanding of what a web server is and how the
internal SSL-Explorer web server can be configured if need be.

What is HTTP/S?
Hypertext Transfer Protocol (HTTP) is the foundation protocol of the World Wide Web. It defines the
rules for exchanges between browser and server. It provides for the transfer of hypertext and
hypermedia, for recognition of file types and other functions.

Hypertext Transfer Protocol Secure (HTTPS) is a variant of HTTP. The HTTPS communications protocol
is designed to transfer encrypted information using the Secure Sockets Layer protocol (SSL).

SSL-Explorer HTTP/S
During the installation wizard SSL-Explorer runs using HTTP since at this stage, no SSL certificate
has yet been configured for use. Certificates are the key to maintaining secure transactions, and during
the installation stage an appropriate certificate is configured; refer to the chapter ‘Certificate
Management’.

Once installation is complete and everything has been successfully configured SSL-Explorer will then
begin to operate strictly over HTTPS. All transactions from all users are secured.

Is it Secure?
To be reassured that the SSL-Explorer service is operating securely you should see the following:

• A Secure URL: The SSL-Explorer URL will begin with ‘https’ instead of ‘http’ to denote a
secure URL.
• A Secure Browser: In the bottom right corner of the browser the padlock image should be
visible.

This denotes the browser is also secured.

Secure Communications
Note HTTPS is a recognized worldwide standard for secure communications that was initially
created by Netscape. These features are required by every web site claiming to be secure.

The Jetty Web Server


SSL-Explorer uses the widely acclaimed Jetty HTTP/S server as its internal web server.

Jetty is a fully-featured open source product developed by Mortbay Consulting providing a lightweight
and highly scalable servlet container.

As the diagram below shows, Jetty’s main responsibility within SSL-Explorer is to proxy requests
between a user’s browser (client) and the backend server.

When the user communicates with SSL-Explorer via static HTML pages, the browser generates an
HTTP request which is addressed to the Jetty HTTP server component.

If the request requires static information such as another HTML page then the server simply services
this request by locating and returning the necessary page.

However, dynamic content requires much more complex processing and this is where Jetty’s servlet
container comes in.

The HTTP server routes the request onto the servlet container, where the controller program intercepts
the request. The controller reads and decides the course of action necessary for the request.

The available tasks or actions an application can perform are defined within the Model component in
the form of object-oriented action classes.

The Controller maps the request to an appropriate action by creating an object of the action class and
calling one of its methods. If the invoked action needs to update the state of SSL-Explorer then it will
create or modify appropriate objects of the Model, known as ‘state objects’. State objects represent a
runtime view of the current state of the system.

Once an action has completed servicing the request the Controller invokes a JSP page template, part of
the View. The JSP template is then responsible for presenting the new updated state of the application
to the user; this may be a new page, a new shortcut in network neighborhood or a new application
execution.

Configure Web Server Interface
Step four configures SSL-Explorer’s internal web server.

The main body of this step is in setting up the listening interfaces, the means by which clients can enter
the service. This and the remaining configurable features are detailed below.

Configure Web Server


Step 1 Select the HTTPS port number the web server will listen on. The default HTTPS port is 443. By
convention all standard HTTPS requests on the internet are sent to port 443, just as all default HTTP
requests are sent to port 80. For example:

https://securesite

If this URL is entered, the browser will look for securesite on port 443 without the user having to
specify the port (or complete the domain name) in the URL.

If a different port is specified, SSL-Explorer will listen only on that port for incoming requests, and
any request to the SSL-Explorer service will need to carry the new port number after the hostname. The
following URL instructs the browser to use the alternate port 123:

https://securesite:123

Step 2 Specify any additional listening interfaces; this process is detailed further in section, ‘Listening
Interface’. The default, ‘All Interfaces’, should be sufficient for most standard SSL-Explorer
configurations.

Step 3 SSL-Explorer can restrict access to specific external hostnames by which users reach the server; for
most standard implementations there should be no need to configure this option. Further details on
this can be found below in section, ‘External Hostnames’.

That’s all there is to configuring the web server.

Listening Interface
This option specifies which interfaces SSL-Explorer should listen on for incoming requests. The
installation wizard searches for all available network interfaces on the machine.

If the machine has two network cards then both of their interfaces will be listed in the ‘Available
Interfaces’ list box.

In addition, as can be seen above, any other interfaces such as virtual interfaces created by external
programs are also detected and listed as available.

These define all the interfaces by which external users can physically enter the machine and by default
‘All Interfaces’ is selected.

All network cards (and any available virtual network interfaces) will be used to listen for appropriate
incoming SSL-Explorer requests. This scenario should be acceptable in most situations.

For more advanced configurations, restrictions to specific interfaces can be specified.

As the diagram above shows, only two listening interfaces are selected even though the SSL-Explorer
machine has three. While connections to SSL-Explorer via the two selected interfaces are accepted,
any connection attempted via the unselected interface will not be allowed.

Looking more closely at the diagram, all three connections are actually made and routed to the
SSL-Explorer instance. Pre-login code is then executed; this is where the interface address of each
request is validated and the request accepted or rejected accordingly.

Modifying Interfaces
The interfaces placed in the, ‘Selected Interfaces’ list box will be the only ones able to accept client
requests.

To add a new interface from the ‘Available Interfaces’ list box use the ‘Add’ button to the right of the
‘Available Interfaces’ list box.

To remove an interface from the ‘Selected Interfaces’ list box use the ‘Remove’ button to the right of
the ‘Available Interfaces’ list box.

External Hostnames
Any hostname entered into the ‘Valid External Hostnames’ list box enforces that only connections
made to those specific hostnames can access SSL-Explorer. This can be useful in cases where you may
wish to deprecate an old server, transparently redirecting incoming connections to a new server.

For example by specifying, ‘http://sslexplorer.com’ any user request that comes in on any
other URL such as, ‘http://sslexplorer.co.uk’ will be redirected to the designated
hostname, ‘http://sslexplorer.com’.

As the diagram above shows, the first request comes in on ‘http://sslexplorer.com’ (the
user’s browser having resolved the address from its DNS entries). SSL-Explorer validates the incoming
hostname against its valid external hostname list.

This hostname is not valid and so an HTTP redirect message is posted back to the client browser with
the valid hostname entry. The browser then resolves this new hostname against its DNS entries and
finds a match. This time the request is made using the valid hostname,
‘http://sslexplorer.co.uk’, and the connection is successful.

If however the client was unable to validate the redirected hostname from its DNS list the client would
be unable to gain access to SSL-Explorer.

Modifying Hostnames
Hostnames placed in the ‘Valid Hostnames’ list box will be the only external hostnames acceptable.
Any other URL will be asked to re-connect via a valid hostname. The given valid hostname must be
resolvable from the client machine’s DNS, otherwise the second connection attempt by the client will fail.

To configure a new hostname type in the name in the text box labeled, ‘Hostname’. To then add this
hostname use the ‘Add’ button to the right of the ‘Hostname’ text box.

The hostname will be added to the list box labeled, ‘Valid External Hostnames’.

To remove a hostname from the list box use the ‘Remove’ button to the right of the ‘Hostname’ text
box.

External Proxy Support
Many organizations utilize proxy servers to control access to various resources such as the internet and
email, as well as to filter outgoing and incoming connections. SSL-Explorer can be configured to
forward outgoing requests via your organization’s proxy server if a direct connection to the internet is
not available.

This chapter discusses the purpose of a web proxy and how to configure SSL-Explorer to use a proxy
and includes the following sections:

• What is a Proxy Server
• Proxy use with SSL-Explorer
• Configure External Proxies Interface
• Configure External Proxies

By the end of this chapter the reader should be familiar with a proxy server and its purpose and in
particular how SSL-Explorer can be configured, in this step, to utilize an existing company web proxy
server.

What is a Proxy Server?


A proxy server is an application that enables a client to make indirect network connections to other
network services.

A client connects to the proxy server requesting a resource available on a different server. As the
diagram below shows the proxy retrieves the resource on the behalf of the client either by connecting
to the specified server or by serving it from its own cache.

In addition a proxy can also be configured to act as a firewall, controlling communication traffic to
resources and from certain clients.

The most common proxy application is a web proxy, which proxies HTTP requests. Its main function is
to keep a cache of web pages and files available on remote web servers, allowing local clients to access
them more quickly, more reliably and without ever leaving the internal network.

Proxy use with SSL-Explorer
Some SSL-Explorer services need to make external calls across the internet. Resources (for example,
the RSS documentation feeds) need to make occasional contact with 3SP servers to provide required
and up to date help for users. Connections to the Extension Store also need to make external
connections to the 3SP servers providing administrators with the latest available SSL-Explorer
applications. These services all make secure TCP/IP level socket connections to their hosts.

The installation wizard can be used to configure the SSL-Explorer server to direct these external
accesses through a company proxy server if required. SSL-Explorer then no longer makes direct contact;
its requests are screened by the specified proxy. Proxies are central to the way many businesses filter
communications to and from the corporate network. The installation wizard proxy configuration step
enables SSL-Explorer to integrate with any HTTP proxy, helping to maintain a company’s security policy.

With HTTP proxying all HTTP services such as RSS feeds, reverse and secure proxy as well as
extension store access will utilize this server. However non-HTTP services such as access to the 3SP
Extension Store will continue to use direct TCP/IP sockets.

Configure External Proxies Interface


This step configures the use of a proxy server.

Configure External Proxies
The HTTP proxy server itself should already be configured correctly. For further information please refer
to your proxy server manuals.

Step 1 Supply the proxy server and account details. In order for SSL-Explorer to forward external
requests to the proxy server all of the following must be provided:

• Hostname: hostname of the proxy server
• Port: associated port number
• Username: if the proxy server requires an authenticating account, the username of
this account
• Password: password for the associated authenticating username
• Non-proxy hosts: any hosts added here will bypass the proxy when accessed

Step 2 Configuration of the proxy is complete. SSL-Explorer will try to connect and authenticate itself with
the proxy server once everything has been configured.

Enterprise Edition
SSL-Explorer has both an open-source GPL edition and an Enterprise edition. The Enterprise edition
comes with high-end enterprise grade features as well as commercial support. This step in the
installation allows an Enterprise License to be installed. Both versions of SSL-Explorer can take
advantage of additional extensions that are available from the 3SP Extension Store. Some extensions
add further functionality to the server itself, whilst others may be applications that can be deployed and
executed over the SSL-Explorer VPN. This chapter details exactly what extensions are and how to
install them. The sections included in this chapter are:

• Community Edition vs. Enterprise Edition
• Install SSL-Explorer Enterprise Edition Interface

Community Edition vs. Enterprise Edition


Below is a table comparing both editions. Some features were still in development at the time of writing,
but all will be available in upcoming releases, in addition to many more in the pipeline.

Feature | Community | Enterprise
Granular policy-based rights management | X | X
Remotely browse Windows file systems via Windows Explorer | X | X
Microsoft Outlook Web Access 2003 supported - move vulnerable OWA servers out of the DMZ | X | X
Reverse proxy web forwarding feature | X | X
Active Directory authentication supported | X | X
Built-in database authentication supported | X | X
UNIX authentication supported | X | X
Configurable authentication schemes | X | X
Access your desktop remotely | X | X
Intranet resources may be securely externalized using web forwarding | X | X
Accessible using zero-footprint VPN client | X | X
Connect using any modern web browser | X | X
Supports access through HTTP | X | X
Local and remote tunneling via SSL | X | X
Session inactivity timeouts | X | X
Web application URL masking | X | X
No dedicated appliance necessary | X | X
Supports Microsoft Windows XP/2000/2003 and Red Hat Linux 8.0 or later (other Linux distributions are unofficially supported) | X | X
Commercial Support | X | X
SSL client certificate authentication | - | X
SMS (text message) authentication using one-time-password | - | X
SafeNet iKey 2032 and Aladdin eToken Pro USB devices supported for FIPS-certified PKI authentication | - | X
Enterprise Active Directory | - | X
LDAP authentication | - | X
Public-key authentication | - | X
PIN authentication | - | X
IP authentication | - | X
RADIUS authentication | - | X

Install SSL-Explorer Enterprise Edition Interface


This step allows an enterprise edition license to be uploaded if you have received one with your
purchase.

Simply use the Browse button to locate a valid license.

Finalizing Installation
Once all configuration details have been completed all that remains is the application of the
configurations to the SSL-Explorer VPN server.

This chapter details the final step and includes the following sections:

• The Summary Page
• Summary Interface
• Summary

The Summary Page


All configuration data that has been provided in the previous steps is accumulated. No actual data is
applied to the instance until the ‘Finish’ button is pressed.

The system provides a summary of all the configuration data that has been supplied by the user, as the
snippet above shows, for the Web Server configuration step the port was configured to 443 and the
interfaces ‘192.168.154.1, 192.168.1.163’. Everything is neatly detailed under the
appropriate step.

Making Modifications
The configuration can be modified by selecting the ‘Previous’ button at the bottom right of the page;
the installation wizard can move back through the installation process to any step.

Any previously configured step can be modified and again when the summary appears the new details
will be shown.

Summary Interface
The summary page is divided into two parts. The first is the summary itself, highlighting the
configuration values set by the user. The second is the result after these configurations have been applied.

Once Finish is pressed the installation wizard begins configuring the instance, and a progress bar like the
one below is shown:

Summary
Step 1 The page displays a summary of all the configuration details entered by the user. To apply the
configurations details simply press the ‘Finish’ button.

If the details are incorrect simply press the ‘Previous’ button.

Step 2 The system begins to apply the configuration to the SSL-Explorer instance. This process takes a few
seconds to complete. Results of the configuration changes are displayed with any errors or warnings
clearly highlighted.

Step 3 After a successful result clicking on the ‘Exit Install’ button at the bottom of the page will complete
the process.

In order for the configuration to take effect SSL-Explorer is automatically shut down.

The installation process is now complete. For users to begin using the newly configured instance SSL-
Explorer must be started in run mode. For details on starting SSL-Explorer in run-mode refer to the
section titled, Starting SSL-Explorer in this document.

Unsuccessful Configuration
If any configuration is unsuccessful an error message is shown similar to one below:

In addition a new option to re-run the installation process will become available.

Clicking on this button will return the user to the start of the installation process. This will allow the
user to re-configure SSL-Explorer and correct any details.

Configuration State
Note The installation wizard is able to maintain the state of each step and so there is no need to retype all the previous configuration details again.

Publishing Server
An SSL-VPN’s purpose is to provide secure remote access from the internet. In order to achieve this
some additional configuration will be required on your firewall to route incoming requests to the SSL-
Explorer server on your internal network.

In this section we cover:

• Pre-requisites
• Configuring SSL-Explorer with a Firewall
• Testing the SSL-Explorer service

By the end of this chapter the reader should have a working SSL-Explorer server.

Pre-requisites
The following list shows the actions that should have already been performed. If these pre-requisites
have not been completed it is likely that the SSL-Explorer services will either not work or perform
unexpectedly.

• Install SSL-Explorer
• Configure SSL-Explorer: Using the Installation Wizard.
• Configure SSL-Explorer Service: This will be dependent on which operating system SSL-
Explorer is installed on.

Configuring SSL-Explorer with a Firewall


There are many implementations of firewalls using software and/or hardware to enforce an access
policy, and the way in which their rules are created can vary greatly. It may therefore be
necessary to consult the documentation accompanying the firewall being used.

SSL-Explorer needs the firewall to forward all SSL encrypted traffic in order to function correctly.
This is achieved by adding a port forwarding rule (also known as a DNAT rule). Even though there is
great variety with firewalls there will be a number of standard values required for SSL-Explorer to
operate as expected. The following list shows some typical values required for a port forwarding rule:

• Listening Port: The port on which the firewall will listen for SSL traffic. By default this is
443 but can be another value.
• Target Port: The port to which all SSL traffic will be passed on. Again, by default
this is 443 but can be something else.
• Target IP: The IP address of the machine running the SSL-Explorer instance is required
here.

Below is an example of a simple firewall interface; the required values have already been filled in.

Testing the SSL-Explorer service
It is recommended that a test be conducted to ensure that SSL-Explorer functions as expected. This is
done by pointing the browser to the SSL-Explorer server using an HTTPS connection. For example:

• https://[IP Address]:[Port]
• https://www.mycomp.com:[Port]

If the connection attempt is successful then the following dialog will be presented.

Seeing the above dialog means that the SSL-Explorer server has successfully been contacted and has
sent a reply to the client’s browser.

It is strongly recommended that you try port scanning your SSL-Explorer server from an external IP
address in order to be sure that all access to ports, apart from 443, is correctly disabled.

System Configuration
This section provides details on how to configure SSL-Explorer whilst it is up and running. Some of
the items detailed have already been described in the installation wizard but many are only accessible
once the server instance is up and running.

Since configuration is a large area it has been divided into two parts; this section covers the System
Configuration function.
By the end of this chapter the reader should know how to successfully reconfigure the SSL-Explorer
instance.

Server Configuration
The management console contains all the necessary functions that affect the workings of an SSL-
Explorer VPN server. As a super user all functions are accessible and configurable. This chapter
details the available options covering the following areas:

• Interface
• Configure Web Server
• Configure Performance
• Configure Proxies
• Configure User Interface
• Configure SSL
• Configure Time Synchronization

These pages are operated through the standard control described under the section titled,
Amending Configuration Parameters, in the Management Console chapter.

Interface
The server configuration page is accessible from the Management Console → System Configuration
→ Server.

The tabbed menu above the main page, shown below, allows easy access to each section. This
allows any server-related configuration parameter to be amended at any time, with each section
accessible in any order.

As new extensions with configuration options are added, a new tab is created for the appropriate
module. These configuration tabs are detailed in their own sections. Please refer to the appropriate
chapters for more information on individual tabs.

Configure Web Server
SSL-Explorer uses an in-built web server engine named Jetty to service HTTP/ HTTPS requests. All
communication through SSL-Explorer is secure and the only time the insecure HTTP protocol is ever
used is during the installation procedure because at this point, no secure SSL certificate has been
generated to facilitate the encryption of traffic.

During normal execution mode SSL-Explorer performs communication through the secure HTTPS
protocol. For further information on this section refer to the chapter titled, Configuring the Web Server
in the SSL-Explorer Installation Guide.

Web Server Interface


As the diagram below shows many of the configurable options listed are also available in the
installation wizard.

Configuration Parameters
It is not advisable to alter these settings without prior knowledge of web-server tuning. The
defaults should suffice for most installations. The basic configurable options and their meanings are
detailed below:

• Port: The HTTPS port. The default HTTPS port is 443, which should be sufficient for most
installations; however, if some other service relies on this port then another port can be
specified. If another port is used, be sure users add this specific port to the URL,
‘https://server.co.uk:port’
• Bind address: refer to section, ‘Reconfigure Listening Interface’.
• HTTP Port: The port number on which to listen for HTTP requests. Users cannot access the
main SSL VPN over HTTP; this service is available to extensions to add HTTP services and
to redirect users to the HTTPS server.
• Valid external hostnames: refer to section, ‘Reconfigure External Hostnames’.
• Invalid Hostname Action: What action to perform if a client connects using an invalid
hostname
• Disable Certificate Warning: Disable untrusted certificate warning messages

Reconfigure Listening Interface
This option specifies which interfaces SSL-Explorer should listen on for incoming requests. The
Installation Wizard detects all available network interfaces on the machine.

These define all the interfaces by which external users can physically enter the machine and by default
‘All Interfaces’ is placed in the, ‘Selected Interfaces’ list box. All network cards within the machine
and any additional virtual interfaces created by various applications will be included.

Further information can be found in the SSL-Explorer Installation Guide in the chapter titled,
Configuring the Web Server.

To add a new interface from the ‘Available Interfaces’ list box use the ‘Add’ button to the right of the
‘Available Interfaces’ list box.

To remove an interface from the ‘Selected Interfaces’ list box use the ‘Remove’ button to the right of
the ‘Available Interfaces’ list box.

More information on using this selection process can be found in Selection Process.

Reconfigure External Hostnames


Any hostname entered into the ‘Valid External Hostnames’ list box enforces that only those selected
hostnames can access the SSL-Explorer server.

Hostnames placed in the, ‘Valid Hostnames’ list box will be the only external hostnames acceptable.
Any other URL will be asked to re-connect via a valid hostname. The given valid hostname must be
available from the local machine’s DNS list otherwise the second connection attempt by the client will
fail.
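The two pre-login checks described here and in the installation wizard chapter (‘Listening Interface’ and ‘External Hostnames’), as an added Python example that is not SSL-Explorer’s or Jetty’s own code: it decides whether a request is accepted, rejected because it arrived on an unselected interface, or redirected to a valid hostname. The hostnames, the request path and the two ‘Invalid Hostname Action’ values are assumptions; the interface addresses are the ones shown in the summary page example.

```python
"""Added example (not SSL-Explorer's own code): models the pre-login checks the
guide describes, the selected listening interfaces and the valid external
hostnames list, as one admission decision per request."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class WebServerConfig:
    https_port: int = 443
    # An empty list models the default 'All Interfaces' selection.
    selected_interfaces: list = field(default_factory=list)
    # An empty list models an empty 'Valid External Hostnames' box (any hostname accepted).
    valid_hostnames: list = field(default_factory=list)
    # Assumed values for 'Invalid Hostname Action'; the guide names the option only.
    invalid_hostname_action: str = "redirect"   # or "reject"


@dataclass
class Decision:
    action: str                     # "accept", "reject" or "redirect"
    location: Optional[str] = None  # redirect target when action == "redirect"


def interface_selected(local_ip: str, cfg: WebServerConfig) -> bool:
    """A request that arrived on an unselected interface is refused, as in the
    diagram where the third interface's connection is not allowed."""
    return not cfg.selected_interfaces or local_ip in cfg.selected_interfaces


def _host_only(host_header: str) -> str:
    """Strip an explicit port and normalise case: 'VPN.Example.com:443' -> 'vpn.example.com'."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal such as [::1]:443
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def canonical_url(cfg: WebServerConfig, path: str = "/") -> str:
    """Build the redirect target from the first valid hostname. Port 443 is implied;
    any other port must be written out, as the guide notes for alternate ports."""
    port = "" if cfg.https_port == 443 else f":{cfg.https_port}"
    return f"https://{cfg.valid_hostnames[0]}{port}{path}"


def admit_request(local_ip: str, host_header: str, cfg: WebServerConfig,
                  path: str = "/") -> Decision:
    """local_ip is the server-side address the connection arrived on; host_header
    is the hostname the browser asked for (its HTTP Host header)."""
    if not interface_selected(local_ip, cfg):
        return Decision("reject")
    if not cfg.valid_hostnames:
        return Decision("accept")
    if _host_only(host_header) in (h.lower() for h in cfg.valid_hostnames):
        return Decision("accept")
    if cfg.invalid_hostname_action == "redirect":
        # The client must be able to resolve the valid hostname in DNS, or this
        # second attempt fails, as the guide points out.
        return Decision("redirect", canonical_url(cfg, path))
    return Decision("reject")


if __name__ == "__main__":
    cfg = WebServerConfig(
        selected_interfaces=["192.168.154.1", "192.168.1.163"],  # two of three, as in the diagram
        valid_hostnames=["vpn.example.com"],                      # constructed placeholder
    )
    print(admit_request("192.168.1.163", "vpn.example.com", cfg))
    print(admit_request("192.168.1.163", "vpn.example.co.uk", cfg))
    print(admit_request("10.0.0.5", "vpn.example.com", cfg))      # unselected interface
```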

Further information can be found in the SSL-Explorer Installation Guide under the chapter titled,
Configuring the Web Server.

To configure a new hostname type in the name in the text box labeled, ‘Hostname’. To then add this
hostname use the ‘Add’ button to the right of the ‘Hostname’ text box. The hostname will then be
added to the list box labeled, ‘Valid External Hostnames’.

To remove a hostname from the list box use the ‘Remove’ button to the right of the ‘Hostname’ text
box.

More information on using this selection process can be found in Selection Process.

Configure Performance
The next tab in the interface list is the Performance tab. These parameters alter the way the system
performs. In most deployments the default values should suffice but if you are experiencing delays
using the system then altering these values could yield good results.

Performance Interface
The picture below shows the Performance page.

Configuration Parameters
• Minimum Threads: Threads reserved for the web server. The Jetty server pools the number
of threads defined by this parameter. Too few and the system will have to wait for threads to
become free for use.
• Maximum Threads: The maximum number of threads to use before attempting to reclaim
system resources. Jetty’s maximum number is restricted by the Java runtime and operating
system. As a rough guide, assume one thread per VPN user.
• Max Idle Time: Threads that are idle for longer than this period are liable to be terminated
until the Thread pool size reaches the minimum thread size.
• Resource Persist Time: When the Jetty listener is low on resources, this timeout is used for
idle persistent connections. It is desirable to have this set to a short period of time so that idle
persistent connections do not consume resources on a busy server.
• Buffer Size: SSL-Explorer will use a buffer of this size to construct its reply to the client. A
larger buffer allows more content to be written before anything is actually sent, thus providing
SSL-Explorer more time to set appropriate status codes and headers. A smaller buffer
decreases server memory load and allows the client to start receiving data more quickly.
• Buffer Reserve: This variable defines the space reserved in the first buffer of a response to
allow a HTTP header to be written in the same packet. The reserve should be large enough to
avoid moving data to fit the header, but not too large as to waste memory.
• Requests per GC: If this is set greater than zero, then the system garbage collector will be
invoked after approximately this number of requests. For predictable response, it is often best
to have frequent small runs of the GC rather than infrequent large runs.
• Enable Request log: Request logs are a record of the requests that the server has processed.
When enabled logs will be written to <SSL-Explorer installation>/logs.

• TCP/IP No Delay: Turn on TCP/IP No Delay option to force all data to be flushed to the
network and not buffered
• Enable Statistics Log: Turn on webserver statistics log
• Statistics Log Update: Time in seconds for the periodic update of the webserver statistics
log.

Configure Proxies
The next tab in the interface list is the Proxies tab, allowing proxy details to be configured.

A proxy server is an application that enables a client to make indirect network connections to other
network services. A client connects to the proxy server requesting a resource available on a different
server, the proxy retrieves the data whether across the internet, internal network or using its internal
cache.

Some SSL-Explorer services need to make external calls across the internet and the Installation Wizard
allows for the configuration of the SSL-Explorer instance to direct these external accesses through a
company proxy server if required.

‘Configure Proxy’ allows the reconfiguration of these details in the event that a company introduces a
proxy policy, or removes or upgrades its current proxy server.

More information on proxy servers can be found in the, SSL-Explorer Installation Guide, in the
chapter titled, Adding External Proxy.

Proxy Interface
The picture below shows the Proxy Configuration page.

Configuration Parameters
• Proxy Hostname: Hostname of the HTTP proxy server.
• Proxy Port: The port upon which the proxy server is listening for connections.
• Proxy Username: If the proxy server has a secure authenticating account on it then the
details of this account
• Password: The password for the associated authenticating username
• Non-Proxied Hosts: Any host which should bypass the proxy server should be entered here. For
example, an SSL-Explorer instance accessing a server that exists on the same machine may not need to
go through the proxy server; if so, the target server should be keyed in here. Entries should be one per
line with no termination character. Wildcards such as ‘*.foo.com’ may be entered to exclude a range of
hosts.
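The ‘Non-Proxied Hosts’ bypass rule from this tab and the wizard’s ‘Configure External Proxies’ step, as an added Python example (not SSL-Explorer’s own code): it parses the one-per-line list with ‘*.foo.com’ wildcards and decides whether an outgoing request connects to the proxy or directly to its target. All hostnames are constructed, and Basic proxy authentication is an assumption; the guide only says the proxy may require an authenticating account.

```python
"""Added example (not SSL-Explorer's own code): apply the 'Non-Proxied Hosts'
list to outgoing requests and pick the socket endpoint accordingly."""
import base64
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxyConfig:
    hostname: str                    # 'Proxy Hostname'
    port: int                        # 'Proxy Port'
    username: Optional[str] = None   # 'Proxy Username', if the proxy authenticates
    password: Optional[str] = None
    non_proxied_hosts: str = ""      # raw text box contents, one host per line


def parse_non_proxied(text: str) -> list:
    """Split the text box into entries; blank lines and surrounding whitespace are ignored."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def bypasses_proxy(target_host: str, cfg: ProxyConfig) -> bool:
    """True when the host matches an entry exactly or via a '*' wildcard.
    fnmatchcase treats '*' as 'any characters', so '*.foo.com' also covers
    'a.b.foo.com' but not the bare 'foo.com'."""
    host = target_host.lower()
    return any(fnmatchcase(host, pattern) for pattern in parse_non_proxied(cfg.non_proxied_hosts))


def route(url: str, cfg: ProxyConfig) -> Tuple[str, int]:
    """Return the (host, port) the socket should actually connect to: the proxy,
    or the target itself when it is on the bypass list. Default ports follow the scheme."""
    parts = urlsplit(url)
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if bypasses_proxy(host, cfg):
        return host, port
    return cfg.hostname, cfg.port


def proxy_auth_header(cfg: ProxyConfig) -> Optional[str]:
    """Proxy-Authorization value for an authenticating proxy (Basic scheme assumed)."""
    if not cfg.username:
        return None
    token = base64.b64encode(f"{cfg.username}:{cfg.password or ''}".encode()).decode()
    return f"Basic {token}"


if __name__ == "__main__":
    # Constructed configuration: corporate proxy plus two bypass entries.
    cfg = ProxyConfig("proxy.corp.example", 3128, "svc", "pw",
                      "*.foo.com\nintranet.corp.example\n")
    for url in ("https://updates.example.org/feed.xml",   # goes via the proxy
                "https://www.foo.com/",                    # wildcard bypass
                "http://intranet.corp.example:8080/"):     # exact bypass
        print(url, "->", route(url, cfg))
    print(proxy_auth_header(cfg))
```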

Configure User Interface
This tab defines the configurable options which affect the user interface. Currently this spans the
language selection options for the system; for instructions on internationalization please refer to the
SSL-Explorer: Resource Management Guide and the chapter titled Internationalization.

UI Interface
The screenshot below shows the interface.

Configuration Parameters
• Automatically Connect to Extension store: When checked SSL-Explorer will
automatically connect to the 3SP application store whenever the application management
page is loaded.
• Allow user to select language: On the logon page and throughout the entire system a user
can change their language as and when required. This is made available through the Language
Selection box to the right of the system. By checking this option the language selection box is
disabled and invisible to all users meaning that the default language must be used by all.
Checking this box activates the selection box and makes it visible to all users again.
• Default language: This sets the default language throughout the system.
• Retrieve Online Resources: When enabled, context sensitive links to online resources are
displayed on pages.
• Allow Open Webfolders in Firefox: When enabled, Firefox users will see the Open As
Webfolder action for network places. This requires that the Open as Webfolder Firefox
extension is installed.

Configure SSL
This tab defines how SSL is configured within the system.

SSL Interface
The screenshot below shows the interface.

Configuration Parameters
• Enforce Strict SSL Trust Mode: This option enforces strict security requirements on
outgoing SSL connections. All outgoing SSL connections should have a trusted SSL
certificate, either trusted by the default Java CA trust store or by the SSL-Explorer trust store.
If a server presents an untrusted certificate the connection will be terminated.
• Supported Protocols: The list of protocols supported by SSL-Explorer, nothing in the
selected Protocol box simply means that the default setting of all protocols is enabled.
• Supported Ciphers: The list of SSL ciphers supported by SSL-Explorer. If the selected
cipher list is empty then all available ciphers are supported, if you edit this list then ensure
that SSL_RSA_WITH_RC4_128_MD5 is selected as this is required by the SSL-Explorer
Agent.

Potential Compatibility Issues
Note Editing supported ciphers may cause compatibility problems with some older browsers.

Configure Time Synchronization
This tab is not part of the default setup; the Time extension needs to be installed for it to appear. It
is described here only because it is a standalone page and has no other reference point in the
application.

Time synchronization allows SSL-Explorer to use NTP time servers to keep consistent time across the
application. By default SSL-Explorer is configured to use the time servers from the NTP pool project.
NTP pool is a dynamic collection of networked computers that volunteer to provide highly accurate
time via the Network Time Protocol to clients worldwide.

Time synchronization Interface


The screenshot below shows the interface.

Configuration Parameters
• Enable NTP Time Synchronization: Enable the use of NTP servers. Once checked the
listed NTP servers are used for time synchronization.
• NTP Servers: The NTP servers to use. The default servers in the list are part of the
pool.ntp.org domain (www.pool.ntp.org).
• Update Interval: How often, in hours, the system clock should be updated.
• System Command: If SSL-Explorer does not support setting the time on the installed
platform natively, this parameter allows a super user to provide a command and argument to
perform the action via a system call.

This is the final section that can be configured from the Server configuration page. The following
chapters continue with the remaining pages available from the top level System Configuration page
starting with resources.

Resources
Resources are the main entities a user of the system will want to access once the system is up and
running. Resources allow a user to access various parts of the system securely; they allow applications
to be executed and intranets to be accessed securely amongst other things.

This chapter details the basic configuration options available from the resources configuration page
covering the following sections:

• Interface
• Configurable Resources
• Network Places
• Web Forwarding

These pages are operated through the standard configuration pages control described under
the section titled, ‘Amending Configuration Parameters,’ in the ‘Management Console’ chapter.

Interface
The resources page is accessible from Management Console → System Configuration → Resources.

The tabbed menu above each page, shown below, gives direct access to each section, so any configuration parameter can be amended at any time and the sections can be visited in any order.

Configurable Resources
The resources configuration page allows the configuration of resources. As further resource types are added to an installation, such as nEXT, an associated configuration tab becomes available.

Each configuration tab for the resources highlighted above is detailed below.

Network Places
A network place resource gives secure access to network resources such as files, folders and directories. SSL-Explorer not only provides its own built-in interface for browsing network neighborhood resources but is also compatible with Microsoft Web Folders, allowing a more intuitive means of accessing remote folders over the internet.

Network Places Interface

Configuration Parameters
• Try current user (1st): When accessing a network resource that requires further authentication, SSL-Explorer automatically replays the user's current SSL-Explorer username and password to the file server.
• Try guest (2nd): If the user's current credentials fail, SSL-Explorer tries to authenticate using the guest and anonymous credentials.

If both options fail the user is presented with a login box and can authenticate manually. The first option only succeeds when the user's SSL-Explorer credentials are also valid on the file server; otherwise the fallbacks are tried in turn.

Configuring Guest Authentication

Note: Configuration of the guest account can be found under System Configuration → Windows Integration.

Web Forwarding
On a conventional network, providing remote access to intranet websites is not straightforward: intranet resources are not designed to be externally accessible and therefore cannot be resolved through public DNS. For this reason SSL-Explorer provides a web forwarding facility as a means of securely reaching both the internet and a corporate intranet. Administrators can publish links to intranet resources that users access through SSL-Explorer via a web forward.

SSL-Explorer's web forwarding technology provides three techniques for creating web forwards, each with its own characteristics:

• Tunneled Web Forward: A direct port-forwarded SSL tunnel to the remote site. This method requires the VPN client to be launched on the client system.
• Replacement Web Forward: The browser requests pages from SSL-Explorer, which retrieves the content on the client's behalf and rewrites the links it contains so that all subsequent content is also retrieved through SSL-Explorer's built-in web server. Does not require the VPN client.
• Reverse Proxy Web Forward: All requests from the client are first processed by SSL-Explorer's reverse proxy, which decides whether to pass each request on to the target site and then returns the response to the requesting client. Does not require the VPN client.
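The link rewriting that a replacement web forward performs, shown as an added example written for this guide rather than SSL-Explorer's own code. The proxy endpoint https://vpn.example.com/webforward/fetch?url=..., the allowed-host list and the sample intranet page are all constructed for the illustration; the product's actual URL scheme is not documented here.

```python
"""Rewrite page links so that a browser fetches them through the proxy (illustrative)."""
import re
from urllib.parse import quote, urljoin, urlparse

# Attributes whose values carry URLs that must be routed back through the proxy.
_URL_ATTR = re.compile(
    r'''(?P<pre>\b(?:href|src|action)\s*=\s*)(?P<q>["'])(?P<url>.*?)(?P=q)''',
    re.IGNORECASE | re.DOTALL)

# Values that never reach the network and must be left alone.
_SKIP_PREFIXES = ("javascript:", "mailto:", "data:", "#")


def proxied_url(target, proxy_base):
    """Build the proxy URL that fetches `target` on the client's behalf (assumed scheme)."""
    return f"{proxy_base}?url={quote(target, safe='')}"


def rewrite_links(html, page_url, proxy_base, allowed_hosts):
    """Rewrite every href/src/action in `html` to go through `proxy_base`.

    `page_url` is where the page was fetched from and resolves relative links.
    Links to hosts outside `allowed_hosts` are left untouched, so the browser
    reaches them directly; the fetcher behind `proxy_base` must independently
    reject such hosts, otherwise the proxy becomes an SSRF gateway.
    """
    def _sub(match):
        url = match.group("url").strip()
        if not url or url.lower().startswith(_SKIP_PREFIXES):
            return match.group(0)
        absolute = urljoin(page_url, url)
        parsed = urlparse(absolute)
        if parsed.scheme not in ("http", "https") or parsed.hostname not in allowed_hosts:
            return match.group(0)
        quote_char = match.group("q")
        return f"{match.group('pre')}{quote_char}{proxied_url(absolute, proxy_base)}{quote_char}"

    return _URL_ATTR.sub(_sub, html)


# Constructed sample page as an intranet server might return it.
SAMPLE_HTML = """<html><body>
<a href="/docs/index.html">Docs</a>
<img src="logo.png">
<a href="http://intranet.example.local/hr/">HR</a>
<a href="https://www.example.com/">Public site</a>
<a href="javascript:void(0)">Noop</a>
<form action="login.cgi" method="post"></form>
</body></html>"""


def rewrite_sample():
    """Rewrite SAMPLE_HTML with the assumed proxy endpoint and allow-list."""
    return rewrite_links(
        SAMPLE_HTML,
        page_url="http://intranet.example.local/portal/home.html",
        proxy_base="https://vpn.example.com/webforward/fetch",
        allowed_hosts={"intranet.example.local"})


if __name__ == "__main__":
    print(rewrite_sample())
```

A production rewriter also has to handle URLs in CSS (url(...)), in script-generated requests, in meta refresh tags and in Location response headers; anything it misses is fetched directly by the browser and fails for an intranet host, which is why the tunneled and reverse-proxy forwards exist as alternatives.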

Web Forward Interface


The configurable parameters for web forwards apply to all web forwards across the system. As shown below, these options control how content downloaded from the target web forward resource is cached.

Configuration Parameters
• Directory: When a web page is loaded its content is cached in a temporary folder for quick access; this parameter defines the location of that directory. As the default setting shows, the %TMP% variable is expanded at run time from the system variable TMP. It can be replaced by either a full directory path or another environment variable.
• Max. Size per User: The directory above is created per user on the client machine; this parameter defines how large it may grow. The default of 10MB means that no user's cache will exceed 10MB.
• Max. Objects per User: An additional limit on the number of objects (HTML pages, images, CSS files and so on) that can be stored. If either limit is exceeded, in terms of directory size or number of objects (default 10000), the system continues to cache new content, making space by evicting the oldest cached objects.
• Max. age: The maximum number of minutes each cached item is stored for. A value of 0 means store forever (or until logout).
• Clear on Logout: Checking this parameter clears the cached data once the user has logged out of the system. The default is checked: retaining cached information takes up unnecessary space and compromises security by leaving behind traces of the content visited or accessed.
• Active DNS Host Format: The format of the unique Active DNS hostname used to access reverse proxy web forwards.
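An added example, not SSL-Explorer's cache code, of a per-user cache that applies the three limits above (size, object count, age) by evicting the oldest objects first, with a clear() standing in for 'Clear on Logout'. The in-memory dictionary replaces the temporary directory and the injectable clock exists so the age limit can be exercised deterministically; both are assumptions of the example.

```python
import time
from collections import OrderedDict


class ForwardCache:
    """Per-user cache of downloaded web-forward objects.

    Enforces the three limits the configuration page exposes (total size,
    object count, maximum age) and discards the oldest objects first.
    """

    def __init__(self, max_bytes=10 * 1024 * 1024, max_objects=10000,
                 max_age_minutes=0, clock=time.time):
        self.max_bytes = max_bytes
        self.max_objects = max_objects
        self.max_age = max_age_minutes * 60      # seconds; 0 means keep until logout
        self.clock = clock                        # injectable for deterministic tests
        self._items = OrderedDict()              # url -> (stored_at, data), oldest first
        self.size = 0

    def put(self, url, data):
        """Store an object; returns False if it can never fit within the size limit."""
        if url in self._items:
            self._evict(url)
        if len(data) > self.max_bytes:
            return False
        self._items[url] = (self.clock(), data)
        self.size += len(data)
        # Over either limit: drop the oldest entries until both are satisfied.
        while self.size > self.max_bytes or len(self._items) > self.max_objects:
            self._evict(next(iter(self._items)))
        return True

    def get(self, url):
        """Return the cached object, or None on a miss or if it is older than Max. age."""
        entry = self._items.get(url)
        if entry is None:
            return None
        stored_at, data = entry
        if self.max_age and self.clock() - stored_at > self.max_age:
            self._evict(url)          # stale: treat as a miss and free the space
            return None
        return data

    def clear(self):
        """What 'Clear on Logout' does: remove every trace of visited content."""
        self._items.clear()
        self.size = 0

    def _evict(self, url):
        _, data = self._items.pop(url)
        self.size -= len(data)


class FakeClock:
    """Manually advanced clock so the age limit can be demonstrated offline."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    cache = ForwardCache(max_bytes=10, max_objects=2, max_age_minutes=1, clock=clock)
    for url in ("a", "b", "c"):
        cache.put(url, b"1234")
    print("a evicted:", cache.get("a") is None, "size:", cache.size)
```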

Microsoft Windows Integration
These configuration options allow advanced users to modify specific parameters related to using SSL-
Explorer in a Microsoft Windows environment.

The sections covered in this chapter are:

• Windows File Sharing

Windows File Sharing


SSL-Explorer accesses files and shares on Windows systems using the standard Windows CIFS protocol. This page allows the configurable items used by this protocol to be modified. These parameters should not normally need changing; if they do, the change should be made by an advanced network administrator with prior knowledge of CIFS.

What is CIFS?
Common Internet File System (CIFS) is used for client/server communication within Microsoft operating systems. It is designed to enable all applications, not just web browsers, to open and share files across a network by defining a remote file-access protocol that is compatible with the way applications already share data on local disks and network file servers. CIFS itself provides no transport encryption; in an SSL-Explorer deployment the CIFS traffic stays between the SSL-Explorer server and the file server on the internal network, while the remote user reaches the share over SSL.

CIFS is an enhanced version of Microsoft's cross-platform Server Message Block (SMB) protocol, the native file-sharing protocol in the Windows operating system. Not intended to replace HTTP, CIFS complements HTTP while providing more sophisticated file sharing and file transfer than older protocols such as FTP.

SSL-Explorer and CIFS


SSL-Explorer integrates CIFS through the JCIFS SMB client library, which enables remote users of SSL-Explorer to access shared files and directories on SMB file servers (a Microsoft Windows share, for example) as well as domains and workgroups, across the internet.

File Sharing Interface


The screenshot below shows the available parameters and their default values.

Details on the parameters can be found in the following section.

Configurable Parameters
• WINS Server Address: If a WINS server is in use, its address. Information on WINS servers can be found in the section titled 'What is WINS?'.
• NetBIOS Hostname: The NetBIOS name of the SSL-Explorer instance can be declared here if clients are having trouble locating the instance. For more information on NetBIOS refer to the section titled 'What is NetBIOS?'.
• NetBIOS Scope: A NetBIOS scope ID provides an extended naming service; it isolates NetBIOS traffic on a single network to only those nodes with the same scope ID. The scope ID is a character string appended to the NetBIOS name, and it must match on two hosts or they will not be able to communicate. If a scope ID is in use it must be set with this property or name queries will fail.
• NetBIOS Local Interface Address: The IP address of the local interface the client should bind to for name queries, if different from the default. More information on NetBIOS can be found in the section titled 'What is NetBIOS?'.
• NetBIOS Broadcast Address: A broadcast address is an IP address that delivers a datagram to all machines on a given subnet rather than to a specific machine. For example, if the local host's IP address is 192.168.1.15 on a /24 (255.255.255.0) subnet, the broadcast address is 192.168.1.255. It may be necessary to set the broadcast address for certain network configurations because the default of 255.255.255.255 may produce an error. More information on NetBIOS can be found in the section titled 'What is NetBIOS?'.
• LMHOSTS File Path: The path to an LMHOSTS file containing a map of IP addresses to hostnames; refer to the section titled 'What is the LMHOSTS File?' for more information.
• NetBIOS Socket Timeout: The timeout, defaulting to 5 seconds, on the datagram socket used for name service queries. A query that has not completed within this period is abandoned and the socket closed.
• NetBIOS Retry Count: The number of times a name query is attempted if no answer is received. The default is 2.
• NetBIOS Retry Timeout: The duration in milliseconds that the client waits for a response to each name query attempt. The default is 3000 (3 seconds).
• Local Interface Address: The IP address of the local interface the client should bind to for name queries, if different from the default.
• Disable Plain Text Password: Windows can authenticate using plain text passwords to support old machines; plain text passwords should never be used and are disabled by default.
• Response Timeout: The time period the client waits for a request to be serviced by the target server; the default is 10 seconds.
• Socket Timeout: To prevent the client from holding server resources unnecessarily, sockets are closed after this period of inactivity. The default is 15 seconds.
• Resolve Order: Specifies which name resolution methods are used and in which order, as a comma-separated list with the first entry being the first technique tried. If it fails the second technique is tried, and so on. By default the order is LMHOSTS,WINS,BCAST,DNS: the LMHOSTS file is consulted first; if it cannot resolve the required machine a WINS server is queried; after that a NetBIOS name query is broadcast to 255.255.255.255 or to the address specified by the 'NetBIOS Broadcast Address' parameter; should the broadcast fail, DNS is queried. If the DNS query also fails, an unknown host error results. For information on these techniques refer to the sections below.

Only Methods Listed Are Used

Note: If the 'Resolve Order' parameter does not include a method, for example WINS or LMHOSTS, that method will not be attempted regardless of whether its associated configuration parameters have been set.

• Guest User: This relates to the 'Try guest (2nd)' configuration parameter under Resources → Network Places. Whenever a network resource is accessed that requires authentication and the user's own credentials fail, 'Try guest (2nd)' automatically supplies this guest username and password. For more information on that parameter refer to the section titled 'Network Places'.
• Guest Password: The password used for the guest account.

What is WINS?
WINS (Windows Internet Name Service) is a name resolution service that resolves computer names to
IP addresses. Using WINS, the computer name ‘ARIES’, for example, could be resolved to an IP
address that enables computers on a Microsoft network to find one another and transfer information.

The underlying application programming interface, or API, that enables WINS name resolution and
information transfers between computers is NetBIOS (Network Basic Input/Output System). The
NetBIOS API contains a set of commands that applications can use to access session-layer services.

WINS provides a distributed database for registering and querying dynamic computer name-to-IP
address mappings in a routed network environment.

A WINS server runs on a Windows NT Server–based computer and handles name registration requests
from WINS clients and registers their names and IP addresses. The server also responds to name
queries from WINS clients by returning the IP address of the name being queried.

What is the LMHOSTS File?


The LMHOSTS file is a static text file that assists with (and is another method of) remote NetBIOS name resolution on computers that cannot respond to NetBIOS name-query broadcasts and have no WINS or DNS server in place. It contains NetBIOS name-to-IP address mappings; an example is shown below:

192.9.200.1 TESTPC
192.9.200.20 NTSERVER#20
192.9.200.21 SAMBASERVER

Each line contains the IP Address and NetBIOS name.

The problem with LMHOSTS files is that you have to maintain them – every time a new resource is
added to the network the LMHOSTS files on all clients need to be updated. Although you can
configure clients to include information from a central LMHOSTS file or files you still have to update
that file and configure all the clients to use it. This is where WINS is advantageous since it acts as a
central database for maintaining NetBIOS name to IP address mappings. All you have to do is set up
the WINS server and configure your clients to use it (you can use DHCP to configure the clients with
the WINS server information, so that can be centrally maintained as well.)
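The following added example (not JCIFS or SSL-Explorer code) brings together the 'Resolve Order' and 'NetBIOS Broadcast Address' parameters described above and the LMHOSTS format of this section: an LMHOSTS parser, a resolver that honours the order list so that methods not listed are never consulted, and the subnet arithmetic that yields 192.168.1.255 for 192.168.1.15/24. The LMHOSTS text and the WINS and DNS tables are constructed; real WINS, broadcast and DNS queries are replaced by dictionary lookups.

```python
import ipaddress


def parse_lmhosts(text):
    """Parse LMHOSTS text into a {NETBIOS_NAME: ip} mapping.

    Lines starting with '#' are comments or directives (#INCLUDE and friends)
    and are skipped; a trailing '#PRE' or '#DOM:...' after a mapping is ignored.
    Malformed lines are skipped rather than aborting the whole file.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("#", 1)[0].split()
        if len(fields) != 2:
            continue
        ip, name = fields
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue
        if len(name) > 15:   # NetBIOS names are at most 15 characters plus a suffix byte
            continue
        table[name.upper()] = ip
    return table


def resolve(name, order, methods):
    """Resolve `name` by trying the methods named in `order` (comma separated) in turn.

    Methods that are configured but not listed in `order` are never consulted,
    mirroring the 'Resolve Order' parameter. Returns (ip, methods_tried) or
    raises LookupError when every listed method fails.
    """
    name = name.upper()
    tried = []
    for method in (m.strip().upper() for m in order.split(",") if m.strip()):
        if method not in methods:
            raise ValueError(f"unknown resolve method: {method}")
        tried.append(method)
        ip = methods[method](name)
        if ip:
            return ip, tried
    raise LookupError(f"unknown host {name} (tried {', '.join(tried)})")


def try_resolve(name, order, methods):
    """Convenience wrapper: the address, or None on an unknown host error."""
    try:
        return resolve(name, order, methods)[0]
    except LookupError:
        return None


def broadcast_address(ip, netmask):
    """Directed broadcast address for an interface, e.g. 192.168.1.15/255.255.255.0 -> 192.168.1.255."""
    return str(ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False).broadcast_address)


# Constructed sample data standing in for the real file and name services.
LMHOSTS_SAMPLE = """\
# Constructed LMHOSTS file for the example
192.9.200.1   TESTPC
192.9.200.20  NTSERVER      #PRE
192.9.200.21  SAMBASERVER
999.1.1.1     BADADDRESS
"""
WINS_TABLE = {"FILESERV2": "192.9.200.40"}
DNS_TABLE = {"PRINTSRV": "192.9.200.50"}


def make_methods(lmhosts_table):
    """Bind each resolve-order keyword to a lookup; the broadcast never answers here."""
    return {
        "LMHOSTS": lmhosts_table.get,
        "WINS": WINS_TABLE.get,
        "BCAST": lambda _name: None,
        "DNS": DNS_TABLE.get,
    }


if __name__ == "__main__":
    methods = make_methods(parse_lmhosts(LMHOSTS_SAMPLE))
    print(resolve("ntserver", "LMHOSTS,WINS,BCAST,DNS", methods))
    print(resolve("printsrv", "LMHOSTS,WINS,BCAST,DNS", methods))
    print(try_resolve("fileserv2", "LMHOSTS,DNS", methods))   # WINS not listed, so None
    print(broadcast_address("192.168.1.15", "255.255.255.0"))
```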

What is NetBIOS?
To transmit WINS queries and other information computers use NetBIOS. NetBIOS provides an API
that allows computers on a network to communicate. When you install TCP/IP networking on a
Microsoft client or server, NetBIOS over TCP/IP is also installed. NetBIOS over TCP/IP is a session-
layer service that enables NetBIOS applications to run over the TCP/IP protocol stack. NetBIOS
applications, such as the command-line NET utilities, rely on WINS or the local LMHOSTS file to
resolve computer names to IP addresses.

It offers network applications a set of hooks for inter-application communication and data transfer. Put simply, NetBIOS allows applications to talk to the network, and frees the application from having to understand the details of the network, including error recovery.

Microsoft adopted NetBIOS in the late 1980s for their LAN Manager product and it found its way into early versions of Windows and into Windows NT. It is still present today because many corporate networks still have legacy (Windows 9x or Windows NT) machines that require NetBIOS to function properly on a network. Since Windows 2000, however, DNS has been the default name resolution method for Windows-based networks.

NetBIOS Names
NetBIOS names identify resources on a network; applications use these names to start and end sessions. A single machine can be configured with multiple applications, each with its own unique NetBIOS name, which in effect is what SSL-Explorer is: another Windows networking client with its own NetBIOS name, 'a box within a box'.

NetBIOS Hostname
The NetBIOS Hostname configuration parameter defines the SSL-Explorer instance name, allowing clients to locate the instance. Again, this should not need to be modified: SSL-Explorer's use of the JCIFS API automatically generates a unique dynamic NetBIOS name (if one has not been set), which the operating system's network configuration should register with any WINS server or central NetBIOS name database. A hostname can nevertheless be reserved for the instance, in which case it must be unique within the entire network and consist of up to 15 alphanumeric characters (the 16th byte of a NetBIOS name is reserved for the type suffix).

Correct NetBIOS Hostname

Note: If the defined name is incorrectly specified, JCIFS will not use it and will continue to generate unique names, which can be meaningless when looking through audit logs.

What is DNS?
WINS is not the only name resolution service available; DNS (Domain Name System) can also be used. DNS is a name resolution service that resolves Internet host names to IP addresses; using DNS the fully qualified domain name www.company.com, for example, can be resolved to an IP address. While WINS is used with NetBIOS applications, DNS is used with Winsock applications that operate over the TCP/IP protocol stack, such as FTP or Telnet. DNS can be configured to work in conjunction with WINS.

Security Options
The Security Options page allows the configuration of security-related parameters. Security affects all areas of the system, so this page divides the configurable items into their respective areas. This section only covers the options available with the basic installation of SSL-Explorer; all other option pages are detailed in their respective chapters. The sections covered are:

• Initial Options
• Password Options
• Session Options
• Confidential Attributes
• Policy Options
• Logon Page

Initial Options
In the initial installation of SSL-Explorer the security options page has only a select number of options available. These are shown below.

With the Enterprise Edition many further authentication modules become available, each with its own configuration tab accessible from this page. Documentation on the configuration options for the additional modules can be found in the respective chapter for each module.

Password Options
This page contains all necessary information pertaining to the configuration of the password
authentication module. This is the default module that comes as standard with SSL-Explorer. With
enterprise edition the numbers of authentication modules available are increased considerably and each
adds an additional tab to this menu.

Password Options Interface
The diagram below shows the password option interface.

Configuration Parameters
• Max Logon Attempts Before Lock: The number of failed logon attempts after which the account is temporarily locked. The default is 3; a value of zero disables this option.
• Max Lock Attempts Before Disable: The maximum number of temporary locks before the account is permanently disabled. Use a value of zero to never permanently disable accounts.
• Lock Duration: How long a temporary lock lasts, in seconds. The default is 300.
• Password Pattern: The definition of a password, that is, how passwords for this instance must be constructed. Details on password patterns can be found below.
• Password Pattern Description: This description is shown to the user when choosing a password.
• Days before Expiry Warning: The number of days after which a warning is displayed to the user asking them to change their password. The default is 21.
• Days before Expiry: The number of days after which the user is forced to change their password. The default is 28, approximately one month.

Locking after a small number of failures stops online password guessing, but an attacker who knows a username can also use it to lock that user out deliberately; the lock duration and disable threshold should be chosen with that trade-off in mind.

Password Pattern
The structure of an account password is defined by a regular expression and defaults to .{5,}, which requires a password of at least 5 characters. This expression is detailed in the diagram below:

The password structure is built around the Java regular expression syntax. The pattern is applied to the whole password (otherwise upper bounds such as {n,m} could not limit the length). Any valid expression is accepted; examples are given below:

Expression    Meaning
X{n}          X exactly n times
X{n,m}        X between n and m times
[^\s]{n,m}    Any character except whitespace, with a length between n and m
\w{n,m}       Word characters [a-zA-Z_0-9], with a length between n and m
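An added example, not SSL-Explorer code, that checks candidate passwords against patterns written in the syntax of the table above. It assumes whole-string matching (Java's matches() semantics) and, for contrast, shows what goes wrong when a pattern is merely searched for inside the password: [^\s]{8,64} then accepts a password containing a space. The three policies are constructed for the illustration.

```python
import re

# Password patterns in the Java regular-expression syntax the manual uses.
# Python's re module accepts these particular constructs unchanged.
PATTERNS = {
    "default": (r".{5,}", "At least 5 characters"),
    "no_whitespace": (r"[^\s]{8,64}", "8 to 64 characters with no whitespace"),
    "complex": (r"(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[^\w\s]).{12,}",
                "At least 12 characters including upper case, lower case, a digit and a symbol"),
}


def password_matches(password, pattern):
    r"""Whole-string match, as the {n,m} bounds in the table require.

    re.fullmatch succeeds only if the entire password matches, so a pattern
    such as [^\s]{8,64} really does forbid whitespace and cap the length.
    """
    return re.fullmatch(pattern, password) is not None


def password_contains_match(password, pattern):
    """The unsafe alternative: accept the password if the pattern matches
    anywhere inside it. Included only to make the difference visible."""
    return re.search(pattern, password) is not None


def check_policy(password, name="default"):
    """Return (ok, description) for the named policy, as a logon page would show it."""
    pattern, description = PATTERNS[name]
    return password_matches(password, pattern), description


if __name__ == "__main__":
    for candidate in ("abcd", "abcde", "pass word12345", "Correct-Horse-9battery"):
        print(candidate, [check_policy(candidate, name)[0] for name in PATTERNS])
```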

Session Options
Session options are security parameters used by the system to control how user sessions behave.

Session Options Interface


The diagram below shows the session options interface.

Configuration Parameters
• Maximum Logon Cookie Age: The maximum age of the cookie used to persist the logon when the browser is closed. A value of -1 means the user has to log on every time the browser is opened.
• Multiple Sessions: Defines whether the same user can log on multiple times. Further details can be found below.
• Verify Client Address: When checking logon state, verify the remote address of the request against the address recorded at logon. This prevents re-use of logon cookies from other clients, at the cost of logging out users whose source address changes during a session (for example behind a pool of outbound proxies).
• Lock Session on Browser Close: Enabling this option forces the user to provide their password when opening a new browser and returning to the site.

Multiple Sessions
This option configures whether the same user is able to log into the system more than once
simultaneously. The option provides three alternatives depicted below.

As the diagram shows, the final option, 'Single Session per User / IP Address', is the most restrictive. This setting prohibits the same user from opening more than one session with the SSL-Explorer server, locking the user down to a single session from a single machine.

Confidential Attributes
Confidential attributes are used by the system to store personal information about the user such as
security questions which are used during authentication. These options configure how these attributes
are encrypted.

Confidential Attribute Interface


The diagram below shows the confidential attribute interface.

Configuration Parameters
• Confidential Mode: Determines how the passphrase for the user's private key is established. Attributes are stored by encrypting them with the user's public key so that they can only be decrypted by the corresponding private key. With Automatic, the passphrase for the private key is the user's account password; if no account password has been provided it is prompted for instead. With Prompt, the user is prompted for the passphrase at logon, so the passphrase is independent of the user's password. Disabled prevents the key being used at all, meaning confidential user attributes are stored unencrypted.
• Public Key Algorithm: The algorithm used to encrypt confidential user attributes.
• Mask Personal Answers: Checking this option masks the user's actual responses with asterisks.
• Bit Length: Bit length of the public/private key pair used to encrypt confidential user attributes.

Policy Options
This page refines some of the access abilities for policies; any policy-related configuration options are maintained here.

Policy Options Interface


The diagram below shows the policy options interface.

Configuration Parameters
• Restrict Policies to Assigned Authentication Scheme: This option restricts the available
resources to those which are attached to the policies assigned to the authentication scheme
used at login

Logon Page
This page defines the logon preferences. All users are affected by the changes made to this page.

Logon Page Interface


The diagram below shows the logon page interface.

Configuration Parameters
• Site Name: A specific name for the site. The title specified here is shown on the logon page.
• Welcome Text: A custom title for the logon page. Leave this blank to use the default internationalized SSL-Explorer title.
• Logo: A custom logo for the logon page. Any logon logo image must be placed in [SSL-Explorer_HOME]/conf/site/icons.
• Message Type: The type of message icon to show. This icon and the following message text are shown below the logon fields.
• Message Align: Sets the alignment of the message text; the options available are justify and center.
• Message: The message displayed beside the message type icon.

Messaging
SSL-Explorer enables messages to be broadcast to users of the system in a number of ways. This chapter provides some background to messaging and then details the options available through SSL-Explorer. The sections covered are as follows:

• Message Queue
• What is SMTP?
• Messaging Interface
• Configuration Parameters

Message Queue
The message configuration page affects the functionality available from the Message Queue page, found under Management Console → System → Message Queue. As the main page below shows, this functionality allows a privileged user to create messages and have them broadcast to all, or a selected few, of the SSL-Explorer instance's users.

What is SMTP?
POP3 (Post Office Protocol version 3) handles email between an email server and a local email client such as Microsoft Outlook. POP3 is used to authenticate the user's credentials on the server and download email that has arrived at the email server from across the Internet. The POP3 protocol is used when the client receives email, as shown in the diagram below.

SMTP (Simple Mail Transfer Protocol), on the other hand, is the protocol used for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another. In addition, it is used to deliver email from the email client to the recipient's email server.

The email stays on the recipient's email server until the recipient's email client explicitly requests to download it over POP3.

SMTP and SSL-Explorer


For the messaging functionality to work, SSL-Explorer needs the address of a mail server to which it can deliver messages over SMTP.

Once the user has created the message to distribute, SSL-Explorer sends it to the mail server using SMTP. As described above, the recipients' mail clients then contact the mail server and download the mail.

Messaging Interface
The screenshot below shows the available messaging configuration parameters which affect messaging
functionality.

With SSL-Explorer Enterprise edition a number of additional messaging related extensions can be
uploaded such as the one time password extension; any configurable parameters will be accessible
from this menu under an associated tab.

Configuration Parameters
• Enable on Startup: When the SSL-Explorer instance is started the email messaging service is available for use; unchecking this option disables message distribution via email the next time the instance is restarted.
• SMTP Server: Messaging is performed in two ways: through active users running the VPN client, and through messages sent as emails that are received in users' email clients. To use the email option the SMTP mail server must be specified here.
• Port: The port on which the above server listens. By default mail servers listen on port 25.
• Login (HELO): The name SSL-Explorer sends in the SMTP HELO command. An SMTP client must send HELO (or EHLO) as the first command of every session, and a server may reject a MAIL command sent before it with a 503 reply. The parameter takes the principal host domain name of the sender, for example domainname.co.uk.
• Sender Address: The address that appears as the sender when the mail is received in the user's mail client.
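The SMTP exchange behind the Login (HELO) and Sender Address parameters, as an added example that is not SSL-Explorer's messaging code. A small server state machine stands in for the real mail server and a client function drives the session; the hostnames and addresses are constructed. The server refuses MAIL with a 503 until HELO has been sent, which is the failure an empty or wrong Login (HELO) value produces against a strict mail server.

```python
class MiniSmtpServer:
    """Tiny SMTP server state machine, constructed for this example.

    It enforces the ordering rule behind the Login (HELO) parameter: any
    command other than HELO/EHLO is refused with 503 until a greeting has
    been received. Replies use the RFC 5321 three-digit codes.
    """

    def __init__(self, hostname="mail.example.com"):
        self.hostname = hostname
        self.client_name = None       # set by HELO/EHLO
        self.sender = None
        self.recipients = []
        self.messages = []            # (client_name, sender, recipients, body)
        self.transcript = [f"S: 220 {hostname} ESMTP"]

    def command(self, line):
        """Process one client command line and return the server reply."""
        self.transcript.append("C: " + line)
        reply = self._dispatch(line)
        self.transcript.append("S: " + reply)
        return reply

    def _dispatch(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.client_name = arg
            return f"250 {self.hostname} Hello {arg}"
        if self.client_name is None:
            return "503 Error: send HELO/EHLO first"
        if verb == "MAIL":
            self.sender = arg[len("FROM:"):].strip("<> ")
            self.recipients = []
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Error: need MAIL command"
            self.recipients.append(arg[len("TO:"):].strip("<> "))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Error: need RCPT command"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Error: command not recognized"

    def data(self, body):
        """Accept the message body that follows a 354 reply."""
        for line in body.splitlines():
            self.transcript.append("C: " + line)
        self.transcript.append("C: .")
        self.messages.append((self.client_name, self.sender, tuple(self.recipients), body))
        self.sender, self.recipients = None, []
        self.transcript.append("S: 250 OK: queued")
        return "250 OK: queued"


def send_message(server, helo_name, sender, recipients, body):
    """Client side of the exchange SSL-Explorer's messaging service drives.

    `helo_name` corresponds to the Login (HELO) parameter and `sender` to the
    Sender Address parameter. Returns True if the server queued the message;
    on any error reply the session is closed with QUIT and False is returned.
    """
    commands = []
    if helo_name:
        commands.append(f"HELO {helo_name}")
    commands.append(f"MAIL FROM:<{sender}>")
    commands.extend(f"RCPT TO:<{rcpt}>" for rcpt in recipients)
    commands.append("DATA")
    for cmd in commands:
        reply = server.command(cmd)
        if not reply.startswith(("250", "354")):
            server.command("QUIT")
            return False
    server.data(body)
    server.command("QUIT")
    return True


if __name__ == "__main__":
    srv = MiniSmtpServer()
    ok = send_message(srv, "vpn.example.com", "vpn@example.com",
                      ["alice@example.com"], "Subject: Maintenance\n\nVPN restarts at 22:00.")
    print("\n".join(srv.transcript))
    print("queued:", ok)
```

The transcript printed by the block is the dialogue to compare against a packet capture or mail server log when SSL-Explorer's messages are not arriving: a 503 immediately after the MAIL command points at the Login (HELO) setting, a rejection after RCPT at relaying restrictions on the mail server.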

Clickatell and SMS in Access Control

Note: Configuration of Clickatell and SMS can be found in the Access Control guide under the OTP Authentication section.

Basic Configuration
This section details the remaining areas listed under the configuration menu. These items allow configuration of those items that directly affect user interaction. For example, the extension manager allows an administrator to add functionality to the system, which affects what functions become available to users, much as SSL certificates affect how the connection between users and the system is secured.

The chapters that follow detail the remaining functions available under the Configuration header in the Management Console. These are: Extension Manager, SSL Certificates, Replacements, User Attributes and License Manager.

Extension Manager
SSL-Explorer is not a static entity but an extensible application to which functionality continues to be added, and one of the methods employed to extend it is through extensions. These are additional applications that can be installed on the SSL-Explorer VPN server to further enhance the usability and experience of SSL-Explorer.

This chapter details the extension manager which manages these additional applications; the chapter
consists of the following sections:

• What are Extensions?
• Extension Manager Interface
• Install an Extension
• Updating an Extension
• Removing an Extension
• Upload an Extension
• Bespoke Application Extensions

By the end of this chapter the user should have a sound knowledge of extensions, the extension
manager and know how to install relevant applications and plug-ins required to meet business needs.

What are Extensions?


Extensions are used within SSL-Explorer to give you a quick, simple method to install new
functionality or upgrade the applications that you need from the software. New software components
may be installed onto the SSL-Explorer server via extensions and assigned to your users with the
greatest of ease.

Extensions may be classed as either one of the following two types:

• Plug-ins: These extend the functionality of the SSL-Explorer server. This can be in the form
of new services, new web pages, authentication components or beta versions of upcoming
new features.
• Applications: Applications extend the number of applications available to SSL-Explorer. These applications are launched from the 'My Applications' page and run as separate services. Examples would be SSL-Explorer's range of proprietary lightweight remote access applets supporting SSH, RDP, VNC, SFTP and Telnet.

Installation of Extensions
Extension files reside on the 3SP Extension Store, a publicly available store accessed from within SSL-Explorer. When an extension is selected for installation the wizard contacts the remote Extension Store and downloads the new extension file.

Plug-in extensions require a restart of SSL-Explorer to become active, whereas applications generally work as soon as they are downloaded.

The extension itself is a zip file and is stored locally on the SSL-Explorer server under <SSLEXPLORER_HOME>/conf/repository/archives, where <SSLEXPLORER_HOME> refers to the SSL-Explorer home directory. The file is unzipped into the applications folder, <SSLEXPLORER_HOME>/webapp/WEB-INF/applications. Each time the server is restarted the system clears the content of the applications folder and unzips the extensions from the repository folder into it again. Because extension contents are unpacked directly into the web application and plug-ins execute inside the server, an extension should only be installed from a source the administrator trusts.

Extension files

Note: These files should not be removed, as doing so will affect the running of the SSL-Explorer instance.
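Because an extension archive is unpacked into the web application on every restart, the check a practitioner would want before uploading a third-party extension is that no entry in the zip can write outside the applications folder. The following added example (not SSL-Explorer's installer) audits an archive for absolute paths, '..' traversal and symbolic links, confirms that an extension.xml or application.xml is present, and only then extracts it. The archives are constructed in memory; the manifest content is a placeholder, since the real schema is not described here.

```python
import io
import os
import posixpath
import tempfile
import zipfile

MANIFESTS = ("extension.xml", "application.xml")


def audit_extension(zip_bytes):
    """Inspect an extension archive before unpacking it into the web application.

    Returns (safe_entries, problems). An entry is a problem if its path is
    absolute, escapes the target directory through '..', starts with a drive
    letter, or is a symbolic link; a missing manifest is reported too, since
    the server needs it to run the extension.
    """
    safe, problems = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if not any(posixpath.basename(n) in MANIFESTS for n in zf.namelist()):
            problems.append("no extension.xml or application.xml in archive")
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            normalized = posixpath.normpath(name)
            first = normalized.split("/", 1)[0]
            if name.startswith("/") or first == ".." or ":" in first:
                problems.append(f"path escapes the extraction directory: {info.filename}")
                continue
            if ((info.external_attr >> 16) & 0o170000) == 0o120000:   # S_IFLNK
                problems.append(f"symbolic link not allowed: {info.filename}")
                continue
            safe.append(normalized)
    return safe, problems


def install_extension(zip_bytes, applications_dir):
    """Unpack the archive only if the audit found nothing wrong; returns the entries written."""
    safe, problems = audit_extension(zip_bytes)
    if problems:
        raise ValueError("refusing to install extension: " +
                         "; ".join(problems))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            zf.extract(info, applications_dir)
    return sorted(safe)


def build_zip(files):
    """Build a zip archive in memory from {path: content} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed archives; the manifest body is a placeholder, not the real schema.
GOOD_EXTENSION = build_zip({
    "putty/extension.xml": "<extension/>",
    "putty/putty.exe": b"MZ placeholder",
})
BAD_EXTENSION = build_zip({
    "evil/extension.xml": "<extension/>",
    # Zip-slip entry: would overwrite the server's own deployment descriptor.
    "../../webapp/WEB-INF/web.xml": "<web-app/>",
})


def demo():
    """Install the good archive into a scratch directory and reject the bad one."""
    with tempfile.TemporaryDirectory() as scratch:
        installed = install_extension(GOOD_EXTENSION, scratch)
        present = os.path.exists(os.path.join(scratch, "putty", "putty.exe"))
        try:
            install_extension(BAD_EXTENSION, scratch)
            rejected = False
        except ValueError:
            rejected = True
    return installed, present, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting rather than silently sanitizing is deliberate: an archive that contains a traversal entry was built by someone who intended it, and the administrator should learn that before anything else in it is trusted.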

Anatomy of an Extension
An extension file packages everything the extension needs to get up and running. For example the PuTTY plug-in extension consists of the following files:

• extension.xml
• putty.exe

The most important file in the package is the extension.xml. Not only does this maintain a list of files
but it is also used by SSL-Explorer to understand how to run the file and identify whether any user
interaction is required to launch the application successfully.

Application extension

Note: For application extensions the extension.xml file is replaced by an application.xml file whose purpose is much the same as the extension.xml.

The actual number of additional files varies greatly depending on the complexity of the extension.

Extension Manager Interface
The screenshot below shows the extension manager interface:

The page divides extensions into tabs by type. In addition there are three tabs that provide other information:
• Installed: This shows currently installed extensions
• Updateable: Extensions that have a new version available
• Articles: Articles that detail how to set up extensions that cannot be included in the extension
store for licensing reasons

Action Icons
The action icon performs a particular function on the associated extension; available actions for an
extension are:

Install extension

Update extension

Remove extension

Install an Extension
Step 1 Any extension that is available for installation will be visible from under the appropriate section tab
for example any remote access extensions will be listed as installable from the Remote Access tab, any
extensions related to access will be installable from the Access Control tab.

Choose an extension to install. The extension will have the install action icon against it.

Step 2 The system will proceed to download the extension from the extension store and install the
application. A progress bar similar to the one below shows the status of the download:

Some extensions may require the user to agree to the license.

Step 3 Once installed, the extension will be available from the Installed tab. If an extension requires a restart of the system, it will have the inactive icon against it:

A restart message will also be visible in the Warnings window of the events pane.

Once restarted, the active icon will be visible against the extension:

The extension should then be accessible from its defined location, for example application extensions from the Applications menu.

Updating an Extension
Step 1 Any updates to extensions are visible, and can be applied, from the Updateable tab.

Step 2 Click the update icon against the chosen extension to update it.

Step 3 The system starts to update the extension. A progress bar indicates how far the update has progressed. If the system requires a restart, a warning message indicating this is shown in the events panel.

Removing an Extension
Step 1 An installed extension can be uninstalled from the Installed tab. Identify the extension to remove; any extension that can be uninstalled will have the remove action icon against it.

Step 2 Select the remove action icon. A warning message is displayed asking you to confirm the removal of the extension.

Step 3 Confirm the removal. The extension is removed and is added back to the list of available extensions.

Note (Assigned extensions): Any application extensions assigned through the application shortcut page are also removed from all associated users.

Upload an Extension
Applications not available through the extension store can be uploaded manually. Many applications can be made into an extension and, through this step, uploaded onto the SSL-Explorer server for use by your users.

Step 1 Construct the extension in the appropriate manner. The basic content of an extension consists of the following items:

• Extension.xml: Details the parameters required for the application, how to launch the application, the required application files, registry information and application execution procedures.
• Application files: All files required to execute the application must be collated.

Step 2 Store this content in a directory and compress that directory into a zip file.

For more information on constructing your own extensions, please refer to the Extensions section of the 3SP Knowledge Base at 3SP.com.

Step 3 To upload the created extension, select 'Upload Extension' from the action pane.

Step 4 Enter the path of the extension zip file for the system to upload.

When the Upload button is pressed the system uploads the extension to the appropriate place depending on the extension type.

• Plug-ins: These extensions usually require a system restart and are loaded into the system under the appropriate page; for example, if the plug-in is a new authentication method it will be visible within the 'Authentication Schemes' page.
• Applications: Extensions that are applications are visible within the Installed tab of the extension manager, as well as being selectable as an application within the 'application shortcut' pages.

Bespoke Application Extensions
So far we have concentrated on the extensions that come as part of the extension store supplied by 3SP Ltd. SSL-Explorer can, however, accept any external extension, which means that an administrator can also provide their user base with extensions for applications specific to their company.

You are not restricted to what SSL-Explorer provides or what 3SP Ltd creates and adds to the extension store; an administrator can create their own extensions for users to install. To find out how to deploy bespoke extensions please refer to the 3SP knowledge base, www.3sp.com/kb, which contains many articles on extensions and how to create them.

SSL Certificates
As part of the installation wizard an SSL certificate is configured; it is then used to encrypt communication between server and client. This page enables the management of this and the other types of certificate that SSL-Explorer supports. This chapter details the certificate-related actions available to a user, from importing new certificates to purchasing certificates. The following sections are included:

• Revisiting Certificates
• SSL-Certificates Interface
• Creating a CA
• Purchasing Certificates
• Generating a CSR
• Importing a Certificate
• Exporting Keys and Certificates

By the end of this chapter the reader should have a sound understanding of certificates and be able to
manage certificates used by the SSL-Explorer instance. Further information can be found in SSL-
Explorer: Access Control Guide, chapter Authentication Schemes and

Revisiting Certificates
The SSL (Secure Sockets Layer) protocol is the standard method used to secure e-commerce transactions. SSL uses two mechanisms to protect sensitive information during an SSL session: encryption and authentication.

Encryption
Data in transit should be protected so that no one else can read it. Public Key Infrastructure (PKI) secures data transmission by encrypting information in a way that cannot be understood if it is intercepted by a third party. This topic is explained in greater depth in Appendix I; for brevity only the core concepts are summarized here.

PKI relies on an entity creating two keys. The keys are related to one another by mathematical formulae, but knowing the value of one key does not feasibly lead you to the other. One key is kept secret (the private key) while the other is made public (the public key).

The public key can be used alongside standard encryption techniques to encrypt messages, and the only way to decrypt such a message is with the closely guarded private key. Only the holder of the private key can ever read the message.

This is the basis for keeping SSL transmissions private.

While encryption is a powerful tool on its own, it is insufficient to give consumers the confidence they need when performing e-commerce transactions.

Authentication
On the internet, any data passed between two computers travels via a public network and anyone with the desire and know-how can potentially read it. A man-in-the-middle (MITM) attack occurs when an attacker manages to position himself between a victim and a resource, proxying the client's personal information to and from the resource and silently snooping on it. The victim is unaware that anything is wrong and may even be communicating with the attacker in an encrypted manner, although the attacker can see all transactions and may even be able to modify them for personal advantage.

This shows that encryption alone is not enough: to prevent MITM attacks the client must also be confident that the data it received was sent by the correct website.

Secure internet communication is viable not only because encryption is used, but also because the website with which the encrypted session is held is authenticated. In other words, you can verify that the website is the one you intended to communicate with, and not an impostor who has launched an MITM attack.

A web site is generally authenticated by an X.509 certificate.

SSL-Certificates
In cryptography, X.509 is an ITU-T standard for public key infrastructure. X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.

An X.509 certificate contains the following information:

• Information about the entity that owns the certificate.
• The owner's public key.
• A signature from a trusted third party (the issuer) confirming that the information inside the certificate has been verified.

Web servers use certificates:

• To prove their identity to a client browser.
• To provide a public key to the browser so that it and the server may communicate securely.

X.509 certificates provide a mechanism on which an SSL session can be built. If an X.509 certificate contains the data needed to create an SSL session, it can be considered an SSL certificate.

Certification Authority
A web server must have a certificate that has been vetted by a trusted third party known as a Certification Authority (CA). The CA vets the request to confirm the identity of the requester by various means, such as examining business documents, and to confirm that the requester is entitled to the certificate and that no forgery is taking place.

Only if the vetting process confirms the entity's identity does the CA sign the certificate and add its own identity to the 'issuer' field. The CA signs the certificate with its private key, so anyone who examines the certificate can be assured that that CA validated the certificate's information.

Since the signing process requires possession of the CA's private key, which is closely guarded, it is not feasible for anyone else to forge the signature.

It is relatively easy to create your own certificate that claims to belong to another website. However, since a CA relies on public trust, it will not put its reputation on the line by signing a certificate unless it is sure of its validity.

Trustworthy Certificates
In the same way that I could create a fake website certificate for, say, 'www.amazon.com', I could also create a CA certificate claiming to be issued by, say, 'VeriSign' and sign my fake certificate with it. Would this phony certificate then be accepted by a browser?

How does a browser know that a certificate is trustworthy?

When you use your browser to access a secure website, the remote web server attempts to use SSL to secure the communication. The web server transmits its certificate to your browser and, if the browser accepts the certificate as trustworthy, the handshake completes and the secure session starts.

The browser checks that the certificate is valid and properly signed. If so, it checks that the issuing CA is trustworthy by comparing it against the browser's built-in root certificates.

Browsers such as Internet Explorer, Mozilla and Opera come with root certificates pre-installed, so SSL certificates issued by those CAs can be verified instantly. If the issuer is unknown, a message warns the user that the certificate may not be valid. Without first possessing a CA's private key you cannot create a fake certificate and fool the browser into thinking it was signed by the real CA: a home-made 'VeriSign' CA has the name but not the key, so its signature does not verify against the root the browser already holds.

This is the real protection against MITM attacks.

SSL-Certificates Interface
The screenshot below shows the main certificates page.

The page displays the certificates held in each keystore. As can be seen above, the keystore pull-down offers the following certificate types:

• SSL-Explorer Server Certificate: The certificate installed by the SSL-Explorer server for SSL encryption of VPN sessions. Browsers connecting to the instance receive this as proof of the server's authenticity.
• Trusted Server Certificates: Certificates, usually provided in advance by trusted vendors, for web servers that SSL-Explorer may be expected to connect to at some point. Each contains the public key that lets client and server secure the communication.
• Server Authentication: The certificate used when the SSL-Explorer instance, acting as a client, connects to another HTTPS server that requires client authentication by means of a private key.
• Client Certificate Authentication: The certificate a client uses to authenticate itself to SSL-Explorer. SSL-Explorer creates this certificate, together with its private key, and it is imported into the browser so the browser can authenticate itself to the server.
• SSL-Explorer CA: The certificate containing the public key that corresponds to the private key used to sign all client certificates.

Action Icons
The action icons against each certificate perform functions on the associated certificate:

Export certificate

Export key

Certificate Actions
The action panel on the right of the page shows the actions that can be performed:

• Import Certificate or Key: Any further additions to the certificate database are imported from this option.
• Purchase a Secure Certificate: Buy a discounted SSL certificate through 3SP Ltd.
• Download CSR: Downloads the Certificate Signing Request for the server SSL certificate currently in use, so that it can be sent to a CA for signing.
• Create CA: Create a new certification authority.

Creating a CA
A Certification Authority is required in order to issue certificates to clients. This process establishes SSL-Explorer as the authority that issues and validates the client certificates used to log into the server.

An external authority can also be used. In that case SSL-Explorer needs a copy of the certificate issued by that authority to each client (see 'A certificate you trust for client certificate authentication' under Importing a Certificate) so that it can recognise each client certificate presented at login; the client's private key stays with the client and is never imported into the server.

Step 1 From the Action menu select the Create CA action.

For a server which already has a CA this action is replaced by Reset CA. The CA only needs to be created once; use Reset CA only when the authority genuinely has to be regenerated, since client certificates issued by the previous CA will no longer chain to the new one.

Step 2 This action loads the Create CA wizard, which guides the user through the steps required to configure a CA for the system. Each certificate created for a user will be issued by this authority.

All of the information must be completed; it is then used to create a valid authority. The stamp of authenticity is based entirely on the content provided here, so it is recommended that correct information be supplied.

The required information and its meaning are detailed below.

• Common Name: The name by which the certificate is referred to.
• Location: Where the authority is based.
• Organizational Unit: The department of the authority.
• Company: The name of the company or entity to which the certificate should be registered.

Step 3 To protect this information and the private keys that are subsequently generated, the certificate requires an encrypting password.

Step 4 The strength of the private keys is requested next. The larger the key size, the stronger the keys.

Step 5 Finally a summary is shown of the certificate that is about to be created. Pressing the Finish button creates the certificate; the Previous button goes back through each step and allows amendments to be made.

That's it. The newly generated authority will be used to issue all client certificates. This CA can be seen in the SSL-Explorer CA keystore.

Purchasing Certificates
Step 1 The 'Purchase a Secure Certificate' action goes to the 'SSL Certificate Purchase' page at 3SP.com. 3SP Ltd. uses InstantSSL as the certificate provider.

As can be seen below, 3SP.com provides the Super User with a list of certificates to buy.

Select the appropriate certificate.

Step 2 Select the URL. Once the purchase has been successful a URL is sent to the recipient's email address, much like the one below.

https://secure.comodo.net/frontpage?reseller=y...

Opening the URL in a browser shows the 'Certificate Signing Request' page from Comodo, as can be seen below:

Before this request can be processed a CSR needs to be generated through SSL-Explorer.

Generating a CSR
Step 1 Select the 'Download CSR' option available in the Action pane.

Note (Convenience with 3SP.com certificates): The generated CSR can be used with any certification authority, although 3SP Ltd. provides a more convenient and cost-effective means of obtaining discounted certificates in partnership with InstantSSL.

Step 2 The 'Download CSR' action takes the content of the unsigned certificate currently in use by SSL-Explorer and produces a CSR from it. The CSR carries the server's public key and identifying details; the matching private key stays on the server and is never sent to the CA. When ready, the system makes the CSR available for download.

The file should be saved.

Note (Remaining steps): The remaining steps detail how to continue the signing process via a certificate purchased through 3SP.com. If an alternative certification authority was used, please follow their instructions instead.

Step 3 Complete the signing request. Using a standard text editor open the downloaded CSR, then copy and paste its content into the large text box as shown below.

Select Java Web Server as the 'server software used to generate the CSR' and select an appropriate option for each of the last two questions. Select Next.

Step 4 Complete the remaining details. The registration process reads the unsigned certificate and populates some details itself; the remaining required details must be completed.

Step 5 Once complete, hitting the Next button takes us to the final step in the process, confirmation of details.

From here InstantSSL will validate the authenticity of the CSR. The time InstantSSL spends validating the request varies with the type of certificate chosen; for example, an 'Intranet SSL Certificate' is the quickest to process, usually under an hour.

Step 6 If successful, InstantSSL signs the certificate and returns a zip file containing the signed certificate and the necessary root certificates, ready to be imported into the system.

Importing a Certificate
Step 1 Select 'Import Certificate or Key' from the Action menu.

Step 2 Next, select the 'Input Type'. SSL-Explorer is able to import several types of certificate or key:

• A certificate purchased from 3SP.com: Use this if the certificate has been purchased from 3SP.com. This speeds up the import process by automatically loading all the certificates contained within the received zip file.
• A reply from a CA: A DER-encoded certificate from a vendor other than 3SP Ltd.
• A root certificate for your web server's CA: A root certificate to authenticate the issuer of your installed certificate.
• A certificate from a server you wish to trust: Add a specific server's signed certificate to the trusted server certificate store to trust that server.
• A key for a server that requires client certificate authentication: A private key, in either PKCS#12 or JKS format, used to perform client authentication on outgoing connections.
• A CA certificate for verifying Active Directory user certificates: The certificate of a CA used to authenticate Active Directory users.
• A certificate you trust for client certificate authentication: Only the Super User can generate internal certificates, use Active Directory certificates or trust a certificate. Importing a certificate through this option trusts it for use with client authentication.

Step 3 Load the appropriate file.

Step 4 The system provides a summary of the action about to be performed; selecting Back allows the details to be modified.

Once completed successfully the newly imported certificate will be visible on the main SSL certificate page, as below.
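
The checks below are an added example, not part of this guide and not SSL-Explorer's own code: a scratch PKI built with the openssl command-line tool that reproduces what Create CA, Download CSR and Import a Certificate do, runs the browser-side check from Trustworthy Certificates against an impostor CA that copies a real CA's name but not its key, and shows the Encryption section's point that only the private key can open what the public key sealed. The names (Example Ltd, vpn.example.com, the file names) are assumptions; the wizard's internals and SSL-Explorer's keystore format are not shown on the page, so plain PEM files stand in for them.

```shell
#!/bin/sh
# Added example (not from the SSL-Explorer guide or its code): a scratch PKI built with
# the openssl command-line tool. It mirrors Create CA, Download CSR and Import
# Certificate, runs the browser-side check from Trustworthy Certificates against an
# impostor CA, and shows the Encryption section's private/public key point.
# Assumed names: Example Ltd, vpn.example.com and the file names below.

PKI_DIR=${PKI_DIR:-$(mktemp -d)}   # every artefact lands here, never in a live keystore

# Minimal config so nothing depends on the system openssl.cnf being present.
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_ca <name> <subject>: self-signed root, i.e. what the Create CA wizard produces.
make_ca() {
    openssl req -x509 -config "$PKI_DIR/req.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -subj "$2" -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.crt" 2>/dev/null
}

# make_csr <name> <hostname> <org>: server key plus CSR (the Download CSR step).
# Only the CSR leaves the machine; the key stays in <name>.key.
make_csr() {
    openssl req -new -config "$PKI_DIR/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2/O=$3" -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
}

# csr_cn <name>: the Common Name in a CSR. Check it before the CSR is sent off: it must
# be the host name users will type, or every browser will warn.
csr_cn() {
    openssl req -in "$PKI_DIR/$1.csr" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# sign_csr <ca> <name> <hostname>: the CA's side. A subjectAltName is added because
# browsers match the host name against it.
sign_csr() {
    printf 'subjectAltName=DNS:%s\n' "$3" > "$PKI_DIR/$2.ext"
    openssl x509 -req -days 365 -in "$PKI_DIR/$2.csr" -CA "$PKI_DIR/$1.crt" \
        -CAkey "$PKI_DIR/$1.key" -CAcreateserial -extfile "$PKI_DIR/$2.ext" \
        -out "$PKI_DIR/$2.crt" 2>/dev/null
}

# verify_chain <ca> <name> <hostname>: the browser-side check. Passes only if <name>.crt
# was signed by the private key behind <ca>.crt and names the host being visited.
verify_chain() {
    openssl verify -CAfile "$PKI_DIR/$1.crt" -verify_hostname "$3" "$PKI_DIR/$2.crt" 2>&1 |
        grep -q ': OK$'
}

# key_matches_cert <name>: run before importing a CA reply. The reply is only usable if
# its public key is the one derived from the private key that produced the CSR.
key_matches_cert() {
    c=$(openssl x509 -in "$PKI_DIR/$1.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$PKI_DIR/$1.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# open_with <cert> <key> <message>: encrypt <message> to the public key in <cert>.crt,
# decrypt with <key>.key. Succeeds only if <key>.key is that public key's private half.
open_with() {
    printf '%s' "$3" > "$PKI_DIR/msg.txt"
    openssl x509 -in "$PKI_DIR/$1.crt" -noout -pubkey > "$PKI_DIR/$1.pub" &&
    openssl pkeyutl -encrypt -pubin -inkey "$PKI_DIR/$1.pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$PKI_DIR/msg.txt" -out "$PKI_DIR/msg.enc" 2>/dev/null &&
    openssl pkeyutl -decrypt -inkey "$PKI_DIR/$2.key" -pkeyopt rsa_padding_mode:oaep \
        -in "$PKI_DIR/msg.enc" 2>/dev/null
}

# A genuine CA, an impostor CA with the identical name but its own key, and a
# vpn.example.com certificate issued by each.
build_demo_pki() {
    make_ca real     "/CN=Example Root CA/O=Example Ltd" &&
    make_ca impostor "/CN=Example Root CA/O=Example Ltd" &&
    make_csr server vpn.example.com "Example Ltd" &&
    sign_csr real server vpn.example.com &&
    make_csr fake vpn.example.com "Example Ltd" &&
    sign_csr impostor fake vpn.example.com
}
build_demo_pki || { echo "openssl failed; see $PKI_DIR" >&2; exit 1; }

echo "CSR common name: $(csr_cn server)"
for probe in "real server vpn.example.com" "real fake vpn.example.com" \
             "impostor server vpn.example.com" "real server intranet.example.com"; do
    set -- $probe
    if verify_chain "$1" "$2" "$3"; then verdict=accepted; else verdict=REJECTED; fi
    echo "$2.crt checked against $1.crt for host $3: $verdict"
done
key_matches_cert server && echo "server.crt matches server.key: safe to import"
echo "decrypted with the right key: $(open_with server server 'session secret')"
open_with server fake 'session secret' >/dev/null || echo "impostor key cannot read it"
```

Run it with sh. The two checks worth keeping in a real procedure are csr_cn before a CSR leaves the server and key_matches_cert before a CA reply is imported: a reply whose public key does not match the server's private key cannot be used for SSL at all, and the mismatch is only visible once the instance is restarted with it. The impostor rows show the Trustworthy Certificates argument in practice: the store holds a CA with exactly the same name, but verification is done against the key, so the impostor's certificate is rejected and, conversely, the genuine certificate is rejected by anyone who only trusts the impostor.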

Exporting Keys and Certificates
If you need to retrieve a certificate or key that was previously created, these can be exported again from the system through the export actions available against each certificate. For example, if the certificate for an account has been lost, the certificate can be retrieved using these actions.

To export a certificate simply select the export certificate action associated with the certificate.

To export the associated private key, select the export private key action. An exported private key is as sensitive as the identity it belongs to: anyone holding it can impersonate that server or client, so keep the exported file access-restricted and delete it once it has been imported where it is needed.

Attributes
As with any large user management system, functionality that makes administration easier is always welcome, and user attributes are no exception to this rule. Their simplicity and global use make them a very powerful piece of functionality. This chapter details what user attributes are and how to make the best use of them. The sections covered in this chapter are as follows:

• What are Attributes?
• Attribute Interface
• Creating Attributes
• Editing an Attribute
• Deleting an Attribute
• How to use Attributes

By the end of this chapter the reader should have a sound understanding of user attributes and know how best to use them.

What are Attributes?
User attributes perform a similar function to 'environment variables': they can be created by a user and used throughout the system. SSL-Explorer comes with a set of default attributes that cannot be removed; these are used by the Personal Details authentication module.

Security Questions
One of the default user attributes is placeOfBirth; every user has this attribute stored under the Security Questions tab (User Console → My Account → Personal Details). Each user can populate the attribute with their own answer, and when the Personal Details authentication module is used at log-on and asks a user for their place of birth, the module simply compares the answer with the value stored under this attribute for the user logging in. If the keyed-in value matches the stored placeOfBirth value, authentication is successful.

Because the comparison is made against each user's own stored value, a single attribute serves all users.

Applications
Attributes can be used with application shortcuts. An attribute can be created as below which defines a hostname and a port number.

Here the attribute VNC Server is defined by each user, specifying which server they wish to connect to when using the VNC application shortcut.

The VNC application shortcut is configured to use this new attribute:

Whenever the application shortcut is executed, the system takes the current user's vncServer attribute and uses its value as the hostname to connect to.

Each user can set their own vncServer attribute to point at whichever server they wish to connect to. Thus the one application shortcut behaves differently for every user, connecting to a different server without any further modification.

Web Forwards
The flexibility of user attributes also means they can be used in web forwards. An example is a web site, such as a support site, that uses a form to authenticate users.

A standard username attribute cannot be used here because the FORM presents the user as a drop-down list rather than a text field.

So two new user attributes are defined, confidential to the user only, which hold the user's support ID and their password.

When the web forward is configured, the attributes are added to the authentication parameters.

When the web forward is finally executed, the supportId and supportPassword attribute values are submitted during authentication to the website. The FORM takes the supportId to identify the username and the supportPassword as the associated password.

Instantly any user is able to access the support website using their own credentials through this single web forward.

Types of Attributes
The examples above all show the use of the user attribute, which is referenced through the ${attr:attributeName} variable. There is also another attribute type, the policy attribute. Unlike the user attribute, which is assigned to each user, this is assigned to a policy and is referenced by the ${policyAttributes:vncHostname} variable.

Policy attributes, once set, apply to all users under the assigned policy. So a resource can be executed under different policies and take a different value under each policy.

Attribute Interface
The screenshot below shows the user attributes main page, accessible from Management Console → Configuration → User Attributes.

If you hover over an attribute (as with all resources) further information is shown in a pop-up:

• Name: Attribute name referenced wherever the attribute needs to be used
• Label: A more readable name so users know what the attribute is for
• Category: Type of attribute and the tab it is stored under in Personal Details
• Visibility: Whether the attribute can be managed by the user, the Super User or both

Actions Icons
The action icon performs a particular function on the associated attribute. Available actions for a user
defined attribute are:

Delete User Attribute

Edit User Attribute

Creating Attributes
Step 1 Select Create User Attribute from the action box at the top right of the page.

Step 2 The basic details of the attribute need to be completed first.

• Name: The name by which the system references the attribute.
• Description: Information about the attribute.
• Class: Whether the attribute will be a user or policy based attribute.
o User: User attributes are associated with users. Each user needs the value defined, either by themselves or by the Super User.
o Policy: The attribute is attributed to a policy instead. The value defined affects all users associated with the policy, so it only needs to be set once.

Step 3 The attribute must now be defined. The screenshot below shows that an attribute is made up of a number of components.

• Type: The type of attribute.
• Visibility: The visibility of a user attribute is divided into four scopes:
o User or admin, use, view, override: This is the most relaxed level of visibility. Both the Super User and the user can fully manage the attribute.
o User use and view, admin change: The user can see the attribute and use it where necessary but cannot change the value associated with it.
o User use, admin view or change: The user is restricted further, being able only to use the attribute, which is managed solely by the Super User.
o User Confidential: The responsibility is reversed; only the user has access to this attribute. The Super User can neither manage it nor see its value.
• Label: The name by which users can reference the attribute.
• Default Value: The default value; depending on the visibility this value can be altered by the user or the Super User.
• Category: The placement of the attribute. A new tab under Personal Details (User Console → My Account → Personal Details) is created with this value as its title.
• Weight: The position within the category when more than one attribute shares the same category. The higher the weight, the lower down the list the attribute is shown. Weight defaults to 0, placing an attribute at the top of the list.
• Validation: The validation class to use. SSL-Explorer comes with a set of default validators for each type of attribute. Some validators have parameters that can be altered:
o StringValidator: minimum and maximum length, trimming of blank spaces, and a regular expression or pattern the value must match
o IntegerValidator: minimum and maximum range values
o BooleanValidator: nothing to configure; the validator checks for true or false only

Note (Providing specific validators): You can use your own validation class here. Simply create the class, package it in a jar and add the jar file to [SSL-Explorer_HOME]/webapp/WEB-INF/lib. Anything placed in that directory runs inside the server process, so a custom validator jar should be reviewed and change-controlled like any other change to the server's code.

• Type Option: This parameter provides options specific to each type of attribute.
o Text: for text attributes this parameter defines the width of the field displayed.
o Checkbox: a replacement name for the default true and false values.
o Text area: the dimensions of the text area displayed; a value such as 30x4 sets the area to 30 columns wide by 4 rows high.

Step 4 Once complete, hitting the 'Save' button stores the attribute and it becomes accessible from the user attributes page.

If the attribute is a user attribute and set to be accessible by users, it will be available under User Console → My Account → Attributes, under the tab titled with the defined category parameter.

If the attribute is a policy attribute, it will be visible under each policy. When editing a policy there will be a tab titled as in the category field or, if this was left blank, the default Attribute tab.

Editing an Attribute
From the user attributes page select the Edit action against the required attribute; the 'Edit User Attribute Definition' page will be shown. From this page the current details stored can be modified.

As the screenshot above shows, the name cannot be changed.

Deleting an Attribute
The 'delete' action removes a user attribute permanently from the system. Selecting the Delete action against a user attribute will result in a warning message.

Selecting Yes will remove the attribute from the system.

Note (Fixed system attributes): User attributes created by the system, such as those categorized under Security Questions, are required by the system and so cannot be removed or edited; no actions are available against them.

How to use Attributes
Once a user attribute has been created it can be used throughout the system; wherever dynamic information can be loaded, user attributes can be used.

A user attribute is referenced via the attr variable, whilst a policy attribute is referenced by the policyAttr variable. The example below demonstrates how to set up a network place using user attributes.

Step 1 The user attribute 'myNetHome' is defined and stored under the 'Network Places' category.

Step 2 The network place is then defined.

As the highlight in the screenshot shows, the path uses the ${attr:myNetHome} variable. When the network place is executed, the system replaces ${attr:myNetHome} with the value of the 'myNetHome' user attribute.

Step 3 Each user defines their 'Network Home' under the user attribute available from the Personal Details page. As the highlight shows, the user attribute is available under the newly available Network Places tab, as defined in the attribute definition page earlier.

That's all there is to it. Every time the network place is launched, the system dynamically takes the value of 'My Network Home' from the logged-in user and substitutes it for the ${attr:myNetHome} parameter in the path. So for each user this loads their respective home share.

Session Variable
Another way to use dynamic parameters in the system is the session variable.

The session variable is used mainly when creating extensions, and it allows session information to be used instead of user attributes.

In the above example we could also have used session instead of the attr variable, like below.

The session variable refers to the values available during the course of the session. So in the example above the system would replace it with the username being used in the current session. This means that if each user's home share on the network has the same name as the username used to log into SSL-Explorer (as might be the case in an Active Directory environment) then this Network Place will work, and the home share of RobertsP would still be loaded.

The session variable can also be used to reference the user's password; so for an application shortcut which requires both username and password we could use session:username and session:password.

More information on this variable and the parameters accessible through it will be available in later releases of the documentation.
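
The substitution described under How to use Attributes and Session Variable, reproduced as an added example that is not part of this guide and not SSL-Explorer's code: a POSIX shell re-implementation of the ${attr:name}, ${policyAttr:name} and ${session:name} placeholders over a constructed attribute table, so the per-user and per-policy resolution of one resource definition can be watched directly. The users (alice, bob, carol), policies (Sales, Engineering), servers and share paths are invented for the example; since the page spells the policy scope both policyAttributes and policyAttr, both are accepted.

```shell
#!/bin/sh
# Added example: a small resolver for the ${attr:name}, ${policyAttr:name} and
# ${session:name} placeholders described in the guide. SSL-Explorer's own resolver is
# not on the page; this re-implements the documented behaviour on sample data.
# All users, policies and values below are constructed for the example.

# One record per line: "<scope> <principal> <name> <value>" (values carry no spaces here).
ATTR_DB='attr alice myNetHome \\fs01\home\alice
attr alice vncServer desk-alice.corp.example:5900
attr bob myNetHome \\fs01\home\bob
attr bob vncServer desk-bob.corp.example:5900
policyAttr Sales vncHostname vnc-sales.corp.example
policyAttr Engineering vncHostname vnc-eng.corp.example
session alice username alice
session bob username bob'

OPEN='${'   # placeholder delimiters, kept in variables so the patterns stay literal
CLOSE='}'

# lookup <scope> <principal> <name>: print the stored value, or nothing if undefined.
lookup() {
    printf '%s\n' "$ATTR_DB" | while read -r scope principal name value; do
        if [ "$scope" = "$1" ] && [ "$principal" = "$2" ] && [ "$name" = "$3" ]; then
            printf '%s\n' "$value"
            break
        fi
    done
}

# expand <user> <policy> <template>: replace every placeholder in the template with the
# value for that user (attr, session) or that policy (policyAttr). An undefined
# attribute is an error rather than an empty string, so a resource never silently
# opens the wrong path for a user who has not filled the attribute in.
expand() {
    user=$1; policy=$2; out=$3
    while :; do
        case $out in
            *"$OPEN"*:*"$CLOSE"*) ;;
            *) break ;;
        esac
        rest=${out#*"$OPEN"}          # text after the first "${"
        ph=${rest%%"$CLOSE"*}         # scope:name
        scope=${ph%%:*}; name=${ph#*:}
        case $scope in
            attr)                        val=$(lookup attr "$user" "$name") ;;
            policyAttr|policyAttributes) val=$(lookup policyAttr "$policy" "$name") ;;
            session)                     val=$(lookup session "$user" "$name") ;;
            *)                           val= ;;
        esac
        if [ -z "$val" ]; then
            printf 'cannot launch: %s%s%s is not defined for user %s / policy %s\n' \
                "$OPEN" "$ph" "$CLOSE" "$user" "$policy" >&2
            return 1
        fi
        out=${out%%"$OPEN$ph$CLOSE"*}$val${out#*"$OPEN$ph$CLOSE"}
    done
    printf '%s\n' "$out"
}

# The Network Place from the guide, launched by two users: one definition, two shares.
for who in alice bob; do
    echo "$who -> $(expand "$who" Sales '${attr:myNetHome}')"
done
# The same resource under two policies: the policy, not the user, decides the value.
expand alice Sales       'vnc://${policyAttr:vncHostname}/'
expand alice Engineering 'vnc://${policyAttr:vncHostname}/'
# Session variable in place of a user attribute (the Active Directory home-share case).
expand bob Sales '\\fs01\home\${session:username}'
# A user who never filled the attribute in: the launch is refused, not misdirected.
expand carol Sales '${attr:myNetHome}' || echo "carol: refused"
```

The refusal path is deliberate. Substituting an empty string for a missing attribute would turn a path such as \\fs01\home\${attr:myNetHome} into the parent directory of every user's home share, so a resource that depends on a user attribute should fail closed until the user (or the Super User, depending on the attribute's visibility) has supplied a value.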

License Manager
With SSL-Explorer being an evolving product, each new release brings with it further modules of functionality. In order to use some of these features a valid license must be uploaded into the system. This chapter details the License Manager, which manages licenses in the system, and covers the following sections:

• License Manager
• License Manager Interface
• Uploading a License
• Deleting a License

By the end of this chapter the reader should have an understanding of the License Manager and, when required, be able to use the manager to upload licenses.

License Manager
The only licenses currently required for SSL-Explorer are for the Enterprise Edition of the product. In this scenario a license is automatically retrieved and uploaded into the License Manager. This license will either be a full license or a temporary one for evaluation. In both cases the license and its purpose are visible from the License Manager.

Other than as a visible reminder of loaded licenses, the License Manager only really comes into play on the rare occasions when a license has failed to upload automatically. In this situation a warning is shown stating that the user should contact 3SP Ltd. A new license will be sent, which can then be uploaded manually through the License Manager.

License Manager Interface

The License Manager is accessible from Management Console → Configuration → License
Manager.

Action Icons
The action icon performs a particular function on the associated license. The only action available
for an installed license is:

Delete License

Uploading a License
Step 1 Select the ‘Upload License’ action available from the Actions frame on the right of the page.

Step 2 Choose the license file that needs to be uploaded.

Once selected pressing the ‘Upload’ button will load the license into the system. The new license will
be activated and will be visible from the main License Manager page.

Deleting a License
The ‘Delete’ action removes a license permanently from the system. Selecting the ‘Delete’ action
against a license will remove it from the system, and any functionality associated with the license
will no longer be accessible.

Secure Node
The standard communication model for outgoing calls is for SSL-Explorer simply to make a direct
connection to the destination host. This model does not suit every network. Secure node provides an
alternative routing framework: external clients register with SSL-Explorer and can then carry the
traffic for particular hosts on its behalf.

This chapter describes the framework and how a super user can administer and manage it.

The sections covered are:

• What is a secure node?
• What are Routes
• Installing Secure Node Client
• Secure Node Interface
• Create New Route
• Editing a Secure Node
• Editing a Route
• Deleting a Secure Node
• Deleting a Route

What is a secure node?

A secure node is a small Java client that is installed on a machine. Once installed, the secure node
registers itself with the SSL-Explorer instance and then sits idle; it only wakes and begins
performing its tasks when SSL-Explorer requires its assistance.

What is its function?

A secure node’s purpose is simply to redirect traffic securely to a target host. As the diagram below
shows, the secure node acts as a proxy, directing traffic from SSL-Explorer to the remote system.

The administrator is thus able to configure an environment in which there is no direct connection to
the end host. For example, a secure node can be installed on a remote network and connect back to
SSL-Explorer using the standard HTTPS port. By configuring routes, an SSL-Explorer super user can
then set up resources that access services on the remote network without opening a single inbound
port on the firewall protecting that network.

The same approach can be used to reach resources inside the LAN from an SSL-Explorer server
residing in a DMZ.

In the diagram below SSL-Explorer sits in the DMZ with the other Internet-facing servers. The DMZ is
separated from the Internet by a firewall that only has port 443 open, so that SSL-Explorer is
reachable. The link from the LAN to the DMZ is also protected by a firewall. The administrator creates
a resource, e.g. a web forward to a CRM system, which requires a connection to the CRM service on
the LAN. Instead of opening another inbound port on the firewall between the DMZ and the LAN, the
administrator places a secure node on the LAN side. The secure node ‘dials’ out to SSL-Explorer over
SSL and tunnels the requests back to the CRM system, so the LAN firewall only has to permit that
single connection rather than inbound access from the DMZ.

[Diagram: Internet → firewall (port 443) → SSL-Explorer in the DMZ; the secure node on the LAN
dials into SSL-Explorer over SSL to tunnel requests to the CRM system.]

What are Routes?

A route defines an endpoint host and associates it with a single secure node. A secure node can be
associated with any number of routes, which together define the endpoints that the node may
connect to. When a connection is made the system determines which secure node is associated with
the route matching the client’s destination and hands all of the traffic to that node.

Visibility
Secure node is not something a user will see or choose to use; it is a background mechanism that
takes over whenever a connection needs to leave SSL-Explorer for a remote system.

If the administrator has routes configured and a secure node installed, the system will proxy matching
traffic through the secure node. Users are unaware that a secure node is proxying their traffic. When
no secure node is installed, SSL-Explorer continues to make direct connections to the target host.

Secure node is strictly an administrator feature intended to strengthen the security of the
deployment; once activated it affects all resources.

Compatible Resources
Currently not all resources work with secure node; Active Directory, LDAP and nEXT are
inappropriate and Network Places is currently incompatible. Those that are currently compatible are as
follows:
• Web Forwards
• Applications
• Tunnels

Installing Secure Node Client

Before any routing can begin the secure node client needs to be installed on a machine. This machine
should be positioned so that the destinations of its routes can be reached. In the diagram above the
client is on a machine inside the secured LAN, which allows the secure node to reach any resource
inside the company network.

Step 1 Select the appropriate Download Client action from the secure node page (Management Console →
Configuration → Secure Nodes). This example uses the Windows client.

Step 2 Save the client file to an appropriate place, then extract and run it.

Step 3 Once the wizard has started and the license agreement has been accepted, specify a destination
folder for the secure node client.

Step 4 The next step is defining the secure node properties:

• Host: The host name of the SSL-Explorer server the node will maintain communication with
• Port: The listening port of the SSL-Explorer server
• Authentication Method: Certificate or Password.

Certificates Supported
Note For tighter security a certificate can be used instead of a simple password.

• Username: Username of a user that is permitted to access secure node
• Certificate: Available if Certificate has been chosen as the authentication method. Browse to
the appropriate certificate.
• Password: Available if Password has been chosen as the authentication method. Key in the
password associated with the user.
• Confirm Password: Confirmation of the above password

Step 5 Once installed the client needs to be started. It runs as a service, so on Windows start the
SSL-Explorer Secure Node service (Control Panel → Administrative Tools → Services).

The secure node service will now be running. If it has been configured correctly the client will
register with the SSL-Explorer server and appear on the main secure node page.

Authorize Secure Node
Once a secure node has been installed and has registered successfully with the SSL-Explorer
instance, it must be authorized before it can be used or have routes assigned to it.

Against the appropriate secure node select More… followed by the Authorize action.

Secure Node Interface

The main secure node page (Management Console → Configuration → Secure Nodes) provides
information on all successfully registered clients.

As shown above, SSL-Explorer always has a default secure node, which is the standard node that all
traffic goes through. This node is located on the SSL-Explorer instance itself.

Below it are listed all other newly registered secure nodes.

Action Icons
The action icons against each secure node perform functions on the associated secure node; their
respective purposes are detailed below:

Delete secure node

Edit secure node details

Authorize secure node (More…)

Disable secure node (More…)

Create New Route
Step 1 For a secure node to carry any traffic a route needs to be created. Select the ‘Create Route’
action as displayed below:

Step 2 The route creation wizard will start. The first step in the wizard requires basic information
for the route.

• Name: The name of the route
• Description: Details of the route

Step 3 The route itself needs to be defined.

• Host Pattern: The destination host of the route. Any traffic destined for this host will be
proxied through the selected secure node. A route does not have to name a single address; a
wildcard pattern can be used, for example *.domain.co.uk to apply the route to all requests for
hosts in a given domain.
• Port Pattern: The destination port, or pattern of ports, that the route applies to.
• Use Regex Pattern Match: When checked, the host pattern is interpreted as a regular
expression rather than a simple wildcard. Anchor such expressions so that they match the
whole host name and escape literal dots; depending on how the expression is matched, an
unanchored pattern such as crm.internal may also match hosts like crm-internal.example.com.
• Continue if Secure Node is Offline: Selecting this allows another secure node that has an
equivalent route to serve a request destined for this route. If several routes match and all have
this flag set, the system works through the list for a route whose node is online and, if every
one of them is offline, falls back to the default secure node.
• Type: There are two types of route, Local and Remote

• Local: Connections are established from SSL-Explorer out to the secure node
• Remote: Connections are established from the secure node back to SSL-Explorer

• Secure Node: The secure node that will service this route. The list contains the active secure
nodes.

Step 4 Once all the necessary parameters are defined the wizard displays a summary. Selecting Next
finishes the creation of the route.

The newly created route will be visible from the main page under the appropriate tab, Local Routes
or Remote Routes.

Enabling Routes
Even when a route has been assigned to a secure node and the secure node has been authorized, the
route must also be enabled before the secure node will use it.

To enable a route, go to the appropriate route and choose Enable from the More… button.
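The route selection described in this chapter, as an added worked example in Python (not code from this manual or from SSL-Explorer). It models routes, secure nodes, the enabled and authorized states, wildcard and regular-expression host patterns, and the fail-over behaviour of the ‘Continue if Secure Node is Offline’ flag. The node names, host names and the behaviour for an offline node whose route forbids fail-over are assumptions; the manual does not state what happens in that last case.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SecureNode:
    name: str
    authorized: bool = False  # a registered node carries nothing until authorized
    online: bool = False      # registered and currently connected


@dataclass
class Route:
    name: str
    host_pattern: str         # wildcard such as *.branch.example, or a regex
    node: SecureNode
    port_pattern: str = "*"   # assumption: "*" means any port
    use_regex: bool = False
    continue_if_offline: bool = False
    enabled: bool = False     # a new route must be enabled from More... before use


# The built-in default secure node on the SSL-Explorer host itself.
DEFAULT_NODE = SecureNode("default", authorized=True, online=True)


def route_matches(route: Route, host: str, port: int) -> bool:
    """Does the route's host and port pattern cover this destination?"""
    if route.use_regex:
        # fullmatch, not search: an unanchored expression would also match
        # 'files.branch.example.evil.test' and send that traffic to the LAN node.
        host_ok = re.fullmatch(route.host_pattern, host, re.IGNORECASE) is not None
    else:
        host_ok = fnmatch.fnmatchcase(host.lower(), route.host_pattern.lower())
    return host_ok and fnmatch.fnmatchcase(str(port), route.port_pattern)


def select_node(routes: List[Route], host: str, port: int
                ) -> Tuple[Optional[SecureNode], Optional[str]]:
    """Return (node that will proxy host:port, name of the route that chose it).

    Only enabled routes bound to authorized nodes count. If a matching route's
    node is offline and the route allows it, the next matching route is tried;
    when every matching route is offline the default node is used, and with no
    matching route at all the default node makes the direct connection. A
    (None, route) result means the request cannot be served: that is this
    example's assumption for an offline node whose route forbids fail-over.
    """
    matching = [r for r in routes
                if r.enabled and r.node.authorized and route_matches(r, host, port)]
    for route in matching:
        if route.node.online:
            return route.node, route.name
        if not route.continue_if_offline:
            return None, route.name
    return DEFAULT_NODE, None


# Constructed sample topology (names and addresses are invented for the example).
LAN = SecureNode("lan-node", authorized=True, online=True)
BRANCH = SecureNode("branch-node", authorized=True, online=False)
BRANCH_BACKUP = SecureNode("branch-node-2", authorized=True, online=True)
HR = SecureNode("hr-node", authorized=True, online=False)
ROGUE = SecureNode("unauthorized-node", authorized=False, online=True)

ROUTES = [
    Route("crm", "crm.corp.example", LAN, port_pattern="8080", enabled=True),
    Route("hr", "hr.corp.example", HR, enabled=True),
    Route("branch", "*.branch.example", BRANCH, continue_if_offline=True, enabled=True),
    Route("branch-backup", r"[a-z0-9-]+\.branch\.example", BRANCH_BACKUP,
          use_regex=True, enabled=True),
    Route("corp-all", "*.corp.example", LAN),              # created but never enabled
    Route("pending", "*.example", ROGUE, enabled=True),    # node not yet authorized
]

if __name__ == "__main__":
    for dest in [("crm.corp.example", 8080), ("crm.corp.example", 443),
                 ("files.branch.example", 445), ("files.branch.example.evil.test", 445),
                 ("hr.corp.example", 80)]:
        node, via = select_node(ROUTES, *dest)
        print(f"{dest[0]}:{dest[1]} -> {node.name if node else 'unserved'} (route: {via})")
```

Two details are worth checking in a real deployment against this model: a route whose node has registered but has not yet been authorized, or a route that has been created but not enabled, contributes nothing, so traffic for its hosts silently takes the default path; and a regular-expression host pattern should be anchored to the whole host name, otherwise a wider set of destinations than intended is proxied into the protected network.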

Editing a Secure Node
From the secure node page select the ‘Edit’ action against the required secure node and the ‘Edit
Secure Node’ page will be shown. From this page the current description and assigned routes can be
amended.

Editing a Route
From the appropriate route (Local or Remote) page select the ‘Edit’ action against the required route
and the ‘Edit Route’ page will be shown. From this page the current details can be amended.

Deleting a Secure Node
The ‘Delete’ action removes a secure node from the system. Selecting the ‘Delete’ action against a
secure node (from the secure node page) will result in a warning message.

Selecting ‘Yes’ will result in the removal of the secure node. Its association with any routes will be
removed.

Deleting a Route
The ‘Delete’ action removes a route permanently from the system. Selecting the ‘Delete’ action
against a route (from the routes page) will result in a warning message.

Selecting ‘Yes’ will result in the removal of the route.

Secure Node Configuration

The configuration menu contains a few options that allow minor refinements to how secure node
works.

• Connection Timeout: The maximum time to wait before a connection is considered to have timed
out
• Require Authorization on Host Change: When set, a secure node that reconnects with a changed
host name must be authorized again before it is used, so a node that reappears from a different
host does not silently resume its routes.

Public Key Infrastructure
Public Key Infrastructure (PKI) is a security architecture introduced to provide an increased level
of confidence when exchanging information over an increasingly insecure Internet.

Public-key cryptography uses a pair of mathematically related keys, where what one key encrypts
only the other, related key can decrypt:

• A public key: Made public and freely distributed.
• A private key: The corresponding (and unique) private key, which is kept guarded.

Public key cryptography is used for the encryption/decryption and signing/verification of information.
Encrypting information ensures privacy by preventing unintended disclosure; signing a message
authenticates the sender and ensures that the message has not been modified since it was signed.

Encryption
In most scenarios the public key infrastructure comprises two key pairs: one pair to encrypt and
decrypt messages between two parties and another pair used to authenticate the sender of the message.

We first briefly describe how the keys are used to encrypt and decrypt messages.

Public Key
A sender wishing to send you secure information uses your public key to encrypt it. Since the public
key can be made public, it can be distributed to every contact who needs it.

In normal practice the information being sent is not itself encrypted with the public/private key
algorithm (asymmetric cryptography); instead it is encrypted using a secret key algorithm (symmetric
cryptography), because symmetric algorithms are much faster than public/private key algorithms. A
random session key is generated and used with the symmetric algorithm to encrypt the information.
The public key is then used to encrypt only the session key, and both are sent to the recipient.

Private Key
The recipient takes the public-key-encrypted information and uses the corresponding private key to
decrypt it. Successful decryption tells the recipient that the data was encrypted to them, but on its
own it says nothing about who sent it, since anyone can obtain the public key.

As above, in the normal case the private key is used to decrypt only the session key, and that session
key is then used to decrypt the actual information rather than the private key decrypting all of it.

Authentication
PKI provides not only data privacy but also assurance that the data was sent by the party it claims to
come from and has not been altered in transit by an intermediary.

The second key pair provides this authentication of the data.

Private Key
To prove to the recipient that the sender is the genuine source of the information, a second private
key is used to digitally sign the message (a digital signature). Unlike a handwritten signature, a digital
signature is different for every message. A unique mathematical value determined by the content of
the message is calculated using a ‘hashing’ or ‘message authentication’ algorithm; this value is then
encrypted with the private key, producing the digital signature for that specific message.

This encrypted hash value is sent with the message, and the public key can also be sent, either as part
of the message or in a certificate.

Public Key
The receiver of a digitally signed message uses the correct public key to verify the signature by
performing the following steps.

1. The associated public key is used to decrypt the hash value that was calculated for the
information.
2. The hash of the received information is calculated using the correct hashing algorithm; if
certificates have been used the appropriate algorithm will be specified there.
3. The two hash values are compared. If they match, the receiver knows that the holder of the
private key corresponding to the public key sent the information and that the information has
not been altered since it was signed.
4. If the public key was sent with a certificate, the certificate is validated against the CA that
issued it to ensure that the certificate has not been falsified and that the identity of the holder
of the private key is genuine.
5. Finally, if one is available, the revocation list for the CA is checked to ensure that the
certificate has not been revoked, or, if it has, to establish the date and time of revocation.

Public keys are stored within digital certificates along with other relevant information (user
information, expiry date, usage, who issued the certificate and so on). The CA enters the information
contained in the certificate when it is issued, and it cannot subsequently be changed without
invalidating the CA’s signature. Since the certificate is digitally signed and all of the information in it
is intended to be public there is no need to prevent it from being read, although you should prevent
other users from corrupting, deleting or replacing it.
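The two-key-pair exchange described in this chapter, as an added example in Python: a random session key encrypts the data, the recipient's public key wraps only that session key, the sender's second (signing) private key signs a digest of the message, and the receiver verifies it following steps 1 to 3 above. This is not code from the manual or from SSL-Explorer, and it uses the standard library only: textbook RSA over freshly generated probable primes with no padding, and a SHA-256 keystream standing in for a real symmetric cipher. It is illustrative only and must not be used to protect real data; certificate validation and revocation checking (steps 4 and 5) are not modelled, and the key sizes and sample message are constructed for the example.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent: the part that must be kept guarded


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512) -> KeyPair:
    """Textbook RSA pair (unpadded, toy-sized). 512 bits is far too small for real
    use but large enough for n to exceed any SHA-256 digest or 256-bit session key."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return KeyPair(n=p * q, e=e, d=pow(e, -1, phi))


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stage: XOR data with SHA-256(key || counter) blocks (stand-in for AES)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def sign(message: bytes, signer: KeyPair) -> int:
    """Hash the message, then 'encrypt' the digest with the signer's private key."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, signer.d, signer.n)


def verify(message: bytes, signature: int, signer_public: KeyPair) -> bool:
    """Steps 1-3: recover the digest with the public key (only e and n are used),
    rehash the received message, compare."""
    recovered = pow(signature, signer_public.e, signer_public.n)
    return recovered == int.from_bytes(hashlib.sha256(message).digest(), "big")


def encrypt_for(recipient_public: KeyPair, sender: KeyPair, plaintext: bytes) -> dict:
    """Hybrid encryption: the session key protects the data, the recipient's public
    key protects only the session key, the sender's signing pair authenticates the data."""
    session_key = secrets.token_bytes(32)
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_public.e, recipient_public.n)
    return {"wrapped_key": wrapped, "ciphertext": _keystream_xor(session_key, plaintext),
            "signature": sign(plaintext, sender)}


def decrypt_from(envelope: dict, recipient: KeyPair, sender_public: KeyPair) -> bytes:
    """Unwrap the session key with the private key, decrypt, then verify the signature.
    Raises ValueError if the message was altered or was not signed by the claimed
    sender: decryption alone proves nothing about the origin."""
    key_int = pow(envelope["wrapped_key"], recipient.d, recipient.n)
    if key_int.bit_length() > 256:
        raise ValueError("session key does not unwrap with this private key")
    plaintext = _keystream_xor(key_int.to_bytes(32, "big"), envelope["ciphertext"])
    if not verify(plaintext, envelope["signature"], sender_public):
        raise ValueError("signature check failed: message altered or sender not genuine")
    return plaintext


def demo() -> bool:
    """Round trip, then show that a single flipped ciphertext byte is detected."""
    recipient = generate_keypair()  # the recipient's encryption pair
    sender = generate_keypair()     # the sender's signing pair (the chapter's second pair)
    message = b"Quarterly figures attached."  # constructed sample message
    envelope = encrypt_for(recipient, sender, message)
    round_trip_ok = decrypt_from(envelope, recipient, sender) == message
    tampered = dict(envelope)
    tampered["ciphertext"] = bytes([envelope["ciphertext"][0] ^ 1]) + envelope["ciphertext"][1:]
    try:
        decrypt_from(tampered, recipient, sender)
        return False
    except ValueError:
        return round_trip_ok
```

The tamper test in demo() is the point of the second key pair: the altered envelope still decrypts (the symmetric stage has no integrity of its own), and it is only the signature comparison in step 3 that rejects it. A real implementation would use RSA-OAEP for the key wrap, RSA-PSS or an EC signature, an authenticated cipher such as AES-GCM for the data, and would bind the public keys to identities through certificates as described above.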

Access Control Administration
This section details how the system can be accessed, from creating user accounts to giving users
access rights to the system. Depending on the type of user database configured, some functions are
not accessible.

By the end of this chapter the reader should have a strong understanding of how the access control
infrastructure of SSL-Explorer is built up and how it achieves such a high degree of flexibility.

Introduction
This chapter covers a little access control theory as well as how SSL-Explorer deals with common
challenges. It includes the following sections:

• Overview
• Access Control Architecture
• Flexibility

Overview
SSL-Explorer is a complete SSL VPN solution that provides secure, authenticated and controlled
access to enterprise intranets, business applications and internal resources from virtually any modern
desktop or notebook device.

At the heart of SSL-Explorer lies its access control engine. This is responsible for the complete
management of all users from their initial log-on, right through to their exit from the system. More
importantly it secures control of user access to different areas of the internal network.

The engine is the key component in verifying a user accessing the system and determining the actions
that they may perform. Every action performed within SSL-Explorer is monitored by the access
control engine in real-time and, as the diagram depicts, it acts as the ‘guardian’ of the system.

System of Trust
By considering an SSL VPN solution, you are obviously intent upon allowing remote access to your
computer based assets or resources by other individuals or organizations. Some of these individuals
you will trust more than others. The concept of trust is a fundamental part of any secure system. As
such it is crucial for the security policy to cater for and control how that trust is granted, used and
revoked.

With trust playing such a significant part of remote access, SSL-Explorer has been designed to allow
for either ‘coarsely grained’ or ‘finely grained’ access control. This approach allows SSL-Explorer to
mirror more closely the actual trust relationships present in the real world. In conjunction with multi-
tiered authentication schemes, SSL-Explorer’s security model is much more advanced than those
offered by conventional VPN solutions.

Both the Community and Enterprise editions of SSL-Explorer are conceptually identical in their
approach although there is a significant difference in the number of authentication modules available
between the two editions.

Levels of Trust
Trust is administered in measures - the more trust a user has the more privileges they are granted.
Again the opposite is said for someone who has a lesser degree of trust and consequently is given a
lesser level of ownership and access.

SSL-Explorer follows this tried and tested pattern. With the access control framework, ‘super users’
are seen as the most trusted users, seeing as they control the SSL-Explorer instance. ‘Power users’ are
given a lesser measure of control. Finally the standard user has a lesser degree of trust and therefore
potentially the least level of access and responsibility.

Access Control Architecture

The SSL-Explorer access control framework has been designed to tackle the following main issues.

• Users and Groups: Each organization’s view of users and groups is almost always different.
They do though share common behaviour, e.g. ‘Add User/Group’ or ‘Delete User/Group’. It is
also likely that the organization’s user/group directory already existed prior to the
introduction of SSL-Explorer, for example an Active Directory domain or LDAP directory.
The variety offered by such choice invariably gives rise to a number of different approaches
and implementations.

• Resource Access: The intended outcome when implementing an SSL VPN solution is to
allow remote access to network-based resources. The types of network resource are relatively
varied and new ones are likely to appear. Each resource deployed can have very different
access requirements, such as read or write permissions. Any resource within the system must
be accessible by more than one user if so desired; the system should allow for the sharing of
resources.
• Resource Distribution: A resource created within the system must be easily made accessible
to those users that require it. Assigning resources on a per-user basis should be avoided
wherever possible.
• Resource Permissions: Resources can carry a range of permissions that limit how they may
be used once assigned. When a resource is assigned to a user, the user must be restricted to the
permissions set on it. For example, a super user may create a resource that permits only the
creation and assignment of application shortcuts. If the user this is assigned to then attempts
to delete an existing application shortcut, the operation will be declined.

In order to resolve the aforementioned issues the access control architecture relies on three key
entities:

• Principal: The intended ‘consumer’ of the resources, i.e. a user or a group.
• Resource: The networked resource, internal function or property item that the principal
wishes to utilize, e.g. a web forward or the right to manage accounts.
• Policy: The relationship defined between the principal and the resource. It is the
component that ensures that only the right people can perform the right actions.

Using this model, SSL-Explorer is able to maintain a robust, secure and flexible access control
architecture.

What is a Resource?
Within SSL-Explorer a ‘resource’ is defined as an application, utility, data source, or any other
privileged ability that when assigned will allow the user to conduct certain tasks. Think of it as the
endpoint, or objective that a user wishes to achieve. This could be something as simple as a user
accessing their email client to read their mail. In this case, the resource would be the email. Similarly,
an intranet website would also be classed as a resource – just as a network share would be. All
accessible stores of ‘informational value’ are deemed to be resources under this concept.

What is a Principal?
As already mentioned, the ‘principal’ simply refers to a user or group of users. The principal entity sits
at the other end of the access control chain. The process flow begins with this entity and ends with the
resource entity. In SSL-Explorer, these principals are only differentiated by the access rights they are
assigned.

What is a Policy?
A ‘policy’ is the glue by which all principals and resources within SSL-Explorer can cohesively work
together. As the diagram below shows, the means by which a principal entity has access to a resource
entity is through the policy and the means by which a resource entity becomes accessible is again
through the policy.

Policies represent SSL-Explorer’s form of trust. A high level of trust equates to a policy of greater
flexibility and responsibility; whereas a user with minimal trust may be assigned policies that grant
them fewer privileges.

A ‘power user’ of the system manages the SSL-Explorer server and thus must have a higher degree of
trust and consequently is granted a policy that covers a much greater scope of responsibility. The
opposite can be said for a standard user whose policy may only grant the bare essentials required to
allow them to perform their duties.

What is Permission?
A ‘permission’ is a special part of a policy. It adds the final level of control to the access control
framework. As we have seen, not only can we control what resources a principal can access, but with
this sub-element we can add a lower-level layer to control exactly the functionality a user can perform
on any given resource.

For example, as the diagram below shows, the policy is associated with a resource, but the
permissions on the resource only permit the associated principal to use the resource, even though
the resource itself supports further actions such as editing and assigning.

With permissions we are able to lock-down control to the actions of the resource itself.
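The principal, resource, policy and permission model of this chapter, as an added example in Python (not code from the manual or from SSL-Explorer). It evaluates whether a principal may perform an action on a resource, with group membership expanding the principals a policy names, deny-by-default when no policy grants the action, and the chapter's own example of a user who may create and assign application shortcuts but not delete them. The resource, policy and user names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Principal:
    """A user; the groups it belongs to are principals too, so a policy can name either."""
    name: str
    groups: FrozenSet[str] = frozenset()

    def identities(self) -> Set[str]:
        return {self.name} | {f"group:{g}" for g in self.groups}


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str  # e.g. "web_forward", "tunnel", "access_right"


@dataclass
class Policy:
    """Binds principals to resources; the per-resource permission set is the
    sub-element that limits what may be done with each resource."""
    name: str
    principals: Set[str]              # user names or "group:<name>"
    permissions: Dict[str, Set[str]]  # resource name -> permitted actions


def authorize(policies: Iterable[Policy], principal: Principal,
              resource: Resource, action: str) -> bool:
    """Deny by default: allowed only if some policy names the principal (directly
    or through one of its groups) and grants that action on that resource."""
    idents = principal.identities()
    return any(not idents.isdisjoint(p.principals)
               and action in p.permissions.get(resource.name, set())
               for p in policies)


def accessible_resources(policies: Iterable[Policy], principal: Principal,
                         resources: Iterable[Resource]) -> List[str]:
    """What the principal sees after logging in: every resource that at least one
    of its policies grants 'use' on."""
    return sorted(r.name for r in resources if authorize(policies, principal, r, "use"))


def remove_principal(policies: Iterable[Policy], name: str) -> int:
    """Deleting an account also removes its direct links from every policy that
    names it, as the Accounts chapter describes. Returns the number of policies changed."""
    changed = 0
    for p in policies:
        if name in p.principals:
            p.principals.discard(name)
            changed += 1
    return changed


# Constructed sample: two network resources, one access right, three policies.
APP_SHORTCUTS = Resource("application-shortcuts", "access_right")
CRM_FORWARD = Resource("crm-web-forward", "web_forward")
SALES_TUNNEL = Resource("sales-db-tunnel", "tunnel")
RESOURCES = [APP_SHORTCUTS, CRM_FORWARD, SALES_TUNNEL]


def sample_policies() -> List[Policy]:
    return [
        Policy("Sales", {"group:sales"},
               {"crm-web-forward": {"use"}, "sales-db-tunnel": {"use"}}),
        # The chapter's example: create and assign shortcuts only, never delete.
        Policy("Shortcut admins", {"RobertsP"},
               {"application-shortcuts": {"create", "assign"}}),
        Policy("Super users", {"group:super-users"},
               {"application-shortcuts": {"create", "assign", "edit", "delete"},
                "crm-web-forward": {"use", "edit", "assign", "delete"},
                "sales-db-tunnel": {"use", "edit", "assign", "delete"}}),
    ]


ROBERTSP = Principal("RobertsP", frozenset({"sales"}))
ADMIN = Principal("admin", frozenset({"super-users"}))
GUEST = Principal("guest")

if __name__ == "__main__":
    policies = sample_policies()
    print("RobertsP sees:", accessible_resources(policies, ROBERTSP, RESOURCES))
    print("RobertsP may create shortcuts:", authorize(policies, ROBERTSP, APP_SHORTCUTS, "create"))
    print("RobertsP may delete shortcuts:", authorize(policies, ROBERTSP, APP_SHORTCUTS, "delete"))
```

Two properties of this evaluator are the ones to preserve in any real policy engine: the absence of a matching policy is a denial rather than an error, and a policy can only ever grant actions that are listed in the resource's permission set, so no combination of policies widens what the resource itself allows.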

Flexibility
As we have seen, SSL-Explorer offers a great deal of flexibility with its design. This allows it to
evolve as its environment changes. Should an organization decide to restructure, SSL-Explorer can
easily be altered to reflect those changes. As the user base begins to evolve and expand, the internal
representation of the user base can be visualized as a web of policies, interrelated and bound in all
directions as depicted in the diagram below.

Creating Accounts
Principals in their basic form refer to the users of the system upon which the services of SSL-Explorer
are delivered. Accounts are the means by which a principal is created within the system. An essential
process in building a robust and flexible system is defining what your principal base is.

This chapter details further what principals are and how SSL-Explorer manages these entities. This
chapter includes the following sections:

• Principal Types
• Super User Account
• Account Interface
• Create New Account
• Editing an Account
• Deleting an Account

By the end of this chapter the reader should have a sound understanding of principals and how to
model their required principal architecture successfully.

Principal Types
Principals at their lowest level represent a user, a consumer of the system. This is simply a user that
will access the system. This can be in the form of a standard remote user accessing the system to carry
out their work, to a ‘power user’ that maintains the system and creates users and organizes access
control etc.

Principals however go one step further than this definition by incorporating the concept of ‘groups’– a
collection of users gathered into a single entity due to some similarities.

More details on groups can be found in the chapter titled, ‘Creating Groups’.

Super User Account

The only default user embedded within SSL-Explorer is the super user, and it is the only user created
automatically by SSL-Explorer. If the user database has been defined as built-in, the installer is asked
to provide the authentication details for this user. If the selection is anything other than the built-in
database, SSL-Explorer loads the user list from that database and the administrator is expected to
choose the super user from that list.

All other accounts created throughout the system’s lifetime are created by this super user, and their
purpose is defined by the policies attached to them.

Structured Account Network

A policy structure should be considered before creating any accounts. Categorizing accounts into
policies such as ‘Administrators’ or ‘Guest’ encourages a more structured and organized system. This
becomes imperative as the user base grows.

The super user is not categorized as a standard user; it is classified as the administrator of the
system only and not as a typical user. The super user exists to install the instance and perform its
configuration. From then on the super user should delegate its responsibilities to other users of the
system through access rights (Management Console → Access Control → Access Rights).

Account Interface
The main accounts page provides information on all accounts present within the system.

Action Icons
The action icons against each account perform functions on the associated account; their respective
purposes are detailed below:

Delete account

Edit account details

Enable account – only visible if account is disabled (More…)

Disable account – only visible if account is enabled (More…)

Unlock account after authentication failure (More…)

Further account related actions are added to the More... menu as and when new authentication
related extensions are added:

Unsupported Database
Note Actions such as ‘Create’, ‘Edit’ and ‘Delete’ will not be accessible if the chosen user database
does not support external modification by SSL-Explorer. To make such amendments the super
user/administrator must access the user database directly.

Create New Account

Step 1 If a new account can be created the action pane will display the ‘Create New Account’ action as
displayed below:

Step 2 The ‘Create User Account’ screen will be shown as below:

The page requires certain information to create the user, detailed below:

• Username: The name that will be used to log into the system
• Fullname: The name of the actual user responsible for this account. This name will be visible
in the account summary page.
• Email: A contactable email address.
• Enabled: If checked, the account will become active automatically once it has been given a
usable policy.

Step 3 The created account can be assigned to a group. Enter the group name in the ‘Group Name’ field
and use the ‘Add’ and ‘Remove’ buttons to associate the account with the given group. Further
information on group selection can be found in the section below titled ‘Assigning Groups’.

Step 4 Select Save to store the newly created account.

Cancellation of Account
Note Selecting the ‘Cancel’ button will abandon the account being created. It can be pressed at any
time and no account will be added to the system.

Step 5 Once the account has been saved the system will ask for a password for the new account.

A new password must be entered. In addition, the ‘Force user to change password at next logon’
setting ensures that the user chooses his or her own password by requiring them to change it the first
time they log on to the system.

Selecting Save will save the password against the new account.

The newly created account should be visible from the main Accounts page.

Assigning Groups
Groups are loaded by the system from the underlying user database. If the database supports
modification of groups then the created account will be able to join a listed group.

For more information on which databases support group modification refer to the chapter in this
document on ‘Creating Groups’.

To add a user to a group with a user database that supports group modification, simply enter the name
of the group in the ‘Group Name’ text box and select the ‘Add’ button. The group will then appear in
the ‘Selected Groups’ list box.

To remove a user from a group, select the group name in the ‘Selected Groups’ list box and press the
‘Remove’ button; the user will be separated from the group and the name removed from the
‘Selected Groups’ list box. For more information on navigating the wizard refer to the chapter titled
‘System Navigation’.

Editing an Account
From the accounts page select the ‘Edit’ action against the required account and the ‘Edit Account’
page will be shown. From this page the current details stored about the account can be modified.

As the diagram above shows, the username cannot be modified.

Deleting an Account
The ‘delete’ action removes a user permanently from the system. Selecting the ‘delete’ action against
an account (from the accounts page) will result in a warning message informing that the user is about
to be deleted, as shown below.

Selecting ‘Yes’ will result in the removal of the account from the system. If this user is associated with
any policies these will also be removed along with all other associated links.

Creating Groups
Groups represent the alternative type of principal. Groups offer a more convenient type for larger
enterprises with a greater user base. This chapter details what a group represents and how SSL-
Explorer utilizes them. The sections included are as follows:

• What are Groups?
• Groups Interface
• Create New Group
• Editing a Group
• Delete Group

By the end of this chapter the reader should have a sound understanding of groups within SSL-
Explorer and how they can be used to provide structure to a user base.

What are Groups?

Principals define users in two forms: the singular being represented by a single account and the plural
being a collection of accounts.

Groups allow for a more structured approach to account management; allowing an administrative user
to categorize types of accounts under one heading as the diagram below shows.

Groups can be manipulated within the system as single entities but remember that all operations on the
group will affect all accounts within the group. For example, an SSL tunnel resource can be linked to a
single group and instantly every user within that group will be granted access to the attached resource.

Groups Interface
The diagram below lists the default groups.

Action Icon
The action icons perform a particular function on the associated group. Available actions for a group
are:

Edit group

Delete group

Create New Group

Step 1 If the user database allows new groups to be created then the ‘Create New Group’ action will
be visible from the event pane on the right of the page as shown below.

Step 2 The ‘Create Group’ page will open.

The only detail required is the name of the group. If the supplied name already exists in the system an
error message will be raised in the event pane.

Once a name has been defined simply add the accounts you wish to include in the group.

Selecting ‘Create’ will generate the group in the system for use. Selecting ‘Cancel’ will stop this
operation.

If created the group should now be visible in the Group Page and can be used as any other group to
assign accounts and policies to.

Editing a Group
From the group page select the ‘Edit’ action against the required group and the ‘Edit Account’ page
will be shown. From this page the current details stored about the group can be modified.

Delete Group
Step 1 To remove an existing group, select the ‘Delete’ action associated with the group from the main group
page.

Step 2 A warning message will appear similar to the one below.

To proceed with the removal of the group, simply select ‘Yes’.

Creating Policies
Policies are the main building blocks in SSL-Explorer’s access control architecture. They form the
bond between a principal and a resource. This chapter covers policies, from their purpose and usage to
their unique characteristics. The sections covered in this chapter are as follows:

• What is a Policy?
• Policy Interface
• Create Policy
• Editing a Policy
• Delete Policy

By the end of this chapter the user should have a sound grasp of policy management and should be
able to implement a structured policy framework.

What is a Policy?
On its own a policy is of little worth. However, by acting as a middle layer between two entities this
makes it very powerful tool. On one side it is able to organize principals by a common goal(s) and on
the other side it collates resources of a similar purpose. This approach helps provide order in a
seemingly unstructured environment.

Principal Pool
A policy does not have to have a resource attached to it instantly. Policies in fact can also be used to
simply group together a number of principals. As shown in the ‘Example Policy Structure’ section, the
‘London Policy’ is simply a holder of principals.

Stateless
A policy is linked to a resource and a principal. Both the resource and principal can be attached to any
number of policies, there is no such thing as exclusivity. By this token any single resource or principal
has no knowledge of any other resource or principal attached to the same policy.

Policy Interface
The policy screen displays a summary of available policies in the system.

It is from this screen that we can create, edit or even delete policies.

Action Icons
The action icon performs a particular function on the associated policy. Available actions for a policy
are:

Delete policy

Edit policy details

Create Policy
Step 1 Selecting the ‘Create New Policy’ action from the event pane on the right will start the ‘Create New
Policy’ wizard.

The system loads the ‘Create Policy Wizard’, and then the wizard guides the user through the steps
required to create a policy successfully. The steps included in the wizard are highlighted in the left
navigation pane as shown below.

Step 2 The wizard requires basic information pertaining to the policy to be created.

Required Information
Note
Mandatory fields are marked with a red dot ( ). Information must be entered for these fields.

The details required are listed below:

• Name: This required name will be displayed throughout the system. It will be seen and
accessed by those with the right permissions so a sensible name should be used.
• Description: The description field helps to provide further information as to the purpose
of the policy. It can be used to detail anything related to the policy and will be visible to
others where necessary.

Step 3 As mentioned earlier, a policy binds principals to resources. The next step in the wizard allows the
super user to select those principals that will be associated to the new policy.

To add an account simply use the selection buttons; ‘Add’ to add an Account to the ‘Selected
Accounts’ list box or ‘Remove’ to remove an Account. More details on this selection process can be
found in the section titled, ‘System Navigation.’

If the system’s user database supports groups then these too can be added in the same way as accounts.
For more information on groups please refer to the chapter titled, ‘Creating Groups’.

Principals are Not Mandatory
A policy by default is made up of resource(s) and principal(s) but neither is compulsory. Policies can be
created without any principals defined and if the user so wishes these can be added later in the ‘Edit
Policy’ page. Also, policies do not necessarily require resources either – if the need arises, policies may
be used for the simple purpose of logically grouping principals together.

Step 4 Before creating the policy the wizard provides a short summary.

If any of the details require modification then selecting the ‘Previous’ button will allow any previous
step to be revisited and altered.

Once satisfied pressing the ‘Finish’ button will create the new policy. The new policy will now be
accessible from the main ‘Policy’ page.

Editing a Policy
By selecting the ‘Edit’ action icon besides the policy of concern (from the policy page) the ‘Edit
Policy’ page will be shown. From this page the current details stored can be modified.

Step 1 The tabs at the top of the page group the particular type of information, selecting each tab will allow
you to modify the appropriate content.

Step 2 To save any new changes click the ‘Save’ button at the bottom right of the page. If you wish to discard
changes simply select the ‘Cancel’ button.

Delete Policy
Step 1 To remove an existing policy, select the ‘Delete’ action associated with the policy from the policy
page.

Step 2 A warning message will appear similar to the one below.

To proceed with the removal of the policy, simply select ‘Yes’.

Creating Access Rights
The final piece in the policy chain is the resource. Once a policy has been created and principals
attached then these principals will require something to access – in this case a resource. Resources are
defined in the system as two types. This chapter explains both types, detailing what they are and how
to create these resources.

The sections included are as follows:

• What is a Resource?
• What are Access Rights?
• Access Rights Interface
• Creating an Access Right
• Editing Access Rights
• Delete Access Rights

What is a Resource?
Within SSL-Explorer a ‘resource’ is defined as an application, utility, data source, or any other
privileged ability that when assigned will allow the user to conduct certain tasks. This could be
something as simple as a user accessing their email client to read their mail. In this case, the resource
would be the email.

What are Access Rights?

Access rights are essential in creating a well organized system. As mentioned earlier the super user
should only be used to install SSL-Explorer and perform configuration of the system; from then on the
super user should create management users who are responsible for the daily management and
running of the system.

An access right allows the super user to delegate an area of responsibilities to a policy.

Nearly all areas of the system can be delegated to different policies thus allowing the super user to be
disabled and not used other than for re-installation tasks or important configuration tasks.

All areas that can be managed are divided into their respective areas:
• Resource permissions: the items that can be managed in this area are all resources, such as web
forwards, profiles, network places and even areas within nEXT; their create, edit and delete
actions can all be delegated to a policy.
• System permissions: the items that can be delegated in this area are all system resources, such
as policies, SSL-Certificates, authentication schemes, accounts and auditing.
• Personal permissions: the items that can be managed here are all personal resources, such as
profiles, passwords, personal details, favorites and attributes.

Access Rights Interface
The access rights interface summarizes the currently available permissions.

The main page, shown above, provides information on the resource permissions currently available.

Action Icons
The action icon performs a particular function on the associated resource permission; available actions
are:

Delete resource permission

Edit resource permission

Creating an Access Right
Step 1 Select the type of access right from the action box.

The wizard guides the user through the steps required to create a resource entity in the system.

Step 2 The first step in the wizard is detailing basic information pertaining to the resource to be created.

Required Information
Note
Mandatory fields are marked with a red dot ( ). Information must be entered for these fields.

The details required are listed below:

• Name: This required name will be displayed throughout the system. It will be seen and
accessed by those with the right permissions and therefore a sensible naming convention
should be used.
• Description: The description field helps to provide further information to the purpose of
the resource. It can be used to detail anything related to the resource and will be visible to
others where necessary.

Step 3 Resource permission simply defines what resources a user can access. Within this step the page
allows the user to do just that.

Clicking on the down arrow on the ‘Resource type’ reveals all the available personal resources that can
be selected.

The first step is to select a resource from the list.

Once a resource has been selected Add those access rights you wish to provide permission to.

Step 4 As the policy structure states, a resource must belong to a policy. Without a policy the resource cannot
be accessed or used. This step in the wizard requires a policy for which the resource is associated with.

Available policies are displayed on the left hand side and selected policies, which will have the resource
assigned to them, on the right.

To add or remove policies simply highlight the policy in the appropriate box (to add select policies to
the left, to remove, select policies to the right) and use the ‘Add’ and ‘Remove’ buttons. Further
information on using these buttons can be found in the chapter titled, ‘System Navigation’.

Step 5 Before creating the resource the wizard provides a summary.

If you wish to alter any of the details select the ‘Previous’ button to revisit and alter any steps.

Once satisfied pressing the ‘Finish’ button will create the new resource.

The new resource will now be visible and accessible from the main ‘Resource Permissions’ page.

Editing Access Rights
By selecting the ‘Edit’ action icon against a resource permission, the ‘Edit Resource Permission’ page
will be shown. From this page the current details stored can be modified.

Step 1 The tabs at the top of the page group the particular type of information that can be edited; selecting
each tab will allow you to modify the appropriate content.

Step 2 To save any new changes click the ‘Save’ button at the bottom right of the page. If you wish to discard
changes simply select the ‘Cancel’ button.

Delete Access Rights

Step 1 To remove existing resource permissions, select the ‘Delete’ action associated with the resource
permission from the main resource permission page.

Step 2 A warning message will appear similar to the one below.

To proceed with the removal of the resource permission, simply select ‘Yes’.

Authentication Schemes
Authentication is the means of verifying a user’s identity; this can be in the form of a password or a
code\key. To allow for greater security SSL-Explorer uses authentication schemes to provide a
multiple staged authentication process. This chapter details authentication schemes, their purpose and
how to implement a scheme. The topics covered are:

• What is an Authentication Scheme?
• Authentication Scheme Interface
• Creating an Authentication Scheme
• Authentication Modules
• Password Authentication
• Personal Questions Authentication
• PIN Authentication
• OTP Authentication (using SMS or Email for delivery)
• SSL Client Certificate Authentication
• Public Key Authentication
• IP Authentication
• RADIUS Authentication
• Remote Client Authentication

By the end of this chapter the reader should have a sound understanding of authentication schemes and
how to implement a necessary scheme to meet their requirements.

What is an Authentication Scheme?

An authentication scheme is simply a container for any number of authentication modules, such as
OTP, Passwords, and Certificates. This approach means that multi-tiered authentication can easily be
implemented and even linked to existing authentication systems. The authentication scheme is then
used as the basis of the logon policy. SSL-Explorer allows for more than one of these schemes to be
created and used.

It is important to note that certain authentication modules can only be used by themselves, that is, they
cannot be combined with other authentication modules. The following section, titled Authentication
Modules, describes any limitations pertinent to a module where they apply.

When a user starts the authentication process they first have to enter a User ID. Once the User ID is
submitted to SSL-Explorer checks are made to determine the correct authentication method to be used.
This approach allows for different authentication methods to be used for different groups of users. For
example users attached to a Sales policy may only have to enter a User ID and password, whereas
Sales Management may be attached to a policy that uses a password and PIN authentication scheme.

The SSL-Explorer authentication schemes allow those wanting to build a single, double or even a
triple factored process to do so simply.

The first page presented to the user is as follows.

Once the username has been entered and the Login button selected the next screen in the authentication
process is displayed, see below. Each defined scheme is then made available to users at login as shown
in the highlighted text below:

Clicking the here hyperlink in the highlighted sentence will load the schemes page as below:

Any defined scheme is selectable and when selected with the Ok button the user is returned back to the
logon page with the selected authentication scheme activated.

Authentication Scheme Interface
All authentication schemes defined are visible from the Authentication Scheme page. Each of the
schemes is listed in its order of priority.

It is from here one can see the available actions associated with each scheme.

Action Icons

Delete policy

Edit policy details

Enable scheme

Disable scheme

Decrease priority of scheme

Increase priority of scheme

Creating an Authentication Scheme

For this example we will create a three tiered authentication process. It will be a scheme using the
Password module as a primary method, then PIN and finally Personal Questions.

Step 1 From the Authentication Scheme page select the only available action, Create Scheme.

Step 2 This starts the authentication scheme wizard. The first step in the wizard is defining the name of the
scheme, its description and its priority. The priority value can be from 1 to 9999 and indicates the
order in which a scheme is to be handled. The lower the value the higher the priority.

Step 3 Next the modules required for the scheme must be chosen. From the left pane all installed
authentication modules are listed. Once an appropriate module is found press the Add button and the
module will be added to the list on the right. Repeat this until all the necessary modules have been
added to the Selected Modules pane.

To reorder the modules chosen simply use the Up and Down buttons to adjust the order of a module.

Head Must be a Primary Module
At the top of the Selected Modules window there must be a module which can be a primary module.
The system will not allow a scheme to be defined which does not have a primary module at the top of
the list.

Step 4 An authentication scheme needs to be attached to a policy. This restricts which users can actually
access the scheme.

Step 5 The final step is the summary. The system presents the details provided. If you are happy with the
details pressing Finish button will result in the creation of the scheme.

The scheme will be visible from the main page. However the authentication scheme itself will not be
available at logon. Instead the scheme needs to be enabled.

Simply press the enable action besides the new scheme.

An enabled scheme will have the enable icon besides it:

Whereas a disabled scheme will have the disabled icon besides it:

Deleting an Authentication Scheme

To remove an existing scheme, select the Delete action associated with the scheme from the main
page. A warning message is raised; pressing 'Yes' will remove the scheme.

Authentication Modules
As already mentioned, there are differences in the level of control available for the configuration of a
module. This section describes each of the modules within SSL-Explorer. There are significant
differences between the authentication modules available in the Community and Enterprise
editions of SSL-Explorer. These differences are shown in the following table.

Authentication             Community/Enterprise   Type

Password                   Community              Primary/Secondary
Client Certificate         Enterprise             Primary/Secondary
IP                         Enterprise             Primary
Public Key                 Enterprise             Primary/Secondary
PIN Number                 Enterprise             Primary/Secondary
Personal Questions         Community              Secondary
OTP (One Time Password)    Enterprise             Secondary
RADIUS                     Enterprise only        Primary/Secondary

The above table also shows the type of each authentication module. The type defines where in a
scheme the module may be placed. A primary module is one capable of accepting a username, so
modules of this type should be placed first. Any module typed ‘Primary/Secondary’ can be placed as
either the primary or a secondary module, but a module typed strictly ‘Secondary’ cannot be placed
first in a scheme.

The authentication scheme system enforces this by disallowing a secondary-only module to be
positioned at the top of the chain.

A brief summary of the available modules, as of release of this document, are listed in the following
sections.
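The placement rules and the priority ordering described above, as an added example in Java (not SSL-Explorer code). The module list and placement types are taken from the table; the constructed schemes, the assumption that a module typed strictly ‘Primary’ (IP) may only occupy the head position, and all class and method names are mine.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

/**
 * Added example, not SSL-Explorer code: models the module-type rules in the table above
 * (the head of a scheme must be a module capable of being primary) and the priority
 * ordering of enabled schemes (1-9999, lower value handled first).
 */
public class SchemeRulesExample {

    /** The Type column of the table. */
    enum Placement { PRIMARY, SECONDARY, PRIMARY_OR_SECONDARY }

    /** The modules listed in the table with their placement type (edition column omitted). */
    enum Module {
        PASSWORD(Placement.PRIMARY_OR_SECONDARY),
        CLIENT_CERTIFICATE(Placement.PRIMARY_OR_SECONDARY),
        IP(Placement.PRIMARY),
        PUBLIC_KEY(Placement.PRIMARY_OR_SECONDARY),
        PIN(Placement.PRIMARY_OR_SECONDARY),
        PERSONAL_QUESTIONS(Placement.SECONDARY),
        OTP(Placement.SECONDARY),
        RADIUS(Placement.PRIMARY_OR_SECONDARY);

        final Placement placement;
        Module(Placement placement) { this.placement = placement; }
        boolean canBePrimary() { return placement != Placement.SECONDARY; }
        boolean canBeSecondary() { return placement != Placement.PRIMARY; }
    }

    /** A scheme as defined in the wizard: name, priority, enabled flag and ordered modules. */
    static final class Scheme {
        final String name;
        final int priority;
        final boolean enabled;
        final List<Module> modules;

        Scheme(String name, int priority, boolean enabled, Module... modules) {
            this.name = name;
            this.priority = priority;
            this.enabled = enabled;
            this.modules = Arrays.asList(modules);
        }
    }

    /** Returns null when the scheme is acceptable, otherwise the reason it would be rejected. */
    static String validate(Scheme s) {
        if (s.priority < 1 || s.priority > 9999) {
            return "priority must be between 1 and 9999";
        }
        if (s.modules.isEmpty()) {
            return "a scheme needs at least one module";
        }
        Module head = s.modules.get(0);
        if (!head.canBePrimary()) {
            return head + " is secondary-only and cannot be at the top of the list";
        }
        // Assumption: a module typed strictly 'Primary' (IP) may only occupy the head position.
        for (int i = 1; i < s.modules.size(); i++) {
            if (!s.modules.get(i).canBeSecondary()) {
                return s.modules.get(i) + " is primary-only and cannot follow another module";
            }
        }
        return null;
    }

    /** Names of the enabled, valid schemes in the order the logon process considers them. */
    static List<String> logonOrder(List<Scheme> schemes) {
        List<Scheme> usable = new ArrayList<>();
        for (Scheme s : schemes) {
            if (s.enabled && validate(s) == null) {
                usable.add(s);
            }
        }
        usable.sort(Comparator.comparingInt(s -> s.priority));
        List<String> names = new ArrayList<>();
        for (Scheme s : usable) {
            names.add(s.name);
        }
        return names;
    }

    public static void main(String[] args) {
        // Constructed schemes: the chapter's three-tier example plus two that break the rules.
        Scheme threeTier = new Scheme("Password, PIN, Questions", 100, true,
                Module.PASSWORD, Module.PIN, Module.PERSONAL_QUESTIONS);
        Scheme questionsFirst = new Scheme("Questions first", 50, true,
                Module.PERSONAL_QUESTIONS, Module.PASSWORD);
        Scheme dflt = new Scheme("Default", 1, true, Module.PASSWORD);
        Scheme otpOnly = new Scheme("OTP only", 5, true, Module.OTP);

        List<Scheme> all = Arrays.asList(threeTier, questionsFirst, dflt, otpOnly);
        for (Scheme s : all) {
            String problem = validate(s);
            System.out.println(s.name + ": " + (problem == null ? "accepted" : "rejected, " + problem));
        }
        // Default (priority 1) is considered before the three-tier scheme (priority 100);
        // the two invalid schemes never reach the logon page.
        System.out.println(logonOrder(all));
    }
}
```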

Password Authentication
This is the most commonly used authentication scheme. It is the simplest and easiest to configure and
is defined as part of the authentication modules that come part of both the Community and Enterprise
editions of SSL-Explorer. In fact it is also part of the default set of authentication schemes configured
with a brand new installation.

Both the ‘Default’ and the ‘Password and Personal Details’ schemes rely on the Password authentication
module; the first as a single-module scheme, the second as part of a two-factor scheme.

The length, format and expiration of passwords are all configurable, however initially these parameters
are defaulted and whenever the Super User creates an account a password must be attached.

Creating a Password
A password is assigned the first time a user is created. As the screenshot below shows the password
can be redefined the first time the user logs into the system by selecting the checkbox.

For further information on creating passwords refer to the chapter titled, Creating Accounts.

Modifying a Password
Once a password has been assigned to the account it can be altered at any time by both the Super User
from the Management Console and by the user through the User Console.

Management Console
Step 1 Choose the account you wish to edit from the Accounts page (Access Control → Accounts) by
selecting the associated More… button.

Step 2 A new set of actions becomes available. Selecting Set Password allows the Super User to change the
password for the account.

Step 3 From here a new password can be defined. In addition the checkbox at the bottom can be selected to
force the user to change their own password when they next log in.

User Console
This method is used by the user allowing them to securely modify their own password without any
intervention by the Super User.

Step 1 From the My Accounts section select Change Password.

Step 2 The user is now able to change their password from the Change Password page.

The user is expected to key in the original password as well before the change can occur.

By default the system will lock any user that fails authentication after three attempts and again disables
any user who has been locked out three times consecutively. These parameters are configurable and
are detailed in the section below.

Configuring Passwords
The configuration options can be accessed from System Configuration → Password Options. There
are a considerable number of parameters that should be understood as the Password authentication
module is commonly used as the default authentication scheme and tends to be found in most other
multi-factored schemes. The configuration parameters are detailed below:

The available options are detailed below.

• Max Logon Attempts Before Lock: A value of zero disables this option; the default value is
3 logon attempts, after which the account is temporarily locked.
• Max Locks Attempts before Lock: A value of zero disables this option; the default is 3
temporary locks, after which the account is permanently locked.
• Lock Duration: The length of time an account is locked; default value is 300 seconds.
• Password Pattern: The definition of a password, how passwords for this instance must be
constructed. Details on Password patterns can be found below.
• Password Pattern Description: This description is shown to the user when defining a
personal password.
• Days before Expiry Warning: The default value is 21, after which the warning will be
displayed to the user informing them to change their password.
• Days before Expiry: The default is 28 days approximately one month after which the user
will be forced to change password.
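The lockout behaviour of the first three options, as an added example in Java (not SSL-Explorer code) using the documented defaults. The class and method names, the attempt trace, and two details the text does not settle are my assumptions: attempts made while an account is locked are refused without being counted, and the lock that would be the third consecutive one is what permanently disables the account.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example, not SSL-Explorer code: a model of the lockout behaviour described by the
 * Password Options above, using the documented defaults (3 attempts, 3 locks, 300 seconds).
 */
public class PasswordLockoutExample {

    /** The three lockout options from the list above; zero disables the corresponding limit. */
    static final class Options {
        int maxLogonAttemptsBeforeLock = 3;
        int maxLocksBeforeDisable = 3;      // the page's "Max Locks Attempts before Lock"
        long lockDurationSeconds = 300;
    }

    enum Outcome { SUCCESS, FAILED, LOCKED, DISABLED }

    /** Per-account counters. Times are epoch seconds; lockedUntil < 0 means not locked. */
    static final class AccountState {
        int failedAttempts;      // consecutive failures since the last success or lock
        int consecutiveLocks;    // temporary locks since the last successful logon
        long lockedUntil = -1;
        boolean disabled;
    }

    /**
     * Apply one logon attempt at time now. Assumptions: attempts made while the account is
     * locked are refused without being counted, and the lock that would be the third
     * consecutive one is what permanently disables the account.
     */
    static Outcome attempt(AccountState st, Options opt, boolean passwordCorrect, long now) {
        if (st.disabled) {
            return Outcome.DISABLED;
        }
        if (st.lockedUntil >= 0) {
            if (now < st.lockedUntil) {
                return Outcome.LOCKED;        // still inside the lock window
            }
            st.lockedUntil = -1;              // lock has expired, attempts may resume
        }
        if (passwordCorrect) {
            st.failedAttempts = 0;
            st.consecutiveLocks = 0;          // a success breaks the chain of consecutive locks
            return Outcome.SUCCESS;
        }
        st.failedAttempts++;
        if (opt.maxLogonAttemptsBeforeLock == 0
                || st.failedAttempts < opt.maxLogonAttemptsBeforeLock) {
            return Outcome.FAILED;
        }
        // Threshold reached: this failure triggers a lock.
        st.failedAttempts = 0;
        st.consecutiveLocks++;
        if (opt.maxLocksBeforeDisable > 0 && st.consecutiveLocks >= opt.maxLocksBeforeDisable) {
            st.disabled = true;
            return Outcome.DISABLED;
        }
        st.lockedUntil = now + opt.lockDurationSeconds;
        return Outcome.LOCKED;
    }

    /** Runs a scripted series of attempts against one account and returns each outcome. */
    static List<Outcome> simulate(Options opt, long[] times, boolean[] correct) {
        AccountState st = new AccountState();
        List<Outcome> out = new ArrayList<>();
        for (int i = 0; i < times.length; i++) {
            out.add(attempt(st, opt, correct[i], times[i]));
        }
        return out;
    }

    public static void main(String[] args) {
        Options opt = new Options();
        // Constructed trace: repeated wrong passwords against one account, with one attempt
        // inside the first lock window (t=10) and the rest spaced past each 300 s lock.
        long[] times = {0, 1, 2, 10, 310, 311, 312, 620, 621, 622, 623};
        boolean[] correct = new boolean[times.length];   // every attempt uses a wrong password
        System.out.println(simulate(opt, times, correct));
    }
}
```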

Password Pattern
The structure of an account password is based on regular expressions and is defaulted to, .{5,},
which defines a password with a minimum size of 5 characters. This expression is detailed in the
diagram below:

The password structure is validated against the Java ‘regular expression’ syntax. Any valid Java
expression will be accepted for checking passwords; some example constructs are given below:

Expression    Meaning
X{n}          X exactly n times
X{n,m}        X between n and m times
[^\s]{n,m}    Any character except whitespace, between n and m characters long
\w{n,m}       Word character [a-zA-Z_0-9], between n and m characters long
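How a Password Pattern is applied to candidate passwords, as an added example in Java (not SSL-Explorer code): the shipped default `.{5,}` beside patterns built from the constructs in the table, with a whole-string match so that a password merely containing an acceptable substring is not waved through. The class and method names and the candidate passwords are constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example, not SSL-Explorer code: applying a Password Pattern written in Java regular
 * expression syntax to candidate passwords, using the default ".{5,}" and patterns built from
 * the constructs in the table above.
 */
public class PasswordPatternExample {

    /** Compiles the configured pattern; a malformed pattern should be rejected when it is saved. */
    static Pattern compilePattern(String pattern) {
        try {
            return Pattern.compile(pattern);
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("invalid Password Pattern: " + e.getDescription(), e);
        }
    }

    /**
     * A candidate is acceptable only if the whole string matches. matches() anchors the pattern at
     * both ends; find() would accept any password that merely contains a matching substring.
     */
    static boolean acceptable(Pattern pattern, String candidate) {
        return pattern.matcher(candidate).matches();
    }

    /** Returns the candidates a pattern rejects, so an administrator can preview a policy. */
    static List<String> rejected(String pattern, String... candidates) {
        Pattern p = compilePattern(pattern);
        List<String> out = new ArrayList<>();
        for (String c : candidates) {
            if (!acceptable(p, c)) {
                out.add(c);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed candidates used to exercise each pattern.
        String[] candidates = {
            "abcd", "abcde", "abcdefgh!", "pass word", "Tr0ub4dor&3x", "N0WhiteSpaceHere"
        };

        // Shipped default: any five or more characters.
        System.out.println(".{5,}        rejects " + rejected(".{5,}", candidates));
        // From the table: 8 to 64 characters, none of them whitespace.
        System.out.println("[^\\s]{8,64} rejects " + rejected("[^\\s]{8,64}", candidates));
        // From the table: 8 to 64 word characters [a-zA-Z_0-9] only.
        System.out.println("\\w{8,64}     rejects " + rejected("\\w{8,64}", candidates));
        // A composition using lookaheads: 10 or more characters including a digit and an upper-case letter.
        System.out.println("lookahead    rejects " + rejected("(?=.*\\d)(?=.*[A-Z]).{10,}", candidates));

        // Why matches() rather than find(): find() locates "abcdefgh" inside "abcdefgh!" and
        // would accept the password, while matches() rejects it because of the trailing "!".
        Pattern words = compilePattern("\\w{8,64}");
        System.out.println("find() on abcdefgh!: " + words.matcher("abcdefgh!").find()
                + ", matches(): " + words.matcher("abcdefgh!").matches());

        // A typo in the configured pattern is caught at configuration time, not at every logon.
        try {
            compilePattern(".{5,");
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
    }
}
```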

Personal Questions Authentication
This is another commonly-used authentication module. Its simplicity and ease of use make this a
favorite choice amongst multi-factored schemes. In fact much like Password authentication, Personal
questions is also part of the default set of authentication schemes.

Since this is a secondary-only module it is the second stage module in the Password and Personal
Details scheme.

Personal authentication relies on pre-defined personal information about the user. A set number of
questions are managed by the system and when utilized the system takes a question and presents this to
the user. A comparison is made between the current answer and the preset answer; if a match is made
the user is authenticated.

This authentication method is a secondary option only and must work in conjunction with a more
secure module.

The system uses inbuilt user attributes to define and store a set of five questions as can be seen below.

These cannot be amended nor can a user add additional question to these.

Configuring Answers
Both the Super User and user are able to configure answers for these questions through the
Management Console and User Console respectively, but it mainly falls within the responsibility of the
user to provide secure and personal answers to each question, something that they will remember and
secure enough so that no other user can guess. The steps involved in configuring these are minimal
but have been detailed below nonetheless.

Management Console
The Super User can access the user’s personal details and alter these details if so required.

Step 1 From the ‘Accounts’ page (Access Control → Accounts) select the Edit action against the account to
edit.

Step 2 From the Edit Account page select the Security Questions tab.

Step 3 This displays the available personal questions and where necessary populated with answers. These can
be altered. When satisfied with the changes pressing the Save button will store the new answers.

User Console
It should be the user's responsibility to manage and update their personal details.

Step 1 Open the ‘Edit Personal Details’ page from My Account → Personal Details

Step 2 Select the Security Questions tab

Once all the answers have been supplied pressing the Save button will store these for use during
authentication.

PIN Authentication
PIN authentication is something all users with a bank account will already be familiar with. Again this
is a standard authentication module and much like a password a user is expected to authenticate
themselves with their private number.

The PIN itself can be as long or as short as the Super User defines and alerts to change this value
periodically can also be configured.

When combined with an Active Directory user database, PIN authentication can prevent the locking of
user accounts by dictionary attacks [1].

Modifying a PIN
Configuration of the PIN value itself can be performed by both Super User and User. Like any
authentication module the actions to configure the PIN value is only available once an authentication
scheme has been configured which has the PIN authentication module.

Below describes how to configure the PIN as both Super User, through the Management Console, and
User, through the User Console.

Management Console
The Super User can alter the PIN value; this is best used at the start to initialize the PIN for a user.

Step 1 From the Accounts page (Access Control → Accounts) select the More… button beside the account
to edit and select Change PIN.

[1] Dictionary Attack – http://en.wikipedia.org/wiki/Dictionary_attack

Step 2 This will bring up the Set PIN page from where the PIN value can be configured.

Once a new PIN has been entered pressing the Save button will store the value.

User Console
The user should manage their PIN value and keep the PIN secure.

Step 1 From the User Console select Change PIN under the My Account section.

Step 2 The Change PIN page should be visible. From here the PIN value can be changed.

As can be seen above the user is expected to enter their original PIN value in first.

Once the PIN has been altered pressing the Save button will store the PIN for use when authenticating.

Configuring PIN
The configuration options can be accessed from System Configuration → Security Options → PIN.
As can be seen below there are a small number of parameters but these should be used sensibly. For
example defining a PIN size too great could leave users forgetting and failing authentication. Similarly
with expiration time, a value that is too short could cause users to become too predictable with their
new PIN numbers, i.e. incrementing the value by one upon each successive change.

The available options are detailed below.

• PIN Size: The default size of the PIN is 4 digits, this can be altered by this parameter, any
user authenticating must supply the exact number of digits defined.
• Allows user to set PIN: Checking this switch enables a user to define their initial PIN instead
of having the super user define a PIN for the user.
• Warn Number of Days: This defines at what point a warning message should be shown to a
user that their PIN is about to expire. This is defaulted to 21 days, after a PIN has remained
unchanged for this length of time the system will warn the user their PIN will expire.
• Expire in number of Days: This parameter defines the number of days a PIN may remain
unchanged before it expires. After the default 28 days the PIN will no longer be accepted as authentic.

OTP Authentication
OTP (One Time Password) authentication can be seen as an extension to Password authentication.
With Password authentication the configured password is used numerous times until a defined
expiration date is hit and the password needs to be changed. The expiration tends to be around a month
or so but with OTP authentication, the password can only be used once and once only - not only that,
the expiration of the password is measured in minutes and not days so even the OTP’s existence is
short lived.

OTP significantly strengthens the security of a system but it is recommended that OTP is added to a
multi-factored authentication scheme. The main reason for this is that an OTP is delivered to an
external device either a mobile phone or an email account – both items managed by users and out of
the control of SSL-Explorer thus can be viewed by unauthorized persons.

Currently any SMS or email-enabled device can receive OTPs, meaning that your passwords may be
sent by email to your inbox or by text messaging to your cell phone.

Using OTP consists of a number of steps highlighted below:

• Defining Recipient Details
• Configuring Service Provider
• Configuring Delivery Method

In addition to all of these, an authentication scheme with the OTP authentication module must be
enabled. Without this the OTP options will not be accessible.

Once these have been configured the OTP authentication scheme can be enabled.

Using OTP authentication is quite simple; the steps below show you how:

Step 1 At logon select the OTP scheme.

The primary authentication module should be used as usual and then you will be asked for the
OTP, which will have been sent via either email or SMS depending on what has been configured.

Step 2 The system will have already sent you an OTP either to your cell phone or email much like the
example below.

This should be keyed in.

If successfully entered the user is authenticated and given access to the system. If another
authentication module is added after OTP authentication then that authentication scheme is loaded and
authentication required.

It is as simple as that.

The following sections provide details on the configuration steps listed earlier. These are required to
get the OTP authentication module running correctly.

Defining Recipient Details

The OTP process needs to have the recipient’s details in order to send the one time password and have
it reach its destination. In this step we define the contact information in the form of both cell phone and
SMTP email address. Either of these can be configured however it is highly recommended that both
are configured.

As with the modules above, recipient information can be defined both by the Super User, through the
Management Console, and by the user, through the User Console. However, the user is unable to modify
their email address; this is strictly controlled information that only the Super User can alter.

Management Console
The Super User is able to alter the user’s details; however, the user should be responsible for the
management of their own details.

Step 1 Configuration of any personal information by the Super User is done through the Accounts page
(Access Control → Accounts). Select the edit action against the user that needs to be edited.

Step 2 If the cell phone details need editing select the Contact Info tab that is visible from the Edit Account
page.

The new cell phone number can be entered. When complete selecting the Save button will store the
cell phone number. It is this number that will be used by the OTP authentication process when sending
via SMS.

Step 3 If it is the email details that need to be entered then use the Details tab.

The email address can be altered and, when complete, pressing the Save button will store the address. It is
this address that is used by the OTP authentication process when sending via email.

Unchangeable Email for External User Databases

Any system which relies on an external user database will be unable to alter the email details, as these
are read in from the external database. Modifications to these will have to be made from the external
database client.

User Console
The user should manage their own contact details. The steps below show how the cell phone number
can be configured.

Step 1 Select Personal Details from the Navigation Pane on the left (My Account → Personal Details). This
will load the Edit Personal Details page.

Step 2 From the Edit Personal Details page select the Contact Info tab. From there the cell phone number
can be altered.

Once satisfied the new number can be saved by pressing the Save button. This number will be used by
the OTP process.

Configure Service Provider

Without a Service Provider defined the OTP authentication module is not accessible from the
Authentication Scheme wizard, despite having been installed. The reason for this is that without a
configured service provider the one-time passwords have no transport mechanism by which to be
delivered.

Either transport medium, SMS or email, can be defined, or both. Configuration for both these
mediums can be accessed from the Messaging Configuration page (System Configuration →
Messaging).

SMTP Transportation
Email relies on an SMTP mail server so the corporate email service should be sufficient. The
parameters required merely provide SSL-Explorer with details of the email server.

• Enable on Startup: When the SSL-Explorer instance is started the email messaging service is
available to use. Un-checking this option will disable message distribution via email once the
instance is restarted.
• SMTP Server: Messaging is performed in two ways: through active users running the VPN
client, and via messages being broadcast as emails received by users’ email clients. To use the
email option the details of the SMTP mail server need to be specified.
• Port: In addition to the server above, the listening port on the server must also be defined.
By default mail servers listen on port 25.
• Login (HELO): HELO represents the SMTP HELO command. Some mail servers, usually
older servers, do not accept mail requests before an SMTP HELO command is sent. Clients
use HELO as the first request in every session. The HELO parameter requires the principal
host domain name for the sender, for example domainname.co.uk.
• Sender Address: This parameter specifies the host sending the message and will appear as
the sender’s address when the mail is received by the user’s mail client.

SMS Transportation
SMS configuration is a little more complicated than email. For starters, before any configuration
details can be defined for the SMS message itself the provider details are required. Unlike email,
SSL-Explorer relies on an external SMS service provider called Clickatell.

Clickatell provides the required infrastructure to transport SMS messages generated by SSL-
Explorer’s OTP module to cell phones, not only locally but around the world.

Step 1 To use SMS a Clickatell credit account needs to be registered. To open an account with Clickatell,
click the warning message in the warning box to the right, as shown below. This will take the user to
the Clickatell site for registration.

Step 2 Once an account has been opened Clickatell will provide the required information necessary to
configure SSL-Explorer. Select the Clickatell tab in the Messaging Configuration page (System
Configuration → Messaging).

The provided information can be used to fill in the above form. Once all the information has been
entered selecting the Save button will store the Clickatell account information. These parameters will
be used by the OTP module when sending SMS messages.

Step 3 The final step with SMS is the configuration of the SMS message itself. From the Messaging
Configuration page (System Configuration → Messaging) select the SMS tab.

The parameters should be configured as appropriate. Once satisfied the Save button should be pressed
to save the information. The bullet points below detail these parameters.

• Number Visibility: This determines whether users can view and modify their cell phone
numbers.
• Originator: The sender of the SMS message. This is set as default to “SSL-Explorer”.
Whenever a password is sent the SMS message will be shown as coming from this sender.
• Enable on Startup: This setting selects whether the SMS messaging service is started upon
server start up. Un-checking this option will disable message distribution via SMS once the
instance is restarted.

Configure Delivery Method

The final stage in setting up a successful OTP authentication process is the configuration of the
delivery method.

As mentioned earlier, OTP authentication can use either SMS or email to deliver its messages.
Which service provider has been defined, as shown in the section Configure Service Provider
above, determines which delivery method should be chosen.

As can be seen above the available delivery options from the OTP configuration page (System
Configuration → Security Options → OTP) are either SMS or EMAIL. If SMS has been configured
as the transportation method then SMS should be chosen. If email has been configured as the
transportation method then EMAIL should be selected. If however both transportation methods were
configured then either can be chosen.

No OTP with Mismatched Delivery Method

If the delivery method differs from the configured service provider (SMTP or Clickatell) OTP
authentication will not be accessible from the authentication scheme wizard. The delivery method and
the configured service provider must match. If there are no configurable details for what has been
defined as the delivery method the system will disallow usage of the OTP module.

All the components have now been configured. OTP authentication is ready to be used.

Configuring OTP
The OTP authentication configuration parameters provide a way of modifying how the actual message
is produced. The parameters here work in conjunction with the parameters available from the Message
Configuration pages (System Configuration → Messaging). The parameters are accessible from
System Configuration → Security Options → OTP.

A brief description of each of the parameters follows:

• Mode: The OTP password can be defined to be sent to the recipient at logon time or prior to
logon.
• Method of Delivery: Whether to use SMS or SMTP.
• Message Subject: The Subject entry for an email.
• Message Text: The SMS text displayed alongside the password; the replacement string
‘%PASS%’ is replaced by the generated password.
• Expired Subject: The subject entry when sending expiry email notifications.
• Expired Message: The main body of the expiration notification message.
• Password Length: The length of the generated password.
• Max Logon Attempts: The number of logon attempts allowed.
• Password Expires (Hours): Expiration of the one time password in hours. This is used when
the Mode parameter is set to send the password before login and expire. The default is 24 hours,
after which the sent password will no longer be valid.
• Logon Grace (Secs): Expiration of the one time password in seconds. This is used when the
Mode parameter is set to send at logon. The default is 300 seconds, after which the sent
password will no longer be valid.
• Scheduler Period: How often the scheduler should run to evaluate passwords.
• Expiry Date Format: The format of the expiry date sent as part of an OTP message. The
formats used are those defined by the Java SimpleDateFormat class.
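As an added illustration, not code from SSL-Explorer, the following Go program models how the parameters above govern a one-time password's life cycle: the configured length, the mode-dependent expiry (Logon Grace in seconds versus Password Expires in hours), the attempt limit, single use and the ‘%PASS%’ substitution. The ‘%EXPIRES%’ placeholder, the Go-style date layout and all type and function names are assumptions of this example; the guide names only ‘%PASS%’ and uses SimpleDateFormat patterns.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OTPConfig collects the System Configuration -> Security Options -> OTP
// parameters that govern how a password is generated and checked.
type OTPConfig struct {
	SendBeforeLogon  bool          // Mode: false = send at logon, true = send before logon and expire
	PasswordLength   int           // Password Length
	MaxLogonAttempts int           // Max Logon Attempts
	PasswordExpires  time.Duration // Password Expires (Hours); the guide's default is 24 h
	LogonGrace       time.Duration // Logon Grace (Secs); the guide's default is 300 s
	MessageText      string        // Message Text containing %PASS%
	ExpiryDateFormat string        // Go layout here; the product uses SimpleDateFormat patterns
}

// IssuedOTP is the server-side record of one generated password.
type IssuedOTP struct {
	password string
	expires  time.Time
	attempts int
	used     bool
}

// Password exposes the generated value for this demonstration only (the user learns it by SMS or email).
func (o *IssuedOTP) Password() string { return o.password }

// generatePassword draws n decimal digits from a cryptographic RNG.
func generatePassword(n int) (string, error) {
	var sb strings.Builder
	for i := 0; i < n; i++ {
		d, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		sb.WriteByte(byte('0' + d.Int64()))
	}
	return sb.String(), nil
}

// Issue generates a password, sets its expiry from the mode and renders the
// message text. %EXPIRES% is an assumed placeholder for the formatted expiry
// date; the guide itself names only %PASS%.
func Issue(cfg OTPConfig, now time.Time) (*IssuedOTP, string, error) {
	pw, err := generatePassword(cfg.PasswordLength)
	if err != nil {
		return nil, "", err
	}
	exp := now.Add(cfg.LogonGrace)
	if cfg.SendBeforeLogon {
		exp = now.Add(cfg.PasswordExpires)
	}
	msg := strings.ReplaceAll(cfg.MessageText, "%PASS%", pw)
	msg = strings.ReplaceAll(msg, "%EXPIRES%", exp.Format(cfg.ExpiryDateFormat))
	return &IssuedOTP{password: pw, expires: exp}, msg, nil
}

// Verify checks a candidate against the record. Single use, expiry and the Max Logon
// Attempts limit are enforced first; the value itself is compared in constant time.
func (o *IssuedOTP) Verify(candidate string, now time.Time, cfg OTPConfig) error {
	if o.used {
		return errors.New("one-time password already used")
	}
	if now.After(o.expires) {
		return errors.New("one-time password expired")
	}
	if o.attempts >= cfg.MaxLogonAttempts {
		return errors.New("maximum logon attempts exceeded")
	}
	o.attempts++
	if subtle.ConstantTimeCompare([]byte(candidate), []byte(o.password)) != 1 {
		return errors.New("incorrect one-time password")
	}
	o.used = true
	return nil
}

func main() {
	cfg := OTPConfig{PasswordLength: 6, MaxLogonAttempts: 3, LogonGrace: 300 * time.Second,
		PasswordExpires: 24 * time.Hour, ExpiryDateFormat: "2006-01-02 15:04:05",
		MessageText: "Your SSL-Explorer one-time password is %PASS%, valid until %EXPIRES%"}
	now := time.Now()
	otp, msg, err := Issue(cfg, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("sent:", msg)
	fmt.Println("wrong guess:", otp.Verify(otp.Password()+"0", now.Add(10*time.Second), cfg))
	fmt.Println("correct:", otp.Verify(otp.Password(), now.Add(20*time.Second), cfg))
	fmt.Println("replay:", otp.Verify(otp.Password(), now.Add(30*time.Second), cfg))
}
```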

Client Certificates
SSL Client Certificate authentication can be seen as the next progression in the authentication
modules. It is more secure than the previous but requires more configuration. To some degree, client
certificate authentication is an automatic authentication process requiring minimal interaction from the
user. All the user is required to do is provide the password for the certificate the first time that it is
installed and that is it. Everything else is performed by the browser and server.

Strong Cryptography and the Law

This feature requires advanced cryptography software [1] from Sun Microsystems that is not installed with
the standard Java JRE/JDK. This software may be subject to restrictions depending on the laws
regarding the import/export of cryptographic software in your country and we unfortunately cannot
distribute it with the standard SSL-Explorer distribution. Please see our SSL Client Certificates Flash
demonstration, which will help guide you through the relatively simple installation process.

A certificate is generated and validated before being imported into the client’s browser. When this
browser connects to SSL-Explorer the two begin instantly exchanging secure information to try and
identify one another. The browser uses this certificate as a means of authenticating itself to the server.
The server, aware of the provided certificate, is able to verify the client and automatically grant
authentication.

Since a unique certificate can be assigned to each User, Client Certificates can provide a very secure
means of access.

Unlike the previous authentication methods, client certificates require a bit more configuring, but once
configured they do not have to be configured again. The general process is highlighted below.

• Enable Authentication
• Creating a CA
• Creating Client Certificates
• Importing Certificate into Browser

Before all of these, however, an authentication scheme should be available which includes the client
certificate module. Once these are all done, using certificates is a simple process.

Step 1 All a Super User needs to do is enable the authentication scheme. As a user, selecting this scheme will
cause the browser to begin using the certificate to authenticate itself.

Adding a Primary Authentication Layer

The certificate is tied into the browser, which means that anyone using this machine can log into the
system as long as they know the certificate password. A primary authentication module, such as
password authentication, should be used in conjunction with client certificate authentication to tighten
access.

[1] Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0
http://java.sun.com/javase/downloads/index.jsp

Step 2 Once the authentication process begins the Choose a digital certificate dialog will appear. Select the
appropriate certificate you wish to use and press OK, or Cancel if you do not wish to use any.

Step 3 The only item of information required is the password used to encrypt the certificate. Once supplied
the system is able to safely authenticate the connecting client.

Step 4 If successful a message like the one below is displayed.

This merely informs the user that they have successfully logged into the system. Selecting Login will
either go to the user’s main page or load the next authentication module.

The next sections detail the configuration steps highlighted above.

Enable Authentication
Regardless of whether certificate authentication has already been configured and all clients are fully
equipped with their certificates, if the system has not enabled client certificates then client certificate
authentication will not work. In fact, even if a scheme had been configured with client certificate
authentication the system would not allow the execution of the scheme. A message like the one below
would be shown if client certificates were selected.

Enabling client certificates is a very simple process.

Step 1 From the Security Options (System Configuration → Security Options) menu select the Client
Certificates tab.

Step 2 Set the ‘Mode of Operation’ to ‘Accept Certificates’.

This is the switch that turns on client certificates.

Step 3 Finally select the ‘Certificate Type’ you wish to use:

• Internal: Internally generated certificates
• Active Directory: AD generated certificates
• Trusted: Imported certificates
• Any: All of the above

Once selected press the Ok button and the details will be saved. Client certificate authentication is now
enabled and the System is aware of which certificates will be used for authentication.

Creating a CA
A Certificate Authority is required to be able to issue certificates to the clients. This process defines SSL-
Explorer as the authority to be able to issue and validate the client certificates that will be used to log into
the server.

An external authority can also be used; the only thing required by SSL-Explorer is the importing of the
private key part of the certificates issued by this authority for each client, so that SSL-Explorer is able to
identify each client certificate being used to log in with. Further details on this can be found in the section
titled Import a Trusted Certificate.

Step 3 The SSL-Certificate page provides all the required options for this process. From the available Action
menu to the top right select the Create CA action.

For a server which already has a CA this step will be replaced by the Reset CA action. In this situation the
CA does not have to be reinitialized each time; this entire process should only need to be done once.

Step 4 This action loads the Create CA wizard. This wizard guides the user through the steps required to
configure a CA for the system. Each certificate created for a user will be issued by this authority.

The information must all be completed, and is then used to create a valid authority. Since the stamp of
authenticity is based entirely on the content provided here, it is recommended that correct information
be supplied.

The required information and its meaning are detailed below.

• Common Name: The name the certificate should be referred to by.
• Location: Where the authority is based.
• Organizational Unit: The department of the authority.
• Company: The name of the company or entity to which the certificate should be registered.

Step 5 To encrypt this information and the subsequently generated private keys the certificate requires an
encrypting password.

Step 6 The strength of the private keys is required next. The larger the key size, the stronger the keys.

Step 7 Finally a summary is shown of the certificate that is about to be created. Pressing the Finish button
will create the certificate; otherwise the Previous button will go back through each step and allow
amendments to be made.

That’s it. To see the newly generated authority that will be used to issue all client certificates from now
on select the SSL-Explorer CA keystore from the top pull-down menu.

The authority will be displayed.

The next step now is to create certificates for the users wanting to access the system.

Creating Client Certificates
Each client needs a certificate to log into the system. In particular, each client needs the certificates
generated by the newly created authority. It is these certificates that will be eventually imported into
the browser.

SSL-Explorer provides three ways in which certificates can be created.

• Inclusive
• Exclusive
• External

The first two methods use the recently created certificate authority while the last one allows the Super
User or administrator of the system the opportunity to use certificates generated by an outside
authority.

Each of these is detailed below.

Inclusive
This technique is the simplest method of generating certificates for the SSL-Explorer user population.
In fact this process generates certificates for the entire user population in one complete process. Be
warned though, certificate creation is extremely computationally expensive and this process can take a
long time, especially if you have many users and require a long key length.

Unlike the exclusive process detailed next this does not distinguish single users and instead creates a
certificate for everyone.

This doesn’t sound too convenient, but bear in mind users who don’t need a certificate will have one
generated for them anyway. For example, in Active Directory (Active Directory with certificates is
detailed in the section titled Using Active Directory Certificates), if the entire directory has been
imported into SSL-Explorer then all users, and even objects such as machines, will have certificates generated.

Step 1 From the Accounts page (Access Control → Accounts) the Action list provides the Generate
Certificate action. This is a very quick way of creating certificates for all the accounts in the userbase.

Step 2 With all certificates a password is required to encrypt its content. Client certificates are no different.
As the image below shows SSL-Explorer allows a user defined password to be keyed in or a system
generated one can be used.

When satisfied with the password pressing the Create button will generate the certificates. Each user
will have their own certificate. All the certificates are compressed into a zip file.

Step 3 This zip file should be saved.

Once stored the Super User must provide each certificate to their respective user.

From here all that is needed is for the user to import these into their browser. This section is detailed
shortly. If you are happy with this technique and prefer using this to the other two then the remaining
two methods can be skipped and you can go directly to the section titled, Importing Certificate into
Browser.

Exclusive
This method also relies on the previously generated authority to issue the required certificate; unlike the
inclusive method, however, it produces a certificate for a single user only.

An individual user can be picked out and have a certificate generated for them. This avoids the
unnecessary certificates generated by the inclusive method but has the drawback of being effective
for only a single user, meaning that for more users the process will need to be repeated.

This is also a simple process to execute and is described below:

Step 1 From the Accounts page (Access Control → Accounts) select the More… button against the account
you wish to create a certificate for.

This opens the actions list, choose the Generate Certificate action.

Step 2 Much like the previous method the system generates the certificate and compresses this into a zip file.
This certificate should be sent to the appropriate user.

From here all that is needed is for the user to import this into their browser. This section is detailed
shortly. If you are happy with this technique and prefer using this to the other two then the remaining
method can be skipped and you can go directly to the section titled, Importing Certificate into
Browser.

Import a Trusted Certificate
This final method does not rely at all on SSL-Explorer or the authority to create client certificates.
Instead the certificate is expected to have been created externally. Here simply the public key part of a
certificate is imported into the system so that SSL-Explorer is able to authenticate any client
connecting with a certificate (the private key part) issued by the external authority.

Step 1 The actions for this process are located in the SSL-Certificate page. From here the visible action list
has an option called ‘Import Certificate or Key’. This should be selected.

Step 2 This opens the ‘Certificate and Key Import’ wizard. Here the certificate needs to be imported into the
system. Select the ‘A Certificate you trust for client certificate authentication’ option.

Step 3 The system now needs to locate the certificate file. SSL-Explorer can import X.509 v1, v2, and v3
certificates and PKCS#7 formatted certificate chains consisting of certificates of that type. The data to
be imported must be provided either in binary encoding format, or in printable encoding format (also
known as Base64 encoding) as defined by the Internet RFC 1421 standard.

Use the Browse button to locate the certificate file.

Once located pressing the Next button will import the file into the system.

That’s it. The newly imported certificate will be visible from the main SSL Certificate page using the
‘Keystore’ setting of ‘Client Certificate Authentication’ as shown below.

If you have a revocation list then it would be wise to specify the URLs for example
http://dc/CertEnroll/company plc.crl now in the CRLs list box available from System
Configuration → Security Options → Client Certificates.

Like the other two methods, all that remains now is the import of the other half of the certificate into
the browser. This is explained in the next section.

Importing Certificate into Browser
The client certificate process is made up of two halves. One half is the server component and its
configuration which is what has been done so far. The other half is the client, or rather the browser end
of the process. The server is equipped with certificates and an authority, the authentication process
now requires that the client have its certificates ready too.

During the authentication process it is this client certificate that will be sent to the server. The server
will use the public key part of the certificate it has for the user to determine the authenticity of the
client certificate.

Each browser has a different way of importing a certificate, but generally they all follow a similar
process. Below shows how to import a certificate using Internet Explorer.

Step 1 From the browser open the certificate management process. In Internet Explorer, the Certificate
Manager can be accessed from Tools → Internet Options.

Step 2 Once in the process the next step is to trigger the importing procedure. The certificate will need to be
located and its associated password supplied.

Step 3 If the correct file and password have been supplied it is simply a matter of informing the browser to
accept and import this file. A summary is then shown detailing the file about to be imported and where
it will be located. Pressing Finish will complete the process.

Step 4 The newly imported certificate should be visible from the browser’s main certificate view. This is the
Certificate Manager window.

Now that the certificate has been imported all that remains is connecting to SSL-Explorer with client
certificate authentication. The system should instantly exchange and authenticate the certificates
between browser and server. Once authenticated a message should appear like the one below
informing the user that the certificate has been accepted and they have been successfully authenticated
through client certificate.

Using Active Directory Certificates
So far we have looked at how certificate authentication can be achieved when certificates are
generated by SSL-Explorer itself. In one scenario, we also explained how a certificate generated by an
external authority can be uploaded into SSL-Explorer to be able to validate externally generated client
certificates.

In this section we will now show how to use certificate authentication with an Active Directory
environment from both the server and client side.

In much the same way as before Active Directory has a server and client component. SSL-Explorer is
given an externally generated CA certificate to authenticate clients with and clients are given
certificates to authenticate themselves with. The certificates however are not generated by SSL-
Explorer but rather by the Active Directory service known as CertServ.

In much the same way as Import a Trusted Certificate, SSL-Explorer plays no part in the generation
of any certificates; it is merely given the required authenticating certificate and told to use this to
authenticate incoming client connections.

In order to use SSL-Explorer with Active Directory certificates a number of pre-requisites must be
fulfilled:

• SSL-Explorer must be configured with an Active Directory user database
• A CA certificate to authenticate client certificates must be available
• Microsoft’s Certificate Service should be running and be accessible

Only when these items are satisfied should you continue.

Server-side Configuration
Step 1 The first task is the importing of the CA certificate which will be used by SSL-Explorer to authenticate
the client certificates with. From the SSL-Certificate (Configuration → SSL Certificates) page select
the ‘Import Certificate or Key’ action from the Actions list

Step 2 This starts the Import Wizard. From here the ‘A CA Certificate for verifying Active Directory User
Certificates’ option should be selected.

Step 3 The wizard asks for the certificate file. As per the pre-requisite you should already have a CA
certificate file prepared. This should be located using the Browse button.

Step 4 Once found the system presents a summary of the certificate file about to be imported. If correct,
pressing Finish will import the file into the System.

Step 5 If you have a revocation list then it would be wise to specify the URLs, for example
http://dc/CertEnroll/company plc.crl, now in the CRLs list box available from
System Configuration → Security Options → Client Certificates.

That completes the server side of the process. Now all that remains is the client side.

Client-side Configuration
Now that the server end is complete all that remains is the creation of AD client certificates. Windows
2000 Certification Service installation adds a virtual directory called CertSrv pointing to
%systemroot%\System32\CertSrv. It is this service that clients need to access to request
certificates over an intranet. When requiring a client certificate each user needs to generate their
certificate from CertServ by going to the URL http://<Certificate Authority server>/CertSrv.

Step 1 From CertServ select the Request a certificate task.

Step 2 The next step asks for the certificate type; the User Certificate type should be chosen.

Step 3 Lastly, the strength of the key encryption needs defining. As mentioned previously, the greater the
key strength the more secure the keys.

Step 4 Unlike the internal Client Certificate option CertSrv can automatically install the newly created client
certificate. Selecting Install this certificate imports the certificate into the user’s browser.

This generated certificate is instantly imported into the browser and can be viewed through the
standard certificate manager option within your browser.

As long as the certificate type has been configured to use Active Directory (Enable Authentication)
everything is ready to use.

When client certificate authentication is triggered at logon the system and browser will authenticate the
client using the Active Directory certificates and Active Directory CA authority configured in this
section.

Configuring Client Certificates

The client certificate configuration parameters are minimal; they can be accessed from System
Configuration → Security Options → Client Certificates. These have already been defined in the
opening chapter but are here again for consistency.

The parameters merely turn client certificate authentication on or off. This overrides the
authentication scheme, so even if there were a scheme defined with client certificates it would not be
usable until client certificates have been enabled.

The parameters are detailed below.

• Mode of Operation: There are two modes of operation, Disabled, which turns off the use of
certificates and Accept Certificates which allows the use of certificates.
• Certificate Type: The type of certificate the system can accept can be either: Internally
generated certificates against a built-in database, Active Directory certificates, externally
Trusted certificates imported into the system and finally Any which configures the system to
accept any form of certificate.
• Validity Period: The duration the certificate is valid for.
• Bit Length: The length of the private key
• CRLs: Any URLs which maintain a list of revoked certificates.
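The following Go program is an added example, not SSL-Explorer code, that ties together the Create CA wizard fields, the per-account Generate Certificate action, the two encodings the Import Certificate or Key wizard accepts (binary DER or Base64 per RFC 1421) and the server-side checks implied by the parameters above: validity period, key length and revocation. The type and function names are this example's own, and the revoked-serial set is an assumed stand-in for entries that would be fetched from the configured CRL URLs.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CAFields mirrors the Create CA wizard inputs: Common Name, Location, Organizational Unit, Company.
type CAFields struct{ CommonName, Location, OrgUnit, Company string }

// CA is the server-held authority: its self-signed certificate and private key.
type CA struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// CreateCA builds the self-signed authority; bits is the Bit Length setting, validity the Validity Period.
func CreateCA(f CAFields, bits int, validity time.Duration, now time.Time) (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: f.CommonName, Locality: []string{f.Location},
			OrganizationalUnit: []string{f.OrgUnit}, Organization: []string{f.Company}},
		NotBefore: now, NotAfter: now.Add(validity),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueClientCert is the per-account Generate Certificate action; the DER certificate and key are what the user receives.
func (ca *CA) IssueClientCert(user string, serial int64, bits int, validity time.Duration, now time.Time) ([]byte, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now, NotAfter: now.Add(validity),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	return der, key, err
}

// ToPEM renders DER in the Base64 "printable encoding" (RFC 1421) that the import wizard also accepts.
func ToPEM(der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// VerifyClientCert is the server-side check at logon: the presented certificate (DER or PEM) must
// chain to the trusted CA, be within its validity period, carry the client-authentication usage and
// not be revoked (the serial set stands in for entries fetched from the configured CRL URLs).
func VerifyClientCert(presented []byte, trusted *x509.Certificate, revoked map[string]bool, now time.Time) (string, error) {
	if blk, _ := pem.Decode(presented); blk != nil {
		presented = blk.Bytes
	}
	cert, err := x509.ParseCertificate(presented)
	if err != nil {
		return "", err
	}
	if revoked[cert.SerialNumber.String()] {
		return "", fmt.Errorf("certificate with serial %s has been revoked", cert.SerialNumber)
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	now := time.Now()
	ca, err := CreateCA(CAFields{"SSL-Explorer CA", "London", "IT", "Example Ltd"}, 2048, 3650*24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	der, _, _ := ca.IssueClientCert("alice", 2, 2048, 365*24*time.Hour, now) // error check omitted in the demo only
	fmt.Println(VerifyClientCert(ToPEM(der), ca.Cert, nil, now.Add(time.Hour)))
	fmt.Println(VerifyClientCert(der, ca.Cert, map[string]bool{"2": true}, now.Add(time.Hour)))
}
```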

Public Key Authentication
Public key authentication is one of the most secure authentication methods; not so much because of
the authenticating process itself, but rather because the identity used in the process can be stored
on a removable USB key device.

Having a hardware medium which maintains the identity file adds a dimension of security standard
authentication processes do not have. No longer do passwords have to be juggled in someone’s head or
written down on a piece of paper but can be carried around and taken away with the user.

When the user accesses the system to login with public key authentication a random ticket is generated
by the system. It is this ticket or token that is used to authenticate the user. The client side private key
is used to sign the ticket. This ticket is then sent to the server. On receipt the server uses the
corresponding public key to validate the signature against the token. If the signature is valid the user is
then successfully authenticated.

This process can only take place if the user has their identity available and if that identity is stored onto
a removable USB key then only the person with that USB key can actually log in to the system.
Unwarranted attempts are futile as the identity file is unique to each user.

Configuring public key authentication is a simple two-step process. All that is needed is an
authentication scheme with public key authentication, and then providing each user with their identity
file; this step is detailed in the next section, Identity Creation. From there all a user needs to do is log
into the system.

Step 1 The identity authentication scheme should be selected at logon.

Step 2 The public key authentication method automatically begins to search for identity files across all the
external drives including C:\<HOME> where HOME represents the users home drive. Any files found
are collated together. Using the Use a known identity option the user can then proceed to select the
appropriate identity he or she wishes to use. The corresponding passphrase must also be supplied.

If however the identity file is stored anywhere else the system will be unable to locate this file. The
user will have to use the Use an identity file option and manually locate the file.

If successful the user will be logged into the system, simple as that.
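To make the ticket exchange described above concrete, here is an added Go example (not SSL-Explorer code): the server issues a random ticket at logon, the client signs it with the private half of its identity, and the server verifies the signature with the stored public half, consuming the ticket so a captured signature cannot be replayed. Ed25519, the in-memory server and all names here are this example's assumptions; passphrase encryption of the identity file is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Identity is a user's key pair. The private half is what the guide recommends
// keeping on the user's USB key; the server holds only the public half.
type Identity struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewIdentity is the Generate step of Identity Creation (passphrase
// encryption of the stored file is omitted in this demonstration).
func NewIdentity() (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Public: pub, private: priv}, nil
}

// Sign is the client side: the private key signs the ticket the server issued.
func (id *Identity) Sign(ticket []byte) []byte { return ed25519.Sign(id.private, ticket) }

// Server keeps each enrolled user's public key and at most one outstanding
// ticket per user, so an old signature is never valid for a later logon.
type Server struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enrol stores the public half of an identity against an account.
func (s *Server) Enrol(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// IssueTicket generates the random ticket at the start of a logon attempt.
func (s *Server) IssueTicket(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	t := make([]byte, 32)
	if _, err := rand.Read(t); err != nil {
		return nil, err
	}
	s.pending[user] = t
	return t, nil
}

// Authenticate checks the signature over the outstanding ticket with the
// user's public key. The ticket is consumed whether or not the check passes,
// so every attempt needs a fresh ticket and a client cannot choose its own.
func (s *Server) Authenticate(user string, ticket, sig []byte) error {
	expected, ok := s.pending[user]
	delete(s.pending, user)
	if !ok {
		return errors.New("no logon in progress for user")
	}
	if subtle.ConstantTimeCompare(ticket, expected) != 1 {
		return errors.New("ticket does not match the one issued")
	}
	if !ed25519.Verify(s.users[user], ticket, sig) {
		return errors.New("signature not valid for this user's identity")
	}
	return nil
}

func main() {
	alice, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enrol("alice", alice.Public)
	ticket, _ := srv.IssueTicket("alice")
	fmt.Println("ticket:", hex.EncodeToString(ticket))
	sig := alice.Sign(ticket)
	fmt.Println("first use:", srv.Authenticate("alice", ticket, sig))
	fmt.Println("replay:", srv.Authenticate("alice", ticket, sig))
}
```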

Identity Creation
An identity is the entity which uniquely defines the user it is associated with. The identity is used to
sign the ticket the system produces at log on. To secure the identity even further it is highly
recommended that once an identity is generated it is stored on the user’s USB key.

An identity can be created both by the Super User, from the Management Console, and the user from
the User Console. In this section we detail both processes.

Management Console
The Super User can initialize the identity for a user and can continue to reset the identity. Depending
on the company’s strategy the Super User can be responsible for all identity renewals.

Step 1 From the Accounts page (Access Control → Accounts) press the More… button against the user. The
action list is shown, select the Set Identity action.

Step 2 The system asks for a Passphrase to encrypt the identity. When a passphrase has been supplied,
pressing the Generate button will create an identity encrypted by that passphrase.

Step 3 The system provides the identity in a zip file. This should be stored in a secure location and the
identity files extracted and given to the appropriate user. It is highly recommended that the user store
the identity file on a USB key for greater security.

It is this created identity that will be used to authenticate the user during public key authentication.

User Console
The user can also configure their own identity. In fact the Super User, by using ‘Reset Identity’, can
force users to create their own identities.

Step 1 The navigation panel to the left shows the selection of actions that can be performed by the user. Select
the Update Identity action.

Step 2 This takes us to the Update Identity window. From here the user’s identity can be updated. As a
security measure the user must also provide their account password.

The system requires the new passphrase associated with this new identity. Once satisfied pressing the
Generate button will create the new identity file.

Step 3 As before, the identity is provided within a zip file. This should be stored, the identity file
extracted, and the extracted file stored on a USB key.

That’s all there is to it. When the user logs into the system, it is this identity the authentication module
will ask for.

Reset Identity
Here the Super User can force each user to define their own identity when they first log on with public
key authentication. Selecting this when a new account is created is a great way to encourage users to
configure and manage their identities and other security passwords.

Must be Two-Factored Scheme

For reset to work correctly, public key authentication must be in a scheme with at least two
authentication modules, and public key must not be positioned as the primary module.

This action is exclusive to the Super User.

Step 1 From the Accounts page (Access Control → Accounts) press the More… button against the user you
wish to reset an identity for. From the action list select the Reset Identity action.

Step 2 The system displays a warning message clarifying the action about to be performed. Pressing Yes will
continue with the reset.

That’s all there is to resetting the identity.

Step 3 Now when the user next logs into the system they will be presented with the first authentication method
and, if successful, the second authentication method, public key, will not ask for an identity but rather
force the user to generate a new one, much like before.

Much like before, the identity will need to be safely stored on a secure medium such as a USB key. The user
will be logged into the system and will now possess a new identity, which will need to be presented the
next time they log in.

Configuring Public Key
The Public Key configuration page can be accessed from System Configuration → Security Options
→ Key Authentication. Its configurable parameters are detailed below.

• Allow User to Create Initial Identity: The Super User has the option of creating an identity
for SSL-Explorer’s user base from the Edit Accounts page; this option however alleviates this
need by forcing the users themselves to create their own identity files at login time. If the user
chooses key authentication the system will force the creation of an identity.
• Enforce Password Security Policy: Enforce that passphrase conforms to the password
policy under System Configuration → Security Options → Password Options.

Import Identity
This function allows an already existing key to be imported into SSL-Explorer as a user's public key.
This action can be performed by any user who has account editing privileges.

When SSL-Explorer looks on a device, such as a USB key, it tries to find the public key. This key
should be in a sub-folder of the device's root directory called “.sslexplorer-ids”. So, for the
external device to operate as required, the public key file must always be in this folder, for example
E:\.sslexplorer-ids\myPublicKey.pub.

Step 1 From the Accounts page (Access Control → Accounts) press the More… button against the user you
wish to import an identity for. From the action list select the Import Identity action.

This then displays the following page.

Step 2 Simply locate the *.pub file that you wish to import using the file system Browse button.

Step 3 Once the file is chosen, simply use the Upload button to import the identity.

That’s all there is to it.

IP Authentication
IP authentication is the only authentication method that requires no input from the user at logon. Since it
relies on the address of the client machine as opposed to anything the user supplies, IP authentication is
able to determine the validity of a user even before the logon page is displayed.

IP authentication ties the user to a specific IP address.

During logon if an endpoint has been configured as denied an error message will be shown in the
events pane. The only way to log into the system using the same account is from the attributed IP
address.

Creating a Restriction
Once an authentication scheme has been defined with IP authentication all that you need to do is
assign a valid IP address to each user.

Step 1 From the accounts page edit a user you wish to assign an IP address to.

Step 2 From the Attribute tab enter a valid IP address. It is this IP address that will be checked when the user
logs in; if the user and IP do not match, the user cannot log into the system.

To allow a user to log in from any machine, use the default value of *.*.*.*
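The restriction check described in this section, written out as an added example; this is not SSL-Explorer's own code, and the exact pattern syntax the product accepts beyond the default *.*.*.* shown above is an assumption here (each of the four octets is either a decimal value or a * wildcard). The user names and addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// DefaultPattern is the value the guide gives for "any machine".
const DefaultPattern = "*.*.*.*"

// MatchIPPattern reports whether the dotted-quad address addr satisfies
// pattern, where each of the four octets in pattern is either a decimal value
// or "*". Per-octet wildcards beyond the all-wildcard default are an assumption
// about the syntax. Anything that is not four well-formed octets fails closed.
func MatchIPPattern(pattern, addr string) bool {
	p := strings.Split(pattern, ".")
	a := strings.Split(addr, ".")
	if len(p) != 4 || len(a) != 4 {
		return false
	}
	for i := 0; i < 4; i++ {
		octet, err := strconv.Atoi(a[i])
		// Reject non-numeric, out-of-range, signed or zero-padded octets so that
		// only the canonical form of an address can ever match.
		if err != nil || octet < 0 || octet > 255 || strconv.Itoa(octet) != a[i] {
			return false
		}
		if p[i] == "*" {
			continue
		}
		want, err := strconv.Atoi(p[i])
		if err != nil || want != octet {
			return false
		}
	}
	return true
}

// Assignments models the per-user Attribute value entered on the accounts page.
type Assignments map[string]string

// Allowed applies the restriction for user. A user with no explicit value gets
// DefaultPattern, matching the guide's statement that the default allows any
// machine.
func (as Assignments) Allowed(user, clientIP string) bool {
	pattern, ok := as[user]
	if !ok {
		pattern = DefaultPattern
	}
	return MatchIPPattern(pattern, clientIP)
}

func main() {
	as := Assignments{
		"alice": "172.16.5.9",  // constructed: pinned to one workstation
		"bob":   "10.20.*.*",   // constructed: any address in the office range
	}
	for _, c := range [][2]string{
		{"alice", "172.16.5.9"}, {"alice", "172.16.5.10"},
		{"bob", "10.20.7.33"}, {"bob", "10.21.7.33"},
		{"carol", "203.0.113.5"}, // no assignment: default pattern applies
	} {
		fmt.Printf("%-6s from %-14s allowed=%v\n", c[0], c[1], as.Allowed(c[0], c[1]))
	}
}
```

Because the decision is made before the logon page is shown, a denied user sees only the error in the events pane; the fail-closed parsing above ensures a malformed or non-canonical address never slips through as a match.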

RADIUS Authentication
SSL-Explorer Enterprise makes available the RADIUS authentication module allowing SSL-Explorer
to integrate with a corporate RADIUS authentication server.

The RADIUS authentication method (Remote Authentication Dial In User Service) is known as an
AAA (authentication, authorization and accounting) protocol. It allows for a RADIUS server to be
queried by SSL-Explorer in order to validate a user’s logon request.

As the RADIUS server is outside of the control of SSL-Explorer, certain actions will not be available
such as ‘create’ or ‘edit’. This also has an effect on how this module is used in an authentication
scheme. As a username and password are supplied it can be used as either a primary or secondary form
of authentication. It can also be combined with other modules, but of course care should be taken to
ensure that the selected modules within an authentication scheme are compatible.

The pre-requisite for this authentication method is:

• Operating RADIUS server

The server must be available and be populated with all users that will be used for authentication, after
all SSL-Explorer is merely interfacing with the results of the server and plays no part in the
management of the server content.

Once the scheme is activated, all that is required before it can be used for login is to configure
SSL-Explorer to locate the server; configuration information can be found in the section titled
Configuring RADIUS.

Once everything has been configured properly the user will be able to select RADIUS as the
authentication scheme to use.

When the user’s authentication details are supplied SSL-Explorer forwards these onto the RADIUS
server. The authentication result returned determines whether the user is authenticated into the System
or not.

Configuring RADIUS
The configuration parameters are vital to the success of the scheme. If any of these parameters are
incorrect SSL-Explorer will be unable to communicate with the RADIUS server. So it is imperative
that these are understood and used correctly. The parameters are accessible from System
Configuration → Security Options → RADIUS as shown below.

The parameters are detailed below.

• RADIUS Server: This refers to the hostname or IP address of the RADIUS server.
• Authentication Port: The port on the RADIUS server to use to service authentication
queries.
• Accounting Port: A port address on the RADIUS server pertaining to all accounting traffic.
• Shared Secret: If the RADIUS server requires, enter the RADIUS server's shared
password/key here.
• Authentication Method: The authentication method to use to communicate with the
RADIUS server itself.
• Time Out: The number of seconds to wait for a response from the RADIUS server before
failing.
• Authentication Retries: The number of authentication attempts allowed before the account
is locked out.
• RADIUS Attributes: Special attributes to be sent to the RADIUS server as part of the
authentication process.
• Username Case: Define what case is used for the username sent to the RADIUS server.
• Expect Challenge: Expect an initial challenge from the RADIUS server (i.e. the user does not
provide a password prior to the first RADIUS Access-Request).
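To show why the Shared Secret and the Authentication Method matter, here is the RFC 2865 User-Password encoding used when the method is PAP (the setting the RSA SecurID section later recommends), as an added example that is not SSL-Explorer's code or a RADIUS library: the client XORs the padded password with MD5(secret || Request Authenticator), chaining each 16-byte block, and the server reverses it with the same secret. The secret, password and function names are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewRequestAuthenticator returns the 16 random bytes that go into the
// Access-Request header and seed the password obfuscation (RFC 2865 s3).
func NewRequestAuthenticator() ([16]byte, error) {
	var ra [16]byte
	_, err := rand.Read(ra[:])
	return ra, err
}

// keystreamBlock computes MD5(secret || prev), the 16-byte mask for one block.
func keystreamBlock(secret string, prev []byte) []byte {
	h := md5.New()
	h.Write([]byte(secret))
	h.Write(prev)
	return h.Sum(nil)
}

// EncodePAPPassword implements RFC 2865 s5.2: the password is NUL-padded to a
// multiple of 16 bytes and block i is XORed with MD5(secret || c[i-1]), where
// c[-1] is the Request Authenticator. This is what SSL-Explorer's RADIUS
// module would send when Authentication Method is PAP.
func EncodePAPPassword(secret string, ra [16]byte, password string) ([]byte, error) {
	if len(password) == 0 || len(password) > 128 {
		return nil, errors.New("password must be 1..128 bytes")
	}
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	out := make([]byte, len(padded))
	prev := ra[:]
	for i := 0; i < len(padded); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ b[j]
		}
		prev = out[i : i+16] // chain on the ciphertext block just produced
	}
	return out, nil
}

// DecodePAPPassword is the server side of the same operation. With the wrong
// Shared Secret the keystream differs and the recovered password is garbage,
// which is why a secret mismatch shows up as every user being rejected rather
// than as a connection error. Trailing NUL padding is stripped.
func DecodePAPPassword(secret string, ra [16]byte, encoded []byte) (string, error) {
	if len(encoded) == 0 || len(encoded)%16 != 0 || len(encoded) > 128 {
		return "", errors.New("User-Password must be 16..128 bytes, a multiple of 16")
	}
	out := make([]byte, len(encoded))
	prev := ra[:]
	for i := 0; i < len(encoded); i += 16 {
		b := keystreamBlock(secret, prev)
		for j := 0; j < 16; j++ {
			out[i+j] = encoded[i+j] ^ b[j]
		}
		prev = encoded[i : i+16]
	}
	return string(bytes.TrimRight(out, "\x00")), nil
}

func main() {
	const secret = "example-shared-secret" // constructed sample value
	const password = "correct horse battery staple" // constructed sample value
	ra, _ := NewRequestAuthenticator()
	enc, _ := EncodePAPPassword(secret, ra, password)
	fmt.Printf("encoded User-Password (%d bytes): %x\n", len(enc), enc)
	good, _ := DecodePAPPassword(secret, ra, enc)
	bad, _ := DecodePAPPassword("wrong-secret", ra, enc)
	fmt.Printf("server with right secret: %q\n", good)
	fmt.Printf("server with wrong secret: %q\n", bad)
}
```

Note what this does and does not protect: the mask is derived from the shared secret, so anyone who can read traffic between SSL-Explorer and the RADIUS server but does not hold the secret cannot read passwords, but MD5-based masking is not modern encryption, so the link between the two servers should still be on a trusted network segment.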

Remote Client Authentication
In addition to the Default and Password and Personal Details authentication schemes that come pre-
configured as part of SSL-Explorer two further authentication schemes are available, WebDAV and
Embedded client.

These consist of single modules that cannot be edited or removed. Their purpose is to support remote
access to resources protected by SSL-Explorer while bypassing the SSL-Explorer front-end, for example
in situations where embedded access needs to be made through a bespoke application and not through
SSL-Explorer.

By default these are turned off and should only be enabled when required. Each scheme is detailed
below.

WebDAV
WebDAV is a set of extensions to the HTTP protocol which allow users to collaboratively edit and
manage files on remote web servers. WebDAV enables clients on PCs or Macs to access files and
folders on a server in much the same way as on the desktop, while actually residing on a remote server
being accessed over the Internet.

As the diagram above shows, in order to access remote files across the internet the desktop must be
running a WebDAV client such as Windows Explorer. The remote location must be running a
WebDAV server to make the remote directories accessible and as the diagram depicts SSL-Explorer
runs its own WebDAV server so directories on the remote machine can be accessed through SSL-
Explorer.

The WebDAV authentication scheme, when enabled, allows external applications to access the
WebDAV server using username and password authentication regardless of which schemes SSL-Explorer
has configured. If this is disabled then WebDAV resources may only be accessed when launched
directly from SSL-Explorer’s Network Places page. Any shortcuts created on the user’s Windows
desktop or in Windows Control Panel Network Places will not work.

Embedded Client
The Embedded VPN client is a Java API provided by 3SP Ltd. which gives external applications the
ability to create secure tunnels to hosts protected by SSL-Explorer. This allows an external application
to bypass the general interface processing of SSL-Explorer and tunnel through SSL-Explorer to the
remote servers for secure communication.

Similarly to WebDAV, the authentication scheme allows access to SSL-Explorer resources
through the embedded client using username and password regardless of what SSL-Explorer has
configured as its authentication schemes. If this is disabled then clients connecting in through the
embedded client API will not be able to access any resources through SSL-Explorer.

Hardware Token Authentication

SSL-Explorer: Enterprise Edition contains a range of advanced features that allow for strong multi-
factor authentication measures using hardware token devices. Technologies such as RADIUS and SSL
client certificates may be combined with advanced hardware authentication devices from vendors such
as Aladdin, SafeNet or RSA, amongst a plethora of others.

Two-factor, or multi-factor, authentication is considered to be ‘strong authentication’ today, and this
methodology combines the principle of ‘something you know’ with ‘something you have’. In terms of
SSL-Explorer usage, your users know their username/password, and may also have a hardware
authentication key fob.

This is considered ‘strong authentication’ because in order to compromise the system, an attacker must
get access to the user’s password along with the physical authentication device that the user carries.
Given that most intrusion attempts are conducted from remote locations, this makes the job of an
intruder much more difficult.

We do not recommend the use of weak authentication methods such as password-only. SSL-
Explorer’s authentication methods are designed in such a way that you can layer them as you see fit.
For example if you really wanted to, with SSL-Explorer you could configure SSL client-certificate,
OTP over SMS, password, PIN and SecurID authentication to protect entry to your system. However
you might find that after a little while your users no longer want to talk to you!

In this chapter we will cover the setup and authentication processes involved with these products.

• SafeNet iKEY 2032 Configuration
• Aladdin eToken PRO Configuration
• RSA SecurID Authentication Manager
• VASCO Digipass Token Configuration
• SafeWord Configuration

SafeNet iKEY 2032 Configuration

This product takes the form of a small USB key device that is small enough to be carried as part of a
bunch of keys on a chain. It uses SSL client certificate authentication to present a certificate to SSL-
Explorer, making textbook use of the ‘something you know, something you have’ security
methodology by combining a secret passphrase with the certificate on the device.

The SafeNet iKey 2032 requires a special utility (CIP Utilities) to be installed on the client PC; this
software deals with certificate management as well as performing tasks such as requesting the passphrase
when connecting to secure websites such as SSL-Explorer. When the device is inserted into the USB
slot, the client software loads the certificate into the Windows Certificate Store, where it may be
accessed by the client’s browser and presented to SSL-Explorer.

In order to set up SSL-Explorer to use the SafeNet iKey 2032 for authentication, we need to do the
following things, some of which have already been covered in previous chapters. Please follow the
links to sections that cover the tasks in more detail.

• Configure SSL client certificate authentication in SSL-Explorer
• Create SSL client certificates to authenticate your users. Either:
o Generate SSL client certificates for your users using the built-in SSL-Explorer CA, or:
o Import existing SSL client certificates purchased from an existing CA
• Configure an authentication scheme that uses SSL client certificates
• Import these certificates into each device using the CIP Utilities software
• Issue devices to your users

SafeNet CIP Utilities

The first thing you are likely to want to do is to create a passphrase on each of your USB devices. This
is an additional layer of security that is used in addition to the certificate itself. This means that an
unscrupulous individual will not be able to use the key if found or stolen, without first knowing this
passphrase.

Importing SSL Certificates into the Devices
Next you will want to import the certificate generated from SSL-Explorer onto the key.

You will be prompted for a *.p12 file. This refers to the format of the certificate file that is generated
by SSL-Explorer. Select the relevant certificate for this user’s key and select OK.

You will then be prompted to enter the password for the certificate – this is the password that was set
when the certificates were generated in SSL-Explorer. Once the correct password has been entered, the
certificate is imported and you can view its details in the right hand column.

You will next want to right-click on the certificate and choose ‘copy certificate to the system’. This
will copy the certificate to the Windows Certificate Store, but this is useless without the corresponding
private key which always remains on the USB device.

And that’s the key configured. Since SSL-Explorer knows which certificate to associate with each
user, we should now be able to try connecting using our new SSL Client Certificate scheme. You will
notice that you are prompted by the browser to select an SSL client certificate to present to SSL-
Explorer.

As an additional step of the authentication process, you will be prompted by the CIP Utilities software
to enter your iKey passphrase in addition to this.

Once this is entered successfully, the authentication process is complete.

Aladdin eToken PRO Configuration
Similarly to the SafeNet iKey, the Aladdin eToken PRO makes use of SSL client certificate
authentication to present a digital certificate to the SSL-Explorer server. The only real difference from
the perspective of the administrator is the eToken software itself, which must be installed manually on
the client PCs.

We will begin with the standard Aladdin eToken PRO device that uses SSL client certificate
authentication. The main steps are as follows:

• Configure SSL client certificate authentication in SSL-Explorer
• Create SSL client certificates. Either:
o Generate SSL client certificates for your users using the built-in SSL-Explorer CA, or:
o Import existing SSL client certificates purchased from an existing CA
• Configure an authentication scheme that uses SSL client certificates
• Import these certificates into each device using the eToken Properties tool
• Issue devices to your users and start using them!

Using eToken Properties

Aladdin eTokens can be managed quite easily using a software tool named eToken Properties. This
tool can detect Aladdin devices that can be connected using the USB port and is used to initialize, set
passwords and import certificates onto the devices.

Insert the device into the USB port and launch eToken Properties and you will be presented with a
dialog similar to the following:

The first thing you will probably want to do is set a password on your devices. The standard password
set on factory initialized devices is 0123456789. Hit ‘change password’ and set the password to
something more secure.

A password complexity meter is provided to give you an indicator of how secure your password is. As
is often the case, a combination of uppercase letters, numerals and punctuation marks help to create
stronger passwords.

Next you will need to import the SSL client certificate onto the device. On the ‘certificates & keys’
tab, select ‘Import Certificate’ and then choose ‘Import Certificate from File’.

Select the P12 file and open it. You will then be prompted for the passphrase.

When the passphrase is entered successfully, the certificate is imported onto the device.

And that’s it. The device has been configured with the key, and now all that remains to be done is to
test the authentication process works with SSL-Explorer. Try connecting to your SSL-Explorer VPN
server.

When you try connecting to the VPN server, you will be prompted to select the certificate you wish to
present to the SSL-Explorer server.

Select the appropriate certificate and hit OK. You will then be prompted to provide the eToken
passphrase that you set in eToken Properties.

Hit OK and access is granted!

RSA SecurID Authentication Manager
RSA SecurID is probably the most well known hardware token-based authentication method. SSL-
Explorer: Enterprise Edition is able to make use of SecurID authentication using the RADIUS feature
to provide communication between the RSA server and SSL-Explorer.

When combined with an Active Directory user database this method is especially powerful, as accounts
may be centrally managed, with both SSL-Explorer and RSA Authentication Manager reading accounts
from your Active Directory domain.

To configure RSA SecurID authentication with SSL-Explorer you will need to do the following:

• Configure an Authentication Scheme that uses RADIUS authentication as one of the
authentication stages
• Add an Agent Host Record for the SSL-Explorer server in order to allow communication
between SSL-Explorer and the RSA server
• Add the SSL-Explorer server as a RSA RADIUS client
• Import tokens and add users
• Test the authentication process

Optionally you may wish to:

• Synchronize your Authentication Manager’s accounts database with your Active Directory
domain controller

Configuring an Authentication Scheme that uses RADIUS

The first thing necessary to support SecurID is to configure an authentication scheme that will use
RADIUS. Later we will configure SSL-Explorer to talk to the SecurID RADIUS authentication
server.

Firstly, browse to Configuration → System Configuration → Security Options → RADIUS and
configure the RADIUS dialog as follows.

RADIUS Properties
• RADIUS Server – Enter the IP address of the RSA Authentication Manager RADIUS server
• Authentication Port – This is the port the RADIUS server is listening to for authentication
requests.
• Account Port – This is the port the RADIUS server is listening to for accounting requests.
• Shared Secret – This is a password that requires setting on both SSL-Explorer and the
Authentication Manager.
• Authentication Method – This should be set to PAP (Password Authentication Protocol)
unless otherwise instructed.
• Time out – Seconds to wait for a response from the server before timing out upon
authentication.
• Authentication Retries – Number of times to reattempt a timed-out authentication request.

Next, you will need to browse to Access Control → Authentication Schemes and configure a new
authentication scheme that includes the RADIUS authentication. Create a new scheme, similarly to
the one below.

Next you will need to assign authentication methods to the scheme. Add ‘Password’ and also add
‘RADIUS’ to create a scheme with Password authentication as the primary method and RADIUS as
the secondary method. Click Next.

Next choose the policies to assign this authentication scheme to. For the purposes of this example,
we’ll use the ‘Everyone’ policy to assign to all users.

Review your settings and click Finish to create the new scheme.

That’s the authentication scheme completed.

Add an Agent Host Record for the SSL-Explorer server
Next you will need to create an Agent Host Record to allow the SSL-Explorer server and the RSA
Authentication Manager to communicate with each other. This is done from within the Authentication
Manager Control Panel software.

Start the RSA Authentication Manager (named ‘RSA Authentication Manager Host Mode’ on the
Microsoft Windows Start Menu).

Select Add Agent Host from the Agent Host menu. You will need to enter the values for your SSL-
Explorer VPN server, such as its network address. Set all other parameters as follows:

That’s it.

Add the SSL-Explorer Server as a RADIUS client
In RSA Authentication Manager, go to RADIUS → Manage RADIUS Server. You will need to
have assigned at least one token to the administrative user at this stage.

The RADIUS manager displays a dialog similar to the following.

You will now need to add a new RADIUS client, select the RADIUS Clients node and select Add from
the toolbar. Fill out the dialog similarly to as follows and click OK.

Your server is now added as a RADIUS client and can talk to RSA Authentication Manager.

Importing and Assigning Tokens to your Users
Unless you have already done so, you will need to assign tokens to your users. Since both RSA
SecurID and SSL-Explorer support Active Directory authentication, you can either configure Active
Directory support in both and use your existing user account database or create accounts in the Built-in
databases of RSA Authentication Manager and SSL-Explorer. We will assume that you have already
decided on your user database strategy at this point.

To import a token, select Token → Import Token in RSA Authentication Manager.

The token is imported.

Now you will need to assign imported tokens to your users. Locate your user from the User → Edit
User and choose the ‘Assign Token’ button.

Choose select token from list. The Select Token dialog is displayed.

Click OK and the user will be assigned the RSA key fob.

Test the Authentication Process
Now that RADIUS authentication is configured, you will want to try out authentication using your
RSA key fob. Since we have Password and RADIUS methods in our authentication scheme, you will
need to enter username, password and your SecurID one-time-password. This demonstration assumes
that this scheme is set as the default.

Enter your username when prompted.

The second stage prompts you for password – this is the password to the user database you have
currently configured, e.g. Active Directory.

If the password was accepted, the second password prompt will be shown. This prompt asks for the
OTP displayed on the key fob.

• If you configured the key fob with a PIN, e.g. ‘4567’, you will need to enter this followed by
the SecurID token code displayed on the device. For example, if the device displays
‘441370’ and your PIN number is ‘4567’; you should enter ‘4567441370’ in this field.
• If you do not have a PIN, simply enter the code displayed on the device.

When successfully authenticated, you will be presented with the Favorites page!

Synchronization with Microsoft Active Directory
It is possible to synchronize RSA Authentication Manager’s account database with that of your Active
Directory server which uses the LDAP protocol. To do this, you will need to configure an ‘LDAP
synchronization’ in Authentication Manager. This will periodically retrieve a list of accounts from the
Active Directory LDAP schema and update your account list.

You should be familiar with the conventions of specifying LDAP queries before attempting this
configuration, but we will demonstrate an example of a basic LDAP synchronization.

In the Authentication Manager, select User → LDAP Users → Add Synchronization.

We will configure a synchronization that will retrieve all LDAP objects with a class of ‘user’ from an
organizational unit within the LDAP schema, named ‘Employees’. You will need to enter information
similar to the following. This job is set to run every minute just so that we can quickly see whether the
values we have entered are correct.

Click OK, and wait a minute for the job to be run. Go back to your list of LDAP synchronizations and
you should see a status message similar to ’10 User(s) Updated’ as in the picture below – our users
have been imported successfully.

And that’s Active Directory configured. Your users can now be assigned tokens in the normal way in
Authentication Manager.

You’ll most likely now want to set up Active Directory authentication within SSL-Explorer to take
advantage of the centralized account management that this approach offers. You can find more
information on this in SSL-Explorer: Getting Started Guide under the chapter Data Management.

VASCO Digipass Token Configuration
SSL-Explorer can be configured to authenticate to a VASCO server using the RADIUS feature of the
product. Note that VASCO does not currently include a RADIUS server with their product, therefore
you will need to use an external RADIUS server (e.g. FreeRADIUS) to provide the RADIUS
component of this solution.

To configure Digipass token authentication with SSL-Explorer you will need to do the following:

• Configure an Authentication Scheme that uses RADIUS authentication as one of the
authentication stages
• Configure the RADIUS server in VACMAN Middleware
• Add the SSL-Explorer server to VACMAN as a RADIUS client
• Create Users in VACMAN Middleware
• Import Digipass Tokens into VACMAN Middleware
• Assign Digipass Tokens to users
• Test the authentication process

Configure the RADIUS server in VACMAN Middleware

In VACMAN Middleware, log on to your VACMAN server, expand the server tree and right click on
the RADIUS server’s node.

Select ‘New RADIUS Server’ to create the new server.

Enter the relevant properties for the RADIUS server on your network and click OK.

The VACMAN Server service may need to restart and you might need to log onto the server again.
Once this is complete the new RADIUS server details are listed under the RADIUS Server node.

Add the SSL-Explorer Server to VACMAN as a RADIUS client
In order for the SSL-Explorer server to talk to the VACMAN server via RADIUS, it will need to be
configured as a RADIUS client.

Click ‘Create’ and the new RADIUS client will be created.

Create Users in VACMAN Middleware
You will need to create some users in the VACMAN Middleware server in order to authenticate them
using the Digipass devices.

Right click on the ‘Users’ node and select ‘New User’.

The new user dialog appears. Enter the relevant details and click ‘Create’.

The new user is created and appears in the user list.

Importing Digipass Tokens to VACMAN

In order to authenticate your users using Digipass tokens, you will firstly need to import them into
VACMAN Middleware. You can do this as follows.

Right click on the Digipass node and select ‘Import Digipass’

An import dialog will appear. You will now need to import the Digipass import file (a *.dpx file) for
the relevant keys.

Enter the 32 character hexadecimal number into the ‘Key’ field.

Click ‘Import All Applications’ to import all records. You can alternatively pick just the relevant
applications you wish to import by selecting ‘Import Selected Applications’. Click ‘Close’ when done.

The import proceeds and you will see the imported tokens in the Digipass item list.

Assign Digipass Tokens to Users
The last step of the Digipass configuration is to assign the Digipass tokens to the relevant users within
VACMAN Middleware. This can be done similarly to the following:

Locate the relevant Digipass token in the Digipass list in the server tree. Right-click on the token and
select ‘Assign’.

Enter the username in the ‘User ID’ field and click the ‘Find’ button to search for the user.

Select the relevant username and click ‘OK’. The Digipass token will be assigned to that user.

Test the Authentication Process

Now that RADIUS authentication is configured, you will want to try out the authentication process in
SSL-Explorer using your Digipass key fob.

Enter your username when prompted.

The second stage prompts you for password – this is the password to the user database you have
currently configured, e.g. Active Directory.

If the password was accepted, the second password prompt will be shown. This prompt asks for the
OTP displayed on the key fob.

If you configured the key fob with a PIN, e.g. ‘4567’, you will need to enter this followed by the token
code displayed on the device. For example, if the device displays ‘157252’ and your PIN number is
‘4567’, you should enter ‘4567157252’ in this field.

When successfully authenticated, you will be presented with the Favorites page.

SafeWord Configuration
SSL-Explorer can be configured to authenticate to a SafeWord server using the RADIUS feature of the
product. Note that SafeWord requires an Active Directory database and Internet Authentication Server
(IAS) installed on the Domain Controller.

To configure SafeWord authentication with SSL-Explorer you will need to do the following:

• Install and configure the SafeWord Server
• Configure an IAS
• Create an Authentication Scheme that uses RADIUS authentication as one of the
authentication stages
• Test the authentication process

Installing SafeWord
Start the setup from the CD.

Click Yes to get the latest updates if required; these will then download.

Enter the serial number and click OK.

More files will download from the update server and the installation starts.

Click Next.

Click Yes.

Click Next.

Click the top option, then Next.

The Visual C++ redistributable installs and more update files are downloaded.

Safeword Server and Active Directory Management Console should already be ticked. Scroll down
and tick IAS (RADIUS) Agent. Click Next.

Click Next.

Click Next. More updates are downloaded and the files start installing. This can take a while.

Change the ports if required and enter the Encryption and Signing keys. Click Next.

Confirm the domain or re-enter the domain if incorrect. Click Next. More files will install.

Click Yes.

Click Finish.

Configuring SafeWord
Start Active Directory Users and Computers.

Expand the domain; you should see a SafeWord folder. Click on this.

Enter an administration password to be used with SafeWord and click OK.

A web page will also appear asking for a new password for the User Center.

Enter a new password and click Submit.
Back in AD Users and Computers, click on Import/Backup/Restore under Safeword.

Click Browse under Import Tokens, browse to the import file on the CD provided with the tokens.
Click Import.

You should now have tokens listed in the Tokens section. Now we can assign tokens to users.

Bring up the properties screen for a user you want to assign a token to and select the SafeWord tab.
Enter the token serial number and an optional PIN code if you want to use one. Click Apply; the
lower part of the properties page then becomes active. Here you can enter a passcode from the
token to test that it is working correctly. If this test fails, try again. If it still fails, you should be able to fix it
by clicking Re-Sync.

While in the user properties, go to the Dial-in tab and tick Allow Access under Remote Access
Permission.

Configuring IAS

Start the Internet Authentication Service management console and create a new RADIUS client that
points to your test client.

For the client Vendor, choose RADIUS standard and enter a shared secret.

Using a tool such as NTRadPing, test the RADIUS response.

Enter the server name, port 1812 and the secret key. Enter the username to test against and the
passcode generated by the token (followed by the PIN if that option was set). Click Send; if it is
working, you should see an Access-Accept response.
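What a RADIUS test tool such as NTRadPing does under the hood, as an added example that is not part of this guide or 3SP's code: it builds an RFC 2865 Access-Request with a PAP User-Password for UDP port 1812 and checks the Response Authenticator on the Access-Accept, which is what stops a forged reply being accepted. The shared secret, username and passcode are constructed sample values, and the IAS server is simulated in-process, so nothing is sent on the network.

```python
"""Minimal RADIUS (RFC 2865) Access-Request builder and reply verifier.

Added example, not part of the SSL-Explorer guide or 3SP's code. The shared
secret, credentials and the simulated IAS reply below are constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2          # RFC 2865 attribute types


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type | Length | Value (Length covers the header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password (RFC 2865 section 5.2): pad to 16-byte blocks and XOR
    each block with MD5(secret + previous block), seeded with the Request
    Authenticator. This is obfuscation keyed on the shared secret, not strong
    encryption, which is one reason RADIUS traffic belongs on a trusted LAN."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of pap_encode_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int, authenticator: bytes = b"") -> bytes:
    """Build an Access-Request. The 16-byte Request Authenticator must be
    unpredictable, so it comes from os.urandom unless the caller supplies one."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD,
                     pap_encode_password(password.encode(), secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Accept a reply only if its Identifier matches our request and its Response
    Authenticator is valid. A client that skips this check would trust a forged
    Access-Accept from anyone able to inject UDP datagrams towards it."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(reply[4:20], expected)


def simulated_ias_reply(request: bytes, secret: bytes, expected_password: bytes) -> bytes:
    """Stand-in for the IAS server: recover the PAP password and answer
    Access-Accept or Access-Reject with a correct Response Authenticator."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, pos, password = request[4:20], 20, b""
    while pos + 2 <= length:
        a_type, a_len = request[pos], request[pos + 1]
        if a_len < 2:                                   # malformed attribute
            break
        if a_type == ATTR_USER_PASSWORD:
            password = pap_decode_password(request[pos + 2:pos + a_len], secret, req_auth)
        pos += a_len
    code = ACCESS_ACCEPT if hmac.compare_digest(password, expected_password) else ACCESS_REJECT
    return struct.pack("!BBH", code, ident, 20) + response_authenticator(code, ident, b"", req_auth, secret)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    # Constructed SafeWord-style credential: token passcode followed by the PIN.
    request = build_access_request("testuser", "2847151234", SECRET, ident=1)
    reply = simulated_ias_reply(request, SECRET, b"2847151234")
    print("Access-Accept" if reply[0] == ACCESS_ACCEPT else "Access-Reject",
          "authentic" if verify_reply(reply, request, SECRET) else "FORGED/CORRUPT")
```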

Configuring SSL-Explorer
Go back to IAS and create a RADIUS client that points to the SSL-Explorer server address.

In SSL-Explorer, go to System Configuration->Security Options and click the RADIUS tab. Enter the
IAS server address and shared secret. Set the Authentication Method to CHAP and click OK.

Go to Authentication Schemes and create a new Scheme. Give it a meaningful name such as RADIUS
or SafeWord. Select Password (primary) and RADIUS (primary) to set SafeWord up as two-stage
authentication. (You could choose RADIUS on its own if required; just note that if SSL-Explorer
requires the user's password for anything, it will prompt for it.)

Move the RADIUS scheme to the top if this is to be the default scheme.
Now test the login via SSL-Explorer, which should now work.

Resource Management
Resources are the key entities that a user of the system will interact with. Without such things, a user
has no means of using or gaining any benefit from the system – it is the resources that provide the
‘value’ in an SSL VPN. This section covers the basics of resources; what they are, how they are used
and finally ends with what types are available.

Introduction
Sections covered in this chapter are as follows:

• What are Resources?
• Resource Wizards
• Available Resources

What are Resources?

The main reason a user uses SSL-Explorer is to access the corporate network, usually from a
remote site, be it a remote branch office or a client's site. Securely allowing users into SSL-
Explorer is just one side of the remote access solution. Once logged in, the user must have a means of
actually interacting with items within the corporate network such as network drives, files and
applications, and this is where resources fit into the picture.

As the diagram below shows, resources are the means by which a user interacts with the trusted
network.

Some resources, such as Network Places, allow a user to interact with shares on the network. Other
resources, such as Web Forwards, allow users to interact with company intranet websites. Each resource
provides a different way to access and interact with the remote network, from running remote
applications to creating secure VPN tunnels.

It is the Super User’s responsibility to create these resources and provide a secure working
environment for the remote user population. Without the right configuration of resources, accessing
areas of the corporate network remotely would be at the least difficult and in the worst case,
impossible.

The Super User is also responsible for the management and configuration of resources. As the
corporate network evolves, so too must the resources which access the network. As further company
security policies are put in place, not only must the network change to suit but so too must the SSL-
Explorer resources.

The user console is the page from which the users are able to access these resources for use. Resources
are listed under the Resources bar to the left of the page and can also be added to a user’s Favorite
page. Administering resources however is done through the Management Console.

Resource Wizards
Every resource is created through an intuitive wizard. The wizard directs the Super User through
the appropriate steps in the correct order. As the screenshot below shows, the navigation pane
highlights all the necessary steps to complete the action.

Some of these steps can be skipped and then redefined as required through the Edit Resource pages
later. Also any step can be re-attempted by simply clicking on the appropriate step in the Navigation
Pane.

Available Resources
SSL-Explorer defines a number of resources; each provides a specific function in interacting with the
instance and the corporate network. The resources that can be used are listed below:

• Web Forward: Provides secure intranet and internet access
• Network Place: Provides network file system access
• Application: Deployment and execution of Java applications
• SSL-Tunnel: Configure SSL tunnels for special tasks such as remote support
• Profile: User environment configuration
• Network Extension: A virtual network adaptor that provides secure access into the SSL-
Explorer network

A chapter is dedicated to each of these resources, covering everything from creating to managing the
resource.

Executing a Resource
All executable resources follow a similar set of steps when being executed; these are detailed below.

Step 1 From the user console find the resource to execute. Against this resource is the execute button.

Step 2 When pressed, the execute button needs a policy under which the resource should be executed. The
execute button lists all the policies the resource is connected to; selecting one executes the resource
using any policy attributes associated with the chosen policy.

If the resource page is set to show icons as opposed to listing resources, the user will see something
similar to the image below.

To execute a resource simply press the correct icon. The resource will execute in the first policy the
user has been assigned to, usually Everyone.

Step 3 The resource should now execute, opening the required window if necessary.

SSL-Explorer Agent
Many commonly used applications from email clients to CVS clients typically operate using unsecured
protocols to facilitate the exchange of data. To the casual home user this is usually not a worry,
though to the corporate user this is a critical vulnerability and one that leaves a business open to all
manner of threats from password sniffing to full-blown industrial espionage.

Thankfully with modern encryption protocols like SSL, data from these applications can be
“tunnelled” inside SSL packets. In the case of SSL-Explorer, this is achieved through the use of the
SSL-Explorer Agent – a small program that can intercept data transmitted by the insecure application,
encrypting said data and transmitting the secure form over the wire. At the receiving end the SSL-
Explorer server decrypts this data and forwards it to the appropriate destination within the trusted
network.

With SSL-Explorer, you have the ability to lock down your network, leaving just a single port open on
your firewall. Most traffic that would normally operate on other ports can be tunnelled through the
HTTPS port 443 into your network.

The sections covered in this chapter are:

• What is the SSL-Explorer Agent?
• Starting the SSL-Explorer Agent
• Stopping the SSL-Explorer Agent
• Executing Resources from Agent

What is the SSL-Explorer Agent?


With SSL Explorer comes a small SSL-Explorer Agent. This Agent is a Java application that works in
conjunction with your SSL-Explorer session to provide SSL-tunneling and application launching
facilities provided by the SSL-Explorer server.

The Agent is launched by a small Java applet placed on all pages that require access to the VPN client.
You only need to launch the client once per SSL-Explorer session.

The Agent is an essential tool for providing a secure tunnel for some of the resources detailed later in
this chapter. When required, a resource automatically starts the agent. However, the agent can also be
started manually, in which case any resource requiring the use of the tunnel will not need to start the
agent.

Communication with Browser


The SSL-Explorer Agent listens on a number of ports in the 65500+ range. This is normal behavior.
The Agent is actually also an HTTP server and uses these ports to communicate with your web browser.
All outbound network communications are sent through the HTTPS port 443.

Precautions
It is important to remember that the agent will provide a secure tunnel into your network until it is
closed or times out due to inactivity. Your users must make sure that they log off from their SSL-
Explorer sessions. It is not wise to allow such a session to remain open and unattended even for a
short period of time. The agent will time out any tunnel that is inactive for a configurable period of
time.

Starting the Agent

Click the Start Agent button from the top navigation pane.

This instructs the client to start the agent. A warning message will be displayed as below.

The next sets of dialogs are security warnings verifying the client and the agent itself. These warnings
should be accepted.

Step 1 Once all the security messages have passed, the agent will be started and, if communication with
the server is successful, the agent will be ready. The agent icon in the top navigation bar will
change colour much like the image below.

In addition a pop-up will appear by the taskbar and an agent icon will be visible from the taskbar itself.

A final reminder that the agent is up and running successfully will be in the form of information in the
event pane.

Any resources relying on the agent will only execute once the agent is active.

Stopping the Agent
In order to stop the SSL-Explorer Agent simply click the active Agent icon as shown below.

This will stop the agent. It will also change the agent icon back to indicate that it is inactive as shown
below.

Nothing else is required to stop the SSL-Explorer agent.

Executing Resources from Agent

Once the agent is started you can execute any resource assigned to you directly from the
taskbar icon. Right-clicking the agent icon will present a list of resources that can be
executed directly from the agent without having to go through SSL-Explorer.

By opening the Tunnel Monitor one can view any tunnels that are created through the life of the agent
and, if you wish, kill any running tunnels.

Web Forwards
Web forwards provide a secure way of remotely accessing a company’s intranet resources and as such
are an essential tool in helping reduce the risk of unauthorized access to the corporate network. This
chapter covers all the essentials to allow a super user to manage these resources, from what a web
forward is and how they work to managing them. Web forwards come in three types: tunneled, reverse and
replacement; this chapter details each and when best to use each type.

The sections covered in this chapter are:

• What is a Web Forward?
• Technical Overview
• Web Forward Interface
• Creating a new Web Forward
• Editing a Web Forward
• Deleting a Web Forward
• Outlook Web Access and Mail Check

By the end of this chapter the reader should have a good understanding of web forwards and how to
use them.

What is a Web Forward?


Simply put, web forwards redirect HTTP traffic. By creating a web forward the publisher can make an
internal web resource accessible to the outside world – without ever having to publish the resource on
to the World Wide Web.

Take for example a company intranet or an internal web-based application. Without web forwards
users can only access these resources internally within the LAN. Trying to access these remotely
would mean having to publish them on the internet. Making a company’s sensitive internal resources
available over an untrusted, publicly accessible network leaves the system vulnerable to attacks.

Web forwards reduce these vulnerabilities by publishing the resource through the VPN instead. Removing
the resource from the internet instantly minimizes the chances of the internal network being
compromised. To reach the web resource users have to sign in to SSL-Explorer through strict
authentication techniques. During the course of the session the communication channels are secured
through SSL, and to further enhance security SSL-Explorer’s policy framework can restrict who
can even access the web forward.

Technical Overview
SSL-Explorer provides three types of web forward:

• Tunneled: Suitable for static intranets
• Replacement proxy: Suitable for web applications which use absolute URLs with minimal
JavaScript
• Reverse proxy: Suitable for web applications which use relative URLs and tend to be more
complex than those for replacement proxy

Each one is briefly described below.

Tunneled Web Forwards

A tunneled Web Forward uses the SSL-Explorer Agent. If not already installed, the agent is
downloaded to the client machine. The agent acts as a proxy for the client browser, handling all the
transactions necessary to provide a secure connection to the target resource. The communication link
between browser and agent is the only leg that is not encrypted.

Unlike reverse and replacement web forwards, the content of the HTTP traffic is not altered at all. No
content is changed from the moment it leaves the client to the moment the response is received; SSL-Explorer
acts as a dumb proxy providing no further functionality. This web forward performs the same function as a
standard SSL-Tunnel.

The unique feature is that no content is processed. However, if the target site has links to other sites and
these are followed, those pages step outside the SSL tunnel boundary and will not be securely
accessed.

Replacement Proxy Web Forwards

A replacement web forward, unlike the tunneled forward, does not rely on the SSL-Explorer agent.
Despite this, the communication link between the browser and the intranet resource remains encrypted,
because the browser talks to SSL-Explorer over SSL.

The SSL-Explorer server retrieves the web page on behalf of the connecting client. Information
received by SSL-Explorer is processed by the replacement engine, in stark contrast to the
tunneled forward. The data is stripped of certain information and new information is added to the
transmission; all links within the page are replaced to point back to the SSL-Explorer server. The
connection from SSL-Explorer to the target server is encrypted or not depending on whether the target
uses HTTP or HTTPS.

The responses are again preprocessed by the replacement engine before being securely sent back to the
client.

This processing means that any additional links attached to the web resource are handled by the web
forward. As long as the web forward remains open all pages are processed and remain secure. So for
example a web application that opens up various pages or goes off to various other sites will continue
to be processed by the forward.

Reverse Proxy
A reverse proxy web forward, like a replacement web forward, does not rely on the SSL-Explorer agent,
and again the communication link remains encrypted because the browser talks to SSL-Explorer over SSL.

Unlike replacement web forwards, the content is not altered from the moment it leaves the client to
the moment the response is received; SSL-Explorer acts as a reverse proxy server for the client.

Unfortunately, if the target site has links to other sites and these are followed, those pages will not be
secured.

Web Forward Interface

The main web forward page lists the available forwards. This page is located under Management
Console → Resource Management → Web Forwards

The main page details which policy a web forward is associated with, the type of the web forward and
the category of the web forward.

Only those web forwards associated with a user’s policy are visible from the user console under User
Console → Resources → Web Forwards.

Action Icons
The action icons against each web forward perform functions on the associated web forward; their
respective objectives are detailed below:

Delete web forward

Edit web forward details

Execute resource (User Console)

Creating a new Web Forward
Step 1 Select the Create Web Forward action.

Step 2 Select the type of web forward you wish to create.

Step 3 Once selected the web forward wizard will open. All web forwards follow the same wizard process as
below.

Step 4 The first step in the wizard is to provide details of the resource itself, the name and description of the
resource.

The final web forward can be set as a favorite resource, which will make this resource accessible from
the Favorites page.

Step 5 The second step defines the resource itself. For each web forward the required content differs. These
are detailed below.

Configuring a Tunneled Web Forward

This web forward requires the least amount of information. All the wizard requires is a valid URL; the
authentication step is skipped.

The wizard provides a mechanism to use built-in system parameters; these are detailed a little more in
the Create Replacement Proxy step next.

Once done, pressing the Next button will take you to the next step in the wizard, which is detailed in
step 6 below.

Configuring a Replacement Proxy Web Forward
Replacement details require two sets of information; the first is the basic information of the web site.

• Destination URL: The URL of the site you wish to access
• Encoding: This overrides the encoding of the HTTP response; this should be left as default
unless otherwise informed by 3SP support.
• Restrict to hosts: This restricts what hostnames the user can access. Any user accessing the
site can access only the URL hostname and any hostnames listed in this box. If the list is
empty then no restrictions apply; if the only hostname specified is the hostname of the URL then
users cannot access any pages located outside of that hostname.
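The two behaviours described in the Replacement Proxy overview and in the Restrict to hosts setting above (links rewritten to point back at the SSL-Explorer server, and an allowlist of reachable hostnames), as an added example that is not SSL-Explorer's or 3SP's code: the VPN URL layout (/webforward?url=... and a /blocked page) and all hostnames are constructed for the example, not the product's real format.

```python
"""Replacement-engine style link rewriting with a 'Restrict to hosts' allowlist.

Added example, not code from SSL-Explorer or 3SP. The /webforward?url=... and
/blocked URL layout on the VPN server is a constructed assumption.
"""
import re
from urllib.parse import quote, urljoin, urlsplit

# href=, src= and action= attribute values, single- or double-quoted (constructed regex,
# good enough for the well-formed attributes in this example)
_LINK_RE = re.compile(r"""\b(href|src|action)\s*=\s*(["'])(.*?)\2""", re.IGNORECASE)


def allowed_hosts(destination_url: str, restrict_to_hosts: list) -> set:
    """Hosts a user may reach through the forward. The destination's own host is
    always included; an empty 'Restrict to hosts' box means no restriction,
    signalled here by returning an empty set."""
    if not restrict_to_hosts:
        return set()
    own = urlsplit(destination_url).hostname.lower()
    return {own} | {h.strip().lower() for h in restrict_to_hosts if h.strip()}


def rewrite_page(html: str, page_url: str, vpn_base: str, allowed: set):
    """Return (rewritten html, blocked links). Every fetchable HTTP(S) link is
    pointed back at the VPN server; links to hosts outside the allowlist are
    sent to a blocked page instead of leaving the forward."""
    blocked = []

    def _sub(m):
        attr, q, raw = m.group(1), m.group(2), m.group(3)
        if raw.startswith(("#", "javascript:", "mailto:", "data:")):
            return m.group(0)                       # not an HTTP link to proxy
        absolute = urljoin(page_url, raw)           # resolve relative links first
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return m.group(0)
        if allowed and parts.hostname.lower() not in allowed:
            blocked.append(absolute)
            return f"{attr}={q}{vpn_base}/blocked{q}"
        return f"{attr}={q}{vpn_base}/webforward?url={quote(absolute, safe='')}{q}"

    return _LINK_RE.sub(_sub, html), blocked


if __name__ == "__main__":
    # Constructed intranet page fetched by the forward
    page = ('<a href="/reports/q1.html">Q1</a> <img src="http://static.corp.example/logo.png"> '
            '<a href="https://www.outside.example/x">out</a> <a href="#top">top</a>')
    hosts = allowed_hosts("http://intranet.corp.example/home", ["static.corp.example"])
    out, blocked = rewrite_page(page, "http://intranet.corp.example/home",
                                "https://vpn.example.com", hosts)
    print(out)
    print("blocked:", blocked)
```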

Replacement Variables
Note
The ${} icon indicates that replacement variables can be included in the resource definition. Clicking
this icon will load the available variables that can be used. The session variables are values taken
from the current session. The attr variables are values taken from user defined attributes.

The second part of information required is the authentication details.

Authentication
Replacement and reverse proxy web forwards can not only access a site or an application but can also authenticate
the user accessing it. When the web forward connects to the URL, the additional information provided
here is passed to the site, automatically authenticating the user.

Depending on the authentication type you select in the dropdown, the appropriate parameters
are listed.

The wizard provides two types of authentication: FORM and HTML authentication.

• Form Type: The type of form authentication to use; in most circumstances POST will be
used to post the parameters listed in the Form Parameters box to the site. NONE disables
form authentication and relies on HTML authentication only.
• Form Parameters: Specific form parameters for authentication should be provided here.
These parameters map to the parameters on the form. In the example above pre,
ixPerson and sPassword are all form parameters for this application. During
authentication these will be passed into the form with the provided values. As
sPassword=${session:password} shows, replacement parameters can also be used;
here a session parameter is used for the form’s password field. The ixPerson parameter
is the index into the form's username dropdown list; 6 is the index of the given username, so when
executed the form will look up username 6 from the dropdown list.

• Preferred scheme: The type of HTML authentication to be used, BASIC, NTLM, DIGEST,
NONE.
• Username: The authenticating username for HTML authentication, each scheme uses this
value in different ways.
• Password: The associated password.

Whichever authentication method the site's server requires, those details will be passed on.

Once completed, pressing the Next button will proceed to the next step in the wizard; this is detailed in
step 6 below.

Configuring a Reverse Proxy Web Forward
As with replacement proxy, this also requires two types of information, the basic URL information and
the authentication details; however, unlike other web forwards, this is broken into path-based proxy and
host-based proxy.

Path-Based Reverse Proxy

• Destination URL: The URL of the site you wish to access
• Paths: Each additional path that needs to be proxied is added here. Web applications such as
Outlook Web Access require more paths than the one in the target URL; in the example
above the OWA web forward sets a target of
http://mail.server.co.uk/exchange and then adds 2 further paths, /exchange and
/exchweb. To deal with this, you add each path that should be proxied to this field. This
would then proxy any URLs that begin with
http://mail.server.co.uk/exchange or
http://mail.server.co.uk/exchweb
• Encoding: This overrides the encoding of the HTTP response; this should be left as default
unless otherwise informed by 3SP support.

Host-based Reverse Proxy

• Active DNS: This enables sites that are at the root of a server to be used by the web forward; as
mentioned in the note below, sites at root generally cannot be used by the reverse proxy web
forward. Enabling this parameter is not enough: a wildcard entry on your network's DNS
server must be configured so that any lookups for active*.3sp.co.uk point to the SSL-
Explorer server. When the web forward is launched a fake hostname prefixed by active and
suffixed by 3sp.co.uk is generated (e.g. active32432432424.3sp.co.uk) and
used by the client browser to access the reverse proxy. SSL-Explorer is able to see this
hostname and use the number embedded in it to look up the associated web forward. More
information can be found in the 3SP knowledge base [1].
• Host Header: This is another method used by the reverse proxy engine to determine whether
a site should be proxied. A specific hostname can be set for a site; this requires that the
hostname defined resolves to the SSL-Explorer server. The browser will be redirected from
the standard SSL-Explorer URI to this host header. More information can be found in the 3SP
knowledge base.

No Target Site at Root of Server

Note
Ordinarily target sites you wish to use with reverse proxy cannot exist at the root of their
server, e.g. http://www.example.com is invalid whereas http://www.example.com/salesportal
would be acceptable. Active DNS can be used to override this restriction.
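How a reverse proxy web forward can decide whether an incoming request belongs to a forward, as an added example that is not SSL-Explorer's or 3SP's code: it models the path-based rule (the target URL path plus the extra Paths, as in the OWA /exchange and /exchweb case), the Active DNS hostname pattern active<number>.3sp.co.uk whose number identifies the forward, the fixed Host Header, and the root-of-server restriction above. The forward ids, hostnames and the list of forwards are constructed for the example.

```python
"""Routing a request to a reverse-proxy web forward (path-based and host-based).

Added example, not code from SSL-Explorer or 3SP. Forward ids, the VPN and
target hostnames, and the forward registry are constructed values.
"""
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Active DNS hostnames: 'active' + the forward's number + the configured suffix
ACTIVE_DNS_RE = re.compile(r"^active(\d+)\.3sp\.co\.uk$", re.IGNORECASE)


@dataclass
class ReverseProxyForward:
    forward_id: int
    destination_url: str
    paths: list = field(default_factory=list)   # additional paths to proxy
    active_dns: bool = False
    host_header: Optional[str] = None

    def validate(self) -> None:
        """The 'No Target Site at Root of Server' rule: a target with no path is
        only acceptable when Active DNS is enabled for the forward."""
        path = urlsplit(self.destination_url).path
        if path in ("", "/") and not self.active_dns:
            raise ValueError(f"{self.destination_url}: target at server root needs Active DNS")

    def proxied_prefixes(self) -> list:
        """Path prefixes this forward handles: the target URL's path plus the extras."""
        base = urlsplit(self.destination_url).path.rstrip("/")
        prefixes = [base] if base else []
        return prefixes + [p.rstrip("/") for p in self.paths if p.strip()]


def route_request(host: str, path: str, forwards: list) -> Optional[ReverseProxyForward]:
    """Pick the forward that should proxy a request, or None if it is not proxied.

    Host-based rules are checked first: an Active DNS hostname carries the
    forward id, and a configured Host Header names the forward directly.
    Otherwise the request path must start with one of a forward's prefixes;
    a plain prefix string match would let /exchangeX leak into /exchange,
    so the match is on whole path segments.
    """
    host = host.split(":")[0].lower()               # drop any :port
    m = ACTIVE_DNS_RE.match(host)
    if m:
        wanted = int(m.group(1))
        return next((f for f in forwards if f.active_dns and f.forward_id == wanted), None)
    for f in forwards:
        if f.host_header and f.host_header.lower() == host:
            return f
    for f in forwards:
        for prefix in f.proxied_prefixes():
            if path == prefix or path.startswith(prefix + "/"):
                return f
    return None


if __name__ == "__main__":
    owa = ReverseProxyForward(1, "http://mail.server.co.uk/exchange", paths=["/exchange", "/exchweb"])
    root_site = ReverseProxyForward(2, "http://www.example.com", active_dns=True)
    portal = ReverseProxyForward(3, "http://www.example.com/salesportal", host_header="sales.vpn.example.com")
    registry = [owa, root_site, portal]
    for fwd in registry:
        fwd.validate()
    for host, path in [("vpn.example.com", "/exchweb/img/logo.gif"),
                       ("active2.3sp.co.uk:443", "/"), ("vpn.example.com", "/")]:
        hit = route_request(host, path, registry)
        print(host, path, "->", hit.forward_id if hit else "not proxied")
```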

The second part of information required is the authentication details.

Authentication
Replacement and reverse proxy web forwards can not only access a site or an application but can also authenticate
the user accessing it. When the web forward connects to the URL, the additional information provided
here is passed to the site, automatically authenticating the user.

Depending on the authentication type you select in the dropdown, the appropriate parameters
are listed.

The wizard provides two types of authentication: FORM and HTML authentication.

[1] 3SP Knowledge Base – http://3sp.com/kb

• Form Type: The type of form authentication to use; in most circumstances POST will be
used to post the parameters listed in the Form Parameters box to the site. NONE disables
form authentication and relies on HTML authentication only.
• Form Parameters: Specific form parameters for authentication should be provided here.
These parameters map to the parameters on the form. In the example above pre,
ixPerson and sPassword are all form parameters for this application. During
authentication these will be passed into the form with the provided values. As
sPassword=${session:password} shows, replacement parameters can also be used;
here a session parameter is used for the form’s password field. The ixPerson parameter
is the index into the form's username dropdown list; 6 is the index of the given username, so when
executed the form will look up username 6 from the dropdown list.

• Preferred scheme: The type of HTML authentication to be used, BASIC, NTLM, DIGEST,
NONE.
• Username: The authenticating username for HTML authentication, each scheme uses this
value in different ways.
• Password: The associated password.

Whichever authentication method the site's server requires, those details will be passed on.

Once completed, pressing the Next button will proceed to the next step in the wizard; this is detailed in
step 6 below.
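The form-parameter mapping and ${session:...}/${attr:...} replacement variables described in this and the earlier Replacement Proxy authentication section, as an added example that is not SSL-Explorer's or 3SP's code: it expands the guide's pre, ixPerson=6 and sPassword=${session:password} parameters into the POST body the forward would send. It assumes the Form Parameters box holds one name=value per line, that only the session and attr namespaces exist, and the session and attribute values are constructed.

```python
"""Expanding replacement variables in web forward form parameters.

Added example, not code from SSL-Explorer or 3SP. The one-name=value-per-line
format and the session/attr namespaces are assumptions; values are constructed.
"""
import re
from urllib.parse import urlencode

# Only the two namespaces the guide describes are expanded
VARIABLE_RE = re.compile(r"\$\{(session|attr):([A-Za-z0-9_.-]+)\}")


class UnknownVariable(KeyError):
    """Raised rather than silently posting an empty or literal ${...} value."""


def expand_variables(value: str, session: dict, attrs: dict) -> str:
    """Replace every ${session:name} and ${attr:name} in value. Text that does
    not match, including an unknown namespace such as ${other:x}, is left as
    is so a misconfiguration stays visible instead of being expanded from an
    unexpected source."""
    def _lookup(m):
        namespace, name = m.group(1), m.group(2)
        source = session if namespace == "session" else attrs
        if name not in source:
            raise UnknownVariable(f"{namespace}:{name}")
        return str(source[name])
    return VARIABLE_RE.sub(_lookup, value)


def parse_form_parameters(text: str) -> list:
    """Parse the Form Parameters box, one name=value per line, keeping order."""
    params = []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params.append((name.strip(), value.strip()))
    return params


def build_post_body(form_parameters: str, session: dict, attrs: dict) -> str:
    """URL-encoded body of the POST the web forward sends to the login form.
    The expanded body contains the real password, so log the template text
    (which still reads ${session:password}) rather than this value."""
    expanded = [(name, expand_variables(value, session, attrs))
                for name, value in parse_form_parameters(form_parameters)]
    return urlencode(expanded)


if __name__ == "__main__":
    # Constructed template matching the guide's example parameters
    template = "pre=1\nixPerson=6\nsPassword=${session:password}"
    session = {"username": "alice", "password": "p@ss word"}   # constructed session
    print(build_post_body(template, session, {"dept": "sales"}))
```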

Step 6 Once the web forward has been successfully configured the next step is the assignment of the resource
to a policy. The appropriate policy should be added to Selected Policies box.

Step 7 In the final step the wizard presents a summary of the web forward.

Pressing the Finish button will end the wizard and create the web forward. This newly created web
forward will be visible from the main web forwards page and executable by those in the assigned
policy.

That’s all there is to it.

Editing a Web Forward
From the web forwards page select the Edit action against the required web forward and the Edit Web
Forward page will be shown. From this page the current details stored about the web forward can be
modified.

Deleting a Web Forward

The Delete action removes a web forward permanently from the system. Selecting the delete action
against a web forward will result in a warning message informing you that the web forward is about to be
deleted, as shown below.

Selecting Yes will result in the removal of the resource from the system. If this web forward is
associated with any policies, this link will also be removed along with all other associated links.

Outlook Web Access and Mail Check
One of the many features available from the Enterprise Edition of SSL-Explorer is the mail check
feature. This presents to the user an instant view of his or her email account status directly through the
user console without having to start their email client to check for new email. This feature can be used
to check for email (and launch your web mail client) on any mail server that supports the POP3/IMAP
protocols, including Microsoft Exchange.

The mailbox icon is visible from the user console and shows the status of new or any unread messages.

Clicking the refresh button also instantly checks the mail account and provides an instant update of its
status and clicking the mailbox itself will open a new window to the mail account.

Configuration of this relies on a web forward. The following provides basic steps on how to configure
the mail check feature.

Step 1 Install the SSL-Explorer Mail Check extension from the Extension Manager. Further instructions on
installing extensions can be found in the SSL-Explorer: Configuration Guide.

Step 2 Create a web forward that connects to the mail server and check that it works correctly. In the
screenshot below I have created an Outlook Web Access (OWA) web forward. No username or
password has been specified in the configuration. When I execute this I am prompted for
authentication.

Step 3 Configure the mail check configuration parameters from Management Console → System
Configuration → Messaging → Mail Check.

In the screenshot I have specified the OWA web forward that I configured in step 2. The mail check
feature requires this to access the mail server. Also the mail protocol has been specified and the
hostname of the mail server. Further information on these parameters can be found in the SSL-
Explorer: Configuration Guide under System Configuration.

Step 4 The final step involves the configuration of personal details for each user from the user console. For
each user the mail check tab becomes accessible from User Console → Personal Details → Mail
Check.

The Mail Check extension will automatically try to log on to the mail server with the current user's
SSL-Explorer credentials. If these are different, then each user needs to provide their mail
authentication details on this screen. In addition the default mail folder (e.g. ‘inbox’) can be specified
if needed.

Active Directory Accounts Auto Configured

Note
If the system has been configured to use Active Directory and the mail accounts also use the same
Active Directory authentication credentials, the mail check extension will automatically use the user’s
Active Directory credentials to authenticate the user’s mail account. There is then no need for users to
provide authentication details in the mail check tab under personal details.

The mail check feature uses the web forward and the details defined in the mail check configuration
page to connect to the mail server. From here it takes each individual user's authentication details to
connect to their account and retrieve mail details.

Step 5 Once all the user details have been provided the user should log back into the system. The mailbox
icon will be visible in the top right of the main window.

Clicking on the mailbox will open a window to the mail account of the user without the need for
authentication.

Network Places
Network places are another vital tool in defending against unwarranted access to the corporate network.
Configuring a network place within SSL-Explorer allows a user to securely access the
company network without compromising the integrity of the network. This chapter covers the basics of
network places and moves right through to managing these resources.

The sections covered in this chapter are:

• What is a Network Place?
• Network Places Interface
• Creating a new Network Place
• Editing a Network Place
• Deleting a Network Place
• Web Folders Windows Access
• Enterprise Drive Mapping

By the end of this chapter the reader should have a firm grasp of network places and how best to use
them, in particular the means by which a simple network forward can be integrated into a user’s familiar
Windows environment.

What is a Network Place?

A network place is a versatile resource that provides remote users with a secure Web interface to the
corporate network. A remote user can browse network shares, rename, delete, retrieve and even upload
files just as if he or she were in the office, connected to the network.

In particular, network places allow remote users that have the appropriate permissions to browse
Microsoft SMB file shares, SAMBA file systems configured on UNIX and even FTP or SFTP file
systems. In addition, network places also provide support for web folders and Enterprise Drive
Mapping.

Web Folders
Web Folders is a web authoring component that is included with Internet Explorer 5. It enables the
management of files on a WebDAV server by using a familiar Windows Explorer or My Computer
interface.

WebDAV is a protocol that extends HTTP to define how basic file functions such as copy, move,
delete, and create folder are performed over the internet. Using a WebDAV client such as Web Folders, a
remote user can access the company network through the standard Windows Explorer interface
without actually needing to log into SSL-Explorer.

SSL-Explorer has an inbuilt WebDAV server which provides WebDAV clients secure access to
required file systems.

Network Places Interface
The main network place page lists the available shares. This page is located under Management
Console → Resource Management → Network Places

The main page details which policy a network place is associated with and the available actions
associated with each.

Only those network places associated with a user’s policy are visible from the user console under User
Console → Resources → Network Places.

Action Icons
The action icons against each network place perform functions on that network place; their
respective purposes are detailed below:

Delete network place

Edit network place details

Execute resource (user console)

Creating a new Network Place
Step 1 From the main network places page the action menu in the top right presents the only available action,
Create Network Place. Selecting this begins the creation wizard.

Step 2 The first step in the wizard as with any resource is the name and the description of the required
resource. This will be displayed on the main network places page.

This particular resource can be added to the favorite page if so desired for ease of access.

Step 3 The next step requires the definition of the URL alongside any additional parameters, beginning with
the Type. This can be one of the following:

• Windows Network: Windows source anywhere on a visible network
• Local File: Source connected to the client machine
• FTP: FTP filesystem
• SFTP: SFTP filesystem
• Jar Archive: A jar file. When executed, network places opens up a window into the extracted
Jar
• Tar Archive: A Tar file. When executed, network places opens up a window into the
extracted Tar
• Zip Archive: A zip file. When executed, network places opens up a window into the
extracted zip
• Automatic: This allows the user to type in a single URL for any type of filesystem and it will
connect to the right type of system. For example, all the following URLs can be
used:
o SMB share: smb://[username:password@]server/share
o SMB share: \\server\share
o Local share: file://<path> (for Windows use forward slashes)
o Local share: <path> (for Windows use forward slashes)
o FTP share: ftp://username:password@server[port]/folder
o FTP share: ftp://server/folder

Step 4 Depending on the type chosen, a list of parameters is shown and needs completing.

• Host: Hostname of the source filesystem
• Port: Port of the source filesystem
• Path: Specific path that needs to be accessed on the host

Replacement Variables
Note The ${} icon indicates that replacement variables can be included in the resource definition. Clicking
this icon will load the available variables that can be used. The session variables are values
taken from the current session. The args variables are values taken from user-defined
attributes.

• Username: Username if the location is protected. If the resource is to be used by all users then a
replacement variable such as ${session:username} should be used. For more information on
attributes and replacement variables refer to the User Attributes Chapter in SSL-Explorer:
Configuration Guide.
• Password: Password for the username

FTP Default Passive

Note FTP can initiate connections in passive and active mode. By default all FTP URIs will be connected to
their host using passive mode, as this is the most secure and most common mode used. However, if you
wish to connect to a server in non-passive mode simply add ?passive=FALSE to the end of the URI,
as in ftp://ftp.server.com?passive=FALSE.
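The URL forms listed for the Automatic type, the replacement variables of Step 4 and the ?passive=FALSE suffix of the FTP note can be tied together in one piece of code. The following Python is an added example written for this guide, not SSL-Explorer’s own code: it classifies a network place URI the way the Automatic list describes, expands ${session:...} and ${args:...} variables from two constructed sample maps, and flags resource definitions that embed a literal password, which every user executing the resource would then share. The SESSION and ARGS values, the sample URIs and the helper names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Replacement variables as documented: ${session:name} and ${args:name}.
VAR_RE = re.compile(r"\$\{(session|args):([A-Za-z0-9_.-]+)\}")

# Constructed sample data standing in for the current session and the
# user-defined attributes (hypothetical values, not from the product).
SESSION = {"username": "alice", "password": "s3cret"}
ARGS = {"share": "finance"}


def expand_variables(uri, session, args):
    """Substitute ${session:x} / ${args:x} from the two maps.

    An undefined variable raises instead of leaving the literal '${...}'
    in place, so a mis-typed variable name is never sent to the file
    server as a username or password.
    """
    def repl(match):
        scope, name = match.group(1), match.group(2)
        source = session if scope == "session" else args
        if name not in source:
            raise KeyError("undefined replacement variable ${%s:%s}" % (scope, name))
        return source[name]
    return VAR_RE.sub(repl, uri)


def classify(uri):
    """Work out the filesystem type and the parts of a network place URI.

    Follows the manual's 'Automatic' list: a UNC path or smb:// is SMB,
    file:// or a bare path is local, ftp:// and sftp:// are FTP/SFTP.
    FTP is passive unless ?passive=FALSE is appended, as documented.
    """
    if uri.startswith("\\\\"):                      # \\server\share
        host, _, path = uri.lstrip("\\").partition("\\")
        return {"type": "smb", "host": host, "path": path,
                "user": None, "password": None}
    if uri.startswith("file://"):                   # file://<path>
        return {"type": "file", "path": uri[len("file://"):]}
    if "://" not in uri:                            # bare <path>
        return {"type": "file", "path": uri}
    parts = urlsplit(uri)
    user = unquote(parts.username) if parts.username else None
    password = unquote(parts.password) if parts.password else None
    if parts.scheme == "smb":
        return {"type": "smb", "host": parts.hostname,
                "path": parts.path.lstrip("/"),
                "user": user, "password": password}
    if parts.scheme in ("ftp", "sftp"):
        passive = True
        if parts.scheme == "ftp":
            query = parse_qs(parts.query)
            passive = query.get("passive", ["TRUE"])[0].upper() != "FALSE"
        return {"type": parts.scheme, "host": parts.hostname,
                "port": parts.port or (21 if parts.scheme == "ftp" else 22),
                "path": parts.path.lstrip("/"),
                "user": user, "password": password, "passive": passive}
    raise ValueError("unsupported network place URI: %s" % uri)


def has_static_password(uri):
    """True if the *unexpanded* definition carries a literal password.

    A literal password in a resource executed by many users is one shared
    credential for all of them; ${session:password} lets each user's own
    login be used instead, which is the form to prefer.
    """
    if "://" not in uri:
        return False
    password = urlsplit(uri).password
    return bool(password) and "${" not in password


if __name__ == "__main__":
    definition = "smb://${session:username}:${session:password}@fileserver/${args:share}"
    print(has_static_password(definition))                 # False: per-user credentials
    print(classify(expand_variables(definition, SESSION, ARGS)))
    print(classify("ftp://ftp.server.com?passive=FALSE"))   # passive is False
```

Run the expansion only at execution time, for the user who is executing the resource; the stored definition should keep the variables so that the resource never holds one password for everybody.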

Step 5 In addition to defining the path, a network place resource requires its access permissions
to be defined. These restrict what access rights will be available on the file share when a user
executes the network place. The available permissions are as follows:

• Show hidden: Show all files and folders including hidden files
• Read Only: All files and folders are visible but they can only be viewed
• Show Folders: Show only folders
• No Delete: All files and folders are visible and all file management actions can be performed
except deletion of any files

A combination of these can be chosen.
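Because these flags combine, it helps to see them as explicit checks. The Python below is an added example written for this guide, not SSL-Explorer’s code: it filters a constructed sample listing according to Show hidden and Show Folders, decides whether an action is permitted under Read Only and No Delete, and, as a design choice of this example, refuses actions on entries the user cannot see rather than relying on the display filter alone. The entry names, the action names and the flag constants are assumptions.

```python
from dataclasses import dataclass

# Permission flags offered by the network place wizard, as named in the
# manual; the set a resource carries is the combination chosen there.
SHOW_HIDDEN = "show_hidden"
READ_ONLY = "read_only"
SHOW_FOLDERS = "show_folders"
NO_DELETE = "no_delete"


@dataclass
class Entry:
    """One item in a share listing (constructed sample data)."""
    name: str
    is_dir: bool
    hidden: bool = False


# Constructed sample listing of a share.
SAMPLE_LISTING = [
    Entry("reports", True),
    Entry(".snapshots", True, hidden=True),
    Entry("budget.xls", False),
    Entry("thumbs.db", False, hidden=True),
]


def visible_entries(listing, perms):
    """Apply Show hidden and Show Folders to a listing.

    Hidden items are dropped unless Show hidden is set; with Show Folders
    only directories remain.
    """
    result = []
    for entry in listing:
        if entry.hidden and SHOW_HIDDEN not in perms:
            continue
        if SHOW_FOLDERS in perms and not entry.is_dir:
            continue
        result.append(entry)
    return result


def is_allowed(action, perms):
    """Decide whether a file-management action is permitted.

    'view' is always allowed.  Read Only permits nothing else.  No Delete
    permits everything except 'delete'.  When both are set the more
    restrictive flag wins (assumption: a flag can only remove rights).
    Any other action name (rename, copy, cut, paste, upload, ...) is
    treated as modifying and is therefore denied under Read Only.
    """
    if action == "view":
        return True
    if READ_ONLY in perms:
        return False
    if action == "delete" and NO_DELETE in perms:
        return False
    return True


def authorize(action, name, listing, perms):
    """Server-side check for an action on a named entry.

    Beyond is_allowed(), this refuses actions on entries the user cannot
    see in the listing, so hiding a file from the display is backed by an
    authorization decision instead of trusting the client never to
    request it.
    """
    visible = {entry.name for entry in visible_entries(listing, perms)}
    if name not in visible:
        return False
    return is_allowed(action, perms)


if __name__ == "__main__":
    perms = {NO_DELETE}
    print([e.name for e in visible_entries(SAMPLE_LISTING, perms)])
    print(authorize("delete", "budget.xls", SAMPLE_LISTING, perms))  # False
    print(authorize("upload", "reports", SAMPLE_LISTING, perms))     # True
```

The check belongs on the server side of the web interface: the action icons only reflect the permissions, and a request for an action or an entry that the icons did not offer must still be refused.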

The final step is defining a drive letter for the network place. This feature is only available with Enterprise
Drive Mapping and allows a share to be mapped to a drive letter. Once mapped, the user is able to access the
network share through Windows Explorer without needing to connect to SSL-Explorer to see the
content.

• Drive: Select a drive to map to this network place. Refer to the section titled Enterprise Drive
Mapping.

Step 6 Once the network place has been defined, the final step is defining which policy this network
place should be associated with. Any user not linked to this policy will not be able to access the
network place.

Step 7 The wizard provides a summary of the settings entered; pressing Finish completes the process and creates
the new resource.

That’s all there is to it. The newly created network place will be visible from the main network place
page.

File Management
When a network place is executed the file system is opened in a new window. The window displays
the content of the file system. All the content from here and below can be managed; files can be uploaded,
renamed and even deleted as if you were connected directly to the file system.

The permissions selected during the configuration of the resource determine what actions are
available to the user.

The full list of available actions against each file is listed below.

Delete selected file or folder

Rename selected file or folder

Copy selected file or folders

Cut selected file or folder

Paste content of clipboard to selected folder

Zip folder and store it to a locally accessible file system

In addition to these action icons, the Actions pane in the top right of the window offers the same
functions together with the ability to upload files and to return to the top folder (Home).

Editing a Network Place
From the network place page select the Edit action against the required resource and the Edit Web
Forward page will be shown. From this page the current details stored can be modified.

Deleting a Network Place

The Delete action removes a network place resource permanently from the system. Selecting the delete
action against a network place will result in a warning message informing you that the resource is about to
be deleted, as shown below.

Selecting Yes will result in the removal of the resource from the system. If this network place is
associated with any policies this link will also be removed along with all other associated links.

Web Folders Windows Access

When using Windows XP and Internet Explorer you can take advantage of Microsoft Web Folders to
access your file resources.

Web folders are a great tool for remote working and once set up accessing a share is simply a matter of
clicking an icon and entering a Windows username and password when prompted. Much simpler than
using a cryptic combination of SSH port forwarding and Terminal Services.

Web folders use the WebDAV server that is embedded into SSL-Explorer. Any web folder configured
must therefore go through SSL-Explorer’s WebDAV server, otherwise the share cannot be seen by the
client operating system.

For security, SSL-Explorer only allows web folders to be mapped to existing network places. If a
network file system has not been configured through network places in SSL-Explorer then the web
folder cannot be mapped to the desired location. This enforces the policy restrictions: if a user does not
have a policy which allows them to access a given network place then they cannot create a web
folder to it either.

The steps to create a web folder are listed below.

Step 1 The required file system should already exist within SSL-Explorer as a network place.

The network place should be configured to access the appropriate share. It is the name used here that
will be used by SSL-Explorer to look up the configured URI.

Step 2 From Windows access My Network Places.

Step 3 Under the Network Tasks pane select Add a network place.

Step 4 This starts the Add network place wizard.

Step 5 The wizard will briefly search for information about service providers and will then present you
with the following screen. Select Choose another network location and click next.

Step 6 Now you need to enter the fully qualified domain name of your SSL-Explorer server.

In the example above the SSL-Explorer server is https://remoteServer.co.uk and the network place, as named
in Network Places on the system, is Public.

When executed, Web Folders will communicate with the WebDAV server at
remoteServer.co.uk. It will then request the URI for a network place named Public. It is this
URI that will then be mapped to the web folder.

Step 7 The web folders client will attempt to connect to the resource and you will be prompted to enter your
authentication details.

Step 8 After successful authentication the client will ask for a new name for this network place.

Step 9 Windows has successfully created the web folder. Windows Explorer opens and searches for
resources. You may be asked to accept a certificate as part of the process – this is normal and ensures
that your data is encrypted across the wire using SSL.

In My network places a new shortcut is created.

This shortcut can be moved to the desktop so that all a user needs to do to access the shared folder is
double-click this icon and enter their Windows logon information.

Enterprise Drive Mapping
SSL-Explorer Enterprise comes with the Enterprise Drive Mappings plugin. This adds the ability for a
user to create a network place and assign it a drive letter.

The effect of this is that once the SSL-Explorer Agent is running the drive becomes available in the
user's Windows Explorer and, like any other drive listed in Windows Explorer, it can be accessed and
its content is available for the lifetime of the SSL-Explorer Agent.

How does this differ from WebDAV?

WebDAV is limited in the file types it can support: certain files require specific WebDAV support to be
added to them before they can be accessed, while others are not accessible at all. With Enterprise Drives any
file that supports random access can be accessed and is fully modifiable; this means Word
documents, Notepad documents, development files such as Java files or files from IDEs like Eclipse can
all be accessed, modified and saved.

WebDAV also supports only local buffering: for any file that needs to be edited, WebDAV
downloads a local copy and it is this copy that is edited. Once editing is complete WebDAV uploads
it back to the server. With Enterprise Drive Mappings any file can be edited either in the
traditional local buffered mode or in streaming mode, where the file is edited from the source.

Configuring Drive Mapping
There are a number of configuration parameters that can be altered to make Enterprise Drive Mapping
more suitable for your environment. These can be accessed from System Configuration → Windows
Integration → Drive Mapping and are detailed below.

• Debug: Enable debugging for drive mappings. This should only be set if asked by SSL-
Explorer support staff.
• Debug Flags: Flags for the above debug option.
• Streaming Threshold: The size at which files are streamed. Streaming maintains an open file
on the remote filesystem. A zero value means files are always streamed.
• Always Stream Files: The file extensions that should always be streamed.
• Never Stream Files: The file extensions that should never be streamed.
• Block Size: The block size used when reading data from the remote file system. Altering this
value can affect the efficiency of file accessing, the default value should be ample for most
environments.
• Block Timeout: The number of seconds before a timeout exception is thrown when reading
streamed blocks of data from the remote file system. A timeout exception will cause
unexpected results and as such this setting only comes into play when the remote file system becomes
unresponsive. It is not recommended that you change this value unless instructed to do so by
3SP support.
• Total Size: The total amount of disk space displayed for a drive's volume information
• Free Size: The amount of free space displayed for a drive's volume information
• Size Format: The format to use in a drive's volume information
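How the Streaming Threshold, Always Stream Files and Never Stream Files settings interact is easier to check in code than in prose. The Python below is an added example written for this guide, not part of the plugin: it decides streaming for a file under a constructed configuration and lints the two extension lists for overlaps. The precedence (Never list, then Always list, then threshold, with a file at or above the threshold streamed) is an assumption the manual does not spell out, as are the sample values.

```python
import os

# Constructed sample configuration; the manual gives no default values.
# Extensions are stored lower-case with a leading dot.
SAMPLE_CONFIG = {
    "streaming_threshold": 4 * 1024 * 1024,   # bytes; 0 means always stream
    "always_stream": {".pst", ".mdb"},
    "never_stream": {".txt", ".java"},
}


def should_stream(filename, size_bytes, config):
    """Return True if the file is to be opened in streaming mode.

    Precedence used by this example (an assumption, not stated in the
    manual): the Never Stream list wins, then the Always Stream list,
    then the Streaming Threshold, where a file at or above the threshold
    is streamed and a threshold of 0 streams every file.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext in config["never_stream"]:
        return False
    if ext in config["always_stream"]:
        return True
    threshold = config["streaming_threshold"]
    return threshold == 0 or size_bytes >= threshold


def config_conflicts(config):
    """Extensions listed under both Always Stream and Never Stream.

    Such an overlap means the outcome depends on which list is consulted
    first, so it is worth flagging before the settings are applied.
    """
    return sorted(config["always_stream"] & config["never_stream"])


if __name__ == "__main__":
    for name, size in [("mail.pst", 10), ("notes.txt", 50 * 1024 * 1024),
                       ("image.iso", 4 * 1024 * 1024)]:
        print(name, "stream" if should_stream(name, size, SAMPLE_CONFIG) else "buffer")
    print("conflicts:", config_conflicts(SAMPLE_CONFIG))
```

Streaming keeps a file open on the remote file system for the whole edit, so the Block Timeout above applies to every streamed read; a file type that is known to be read in small random pieces is the natural candidate for the Always Stream list, while one that is always rewritten whole belongs in Never Stream.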

Applications
This function of SSL-Explorer allows for the publishing of applications that are to be either
downloaded or launched by clients via the SSL-Explorer server. The benefits of being able to
distribute resources in this way are mainly linked with the reduced costs of distributing applications
and dependent software. Note that applications cannot be created unless a valid Extension has been
installed within the SSL-Explorer server.

This section will cover:

• What is an Application Shortcut?
• Applications Interface
• Publish a new Application
• Edit an existing Application
• Removing an Application
• Additional Application Configurations

What is an Application Shortcut?

An Application shortcut allows for the publication of an application via the SSL-Explorer server. This
means an application can be distributed very easily to authorized clients and removes the need to
install specific application software on each client. In order for an application shortcut to function it
requires the following information:

• Shortcut Identity
• A valid Extension type
• A valid Application shortcut configuration
• Associated Policy

By using this approach SSL-Explorer can be used to deploy a variety of applications as shown in the
diagram below.

In the diagram the remote clients access the SSL-Explorer instance, which makes applications
available to the remote user. Which applications are available to each remote user depends on the policies
they are linked to.

The other major component of an application is the extension that is associated with it. The extension is
in essence the method of connection to be used to gain access to the application. If no extensions are
installed then no application shortcuts can be created. Some of the extensions distributed by 3SP are
listed below; details on configuring each can be found by clicking its hyperlink:

• UltraVNC
• Linux rdesktop command
• Microsoft RDP Client
• NX Client for Windows
• PuTTY for Windows
• Remote Desktop Protocol (RDP)
• TN5250 AS/400 Terminal Emulator
• Virtual Network Computing (VNC)

Extensions can also be created manually; this, as well as additional information, is detailed further in the
following documents.

• SSL-Explorer: Getting Started Guide
• SSL-Explorer: Configuration Guide
• Knowledge Base Articles

Applications Interface
The main Applications page provides information on all Applications present within the system.

By hovering over any resource a pop-up is loaded that provides valuable information on the details of
each resource; the key information is detailed below:

• Name: The name of the Application shortcut.
• Type: The Extension type.
• Description: Further details on the resource

Action Icons
The action icons against each Application shortcut perform functions on that Application
shortcut; their respective purposes are detailed below:

Delete Application shortcut

Edit Application shortcut details

Execute resource (user console)

Publish a new Application

In order to demonstrate the publishing of a new application this section will detail the steps required to
install the UltraVNC Extension.

UltraVNC is easy-to-use, fast and free software that can display the screen of another computer (via
internet or network) on your own screen. The program allows you to use your mouse and keyboard to
control the other PC remotely.

A second version of the UltraVNC extension is available. This second version can be used to connect to
computers via a VNC Repeater.

License: It is free and open source software released under the GNU General Public License.
Official Site: http://www.ultravnc.com/

Step 1 First select Applications from the Resource Management section of the Management Console. This
displays the following screen.

Step 2 On a fresh install there will be no application records present. In order to publish a new application
click the Create Application Shortcut link as shown below.

This starts the Create Application Wizard. A graphic of the first page follows.

Step 3 In this screen the type of application extension is defined. The wizard behavior changes from step three
onwards, because each application type potentially has different requirements for operating
information. UltraVNC is used in this example but the other application types are covered later in this
section. Select Next.

This screen allows for the entry of the application details. A brief description of each of the fields
follows.

• Name: The name to be used to identify the Application shortcut.
• Description: A description of the Application shortcut.
• Add to favorites: A checkbox that if selected will add the application shortcut to the
favorites of the appropriate accounts.

Step 4 When the desired values have been entered in the fields, click the Next button. This advances to the
following wizard page (General Tab).

As already mentioned, depending on the application type a different Application Options screen will
be presented. In this instance UltraVNC is being used. Each of the options available on the different
tabs is explained below.

General Tab

Each of the options is described briefly below:

• Hostname: Hostname of the remote VNC server that is being connected to.
• Port: The Port on which the remote server is listening. If the VNC server uses Display Numbers
instead of Ports, simply add 5900 to the Display Number to get the Port Number.
• Password: The Password for the remote VNC server. This is usually a maximum of 8
characters.

Display Tab

Each of the options is described briefly below:

• Full Screen: When enabled the remote desktop session will take up the entire screen.
• Display Scale: Magnify or reduce the display area of the remote desktop.
• Disable Status Bar: Disables the Status Bar when connecting to a WinVNC server.
• Disable Hot Keys: Disables the WinVNC Hot keys.
• Disable Toolbar: Disables the UltraVNC Toolbar.
• View Only: Local mouse and keyboard input is disabled.
• Cursor Type: Displays a specific type of cursor in the display window.
o No Cursors: Local system’s current cursor type.
o Dot Cursor: A small dot as the remote cursor.
o Normal Cursor: Displays the remote cursor.

Mouse Tab

Each of the options is described briefly below:

• Emulate 3 button mouse (2 button click): Pressing the left and right mouse button at the
same time emulates a middle mouse button click (i.e. LMB + RMB = MMB).
• Swap Mouse Buttons: Swaps the functions of the left and right mouse buttons.

Protocol Tab

Each of the options is described briefly below:

• Colour Scheme: Alters the color scheme of the display.
• Share the Server with other viewers: Allows other VNC viewers to connect, view and
control the remote desktop.
• Compression Level: The level of compression to be used when supported by a particular
form of encoding. The lower the number, the less compression is applied, which saves
processor time.
• Do not transfer Clipboard contents: This prevents the contents of the Clipboard from being
transferred to the remote client/viewer.
• Encoding: Allows the selection of encoding types for the session.

Advanced Tab

Each of the options is described briefly below:

• Level of Logging: Change level of log output. Use higher numbers to aid debugging.
• Output Console: Display log output on the console.

Once the application options have been entered click the next button to advance to the next page.

Step 5 This page allows for the configuration of policies to be applied against the new application record.
Policies can be added, removed or even configured from this page. When all relevant policies have
been applied click the Next button, which displays the following page.

Step 6 This is simply a summary page detailing key information. If all information on this page is correct press
the Finish button to advance to the final wizard page as shown below.

Step 7 Clicking the Exit Wizard button returns to the main applications page where the newly created
applications record is present.

That is it. This shortcut can now be executed and the configured resource will connect to the remote
machine.

Edit an existing Application
Step 1 To edit an existing application navigate to the applications screen (Management Console →
Resource Management → Applications). A list of existing applications is displayed as shown below.

Step 2 To edit an application just click the Edit action against the application to be altered.

This will then show a tabbed screen where values can be changed for all of the associated information
against an application. In the following example an UltraVNC application type is shown.

Step 3 Clicking the Save button will store the altered values and redisplay the applications screen. Selecting
the Cancel button will not alter any values and return to the application screen.

Removing an Application
Step 1 To remove an existing application navigate to the applications screen (Management Console →
Resource Management → Applications). A list of existing applications is displayed as shown below.

Step 2 To remove an application select the Remove action against the application to be removed.

The following screen is presented.

Step 3 Selecting No will cancel the action and return to the application screen. Selecting Yes will remove the
application and return to the main application screen.

Additional Application Configurations
As already discussed there are a number of types of application that can be created. This section shows
the Application Configuration screen(s) for each of these types. A brief description of each of the
fields present is also included.

Linux rdesktop
rdesktop is a Remote Desktop Protocol (RDP) client for most Unix-like systems such as BSD and
Linux. rdesktop works by interacting with Microsoft Terminal Services.

Linux rdesktop supports all features of RDP, including mapping local drives and printers to the remote
computer. For a full list of features please visit the project’s main site.

Operating Systems: Unix variants such as BSD and Linux.
License: It is free and open source software released under the GNU General Public License.
Official Site: http://www.rdesktop.org/

Each of the options is described briefly below:

• Hostname: The Hostname of the remote RDP server.
• Port: The Port on which the remote RDP server is running (defaults to 3389).
• Domain: The Windows domain name to use for authentication.
• Username: The Windows username to use for authentication.
• Password: The Windows password to use for authentication.
• Color depth: Number of bits per pixel to use. The lower the number, the fewer colors are
available. 16bpp for example has 65536 colors available.
• Full screen: The remote desktop will take up the entire local desktop.

Microsoft RDP Client
Remote Desktop in Windows XP Professional provides remote access to the desktop of your computer
running Windows XP Professional, from a computer at another location. Using Remote Desktop you
can, for example, connect to your office computer from home and access all your applications, files,
and network resources as though you were in front of your computer at the office.

This Microsoft RDP Client only supports the features of RDP that can be executed from the command
line.

Operating Systems: Windows 2000; Windows 95; Windows 98; Windows ME; Windows NT;
Windows Server 2003; Windows XP.
License: Microsoft License
Official Site: http://www.microsoft.com/

Each of the options is described briefly below:

• Hostname: The hostname of the remote RDP server.
• Port: The port on which the remote RDP server is running (defaults to 3389).
• Width: If full screen is not selected this will set the width of the remote desktop in pixels.
• Height: If full screen is not selected this will set the height of the remote desktop in pixels.
• Full screen: If enabled the remote desktop will take up the entire display.
• Console Session: Connects to the Windows console desktop.

NX Client for Windows
NoMachine’s wide range of free NX clients is a lightweight means to carry with you all the power
of your office workstation.

For a full list of features please visit the project’s main site.

Operating Systems:
License: NoMachine NX Products License
Official Site: http://www.nomachine.com

General Tab

Each of the options is described briefly below:

• NX Server Hostname: The hostname of the server which is running NX.
• NX Server Port: The port number on which the NX server is listening. Because NX uses
SSH this will normally be 22.
• NX Public Key: Each NX server uses public key authentication to validate the initial
connection. There is only one key per server.
• NX Username: The name used for authentication on the NX server.
• Session: This defines the type of session. Session can be Unix, Windows or VNC.
• Desktop: Allows for the selection of the remote desktop type to use. For example Gnome or
KDE.
• Connection: Enables the selection of the speed of the network connection. Possible values
are Modem, ISDN, ADSL, WAN or LAN.
• Display Size: Defines the size of the display window.
• Custom Width: When using the custom display size this value will set the display width in
pixels.
• Custom Height: When using the custom display size this value will set the display height in
pixels.

Advanced Tab

Each of the options is described briefly below:

• Disable no-delay on TCP connection: Selecting this option will disable the no-delay setting
when using TCP connections.
• Disable ZLIB stream compression: Selecting this option will disable the ZLIB stream
compression for a connection.
• Enable SSL encryption of all traffic: Allows the session to be encrypted using SSL.
• Cache in memory: Sets the amount of cache to be used in memory.
• Cache on disk: Sets the amount of cache to be used on the disk.

Environment Tab

Each of the options is described briefly below:

• Use font server: Allows the use of a font server.
• Font Server Host: The hostname of the font server to be used.
• Font Server Port: The connecting port of the font server.

XDM Desktop Options Tab

These settings are used if the Desktop field is set to use XDM. Each of the options is described briefly
below:

• XDM Settings: Specifies how the XDM settings are collected.
• XDM Display Host: The hostname of the XDM Display Server.
• XDM Display Port: The port the XDM Display Server connects on.

Custom Desktop Options Tab

These settings are used if the Desktop field is set to use Custom. Each of the options is described
briefly below:

• Application: Allows the user to select how the desktop is launched.
• Run the following command: Runs the entered command at startup but only if the option is
selected in the application field.
• Virtual Desktop: Sets either a fixed display or a moveable window.
• Enable the X agent encoding: Enables X agent encoding in the desktop.
• Enable taint of X replies: This option when enabled will short-circuit simple replies on the
X client side in single application mode.

Windows Session Options Tab

Each of the options is described briefly below:

• RDP Hostname: The hostname of the Windows system being connected to.
• RDP Domain: The domain of the target system.
• RDP Authentication: The method of authentication to be used.
• RDP User: Specifies the name to be used if “Show Windows logon Screen” is selected in the
RDP Authentication field.
• Run an Application at Start-up: Allows an application to be launched when a connection is
made.
• Run the following Application: Runs the entered Application path at start-up if the previous
option is true.

VNC Session Options Tab

Each of the options is described briefly below:

• VNC Hostname: The Hostname of the system being connected to.
• VNC Display Port: The Display port number that is used.

PuTTY for Windows
PuTTY is a client program for the SSH, Telnet and Rlogin network protocols.

These protocols are all used to run a remote session on a computer, over a network. PuTTY
implements the client end of that session: the end at which the session is displayed, rather than the end
at which it runs.

In really simple terms: you run PuTTY on a Windows machine, and tell it to connect to (for example)
a Unix machine. PuTTY opens a window. Then, anything you type into that window is sent straight to
the Unix machine, and everything the Unix machine sends back is displayed in the window. So you
can work on the Unix machine as if you were sitting at its console, while actually sitting somewhere
else.

Some features of PuTTY are:

• The storing of hosts and preferences for them for later use.
• Control over the SSH encryption key and protocol version.
• Command-line SCP and SFTP clients, called "pscp" and "psftp" respectively.
• Control over port forwarding with SSH, including built-in handling of X11 forwarding.
• Full XTerm, VT102, and ECMA-48 terminal emulation.
• IPv6 support
• Public-key authentication support

For a full list of features please visit the project’s main site.

License: MIT licence
Official Site: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Each of the options is described briefly below:

• Hostname: The Hostname on which the SSH server is running.
• Port: The Port that the SSH server is using. Defaults to the normal SSH port number of
22.
• Username: Username used to authenticate with the SSH server.

Remote Desktop Protocol (RDP)
RDP is the remote access protocol that underpins Windows Terminal Services and Windows XP
Remote Desktop Connection.
License: It is free and open source software released under the GNU General Public License.

Each of the options is described briefly below:

• Hostname: The Hostname on which the RDP server is running.
• Port: The Port that the RDP Server is using. Defaults to 3389.
• Domain: The Windows domain name used for authentication.
• Username: The Windows user name used for authentication.
• Password: The password used for the authentication process.
• Bandwidth Saving: Enables the use of the Bandwidth saving mode.
• Fullscreen (Java 1.4+): When enabled this will display the remote desktop on the entire
display area of the local desktop. Java 1.4 or higher must be present for this to work.
• Screen Width: Defines the width of the remote desktop as long as full screen mode is not in
use.
• Screen Height: Defines the height of the remote desktop as long as full screen mode is not in
use.
• Keyboard: Keyboard language code.
• Start Program: A program to start running upon connection.

TN5250 AS/400 Terminal Emulator
An emulator allowing connections to AS/400 machines.
License: It is free and open source software released under the GNU General Public License.

Each of the options is described briefly below:

• Hostname: The hostname of the AS/400 system to connect to (the TN5250 server).
• Port: The port on which the AS/400's TN5250 service is listening.

Virtual Network Computing (VNC)
VNC software makes it possible to view and fully interact with one computer from any other computer
or mobile device anywhere on the internet.

This extension uses the TightVNC variation of the VNC protocol.

License: It is free and open source software released under the GNU General Public License.
Official Site: http://www.tightvnc.com

Each of the options is described briefly below:

• Hostname: The Hostname of the remote system running a VNC server.


• Port: The VNC Display port to be used.
• Password: The VNC Password.
• Operate in a separate window: This will open this connection in a new display window if
one is already open.
• Restrict colors to 8 bits: Restricts the display to 8-bit color, which reduces the bandwidth used.
• View only: Disables the mouse and keyboard allowing only the viewing of the connection.
• Show Controls: Displays a toolbar containing the VNC controls.
• Share desktop: Shares the connection with other clients on the same VNC server.
• Defer screen updates (in ms): Use this option to set the number of milliseconds between
each screen update.
• Defer cursor updates (in ms): Use this option to set the number of milliseconds between
each cursor update.
• Defer update requests (in ms): Use this option to set the number of milliseconds between
each update request.

SSL-Tunnels
SSL Tunnels allow ad-hoc connections to be made between networked computers.

This section covers:

• What is an SSL Tunnel?


• SSL Tunnels Interface
• Create a new SSL Tunnel
• Edit an existing SSL Tunnel
• Remove an existing SSL Tunnel

What is an SSL Tunnel?


An SSL Tunnel is simply a connection between two TCP-enabled components. All of the data
transmitted over a tunnel is encrypted using the SSL protocol, in the same way as other
tunnelling technologies.

For example, a user may wish to create a secure tunnel to a TCP/IP-enabled database that sits on the
other side of an SSL-Explorer server. First, an administrator configures a new SSL-Tunnel that
uses 63389 as its source port and mysql.mycompany.com:3306 (MySQL's default port) as the destination.
The user then activates this tunnel and configures the database client with localhost as the hostname
and 63389 as the port; all traffic between the client and the SSL-Explorer server is then secured.
Note that the final hop, from the SSL-Explorer server to the destination host, is an ordinary TCP
connection and is only as protected as the network it crosses.

You may use the same technique for a number of different applications and protocols. A common use
of tunnels is to secure the SMTP / POP protocols used for email access. In short, anything that uses
a TCP/IP client / server architecture can usually be secured in this manner.

Tunnel Types
Tunnels come in two types:
• Local: A local forward is where the client (the SSL-Explorer Agent on the user's machine) acts as
the listener. Connections made to the source port on the client are carried through the tunnel and
delivered to the destination host and port on the SSL-Explorer side.
• Remote: A remote forward reverses the roles: it is the SSL-Explorer server that acts as the listener,
and connections it accepts are carried back through the tunnel to a destination reachable from the
client machine. The practical implication of this is that a remote user can connect to the central
SSL-Explorer server and have it act as a go-between to access another client machine within that
network.

SSL Tunnels Interface
The SSL-Tunnels page is accessible from Management Console → Resource Management → SSL
Tunnels as shown below.

The main SSL Tunnels page provides information on all tunnels present within the system.

Action Icons
The action icons against each SSL-Tunnel perform functions on the associated tunnel; their respective
objectives are detailed below:

Delete SSL Tunnel

Edit SSL Tunnel details

Execute resource (User Console)

Create a new SSL Tunnel
Step 1 To create a new SSL Tunnel first click the “Create Tunnel” action from the SSL-Tunnel main page.

This will then start the wizard, the first page of which follows.

• Name: The name to be used to identify the SSL Tunnel.


• Description: A description of the SSL Tunnel.
• Add to favorites: A checkbox that if selected will add the SSL Tunnel to the favorites of the
appropriate accounts.

Step 2 Once all the relevant values have been completed simply click the Next button. This will show the
following page.

• Source Interface: The interface the client agent will listen on. This can be any valid local IP
address of the client machine. If it is the machine's network IP address, the listener is reachable
from other hosts, which can connect to the tunnel via your hostname (this replaces the original
'allow external hosts' parameter). If it is 127.0.0.1, the loopback address is used and only
applications on the client machine can connect, using localhost or 127.0.0.1. If left blank, the
agent listens on both. Bind to 127.0.0.1 unless other hosts genuinely need to reach the tunnel:
a listener on the network address lets anyone who can reach that address use the tunnel, and
therefore the user's access to the destination.
• Source Port: The port number to use with the source interface. This is the port on which the
client agent creates a listener that is connected via the tunnel to the destination on the
SSL-Explorer network. It can be any free port number (above 1024 on UNIX-based systems, since
lower ports require root privileges) and is the number that should be used when configuring the
client application. For example, if you were tunnelling from port 60025 to an SMTP server running
on port 25 on the host mail.mycompany.com, the source port is 60025.
• Destination Host: The name of the host that forms the other end of the tunnel.
• Destination Port: The port number on the host that forms the other end of the tunnel. For a
local tunnel this is the service port the SSL-Explorer server connects to (port 25 in the SMTP
example above). For a remote tunnel the roles reverse: the SSL-Explorer server creates the
listener, and connections to it are carried through the tunnel to the agent, which in turn
connects to a server application on the client side, for example a VNC server on port 5900, so
that users on the SSL-Explorer side could use a VNC viewer to display and control that desktop.
• Auto. Start: A checkbox that is disabled by default. When checked the agent will automatically try
to start the tunnel for the duration of the SSL-Explorer session.
• Type: This drop-down box supports the values Local and Remote, as described under Tunnel Types
above. A Local tunnel listens on the client and forwards to the SSL-Explorer network; a Remote
tunnel listens on the SSL-Explorer server and forwards to the remote client's network.
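The forwarding described in What is an SSL Tunnel?, Tunnel Types and the Step 2 parameters above reduces to one pattern: a listener bound to a source interface and port, relaying bytes to a destination host and port. The following added example (not SSL-Explorer or 3SP code) implements that local-tunnel pattern in plain Python so the parameters can be seen in action. It collapses the agent's listener, the SSL-Explorer server and the destination service into one process, omits the SSL leg between agent and server so it runs offline, and uses a constructed echo service as the destination; all names, ports and payloads are assumptions for the demo. It also carries the two checks an administrator makes when filling in the form: who can reach the source interface, and whether the source port is usable without root.

```python
"""Local port forwarder modelling an SSL-Explorer local tunnel (added example,
not SSL-Explorer code). The agent's listener, the SSL-Explorer server and the
destination service are collapsed into one process and the SSL leg between
agent and server is omitted so that it runs offline; all names, ports and
payloads are constructed for the demo."""
import os
import socket
import socketserver
import threading

class _ThreadedServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True

class EchoHandler(socketserver.BaseRequestHandler):
    """Stand-in for the destination service (database, SMTP server, ...)."""
    def handle(self):
        while data := self.request.recv(4096):
            self.request.sendall(data)

def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

class ForwardHandler(socketserver.BaseRequestHandler):
    """One connection accepted on the source port, relayed to the destination."""
    def handle(self):
        dest = socket.create_connection(self.server.destination, timeout=5)
        try:
            back = threading.Thread(target=_pump, args=(dest, self.request), daemon=True)
            back.start()                 # destination -> client
            _pump(self.request, dest)    # client -> destination
            back.join(timeout=5)
        finally:
            dest.close()

class LocalTunnel(_ThreadedServer):
    """Source Interface/Port is where we listen; Destination Host/Port is where we connect."""
    def __init__(self, source_interface, source_port, destination_host, destination_port):
        self.destination = (destination_host, destination_port)
        super().__init__((source_interface, source_port), ForwardHandler)

def validate_source_port(port):
    """Ports below 1024 need root on UNIX, hence the manual's 'over 1024' advice."""
    if not 0 < port < 65536:
        raise ValueError(f"port {port} out of range")
    if port < 1024 and os.name != "nt" and os.geteuid() != 0:
        raise PermissionError(f"port {port} needs root on UNIX-based systems")
    return port

def exposure(source_interface):
    """Who can reach the listener: decide this before choosing a Source Interface."""
    if source_interface in ("127.0.0.1", "localhost"):
        return "loopback only"
    if source_interface == "":
        return "all interfaces"
    return "network address: reachable by other hosts"

def start_tunnel(source_interface, source_port, destination_host, destination_port):
    srv = LocalTunnel(source_interface, source_port, destination_host, destination_port)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def start_echo_service():
    srv = _ThreadedServer(("127.0.0.1", 0), EchoHandler)   # port 0: ephemeral
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def round_trip(port, payload):
    """What the client application does: connect to localhost:<source port>."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        got = b""
        while len(got) < len(payload) and (chunk := c.recv(4096)):
            got += chunk
    return got

if __name__ == "__main__":
    echo = start_echo_service()
    tunnel = start_tunnel("127.0.0.1", 0, "127.0.0.1", echo.server_address[1])
    print(exposure("127.0.0.1"), round_trip(tunnel.server_address[1], b"SELECT 1"))
    tunnel.shutdown()
    echo.shutdown()
```

In a real deployment the client-to-destination path has two legs: the agent's listener to the SSL-Explorer server over SSL, and the server's own TCP connection to the destination. A remote tunnel is the same relay with the listener placed on the server side instead. The `exposure` check is the decision the Source Interface field forces on you: anything other than the loopback address makes the listener, and the access it grants, available to other hosts.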

Step 3 Once all the relevant values have been completed simply click the Next button. This will show the
following page.

Step 4 Once all the relevant values have been completed simply click the Next button. This will show the
summary page.

Step 5 If the summary information is all correct simply click the Finish button. This will show the final
wizard page.

Step 6 Finally click on the Exit Wizard button to close and exit the wizard. The newly created SSL Tunnel
will now be displayed on the main page.

In addition to this a new item will become available from the User Console as shown below
(Navigation is: User Console → Resources → SSL Tunnels).

SSL Tunnels require the SSL-Explorer Agent to be running in order to operate correctly. More
information is available on the SSL-Explorer Agent in the Configuration Management document.

Edit an existing SSL Tunnel
Step 1 To edit an existing SSL Tunnel navigate to the SSL Tunnels screen (Management Console →
Resource Management → SSL Tunnel). A list of existing SSL Tunnels is displayed as shown below.

Step 2 To edit an SSL Tunnel select the Edit action against the SSL Tunnel to be altered.

This will then show a tabbed screen where values can be changed for all of the associated information
against an SSL Tunnel.

Step 3 Clicking the Save button will store the altered values and redisplay the SSL Tunnels screen. Selecting
the Cancel button will not alter any values and return to the SSL Tunnels screen.

Removing an SSL Tunnel
Step 1 To remove an existing SSL Tunnel navigate to the SSL Tunnels screen (Management Console →
Resource Management → SSL Tunnel). A list of existing SSL Tunnels is displayed as shown below.

Step 2 To remove an SSL Tunnel just click the Remove action against the SSL Tunnel to be removed.

After pressing the Remove button the following screen is presented.

Step 3 Selecting No will cancel the action and return to the SSL Tunnels screen. Selecting Yes will remove
the SSL Tunnel and return to the main SSL Tunnels screen.

Profiles
Profiles configure the general working environment for a user. The system provides two areas of
control and they are the session and SSL-Explorer agent properties. This chapter covers all that is
needed to use and manage profiles from creating to configuring them.

The sections covered in this chapter are:

• What is a Profile?
• Profiles Interface
• Creating a new Profile
• Editing Profile Parameters
• Editing a Profile Description
• Deleting a Profile

By the end of this chapter the reader should have a good understanding of profiles and how best to
configure them to suit their own environment.

What is a Profile?
A profile simply provides a means for a Super User or user to alter the general working environment of
the system. Modification is split into two distinct areas: settings that affect a session and settings
that affect the SSL-Explorer Agent.

The SSL-Explorer Agent is an applet that tunnels data from insecure applications: the agent intercepts
the data and encrypts it for transmission. The agent is mainly used by resources such as SSL-Tunnels
and Web Forwards; further information on the agent and resources can be found in the SSL-Explorer:
Resource Management Guide.

The session parameters affect how the active session behaves and includes such things as session
inactivity timeout which defines how long a user can sit idle before being automatically logged out.

Profiles can be accessed and configured by both the Super User and the user; however, only the Super
User can configure the system default profile. Users themselves, if given the permission to do so (refer
to the Permissions chapter in SSL-Explorer: Access Control Guide), can create and manage their own
profiles.

Profiles are a great way for users to configure an environment based upon where they are accessing the
system from. For example a user might configure a ‘home’ profile which is configured for use when
working from home. Another might be to create a profile called ‘On-site’ which could be used for
when the user is on a customer site.

Profiles Interface
The main profiles page lists the currently configured profiles. This page is located under Management
Console → Resource Management → Profiles.

The main page details which policy a profile is associated with.

If a user has been given the permission to maintain profiles only those profiles associated with a user’s
policy are visible from the user console under User Console → Resources → My Profiles.

Action Icons
The action icons against each profile perform functions on the associated profile; their respective
objectives are detailed below:

Delete profile

Edit profile name and description details

View or edit profile parameters (More…)

Creating a new Profile
Step 1 From the main profiles page select the Create Profile action in the Action pane in the top right of the
page.

Step 2 The first step in the wizard is the naming of the resource. Provide an appropriate name and description.

The profile itself, when created, has to be based on an existing profile. All the current parameters set
within this base profile are copied into the new profile. The Base on profile parameter should be used
to select an appropriate profile to use.

Step 3 The next step is associating this profile to a policy. Select the appropriate policy.

Step 4 In the final step the wizard presents a summary of the profile.

Pressing the Finish button will end the wizard and create the profile.

That’s all there is to it.

As you will have noticed, the profile itself has not yet been configured: it simply takes on the
properties of the base profile. To configure this profile further the Edit Profile Parameters action
must be selected. This is detailed next.

Editing Profile Parameters
From the profiles page select the Configure action listed under the More… button against the required
profile. The Edit profile page will be shown.

From here the Session and Agent properties can be altered. Selecting the appropriate icon will take the
user to the edit page for that area.

Each area is detailed below.

Editing Session Details


The session edit page is shown below.

The parameters are detailed below.

Web server
• Session inactivity timeout: Number of minutes a user may sit idle before the system logs the
user out automatically. Keep this short in profiles used from shared or public machines.
• Compression: Data sent to the browser will be compressed. This costs processor time on the
server but delivers pages more quickly over slow links.

Replacement Variables

Note
The ${} indicates that replacement variables can be included in the resource definition. Clicking the
icon shown will load the available variables that can be used. The session variables are values taken
from the current session. The args variables are values taken from user defined attributes.

User Interface

• Enable tool tips: This enables SSL-Explorer tips to be shown where necessary
• Special effects: Enable or disable special window effects.
• Theme: There is only one theme provided with the default installation called default. New
themes can be added later when offered by 3sp from the extension store. The user can also
manually change the look and feel of the SSL-Explorer user interface.

A theme has three parts:


1. CSS: used to change fonts, colours, borders, a few images etc
2. Images: Each theme can have its own set of images
3. Layouts: These allow a user to radically change the user interface very easily. Using
layouts a user can change the positioning of items for example the default left hand
menu could be moved to run across the top of the page. However these don’t allow
the alteration of the main content area for each page.

The best way to create your own company theme is to copy webapp/theme/default
and webapp/WEB-INF/theme/default to another folder such as
webapp/theme/myTheme and webapp/WEB-INF/theme/myTheme respectively
and edit the content.

Images are easiest to change followed by CSS and finally layouts.

• Default user console resource view: The default view type to use when listing resources in
the user console
• Date format: In which format should dates be used in the system
• Clock type: Select the type of clock you wish to display, this clock is visible in the event
pane.

‘Client’ displays the clients local time, ‘Server’ displays the servers time and ‘Disabled’
prevents the clock from being displayed.

Editing Agent Details

Agent Configuration
• Keep-Alive interval: Because the agent does not have a permanent connection to SSL-Explorer
(HTTP is stateless), a heartbeat is required to inform SSL-Explorer that the agent is still alive.
If SSL-Explorer fails to receive this heartbeat within the interval then all open connections are
closed.
• Shutdown interval: When an agent is being shut down, either by logging off or by clicking the
agent shutdown button, a message is sent to the agent telling it to shut down. If SSL-Explorer does
not receive a de-registration request from the agent within this configured interval, SSL-Explorer
takes it upon itself to clean up any remaining connections, tunnels, objects etc.
• Registration sync timeout: When the agent is launched, the agent applet downloads and tries
to start the agent. The applet then waits for the agent to connect to SSL-Explorer and send a
registration request. If this is not received within the allotted time then the applet is informed
and an error is raised.

No Requirement to Adjust Parameters

Note
The heartbeat, registration and shutdown intervals shouldn’t be altered unless you are working with a
slow network or old hardware.

• Start automatically on logon: Start the agent automatically whenever a user logs in
• Browser command: Command to launch browser, leave blank for automatic
• Web forward inactivity timeout: If a web forward has been inactive for the given duration
close the connection
• Tunnel inactivity timeout: If a tunnel has been inactive for the given duration close the
connection
• Debug: Enable logging, logs will be held on the client machine under
<User_home>/.sslexplorer/applications/Agent/cpn-client.log

• Force basic agent: Force the use of the basic SSL-Explorer agent. This is supported on all
Java platforms and versions from 1.1 upwards (including the Microsoft JVM) and is a smaller
download than the more full-featured agent
• Clear cache directory on exit: Enabling removes the SSL-Explorer Agent files from the client’s
computer on shutdown. Disabling leaves them inside a hidden directory, giving a faster start-up
time on next use. Enable this in profiles intended for shared or untrusted machines so that
nothing is left behind.
• Display information popups: Enabling this shows a popup message whenever the agent is performing
an action. Disabling it removes these popups and lets the agent operate silently.
• Cache directory: The location for storing downloaded applications and other resources. This
directory is maintained within the user’s home directory.
• Remote tunnels require confirmation: Enabling this forces the user to accept each remote
tunnel connection before it is made. Disabling it creates the connections automatically. Because a
remote tunnel results in connections arriving from the SSL-Explorer server into the client’s own
machine or network, confirmation is the safer setting.
• No session timeout if active: This prevents the user session from timing out while the agent is
running, regardless of whether the agent has any open tunnels
• Localhost address: The address to use when SSL-Explorer needs to connect to the loopback
address on the client. For example, this may be set to 127.0.0.2 as a work-around for
connection problems when using the RDP extension on Windows XP SP1

Agent Proxy Configuration

• Type: Type of proxy server, this can also be configured to use whatever proxy the browser is
using.
• Hostname: The hostname of the proxy server
• Port: Port number of proxy server
• Username: If the proxy server requires authentication this is the username provided.
Leaving this blank means the user will be asked to authenticate when the agent connects to the proxy.
• Password: Associated with the above username
• Domain: Authenticating domain if proxy server uses Windows authentication.
• Preferred authentication: If authentication is used the preferred authentication method can
be configured.

Editing a Profile Description
From the profiles page select the Edit Profile Description action against the required resource and the
Edit profile page will be shown. From this page the name and description and to which policy the
profile is assigned can be altered.

Deleting a Profile
The Delete action removes a profile permanently from the system. Selecting the Delete action against
a profile will result in a warning message informing that the profile is about to be deleted, as shown
below.

Selecting Yes will result in the removal of the resource from the system. If this profile is associated
with any policies this link will also be removed along with all other associated links.

Network Extensions
The SSL-Explorer Network Extension (nEXT) is a feature which provides users with full network
connectivity, allowing them to upload and download files and even mount drives as if they were on the
local network. The feature works on Linux and on the Microsoft Windows 2000, XP and 2003 operating
systems.

This chapter covers everything a Super User will need to know to set-up, deploy and administer the
nEXT extension and furthermore it provides details on how a user can get the benefits out of the
service.

The sections included are:

• What is nEXT?
• Network Extension Interface
• Configuring the Server
• Configuring the Client
• Additional Configuration
• Running the Service
• Creating Bridged Configuration
• Sample Scripts

By the end of this chapter the reader should have a good understanding the nEXT extension from
knowing the benefits to creating, using and deploying a successful nEXT deployment.

What is nEXT?
The SSL-Explorer Network Extension’s plug-in provides an OSI layer 2 or 3 secure network
extension, providing an easy-to-configure network interface which has minimal maintenance
overheads.

As part of the Enterprise Edition, SSL-Explorer nEXT is a plug-in to SSL-Explorer that provides full
network connectivity to the connecting client, meaning that a user gains access to the company
network and may remotely perform all of the standard functions, such as adding new drives and moving
files, as if they were sitting in their actual office. Once installed, a Super User is able to configure
any number of virtual network interfaces on the server and allow full network access to the SSL-
Explorer user population.

SSL-Explorer nEXT consists of two components: the server-side component which opens up interfaces
and the client-side component which connects to these interfaces. It is through these connections that
data is transmitted and received between both parties.

As the diagram below shows, in effect nEXT creates a tunnel between two networks.

Each separate network continues to work independently on its own subnet, but in addition a new subnet
is created by nEXT, in this example 192.168.70.0/24. The home network server has to hop from one
subnet to the other to communicate between the nEXT server (and the corporate network) and the
home network. The single clients are not connected to any home network and so run the nEXT client
independently. Each has two network addresses: its standard internet address and its new nEXT
address on the 192.168.70.0/24 subnet.

The nEXT plug-in is not a full ‘clientless’ solution since it needs to install network virtual devices on
each client’s operating system. However all configuration data is maintained on the server so any
changes to these is pushed down to client when it connects. Once installed, its operation is quite
transparent to the user.

Typical Scenarios
There are a couple of typical connection scenarios that this document will address.

• The Road Warrior: One of the more common requirements of a VPN solution is to provide
connectivity to employees out in the field. These users may want access to the company’s
Local Area Network to upload files, read email and use VOIP to make calls from their
laptops.
• The Remote Office: Another common requirement of a VPN solution is to connect two offices
together.

System Requirements
The nEXT extension requires a certain level of resources available on both the SSL-Explorer server as
well as the client machines that will be installing the client software and so to successfully run nEXT
the following requirements should be met:

Server System
• SSL-Explorer 0.2.4, Enterprise Edition
• Microsoft Windows 2000, XP or 2003 Server, OR Linux 2.4 or higher with integrated TUN/TAP driver

Client System
• Microsoft Windows 2000, XP or 2003 Server, OR Linux 2.4 or higher with integrated TUN/TAP driver

Requires Administrative Account to Install Service

Note
In order to install and run the SSL-Explorer: nEXT service on your client machines, you will require
the use of an account with administrative permissions in Windows. Once the service is installed, a
regular user can launch nEXT configurations from the Windows system tray.

Network Extension Interface


The Network Extension interface can be accessed from the Access Control section of the Management
Console.

A number of actions are available against each server and client component these are detailed in the
next section.

Action Icons
The icons are split into those available for a client and those available for a server interface; where
necessary, hyperlinks have been provided to allow direct access to information on the action. It is
recommended, however, that when configuring and executing the nEXT service for the first time the
entire process be followed in order, from the Configuring the Server section onwards.

Client Icons

Launch Client Configuration. Refer to Connecting Client

Install Windows Service. Refer to Windows Service

Add Windows TAP driver Install Client TAP Driver

Delete Windows TAP driver

Compile Linux Client Connecting Client

Edit Client Configuration

Remove Client Configuration

Server Icons

Start Network Extension Starting Server Interface

Add Windows TAP driver Install Server TAP Driver

Delete Windows TAP driver

Edit Server Interface

Remove Server Interface

Configuring the Server
Before we can begin configuration of the plug-in it must first be installed. As with any other plug-in,
you will need to use the Extension Manager for this operation unless already installed with the full
Enterprise Edition release.

For this particular extension the SSL-Explorer server will need restarting before nEXT can be used.

For Linux servers the nEXT extension files are compiled on the operating system, GCC and GCC-C++
should be installed on the server for successful compilation. If compilation does fail SSL-Explorer will
report this when the Super User logs back in.

Avoiding Recompilation with Server Restart


Note Each time a Linux SSL-Explorer instance is restarted it searches for a nEXTserver binary in
$SSLX_HOME/bin directory. If this is not found then a compile of the binary is performed
and the output copied to $SSLX_HOME/bin directory. A compile is only performed again
when the Network Extensions version has changed.

A compiled binary from another server can be used by copying the binary to
$SSLX_HOME/bin directory and checking the 'Do not compile' parameter under System
Configuration → Resources → Network Extensions. If this is not set the system will re-
compile and not use the copied binary.

If the system is not compiling the binary itself then at each version change take a newly
compiled version and copy to $SSLX_HOME/bin, failure to do so may result in problems as
the binary may not be compatible with the latest version of the plug-in.

The basic steps that need to be carried out for a successful server side implementation is as follows:

• Configuration of the server interface


• Installation of the TAP driver

Both these steps are covered below.

Step 1 The first step in the process is the creation of a server interface. The server interface is a virtual
network adapter that resides on the operating system that hosts your SSL-Explorer server. This virtual
adapter (typically called a TAP device) provides the connection between your LAN and your VPN
clients.

Step 2 This opens the Network Extensions main page. From the Action list in the event pane choose
whichever action is appropriate: Create Bridged Interface or Create Routed Interface.

• Bridged: A bridged interface essentially involves combining an existing Ethernet interface
on your server with a virtual TAP interface, placing them together under the umbrella of a
single bridge interface

Benefit of Bridged Interface


Note One of the benefits of using a bridged interface is that a connecting client can obtain an IP
address from the LAN subnet.

• Routed: A routed interface involves creating a separate subnet for VPN clients; each
connecting client receives an IP address from the VPN subnet and not an IP address from the
LAN.

This requires some additional network configuration, setting up routes on your gateway and
ensuring that the operating system hosting SSL-Explorer is acting as a router

Benefit of Routed Interface


Note One of the benefits of using a routed interface is that Routing is more scalable and efficient
than bridging.

Overall bridging and routing are very similar, with the major difference being that routed interfaces
will not pass IP broadcasts across the VPN, but a bridged interface will.

Step 3 To create an interface a number of details are required, firstly the name and description of the interface

Secondly the ‘Interface Settings’ need to be configured.

The parameters are as follows:

• Network: Network address for this subnet in CIDR format. In the screenshot above a private
subnet of 192.168.70.0/24 has been created. This is the same as using 192.168.70.0 with a
subnet mask of 255.255.255.0 which will provide 256 hosts (254 useable addresses as
192.168.70.0 is the network address and 192.168.70.255 is the broadcast address).
• IP Address: IP address assigned to the server’s end of the interface, taken from the defined subnet.
By default the server will be assigned the first available IP address in the subnet range, which in
the above example would be 192.168.70.1.
• Max Clients: Maximum number of concurrent clients that can connect to this subnet. This
figure is also affected by the number of concurrent users you have licensed for SSL-Explorer:
Enterprise Edition.

Step 4 If you have chosen to create a routed interface then the routing tab will need completing.

• Published Network: This box contains a list of the published networks for this server
interface. A published network is any network which you want clients connecting to this
interface to have access to. In the example, we have added the 192.168.0.0/24 subnet which is
the main LAN that clients will need to access.
• MTU: The ‘Maximum Transmission Unit’ for Ethernet frames.
• Route between clients: If checked clients on the VPN will be able to communicate with
other clients on the same VPN.
• Publish client networks to other clients: The client configuration page allows connecting clients
to publish networks of their own. By default these networks are not accessible by other clients.
Checking this box makes these published networks accessible by other clients; it also requires
the above option, Route between clients, to be checked. Consider whether every VPN client should
be able to reach every other client’s network before enabling this.

Step 5 For advanced users, select the Commands tab to configure any required Up and Down commands.

• Up Commands: Commands that will be executed once the interface has started. In the screenshot
above the text in quotation marks will be echoed, with the ${IPADDR} token replaced by the
interface’s actual IP address. Any command that can be run from a script file is usable; in fact the
commands listed here are themselves written to a temporary script file and executed by the
SSL-Explorer server. They therefore run with the privileges of the account the SSL-Explorer server
process runs as, so the ability to edit a server interface amounts to the ability to run commands on
the server; grant it only to administrators you would trust with a shell there. Like ${IPADDR}, a
number of other tokens can be used; they are listed below.

Option        Description
${IPADDR}     The IP address of the interface
${DEVICE}     The name of the TAP device created by the ifconfig command
${NETADDR}    The network address for this interface
${SUBNET}     The subnet mask for this interface
${CIDR}       The CIDR string for this interface
${MTU}        The MTU of the interface
${BADDR}      The broadcast address of the network

• Down Commands: As for the Up commands, except that these are executed when the interface is
stopped.

Step 6 Once configured, pressing the Save button will store these parameters. The newly created interface
will now be visible from the main page.

The main page displays the current status of the interface and the available options that be performed
on the associated interface.

The final step is the installation of a corresponding TAP driver on the server to service the new
interface this is detailed in the next section.

DHCP Configuration
When a nEXT client connects to the server, DHCP is used to retrieve the IP address they will be
assigned. The parameters configured in the DHCP tab are pushed to the client to allow it to configure
necessary components such as DNS servers, WINS servers and, NTP servers.

The configurable items are detailed below:

• Address Pool Start Address: Start address of the DHCP address assignment; only IPs in this
range will be allocated by nEXT.
• Address Pool End Address: End address of the DHCP address assignment.
• Domain name: Set the connection-specific DNS suffix. This is used to search domains when a
FQDN is not provided, e.g. hostname rather than hostname.company.co.uk.
• Primary DNS: Set the primary domain name server IP address.
• Secondary DNS: Set the secondary DNS server IP address.

Defining Flush and Register Commands for Windows
Note
If you have problems resolving the DNS server, add the clear DNS cache command, ipconfig
/flushdns, and the DNS registration command, ipconfig /registerdns, to the client Up
command pane in the client configuration window.

• Primary WINS: Set primary WINS server IP address (NetBIOS over TCP/IP Name Server).
• Secondary WINS: Set the secondary WINS server IP address.
• NBDD server: Set primary NBDD server IP address (NetBIOS over TCP/IP Datagram
Distribution Server)
• NTP server: Set primary NTP server IP address (Network Time Protocol).
• NBT type: Set the NetBIOS over TCP/IP node type. Possible options:

1 = b-node (broadcasts)
2 = p-node (point-to-point name queries to a WINS server)
4 = m-node (broadcast then query name server)
8 = h-node (query name server, then broadcast)

• NBS Scope-Id: Set the NetBIOS over TCP/IP scope. A NetBIOS scope ID provides an extended
naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose
of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes
with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is
appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two
hosts will not be able to communicate. The NetBIOS scope ID also allows computers to use
the same computer name, provided they have different scope IDs. The scope ID becomes a part
of the NetBIOS name, making the name unique.
• Disable NBT: Disable NetBIOS over TCP/IP.

These parameters are also available as replacement variables in the Commands tab. The relevant
replacement variables are detailed below.

Option              Description
${DOMAIN}           Domain name
${PRIMARY_DNS}      Primary DNS IP
${SECONDARY_DNS}    Secondary DNS IP
${PRIMARY_WINS}     Primary WINS IP
${SECONDARY_WINS}   Secondary WINS IP
${NTP}              NTP server
${NBDD}             NBDD server
${NB_SCOPE_ID}      NetBIOS scope ID
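As an added example (not code from the SSL-Explorer product or this guide), the following POSIX shell function expands the ${...} replacement variables from both the interface table and the DHCP table above into an Up or Down command template, in the way the text describes the server writing its temporary script; the template, the interface values and the use of a '|'-delimited sed substitution (so that a CIDR value containing '/' is handled) are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of SSL-Explorer: expand the ${TOKEN} replacement
# variables from the interface and DHCP tables into an Up/Down command
# template, the way the server does when it writes its temporary script.
# Usage: render_commands NAME=VALUE ... < template

render_commands() {
    script=$(mktemp) || return 1
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        # Escape characters that are special in the replacement part of a
        # sed "s" command. '|' is the delimiter, so a CIDR value such as
        # 192.168.70.0/24 (which contains '/') needs no further treatment.
        value=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
        printf 's|\\${%s}|%s|g\n' "$name" "$value" >>"$script"
    done
    sed -f "$script"
    status=$?
    rm -f "$script"
    return $status
}

# Constructed Up-command template mixing interface and DHCP tokens.
SAMPLE_TEMPLATE='echo "nEXT device ${DEVICE} up on ${IPADDR} (${CIDR})"
route add -net ${NETADDR} netmask ${SUBNET} dev ${DEVICE}
echo "search ${DOMAIN}" > /tmp/nEXT-resolv.conf
echo "nameserver ${PRIMARY_DNS}" >> /tmp/nEXT-resolv.conf
ifconfig ${DEVICE} mtu ${MTU} broadcast ${BADDR}'

# Render the sample with constructed values for one interface.
render_sample() {
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_commands \
        DEVICE=tap0 IPADDR=192.168.70.1 NETADDR=192.168.70.0 \
        SUBNET=255.255.255.0 CIDR=192.168.70.0/24 MTU=1500 \
        BADDR=192.168.70.255 DOMAIN=company.co.uk PRIMARY_DNS=192.168.0.2
}

render_sample
```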

Install Server TAP Driver
A TAP driver is virtual network kernel driver that simulates an Ethernet network device. Whereas
ordinary network devices are directly backed by physical hardware; data sent to/from a virtual TAP
device is forwarded to/from applications i.e. SSL-Explorer. To the operating system, the process is
transparent and acts in an identical manner to a secondary physical network adapter.

Microsoft Windows 2000 / XP / 2003

Windows does not come preconfigured with a TAP driver and so it must be installed.

Step 1 Log into your machine using an administrative account.

Step 2 The TAP driver is installed from the SSL-Explorer server, so the second step in this process is to log
into the management console on the server instance requiring the TAP driver installation.

Step 3 From the server interface listing select the ‘Install Windows TAP Driver’ action.

Multiple Server Interfaces
Note
For each new network you wish to extend, a new TAP driver will need to be installed on the server to
service that network.

This will begin downloading files from the server on to the client machine.

Step 4 As the SSL-Explorer nEXT TAP driver is currently unsigned, a warning will appear. Select Continue
Anyway to install the driver.

Warning Message
Note
The warning message will appear for every instance of the TAP driver you have installed; this could
be multiple times. Continue pressing Continue Anyway until the driver installation is complete.

Step 5 Once complete press Ok to complete the installation process.

That’s all there is to installing a Windows TAP driver.

Linux
Most Linux distributions come with an integrated TUN/TAP driver.

Step 1 Firstly, make the device node.

mknod /dev/net/tun c 10 200

Step 2 Add to /etc/modules.conf

alias char-major-10-200 tun

Step 3 Load the TUN/TAP driver

modprobe tun

That is all there is to configuring the server-side of the nEXT plug-in. The next section details the
client side which must also be configured.

Configuring the Client
The client side follows a similar premise to the server interface configuration:

• Client configuration
• Installation of the TAP driver

Both these steps are detailed below.

Step 1 From the Network Extensions page select the appropriate client configuration action. A client
configuration is seen as a single client connecting to the nEXT server, whereas a routed client can be
seen as an external network connecting to the nEXT server.

Step 2 This will start the ‘Create Client Configuration’ wizard. The first step requires the name and
description of the configuration.

Checking Add to favorites adds this configuration to the client’s Favorites page.

Step 3 The next step requires the interface configuration to be defined.

• Server Interface: the server configuration to use. This should be the interface that was
configured earlier.
• IP Address: Optionally you can specify an IP address to bind to this client configuration.
• Device Name: Optionally you can also specify a device name associated with the TAP
network driver.

Step 4 If you have chosen to create a routed client configuration then you can configure any routing
information in this step.

• Published Network: a list of the published networks for this client interface. A published
network is any network which you want clients connecting to this interface to have access to.
In the example above I have made the client-side LAN, 192.168.70.0/24, visible to the server.
• MTU: The ‘Maximum Transmission Unit’ for Ethernet frames.

Step 5 The next step for both configurations allows any up and down commands to be defined.

Step 6 Select the policy this resource should be attached to. Adding this to the ‘Everyone’ policy ensures that
the entire user population will have access to this client.

Step 7 The final step displays the summary of the configuration. If you are happy with the configuration
select the Finish button to create the resource. The newly created client will be visible from the main
Network Extension page.

The next step is the installation of a TAP driver to route requests from the client machine to the
corresponding TAP driver on the server; this is detailed in the next section.

Install Client TAP Driver


A TAP driver is a virtual network kernel driver that simulates an Ethernet network device. Whereas
ordinary network devices are directly backed by hardware network adaptors, data sent to and from a
TAP device is forwarded to and from an application, in this case SSL-Explorer.

Microsoft Windows 2000 / XP / 2003

Windows does not come preconfigured with a TAP driver and so it must be installed.

Step 1 Make sure the ‘User console install actions’ checkbox is checked in the nEXT configuration page
(System Configuration → Resources → Network Extensions).

Step 2 Log into your machine using an administrative account.

Step 3 The TAP driver is installed from the SSL-Explorer server, so the next step in this process is to log in
to the user console from the client machine on which you wish the TAP driver to be installed.

Step 4 From the correct client configuration select the Install Windows TAP driver action.

Multiple Server Interfaces
Note
Each client TAP driver is tied to a TAP interface on the server at runtime. If you wish to be able to
access multiple TAP drivers on the server then multiple TAP drivers should also be installed on the
client, one for each network (which should have a corresponding TAP driver installed on the server)
you wish to access.

This will begin downloading files from the server on to the client machine.

Step 5 As the SSL-Explorer nEXT TAP driver is currently unsigned, a warning will appear. Select Continue
Anyway to install the driver.

Warning Message
Note
The warning message will appear for every instance of the TAP driver you have installed; this could
be multiple times. Continue pressing Continue Anyway until the driver installation is complete.

Step 6 Once complete press Ok to complete the installation process.

That’s all there is to installing a Windows TAP driver. The client is now configured.

Additional Configuration
Before we can actually start the server interface a few external items for the server need to be
configured:

• Configuration of necessary routes
• Enabling IP routing on the server

These are detailed below.

In order for the machines on the new subnets created through nEXT to operate successfully with the
VPN, routes need to be configured on the published networks. As a minimum the VPN network
should be added to the routes on those machines that clients may require access to over the VPN.

Where SSL-Explorer is the Default Gateway
Note
If the SSL-Explorer server is the default gateway for your network, the VPN network does not need
to be added to these routes.

Local routes
Suppose the SSL-Explorer server uses the LAN IP address 192.168.0.10 and the VPN subnet is
192.168.70.0.

To add routes across the LAN execute the following command on the machines clients should be able
to access:

• Linux: route add -net 192.168.70.0 netmask 255.255.255.0 gw 192.168.0.10
• Windows: route -p add 192.168.70.0 mask 255.255.255.0 192.168.0.10

The machines will be aware of the VPN and thus be able to respond to requests from the subnet IP
addresses.

If all machines needed to see the subnet then these commands would need to be executed on all
machines.

Global routes
An alternative is to add the route to the default gateway. In this way all machines will instantly be able
to see the subnet through the default gateway. For example, if we have a default gateway of
192.168.0.1 we need to execute the route command on it to route all 192.168.70.0/24 traffic to the
SSL-Explorer server on 192.168.0.10.

• route add -net 192.168.70.0 netmask 255.255.255.0 gw 192.168.0.10

When a client tries to access a machine on the new subnet it will not be able to locate the IP address.
Instead the traffic will go to the default gateway, which will then direct it to the SSL-Explorer server,
which has visibility of the subnet. In the local routes example the default gateway is not configured,
and so if a machine has no knowledge of the subnet the machine is unreachable.

Enable Server IP Routing

IP routing (forwarding) allows data to travel across multiple networks from source to destination. By
default this is disabled on the SSL-Explorer server and needs to be enabled.

Microsoft Windows
To enable routing the IPEnableRouter value in the registry must be set to ‘1’.

Step 1 Run regedit.exe

Step 2 Locate the IPEnableRouter parameter in the registry. This should be located under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Step 3 Change the value from ‘0’ to ‘1’.

Linux
Run the following command:

• echo 1 > /proc/sys/net/ipv4/ip_forward

Since Linux does not use a registry, this command should be added to your startup script to save
having to execute it every time you restart the operating system. How this is configured depends
upon your flavor of Linux; on a Fedora Core installation you can add or edit the following line in
/etc/sysctl.conf.

• net.ipv4.ip_forward = 1

Running the Service
Now that both client and server have been configured all that remains is the starting of each
component.

Starting the Server Interface


Step 1 From the Network Extensions page select the Start Interface action against the appropriate server
interface.

Step 2 The status of the interface should change to ‘Started’ as shown below.

Connecting Client
The client can be executed from the user console in one of the following ways:

• Win32 direct
• Linux Client
• Command line

Each of these is explained below.

Win32 Direct
This is launched directly from the Network Extension page in the user console. Since the process will
start the TAP driver, the user logged in to the client machine must have Administrator privileges and
must also have the TAP driver installed.

Step 1 From the Network Extension page select the Start Client Configuration action against the
appropriate client configuration.

Step 2 This will start the client, in the taskbar the TAP driver icon will appear.

While nEXT attempts to establish a connection the icon will flash briefly.

Once a connection to the server has been established the icon will stop flashing indicating the
connection has been established. The new nEXT network will be available to use.

From Windows Explorer you should now be able to access the drives of those machines on the nEXT
network.

Routes are not immediately published on Microsoft Windows systems
Note
Due to restrictions imposed by Windows networking, the VPN routes are not immediately published
when the nEXT client is launched. Expect to wait around 10-15 seconds after launching the client
before the routes are published and the nEXT VPN client is fully usable.

Linux
The Linux client can only be downloaded and compiled straight from the Network Extension page as
the system is unable to execute the client. Instead the client user will have to manually take the
compiled file and run the client as a command line executable. Details on this can be found in the
Command Line Client section.

Step 1 You will need to have GCC, GCC-C++ and OpenSSL installed on the system before compilation can
be performed.

Avoid Moving Compiled Binaries
Note
It is recommended that you do not attempt to move compiled binaries across Linux platforms as the
C++ runtime support may be different even on the same versions of Linux.

Step 2 From the Network Extension page select the Compile Linux Client action against the appropriate
client configuration.

Step 3 The system will begin downloading the client. Once completed you will receive a notice.

Step 4 Once the client has been built you can move it to somewhere appropriate on your system and configure
platform scripts to install it as a service.

To run the command please refer to the section below, Command Line Client.

Command Line Client


From the action menu in the user console the user can actually download the nEXT client executable
(nEXTClient).

The executable comes with a host of options applicable to both Windows and Linux. In both cases
running the client will require Administrative/root privileges to allow the client to start the TAP
drivers.

The command line options available are as follows:

Switch  Switch alternative  Description
-h      --hostname          SSL-Explorer server hostname (required)
-P      --port              Port on which SSL-Explorer resides (default=443)
-c      --config            Client configuration identifier
-u      --username          Connecting user's username (prompt if not given)
-p      --password          User's password (prompt if not given)
-i      --ip                Request the given IP address from the server
-m      --mtu               Override the client configuration's MTU setting
-C      --console           Force log output to the console
-f      --logfile           Alternate path to the application's log file
-l      --loglevel          Defines the log level
-r      --reconnect         Reconnect if the connection is lost
-I      --interval          Interval between reconnect attempts (in seconds)
-o      --option            Set a system option, for example ifconfig.path=/usr/sbin
-a      --frames            Log frame information (requires INFO debug level)
-F      --certfile          Client certificate file for authentication (PKCS12)

A script should be created to save having to retype the command every time you wish to start the
client. Below are two examples:

• nEXTclient -h <hostname> -u <username> -C -r
• nEXTclient -h <hostname> -F <certificate file>.p12 -p <certificate password>

The <certificate file> needs to be a standard P12 certificate obtained from the SSL-Explorer
CA and <certificate password> its associated password. For further information on
certificates refer to the Access Control Guide chapter titled Authentication Schemes.

Windows Client nEXTPass.exe
Note
As part of the Windows Client zip file there is an executable called nEXTPass.exe. This enables a
user to encrypt a password for use by the service (i.e. the password entered in the registry settings)
or either of the Windows clients.

Usage:
nEXTPass <unencrypted password>

For example nEXTPass.exe enter_10 outputs an encrypted string
TY2MTM2ZWYzNGY5OTMyMzVmNTkz. This can then be used when running the command line
client: nEXTclient.exe -h sslexplorer -u majid -p TY2MTM2ZWYzNGY5OTMyMzVmNTkz.

Users can also use this to encrypt the passphrase of their client certificate if using client
certificates.

Windows Service
A Windows Service action is available from the Network Extension main page that allows the
configuration of the nEXT client as a Windows service on the client machine. Again Administrative
privileges are required to install the service but once installed any user can use the service.

Step 1 From the Network Extension page in the user console click the Install Windows Service icon against
the appropriate client configuration.

Step 2 Once successfully installed, a dialog will appear. Press ‘OK’ to accept the message.

Step 3 The service is installed but requires configuration. To configure the service run regedit.exe and create
the following key if not present:

• HKEY_LOCAL_MACHINE\Software\SSL-Explorer nEXT

Step 4 Set the log level. Two values can be attributed to this key: ‘logFile’, an absolute path to a file to log to,
and ‘logLevel’, either INFO or DEBUG. Add these if required.

Step 5 To configure a connection, create a subkey under the key. The key can have any name assigned to it.
In the example below the key has been named ‘Office’.

Step 6 In the new key add an ‘args’ string value and add the arguments that need to be passed into the nEXT
client executable. Above you can see the arguments for username, password and hostname are used.

Step 7 If you wish the nEXT configuration to auto start on boot up you need to create another value here, a
new DWORD value named autostart. Its value should be set to 1.

Step 8 The final step is to start the service from the Services control panel (Control Panel →
Administrative Tools → Services). The SSL-Explorer nEXT service will have been installed
previously through the Network Extension page.

When the service is started the nEXT icon should appear in the taskbar as before while the connection
is being made. The networks should be accessible once the service has established a connection.

Creating Bridged Configuration
In this scenario the SSL-Explorer server will be configured with a bridged server interface.

Creating the Server


When using Ethernet bridging, the first task is to create the Ethernet bridge. The Ethernet bridge must
be set up before SSL-Explorer is started. Unfortunately there is no portable method of creating the
bridged interface, so each operating system has its own method.

Windows
This configuration requires Windows XP or higher on the bridge side as Windows 2000 does not
support bridging, however a Windows 2000 machine can be a client on a bridged network.

Ensure that you have at least one spare TAP driver installed on the SSL-Explorer server. Rename this
to “tap0” or any other name of your choosing. Next select tap0 and your ethernet adapter with the
mouse, right click, and select Bridge Connections. This will create a new bridge adapter icon in the
control panel.

Edit the TCP/IP properties on the bridge adapter and set the IP address to that of your SSL-Explorer
server. It is not possible to use DHCP as the IP address must be known to SSL-Explorer.

Your bridged connection has now been created and you can proceed to configuring SSL-Explorer.

Linux
First, make sure you have the bridge-utils package installed. On Fedora Core this can be installed using
the command yum install bridge-utils

Create a new file in $SSLX_HOME/bin called bridge-start.sh. Paste in the contents of the
sample script given below under Sample Scripts and set the br, tap, eth, eth_ip, eth_netmask, and
eth_broadcast parameters according to the physical Ethernet interface you would like to bridge.

Make sure to use an interface which is private and which is connected to a LAN which is protected
from the internet by a firewall. You can use the Linux ifconfig command to get the necessary
information about your network interfaces to fill in the bridge-start parameters.

Now run the bridge-start script. It will create a persistent tap0 interface and bridge it with the
active Ethernet interface.

If the file is not executable, run the following command; the same command can be used to make the
bridge-stop.sh and network-bridge scripts executable.

chmod 755 bridge-start.sh

Do the same for the bridge-stop.sh script (see Sample Scripts), ensuring that you edit the content to
reflect the device names entered into bridge-start.sh.
Now run the bridge-stop.sh script; this should remove the persistent tap interface and remove
the network bridge.

These scripts should be configured to start upon system boot. An example script is provided that has
been tested on a Fedora Core installation. Simply create a new file in /etc/rc.d/init.d called
network-bridge and paste in the contents. Assuming you have named the files above as suggested
you should only need to edit the location of SSLX_HOME if it differs from your installation.

Save this file and then execute the command chkconfig --add network-bridge

This should make it available as a service to start on run levels 3, 4 and 5. You can test this by
executing the command service network-bridge start

Configuring SSL-Explorer Bridged Server


Now that you have configured the OS with a bridge you can create the SSL-Explorer server
configuration item.

Step 1 Enter a name and description for your server interface

Step 2 Now select the Interface tab. In the Network field enter the subnet of your LAN; in this example it is
192.168.1.0/24. Next enter the IP address of the SSL-Explorer server; this should be the same IP
address that you configured on the network bridge. Finally, set the Device Name field to the tap
adapter name that is included in the network bridge, in this example tap0.

Step 3 Unless you have some specific commands you want executed when the interface comes up or goes
down you can skip the Commands tab. Now select the DHCP tab and enter an IP range for the VPN
clients; this should be within your LAN’s network scope and NOT part of any existing DHCP range in
the LAN. It is also important to enter your LAN’s domain name and DNS server information.

You can now save the interface configuration.
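As an added example (not code from the SSL-Explorer product or this guide), the following POSIX shell script checks a proposed nEXT address pool against the rule in this step: the pool must lie inside the LAN subnet, avoid the network and broadcast addresses, and not overlap the LAN's existing DHCP range. The LAN 192.168.1.0/24 is the one used in this chapter; the existing LAN DHCP range 192.168.1.100-192.168.1.150 and the candidate pools are constructed values.

```shell
#!/bin/sh
# Added example, not part of SSL-Explorer: sanity-check a nEXT DHCP address
# pool for a bridged interface. The pool must lie inside the LAN subnet,
# avoid the network and broadcast addresses, and not overlap the LAN's
# existing DHCP range. All addresses below are constructed for illustration.

# ip_to_int A.B.C.D -> unsigned 32-bit integer on stdout
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_bounds CIDR -> "first_usable last_usable" as integers on stdout
# (the network and broadcast addresses themselves are excluded)
net_bounds() {
    addr=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    net=$(( $(ip_to_int "$addr") & mask ))
    bcast=$(( net | (4294967295 & ~mask) ))
    echo "$(( net + 1 )) $(( bcast - 1 ))"
}

# pool_ok POOL_START POOL_END LAN_CIDR LAN_DHCP_START LAN_DHCP_END
# Returns 0 when the pool is acceptable; otherwise prints why and returns 1.
pool_ok() {
    ps=$(ip_to_int "$1"); pe=$(ip_to_int "$2")
    ds=$(ip_to_int "$4"); de=$(ip_to_int "$5")
    bounds=$(net_bounds "$3")
    lo=${bounds%% *}; hi=${bounds##* }
    if [ "$ps" -gt "$pe" ]; then
        echo "pool start $1 is after pool end $2"; return 1
    fi
    if [ "$ps" -lt "$lo" ] || [ "$pe" -gt "$hi" ]; then
        echo "pool $1-$2 is not within the usable host range of $3"; return 1
    fi
    # Two ranges overlap when each one starts before the other ends.
    if [ "$ps" -le "$de" ] && [ "$pe" -ge "$ds" ]; then
        echo "pool $1-$2 overlaps the LAN DHCP range $4-$5"; return 1
    fi
    return 0
}

# Demonstration against the chapter's LAN (192.168.1.0/24) with a
# constructed existing LAN DHCP range of 192.168.1.100-192.168.1.150.
for pool in "192.168.1.200 192.168.1.220" \
            "192.168.1.120 192.168.1.160" \
            "192.168.1.0 192.168.1.20"; do
    set -- $pool
    if pool_ok "$1" "$2" 192.168.1.0/24 192.168.1.100 192.168.1.150; then
        echo "OK: pool $1-$2 can be used for nEXT clients"
    fi
done
```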

Step 4 The next step is to create a client configuration. At this stage we are going to set up a simple client
configuration that allows single clients to connect and obtain a LAN IP address.

Step 5 Next, ensure that the Server Interface in the dropdown is the bridged interface we created previously.
You can leave the IP address and Device name fields empty as they are not required in this
configuration.

Step 6 Finally you may want to enter some up commands to ensure that DNS is updated on the client
correctly. In the Up commands enter:

ipconfig /flushdns
ipconfig /registerdns

This will ensure that any previous DNS entries are removed and that the TAP interface of the client is
registered with the operating system’s DNS service.

If you want to force your users' internet traffic through SSL-Explorer you could also add the
following (the route add as an Up command and the matching route delete as a Down command):

route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1

route delete 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1

Sample Scripts
bridge-start.sh
#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Set this to the root of your SSL-Explorer installation
SSLX_HOME=/opt/sslexplorer

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"

# Define the IP settings for the bridged interface
# NOTE: this must match the IP address assigned to
# the SSL-Explorer server interface
eth_ip="192.168.1.61"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.1.255"

# Create a persistent TAP device for each name listed in $tap
for t in $tap; do
    ${SSLX_HOME}/bin/nEXTserver --mktun $t
done

# Create the bridge and attach the physical interface and the TAP interface(s)
brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

# Bring the member interfaces up without an address, in promiscuous mode
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

# The bridge itself carries the server's LAN address
ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast

bridge-stop.sh
#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Set this to the root of your SSL-Explorer installation
SSLX_HOME=/opt/sslexplorer

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

# Take the bridge down and delete it
ifconfig $br down
brctl delbr $br

# Take each TAP interface down and remove the persistent device
for t in $tap; do
    ifconfig $t down
    ${SSLX_HOME}/bin/nEXTserver --rmtun $t
done

network-bridge

#!/bin/bash
# chkconfig: 345 50 26
# description: Network Bridge
#
# An init script to start and stop the Network Bridge

SSLX_HOME=/opt/sslexplorer

case "$1" in
start)
    echo "Starting Network Bridge"
    ${SSLX_HOME}/bin/bridge-start.sh
    ;;
stop)
    echo "Stopping Network Bridge"
    ${SSLX_HOME}/bin/bridge-stop.sh
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
*)
    echo $"usage: $0 {start|stop|restart}"
    ;;
esac
exit 0

Virtual Hosts
SSL-Explorer is able to host more than one domain on the same server; this is known as virtual
hosting. This chapter details what virtual hosting is and how you can configure your SSL-Explorer
instance to host multiple domains.

The sections covered in this chapter are:

• What is Virtual Hosting
• Virtual Host Interface
• Creating a new Virtual Host
• Editing a Virtual Host
• Deleting a Virtual Host

What is Virtual Hosting

Virtual hosting provides direct access to a destination without the need to log into SSL-Explorer.
Because virtual hosting does not consider accounts, users without accounts can also benefit from
this feature.

SSL-Explorer simply takes the host header provided and redirects the request to the defined
destination. The only thing that needs to be performed outside of SSL-Explorer is that any source
hostname needs a DNS entry mapping it to SSL-Explorer.

Virtual Host Interface

The main virtual host page lists the virtual hosts currently set up. This page is located
under Management Console → Resource Management → Virtual Hosts.

Action Icons
The action icons against each entry perform functions on the associated virtual host; their respective
objectives are detailed below:

Delete virtual hosting

Edit virtual hosting

Creating a new Virtual Host


Step 1 Select the Create Virtual Host action at the top right of the page.

Step 2 Provide the basic details for the virtual host:

• Name: Name that will be shown in the main window.
• Description: The description for the virtual host.

Step 3 The next bit of information necessary is the actual virtual host information:

• External Hostname: The host header that needs to be redirected. Any traffic directed at this
host will be controlled by this virtual host resource.
• Internal Hostname: The actual destination to which this traffic should be directed.

Step 4 As a final step a DNS entry needs to be made that will map the external hostname,
timebooking.co.uk, to the SSL-Explorer instance. This creates the initial link between the host and
SSL-Explorer; without this entry the workstation will try to resolve timebooking.co.uk and not find
any site.

Editing a Virtual Host


From the virtual host page select the Edit Virtual Host action against the required resource. The edit
page will open allowing the data to be edited.

Deleting a Virtual Host


The Delete action removes a virtual host permanently from the system. Selecting the Delete action
against a virtual host will result in a warning message informing that the resource is about to be
deleted, as shown below.

Selecting Yes will result in the removal of the resource from the system.

Microsoft Exchange 2003 RPC/ HTTPS
This resource is not actually visible from the navigation menu on the left, yet it provides a valuable
feature which is not directly used through SSL-Explorer. RPC/ HTTPS allows you to connect to your
Exchange server from an Outlook 2003 client in native mode. Unlike POP/SMTP, this means that all
mail is held centrally rather than being downloaded to each client. This chapter details this feature
further and covers the following topics:

• What is this Resource?
• Configuration
• What is Outlook Mobile Access?

What is this Resource?


This extension provides a pass-thru proxy for Outlook RPC over HTTPS traffic. It is in no way a
replacement for a front-end HTTPS server in a normal Exchange HTTPS topology, but is instead a
facility to allow SSL-Explorer to become the internet facing proxy for your Outlook users, allowing
both SSL-Explorer and Exchange HTTPS over a single open port on the company firewall.

Being part of the SSL-Explorer framework means this benefits from the policy based security; access
to this service is provided by way of authorized SSL-Explorer policies.

What is RPC/HTTPS?
RPC over HTTP allows Microsoft Outlook clients to access Microsoft Exchange server over the
internet. The MAPI protocol usually uses RPC to make calls to the Exchange server using TCP, but
here we are able to tunnel Outlook RPC requests inside an HTTP session.

The RPC over HTTP Proxy networking component extracts the RPC requests from the HTTP request
and forwards the RPC requests to the appropriate server. The advantage of this approach is that only
the RPC proxy server has to allow access from the Internet. Back-end Exchange servers do not have to
allow access from the Internet.

1 Article ‘Technical details of using RPC over HTTP to access exchange from an Outlook client’, Microsoft TechNet

Configuration
Configuration is broken into two parts, the server and the client. This document assumes that the
Exchange administrator has already configured the Exchange server to accept RPC calls over HTTP.
For further information on how to configure this please refer to the Microsoft website or to this site
http://www.kuhnline.com/index.php?id=51.

This chapter however does detail how to configure a new mail account to use SSL-Explorer as a proxy
to communicate with the configured RPC/HTTPS Exchange server.

Pre-requisites
• Trusted Certificate: SSL-Explorer must have a trusted certificate installed or alternatively
each client must trust the SSL-Explorer certificate by adding it to the Internet Explorer trusted
certificate authorities’ store.
• HTTPS Proxy hostname: The HTTPS proxy configured within Outlook must match that of
the certificate used by SSL-Explorer. If the SSL-Explorer server is setup with a trusted
certificate for the host vpn.sslexplorer.com then this must be entered exactly into
Outlook configuration for HTTPS otherwise Outlook will not connect to the SSL-Explorer
server.
• NTLM Authentication: The RPC proxy will only work with Outlook Clients that
authenticate over NTLM.

Configuring SSL-Explorer as a RPC Proxy


Step 1 From the Extension Manager (Management console → Configuration → Extension Manager)
install the SSL-Explorer Outlook RPC/HTTPS extension. Once installed the extension should be listed
in the installed extensions tab.

Step 2 A new tab under Configuration → System Configuration → Resource titled Outlook should be
visible.

From here the mail server can be defined, along with the associated port and the type of backend
server (HTTPS or HTTP). In addition all policies that have access to this feature can be added. To add
a policy simply select the available policies from the RPC/HTTPS policies list.

Users attached to policies that are not in the Selected Policies window will not have the ability to
use Outlook over HTTPS.

Client Configuration
The final step in the configuration is that of the email client, Outlook. Each user can either add a
new profile to an existing account or, as detailed in the following steps, create a new email account.
Either way the main steps are the same; those detailed here are relevant to both.
Step 1 From control panel, access the mail setup by selecting the mail icon.

Step 2 From mail setup access Email Accounts

Step 3 Select Add a new email account from the wizard options.

Step 4 Under server type select ‘Microsoft Exchange Server’.

Step 5 Under the Exchange server settings step select the newly configured Exchange server and the name of
your new mailbox.

Step 6 From the same window select More settings. From the first window, under the Connection tab, check
the Connect to my Exchange mailbox using HTTP box.

Step 7 Selecting the Exchange proxy settings button opens a final window in which the FQDN of the SSL-
Explorer server should be keyed into the Use this URL to connect to my proxy server for Exchange
parameter. Also under the Proxy authentication settings select NTLM Authentication.

That’s all there is to configuring the client.

Once Outlook is started, if SSL-Explorer has not been configured to use the same Windows account as
the one the user is logged in with, the system will prompt for the SSL-Explorer authentication
credentials. If the user is then recognized as a valid user of the RPC/HTTPS resource, SSL-Explorer
will enable communication between Outlook and the mail server over HTTPS.

What is Outlook Mobile Access?
Exchange 2003 provides a new feature called Outlook Mobile Access (OMA). OMA allows users to
access Exchange data from mobile devices. This browser application is similar to Outlook Web
Access but much lighter weight, and is meant to be viewed on today’s latest cell phones.

Configuring SSL-Explorer as an OMA Proxy


Step 1 Set up the Exchange properties as per RPC Client Configuration.

Step 2 Under the Outlook tab (Configuration → System Configuration → Resource) you can define which
policies should be able to access mail through their mobile devices.

Simply add the appropriate ones from the OMA policies list. Users attached to any policy that is not
in the Selected Policies window will not be able to use Outlook Mobile Access.

Step 3 Finally to access mail from a mobile device simply connect your mobile to the following address:

https://<servername>/oma

Internationalization
Internationalization extends the accessibility of your SSL-Explorer installation by providing a
mechanism for presenting a user base with translated versions of SSL-Explorer. This chapter
details all that is needed to translate SSL-Explorer, and covers the following sections:

• What is Internationalization?
• Internationalization Interface
• Creating a New Translation
• Editing a Translation
• Activating a Language
• Translate Extensions
• Share Language
• Deleting a Translation
• Language Selection

By the end of this chapter the reader should have a firm understanding of how to translate SSL-
Explorer and how it can benefit an organization’s multilingual global user base.

System Configuration Options


Note For details on the configuration options available for internationalization refer to the
SSL-Explorer Configuration Guide.

What is Internationalization?
The internationalization feature gives the user a way to take the content of SSL-Explorer and
translate it into a language of their choice that the current SSL-Explorer product may not yet
support. You may also use this feature to create your own company-specific version of SSL-
Explorer, with customized messages that are more relevant to your organization and working practices.

This mechanism means that SSL-Explorer is able to cater for a wider array of users. For example, if
your enterprise’s user base spans a number of countries and continents, you now have the ability to
provide translated versions of the same system to all users.

SSL-Explorer can be tailored specifically to a company’s language needs, providing a more user
friendly environment in which users are not struggling to understand the system.

3SP extends this translation process further by providing a mechanism to submit your translations to
3SP for possible inclusion in a future release. All users can then benefit from these community-created
submissions.

Internationalization Interface
The main internationalization page lists the available languages. This page is located under Management
Console → Resource Management → Internationalization.

The main page details which languages have been installed and which of these is currently activated.

Action Icons
The action icons against each language perform functions on that language; their respective
objectives are detailed below:

Delete inactivated language

Edit an inactivated language

Download language (More…)

Translate extensions (More…)

Language Status
A language can have one of three states. Depending on the state, the language can either be edited for
translation, deleted from the system, or neither; in the last case neither action can be performed until
the language is set to the appropriate state. These states and their rules are listed below:

State Can language be edited? Can language be deleted?


Default
Inactivated
Installed

Creating a New Translation


Step 1 From the main page, the action menu in the top right presents the only available action, Create
New Language. Selecting this begins the creation process.

Step 2 The first step is to provide information regarding the new translation.

• Predefined language and country: This requires the locale for the new language. In this
example I am using the ‘French – Canada’ language.
• Base language: This provides a list of the currently installed languages. Selecting one loads the
content of that language into the new translation.
• Name: The name will be shown on the main page and to all users in the Language Selection
box, so it is essential that a sensible name is used.

Select the Save button to store the new translation.

That’s it. The new language will be visible from the main internationalization page.

As you can see above, any newly created language is Inactivated; to activate it the content needs to be
translated. This is done through the Edit action icon.

Editing a Translation
Step 1 The language which needs translating, new or old, must not be currently in use. From the main window
set the language to Inactive (refer to the section titled Action Icons to do this).

Step 2 From the internationalization page select the Edit action against the required resource; this will start
the edit translation wizard.

The first step in the wizard is selecting the category to translate.

The translation wizard breaks the sentences which need translating into logical groupings
based on the area they appear in. As can be seen from the screenshot above, the Categories column lists
all the different areas of the system, from the Installation Wizard right through to the individual enterprise
plugins.

The first step is to choose the area you wish to translate.

Step 3 Selecting a category lists the available sentences in the column to the right.

As the screenshot above shows, the certificates category has been selected. The associated sentences
are listed.

The column listing the sentences is split into two equal columns. The column to the left shows the
actual original English text whilst the right column shows the translated equivalent, in this example the
translation is in French.

Sentences Not Translated Are Shown in English

Note For sentences that have yet to be translated, the right-hand column shows the English text.
As each sentence is translated the English is replaced.

Step 4 The purpose of internationalization is to translate each sentence. To modify a sentence, press the
Modify button.

The original sentence is shown above. The text box to the left is used to enter the new translation.

Depending on the sentence, a number of rules may apply. An example would be a sentence requiring a
dynamic parameter. The instructions for catering for such sentences are detailed in the information
box to the right.

To save the sentence press the Save button.

To move to the next sentence without going back to the previous page (Step 2) simply press the Next
button.

To move back to the sentence above the current one without going back to the previous page (Step 2)
simply press the Previous button.

That’s all there is to it. Once satisfied that all sentences have been translated, simply press Cancel and
select the next category to translate.

Translation State Saved

Note The system stores the current state of the translations, so it is not essential that all sentences
in a category, or even all categories, be translated in one session. The system saves the currently
translated sentences; the same user, or another user with the correct permissions, can continue
translating in a later session.

Activating a Language
Once all the sentences have been modified, the language needs to be activated before users can use it.

From the edit page (Step 2 in the wizard) simply press the Activate button at the bottom of the page.

All Sentences Must Be Translated

Note For a language to be installed for use there must not be any empty sentences. All sentences
must be translated, whether temporarily to English or to the new translation.

This will set the state of the language to Installed on the main page.

The new language will instantly be accessible from the Language Selection box.

All users with permissions to choose a language will see this new language.
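Two of the rules above can be checked before pressing Activate: every sentence must be non-empty (temporarily English if need be), and a sentence that carries a dynamic parameter must keep that parameter in its translation. The Python below is an added example and not a tool shipped with SSL-Explorer. It assumes MessageFormat-style placeholders such as {0} or {1,number}, which is a guess about the sentence format rather than something the guide states, and it runs over constructed sample bundles.

```python
import re
from typing import Dict, List, Tuple

# Placeholder syntax is an assumption of this example: {0}, {1,date} and
# similar, in the style of Java MessageFormat. The guide only says that some
# sentences carry a dynamic parameter and that the information box explains
# the rules for them.
PLACEHOLDER = re.compile(r"\{(\d+)(?:,[^{}]*)?\}")

# Constructed sample bundles: a tiny English base and a partial French draft.
BASE_ENGLISH = {
    "cert.expires": "Certificate {0} expires in {1} days.",
    "login.welcome": "Welcome back, {0}.",
    "menu.logoff": "Log off",
}
FRENCH_DRAFT = {
    "cert.expires": "Le certificat {0} expire dans {1} jours.",
    "login.welcome": "Bon retour.",   # the {0} parameter was dropped
    "menu.logoff": "",                # not translated yet
}


def parameters(sentence: str) -> List[int]:
    """Sorted, de-duplicated list of the parameter indices a sentence uses."""
    return sorted({int(m.group(1)) for m in PLACEHOLDER.finditer(sentence)})


def check_translation(base: Dict[str, str],
                      translation: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, reason) pairs for every sentence that would block activation.

    Two rules are enforced: no sentence may be empty, and a translated sentence
    must use exactly the dynamic parameters of the English original.
    """
    problems = []
    for key, english in base.items():
        translated = translation.get(key, "")
        if not translated.strip():
            problems.append((key, "empty sentence"))
        elif parameters(translated) != parameters(english):
            problems.append((key, "parameters %s differ from English %s"
                             % (parameters(translated), parameters(english))))
    for key in sorted(set(translation) - set(base)):
        problems.append((key, "not present in the base language"))
    return problems


def fill_empty_with_english(base: Dict[str, str],
                            translation: Dict[str, str]) -> Dict[str, str]:
    """Copy of the translation with every empty sentence temporarily set to English."""
    filled = {}
    for key, english in base.items():
        translated = translation.get(key, "")
        filled[key] = translated if translated.strip() else english
    return filled


def ready_to_activate(base: Dict[str, str], translation: Dict[str, str]) -> bool:
    """True only when no sentence would block activation."""
    return not check_translation(base, translation)


if __name__ == "__main__":
    for key, reason in check_translation(BASE_ENGLISH, FRENCH_DRAFT):
        print(key, "->", reason)
```

Filling empty sentences with English clears the first kind of problem but not the second: a translation that silently drops a parameter passes the emptiness rule yet loses the value the system meant to display, so the parameter check is the one worth running separately.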

Translate Extensions
Step 1 Once a language is installed its extensions can be translated. To translate the extensions of a newly
installed translation select the More... button against the selected language and choose Translate
Extension.

The page lists all extensions currently being edited and those currently installed.

Step 2 To edit a new extension select the Translate New Extension action from the action menu to the right.

Step 3 This produces a list of currently installed extensions. Any one listed can be translated. Select the
extension that you wish to translate.

Step 4 The newly selected extension appears in the extension list.

To begin translating simply select the edit action against the extension.

Step 5 From the translation page follow the same principle as with the standard edit action, selecting the
modify button against each sentence allows the sentence to be translated.

Once all sentences are completed, selecting the Activate button will install the extension.

The translated extension will only be accessible once the core language has been selected from the
Language Selection box. Once the core language is loaded the system then loads any installed
extensions associated with this language, in this example it will include the mail check extension.

Share Languages
Once you are satisfied with a translation and have installed it you can download the language as a
packaged zip file and share it with other SSL-Explorer users.

Step 1 Against the installed language simply select the download action.

Step 2 The system compresses all the necessary data into a zip file which needs to be downloaded and saved.

If the download does not start simply press the Here link in the dialog above.

Step 3 Translations you wish to share with the SSL-Explorer community need to be sent to
support@3sp.com.

Deleting a Translation
The Delete action removes the resource permanently from the system. Selecting the delete action
against a language will result in a warning message informing that the resource is about to be deleted,
as shown below.

Selecting Yes will result in the removal of the resource from the system.

Language Selection
During logon and throughout the system the language selection box is visible to the right of the
interface.

This box allows the current translation of SSL-Explorer to be altered. Using the pull down box any
installed languages are visible. Selecting one changes the current language instantly.

Once a language has been translated and its state set to Installed the translation will become visible
from this box.

Various restrictions on this are available; refer to the chapter titled Configure User Interface in the
SSL-Explorer: Configuration Guide for more information.

System Functions
This section introduces the final section in the menu tree, the System section. System encapsulates
functionality that affects the instance as a whole, from functions such as shutting down the server to
viewing the status of the system.

Auditing
The audit module is exclusive to the SSL-Explorer: Enterprise Edition. This powerful reporting tool
allows for the real-time capture and analysis of user and system events. This ranges from items such as
starting and stopping the system through to specific user events such as creating a favorite.

This section covers the following:

• Auditing Interface
• Initializing the Auditing Module
• Creating a New Report
• Running One-Off Reports
• Checking Audit Report Integrity
• Uploading a Report Template
• Changing Recorded Events

Auditing Interface
The main auditing page lists the currently stored reports. This page is located under Management
Console → System → Auditing.


Action Icons
The action icons against each report perform functions on that report; their respective
objectives are detailed below:

Delete inactivated language

Edit an inactivated language

Execute report

Copy Report (More…)

Translate extensions (More…)

Initializing the Audit Module


Before any reporting can be performed the Audit Module must first be initialized. The initialization can
also be run at any time after the Audit Module has been configured; doing so removes all previously
captured audit information, so care should be exercised when using this function.

Step 1 Select Auditing from the System menu.

If the Audit module has not been initialized the first item shown is the initialization wizard.

The first step requires an Audit Seed. This is simply a passphrase that is used to secure the contents of
the audit logs, which helps protect against tampering.

Step 2 The next step allows the selection of the events to monitor. By default all events are selected. If
you wish to remove any of the selected events, just highlight the item you do not want to record
and press the 'remove' button. Once all the events that are to be recorded are selected, click the 'next'
button. This will display the following page.

Step 3 Next, the archiving options are defined.

• Archive Directory: The absolute or relative path of the SSL-Explorer audit archive
directory. This is where any archives are physically stored.
• Minimum Recorded Months: The minimum number of months that archives will be kept for.
• Day to Archive: The day of the month on which the Audit Archive is to be performed.
• Time of Day to Archive: The time of day at which the Audit Archive is to be performed.

Step 4 Finally the configuration details are summarized; pressing Finish will save the auditing details.

The main page for auditing should now be loaded each time the auditing menu item is pressed.

Creating a New Report
Step 1 In the main page select the Create Audit Report action from the action menu.

Step 2 This presents the report creation page.

Each tab contains information specific to the report, and each can be configured. For example, dates
can be defined in the Date tab; below, the report has been configured to report on the week’s auditing
results.

Those who can run this report can also be defined through normal policies by selecting the Policy
tab.

Step 3 Once saved, this report should be visible from the main page.

These reports can be executed over and over again by pressing the execute icon against the appropriate
report. Predefined dates such as 'Last Week' and 'Last Month' are run relative to the current date.

Running One-Off Reports
Not all reports need to be created beforehand; auditing also allows reports to be created on the fly and
run immediately.

Step 1 Select the Run Audit Report action from the action menu

Step 2 From here items for the report can be configured, such as date ranges, as well as the events you
wish to record.

Step 3 Once configured simply press the Run Report button.

This will generate the report and allow it to be downloaded. When the file download dialog appears
simply save or open the file.

The report should be visible once opened, as shown below.

Checking Audit Report Integrity
This option checks the integrity of the audit report and determines whether the report has or has not
been tampered with.

Step 1 From the main page simply select the Check Audit Integrity action.

This requires the seed for the audit report to check against.

Once the seed has been entered simply press the Check button to begin the validation process. The
amount of time this will take will depend on the size and number of Audit files to be checked. Once
the files have been checked the following page will be displayed if no inconsistencies were found.

Alternatively, if inconsistencies were found the following page is displayed. This page will also show
the first record that was found to be incorrect. This will help in determining how and when the
inconsistency occurred.
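The guide does not describe how the Audit Seed protects the logs, so the following Python is an added illustration of one scheme that would behave as the text describes, not SSL-Explorer's actual format: a keyed hash chain in which a key derived from the seed authenticates every record together with the previous record's tag, so a check run with the seed reports the first record that no longer verifies. The key derivation, record layout, seed value and sample events are all assumptions of this example.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample data, modelled on the kinds of events the guide mentions
# (system start/stop, a user creating a favorite). All values are illustrative.
DEMO_SEED = "example-seed-passphrase"   # stands in for the Audit Seed entered in the wizard
SAMPLE_EVENTS = [
    {"time": "2007-03-01T08:00:00Z", "event": "system.start", "user": "system"},
    {"time": "2007-03-01T08:05:12Z", "event": "favorite.create", "user": "alice",
     "resource": "intranet"},
    {"time": "2007-03-01T17:30:00Z", "event": "system.stop", "user": "admin"},
]


def derive_key(seed: str) -> bytes:
    """Turn the seed passphrase into a fixed-length MAC key.

    Assumption for the demo: PBKDF2-HMAC-SHA256 with a constant salt. A real
    deployment would store a random salt alongside the archive.
    """
    return hashlib.pbkdf2_hmac("sha256", seed.encode("utf-8"),
                               b"audit-chain-demo-salt", 100_000)


def canonical(event: dict) -> bytes:
    """Serialize an event deterministically so verification hashes the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_mac(key: bytes, prev_mac: bytes, seq: int, event: dict) -> bytes:
    # Each MAC covers the previous MAC and the sequence number as well as the
    # event body, so altering, reordering or dropping an earlier record breaks
    # every record after it.
    return hmac.new(key, prev_mac + seq.to_bytes(8, "big") + canonical(event),
                    hashlib.sha256).digest()


def seal_events(events: List[dict], seed: str) -> List[dict]:
    """Write the audit records with a chained MAC derived from the seed."""
    key = derive_key(seed)
    prev = bytes(32)
    sealed = []
    for seq, event in enumerate(events):
        mac = record_mac(key, prev, seq, event)
        sealed.append({"seq": seq, "event": event, "mac": mac.hex()})
        prev = mac
    return sealed


def check_integrity(sealed: List[dict], seed: str) -> Optional[int]:
    """Verify the chain; None if consistent, else the seq of the first bad record.

    A wrong seed shows up as an inconsistency at record 0, which is why the
    integrity check must be given the same seed the module was initialized with.
    """
    key = derive_key(seed)
    prev = bytes(32)
    for expected_seq, record in enumerate(sealed):
        if record.get("seq") != expected_seq:
            return expected_seq            # gap or reordering
        mac = record_mac(key, prev, expected_seq, record.get("event", {}))
        if not hmac.compare_digest(mac.hex(), str(record.get("mac", ""))):
            return expected_seq            # body or MAC altered, or wrong seed
        prev = mac
    return None


if __name__ == "__main__":
    chain = seal_events(SAMPLE_EVENTS, DEMO_SEED)
    print("clean chain:", check_integrity(chain, DEMO_SEED))
    chain[1] = dict(chain[1], event=dict(chain[1]["event"], user="mallory"))
    print("first bad record after tampering:", check_integrity(chain, DEMO_SEED))
```

The number returned is the equivalent of the "first record found to be incorrect" that the failure page shows, and everything before it is still trustworthy. One caveat a chain alone cannot cover: removing records from the end of the log leaves a valid shorter chain, so the archive step would need to record the final MAC (or a record count) somewhere the log writer cannot alter.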

Uploading a Report Template
The default reporting templates can be overridden for more specific presentation requirements. To do
this a template must first have been created.

Step 1 Select the Upload Report Template action from the action pane.

The next step is to locate and upload the required template into the system. Pressing the Browse button
will list the local system directories.

The filename refers to a zipped directory containing the appropriate report files.

Simply press the Upload button. This will load the new report template into the system.

Changing Recorded Events

The events that are selected to be recorded by the system can be modified if required. This is done by:

Step 1 Select the Change Recorded Events action from the main page.

This displays the current list of events.

Step 2 Use the event selection tools to move events from available to selected.

Status
Status provides vital information pertaining to the current instance, from the sessions currently active
within the system to hardware details of the server on which the connected instance is running.

The sections covered in this chapter are:

• Session Information
• Status Information
• nEXT Clients
• Outlook Client

Session Information
All users logged into the system are made visible from this page.

As with all resources hovering over a user provides further information on the user.

Pressing the LogOff button against the user will disconnect their session.

Status Information
System information provides hardware information to the user, such as the specification of the server
being used, the operating system it is running on, and so on.

nEXT Clients
From here we can see who is connected to the instance through nEXT. Much like the user sessions
each session can also be terminated.

Outlook Client
Much like the nEXT client page, this shows a list of Outlook sessions connected via this instance. Again
these can be terminated.

Message Queue
The message queue is used to configure and deliver messages to all users of the System. Depending on
the delivery system a message can be sent to online as well as offline users. This chapter provides
information on how to enable an appropriate delivery system as well as how to send messages.

The sections covered are as follows:

• What is the Message Queue
• Message Queue Interface
• Enabling a Delivery System
• Sending a Message
• Clear Message Queue

What is the Message Queue

The message queue gives a privileged user the ability to create messages and have them broadcast
to all users. SSL-Explorer provides two delivery mechanisms: Agent, which can send messages to
users who are currently online, and Email, which sends messages by email to anyone, online or not.

The functionality is flexible enough to allow messages to be sent not only to all principals but
individual principals too.

For further information on messaging and configuration of the delivery systems please refer to the
chapter titled Messaging in the SSL-Explorer: Configuration Guide.

Message Queue Interface

Messaging is accessible from the Message Queue page available from Management Console →
System → Message Queue.

As shown above messages can be delivered either as an SMTP email or via the SSL-Explorer Agent.
In addition to this below the delivery system window is the message queue window which lists the
status of any messages sent.

Enabling a Delivery System
The two main delivery systems are email and the SSL-Explorer agent. To enable either one simply
click on the appropriate system to toggle it on or off.

Any messages sent via the agent will appear on screen whilst the user is online. If the agent is not
running the message will not be received by the user.

Email on the other hand does not rely on any agent but instead sends the message directly to the user’s
email address.

Sending a Message
Step 1 To send a message select the Send Message action from the action box in the top right of the screen.

Step 2 Enter the details of the message.

Step 3 Select the recipients of the message. Select the recipient tab and choose who must receive the message.

Recipients can be selected in a number of ways, through policy, or individual accounts and even roles
if supported.

Step 4 Once done, hit the Send button. The message will be sent through the chosen delivery system. The
newly created message will be visible in the delivery queue on the main page.

Clear Message Queue

If messages are sent quite regularly the status queue can become quite full. The message queue can
therefore be cleared if so desired.

Simply select the Clear Message Queue action from the action box to the right.

The system will ask for confirmation of the action before clearing out the queue.

Shutdown
Certain actions within SSL-Explorer require the instance to be restarted before new additions, such as
some extensions, can be activated. It is from this page that the system can be shut down.

The sections covered in this chapter are:

• Shutdown the Instance
• Restarting the Instance

Shutdown the Instance

Step 1 To shut down SSL-Explorer simply select the Shutdown SSL-Explorer option.

Step 2 Select a delay time; after this time the instance will be shut down.

Step 3 Select the Ok button. The system will begin counting down and, when the delay has
elapsed, the instance will shut down.

The server will need to be manually restarted.

Restarting the Instance

Step 1 To restart SSL-Explorer simply select the Restart SSL-Explorer option.

Step 2 Select a delay time; after this time the instance will be restarted.

Step 3 Select the Ok button. The system will begin counting down and, when the delay has
elapsed, the instance will be restarted.

The server will come back online after a few minutes, with any changes that required a restart now
operational.
