Anywhere Access

Discuss and get help configuring CacheGuard Network Firewall
Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Anywhere Access

Post by Douglas » 17 Feb 2018 10:11

I’m trying to use Windows Server 2016 Anywhere Access which uses ports 80 and 443. When the server’s internal NIC was connected to our internet router it worked fine, including with the Certificate. Now that I have moved to CG between the LAN and internet, what do I need to do to get it working again?

User avatar
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Anywhere Access

Post by david » 17 Feb 2018 16:42

Hi,

If your Windows Server is placed behind your CG (and probably on the same LAN as CG's Internal LAN) you have two possibilities to allow an access to your Windows Server from the Internet:

1- Using CG as a network firewall only and allow TCP on ports 80 and 443 with the following rules:

Code: Select all

firewall external add InternetToWS1 allow tcp any rweb 10.0.10.11 80
firewall external add InternetToWS2 allow tcp any rweb 10.0.10.11 443
In the above example we suppose that your Win Server has the IP address 10.0.10.11.

2- Using CG as a HTTP/HTTPS reverse proxy and SSL terminator for Web services running on your Windows Server. To configure your CG as a reverse proxy for Web services running on your Windows Server please use the following rules :

Code: Select all

tls add MyService
mode rweb on
rweb site add myservice.example.com http 192.168.155.1
rweb site add myservice.example.com https MyService 192.168.155.1
rweb host myservice.example.com add 10.0.10.11
In the above example we suppose that:
a) Your public HTTP/S service is called myservice.example.com.
b) Your Windows Server has the IP address 10.0.10.11.
c) Your CG is configured with the 192.168.155.1 external IP address.
d) MyService is the name of the TLS object associated to https://myservice.example.com.

Please note that if you define a reverse website with both HTTP and HTTPS protocols (as in the example above) all HTTP traffic will be forwarded to the HTTPS website. This means that no HTTP access will be available from the Internet to your Windows Server.

Finally prior to use the apply command you need to initialize your TLS object by either importing your existing certificate(s) and private key or by generating a new certificate/key pair. Please post all your questions about TLS on the freshly created section called [CONFIGURE SECURITY FEATURES / Configure TLS objects] (at viewforum.php?f=21).

I hope the I answered your question.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Anywhere Access

Post by Douglas » 17 Feb 2018 19:23

Hi David
I'm trying option 1 to start with (learn to walk before I run) but will need to use option 2 ultimately. Thanks for those details.
I've replaced my server's IP below and entered your first line via CLI
"firewall external add WSAA allow tcp any rweb 10.0.1.11 80"
but getting "Error 56 This is not a valid destination network interface"
Did I need to do something else before this?

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Anywhere Access

Post by Douglas » 17 Feb 2018 19:36

Apologies, I missed the "rweb" from what I typed and the command you provided is fine.

I've enabled cut & paste to my VM Console but still can't paste to the admin@cacheguard> prompt.
Is that possible and if so how?

User avatar
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Anywhere Access

Post by david » 17 Feb 2018 22:32

I think that without having additional tools (such as VMware tools) installed in your VM, the copy/paste would not work with the CG console. But we don't allow the installation of those tools.

As a workaround I suggest that you activate the SSH administration service and connect to your CG appliance using an SSH client. Therefore the copy/paste will work in the same way as for any other window in your environment. To activate the SSH administration service please use the following commands:

Code: Select all

admin ssh on
apply
Under Windows, PuTTY (https://www.putty.org/) is known to work properly with CG.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Anywhere Access

Post by Douglas » 18 Feb 2018 15:40

Thanks David, that solves the "copy/paste" challenge nicely.

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Anywhere Access

Post by Douglas » 18 Feb 2018 16:18

I confirm the Windows Server 2016 Essentials is on the same LAN as the CG’s internal NIC.
Working with your option 1 above and that code applied, I have done an nmap scan of CG’s external NIC and the only ports open are 22 and 8090, not 80 and 443.

Following is the relevant extract from Textual Configuration

firewall external RUN RWW [on] allow tcp any any 10.0.10.11 80
WSAA [on] allow tcp any rweb 10.0.10.11 443

What am I missing?

User avatar
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Anywhere Access

Post by david » 18 Feb 2018 21:49

With the option 1 it's normal to do not have the 80 and 443 ports open on CG's external interface because when the rweb mode is not activated (as with the option 2) CacheGuard is not listening on those ports. But if you scan your Windows Server (10.0.10.11) from a machine placed in front of CG's external side (ie. on the external LAN or on the Internet) you should view those ports as open. Actually your network should look like this:

(@) --- [InternetRouter] ----- (192.168.155.1) [CG] (10.0.10.254) ----- (10.0.10.11) [WindowsServer]

I assume that you probably configured your Internet router to forward ports 80 and 443 to CG's external IP address. Isn't it? While you might forward ports 80 and 443 to your Windows Server IP address (10.0.10.11) which is placed on the internal LAN. If such a port forwarding (destination NAT) is possible on your Internet router please do not forget to add a static route to the network 10.0.10.0/255.255.255.0 via CG's external IP address on your Internet router. Before testing from the Internet it can help to connect your scanner machine to the external LAN, add a static route to the network 10.0.10.0/255.255.255.0 via CG's external IP address on it and then proceed with the port scan.

The caveat is that if your Internet router is a basic DSL router, port forwarding to IP addresses other than directly connected internal machines may not be possible. Furthermore, sometimes those routers do not allow you to configure static routes. If this is your case, you can configure the port forwarding on your Internet router to forward ports 80 and 443 to CG's external IP address and in turn configure CG to port forward ports 80 and 443 to your Windows Server IP address (10.0.10.11). To do so please use the following commands:

Code: Select all

firewall external add InternetToWSHTTP allow tcp any rweb 10.0.10.11 80 nil 10.0.10.11 80
firewall external add InternetToWSHTTPS allow tcp any rweb 10.0.10.11 443 nil 10.0.10.11 443
Please let us know if this could help to resolve your configuration issue.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Douglas
Posts: 55
Joined: 15 Feb 2018 12:04

Re: Anywhere Access

Post by Douglas » 19 Feb 2018 08:41

Thanks again David, I'm learning more about CG.
My internet router has a DMZ that allows me to allocate the external IP of CG to bypass the firewall and NAT of that router. So no port forwarding necessary on the internet router. Is that correct and sensible?
Yes my nmap scan was from a PC in the external network, not the internet. The scan reports the ports as “filtered” which I guess is CG giving hackers as little information as possible. Is there a setting in CG to temporarily report port status as “open” or “closed”?
After applying the forwards you advise above, from the external network, 192.168.155.1:80 and https://192.168.155.1 still give me nothing, whilst 192.168.155.1:8090 is fine to get to the WebGUI.

User avatar
david
Posts: 157
Joined: 08 Aug 2015 20:38

Re: Anywhere Access

Post by david » 19 Feb 2018 10:26

If your Internet router has firewall capabilities, it's always better to use it as a first security layer and connect the external interface of CG to its internal zone (LAN) and not to its DMZ zone (especially if your router uses a technology other than Linux). In so doing you get two security layers and you reinforce your security at the IP level.

If you connect the external interface of CG to your DMZ router and its Internal interface to your LAN while your Windows Server and Internet router are both connected to the same LAN, you create an asymmetric routing which is not really appreciated by a stateful firewall such as CG and then you get a routing problem. I suspect that your issue comes from your routing configuration and not from CG's firewall.

Also in your previous post you mentioned that you are trying to access http://192.168.155.1 and https://192.168.155.1 from a machine placed on the external network. What happens if you try to access http://10.0.10.11 and https://10.0.10.11? Please remember that with the option 1, CG is not listening on those ports but only acts as a router/firewall with NAT capabilities.

I think that the simplest solution is that you chain your Internet router with CG as follows and do not use the router's DMZ.

(@) --- [InternetRouter] ----- (192.168.155.1) [CG] (10.0.10.254) ----- (10.0.10.11) [WindowsServer]

If my understanding of your network topology is not correct, please feel free to share a L3 network diagram including IP addresses with us so we can help you more to implement CG in your networks.

Best Regards,
David Jan
CacheGuard Technical Team
https://www.cacheguard.com

Post Reply