“Web servers” tab

This section groups the servers configured for access to web resources.

The number of web servers that can be configured varies according to the appliance model:

Model                                                     Max. no. of HTTP servers   Max. no. of other servers
SN150, SN160w, SN200, SN210w, SN300, SN310, U30S, U70S    64                         64
SN510, SN500, SN710, SN700, U150S, U250S                  128                        128
SN910, SN900, U500S, U800S                                256                        256
SN2000, SN2100, SN3000, SN3100, SN6000, SN6100            512                        512

Adding a web server

To add a web access server, the procedure is as follows:

Click on Add, then select one of the suggested server types. A screen for naming the server appears.

Enter a name for this server. (The field can be left empty. Allowed characters: numbers, letters, spaces, -, _, and dots.)

The server's configuration screen then appears. Its parameters are explained below.

Destination server

The object corresponding to the server accessible to the user can be specified in this field.

WARNING

Use an object whose name is identical to the FQDN of the server it refers to. If the two differ (e.g. object name: webmail, FQDN: www.webmail.com), the firewall's requests to this server may be refused.

Port

The port on which the server is reachable by the user. The default for HTTP is port 80.

URL: access path

Path appended to the server address so that the link opens the specified page directly.

URL used by SSL VPN

Link computed from three fields: Destination server, Port and URL: access path (for example http://destination server/URL: access path).

Name of the link on the user portal

The link defined here appears on the Stormshield Network web portal. When users click on it, they are redirected to the corresponding server.

Advanced properties

Enable URL whitelist

Only links that the SSL VPN module has rewritten can be followed through SSL VPN. If an authorized site contains a link to an external website whose server has not been defined in the SSL VPN configuration, that link will not work through SSL VPN.

When the whitelist is enabled, the field Do not rewrite URLs in the category allows access to URLs that have not been rewritten. For example, for webmail access through SSL VPN, if you want users to be able to leave the SSL VPN by clicking on links contained in their e-mails, add a whitelist category containing "*".

WARNING

If the user clicks on a whitelisted link, the user is no longer protected by the Stormshield Network SSL VPN module.

Don't show this server on the user portal (access via another server only)

By default, all servers configured in SSL VPN are listed on the Stormshield Network authentication portal. Some servers, however, should only be reachable through another server; for these, select the option Don't show this server on the user portal. A server configured with this option can still be accessed via SSL VPN, but it does not appear in the direct-access list: it is reached only through a link on another server. An application can thus use several servers while having a single entry point, and therefore a single link in the portal menu.

Deactivate NTLM

Some web servers request NTLM authentication before transferring data to the user. This method can be disabled for servers on which NTLM authentication does not work for traffic passing through the firewall.

Rewrite "User-Agent" field (force OWA compatibility mode)

The "User-Agent" field in the header of an HTTP request identifies the web browser in use, for example on Internet Explorer: Mozilla/4.0 (compatible; MSIE 6.0 ...). Rewriting the "User-Agent" value therefore modifies the HTTP request so that it appears to come from a different type of browser.

This option is particularly useful for forcing the basic mode of Outlook Web Access (OWA). OWA in premium mode (a very advanced mode) uses WebDAV, an extension of HTTP. Not all network equipment supports these extensions (the SSL VPN module on firewalls does support OWA in premium mode), so such traffic may run into compatibility issues, especially over the internet. Rather than requiring all users, internal and external, to use a more basic OWA mode, the option Rewrite User-Agent makes it possible to use "premium" OWA internally (where compatibility with premium mode is easy to obtain) and "basic" mode through SSL VPN (for mobile users connecting over the internet). Since "old" web browsers do not support these extensions, OWA automatically switches to basic mode when it sees the "User-Agent" of such a browser.

Rewrite OWA Premium mode specific code

When this option is selected, the specific rewriting rules that support Outlook Web Access in premium mode are enabled.

Lotus Domino Web Access version 7.0.4 works through SSL VPN tunnels as is, so no specific rewriting rules are needed to support Lotus Domino web applications.

Alternative URLs for this server (alias)

Server alias

Aliases tell the SSL VPN module that the server is known by several names and/or IP addresses. If a mail server is defined as the object "webmail.intranet.com" with the alias "192.168.1.1", the user is redirected to the mail server whether the link visited is "http://webmail.intranet.com" or "http://192.168.1.1". Clicking on Add displays a line in which a new alias can be entered.
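To make the behaviour of the fields above concrete (the link computed from Destination server, Port and URL: access path; alias matching; the URL whitelist and the "*" pattern that lets users leave the SSL VPN; the hidden-server option; the User-Agent rewrite), here is a small Python model of how a link-rewriting SSL VPN module treats the links found in a page. It is an added example written for this page, not Stormshield's code, and the portal prefix (https://vpn.example.com/ssl/<server name>), the legacy User-Agent string, the Host-header behaviour and the sample HTML are assumptions, not taken from the product.

```python
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

# Assumed prefix under which the portal exposes rewritten links (hypothetical).
PORTAL = "https://vpn.example.com/ssl"
# Assumed "old browser" identity sent when the User-Agent rewrite is enabled.
LEGACY_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


@dataclass
class WebServer:
    """One entry of the "Web servers" tab; field names follow the page."""
    name: str                      # name of the link on the user portal
    destination: str               # destination server object (should equal the FQDN)
    port: int = 80
    path: str = ""                 # URL: access path
    aliases: tuple = ()            # alternative names / IPs for the same server
    whitelist: tuple = ()          # "Do not rewrite URLs" patterns; whitelist active if non-empty
    hidden: bool = False           # "Don't show this server on the user portal"
    rewrite_user_agent: bool = False


def target_url(srv):
    """'URL used by SSL VPN': http://destination[:port]/path (port omitted for 80)."""
    host = srv.destination if srv.port == 80 else f"{srv.destination}:{srv.port}"
    return f"http://{host}/{srv.path.strip('/')}".rstrip("/")


def portal_menu(servers):
    """Names listed on the portal: every server except the hidden ones."""
    return [s.name for s in servers if not s.hidden]


def find_server(servers, host, port):
    """Match host:port against each server's destination object and its aliases."""
    for srv in servers:
        if port == srv.port and host in (srv.destination, *srv.aliases):
            return srv
    return None


def rewrite_link(servers, current, href):
    """Classify one link found in a page served through `current`.

    Returns (kind, new_href) with kind 'rewritten' (points at a defined server,
    so it is routed through the portal), 'whitelisted' (not rewritten: the user
    leaves the SSL VPN and is no longer protected) or 'blocked' (neither).
    """
    absolute = urljoin(target_url(current) + "/", href)   # resolve relative links
    parts = urlsplit(absolute)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    srv = find_server(servers, parts.hostname, port)
    if srv is not None:
        tail = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        return "rewritten", f"{PORTAL}/{srv.name}{tail}"
    if any(fnmatch.fnmatch(absolute, pat) for pat in current.whitelist):
        return "whitelisted", absolute
    return "blocked", "#"


HREF = re.compile(r'href="([^"]*)"')


def rewrite_html(servers, current, html):
    """Rewrite every href of a page fetched through `current`; return (html, counts)."""
    counts = {"rewritten": 0, "whitelisted": 0, "blocked": 0}

    def sub(m):
        kind, new = rewrite_link(servers, current, m.group(1))
        counts[kind] += 1
        return f'href="{new}"'

    return HREF.sub(sub, html), counts


def outbound_headers(srv, browser_headers):
    """Headers sent on to the destination (assumed model, not the product's code).

    The Host header carries the destination object name, which is why that name
    must equal the server's FQDN; an old User-Agent makes OWA fall back to basic mode.
    """
    headers = dict(browser_headers)
    headers["Host"] = srv.destination
    if srv.rewrite_user_agent:
        headers["User-Agent"] = LEGACY_UA
    return headers


# Constructed configuration: a webmail server with an IP alias and a "*" whitelist,
# a plain intranet server, and a hidden server reachable only through links.
SERVERS = [
    WebServer("webmail", "webmail.intranet.com", path="exchange",
              aliases=("192.168.1.1",), whitelist=("*",), rewrite_user_agent=True),
    WebServer("intranet", "intranet.company.com"),
    WebServer("images", "img.intranet.com", port=8080, hidden=True),
]

SAMPLE_HTML = (  # constructed page, not a real webmail response
    '<a href="http://webmail.intranet.com/exchange/inbox">Inbox</a>\n'
    '<a href="http://192.168.1.1/exchange/calendar?view=week">Calendar</a>\n'
    '<a href="//img.intranet.com:8080/logo.png">Logo</a>\n'
    '<a href="https://www.example.org/offer">External</a>\n'
)

if __name__ == "__main__":
    page, counts = rewrite_html(SERVERS, SERVERS[0], SAMPLE_HTML)
    print(page)
    print(counts)
    print(rewrite_link(SERVERS, SERVERS[1], "https://www.example.org/offer"))
```

Run through the webmail entry, the first three links are rewritten to the portal (the alias 192.168.1.1 and the hidden images server both resolve), and the external link is left untouched because "*" is whitelisted. Run through the intranet entry, which has no whitelist, the same external link is blocked: that is the difference the WARNING above refers to.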

Adding an OWA web server

The SSL VPN module on Stormshield Network Firewalls supports OWA (Outlook Web Access) Exchange 2003, 2007 and 2010 servers.

"Premium" mode can only be used on Windows with Internet Explorer 5 or higher. It relies on web technologies such as HTML, CSS and JavaScript, but also on Microsoft proprietary technologies such as HTC, XML and ActiveX.

In Exchange 2003, the links are absolute (for example "http://www.company.com/index.htm"), whether they appear in HTML pages, JavaScript, XML data or XSL sheets.

It is therefore possible to add HTTP servers (with specific preset options for perfect compatibility with OWA) to the list of web-access servers.

To add an HTTP server of the OWA type, the procedure is as follows:

Click on Add, then select OWA Web server 2003 (Premium mode) or OWA Web server 2007 – 2010 (premium mode).

Enter a name for this server. (The field can be left empty. Allowed characters: numbers, letters, spaces, -, _, and dots.)

The preset options for an OWA 2003 premium server are: port http, the field URL: access path set to "exchange", the field Enable URL whitelist enabled, the field Do not rewrite URLs in the category set to the URL group "vpnssl_owa", the field Deactivate NTLM enabled and the field Rewrite OWA Premium mode specific code enabled.

For an OWA 2007-2010 server, the pre-entered fields are: port http, the field URL: access path set to "owa", the field Enable URL whitelist enabled with the URL category "vpnssl_owa", and the field Rewrite OWA Premium mode specific code enabled.

The remaining options are configured in the same way as for a "normal" web-access server.

Adding a Lotus Domino web server

The SSL VPN module on Stormshield Network Firewalls supports Lotus Domino servers.

An HTTP server can be added to the list of web-access servers with certain options pre-entered for compatibility with Lotus Domino.

The procedure for adding an HTTP server of the Lotus Domino type is as follows:

Click on Add then select Lotus Domino web server.

Enter a name for this server. (The field can be left empty. Allowed characters: numbers, letters, spaces, -, _, and dots.)

The only pre-entered option for Lotus Domino servers is the port: http.