Web servers tab

This section groups the servers configured for access to web resources.

Adding a web server

To add a web access server, the procedure is as follows:

  1. Click on Add.
  2. Web server name: enter a name for this server (the field cannot be left empty. Allowed characters: numbers, letters, spaces, -, _, and dots.)
  3. Destination server: select or create the object representing the server.
    This server’s configuration then appears. The various settings are explained below.
Destination server

This field allows specifying the object corresponding to the server that the user will be able to access.

WARNING
Make sure that you use an object whose name is identical to the FQDN name of the server it refers to. If this is not the case (e.g. object name: webmail, FQDN name: www.webmail.com), firewall queries to this server may be refused.

Port

The port on the server accessible to the user can be specified in this field. Port 80 is defined for HTTP.

URL: access path

This URL enables going directly to the specified page.

URL used by SSL VPN

Link calculated based on 3 fields: Destination server, Port and URL: access path. (Example: http://destination server/URL: access path).

Name of the link on the user portal

The defined link appears on the Stormshield Network web portal. When the user clicks on this link, he will be redirected to the corresponding server.

Advanced configuration

Do not rewrite URLs in the group

Selecting a host group enables the URL whitelist for this group.


Only links that the SSL VPN module has rewritten can be accessed through SSL VPN. If, on an authorized site, there is a link to an external website whose server has not been defined in SSL VPN configuration, the authorized site will not be accessible via SSL VPN.

If the whitelist has been activated, it will enable access to URLs which have not been rewritten.

For example, for webmail SSL VPN access, if you wish to allow users to quit the SSL VPN by clicking on the links contained in their e-mails, you need to add a whitelist containing “*”.

WARNING
If the user clicks on a link in the whitelist, it will no longer be protected by the Stormshield Network SSL VPN module.

Don't show this server on the user portal (access via another server only)

All servers configured in SSL VPN are listed on the Stormshield Network authentication portal by default. However, it may be necessary for servers to be accessible only through another server; in this case, the option Don't show this server on the user portal has to be selected. When this option is selected during the configuration of a server, this server can be accessed via SSL VPN, but will not be on the direct-access list. A link to this server is needed in order to access it. An application can use several servers but have only one entry point, and therefore only one link in the portal menu.

Deactivate NTLM

Some web servers may request authentication before the transfer of data between the server and the user. This method can be disabled for servers that do not support this authentication method for traffic passing through the firewall.

Rewrite "User-Agent" field (force OWA compatibility mode)

The “User-Agent” field in the header of an HTTP request contains the identifier for the web browser used. For example, on Internet Explorer: Mozilla/4.0 (compatible; MSIE 6.0 ...). Rewriting the “User-Agent” value therefore allows modifying the HTTP request in such a way that it gives the impression of coming from a different browser type.

This option is particularly useful in basic mode of Outlook Web Access (OWA). In fact, OWA in premium mode (a very advanced mode) uses WebDAV, an extension of HTTP. Since not all types of network equipment support these extensions (the SSL VPN module on firewalls supports OWA in premium mode), the transmission of such traffic may give rise to compatibility issues, especially on the internet. Instead of all users (internal and external) having to use a more basic mode of OWA, the option Rewrite User-Agent enables using “premium” OWA internally (compatibility with premium mode is easy to obtain) and using “basic” mode by passing through SSL VPN (for mobile users, via internet). Since “old” web browsers do not support these extensions, OWA automatically operates in basic mode when it encounters the “User-Agent” of one of these browsers.

Rewrite OWA Premium mode specific code

If this option has been selected, you will enable the specific rewriting rules that allow supporting Outlook Web Access in premium mode.

Lotus Domino Web Access version 7.0.4 runs through SSL VPN tunnels. There is therefore no need to enable specific rewriting rules that would allow supporting Lotus Domino web applications.

Alternative URLs for this server (alias)

Server alias

Aliases allow indicating to the SSL VPN module that the server is known by several names and/or IP addresses. If a mail server is defined as the object “webmail.intranet.com” to which the alias “192.168.1.1” is assigned, the user will be redirected to the mail server whether he visits the link “http://webmail.intranet.com” or “http://192.168.1.1”. Clicking on Add will display a line that allows you to add a new alias.
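The link handling described above (the URL used by SSL VPN built from the three server fields, rewriting of links that point at a configured server or one of its aliases, and the whitelist that lets a link leave the SSL VPN unrewritten) can be sketched as follows. This is an added illustration, not the firewall's own code: the server table, the portal base URL, the whitelist patterns and the sample page are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration mirroring the fields described above (not the appliance's format).
SERVERS = {
    "webmail": {"host": "webmail.intranet.com", "port": 80, "path": "exchange",
                "aliases": {"192.168.1.1"}},
}
PORTAL = "https://portal.example.net/sslvpn"  # hypothetical portal base URL
WHITELIST = {"*.example.org"}  # constructed "do not rewrite" patterns; "*" would allow everything

def server_url(name):
    """'URL used by SSL VPN': Destination server + Port + URL: access path."""
    s = SERVERS[name]
    hostport = s["host"] if s["port"] == 80 else f'{s["host"]}:{s["port"]}'
    return f'http://{hostport}/{s["path"]}'

def find_server(host):
    """Match a hostname against each server's object name or one of its aliases."""
    for name, s in SERVERS.items():
        if host == s["host"] or host in s["aliases"]:
            return name
    return None

def whitelisted(host):
    """Glob-style match against the whitelist ('*' matches any host)."""
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), host) for p in WHITELIST)

def rewrite_link(url):
    """(new_url, status): 'rewritten' via the portal, 'direct' if whitelisted
    (the user leaves the SSL VPN and its protection), or (None, 'blocked')."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    name = find_server(host)
    if name:
        query = f"?{parts.query}" if parts.query else ""
        return f"{PORTAL}/{name}{parts.path}{query}", "rewritten"
    if whitelisted(host):
        return url, "direct"
    return None, "blocked"

def rewrite_html(html):
    """Rewrite every href; links neither configured nor whitelisted are neutralised."""
    def repl(m):
        new, _status = rewrite_link(m.group(1))
        return f'href="{new}"' if new else 'href="#"'
    return re.sub(r'href="([^"]+)"', repl, html)

# Constructed sample page: one link through an alias, one to an unknown host.
SAMPLE = ('<a href="http://192.168.1.1/exchange/inbox">Mail</a> '
          '<a href="http://other.test/x">Other</a>')
```

Adding "*" to the whitelist, as the webmail example above suggests, turns every blocked link into a direct one, which is exactly why such links are no longer protected by the module.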

Adding an OWA web server

The SSL VPN module on Stormshield Network Firewalls supports OWA (Outlook Web Access) Exchange 2003, 2007 and 2010 servers.

Premium mode is based on web technologies such as HTML, CSS and JavaScript, but also on Microsoft proprietary technologies such as HTC, XML and ActiveX.

In Exchange 2003, the links are absolute links, regardless of whether they are in HTML pages, JavaScript code, XML data or XSL sheets, such as “http://www.company.com/index.htm”.

It is therefore possible to add HTTP servers (with specific preset options for perfect compatibility with OWA) to the list of web-access servers.

To add an OWA HTTP server, the procedure is as follows:

  1. Click on Add.
  2. Select OWA Web server 2003 (Premium mode) or OWA Web server 2007 – 2010 (premium mode).
  3. Indicate a name for this server (the field cannot be left empty. Allowed characters: numbers, letters, spaces, -, _, and dots.)

Pre-entered options for OWA 2003 premium servers are:

  • HTTP port,
  • URL: access path field indicating "exchange",
  • Selected Enable URL whitelist checkbox,
  • Do not rewrite URLs in the category indicating "vpnssl_owa",
  • Deactivate NTLM field,
  • Rewrite OWA Premium mode specific code field.

On OWA 2007-2010 servers, the following fields are pre-entered:

  • HTTP port,
  • URL: access path field indicating "owa",
  • Enable URL whitelist field indicating "vpnssl_owa" as the URL category,
  • Rewrite OWA Premium mode specific code field.

Other options that have not been entered have to be configured in the same way as for a “normal” web-access server.

Adding a Lotus Domino web server

The SSL VPN module on Stormshield Network Firewalls supports Lotus Domino servers.

An HTTP server can be added to the list of web access servers with certain options specifically pre-entered for compatibility with Lotus Domino.

The procedure for adding a Lotus Domino HTTP server is as follows:

  1. Click on Add.
  2. Select Lotus Domino Web server.
  3. Indicate a name for this server (the field cannot be left empty. Allowed characters: numbers, letters, spaces, -, _, and dots.)

The following field is pre-entered for Lotus Domino servers: HTTP port.