SSL VPN How-To: SSL-Explorer On FreeBSD
By Mr.Mac | August 6, 2006
As with most small companies, there are two and a half factors that have great importance when evaluating a product for your own use. The first is the functionality of the product. Will it do what it’s supposed to do and do it well? The second factor is sometimes the first question…How much does it cost? And that “half” factor that I put out there is the frustration factor. All of these are related. How much does something cost? For this price, I get this functionality–OK. But also, for this price, I am getting a certain level of frustration in implementing the solution. A lot of times, when the frustration level increases, our willingness to increase what we’re willing to pay is affected. Anyway, you see where this is going, and you haven’t come here to hear my less-than-collegiate babbling about micro/macro economics of a small company.
So, on to the meat & potatoes…we looked over our situation and it’s a relatively simple problem. We have three people who need to access a file server, along with some other applications such as ssh and webmin. One of these people will usually be local to the server, so they will be loving life. The rest of us, well, we need the simplest, secure and reliable connection to the server that we can get.
We looked at products like the SonicWall SSL-VPN devices. These are cool. They function nicely and the demo that SonicWall has on their site for this product really demonstrates how well it really does work. The problem with this solution is that while the frustration factor may be low, the price factor is too high. It’s very easy to be talking about hundreds, if not thousands of dollars to get a solution like this in place.
Next, we started to do some Googling to see what other options were available. We’re using a FreeBSD 6.1 server, so we started looking at options from within the ports collection. OpenVPN looked interesting, it’s also an SSL VPN, but it requires a client to be installed on the local workstation–not that any of that is a problem. It’s just not what we had in mind. While searching for more solutions, we came across SSL-Explorer.

The Getting Started manual was very easy to read and understand. It gave a very clear path to follow to get all of this going. And on top of that, the cost factor with this solution is eliminated. The community version is free. Now, that obviously means that the frustration level must increase–and it did a bit.
I suggest going to their site and reading the Getting Started Guide if you’re interested in this as a solution for you or your company. It is a quick, but very informational read. You can find it here:
http://umn.dl.sourceforge.net/sourceforge/sslexplorer/Getting_Started_Guide.pdf.
There are some prerequisites before you can begin…namely ant and java. Both of these were available through the ports collection, so that is how they were installed. Ant was installed by going to /usr/ports/devel/apache-ant and running the command “make install clean”. There are a couple of things that you may be required to download, but, keep your eye on the install and it tells you exactly what needs to be downloaded, where it can be downloaded and where you need to place it for the ports install to work.
The other package you need to install is java. On our server, we used the Sun version of java which is at version 1.5. You can install it by going to /usr/ports/java/linux-sun-jdk15 and running “make install clean”. Just as with ant, it will be asking for a file that you need to download due to licensing issues. Do what the install asks and your prerequisites will be met.
I guess this is where I should mention that the Getting Started Guide for SSL-Explorer talks about setting up path statements. Don’t worry about this on FreeBSD. With ant and java installed through the ports, all of this is taken care of automatically.
The next step is getting SSL-Explorer installed. We downloaded sslexplorer-0.2.6-src.zip by going to their site, http://3sp.com/showSslExplorerCommunity.do, and clicking on the Download button in the top right corner. Get the file, unzip it, and its final resting place can be in /usr/local. Go to that directory, /usr/local/sslexplorer-0.2.6 and you will be set to do the install, exactly as it is described in their Getting Started Guide.
Once you finish the initial setup that is performed on the console, you will then be taken through a web-based step-by-step configuration. Once this is completed, you need to run the command “ant start” inside of /usr/local/sslexplorer-0.2.6. After a few seconds, it will be started and you should be able to direct your browser to https://yourip:443 and see the login page for SSL-Explorer. Go ahead, feel free to log in and take a look around. There are still a few more things you need to do to get it to start up automatically.
To get it to start up automatically when FreeBSD boots up, we took this approach. First of all, the command needs to be run from within the install directory. If you’re not there when you run the command, you simply get an error saying that it can’t find build.xml. So, here’s step 1. Go to /usr/local/etc/rc.d and create a new file called sslexplorer.sh and make sure you give it the proper permissions so it can be executed. Inside the file, you need just two lines of code:
cd /usr/local/sslexplorer-0.2.6
/usr/local/sslexplorer-0.2.6/ant start
The first line obviously gets you to the right place to run the command. The second line actually starts SSL-Explorer. DON’T STOP READING HERE!! THERE’S MORE….
The file above, by itself, will fail to run successfully. I don’t recall the exact error, but it speaks of ant not being a recognized command. This was also a rather simple fix. You need to add a symbolic link within the sslexplorer-0.2.6 directory that points to where ant really is. The following command will suffice, run from within the sslexplorer-0.2.6 directory:
ln -s /usr/local/bin/ant ant
Now, you have everything in place. When FreeBSD boots up, the sslexplorer.sh script is run, which moves you to the right place to run the command “ant start” which uses ant from another place through a symbolic link. Cool.
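One way to harden the boot-time start described above, as an added example that is not part of the original post: since the script runs as root at boot, it first checks that the install directory, build.xml and the ant binary belong to the expected owner and are not group- or world-writable, then calls ant by its full path so the symlink is not needed. The ownership policy, the variable and function names, and the handling of a "start" argument are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before a boot-time "ant start".
# Paths come from the article; the trust policy below is an assumption.
SSLX_DIR="${SSLX_DIR:-/usr/local/sslexplorer-0.2.6}"  # install directory
ANT_BIN="${ANT_BIN:-/usr/local/bin/ant}"              # real location of ant
SSLX_OWNER="${SSLX_OWNER:-root}"                      # expected owner (assumed)

# Succeeds only if $1 exists, is owned by $2 and is neither group- nor
# world-writable. -L follows symlinks, so the real file is what gets checked.
trusted_path() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    [ -n "$(find -L "$1" -prune -user "$2" \
            ! -perm -0020 ! -perm -0002 -print)" ] && return 0
    echo "untrusted owner or mode: $1" >&2
    return 1
}

# Everything the start command will read or execute must pass the check.
preflight() {
    trusted_path "$SSLX_DIR" "$SSLX_OWNER" &&
    trusted_path "$SSLX_DIR/build.xml" "$SSLX_OWNER" &&
    trusted_path "$ANT_BIN" "$SSLX_OWNER" &&
    [ -x "$ANT_BIN" ]
}

start_sslexplorer() {
    preflight || return 1
    # ant reads build.xml from the current directory, hence the cd.
    cd "$SSLX_DIR" && "$ANT_BIN" start
}

# Act only when called with "start" (assumed to be how the boot process
# invokes the script); sourcing the file just defines the functions.
case "${1:-}" in
    start) start_sslexplorer ;;
esac
```

If any check fails, the script prints the offending path to stderr and returns non-zero without launching ant.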
Now that installation is completed, it’s time to start playing with (I meant testing) the functionality of SSL-Explorer. The first thing I did was a Web Forward. This is relatively straight-forward. You simply tell it what site you want it to go to. This could be a local web site on this server, or any site within your LAN.
The next thing we tried was a bit tougher…setting up an SSL Tunnel for a specific port. We started with port 22 for SSH. Almost everything here is self-explanatory as well, but there were two things that threw me for a loop. The first thing asked for is the “Source”. I was confused. Source what? I spit and sputtered for a while and then figured out they wanted the Source Port that the client PC will use to connect to the tunnel. So, I set it for 22. The second thing that confused me was what address to point the SSH Client to on my laptop. I tried a few things–I won’t actually tell you how stupid I really was. I’ll just tell you what worked….point your SSH Client to 127.0.0.1 on port 22. Yahoo!!! It worked.
And finally, the most challenging of all–setting up a “Network Places” tunnel to connect to the Samba share. I’m not sure why this was so confusing, other than there was a little piece of information that wasn’t in text form anywhere in the manuals–it only showed up in a screenshot that demonstrated connecting to an smb server. So, after configuring the tunnel to go to the following location, I was able to get this working:
smb://servername
Once this was in place, the username and password you use for logging into SSL-Explorer is passed along to Samba and you see your shares. If you’re like me, this is the time you’ll start cheering–just like when the Steelers won the superbowl (yes, we’re in Pittsburgh!!! Go Steelers!!!!)
Keep in mind that SSL-Explorer is more Internet Explorer friendly than Firefox friendly, unfortunately. When you’re logged in as a user, looking at the list of resources, the file shares that are available to you show up with a little folder on the right. When you click on it, Windows Explorer opens up and you see the shares like you’re used to seeing them. Or, you can click on the share name at the list of resources and it will open up the Internet-based file access if you don’t want to go through Windows Explorer.
For the most part, that’s the list of my adventures. It was a bit frustrating, but I must admit, I’ve run into much, much worse. On a scale of 1-10, 10 being the best, I would give the application a 9. The frustration level in getting past all the little hurdles–that gets a 6, meaning not too bad. And being able to access our files remotely over a Secure SSL VPN Connection –priceless.


