HTTP/HTTPS connections via IPSec VPN

Last adaptation to the version: 12.6.4

New:
  • Updated for the redesign of the web interface
This article refers to a reseller preview
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Applications → HTTP Proxy


Introduction

HTTP/HTTPS requests are intercepted and processed by the HTTP proxy when Transparent Mode is enabled. (For HTTPS requests, SSL interception must also be enabled.)
The HTTP proxy does not have to be configured in the client's settings.

If the HTTP/HTTPS server (destination of the HTTP/HTTPS request) can be reached via a VPN connection, these connections must be excluded from transparent mode, or the HTTP/HTTPS proxy must be adapted for the use of the VPN connection. This can be done either via an exception rule for transparent mode, or by setting the outgoing IP address of the HTTP/HTTPS proxy.



Scenario 1: Transparent exception rule

Applications → HTTP Proxy, area Transparent Mode, button Add transparent rule
If a VPN connection is to be excluded from transparent mode, a rule is added in the Transparent Mode tab.

Dialog: Add transparent rule
Caption | Value | Description
Protocol: | HTTP / HTTPS | HTTP is selected as the default setting
Type: | Exclude | Exclude is selected
Source: | internal-network | The internal network internal-network is selected
Destination: | Destination IPSec network | Select the network object that is reachable via the IPSec connection to the HTTP server

Click Save and close to apply these settings.
  • If an Include rule for HTTPS exists, an Exclude rule for HTTPS must also be created.


Scenario 2: Outbound proxy address

If the HTTP proxy is to be customized for use with the VPN connection, go to Applications → HTTP Proxy, area General.

Under General, the following is entered:

Caption | Value | Description
Outbound IP address: | 192.168.112.1 | Enter the internal IP address of the firewall. This IP should be in the subnet defined in phase 2 of the IPSec tunnel.

Click Save and close to apply these settings.


Advantages and disadvantages of both scenarios

Scenario 1: Transparent exception rule

Advantages:

  • HTTP traffic is routed, so the network at the remote end sees the IP address of the client

Disadvantages:

  • The virus scanner in the HTTP proxy is not used for this connection

Scenario 2: Outbound proxy address

Advantages:

  • The HTTP request can be scanned by the virus scanner for malicious code

Disadvantages:

  • The network at the remote end only sees the IP address of the proxy.
  • If there are rule and/or source routes for the network, the HTTP proxy is also affected by them.
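The trade-off between the two scenarios can be checked with a small model; this is an added example, not part of the original article or of the UTM's own code. It shows which source address the remote side sees, whether that address fits the phase 2 subnets, and whether the proxy's virus scanner is involved. Assumptions: the subnets 192.168.112.0/24 and 10.20.0.0/24, the client and server addresses, the fallback address 203.0.113.10, the function names, and the premise that a proxy without an outbound IP connects from a firewall address outside phase 2 are all constructed for illustration; only 192.168.112.1 comes from the article.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values; only 192.168.112.1 appears in the article.
PHASE2_LOCAL = ip_network("192.168.112.0/24")      # assumed local phase 2 subnet
PHASE2_REMOTE = ip_network("10.20.0.0/24")         # assumed remote phase 2 subnet
FIREWALL_DEFAULT_SRC = ip_address("203.0.113.10")  # assumed proxy source if no outbound IP is set

# Scenario 1 rule as (protocol, source network, destination network).
HTTP_ONLY_EXCLUDE = [("HTTP", "192.168.112.0/24", "10.20.0.0/24")]


def excluded(proto, src, dst, exclude_rules):
    """True if an Exclude rule matches protocol, source and destination."""
    return any(proto == p and src in ip_network(s) and dst in ip_network(d)
               for p, s, d in exclude_rules)


def evaluate(proto, client, server, exclude_rules=(), outbound_ip=None):
    """Model one request with transparent mode (and SSL interception) enabled."""
    client, server = ip_address(client), ip_address(server)
    if excluded(proto, client, server, exclude_rules):
        # Scenario 1: the request is routed past the proxy, unscanned.
        source, scanned = client, False
    else:
        # The proxy opens its own connection from the firewall.
        source = ip_address(outbound_ip) if outbound_ip else FIREWALL_DEFAULT_SRC
        scanned = True
    # The tunnel only carries traffic whose endpoints fit the phase 2 subnets.
    in_tunnel = source in PHASE2_LOCAL and server in PHASE2_REMOTE
    return {"source_seen": str(source), "scanned": scanned, "in_tunnel": in_tunnel}


if __name__ == "__main__":
    cases = {
        "no exception, no outbound IP": evaluate("HTTP", "192.168.112.50", "10.20.0.80"),
        "scenario 1, HTTP": evaluate("HTTP", "192.168.112.50", "10.20.0.80",
                                     exclude_rules=HTTP_ONLY_EXCLUDE),
        "scenario 1, HTTPS without its own rule": evaluate(
            "HTTPS", "192.168.112.50", "10.20.0.80", exclude_rules=HTTP_ONLY_EXCLUDE),
        "scenario 2": evaluate("HTTP", "192.168.112.50", "10.20.0.80",
                               outbound_ip="192.168.112.1"),
    }
    for name, result in cases.items():
        print(f"{name}: {result}")
```

The HTTPS case illustrates why an Exclude rule for HTTPS is needed in addition to the HTTP one when HTTPS is also handled by transparent mode.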