HTTP/HTTPS connections via IPSec VPN

Last adaptation: 02.2023

New:
  • Layout adjustment and screenshots updated
  • Addition to HTTPS
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ Applications → HTTP Proxy

Introduction

HTTP/HTTPS requests are intercepted and processed by the HTTP proxy when Transparent Mode is enabled. (For HTTPS requests, SSL interception must also be enabled.)
The HTTP proxy does not have to be configured in the client's settings.
If the HTTP/HTTPS server (destination of the HTTP/HTTPS request) can be reached via a VPN connection, these connections must be excluded from transparent mode, or the HTTP/HTTPS proxy must be adapted for the use of the VPN connection. This can be done either via an exception rule for transparent mode, or by setting the outgoing IP address of the HTTP/HTTPS proxy.


Scenario 1: Transparent exception rule

→ Applications → HTTP Proxy, tab Transparent Mode, button Add transparent rule
If a VPN connection is to be excluded from transparent mode, a rule is added in the Transparent Mode tab.

| Caption | Value | Description |
|---|---|---|
| Protocol: | HTTP / HTTPS | HTTP is selected by default |
| Type: | Exclude | Exclude is selected |
| Source: | internal-network | The internal network internal-network is selected |
| Destination: | Destination IPSec network | Select the network object that is reachable via the IPSec connection to the HTTP server |

Click Save to apply these settings.
  • If an Include rule for HTTPS exists, an Exclude rule for HTTPS must also be created.

Scenario 2: Outbound proxy address

If the HTTP proxy is to be customized for use with the VPN connection, go to → Applications → HTTP Proxy, tab General.

Under General, the following is entered:

| Caption | Value | Description |
|---|---|---|
| Outbound IP address: | 192.168.112.1 | Enter the internal IP address of the firewall. This IP should be in the subnet defined in phase 2 of the IPSec tunnel. |

Click Save to apply these settings.

Advantages and disadvantages of both scenarios

Scenario 1: Transparent exception rule

Advantages:

  • HTTP traffic is routed; the remote peer's network sees the IP address of the client

Disadvantages:

  • The virus scanner in the HTTP proxy is not used for this connection

Scenario 2: Outbound proxy address

Advantages:

  • The HTTP request can be scanned by the virus scanner for malicious code

Disadvantages:

  • The remote peer's network only sees the IP address of the proxy.
  • If rule routes and/or source routes exist for the network, the HTTP proxy is also affected by them
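
The following added example (not part of the original article and not Securepoint code) models both scenarios to show which source address the remote side sees and whether the request matches the phase 2 subnets of the tunnel. Assumptions: the subnets, client, server and external address are constructed lab values, an Exclude match is taken to override an Include match, and a proxy without an outbound IP is taken to send from the firewall's external address; only 192.168.112.1 is the article's own value.

```python
from ipaddress import ip_address, ip_network

# Constructed lab values; only the outbound IP 192.168.112.1 is the article's example.
PHASE2_LOCAL = ip_network("192.168.112.0/24")   # assumed local phase 2 subnet
PHASE2_REMOTE = ip_network("10.20.0.0/24")      # assumed remote phase 2 subnet
EXTERNAL_IP = ip_address("203.0.113.10")        # assumed proxy source when no outbound IP is set
CLIENT, SERVER = "192.168.112.50", "10.20.0.80"


def rule(proto, kind, dst):
    """Build a transparent rule whose source is the internal network."""
    return {"proto": proto, "type": kind, "src": PHASE2_LOCAL, "dst": ip_network(dst)}


def intercepted(proto, src, dst, rules):
    """Simplified model: a matching Exclude overrides any matching Include."""
    hits = {r["type"] for r in rules
            if r["proto"] == proto
            and ip_address(src) in r["src"] and ip_address(dst) in r["dst"]}
    return "include" in hits and "exclude" not in hits


def evaluate(proto, client, server, rules, outbound_ip=None):
    """Return the source address the remote side sees, whether source and
    destination match the phase 2 subnets, and whether the proxy handled it."""
    via_proxy = intercepted(proto, client, server, rules)
    if via_proxy:
        source = ip_address(outbound_ip) if outbound_ip else EXTERNAL_IP
    else:
        source = ip_address(client)
    in_tunnel = source in PHASE2_LOCAL and ip_address(server) in PHASE2_REMOTE
    return {"source": str(source), "in_tunnel": in_tunnel, "via_proxy": via_proxy}


INCLUDE_ALL = [rule("HTTP", "include", "0.0.0.0/0"), rule("HTTPS", "include", "0.0.0.0/0")]
HTTP_EXCLUDE = INCLUDE_ALL + [rule("HTTP", "exclude", str(PHASE2_REMOTE))]

if __name__ == "__main__":
    cases = [
        ("no change", "HTTP", INCLUDE_ALL, None),
        ("scenario 1", "HTTP", HTTP_EXCLUDE, None),
        ("scenario 1, HTTPS exclude missing", "HTTPS", HTTP_EXCLUDE, None),
        ("scenario 2", "HTTPS", INCLUDE_ALL, "192.168.112.1"),
    ]
    for name, proto, rules, out_ip in cases:
        print(f"{name:36} {evaluate(proto, CLIENT, SERVER, rules, out_ip)}")
```

Requests marked `via_proxy` are the only ones the proxy's virus scanner can inspect, which is the trade-off listed for scenario 1.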