v-one and proxy servers - is it possible?
From: Henchey, Jean (jeannie_at_mitre.org)
Date: 07/03/03
- Previous message: wailakig: "Re: Sonicwall Remote Admin Question"
- Next in thread: Henchey, Jean: "Re: v-one and proxy servers - is it possible?"
- Reply: Henchey, Jean: "Re: v-one and proxy servers - is it possible?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 03 Jul 2003 17:23:48 -0400
Hello -- Is it possible to do this with an HTTP/HTTPS proxy? I'll do my
best to explain...
I'm working on a project to connect remote users, via v-one, through a
private proxy server to a peer network, to webservers (http and https
service). The v-one piece currently exists.
A remote user is on his home network and wants to use http and https
servers that may ONLY be accessed through a proxy server. The remote
user connects to the Internet via an ISP and v-one. The user will
access a webserver that uses http (welcome pages) and https (web-based
applications). Users primarily need an https tunnel from their home
workstation to the target webserver. This proxy server functions as a
boundary protection device between two peer networks (acme.com and
foo.com). Foo.com controls the LDAP server that allows acme.com users
into their network. No IP flow is permitted through the proxy server,
so it should allow GET and CONNECT requests to pass through.
The remote user authenticates, gets his ACL, and joins his corporate
network (acme.com). He is permitted to communicate with the netscape
proxy server. The user starts his browser and types
http://www.foo.com/. The interconnect looks like this.
user on remote network ->
v-one ->
corporate intranet (acme.com) ->
netscape proxy server (+ ldap authentication) ->
a separate, private intranet (pass port 80 or 443) ->
distant webserver (http and https to www.foo.com)
Here's the catch: The separate, private intranet (foo.com) does not
want to reveal its internal addressing scheme, domain information, or
anything to acme.com. All the traffic intending to pass through the
netscape proxy server should only be checked against the hostname or IP
in the URL. There is _no need_ to validate any information in the URL
to v-one. There is _no need_ to check the URL hostname/ip information
against any source like DNS or /etc/hosts.
The user has permission to access the netscape proxy server's IP address
in his ACL (thanks to the v-one machinery on the acme.com network).
The netscape proxy server can handle http proxy, https tunnel, and https
reverse proxy configurations. This proxy server uses an ldap server,
also in the dmz, to authenticate users' connections from acme.com to
foo.com.
My understanding is that v-one routes network traffic.
I've also read that v-one is not an application-layer architecture. If
this is the case, then the idea of using v-one to connect from home into
the separate, private intranet webserver is impossible.
Is there any way -- maybe with an add-on product?? -- to allow users
into the distant webserver?
Thank you very much for taking the time to read this post. I'm really
stuck and appreciate your help.
Jean
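The post describes a proxy that should pass only GET and CONNECT requests and decide on the hostname or IP in the request itself, without consulting DNS or /etc/hosts. As an added illustration (not code from the original post or from any of the products named), here is a small request-line authorizer in that spirit: it parses the two proxy request forms a browser sends (absolute-URI GET for http, authority-form CONNECT for https), extracts the target host without resolving it, and checks it against an allowlist. The hostnames and ports in `ALLOWED_HOSTS` and `ALLOWED_PORTS` are constructed for the example, and the sample request lines at the bottom are likewise made up.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the only hosts acme.com users may
# reach through the proxy, matched as strings (never resolved via DNS).
ALLOWED_HOSTS = {"www.foo.com"}
# Which port each method may target: plain http as GET, https as CONNECT.
ALLOWED_PORTS = {"GET": 80, "CONNECT": 443}


def parse_proxy_request(request_line):
    """Parse a proxy-form HTTP request line into (method, host, port).

    Returns None for anything that is not a well-formed GET absolute-URI
    request or CONNECT authority-form request.  No name lookup is done.
    """
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts

    if method == "CONNECT":
        # authority-form: host:port, port mandatory (e.g. www.foo.com:443)
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            return None
        if host.startswith("[") and host.endswith("]"):
            host = host[1:-1]  # strip IPv6 literal brackets
        return method, host.lower(), int(port)

    if method == "GET":
        # absolute-form: http://host[:port]/path ; https never arrives as GET
        url = urlsplit(target)
        if url.scheme != "http" or not url.hostname:
            return None
        try:
            # .hostname ignores any user@ prefix, so http://www.foo.com@evil/
            # is correctly seen as a request for "evil", not "www.foo.com".
            port = url.port or 80
        except ValueError:
            return None  # non-numeric port in the URL
        return method, url.hostname, port

    return None  # any other method (POST, PUT, ...) is not passed through


def authorize(request_line):
    """Return (allowed, reason) for one proxy request line."""
    parsed = parse_proxy_request(request_line)
    if parsed is None:
        return False, "malformed or unsupported request"
    method, host, port = parsed
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    if port != ALLOWED_PORTS[method]:
        return False, f"{method} to port {port} not permitted"
    return True, f"{method} {host}:{port}"


if __name__ == "__main__":
    # Constructed sample request lines as a browser would send them to a proxy.
    for line in (
        "GET http://www.foo.com/ HTTP/1.1",
        "CONNECT www.foo.com:443 HTTP/1.1",
        "CONNECT www.foo.com:22 HTTP/1.1",
        "GET http://www.foo.com@evil.example/ HTTP/1.1",
        "POST http://www.foo.com/ HTTP/1.1",
    ):
        allowed, reason = authorize(line)
        print("ALLOW" if allowed else "DENY ", line, "->", reason)
```

The decision here is made entirely from the request line, which is what the post asks for; forwarding an allowed request onward (for example to a parent proxy on the foo.com side, so that foo.com's internal addressing is never exposed to acme.com) is left out of the example.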