  1. #1

    ePortal and reverse proxy (Sonicwall SSLVPN)

    Hi all, happy new year

    Is anyone here using ePortal with a reverse proxy? We've been doing so through a Sonicwall SSL-VPN appliance quite happily up until now, but after updating to the latest version of ePortal it just won't display right. The page layout is kind of jumbled up. Connecting straight to the ePortal web server works fine, however, so it's not an installation issue.

    Does anyone have any ideas?

  2. #2

    Michael
    Do you really need to use a reverse proxy? Officially I believe the supported browsers are a bit of a mixed bag, as IE7 is supported, but not IE8 or FF3.5, yet in my experience it works fine in all three.

    Have you raised a support request?

  3. #3

    The reverse proxy is kind of an additional security layer for people accessing remotely. It forces ePortal through an SSL connection and will only allow access if an authorised AD account is used. People connecting from inside the school network access the ePortal server directly, which works fine.

    I haven't logged a support request because it isn't really an ePortal fault. Although the problem was caused by something changed in the latest version, ePortal still works if used in the way that is intended.

  4. #4

    m25man
    Have you looked at using the Application Offloading feature?
    This is a simple way of "Bypassing" the reverse proxy function.
    By using the header information the SSL-VPN can simply pass thru your request directly to the backend server. A bit like port forwarding but without changing the ports!

    Say your SSL-VPN was sslvpn.myschool.co.uk, you set up an application forward to eportal.myschool.co.uk using HTTP/HTTPS.

    The SSL-VPN will either service the login or pass it through to the target server.

    Useful for tunneling iPhones through your Sonicwall to your Exchange box when you only have a single IP from your Grid Provider.

    I'm not saying it will work with all backend servers, but it works with Exchange 2003 and Sharepoint, and Sonicwall say 2007/2010 support will come soon.

  5. #5

    powdarrmonkey
    I don't reverse proxy, just reverse NAT and enable SSL enforcement.

  6. #6

    m25man
    Originally posted by powdarrmonkey:
    "I don't reverse proxy, just reverse NAT and enable SSL enforcement."

    Does this not expose your ePortal server directly to your public IP address?
    Sure, SSL will keep the login and traffic encrypted, but are your external users authenticating with AD or ePortal?
    If this is hosted on a LAN side web server (even through NAT) should you not be providing two-factor authentication or be IPsec'ing your external clients?

    As NUTSO says, the SSL-VPN appliances sit between the target server and the user and allow additional policies to be applied, such as browser type, source addressing etc., as well as RADIUS integration or RSA keys.

    Surely using just reverse NAT and SSL might be fine if you can trust the machine that the client is accessing from?
    What if the remote client uses a compromised public PC to access your EPortal from?
    (I recently saw complimentary Internet cafe PCs in a popular hotel chain had been fitted with USB keylogging devices!) Public PCs should not be trusted for any purpose that requires a password to be entered!

    I can understand using simple security on stuff that has no alternative, such as OWA, especially in this "I must have it now from anywhere" society, but on the school's MIS is this enough?

    Whilst reverse NAT is a neat way to hook up the XBOX or Homeserver through your home ADSL to allow securish access to these devices, they are not likely to contain sensitive data belonging to others, which is what the MIS system is likely to hold.

    Don't get me wrong, what you are doing works and there are worse ways of doing it but I'm just wondering if it's enough in a public sector environment?
