SSL WEB Application

Raf
Raf Posts: 2
edited April 2021 in Security
Hello!
I have a USG40 behind a NATed router on my WAN with IP 192.168.100.1
I have moved https from port 443 to 44443 to have less "noise" in the log file :)
I have a Tomcat server on my LAN1 side: http://192.168.10.20:9099/csa/
I have configured the SSL Application with these parameters:
Server Type: "Web Server"
Name: "MYTomcatApp"
Entry Point: "/csa/"
I have also tried omitting the optional entry point, BUT when I connect with an SSL VPN user and start "MYTomcatApp", I obtain this result (from ANY browser):

Bad Gateway

The proxy server received an invalid response from an upstream server.

Additionally, a 400 Bad Request error was encountered while trying to use an ErrorDocument to handle the request.

In the log file I see only this:

7    2019-04-26 11:18:13  info    SSL VPN        web application MYTomcatApp has been accessed. sent=958 rcvd=141 [count=4]
   
8    2019-04-26 11:17:54    info    SSL VPN        User user1 has accessed web application MYTomcatApp [count=2]


What am I missing in the configuration?
I also tried with other web servers on my LAN, but with the same results.
Thank you in advance












All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    edited April 2019
    Hi @Raf
    Your configuration should be correct.
    To resolve this issue, I will send you a private message to get more detailed information.
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @Raf

    The reverse proxy mode is coded in Java. Since Java has some security concerns, many browsers may not support it any more.

    We would like to suggest you use full tunnel mode (SecuExtender) for this scenario.

  • Raf
    Raf Posts: 2
    Yes, I do.
    Thanks
    Raffaele
  • Hi,

    We are currently facing the same problem but we can't solve it. Can you please tell us the procedure?


    Thank you 

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,026  Zyxel Employee

    Hi @ADIATIC

     

    As @Zyxel_Stanley previously mentioned:


    We would like to suggest you use full tunnel mode(SecuExtender) for this scenario.

    By using SecuExtender, you can build a tunnel to the device and then log in to your server.

    Here are the steps to set up SSL VPN on the USG with SecuExtender to log in.

    Go to Configuration > VPN > SSL VPN > Access Privilege > Add SSL VPN rule

    Add user for SSL VPN 

    Add IP range for SSL VPN

    Select User/Group 

    Enable Full Tunnel Mode for SSLVPN tunnel

    Assign IP Pool for SSL VPN rule

    Select the Network to allow user to access.

    Test result


  • SyoSilIT
    SyoSilIT Posts: 3
    edited August 2020
    Thanks, I already got SecuExtender to work 100%, but I thought the idea for SSL applications was that you could add a user in the router to access an internal website without the SecuExtender. For instance, allow a client to access a bug tracking system internal to your network...?

    Thanks, JSA
  • Zyxel_Emily
    Zyxel_Emily Posts: 1,278  Zyxel Employee
    If you're using SecuExtender (full tunnel mode) to establish an SSL VPN to the USG/ZyWALL, you don't need to configure an SSL application.
  • SyoSilIT
    SyoSilIT Posts: 3
    edited February 2021
    Agreed, but maybe I am on a computer where I cannot run the full SSL VPN application; then this feature would be very handy. In the scenario that I am in, I cannot run the SSL VPN in full tunnel mode or do SSH or anything. This feature would solve my problems, but it seems like it has been left behind for years and has not been updated to meet the standards of current browsers. Why not just remove it?
  • Zyxel_Vic
    Zyxel_Vic Posts: 281  Zyxel Employee
    Hi @SyoSilIT
    Thanks for your suggestion, and yes, we're considering the same idea since it is deprecated nowadays.
