We forward the thick client through the SSL tunnel with encryption in accordance with GOST
- Tutorial
Hello, Khabrovchans! 
Today we want to talk about the benefits of SSL VPN technology and the practice of working with the Stonesoft SSL gateway. The article will describe the configuration of this solution for forwarding a fat client (using the example of 1C Accounting well known to many) through the HTTPS protocol using GOST encryption algorithms. This will allow our beloved chief accountant to work remotely with the 1C database via an encrypted channel directly from the dacha, we can quickly connect a couple of hundreds of small offices scattered throughout the country to the system, and our organization can fulfill the requirements of the legislation on protection of, for example, personal data.
The article describes a way to securely publish client-server applications via the Web, guided by which, you can organize remote access to virtually any corporate resource.
So, let's see how SSL VPN can make our life easier and save time and nerves. I see no reason to describe the technology, so as not to bother the advanced reader with dry technical information. You can refresh your knowledge of SSL VPN here . We will dwell on the practice of use and think about why SSL VPN is so good in comparison with the classic IPSec VPN.
The essence of SSL VPN technology is as follows: the client connects via port 443 to the gateway, which in turn initiates a connection to a remote server (in our case, it is 1C), like a proxy server.
Firstly, it is convenient. You can organize access to any service / resource from any user device from any place where there is Internet. No need to install any VPN clients, configure them, as in the case of using IPSec VPN, just enter the address in the browser, authenticate and work. The user will be able to get remote access to the corporate resource even through public or guest Wi-Fi, as Port 443 is open in almost all networks.
Secondly, it is simple. Just for everyone. You don’t have to explain to theaunt accountantto the user that in order to gain access to some resource he needs to find the VPN client icon in the tray, right-click on it, select the gateway address from the list, click “Connect”, enter the login and password (again, hello IPSec VPN). Just for administrators, as no need to give the user a working laptop for business trips with an installed and configured VPN client, antivirus and other corporate software.
Thirdly, it is safe. There are many security mechanisms that an SSL VPN gateway can apply to a client. The two main mechanisms are authentication and encryption. Authentication methods and means can be selected very different: by login / password, RADIUS, certificates, one-time passwords, integration with Active Directory and many others, depending on the chosen SSL VPN solution.
Encryption is also for every taste, it all depends on the vendor. For example, Stonesoft SSL, which we will consider in this article, offers us to choose from the following algorithms: AES, DES, 3DES, RC2, RC4 and, in the Russian version, GOST 28147-89, which is very pleasing to our state. regulators. Since we live in Russia and do not violate the laws, the presence of certificates of conformity of FSTEC and FSB for this product allows us to significantly expand its scope.
You can also highlight such interesting protection mechanisms as checking the end device of a user for compliance with security policy and deleting traces of the session at the end of the connection (cookies, URL history, cache data and temporary files).
The task is as follows: to organize secure access to the 1C server using the HTTPS protocol using GOST encryption from the laptop of an accountant who likes to relax and work in the country. In fact, we will forward a thick 1C client that works on its “ports” (1540 TCP, 1560-1591 TCP), through port 443 TCP.
Below we consider 2 options for connecting through an SSL VPN gateway:
To implement these scenarios, a stand was assembled in the laboratory:
ME stands for emulation of work via the Internet: only port 443 TCP is open on the external interface
and NAT is configured on the SSL VPN gateway interface.
As can be seen from the diagram and rules on the ME, there is no external access to the 1C server (security first!).
I will not describe the process of installing firmware with GOST support on the SSL VPN gateway and its initial configuration, all this can be found on the Internet and guides . So we agree that we have pure Stonesoft SSL with the installed CritiPro CSP crypto libraries, generated keys, imported gateway certificates and a trusted Certification Authority.
Below are the certificates of the Stonesoft SSL gateway and user issued on the test Certification Authority.
SSL VPN Gateway Certificate:
User Certificate:
Configuring SSL VPN Gateway can be divided into the following steps:
Below is a detailed description of the settings with screenshots.
First, configure user authentication. We chose the following scheme: authentication by certificates issued only by trusted CAs without reference to any user repository. Those. if the user has a certificate issued by the CA, which the gateway considers trusted, then the user can authenticate. So, go to https://10.30.0.213:8443/ and get to the administration console of the Stonesoft SSL gateway.
Go to the Manage System - Authentication Methods tab .
Add a new method - click Add Authentication Method ... , select the User Certificate type , give the method a name and select the CA that will be used for this type of authentication.
By default, not every user can authenticate, but only the user whose account is known to the gateway. For our scheme, we need to add a new attribute for the created authentication method: click Add Extended Property ... , select the Allow user not listed in Any User Storage attribute and set the attribute value to true .
That's it, the new authentication method is ready, for applying the changes click the Publish button . This is probably the most important button when working with Stonesoft SSL, do not forget to reap it every time you change something.
Now you need to publish the resource so that it is available to the user on the application portal of the SSL VPN gateway. First, consider Option # 1: 1C-client connects to the 1C server and works with the database in the DBMS.
The process of creating and publishing a resource can be described as follows:
We go to the Manage Resource Access - Tunnel Resources tab , click Add Tunnel Resource Host ... Fill in the resource name, IP address and ports on which we want to access the 1C server.
Now you need to create an item in the application portal. We go to the Manage Resource Access - Tunnel Sets tab , click Add Tunnel Set and fill out the name, select the icon that will be visible to the user (you can choose from ready-made ones or upload your own), in the Link Text field we write the text that will be displayed under the icon.
In the next step, we need to tell the SSL VPN gateway what traffic to wrap in SSL, for this we add a dynamic tunnel, for which we click Add Dynamic Tunnel to the Set ...and from the drop-down list in the Resource field, select the host with the 1C server. All other fields are automatically filled in accordance with the properties of the resource that we have selected.
Now the most crucial moment, you must correctly write the command that will be executed on the client PC, automatically starting the 1C client with the required parameters for connecting to the server. I have it as follows: «the C: \ Program Files \ 1cv8 \ 8.3.1.531 \ bin directory \ 1cv8c.exe» /S«10.30.0.238\1c » . It is worth remembering that if there are several users, then everyone must have the same path to the executable file. If this is not possible for some reason, then the Startup Command field can beleave empty, then 1C client will have to be started manually and specify all parameters after opening the resource on the application portal.
After all the steps, click Publish.
Now we can check what happened. We launch the browser, write in the address bar https://ssl.sglab.ru/ and see a window with a certificate selection.
After authentication, we get to the application portal.
Click on 1C and see how the Access Client loads , the command that we wrote in the Tunnel Set properties is launched and, as a result, the 1C: Enterprise client starts and connects to the server.
At the time of connection, you can look at the logs on the ME and make sure that everything works through HTTPS.
Now let's set up another scenario - the user clicks on the 1C icon on the application portal and gets access to the folder with the database on the 1C server.
We go to the gateway administration console, go to the Manage Resource Access - Standard Resources - File Sharing Resources - Microsoft Windows File Share tab and click Add this Standard Resource .
We fill in the name of the resource, the IP address of the 1C server, the name of the folder with the database to which public access is open, select the icon for the application portal and write the display name.
Actually, that's all. Do not forget to post the changes to the portal.
Now from the client PC we again go to https://ssl.sglab.ru/ and click on the created Base 1C icon .
After which we see the folder with the base 1C.
Further, everything is simple and clear - we add a new infobase in the 1C client, specify the path \\ 10.30.0.238 \ 1cbase and work with it over a secure channel via HTTPS.
Thus, we configured the SSL VPN gateway for remote work with the 1C server in two versions over the channel encrypted by GOST algorithms and allowed our users to work safely with corporate resources through thick clients.
That's not all Stonesoft SSL VPN is capable of. The given configuration will not be difficult to “tune” to your needs.
We hope you find this article useful. In the future, we plan to continue to share our experience in the field of information security with the hawkers. We welcome questions and suggestions in the comments.
Thank you all for your attention!
newmaxidrom
Today we want to talk about the benefits of SSL VPN technology and the practice of working with the Stonesoft SSL gateway. The article will describe the configuration of this solution for forwarding a fat client (using the example of 1C Accounting well known to many) through the HTTPS protocol using GOST encryption algorithms. This will allow our beloved chief accountant to work remotely with the 1C database via an encrypted channel directly from the dacha, we can quickly connect a couple of hundreds of small offices scattered throughout the country to the system, and our organization can fulfill the requirements of the legislation on protection of, for example, personal data.
The article describes a way to securely publish client-server applications via the Web, guided by which, you can organize remote access to virtually any corporate resource.
What is SSL VPN
So, let's see how SSL VPN can make our life easier and save time and nerves. I see no reason to describe the technology, so as not to bother the advanced reader with dry technical information. You can refresh your knowledge of SSL VPN here . We will dwell on the practice of use and think about why SSL VPN is so good in comparison with the classic IPSec VPN.
The essence of SSL VPN technology is as follows: the client connects via port 443 to the gateway, which in turn initiates a connection to a remote server (in our case, it is 1C), like a proxy server.
Firstly, it is convenient. You can organize access to any service / resource from any user device from any place where there is Internet. No need to install any VPN clients, configure them, as in the case of using IPSec VPN, just enter the address in the browser, authenticate and work. The user will be able to get remote access to the corporate resource even through public or guest Wi-Fi, as Port 443 is open in almost all networks.
Secondly, it is simple. Just for everyone. You don’t have to explain to the
Thirdly, it is safe. There are many security mechanisms that an SSL VPN gateway can apply to a client. The two main mechanisms are authentication and encryption. Authentication methods and means can be selected very different: by login / password, RADIUS, certificates, one-time passwords, integration with Active Directory and many others, depending on the chosen SSL VPN solution.
Encryption is also for every taste, it all depends on the vendor. For example, Stonesoft SSL, which we will consider in this article, offers us to choose from the following algorithms: AES, DES, 3DES, RC2, RC4 and, in the Russian version, GOST 28147-89, which is very pleasing to our state. regulators. Since we live in Russia and do not violate the laws, the presence of certificates of conformity of FSTEC and FSB for this product allows us to significantly expand its scope.
You can also highlight such interesting protection mechanisms as checking the end device of a user for compliance with security policy and deleting traces of the session at the end of the connection (cookies, URL history, cache data and temporary files).
What we have and what we want
The task is as follows: to organize secure access to the 1C server using the HTTPS protocol using GOST encryption from the laptop of an accountant who likes to relax and work in the country. In fact, we will forward a thick 1C client that works on its “ports” (1540 TCP, 1560-1591 TCP), through port 443 TCP.
Below we consider 2 options for connecting through an SSL VPN gateway:
- 1C-client works with 1C server on ports 1540 TCP, 1560-1591 TCP, 1C base is stored in the DBMS installed on the same server
- 1C-client works directly with the database, which is located in the shared folder
To implement these scenarios, a stand was assembled in the laboratory:
- Server 1C: Windows Server 2008 R2 x64, MS SQL 2008 R2 Express, 1C 8.3.1.531
- Client: Windows XP SP2, client 1C 8.3.1.531, CryptoPro CSP 3.6
- Firewall (ME): Stonesoft FW / VPN 5.4.3.9685
- SSL VPN gateway: Stonesoft SSL 1.5.200.2002 kc1 GOST, for the client is available at https://ssl.sglab.ru/
- Certification Authority: CryptoPro Test Center
ME stands for emulation of work via the Internet: only port 443 TCP is open on the external interface
and NAT is configured on the SSL VPN gateway interface.
As can be seen from the diagram and rules on the ME, there is no external access to the 1C server (security first!).
Configure SSL VPN
I will not describe the process of installing firmware with GOST support on the SSL VPN gateway and its initial configuration, all this can be found on the Internet and guides . So we agree that we have pure Stonesoft SSL with the installed CritiPro CSP crypto libraries, generated keys, imported gateway certificates and a trusted Certification Authority.
Below are the certificates of the Stonesoft SSL gateway and user issued on the test Certification Authority.
SSL VPN Gateway Certificate:
User Certificate:
Configuring SSL VPN Gateway can be divided into the following steps:
- Configure user authentication
- Publishing resources to the SSL VPN gateway application portal
- Option No. 1: 1C-client works with 1C server on ports 1540 TCP, 1560-1591 TCP
- Create a tunnel resource
- Creating an object in the application portal
- Option number 2: 1C-client works directly with the database, which is located in the shared folder
- Create a standard resource
- Option No. 1: 1C-client works with 1C server on ports 1540 TCP, 1560-1591 TCP
Below is a detailed description of the settings with screenshots.
Configure user authentication
First, configure user authentication. We chose the following scheme: authentication by certificates issued only by trusted CAs without reference to any user repository. Those. if the user has a certificate issued by the CA, which the gateway considers trusted, then the user can authenticate. So, go to https://10.30.0.213:8443/ and get to the administration console of the Stonesoft SSL gateway.
Go to the Manage System - Authentication Methods tab .
Add a new method - click Add Authentication Method ... , select the User Certificate type , give the method a name and select the CA that will be used for this type of authentication.
By default, not every user can authenticate, but only the user whose account is known to the gateway. For our scheme, we need to add a new attribute for the created authentication method: click Add Extended Property ... , select the Allow user not listed in Any User Storage attribute and set the attribute value to true .
That's it, the new authentication method is ready, for applying the changes click the Publish button . This is probably the most important button when working with Stonesoft SSL, do not forget to reap it every time you change something.
Publishing a resource. Option number 1
Now you need to publish the resource so that it is available to the user on the application portal of the SSL VPN gateway. First, consider Option # 1: 1C-client connects to the 1C server and works with the database in the DBMS.
The process of creating and publishing a resource can be described as follows:
- Creating a host (in our case, this is a 1C server)
- Linking to the SSL VPN Gateway Application Portal
We go to the Manage Resource Access - Tunnel Resources tab , click Add Tunnel Resource Host ... Fill in the resource name, IP address and ports on which we want to access the 1C server.
Now you need to create an item in the application portal. We go to the Manage Resource Access - Tunnel Sets tab , click Add Tunnel Set and fill out the name, select the icon that will be visible to the user (you can choose from ready-made ones or upload your own), in the Link Text field we write the text that will be displayed under the icon.
In the next step, we need to tell the SSL VPN gateway what traffic to wrap in SSL, for this we add a dynamic tunnel, for which we click Add Dynamic Tunnel to the Set ...and from the drop-down list in the Resource field, select the host with the 1C server. All other fields are automatically filled in accordance with the properties of the resource that we have selected.
Now the most crucial moment, you must correctly write the command that will be executed on the client PC, automatically starting the 1C client with the required parameters for connecting to the server. I have it as follows: «the C: \ Program Files \ 1cv8 \ 8.3.1.531 \ bin directory \ 1cv8c.exe» /S«10.30.0.238\1c » . It is worth remembering that if there are several users, then everyone must have the same path to the executable file. If this is not possible for some reason, then the Startup Command field can beleave empty, then 1C client will have to be started manually and specify all parameters after opening the resource on the application portal.
After all the steps, click Publish.
Now we can check what happened. We launch the browser, write in the address bar https://ssl.sglab.ru/ and see a window with a certificate selection.
After authentication, we get to the application portal.
Click on 1C and see how the Access Client loads , the command that we wrote in the Tunnel Set properties is launched and, as a result, the 1C: Enterprise client starts and connects to the server.
At the time of connection, you can look at the logs on the ME and make sure that everything works through HTTPS.
Publishing a resource. Option number 2
Now let's set up another scenario - the user clicks on the 1C icon on the application portal and gets access to the folder with the database on the 1C server.
We go to the gateway administration console, go to the Manage Resource Access - Standard Resources - File Sharing Resources - Microsoft Windows File Share tab and click Add this Standard Resource .
We fill in the name of the resource, the IP address of the 1C server, the name of the folder with the database to which public access is open, select the icon for the application portal and write the display name.
Actually, that's all. Do not forget to post the changes to the portal.
Now from the client PC we again go to https://ssl.sglab.ru/ and click on the created Base 1C icon .
After which we see the folder with the base 1C.
Further, everything is simple and clear - we add a new infobase in the 1C client, specify the path \\ 10.30.0.238 \ 1cbase and work with it over a secure channel via HTTPS.
Conclusion
Thus, we configured the SSL VPN gateway for remote work with the 1C server in two versions over the channel encrypted by GOST algorithms and allowed our users to work safely with corporate resources through thick clients.
That's not all Stonesoft SSL VPN is capable of. The given configuration will not be difficult to “tune” to your needs.
We hope you find this article useful. In the future, we plan to continue to share our experience in the field of information security with the hawkers. We welcome questions and suggestions in the comments.
Thank you all for your attention!
newmaxidrom