
notes and SSL VPN from cyberoam

Category inotes
Hi all,

I am trying to deploy lotus inotes to my users.

So we used a cyberoam ssl vpn that does redirection to lotus inotes (iwaredir).

The cyberoam ssl vpn does work well and shows me my server redirection: http://192.168.x.x which is the lotus domino server with inotes.

In inotes web redirect (iwaredir.nsf), we set the redirection to resolved and set the servername to http://192.168.x.x

If I try this locally, everything is working: http://192.168.x.x shows me the iwaredir.nsf redirection, then my mailbox. (We are using a web site rule to map 192.168.x.x to 192.168.x.x/iwaredir.nsf)

If I try this through the ssl vpn, the cyberoam rewrites the url to something like: https://server.cyberoam.name/corporate/CRSSL/http/192.168.x.x/iwaredir.nsf

and the iwaredir.nsf shows well, then... a blank page when it has to load: https://server.cyberoam.name/corporate/CRSSL/http/192.168.x.x/mail/mymail.nsf?OpenDatabase.

But this is not really a blank page. If I look in the source of the page, there is some code in it with a lot of url rewriting.

I do not really know what to set to make it work with ssl vpn.

It seems that inotes does not like url rewriting.

Maybe there is a configuration to do for proxy redirection on inotes...

Comments

1 - Why proxy Inotes with your VPN? I have a similar config, but we use Citrix Access Gateway. I'd just set up a reverse proxy (I used apache) and allow clients to access it directly via ssl.

2 - Looks to me that this could be an authentication problem that you are facing.

Is that server configured with LTPA?

If so, check if there is anything going on during the request of the mailbox.

Use these debug settings in the server ini

debug_sso_trace_level=3

just my two cents

3 - Might have something to do with enhanced Inotes security in 8.5.1 fp1 (checks for an "approved" http referer), but most likely the http rewrite causes problems anyway.

My situation: On a Cisco ASA SSL VPN INotes displayed, but random errors occurred (no body, missing from/to).
We had to use "smart tunneling" and not ordinary http to get Inotes to work (regular Notes app with std HTML/JavaScript/CSS was not a problem).

Check if your firewall/VPN has similar functionality to Cisco's "smart tunneling".

4 - Hi all.

Thanks for the help.

We use an ssl vpn because it was more simple to configure. And an apache reverse proxy could be killed with a simple command line in a few seconds (slowloris).

We do not want to expose the domino server to the internet, so we use an ssl vpn.

I will try the debug sso trace. Thanks.

For smart tunneling, I do not know, but I cannot remember having seen it.

For the approved http referer, I already put that in notes.ini with no changes:
iNotes_WA_Security_RefererCheck=0

The redirection is working perfectly on the local lan.
This is just this crappy ssl vpn that is doing url rewriting, to my mind, and inotes does not like it.

Thanks again for the help, I will try.

5 - Hi all.

I tested the debug sso trace but nothing more. No logs, no warning...

There is no smart tunneling on the cyberoam, only split tunneling or full tunneling; I do not know what it does.

One thing I noticed:
in the source code of the blank page generated after the connection, there is this entry:
window.EFp='"/corporate/CRSSL/http/webserver/iNotes/Forms85.nsf/iNotes/Proxy/.....

To my mind, the cyberoam rewriting is corrupting the web redirect of inotes and generates a wrong url.

Maybe we can configure this somewhere, but I do not know where.
