
Secure FTP with SSL VPN

First of all, you need a valid license for the Airlock SSL VPN Module. For a trial license, contact airlock-sales@ergon.ch.
For improved security, you should preauthenticate all FTP users, either with your own authentication service or with the Standard Airlock Authentication Service (sold separately).

FTP through an SSL VPN tunnel is only possible with passive FTP. For our setup we will use FileZilla FTP Server in the current version, 0.9.40.

Setup and configure FileZilla Server

Setup Airlock SSL VPN

  • open the Airlock Configuration Center and select "Application Firewall" > "SSL VPN"
  • select "ON" to enable the SSL VPN configuration page
  • choose an Interface and bind an IP address and a port to it
    Note: When you connect from a location where the outgoing ports are controlled by a firewall, you may need to use a common port like 443 to be able to reach your SSL VPN Endpoint. If you use the same IP on a Virtual Host, you may already have assigned this port there!
  • also select the corresponding certificate
    Note: For test purposes you can continue with the default "test.certificate".
  • below add the following two channels:

    Channel1:

    Channel name = FTP_command
    Authorized roles = ftp
    Note: For test purposes, or if you don't want to preauthenticate the users, just leave this field empty.
    Client IP:Port = 127.0.0.1:21
    Back-end IP:Port = <IP or hostname of your FTP Server>:21

    Channel2:

    Channel name = FTP_data
    Authorized roles = ftp
    Note: For test purposes, or if you don't want to preauthenticate the users, just leave this field empty.
    Client IP:Port = 127.0.0.1:<port you configured on the FTP Server for passive FTP>
    Back-end IP:Port = <IP or hostname of your FTP Server>:<port you configured on the FTP Server for passive FTP>

SSL VPN Applet settings

  • download the SSL VPN Module from here
  • deploy it via Airlock Configuration Center "Expert Settings" > "Add-on Modules" to the onboard Tomcat server
  • for further configuration instructions consult the SSL VPN manual found in the SSL VPN Module ZIP file or download the manual from here

Attention: Don't forget to configure the right endpoint in the index.html file as described in the manual, e.g.
<param name="SslVpnEndpoint" value="192.168.50.187:443">

Virtual Host

  • on the Airlock Configuration Center under "Application Firewall" > "Reverse Proxy" add a new "Virtual Host" with, e.g., the following settings


  • also select the corresponding certificate
    Note: For test purposes you can continue with the default "test.certificate".
  • if you want to redirect all users who connect with http to a https connection, add the following "Path Redirect" under "Advanced":
    Redirect path: [http]/(.*)
    Redirect destination: https://192.168.50.186/$1

SSL VPN Mappings

  • on the Airlock Configuration Center under "Application Firewall" > "Reverse Proxy" add a new mapping by clicking the "+"
  • on the "Mapping Templates" popup select "SSL VPN"
  • the two mappings "SSL_VPN" and "SSL_VPN-CFG" should be created and connected to the Back-end Group "Local_Add-on_Modules"
  • enter "sslvpn" as "Restricted to roles"
    Note: For test purposes, or if you don't want to preauthenticate the users, just leave this field empty.
  • connect the mappings with the corresponding "Virtual Host"

If you don't want to preauthenticate the users, the whole setup is done and you can now activate and test the new configuration. In this case, skip the next two Authentication steps and continue with the last step, see section "Test".

Authentication

If you have a license of the Airlock Authentication Service, you can configure the following test/demo authentication:
Attention: The following authentication settings should only be used for test and/or demonstration purposes. Every input for username and password leads to a successful authentication.

For a productive environment, you should authenticate against LDAP, RADIUS or any other supported user directory.

Configure the authentication.properties file:

  • download the Airlock Authentication Service from here
  • extract the auth.war file from the downloaded ZIP file and open it with WinRAR or any other compatible archive tool
  • edit the file authenticator.properties found in WEB-INF/classes/ inside the auth.war
  • configure the Authentication Service so that every FTP user gets the credentials "ftp" and "sslvpn", i.e. add/change the following settings:
    20.action=setControlCookie
    20.command=SET_CREDENTIALS
    20.value=ftp:600,sslvpn:600
  • go to the Airlock Configuration Center "Expert Settings" > "Add-on Modules", the Tomcat manager will be opened
  • upload the auth.war in the section "WAR file to deploy"

Authentication Mapping

  • on the Airlock Configuration Center under "Application Firewall" > "Reverse Proxy" add a new mapping by clicking the "+"
  • on the "Mapping Templates" popup select "Authentication Service"
  • the mapping "Authentication" should be created and connected to the Back-end Group "Local_Add-on_Modules"
  • connect the mappings with the corresponding "Virtual Host"

Test

Open the domain or IP of the Virtual Host in your web browser. If you decided to use preauthentication on Airlock, the login screen should be displayed. Log in with any username and password. After login the SSL VPN applet should be loaded.
Open the FileZilla FTP Client and connect to "localhost" (use port 21). Use the username and password that were configured on the FileZilla FTP Server at the beginning of this tutorial.
Verify that traffic is sent over both SSL VPN channels, to be sure you are connected through Airlock.
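The following script is an added example for this test step; it is not part of the Airlock article, of Ergon's tooling or of FileZilla. In passive FTP the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply names the address and port the client will open the data connection to, so the data connection only stays inside the tunnel when that reply points at the client-side endpoint of the FTP_data channel (127.0.0.1 and the passive port configured on the FileZilla server). The script connects through the FTP_command channel, asks for a passive endpoint and checks the reply against the FTP_data channel; the passive port 50000, the sample replies and the helper names are assumptions made for this example.

```python
import re
import socket
from ftplib import FTP

# Constructed for this example: client-side endpoints of the two SSL VPN channels
# from the article. PASSIVE_PORT is a placeholder; use the passive port you
# configured on the FileZilla FTP Server (and in the FTP_data channel).
TUNNEL_HOST = "127.0.0.1"
COMMAND_PORT = 21
PASSIVE_PORT = 50000

# RFC 959 passive-mode reply: "227 ... (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
PASV_RE = re.compile(r"227[^\d]*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply, or raise ValueError for any other reply."""
    match = PASV_RE.search(reply)
    if not match:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = match.groups()
    host = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return host, port


def check_data_endpoint(host, port, tunnel_host=TUNNEL_HOST, passive_port=PASSIVE_PORT):
    """Return (ok, reason). ok is True only if the advertised data endpoint is the
    client-side end of the FTP_data channel, i.e. the data connection stays tunnelled."""
    if host != tunnel_host:
        return False, ("server advertised %s; the data connection would be opened "
                       "outside the SSL VPN tunnel" % host)
    if port != passive_port:
        return False, ("server advertised port %d, but the FTP_data channel is bound "
                       "to port %d; the data connection will fail or leave the tunnel"
                       % (port, passive_port))
    return True, "data connection stays on %s:%d (FTP_data channel)" % (host, port)


def check_reply(reply, tunnel_host=TUNNEL_HOST, passive_port=PASSIVE_PORT):
    """Convenience wrapper: parse a raw 227 reply and check it in one call."""
    host, port = parse_pasv(reply)
    return check_data_endpoint(host, port, tunnel_host, passive_port)


def verify_tunnelled_session(user, password, tunnel_host=TUNNEL_HOST,
                             command_port=COMMAND_PORT, passive_port=PASSIVE_PORT):
    """Live check (needs the SSL VPN applet running): log in through the FTP_command
    channel, request a passive endpoint and confirm it matches the FTP_data channel.
    If it does, open the data socket once so the FTP_data channel is exercised too."""
    ftp = FTP()
    ftp.connect(tunnel_host, command_port, timeout=10)
    ftp.login(user, password)
    ftp.set_pasv(True)
    reply = ftp.sendcmd("PASV")          # raw reply; checked before any data transfer
    ok, reason = check_reply(reply, tunnel_host, passive_port)
    if ok:
        with socket.create_connection((tunnel_host, passive_port), timeout=10):
            pass                          # connection accepted: FTP_data channel is open
    ftp.quit()
    return ok, reason


if __name__ == "__main__":
    # Constructed sample replies, no server needed.
    for sample in ("227 Entering Passive Mode (127,0,0,1,195,80)",
                   "227 Entering Passive Mode (192,168,50,190,195,80)",
                   "227 Entering Passive Mode (127,0,0,1,195,81)"):
        print(sample, "->", check_reply(sample))
```

Run it without arguments to see the three constructed replies evaluated; call verify_tunnelled_session("user", "password") while the applet is running to check the real session. A reply that names the FTP server's own address rather than 127.0.0.1 means the FileZilla passive-mode settings (or the client's handling of the PASV address) still need attention, because the data connection would then not pass through Airlock.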
