Trusted Contributor
stine
Posts: 437
Registered: ‎05-05-2008

Re: Discussion on change url possibilities

In your example, you used =cvs. If the user shouldn't have access to this resource, you should block it. If they do have access to it, why should it matter if they bookmark it using the non-obfuscated path? If it's because you reserve the right to change the url every two weeks and are tired of having to update your users' bookmarks, then you have a user problem.

I had a similar issue.  I sent my users a link to the signin page and some of them opened the url...and then bookmarked it, meaning that their computer now had /dana-na/url_4......  and when I made changes, the url changed to url_5  and their bookmarks were no longer valid, even though the url in my original email remained valid.

Theodore E Van Iderstine
Stream Networks
+1 678 373 4200 x125
JNCIA-ER (expired), JNCIA-SSL (ditto)
Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Discussion on change url possibilities

The users are not changing the links; they are changing a value in their address bar.

While I understand what you are saying, there is currently no way to do this. The appliance is for secure access to the network & resources you define. It is not possible to control the browser; the SA system is not a new browser but a secure access gateway. I think the idea is great, but not something it does at this time.
Contributor
minifig
Posts: 10
Registered: ‎04-19-2012

Re: Discussion on change url possibilities



stine wrote:

In your example, you used =cvs. If the user shouldn't have access to this resource, you should block it. If they do have access to it, why should it matter if they bookmark it using the non-obfuscated path? If it's because you reserve the right to change the url every two weeks and are tired of having to update your users' bookmarks, then you have a user problem.


Actually: I stumbled upon the fact that a user can change this value in the address bar and get somewhere. A value that they themselves should not be able to guess. I did not expect that an SA would allow this.
But I agree: blocking what they should not be able to see is best because they could get to the same place by following the links on other pages.
Contributor
minifig
Posts: 10
Registered: ‎04-19-2012

Re: Discussion on change url possibilities


zanyterp wrote:
The users are not changing the links; they are changing a value in their address bar.

While I understand what you are saying, there is currently no way to do this. The appliance is for secure access to the network & resources you define. It is not possible to control the browser; the SA system is not a new browser but a secure access gateway. I think the idea is great, but not something it does at this time.

Controlling the browser is not necessary. Controlling what is accepted in the SA is better.

Maybe something for a future version then.

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Discussion on change url possibilities

The control through the SA is the ACL; anything else is browser control.
However, it is an interesting idea that you can work with your SE about a feature enhancement.
Contributor
minifig
Posts: 10
Registered: ‎04-19-2012

Re: Discussion on change url possibilities


df wrote:

It's no different than giving a link to a file share in Windows Explorer. I can change the folder names in there, and if you don't control it with ACLs, then they will have access to everything.


I've been thinking about the analogy with the file shares:

- suppose you create a share on a server: \\server\share.

- a normal user (not an administrator) changes the given share to \\server\users in Windows Explorer.

- what would you expect Windows to do?

     1) grant access to the folder 'users' on the server with the ACLs you've set on the users folder? Even if the share \\server\users does not exist?

     2) Do not grant access at all.

Option 1 is what happens on the SA. Option 2 is what Windows does.

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Discussion on change url possibilities


minifig wrote:

df wrote:

It's no different than giving a link to a file share in Windows Explorer. I can change the folder names in there, and if you don't control it with ACLs, then they will have access to everything.


I've been thinking about the analogy with the file shares:

- suppose you create a share on a server: \\server\share.

- a normal user (not an administrator) changes the given share to \\server\users in Windows Explorer.

- what would you expect Windows to do?

     1) grant access to the folder 'users' on the server with the ACLs you've set on the users folder? Even if the share \\server\users does not exist?

     2) Do not grant access at all.

Option 1 is what happens on the SA. Option 2 is what Windows does.



Unless you have an ACL allowing it, the same will happen on the SA and deny access, as it should as you have not given permission for that new location to be seen. Explorer/Windows _does not_ prevent the user from trying to connect to a different location in the address bar.

Contributor
minifig
Posts: 10
Registered: ‎04-19-2012

Re: Discussion on change url possibilities


zanyterp wrote:

minifig wrote:

df wrote:

It's no different than giving a link to a file share in Windows Explorer. I can change the folder names in there, and if you don't control it with ACLs, then they will have access to everything.


I've been thinking about the analogy with the file shares:

- suppose you create a share on a server: \\server\share.

- a normal user (not an administrator) changes the given share to \\server\users in Windows Explorer.

- what would you expect Windows to do?

     1) grant access to the folder 'users' on the server with the ACLs you've set on the users folder? Even if the share \\server\users does not exist?

     2) Do not grant access at all.

Option 1 is what happens on the SA. Option 2 is what Windows does.



Unless you have an ACL allowing it, the same will happen on the SA and deny access, as it should as you have not given permission for that new location to be seen. Explorer/Windows _does not_ prevent the user from trying to connect to a different location in the address bar.


Well, the SA does allow access (see first post).

And the Explorer does not prevent the user from trying to change the location, but the server who holds the share does. You absolutely cannot access a directory on a server that's not shared. The SA allows you to get to websites that you did not define as bookmarks.

Moderator
zanyterp
Posts: 2,317
Registered: ‎11-19-2007

Re: Discussion on change url possibilities

I have not seen Explorer be able to prevent a user from using the address bar to attempt changing where they are connected against and apologize for that; the only behavior I have seen is the same as the SA: the user can type whatever they want in the address bar; the ACL on the server then determines if access should be allowed or not.

The bookmarks are just that: shortcut links to internal resources. If the user knows how to try and access other URLs by manipulating something external to the SA system, the browser address bar, there is nothing to restrict them from trying. The ACL you configure on the unit will do the actual allow or deny.

Back to the Windows analogy, you can access locations that are not shared by using the hidden link on the <x> drive (e.g. C$, D$, Z$). If the user knows the full internal path, they can type it in the address bar in Explorer and connect. The server ACLs will then allow or deny access.

That is an interesting point on that the IVE allows non-bookmark access (same as the hidden share path access in Windows) and might be something that you should bring up with your account team to have an option created to enforce bookmark-only access. I do not know the feasibility of this as there are items that rely on external manipulation of the URLs... but if this option was created, it would require specific enablement. I cannot think of a way that this could be done, but that does not mean it can't; only that I cannot, at this time, visualize a way that would allow this type of functionality.

In any event, the ACL for web access should restrict access only to where you want users to connect, regardless of how the user attempts to connect.
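
The point made in this thread, that bookmarks are only shortcuts and the resource ACL makes the actual allow or deny decision, modelled as an added example (not part of any post and not the appliance's own code). The host names and the rule format are constructed for illustration.

```python
import posixpath
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample data: host names and the (action, host, path) rule
# format are hypothetical, not the appliance's own policy syntax.
BOOKMARKS = {"wiki": "http://wiki.corp.example/start"}
PERMISSIVE_ACL = [("allow", "*", "*")]  # bookmarks are the only "control"
TIGHT_ACL = [
    ("deny", "wiki.corp.example", "/admin/*"),
    ("allow", "wiki.corp.example", "/*"),
]  # anything not matched falls through to the default deny


def _norm(path):
    """Collapse dot segments so /public/../admin/x is matched as /admin/x."""
    tail = "/" if path.endswith("/") else ""
    clean = "/" + posixpath.normpath(path or "/").lstrip("/")
    return clean if clean == "/" else clean + tail


def decide(acl, url):
    """First matching rule wins; unmatched or malformed requests are denied."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "deny"
    host, path = parts.hostname.lower(), _norm(parts.path)
    for action, host_pat, path_pat in acl:
        if fnmatchcase(host, host_pat) and fnmatchcase(path, path_pat):
            return action
    return "deny"


def audit(acl, urls):
    """Decision per requested URL, however the user arrived at it."""
    return {url: decide(acl, url) for url in urls}


# The bookmark itself, then two URLs a user could type by hand.
REQUESTS = [
    BOOKMARKS["wiki"],
    "http://cvs.corp.example/",
    "http://wiki.corp.example/public/../admin/users",
]

if __name__ == "__main__":
    for name, acl in (("permissive", PERMISSIVE_ACL), ("tight", TIGHT_ACL)):
        print(name, audit(acl, REQUESTS))
```

With the permissive rule set every hand-typed URL is allowed; with the tight one only the bookmarked site outside `/admin/` is reachable, whether or not a bookmark was used.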

Contributor
minifig
Posts: 10
Registered: ‎04-19-2012

Re: Discussion on change url possibilities


zanyterp wrote:

I have not seen Explorer be able to prevent a user from using the address bar to attempt changing where they are connected against and apologize for that; the only behavior I have seen is the same as the SA: the user can type whatever they want in the address bar; the ACL on the server then determines if access should be allowed or not.

Back to the Windows analogy, you can access locations that are not shared by using the hidden link on the <x> drive (e.g. C$, D$, Z$). If the user knows the full internal path, they can type it in the address bar in Explorer and connect. The server ACLs will then allow or deny access.



I did not state that Explorer on the client can control what you type in the address bar. I stated that the server that you want to access does.

For the Windows analogy: you can only access those (default) administrative shares if you are an administrator. These are not accessible for a common user.

But I'll leave it at that now. It seems I'm the only one who thinks that fiddling with an obfuscated link should be allowed by an SA.

Contacting my account team to solve this and make an option out of it that seems to be considered as useful by members here is not going to happen.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.