DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Can't log in to SSL web proxy (2860ac)

  • maxwellhadley
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
14 Feb 2016 20:00 #85358 by maxwellhadley
Can't log in to SSL web proxy (2860ac) was created by maxwellhadley
Hi,

I've set up a user account, user group, and SSL web proxy to let me securely access a web page on my LAN from the Internet. I've enabled the https server under 'Allow management from the internet' on the System Maintenance >> Management page. I'm using the default port 443 for this. I can now log in to the admin account remotely (using https), but I can't log in at all using the user credentials I created for the purpose. As far as I can tell, I have followed the procedure in the manual, but no joy. There don't seem to be any application notes on this particular facility, only on the Java client/SSL VPN, which is not what I'm trying to do.

Can anybody help, please?

Max

P.S. firmware version is 3.8.2_VT2

Please Log in or Create an account to join the conversation.

More
15 Feb 2016 12:13 #85360 by piste basher
Replied by piste basher on topic Re: Can't log in to SSL web proxy (2860ac)
Anything to do with this? http://www.draytek.co.uk/support/guides/kb-forwarding-tcp443

Please Log in or Create an account to join the conversation.

  • maxwellhadley
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
16 Feb 2016 21:28 #85380 by maxwellhadley
Replied by maxwellhadley on topic Re: Can't log in to SSL web proxy (2860ac)
Not that problem. I can reach the router login page, and log in successfully as admin, just not as a web proxy user.

Please Log in or Create an account to join the conversation.

  • maxwellhadley
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
01 Mar 2016 21:54 #85526 by maxwellhadley
Replied by maxwellhadley on topic Re: Can't log in to SSL web proxy (2860ac)
I raised a ticket with Draytek about this, and between Chris and myself we found out the problem:


  • It is not necessary to enable Internet management of the router to use SSL VPN, despite what the manual implies. However, if you do enable both functions, they must be on different ports. If not, the management login takes precedence. You get a warning dialog about this, but it is rather erratic, sometimes warning you when there is in fact no clash. The management login page will also show the control to set the user group, even though that is not relevant to router management users

  • From VPN and Remote Access >> Remote Access Control Setup, check Enable SSL VPN Service

  • From SSL VPN >> General Setup, select the port and certificate you want to use

  • From SSL VPN >> SSL Web Proxy, configure the LAN web page(s) you want to access, and the connection method (I used 'SSL')

  • From SSL VPN >> Remote Dial-in User, enable the account (and set the idle timeout); check 'SSL Tunnel' as the allowed dial-in type; set the subnet to the subnet where the LAN web page is located; and enter the username and password

  • From SSL VPN >> User Group, create and enable a group; check 'SSL Web Proxy', and the web pages you wish the group members to access; check 'Local User DataBase' and add the user account(s) you want to place in the group

And that appears to work. I think I became confused because the master enable for SSL VPN functions is not found in the SSL VPN section of the main menu. I had got hold of the wrong idea that it was enabled by enabling Internet management. Also somehow my dial-in user account had got itself removed from the relevant group. I don't know how that happened, and I haven't been able to duplicate it.

Please Log in or Create an account to join the conversation.

More
20 Mar 2016 14:06 #85687 by takeo_ischi
Replied by takeo_ischi on topic Re: Can't log in to SSL web proxy (2860ac)
I agree; the whole menu layout for these functions is confusing.

One other thing which wasted my time but (helpfully!) isn't documented anywhere, is that it isn't possible to log onto the SSL VPN locally; it will say wrong username/password. As such, you'll need to test from an external connection.

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami