Author Topic: [SOLVED] Zentyal client can't access mail sites / HTTPS problem?  (Read 14890 times)

solarwinds

Hello all, how do I allow clients to access mail sites? Right now my clients cannot load the login page of Yahoo Mail, Google Mail, etc. in any web browser. Is there something wrong with my configuration? I'm using the HTTP proxy in transparent mode. I already created an HTTPS service with port 443 and allowed it on the firewall, but I still can't access mail sites. Any help is much appreciated.
Thanks!


Great minds think alike.
^_^
« Last Edit: October 13, 2011, 07:51:48 am by christian »

nicolasdiogo

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #1 on: August 18, 2011, 10:41:44 pm »
You say that you are having problems with port 443 and that you have already created and enabled a service for this port.

So it is difficult to know what else to suggest besides:

Logs > Configure logs >
enable Firewall

and leave it running for a couple of hours and then query the logs.

Nicolas


www.brainpowered.net


my opinions and suggestion expressed on this forum are my own as a user.
please note that i am not part of the Zentyal Development Team

www.brainpowered.net - supporting open-source Business Intelligence in Europe

solarwindz

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #2 on: September 14, 2011, 09:25:53 am »
Thanks for the reply. Yes, it is hard. Even the logs don't show anything about my HTTPS access. It only listed all HTTP visited sites. T_T

christian

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #3 on: September 14, 2011, 10:00:53 am »
May I suggest you try with a non-transparent proxy, ensure you can access using the proxy and then, if it works and if you do need transparent mode, review again and again what you did in terms of firewall rules.

nicolasdiogo

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #4 on: September 14, 2011, 01:15:15 pm »
Could you also check your server logs for packets that have been dropped?

Code:
cat /var/log/kern.log | grep -i dpt=443

If nothing is returned, please try:

Code:
cat /var/log/kern.log | grep -i drop

The above command should show any packets dropped with HTTPS (443) as their destination.

I have just checked my installation: while running the proxy in transparent mode it is all fine.
When I switch the firewall rule for HTTPS to 'deny' for internal networks, my logs start getting messages in both the Zentyal Firewall log and /var/log/kern.log.

Let us know if there is any news.
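Added example (not part of the original posts): a shell function that performs the log check suggested in reply #4 with an exact match on DPT=443, counting dropped packets per source and destination so that DPT=4430 or non-dropped traffic is not mixed in. It assumes the usual netfilter LOG field layout (SRC=, DST=, DPT=); the sample lines, their log prefixes and the host name are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Counts dropped packets whose destination
# port is exactly 443, grouped by source and destination address.

# Constructed sample lines in netfilter LOG layout; the log prefixes and the
# host name "gw" are assumptions, not taken from a real Zentyal log.
write_sample() {
    cat > "$1" <<'EOF'
Sep 14 13:02:11 gw kernel: [ 1021.3] zentyal-firewall drop IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51512 DPT=443 SYN
Sep 14 13:02:14 gw kernel: [ 1024.3] zentyal-firewall drop IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51512 DPT=443 SYN
Sep 14 13:03:40 gw kernel: [ 1110.9] zentyal-firewall drop IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=40022 DPT=443 SYN
Sep 14 13:03:41 gw kernel: [ 1111.2] zentyal-firewall drop IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=40023 DPT=4430 SYN
Sep 14 13:04:02 gw kernel: [ 1132.0] zentyal-firewall drop IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=TCP SPT=51600 DPT=80 SYN
Sep 14 13:04:30 gw kernel: [ 1160.5] fw-accept IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=TCP SPT=39000 DPT=443 SYN
EOF
}

# https_drops FILE
# Prints "<count> <src> -> <dst>" for every line that mentions "drop"
# (case-insensitive, like `grep -i drop`) and has a DPT=443 field.
https_drops() {
    awk '
    tolower($0) ~ /drop/ {
        src = ""; dst = ""; hit = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src = substr($i, 5)
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i == "DPT=443") hit = 1   # whole field, so DPT=4430 is skipped
        }
        if (hit && src != "") count[src " -> " dst]++
    }
    END { for (k in count) printf "%d %s\n", count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# Demo on the constructed sample; on a real server pass /var/log/kern.log.
sample=$(mktemp)
write_sample "$sample"
https_drops "$sample"
rm -f "$sample"
```

An empty result from a log that does contain other dropped traffic means the firewall is not dropping port 443, which points away from the HTTPS rule and towards routing or gateway configuration.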

solarwindz

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #5 on: September 15, 2011, 03:52:10 am »
Hello Christian,
Yes Sir, I tried using the proxy in the browser and it worked. But in transparent mode, I can just visit the sites but they will be loading all day until the request times out and everything turns to a white screen. ^_^

Hello nicolasdiogo,
Even the logs don't show anything while in transparent mode. It only shows my HTTP requests, whether dropped or not.

But I found out something. Using network commands on the CLI did the trick. After adding proper default routes on the CLI, I can then access all the mail sites. But the problem is, every time the "network module" is reloaded, the default routes I added through the CLI disappear. Is there something wrong with my Zentyal configuration, or is there anything I missed?

Thanks for the reply!

« Last Edit: September 15, 2011, 03:54:28 am by solarwindz »

christian

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #6 on: September 15, 2011, 07:22:51 am »
Quote
I tried using proxy on browser and it worked. But when on transparent mode, i can just visit the sites but it will be loading all day until the request times out and turns everything to white screen.

Sorry, I simply do not understand what you mean here  :-[
So, if I take it as "it works in non-transparent proxy mode", then:
- why not use this mode?
- it shows that you did something wrong with your "workaround via firewall for HTTPS" implementation

solarwindz

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #7 on: September 15, 2011, 09:32:43 am »
Yes Sir,

Thanks a lot for your reply.
We need transparent mode. Our clients here are not all IT literate. Therefore, we should use our information systems to make work more efficient and easy for the users. I mean like a no-brainer thing: just connect to our access points or switches and puff, coco crunch, internet is ready.

So I need help on how to serve internet, in transparent proxy mode, without manually configuring gateways and network stuff via the CLI.

Firewall? So does it mean I need to allow the port "3128" on the Zentyal firewall?


^_^


christian

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #8 on: September 15, 2011, 09:48:08 am »
Thinking that, in order to keep infrastructure efficient, it has to be transparent is a common mistake, from my standpoint.
Trying to minimize actions on the client side (because there are, most of the time, many more clients than servers) is very obviously the main objective.

Then, coming back to the proxy: HTTP works smoothly in transparent mode. You are not able, for some reason I don't understand, to set up the workaround via firewall as described in the documentation.
May I suggest you have a look at this:
http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign

It doesn't answer your question but will explain some basics, I hope.

solarwindz

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #9 on: September 15, 2011, 10:22:27 am »
OK, will check now. I much appreciate your help. Indeed, clients should have the least action, this is what customer service is all about. ^_^ Has anyone ever told you you're a hero? hehehe..


solarwindz

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #10 on: September 15, 2011, 10:32:49 am »
Whew. Nice documentation. What am I missing here? Every time the network module reloads, the gateways disappear. Currently I have 3 WANs, 2 static and 1 PPPoE. Checking inside Zentyal through the CLI, without the gateways, clients don't have internet. Adding the gateways manually on the CLI, voila, clients have internet access following the transparent HTTP proxy filtering and firewall rules. Why do the gateways disappear? Is adding the gateways manually on the CLI the correct way to serve internet access to clients?


nicolasdiogo

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #11 on: September 15, 2011, 10:55:46 am »
by saying
Quote
Everytime the network module reloads, gateways disappear

Have you defined a gateway in Zentyal, as per the docs?
http://trac.zentyal.org/wiki/Documentation/Community/HowTo/GatewaySetup#a3.2.Gatewaysandloadbalancing

christian

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #12 on: September 15, 2011, 10:59:08 am »
Still targeting client administration that is as light as possible, clients should rely on DHCP. So you need to ensure, once, that the clients' network is set to use DHCP.
Then you have to set up a DHCP server which will provide the default gateway, DNS, IP address stuff. Centrally managed, easy and efficient  8)

solarwindz

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #13 on: September 16, 2011, 07:43:59 am »
Yes Sir, gateways are defined correctly in the Zentyal GUI; the documentation is so detailed and very helpful for an average person to understand. I'm also kind of a Linux dude so I kind of check on the CLI also. Why are the default gateways not showing when I issue the command "route"? Using the transparent HTTP proxy, my clients do not have internet access unless I add the default gateways manually through the CLI. But when not using the transparent proxy, even though the default gateways are not showing in the CLI "route" command, clients have internet access.

With regards to clients, we already have a DHCP server providing network stuff including Zentyal as gateway. So this should not be a problem at all for a Network Administrator.

Any form of help is much appreciated!


christian

Re: Zentyal client can't access mail sites / HTTPS problem?
« Reply #14 on: September 16, 2011, 08:31:16 am »
What you describe is perfectly normal: in transparent proxy mode, the proxy IP address MUST be the client's default gateway.
Therefore if there is any problem with the gateway definition on the client side, the transparent proxy will not work. It is as simple as that.

Then the real question is "why are clients not getting this default gateway value?"

Would you mind sharing "/etc/network/interfaces" for one of these clients, sharing a screen copy of your DHCP configuration (Zentyal side) and finally, once the lease is renewed, sharing the output of the "route" command?

So far, you only wrote "yes it's well configured everywhere" (kind of) but if there is something wrong you do not even suspect, the best way is to share what you did.  ;)