Implemented

Web Pages over Secure Gateway

Possibility to open / use web pages over the Secure Gateway connections.

So that you don't need to make a VPN for viewing a webpage / management page of a device on a client / other location.

With the Secure Gateway that would be awesome; that's not an option now.


3 people like this idea

This feature is in the Windows version of Royal TS but having it in the TSX version would be so sweet!


1 person likes this

Hi everyone,


we've just released a new WebKit plugin beta update which includes experimental(!) Secure Gateway support.

You can get the beta here as usual.


Please be aware that this implementation will definitely not work under all circumstances since it basically only translates the URL we give to the underlying WebKit engine. We don't translate any absolute URLs that might be embedded in a website.


Feedback very welcome!


thx,

felix


1 person likes this

@Kay: Like previously mentioned, Chrome is off limits at the moment. Rest assured that if a new framework or library for Chrome integration on the Mac comes around, I'll be the first to give it a shot. ;)


1 person likes this

Even though this feature seems far away from TSX, I just wanted to say that I'd need it too.


1 person likes this

In Royal TS for Windows you need to switch to the Chrome plugin. Then you will see the Secure Gateway configuration. You also need to check the option "Use dedicated engine" on the Engine page and configure the proxy settings to use the Secure Gateway. We will soon post a detailed blog article.


1 person likes this

Now I have looked into Royal TSX and I have one more idea.

If automatically replacing the URL and using automated local forwarding through the Secure Gateway is a little too complicated, then it is possible to add a tunnels feature to the Secure Gateway for making permanent tunnels.

Example:

Taking the example from before, I made myself a permanent tunnel in the Secure Gateway: 12345:10.10.10.2:443.

The web page properties should then only have a checkbox with the label "uses permanent rules in secure gateway" and a select field with the list of Secure Gateways.

OK, now I'm out of ideas ;)


Have a nice day boys.

Hi Josef,


I'm not quite sure I understand your suggestion.

Creating the port forward/tunnel is not the problem. The problem is getting all resources of a web page to use that tunnel instead of a direct connection.

For instance, a website might be hosted on 192.168.0.1, however resources defined in the actual HTML page, like images, javascript, css, etc. might use a completely different IP address/host and so wouldn't be affected by the tunnel.


cheers,

felix

Hi Felix, good to know that you have your hands on it. Yes, I understand SOCKS and the problem with Mac Safari. But on the other hand, why do you need SOCKS? Yes, it's much easier to implement this, but it is possible to do it without SOCKS, with only LOCAL forwarding. I mean, this can help so many people that this can be implemented.


Simple Flow Example:

I'm on a PC in segment 192.168.0.0/24 (can only SSH to 10.10.10.1)

1. Create a Secure Gateway (to 10.10.10.1)

2. Create a web page with URL https://10.10.10.2 (no hostnames; I have not looked exactly at how names are translated over the proxy) and with Secure Gateway 10.10.10.1

3. Start the web page

4. Royal TSX creates a LOCAL forwarding in the Secure Gateway like so: 12345:10.10.10.2:443 (12345 = free random port; https = 443 only if no :port is defined in the URL) [the same logic applies for http]

5. Royal TSX replaces https://10.10.10.2 with https://127.0.0.1:12345 and opens the web page through the Secure Gateway.


Cons:

- maybe it only works with IPs (I mean, for admins it is not such a big problem)

- it is not possible to use sites that actively use more than one port in the web solution (in HTTP redirects) - for example, you are on 127.0.0.1:34355 and a redirect to 10.10.10.2:8080 comes in


What do you think about it?


With best regards

Josef Svitak

Hi Stefan,

is it planned / possible even to implement a Chrome browser engine plugin on OSX as well?

I'm using the Chrome plugin for its ability to use a specific proxy for a specific web connection, but sharing these configs with colleagues on OSX obviously fails currently. It would be nice if this would be portable as well (in particular since Chrome and its framework are certainly available on OSX as well - it's not like we're asking for an IE engine on OSX :) )

 

Hi, it looks like my previous message did not arrive in the forum.

And one more hi for Felix Deimel (I hope we can solve this like the saving problem two years ago).


OK, I can shorten this:

When SOCKS is not available (or not easy to implement on Mac), then why not use only LOCAL forwarding?

Example:

I'm in 192.168.0.0/24 and my jump server is 10.10.10.1.

I need to go to 10.10.10.2

I create a Secure Gateway for 10.10.10.1

I create a web page with address https://10.10.10.2 and check the option to use Secure Gateway 10.10.10.1

I start the web page 10.10.10.2

Royal TSX creates a local forwarding (https = 443 only if there is no other port in the URI, :<PORT>): 12345:10.10.10.2:443

Royal opens the web page with the replaced URI: https://127.0.0.1:12345


Cons:

- It uses only IP addresses

- web apps with redirect functions can cause trouble, or can be dysfunctional, but 99% of pages for administration are OK; I have used local forwarding for more than 15 years. Automation can be very helpful.


With best regards

Josef Svitak

Hi Zoltan,


the Chrome engine we're using is provided by a 3rd party vendor who puts in a lot of effort to make the Chrome engine "embeddable". To my knowledge, such an engine does not exist on macOS and would be a huge effort. So for now, I guess the Safari engine is the only thing we can use on macOS.


Regards,
Stefan

Josef,


you're right in that it would be trivial to add basic Secure Gateway support for web sites. We could add this basically tomorrow. However, this would only work in cases where the web site is programmed to not include any absolute URLs and doesn't access any resources on other hosts. So IMHO this is of limited use and hard to explain to customers why it only works in some cases. It also means that if the initial page, for instance, is configured "properly" (does not include any absolute URLs), it would look good to the customer, but if another page of the same web app has an absolute link embedded, that particular resource then wouldn't load. Which would lead to one page working properly while another won't load at all, the next one loads the HTML but since the CSS is referenced absolutely it doesn't load, and so forth. Basically it's not transparent to the user why one page loads perfectly fine while the next one doesn't. Not a good user experience.


The problem with proxies in Apple's WebKit API is not that it's "hard" to implement. The problem is that an API to specify a custom proxy host simply doesn't exist. The WebKit components always use the proxy settings specified at system level (System Preferences - Network - Advanced - Proxies).


cheers,

felix
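The flow Josef describes (local forward plus URL rewrite) and the limitation Felix raises (absolute references that never touch the forward), as an added example that is not part of any post above and not Royal Apps code. The function names, the regex-based scan and the sample HTML are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def plan_forward(url, local_port):
    """Return (forward_spec, rewritten_url) for opening url through a local forward."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("only absolute http/https URLs can be forwarded")
    # Use the scheme's default port only when the URL carries no explicit :port.
    remote_port = parts.port or DEFAULT_PORTS[parts.scheme]
    spec = f"{local_port}:{parts.hostname}:{remote_port}"
    local = f"127.0.0.1:{local_port}"
    rewritten = urlunsplit((parts.scheme, local, parts.path, parts.query, parts.fragment))
    return spec, rewritten

# Absolute or protocol-relative references in src/href/action attributes.
ABS_REF = re.compile(r"""(?:src|href|action)\s*=\s*["']((?:https?:)?//[^"']+)["']""", re.I)

def refs_outside_tunnel(html, rewritten_url):
    """List references the browser would fetch directly instead of via the forward."""
    tunnel = urlsplit(rewritten_url)
    outside = []
    for ref in ABS_REF.findall(html):
        target = urlsplit(ref, scheme=tunnel.scheme)
        port = target.port or DEFAULT_PORTS.get(target.scheme)
        if (target.hostname, port) != (tunnel.hostname, tunnel.port):
            outside.append(ref)
    return outside

# Constructed sample page: two absolute references, two relative ones.
SAMPLE_HTML = """
<link rel="stylesheet" href="https://10.10.10.2/css/site.css">
<script src="//10.10.10.3:8080/app.js"></script>
<img src="/img/logo.png">
<a href="status.html">Status</a>
"""

if __name__ == "__main__":
    spec, url = plan_forward("https://10.10.10.2", 12345)
    print("forward:", spec)
    print("open:   ", url)
    for ref in refs_outside_tunnel(SAMPLE_HTML, url):
        print("bypasses tunnel:", ref)
```

Relative references resolve against https://127.0.0.1:12345 and stay on the forward; the two absolute ones would be requested directly, which from the 192.168.0.0/24 segment in the example means they fail to load.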

Stefan,


Is that why we can't have this feature on TSX, because it uses WebKit as opposed to the Chrome plugin? :(

On macOS using WebKit, there's currently no way to support SOCKS proxy configurations. That's why we currently cannot support this scenario on macOS.

OK, first, just started using the Secure Gateway feature in Royal TSX 3.0 last week, and it has become my new best friend. :-) So thank you for this feature. For SSH, VNC, and RDP, it is incredibly easy to set up.


Then today I thought about trying to get at a webpage via similar means, only to find that's not possible. I'd like to add "yet?" *wink wink*


OK, seriously, adding that would be very nice, considering Royal TSX supports webpages, and I can see lots of use cases, such as what Kay mentioned (notably if VPNing in isn't even an option). So I'll add my name to the list of folks who would love to see this on the Mac version.
