I found that simply having WhatsUp use a seperate port, then configuring Apache for Win32 with OpenSSL in a proxy mode solves this problem.
Have WhatsUp listen on something strange like port 81 or something. You could also setup IP security here and only let 127.0.0.1 have access to the page. This would ensure that everyone uses SSL only. Set up Apache to proxy port 443 (with an SSL certificate on Apache, which can be self signed by the way) to the WhatsUp port on the same machine (port 81 in our case). Then all requests would go to https://servername which would route everything transparently to port 81. So you get your SSL and it's easy (I think) to setup. I included a quick snap of my httpd.conf. Keep in mind you'll need more than this, this is just the specifics about the host and proxy stuff. How to setup Apache + SSL on Win32 ( it seems difficult at first, but actually really easy ): http://tud.at/programm/apache-ssl-win32-howto.php3 Partial httpd.conf: LoadModule proxy_module modules/mod_proxy.so LoadModule ssl_module modules/mod_ssl.so # Proxy Server directives. Uncomment the following lines to # enable the proxy server: # <IfModule mod_proxy.c> ProxyRequests On <Directory proxy:*> Order deny,allow Allow from all </Directory> # # Enable/disable the handling of HTTP/1.1 "Via:" headers. # ("Full" adds the server version; "Block" removes all outgoing Via: headers) # Set to one of: Off | On | Full | Block # ProxyVia On # # To enable the cache as well, edit and uncomment the following lines: # (no cacheing without CacheRoot) # # CacheRoot "/Apache/proxy" # CacheSize 5 # CacheGcInterval 4 # CacheMaxExpire 24 # CacheLastModifiedFactor 0.1 # CacheDefaultExpire 1 # NoCache a_domain.com another_domain.edu joes.garage_sale.com </IfModule> # End of proxy directives. <VirtualHost *:443> SSLEngine On SSLCertificateFile conf/ssl/wug-server.crt SSLCertificateKeyFile conf/ssl/wug-server.key ServerName wug.mydomain.com ServerAdmin [EMAIL PROTECTED] <Location /> Allow from all </Location> ProxyVia On ProxyPass / http://127.0.0.1:81/ ProxyPassReverse / http://127.0.0.1:81/ CustomLog logs/wug-access.log combined </VirtualHost> -Bill ---------------------------------------------------------------------- Subject: RE: [WhatsUp Forum] WUG and IIS Date: Mon, 8 Apr 2002 07:24:47 -0500 From: "Daniel Pothier" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Great question, We were also concerned that the information on our WUG web pages was too sensitive for this level of security. I would like to see Ipswitch go further in this area or, as you say, get out of it. =20 My company needs to be able to view this information remotely. Our solution: We have the web app restricted to a single IP address, internal on our network. This is a MetaFrame/Terminal Server with a NAT'd address and only ICA ports open. Our support staff and admins can log into this server and run IE to the WUG server. Alternatively, IE can be published with MetaFrame preconfigured to launch to the WUG app and a link to this embedded in a public web page. Both of these options give you the security of 128bit encryption and Windows Authentication. Works very well for us because we happened to have a spare Terminal Server for support staff. SSL would have been easier. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]=20 Sent: Sunday, April 07, 2002 10:56 PM To: [EMAIL PROTECTED] Subject: [WhatsUp Forum] WUG and IIS Dear WhatsUp Technicians and Afeccionados, Does IPSwitch make (or have they considered making) ISAPI filters for the WUG Web files? I would love to be able to browse WUG maps over the Internet but am not comfortable using a cleartext password scheme without SSL to access something as critical as network administration tools like WUG Web. It seems to me WUG might benefit from being built compatible with IIS - SSL and Windows Authentication being just one class of perk - and this kind of architecture could also free up the developers to focus on what WUG does well - network monitoring - leaving web server development to Microsoft. If anything like this is available, or if anyone has any ideas on workarounds for serving out WUG Web Maps in a more secure way, please let me know. Best, Robert Please visit http://www.ipswitch.com/support/mailing-lists.html=20 to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/ ---------------------------------------------------------------------- Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/whatsup_forum%40list.ipswitch.com/
