WAPT server accessibility from outside

Locked
Guillaume_ccfd
Messages: 24
Registration: June 11, 2020 - 4:42 PM

October 2, 2020 - 8:02 AM

Hello everyone,

Due to COVID-19, like many others, I'm having to find solutions for my remote users who are experiencing various issues (such as VPN problems).

Some of my users don't have a VPN or need a script run on their machines. However, to make this possible, I would need to make my WAPT server accessible from the outside.

I therefore have a few questions:

- Have any of you already made your WAPT servers accessible from the outside?
- What security measures should I implement?
- Do you have any recommendations?

Thank you in advance and have a good day. ;)
nliaudat
Messages: 29
Registration: August 8, 2019 - 8:31 AM

October 9, 2020 - 11:15

1) Create a DNS server in your domain, for example, wapt.consoto.com
2) You need to set up a reverse proxy on your firewall pointing to your local WAPT server. (wapt.consoto.com => wapt.lan.consoto.com)
3) Create a wapt-remote-repository package

Code:

# setup.py of the wapt-remote-repository package
from setuphelpers import *

def install():
    # Point the agent at the externally reachable repository and server
    print('Change repository url for remote access')
    inifile_writestring(WAPT.config_filename, 'global', 'repo_url', 'https://wapt.consoto.com/wapt')

    print('Change server url for remote access')
    inifile_writestring(WAPT.config_filename, 'global', 'wapt_server', 'https://wapt.consoto.com')

def uninstall():
    # Restore the internal (LAN) repository and server URLs
    print('Restore repository url')
    inifile_writestring(WAPT.config_filename, 'global', 'repo_url', 'https://wapt.lan.consoto.com/wapt')

    print('Restore server url')
    inifile_writestring(WAPT.config_filename, 'global', 'wapt_server', 'https://wapt.lan.consoto.com')
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

October 15, 2020 - 3:23 PM

Hello Guillaume_ccfd,
Guillaume_ccfd wrote: Oct 2, 2020 - 8:02 AM

Hello everyone,

Due to COVID, like many others, I'm forced to find solutions for my remote users who have various problems (such as VPN issues).

Some of my users don't have a VPN or would need a script run on their machines. However, for this to be possible, I would need to make my WAPT server accessible from the outside.

So I have a few questions:

- Have any of you already made your WAPT servers accessible from the outside?
- What security measures should I take?
- Do you have any recommendations?

Thank you in advance and have a good day. ;)
Since you are on the Enterprise version, the best option is to activate a reverse proxy with client certificate validation for added security; see https://www.wapt.fr/fr/doc/waptserver-i ... ation.html
With this configuration, only machines registered on the server can access the server and download their packages.
Denis
Denis Cardon - Tranquil IT
Guillaume_ccfd
Messages: 24
Registration: June 11, 2020 - 4:42 PM

November 2, 2020 - 9:09 AM

Hello,

thank you!

This will allow us to better intervene at the stations in our park while ensuring safety.
cfargues
Messages: 28
Registration: May 19, 2016 - 3:12 p.m.

November 3, 2020 - 11:57 AM

Hello,
to add to the answers already given, we've written a specific article on the subject with instructions on how to manage workstations without a VPN (or with VPN issues).
https://www.tranquil.it/comment-gerer-d ... avec-wapt/

Stay safe during lockdown!

Camille
Camille FARGUES,
Account Manager
Guillaume_ccfd
Messages: 24
Registration: June 11, 2020 - 4:42 PM

December 20, 2021 - 10:20

Hello,

I just checked, and when I access my WAPT server URL, I get a 401 error. However, when I enter the URL /wapt/waptagent.exe, I can successfully download the WAPT agent, and therefore I could install it from a machine that is not part of our organization (with a potential security risk later on).

Have I missed a step in the configuration/documentation?
florentR2
Messages: 100
Registration: February 13, 2020 - 5:23 PM

December 20, 2021 - 10:31

If you enable Kerberos or authentication registration options, only a PC authorized by the domain or by you can register.
StocksM
Messages: 1
Registration: January 27, 2022 - 10:50 AM

February 18, 2022 - 09:36

One more comment about this: as I've already mentioned, it could be the fault of your antivirus software (if you have one), the fault of the program or software you're using, or it could be blocked by your ISP. You can always check your IP address to see if it has changed at https://www.packvpn.com/adresse-ip and then you'll find where the problem lies.
dcardon
WAPT Expert
Messages: 1929
Registration: June 18, 2014 - 09:58
Location: Saint Sébastien sur Loire

March 3, 2022 - 4:45 PM

Good morning,

By default, the WAPT server configuration corresponds to an internal configuration, and the following URLs are not certificate-protected:

Code:

    location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json|licences.json)$ {
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }

If you expose it internally, you can protect these URLs by source IP, or block them entirely, but you will need to deploy the executable from another source in that case.

Sincerely,

Denis
Denis Cardon - Tranquil IT
Locked
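
The two protections discussed in this thread, client certificate validation on the reverse proxy and a source-IP restriction on the installer URLs, sketched together as one nginx server block. This is an added example, not the configuration shipped with WAPT or taken from its documentation: the certificate paths, the 192.0.2.0/24 range and the upstream address are placeholders, and wapt.consoto.com is the host name used earlier in the thread.

```nginx
# Added example: placeholders throughout, not the WAPT-shipped configuration.
server {
    listen 443 ssl;
    server_name wapt.consoto.com;                 # host name used earlier in the thread

    ssl_certificate     /etc/nginx/ssl/wapt.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/wapt.key;  # placeholder path

    # CA that signed the certificates of registered machines (placeholder path).
    ssl_client_certificate /etc/nginx/ssl/agents-ca.crt;
    # "optional" lets the TLS handshake complete without a client certificate,
    # so each location decides whether a verified certificate is required.
    ssl_verify_client optional;

    # Installer and sync files: served without a client certificate in the
    # block quoted above; here they are limited to known source networks.
    # The dots in the regex are escaped so that "." only matches a literal dot.
    location ~ ^/(wapt/waptsetup-tis\.exe|wapt/waptagent\.exe|wapt/waptdeploy\.exe|sync\.json|rules\.json|licences\.json)$ {
        allow 192.0.2.0/24;                       # placeholder: trusted source range
        deny  all;                                # any other source gets 403
        add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
        add_header Pragma "no-cache";
        root "/var/www";
    }

    # Everything else requires a certificate that verified against the CA above.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
        proxy_pass http://127.0.0.1:8080;         # placeholder upstream
    }
}
```

The allow/deny rules match the address nginx itself sees: if another proxy terminates the connection in front of this server, that is the proxy's address, and client certificates presented to that proxy never reach this block.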