Page 1 of 1
WAPT server accessibility from outside
Published: October 2, 2020 - 8:02 AM
by Guillaume_ccfd
Hello everyone,
Due to COVID-19, like many others, I'm having to find solutions for my remote users who are experiencing various issues (such as VPN problems).
Some of my users don't have a VPN or need a script run on their machines. However, to make this possible, I would need to make my WAPT server accessible from the outside.
I therefore have a few questions:
- Have any of you already made your WAPT servers accessible from the outside?
- What security measures should I implement?
- Do you have any recommendations?
Thank you in advance and have a good day.
Re: WAPT server accessibility from outside
Published: October 9, 2020 - 11:15 AM
by nliaudat
1) Create a DNS server in your domain, for example, wapt.consoto.com
2) You need to set up a reverse proxy on your firewall pointing to your local WAPT server. (wapt.consoto.com => wapt.lan.consoto.com)
3) Create a wapt-remote-repository package
Code: Select all
def install():
print('Change repository url for remote access')
inifile_writestring(WAPT.config_filename,'global','repo_url','https://wapt.consoto.com/wapt')
print('Change server url for remote access')
inifile_writestring(WAPT.config_filename,'global','wapt_server','https://wapt.consoto.com')
def uninstall():
print('Restore repository url')
inifile_writestring(WAPT.config_filename,'global','repo_url','https://wapt.lan.consoto.com/wapt')
print('Restore server url')
inifile_writestring(WAPT.config_filename,'global','wapt_server','https://wapt.lan.consoto.com')
Re: WAPT server accessibility from outside
Published: October 15, 2020 - 3:23 PM
by dcardon
Hello Guillaume_ccfd,
Guillaume_ccfd wrote: ↑Oct 2, 2020 - 8:02 AM
Hello everyone,
Due to COVID, like many others, I'm forced to find solutions for my remote users who have various problems (such as VPN issues).
Some of my users don't have a VPN or would need a script run on their machines. However, for this to be possible, I would need to make my WAPT server accessible from the outside.
So I have a few questions:
- Have any of you already made your WAPT servers accessible from the outside?
- What security measures should I take?
- Do you have any recommendations?
Thank you in advance and have a good day.
Since you are on the enterprise version, the best option is to activate a reverse proxy with client certificate validation for added security: see.
https://www.wapt.fr/fr/doc/waptserver-i ... ation.html
With this configuration, only machines registered on the server can access the server and download their packages.
Denis
Re: WAPT server accessibility from outside
Published: November 2, 2020 - 9:09 AM
by Guillaume_ccfd
Hello,
thank you!
This will allow us to better intervene at the stations in our park while ensuring safety.
Re: WAPT server accessibility from outside
Published: November 3, 2020 - 11:57 AM
by cfargues
Hello,
to add to the answers already given, we've written a specific article on the subject with instructions on how to manage workstations without a VPN (or with VPN issues).
https://www.tranquil.it/comment-gerer-d ... avec-wapt/
Stay safe during lockdown!
Camille
Re: WAPT server accessibility from outside
Published: Dec 20, 2021 - 10:20
by Guillaume_ccfd
Hello,
I just checked, and when I access my WAPT server URL, I get a 401 error. However, when I enter the URL /wapt/waptagent.exe, I can successfully download the WAPT agent, and therefore I could install it from a machine that is not part of our organization (with a potential security risk later on).
Have I missed a step in the configuration/documentation?
Re: WAPT server accessibility from outside
Published: Dec 20, 2021 - 10:31
by florentR2
If you enable Kerberos or authentication registration options, only a PC authorized by the domain or by you can register
Re: WAPT server accessibility from outside
Published: February 18, 2022 - 09:36
by StocksM
One more comment about this: as I've already mentioned, it could be the fault of your antivirus software (if you have one), the fault of the program or software you're using, or it could be blocked by your ISP. You can always check your IP address to see if it has changed at
https://www.packvpn.com/adresse-ip and then you'll find where the problem lies.
Re: WAPT server accessibility from outside
Published: March 3, 2022 - 4:45 PM
by dcardon
Good morning,
By default, the WAPT server configuration corresponds to an internal configuration, and the following URLs are not certificate-protected:
Code: Select all
location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json|licences.json)$ {
add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
add_header Pragma "no-cache";
root "/var/www";
}
If you expose it internally, you can protect these URLs by source IP, or block them entirely, but you will need to deploy the executable from another source in that case.
Sincerely,
Denis