Open-AudIT


All times are UTC + 10 hours




Posted: Wed Jan 16, 2008 12:41 pm
Newbie

Joined: Wed Jan 02, 2008 12:33 pm
Posts: 23
Hey,

Some of our computers in our office are actually set up behind a firewall from the rest of the office, running on one of our customer's LAN. As such, we can't audit them from our 'open audit server' per se. I did not want to expose our Open-Audit installation to the world either, so I decided to use our reverse-proxy server and expose JUST the relevant "add" page so audit.vbs could submit its changes. Simple enough, right? I should also mention here that our reverse proxy server is used to serve HTTPS content, using our own "root", self-signed certificate. It's only for us, so no reason to give any money to Verisign for this.

Turns out the submit code in audit.vbs doesn't like these certificate errors. To fix this, I had to change the following code:

[code]
if online = "yesxml" then
    url = non_ie_page
    Set objHTTP = CreateObject("MSXML2.XMLHTTP")
    Call objHTTP.Open("POST", url, FALSE)
    objHTTP.setRequestHeader "Content-Type","application/x-www-form-urlencoded"
    if utf8 = "y" then
        objHTTP.Send "add=" + urlEncode(form_total + vbcrlf)
    else
        objHTTP.Send "add=" + escape(Deconstruct(form_total + vbcrlf))
    end if

    ' if verbose = "y" then
    '     WScript.Echo(objHTTP.ResponseText)
    ' end if
end if
[/code]

to

[code]
if online = "yesxml" then
    url = non_ie_page
    Set objHTTP = WScript.CreateObject("MSXML2.ServerXMLHTTP.3.0")
    objHTTP.SetOption 2, 13056 ' Ignore all SSL errors
    objHTTP.Open "POST", url, False
    objHTTP.setRequestHeader "Content-Type","application/x-www-form-urlencoded"
    if utf8 = "y" then
        objHTTP.Send "add=" + urlEncode(form_total + vbcrlf)
    else
        objHTTP.Send "add=" + escape(Deconstruct(form_total + vbcrlf))
    end if

    if verbose = "y" then
        wscript.Echo "XML sent to server: " & objHTTP.status & " (" & objHTTP.statusText & ")"
    end if
end if
[/code]

That's it. (The change looks scarier than it is -- it's just two lines, really, but I've also changed the output to show the status response from the server, which was sorely missing)

Hope this helps someone out there.

Steph
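
The value 13056 passed to SetOption in the post above is the sum of four separate certificate-check flags, so it also turns off the host-name and expiry checks, not just the issuer check a private root certificate trips. The following is an added example, not part of the original post or of audit.vbs: it decodes a flag value and builds a ServerXMLHTTP object that tolerates only an untrusted issuer. The function names are made up for illustration; the constant names and values are those of the MSXML enumerations.

```vbscript
Option Explicit

' Option id and flag values from the MSXML ServerXMLHTTP enumerations.
Const SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS = 2
Const SXH_SERVER_CERT_IGNORE_UNKNOWN_CA        = 256   ' issuer not trusted
Const SXH_SERVER_CERT_IGNORE_WRONG_USAGE       = 512   ' wrong certificate usage
Const SXH_SERVER_CERT_IGNORE_CERT_CN_INVALID   = 4096  ' host name mismatch
Const SXH_SERVER_CERT_IGNORE_CERT_DATE_INVALID = 8192  ' expired or not yet valid

' List which certificate checks a given flag value switches off
' (hypothetical helper, for illustration only).
Function DisabledChecks(flags)
    Dim names, values, i, result
    names  = Array("unknown CA", "wrong usage", "CN mismatch", "date invalid")
    values = Array(SXH_SERVER_CERT_IGNORE_UNKNOWN_CA, _
                   SXH_SERVER_CERT_IGNORE_WRONG_USAGE, _
                   SXH_SERVER_CERT_IGNORE_CERT_CN_INVALID, _
                   SXH_SERVER_CERT_IGNORE_CERT_DATE_INVALID)
    result = ""
    For i = 0 To UBound(values)
        If (flags And values(i)) <> 0 Then
            If result <> "" Then result = result & ", "
            result = result & names(i)
        End If
    Next
    If result = "" Then result = "none"
    DisabledChecks = result
End Function

' Create a ServerXMLHTTP object that accepts a certificate from an
' untrusted (private) CA but still rejects a wrong host name or an
' expired certificate (hypothetical helper).
Function NewAuditHttp()
    Dim http
    Set http = CreateObject("MSXML2.ServerXMLHTTP.3.0")
    http.SetOption SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS, _
                   SXH_SERVER_CERT_IGNORE_UNKNOWN_CA
    Set NewAuditHttp = http
End Function

WScript.Echo "13056 disables: " & DisabledChecks(13056)
WScript.Echo "256 disables:   " & DisabledChecks(SXH_SERVER_CERT_IGNORE_UNKNOWN_CA)
```

With every check disabled, the audit data is encrypted in transit but the client has no assurance about which server it is sending it to.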


Posted: Wed Jan 16, 2008 9:45 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I like this idea, how exactly does the reverse proxy work, (what is it, and how have you limited access to just the OA add page).

I assume the change you have made doesn't break the standard submit dialog, in other words I can use it universally, i.e. both locally and through the proxy.

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


Posted: Wed Jan 16, 2008 9:53 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
That seems to work a treat... added at SVN 951.

I would still like to know how your reverse proxy idea works though. :D

_________________
Andrew

Posted: Wed Jan 16, 2008 10:53 pm
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
[quote="A_Hull"]That seems to work a treat... added at SVN 951.[/quote]

For me it's not posting data: to make it work, I had to revert to the original object
[code]
Set objHTTP = WScript.CreateObject("MSXML2.XMLHTTP")
[/code]
The OA site uses SSL on IIS6 (2K3 SP2) and a wildcard self-signed certificate.

_________________
Edoardo


Posted: Wed Jan 16, 2008 11:02 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
[quote="ef"][quote="A_Hull"]That seems to work a treat... added at SVN 951.[/quote]

For me it's not posting data: to make it work, I had to revert to the original object
[code]
Set objHTTP = WScript.CreateObject("MSXML2.XMLHTTP")
[/code]
The OA site uses SSL on IIS6 (2K3 SP2) and a wildcard self-signed certificate.[/quote]

Would this work in all cases?

_________________
Andrew

Posted: Thu Jan 17, 2008 2:35 am
Contributor

Joined: Fri Sep 28, 2007 12:07 am
Posts: 189
[quote="A_Hull"][quote="ef"][quote="A_Hull"]That seems to work a treat... added at SVN 951.[/quote]

For me it's not posting data: to make it work, I had to revert to the original object
[code]
Set objHTTP = WScript.CreateObject("MSXML2.XMLHTTP")
[/code]
The OA site uses SSL on IIS6 (2K3 SP2) and a wildcard self-signed certificate.[/quote]

Would this work in all cases?[/quote]

Has/will this been corrected in SVN?

Jason

_________________
OA Deployment:
Windows 2003 with XAMPP install
80 Windows Servers
250 Windows workstations (mixed XP and 2000)
5 MACs
Multiple printers, switches, routers, firewalls, and other servers (ESX, AIX etc.)


Posted: Thu Jan 17, 2008 2:46 am
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
If I don't receive confirmation this second change works for both cases, I may have to revert back to the previous version, as this works for most of us.

Meantime, SVN 952 contains the second change, try it please..

If I haven't had a reply by mid day tomorrow, I will revert back... seems fair to me. :?

_________________
Andrew

Posted: Thu Jan 17, 2008 5:44 pm
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
In my case, the current SVN works also for an OA site on XAMPP without SSL.

_________________
Edoardo


Posted: Thu Jan 17, 2008 8:20 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I'm using Xampp with SSL and it works fine, but we still need to know it works with SSL on IIS6 (2K3 SP2) and a wildcard self-signed certificate, as per Steph's original post. Well Steph ? :?

_________________
Andrew

Posted: Fri Jan 18, 2008 8:26 am
Newbie

Joined: Wed Jan 02, 2008 12:33 pm
Posts: 23
Hello,

Sorry should've checked back sooner, didn't actually expect anyone else to try it out.

No, using the original line does not work in all cases. It would work (for me) ONLY if I had already imported the offending certificate, in which case my change is irrelevant since there would be no errors in the first place. Since I did not want to force the import of the certificate, particularly for VMs on my LAN, I went this route. I'm sure we can get it to run, I just need to be able to repro the problem here...

Were you running in verbose mode, ef, or anyone else that ran into problems? What was the status message returned?

As for how the reverse proxy is set up:

<my dev machine> | <reverse-proxy apache2 server> | firewall | da weeb

My dev machine is running XAMPP, with the default settings (probably some self-signed SSL as well).
The reverse-proxy apache2 server only serves HTTPS traffic, and I've got a reverse proxy set up to only serve the "add" pages:

[code]
ProxyPass /openaudit/admin_pc_add_1.php https://salma/openaudit/admin_pc_add_1.php
ProxyPass /openaudit/admin_pc_add_2.php https://salma/openaudit/admin_pc_add_2.php
ProxyPass /openaudit/admin_nmap_input.php https://salma/openaudit/admin_nmap_input.php
ProxyHTMLURLMap https://salma/openaudit/ /openaudit/

<Location /openaudit/>
    RequestHeader set Front-End-Https "On"
    # Turn off deflate requests...
    RequestHeader unset Accept-Encoding
</Location>
[/code]

The reverse proxy is very rough, and the add_1.php comes up without images. I don't mind/care, as all my audits have been going through the add_2.php page. It's also a bit "out there", people from NZ could be adding computers to our setup this way, but I'm still in the exploratory phase. Once I've got everything working as I want, I'll dump the MySQL database from my dev box, set up a VM to run OA on, and reload the contents of the MySQL there. I then just update the reverse proxy to point to this new VM, and all my audited PCs are none-the-wiser.

I'll try the current SVN tonight, hopefully, and report back.

Steph.


Posted: Fri Jan 18, 2008 12:24 pm
Newbie

Joined: Wed Jan 02, 2008 12:33 pm
Posts: 23
As I feared, current SVN version does not work with my setup. Not surprising, though :(

Here's what I propose:

audit.config:
[code]
...
printer_detect = "y"
software_audit = "y"
uuid_type = "mac"
UseServerXMLHTTP = "y"
[/code]

audit.vbs:
[code]
Dim sql
Dim comment
Dim net_mac_uuid

Dim UseServerXMLHTTP

'
' (AJH) Moved the file read-write-append constants to here, they were defined much later.
[/code]

[code]
if online = "yesxml" then
    url = non_ie_page

    if UseServerXMLHTTP <> "y" Then
        Set objHTTP = WScript.CreateObject("MSXML2.XMLHTTP")
    Else
        Set objHTTP = WScript.CreateObject("MSXML2.ServerXMLHTTP.3.0")
        objHTTP.SetOption 2, 13056 ' Ignore all SSL errors
    End If

    objHTTP.Open "POST", url, False
[/code]

This of course avoids the problem, but I cannot fix what I cannot reproduce :(. If ef can debug why ServerXMLHTTP doesn't work on his setup it would be even better.

Steph


Posted: Fri Jan 18, 2008 7:59 pm
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
[quote="srouleau"]This of course avoids the problem, but I cannot fix what I cannot reproduce :(. If ef can debug why ServerXMLHTTP doesn't work on his setup it would be even better.[/quote]

Hi Steph,
obviously I use verbose = "y" in audit.config. The issue seems to concern audit.vbs only when run from an XP SP2 box (the Open method of the MSXML2.ServerXMLHTTP.3.0 object returns the following generic description for Err.number -2147221231):
[quote]
ClassFactory cannot supply requested class
[/quote]

Our XP SP2 workstations have IE7, MSXML 6.0 parser, MDAC 2.81.1117.0 and Office 2003 SP2 installed, and all available MS HFs are checked daily. When audit.vbs is run from a 2K3 server, it works fine.
Does anyone else have the same issue with a similar configuration?
Anyway, it could be OK to add the UseServerXMLHTTP option to audit.config.

_________________
Edoardo


Posted: Fri Jan 18, 2008 8:10 pm
Moderator

Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I have no issue with either method, however if we could avoid yet another config entry that would be nice.

If we can't find a one size fits all solution, we could have the script try method 1, and if it fails, method 2, that way we needn't worry about having to add new config lines. Every time I add another config option, it seems to break everybody else's setup, so I am trying to do so sparingly.

If this is not a workable solution, then by all means, add the new config option.

_________________
Andrew

Posted: Sat Jan 19, 2008 12:00 am
Newbie

Joined: Wed Jan 02, 2008 12:33 pm
Posts: 23
ef, can you try using "MSXML2.ServerXMLHTTP.6.0" instead of .3.0?

I'm running this on a XP SP2 w/o XML 6. From what I'd read XML3 was the preferred fallback by MS, since it was installed, and updated, on every Windows box from Win2k SP4 onwards.

I tried last night to do a 'fallback' but I'll admit that my vbscript skills are sorely lacking. Stuff like:

[code]
On Error Resume Next
Dim objHTTP
Set objHTTP = WScript.CreateObject("...)
if objHTTP = Nothing Then
    Set objHTTP = ...
End If
[/code]
And for some reason it would report everything as "Nothing" and nothing would get done. Dunno if you're allowed to do multiple 'Set' in vbscript or not. Someone with more vb-skillz and some time should probably do something like:

MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.3.0
MSXML2.XMLHTTP

in that order; note that the 'setOption' for SSL certificates is only available on the ServerXMLHTTP interface.

Now that I think about it though, perhaps just the CreateObject isn't enough -- we probably need to create the object, if it works attempt to send it, and if that works fallback to the next option.

Steph



Posted: Sat Jan 19, 2008 2:04 am
Open-AudIT Fellow

Joined: Thu May 17, 2007 5:47 pm
Posts: 568
Location: Italy
Steph, tomorrow I will try on the affected systems a de-escalation like this:
[code]
Set objHTTP = WScript.CreateObject("MSXML2.ServerXMLHTTP.6.0")
if IsObject(objHTTP) then
    objHTTP.SetOption 2, 13056 ' Ignore all SSL errors
else
    Set objHTTP = WScript.CreateObject("MSXML2.ServerXMLHTTP.3.0")
    if IsObject(objHTTP) then
        objHTTP.SetOption 2, 13056 ' Ignore all SSL errors
    else
        Set objHTTP = WScript.CreateObject("MSXML2.XMLHTTP")
    end if
end if
[/code]
It should allow all of us to successfully post xml data without new options in audit.config, regardless of what xml parser version is installed.

_________________
Edoardo
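
The fallback order discussed in the last two posts, written so that a component is skipped when creating it, opening the request or sending fails, since the failure reported earlier in the thread came from the Open method. This is an added example, not code from the thread or from audit.vbs: the function name, the placeholder URL and the choice of flag value 256 (tolerate only an untrusted issuer, where the thread used 13056) are assumptions.

```vbscript
Option Explicit

Const CERT_FLAGS_OPTION = 2     ' SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS
Const IGNORE_UNKNOWN_CA = 256   ' assumption: narrower than the thread's 13056

' POST body to url, trying each component in turn. Returns the ProgID that
' completed the request, or "" when all of them failed (hypothetical helper).
Function PostWithFallback(url, body, ByRef httpStatus)
    Dim progIds, i, http, winner
    progIds = Array("MSXML2.ServerXMLHTTP.6.0", _
                    "MSXML2.ServerXMLHTTP.3.0", _
                    "MSXML2.XMLHTTP")
    winner = ""
    httpStatus = 0
    For i = 0 To UBound(progIds)
        Set http = Nothing
        On Error Resume Next
        Err.Clear
        Set http = CreateObject(progIds(i))
        ' setOption exists only on the ServerXMLHTTP interface.
        If Err.Number = 0 And InStr(progIds(i), "ServerXMLHTTP") > 0 Then
            http.SetOption CERT_FLAGS_OPTION, IGNORE_UNKNOWN_CA
        End If
        If Err.Number = 0 Then http.Open "POST", url, False
        If Err.Number = 0 Then
            http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        End If
        If Err.Number = 0 Then http.Send body
        If Err.Number = 0 Then httpStatus = http.status
        If Err.Number = 0 Then winner = progIds(i)
        On Error GoTo 0            ' restore normal error handling
        If winner <> "" Then Exit For
    Next
    PostWithFallback = winner
End Function

' Constructed sample call; the .invalid host never resolves, so every
' component fails and the function reports that nothing was sent.
Dim usedProgId, status
usedProgId = PostWithFallback("https://oa.example.invalid/openaudit/admin_pc_add_2.php", _
                              "add=sample", status)
If usedProgId = "" Then
    WScript.Echo "All methods failed; nothing was submitted"
Else
    WScript.Echo "Sent via " & usedProgId & ", HTTP status " & status
End If
```

The last entry, MSXML2.XMLHTTP, has no certificate option, so it only succeeds against a server whose certificate the client already trusts.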

