Hello, I am new to using OpenZiti, so I'm still getting used to it.
Currently, I have installed OpenZiti and have a Web App on Azure. I have blocked all traffic and opened only one flow to connect to the Web App from a virtual machine with OpenZiti installed. I tried to create a Service in the Ziti Admin Console, but it's not working yet.
Here is my `host.v1` configuration:

```json
{
  "name": "test-connect1-host-config",
  "configTypeId": "NH5p4FpGR",
  "data": {
    "address": "127.0.0.1",
    "forwardProtocol": true,
    "forwardPort": true,
    "allowedPortRanges": [
      {
        "high": 443,
        "low": 443
      }
    ],
    "allowedProtocols": [
      "tcp"
    ],
    "httpChecks": [],
    "portChecks": []
  },
  "tags": {}
}
```
And here is the `intercept.v1` configuration:

```json
{
  "name": "test-connect1-intercept-config",
  "configTypeId": "g7cIWbcGg",
  "data": {
    "portRanges": [
      {
        "high": 443,
        "low": 443
      }
    ],
    "addresses": [
      "https://caoduyet-webapp-cdbngebqfadmcdc7.z01.azurefd.net/"
    ],
    "protocols": [
      "tcp"
    ]
  },
  "tags": {}
}
```
Please help me fix it.
Hi @TranDung2ka1, welcome to the community and to OpenZiti (and zrok and browzer)!
NICE
What isn't working? The configs look ok to me on first inspection. What client are you using to try to connect with? Is it a tunneler or SDK? What about on the remote side?
First thing I always do is look at the client logs - they usually have a good pointer to help figure it out. Can you look at those logs and see if there are any logs that seem useful and share the log messages here?
On the client machine, I used Ziti Desktop Edge to add identities, and I took the URL in there to access it in Chrome. I don't know if I used the correct URL or not. I blocked access to this URL from other machines and opened it for the machine with OpenZiti installed.
On the UI if you go to Main Menu -> Advanced Settings -> Service Logs a text document should open that has logs of that tunneler (or open `C:\Program Files (x86)\NetFoundry Inc\Ziti Desktop Edge\logs\service\ziti-tunneler.log`).
Look through that log for ERROR lines that might be useful to diagnose the issue. That is the proper url to put into the intercept as long as that url doesn't map to your controller or your router. If your router or controller is known by the same domain name exactly -- the tunneler can't intercept the same IP or FQDN of controllers/routers.
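
The overlap mentioned in the last reply can be checked offline before editing the service. The following is an added example, not code from the thread or from the OpenZiti project: it compares the `addresses` of an `intercept.v1` config against a list of controller and router addresses. All hostnames and IPs are constructed placeholders, and it assumes intercept entries may also be wildcard domains or CIDR ranges.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the intercept.v1 "data" shape from the thread,
# filled with placeholder addresses.
INTERCEPT = json.loads("""
{"data": {"addresses": ["https://webapp.example.net/",
                        "*.corp.example.net", "10.0.0.0/24"],
          "portRanges": [{"low": 443, "high": 443}],
          "protocols": ["tcp"]}}
""")

# Assumed controller / edge router addresses (placeholders).
INFRA = ["ctrl.example.net", "router1.corp.example.net", "10.0.0.5"]

def host_of(entry):
    # Reduce an entry to a bare lowercase host, IP or CIDR string.
    entry = entry.strip().lower()
    if "://" in entry:
        entry = urlsplit(entry).hostname or ""
    return entry.rstrip(".")

def as_network(value):
    # Return an ip_network for IPs/CIDRs, or None for DNS names.
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None

def collides(intercept, infra):
    a, b = host_of(intercept), host_of(infra)
    net_a, net_b = as_network(a), as_network(b)
    if net_a and net_b:
        return net_a.version == net_b.version and net_a.overlaps(net_b)
    if net_a or net_b:
        return False  # name vs. IP would need DNS resolution; not done here
    if a.startswith("*."):
        return b.endswith(a[1:])  # wildcard covers any subdomain
    return a == b

def find_collisions(config, infra_hosts):
    return [(addr, infra) for addr in config["data"]["addresses"]
            for infra in infra_hosts if collides(addr, infra)]

if __name__ == "__main__":
    for addr, infra in find_collisions(INTERCEPT, INFRA):
        print(f"intercept {addr!r} overlaps controller/router {infra!r}")
```

An empty result means no name or IP overlap was found in the listed addresses; a name that resolves to a controller or router IP is not detected by this check.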