Ziti Http Web Game Access after tunnel has been shut off

I have set up an app server that runs a web game to test a use case. The positive use case works: we set up the tunnel with an identity that has access to the game, go through our terminator at 192.168.1.1:8000 (example IP), the game comes up and we are happy. We tried the negative case of going straight to the app at 192.168.1.4:443; this failed as expected.

We tried our last negative case, which was to power off the tunnel and try to access the game through the same port, 192.168.1.1:8000. I would have expected this to fail, but I was able to access the game. I believe this to be a fault in our policy, but I am not quite sure. I would think that if the policy does not match then OpenZiti would block the connection.

On macOS and iOS, there are two processes. One for the UI and another for the tunnel. Quitting the UI app will leave the tunnel running, and you will see a VPN connection in System Settings that you can also use to control the tunnel connection.

Likewise, on Windows there are separate processes for the UI and the tunnel (installed as a Windows Service, I believe).

So - if by “power off the tunnel” you mean shutting down the UI app, the tunnel will still be connected.

The UI app does no work in our environment, so we run the tunnel from the command line; after killing it there is no connection. After a review of our policies we had some settings wrong, but now no connections to our app are allowed.


So this is strange: in my logs it is saying service added and connected, but if I try to connect to the webui of our app, which is just a web page, it is denied.

Can OpenZiti do webui traffic?

OpenZiti is capable of straight UDP/TCP traffic, so can definitely do “web” traffic. If webui (this? https://webui.me/) uses TCP/UDP, I would expect it to work perfectly fine.

It's definitely acting strange. I looked at my terminators tab and there are 2 newly created ones that were generated on their own.

Is there documentation on how to create a service using the ZAC UI? I think somehow we are messing that portion up.

When using the web UI and you make changes, it can add additional terminators. If you delete the service it will delete all the terminators. Then recreate the service and check the bindings, as you will need to reattach the services.

That said, I have not had any issue with the ghost terminators, but that is how I clean them up.

It is a Windows IIS app being served out on port 80, if that helps at all. The tunnel is saying it's connected, but no joy on getting the web page to load.

I have deleted the service and retried making it; it creates a terminator that points to hosted instead of an address.

Can you share screenshots of the configurations that you have? I use the ziti commands from here: Free Secure Access to NAS From Anywhere, and mimic them in the console. Sorry, away from desk at the moment.

I placed them in another posting by mistake: No Access to service - openziti

Are there double dots on the client identities? In the screenshot it is not showing any dots next to the client identities. Just want to confirm.

When you go into the identities screen and open up an identity, you will see a service (space-invaders). When you click on it within a client identity it should say (dial configured correctly). On the server identity it should say Dial configured correctly, or words to that effect. Can you let me know what they say for the client and server identity?

I cannot see in the screenshots an intercept configuration.

The clients say "Dial Configured confirmed" and the servers say "bind configured confirmed".

Could we consider making a new thread asking for generic help on making a service? I also would urge you not to create a terminator of your own and instead rely on the SDKs to do that on your behalf. It's just much easier that way, imo.

Generally the flow goes like this:

  • decide if you're doing application embedded, or not (most people start off with not at this time)
  • create an identity for where you want to offload traffic and run ziti-edge-tunnel there -- or -- deploy an edge-router with tunneling mode enabled wherever you want to offload traffic back to the underlay. Generally, I recommend using a ziti-edge-tunnel for offloading, but it's kind of a 50/50 right now...
  • create an "intercept.v1" configuration, "host.v1" configuration and join them together in a service
  • authorize the dialing (clients/onboard) side by making a dial service policy...
  • authorize the binding (server/offload) side by making a bind service policy...

and you're done. By making a 'bind' policy you'll get those terminators created for you. If anywhere, that's where I think you might have misstepped?
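The five steps above, written out against the `ziti` CLI, as an added example (not code from the thread or from the OpenZiti project). Everything named here is an assumption chosen to match the first post: the backend is 192.168.1.4:443, the service is called `space-invaders`, clients browse to a made-up intercept name `game.ziti` on port 8000, and `ziti edge login` has already been run against the controller. The script does nothing unless invoked with `apply`; set `ZITI=echo` first to see the commands without running them. No terminator is created by hand; it appears when the identity authorized by the Bind policy runs `ziti-edge-tunnel` and binds the service, and goes away when that tunnel stops, which is the negative case the first post was trying to prove.

```shell
#!/usr/bin/env sh
# Added example, not from the thread. Names, addresses and roles are assumptions.
set -eu

ZITI="${ZITI:-ziti}"              # set ZITI=echo to dry-run

SVC="space-invaders"              # service name (assumed)
INTERCEPT_ADDR="game.ziti"        # name clients will browse to (assumed)
INTERCEPT_PORT=8000
HOST_ADDR="192.168.1.4"           # real app server from the first post
HOST_PORT=443

# host.v1: where the binding (offload) side forwards intercepted traffic.
host_config() {
  printf '{"protocol":"tcp","address":"%s","port":%d}' "$HOST_ADDR" "$HOST_PORT"
}

# intercept.v1: what the dialing (client) side captures locally.
intercept_config() {
  printf '{"protocols":["tcp"],"addresses":["%s"],"portRanges":[{"low":%d,"high":%d}]}' \
    "$INTERCEPT_ADDR" "$INTERCEPT_PORT" "$INTERCEPT_PORT"
}

create_all() {
  # Step 2: one identity per side, tagged with a role attribute the policies
  # below refer to. Newer CLIs also accept `ziti edge create identity <name>`
  # without the `device` subcommand.
  "$ZITI" edge create identity device "game-client" -a "game-clients" -o game-client.jwt
  "$ZITI" edge create identity device "game-host"   -a "game-hosts"   -o game-host.jwt

  # Step 3: the two configs, joined together in a service.
  "$ZITI" edge create config "${SVC}-host"      host.v1      "$(host_config)"
  "$ZITI" edge create config "${SVC}-intercept" intercept.v1 "$(intercept_config)"
  "$ZITI" edge create service "$SVC" --configs "${SVC}-host,${SVC}-intercept"

  # Step 4: Dial policy, the only thing that lets a client reach the service.
  "$ZITI" edge create service-policy "${SVC}-dial" Dial \
    --identity-roles "#game-clients" --service-roles "@${SVC}"

  # Step 5: Bind policy. The tunneler holding game-host.jwt creates the
  # terminator for you once this exists; do not add one manually.
  "$ZITI" edge create service-policy "${SVC}-bind" Bind \
    --identity-roles "#game-hosts" --service-roles "@${SVC}"
}

# Check: shows which identities may Dial/Bind the service and whether a
# tunneler is currently bound (a terminator exists) for it.
advise() {
  "$ZITI" edge policy-advisor services "$SVC"
}

# Negative test from the first post: run on a client with the tunnel stopped;
# should print "blocked". Requires curl and the intercept name to resolve.
probe() {
  if curl -s -o /dev/null --max-time 5 "http://${INTERCEPT_ADDR}:${INTERCEPT_PORT}/"; then
    echo "reachable"
  else
    echo "blocked"
  fi
}

if [ "${1:-}" = "apply" ]; then
  create_all
  advise
fi
```

After `create_all`, enroll `game-host.jwt` on the machine next to 192.168.1.4 and `game-client.jwt` on the test client; `advise` should list both identities against the service. Then stop `ziti-edge-tunnel` on the host side and rerun `advise` and `probe`: the terminator listing disappears and the client's browse to the intercept name fails, which is the result the original poster expected.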