Vladimir
Champion

ICA portal in R80.10

Apparently, there is a built-in ICA portal in R80.10, but I am having trouble making it work.

According to documentation:

To enable the ICA Management tool: 

[Expert@HostName]# cpca_client [-d] set_mgmt_tool on [-a "administrator DN" | -u "user DN"] 

where:

  • -d - (optional) enables debug for this operation (output is printed on the terminal)
  • on - sets the status of the ICA Management Tool 
  • -a "administrator DN" | -u "user DN" - (optional) sets the DN of the authorized administrator ('-a' flag) or DN of the authorized user ('-u' flag) permitted to use the ICA Management tool (must specify the full DN as appears in SmartDashboard in administrator/user properties - on 'Certificates' pane - in the 'DN:' field)

Note: Having port 18265 open is not a vulnerability. The Management Tool Portal is secured and protected by SSL. In addition, only authorized administrators are allowed to access it using a certificate.

But I do not see the 'Certificates' pane, neither in SmartConsole (where I can issue a cert for the user, but it does not contain the DN):

Nor in SmartDashboard, where admins are not shown at all:

If someone was able to successfully do this, please chime in with pointers.

Thank you,

Vladimir

7 Replies
PhoneBoy
Admin

The certificates are managed on the user/admin record shown in your screenshot (i.e. there is no unique place to do so).

The DN for the user in your screenshot is "CN=icadmin,OU=users,O=SMSR8010..bhska4"

Since this is an admin user, you would issue the following on your management:

cpca_client set_mgmt_tool on -a "CN=icadmin,OU=users,O=SMSR8010..bhska4"

Access the URL https://mgmt-ip:18265

Assuming you have the certificate imported into your browser's certificate store, you should get something that looks like this:

Otherwise you will get an error message when you attempt to access the site.

Hope this helps.

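An added sanity check for the step above (example code written for this page, not from the thread and not Check Point's own tooling): before handing `cpca_client set_mgmt_tool on -a "..."` a DN that was typed by hand, compare it byte-for-byte with what `cpca_client set_mgmt_tool print` reports, because the portal matches the certificate subject literally. The `print` output embedded below is constructed from the outputs posted later in this thread; the DNs are the ones that appear on the page and `cpca_client` itself is only referenced in comments, so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point: check the DN
# you intend to authorize against the DNs the server actually lists.
# On a real management server replace the constructed sample with:
#   OUT=$(cpca_client set_mgmt_tool print)

# Constructed sample of `cpca_client set_mgmt_tool print` output.
SAMPLE_PRINT='Management tool is ON.
Using SSL.
The authorized administrators:
(
: ("CN=icadmin1,OU=users,O=SMS8010..bhska4")
)
The authorized users:
()
The authorized custom users:
()'

# Print every DN listed in the `print` output (admins and users), one per line.
extract_dns() {
    printf '%s\n' "$1" | sed -n 's/^: *("\(.*\)")$/\1/p'
}

# Status helpers: return 0 when the tool is on / when SSL is in use.
mgmt_tool_on()  { printf '%s\n' "$1" | grep -Fxq 'Management tool is ON.'; }
mgmt_tool_ssl() { printf '%s\n' "$1" | grep -Fxq 'Using SSL.'; }

# Value of one RDN (CN, OU or O) in a DN; empty when the RDN is absent.
dn_component() {
    printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Return 0 if the DN is authorized byte-for-byte, else 1. The match is exact
# on purpose: "icadmin" vs "icadmin1" or "SMS8010" vs "SMSR8010" is a
# different certificate subject as far as the portal is concerned.
dn_authorized() {
    extract_dns "$2" | grep -Fxq -- "$1"
}

# On a mismatch, name the RDNs that differ from each authorized DN so a
# one-character typo stands out instead of a silent "not authorized".
explain_mismatch() {
    want="$1"
    extract_dns "$2" | while IFS= read -r have; do
        for rdn in CN OU O; do
            w=$(dn_component "$rdn" "$want")
            h=$(dn_component "$rdn" "$have")
            [ "$w" = "$h" ] || printf '%s differs: requested "%s", authorized "%s"\n' "$rdn" "$w" "$h"
        done
    done
}

# Demo: first the DN as it was read off the screenshot, then the DN the
# server really lists in the constructed sample.
for dn in 'CN=icadmin,OU=users,O=SMSR8010..bhska4' 'CN=icadmin1,OU=users,O=SMS8010..bhska4'; do
    if dn_authorized "$dn" "$SAMPLE_PRINT"; then
        echo "OK: $dn is authorized"
    else
        echo "NOT authorized: $dn"
        explain_mismatch "$dn" "$SAMPLE_PRINT"
    fi
done
```

If `mgmt_tool_on` succeeds, the DN check passes and the browser still gets "not authorized", the problem is on the client side (which certificate the browser presents), not in the `-a` argument.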
Vladimir
Champion

My bad: missed the "R" in the SMSR8010.

Unfortunately, you can't copy the string from the cert properties in SmartConsole.

I'll keep trying...

PhoneBoy
Admin

Maybe we should add a “copy to clipboard” button there.

RFE, Tomer Sole?

Vladimir
Champion

Well, no dice so far:

[Expert@SMS8010:0]# cpca_client set_mgmt_tool print
Management tool is ON.
Using SSL.
The authorized administrators:
(
: ("CN=icadmin1,OU=users,O=SMS8010..bhska4")
)
The authorized users:
()
The authorized custom users:
()
[Expert@SMS8010:0]#

and cannot connect to 18265:

While nmap shows port as open:

PhoneBoy
Admin

I'm guessing the issue is with Client Authentication with certificates.

It's not something that's used very often, and it seems browsers don't handle this very well. 

Perhaps this would be confirmed with Wireshark/tcpdump.

In any case, it worked for me from the Brave browser on the Mac, simply double-clicking the .p12 file and importing the certificate.

When I went to the site, it worked first time.

I also tried Chrome on Windows, but got an error that I was not authorized.

I ended up having to delete and reimport the certificate from the "Manage User Certificates" program in Windows 10.

Had to make sure "Client Authentication" was enabled.

I also had to restart Chrome, but then I was prompted to choose which certificate to provide for authentication when visiting the site.

Vladimir
Champion

...I am getting ready to invest in a punching bag:

With SSL off, I have no problem connecting to ICA WebUI and am seeing the interface you have shown in the example above.

With SSL on, no dice in any of these browsers: IE11, Firefox, Chrome, Opera on Win 10 pro:

[Expert@SMS8010:0]# cpca_client set_mgmt_tool print
Management tool is ON.
Using SSL.
The authorized administrators:
(
: ("CN=icadmin1,OU=users,O=SMS8010..bhska4")
)
The authorized users:
()
The authorized custom users:
()
[Expert@SMS8010:0]#

Packet capture is not very informative, or I am not seeing something (see attached tcpdump from SMS and pcap from client).

The server is not responding to the initial client's TLS hello:

Is there a way to run a self-diagnostics on ICA?

PhoneBoy
Admin

This is pointing to an issue with the SSL negotiation.

You can try the debugging steps for the CPCA process here: R80.x Security Management server main processes debugging 

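A closing diagnostic, added for this page and not part of the thread or of Check Point's tooling, that serves two points raised above: PhoneBoy's note that the certificate had to have "Client Authentication" enabled before Chrome would present it, and Vladimir's capture showing the server not answering the client's TLS hello. Instead of guessing from a browser error, it drives the handshake from `openssl s_client` with the admin certificate and sorts the outcome into a few buckets. It assumes the admin certificate was exported from SmartConsole as `icadmin.p12`, that the ICA's CA certificate is at hand as `ica_ca.pem`, and that the management address is in `ICA_HOST`; those names, and the abridged `openssl s_client` and `openssl x509 -text` transcripts used for the demo, are constructed, not taken from the page. Needs `openssl` and coreutils `timeout` for the live probe; the classification and EKU helpers run offline.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from Check Point.
# Assumed file names (not on the page): icadmin.p12, client.pem, client.key, ica_ca.pem.
ICA_PORT=18265

# 1. Unpack the .p12 into the PEM pieces s_client wants.  Usage: split_p12 icadmin.p12 'p12-password'
split_p12() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" -out client.pem
    openssl pkcs12 -in "$1" -nocerts -nodes  -passin "pass:$2" -out client.key
}

# 2. Does the certificate allow client authentication?  Takes `openssl x509 -text`
#    output.  A cert with no EKU extension at all is unrestricted and also usable;
#    only an EKU that omits "TLS Web Client Authentication" rules it out.  This is
#    the same property the Windows "Client Authentication" purpose toggle controls.
eku_allows_client_auth() {
    if printf '%s\n' "$1" | grep -Fq 'X509v3 Extended Key Usage'; then
        printf '%s\n' "$1" | grep -Fq 'TLS Web Client Authentication'
    else
        return 0
    fi
}
cert_allows_client_auth() {        # cert_allows_client_auth client.pem
    eku_allows_client_auth "$(openssl x509 -in "$1" -noout -text)"
}

# 3. Handshake probe bounded by a timeout, so a server that never sends a
#    ServerHello (the symptom in the capture above) ends as exit 124 with no
#    handshake summary instead of hanging.  Usage: probe_ica mgmt-ip
probe_ica() {
    timeout 10 openssl s_client -connect "$1:$ICA_PORT" \
        -cert client.pem -key client.key -CAfile ica_ca.pem </dev/null 2>&1
}

has_line() { printf '%s\n' "$2" | grep -Fq -- "$1"; }

# 4. Reduce s_client output to one diagnosis.  Order matters: s_client prints
#    its "No client certificate CA names sent" / "SSL handshake has read" summary
#    even after a failed handshake, so alerts are tested before the summary.
#    Heuristic on OpenSSL's wording; a TLS 1.3 server that requests a cert with an
#    empty CA list also lands in server-did-not-request-cert.
classify_handshake() {
    if ! has_line 'CONNECTED(' "$1"; then
        echo tcp-connect-failed
    elif has_line 'alert handshake failure' "$1" \
      || has_line 'alert bad certificate' "$1" \
      || has_line 'alert unknown ca' "$1"; then
        echo client-cert-rejected
    elif ! has_line 'SSL handshake has read' "$1"; then
        echo no-server-hello
    elif has_line 'No client certificate CA names sent' "$1"; then
        echo server-did-not-request-cert
    elif ! has_line 'Verify return code: 0 (ok)' "$1"; then
        echo server-cert-untrusted
    else
        echo mutual-tls-ok
    fi
}

# Constructed, abridged s_client transcripts for the demo (real OpenSSL wording).
SAMPLE_OK='CONNECTED(00000003)
---
Acceptable client certificate CA names
O = SMS8010..bhska4
---
SSL handshake has read 2419 bytes and written 2013 bytes
---
Verify return code: 0 (ok)'
SAMPLE_REJECTED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 301 bytes'
SAMPLE_SILENT='CONNECTED(00000003)'    # timeout fired before any ServerHello

# Constructed fragments of `openssl x509 -text` output.
SAMPLE_X509_CLIENT='            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection'
SAMPLE_X509_SERVERONLY='            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_X509_NOEKU='            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

for s in "$SAMPLE_OK" "$SAMPLE_REJECTED" "$SAMPLE_SILENT"; do
    echo "sample -> $(classify_handshake "$s")"
done
# Live run only when the caller points at a management server.
if [ -n "${ICA_HOST:-}" ]; then
    echo "$ICA_HOST:$ICA_PORT -> $(classify_handshake "$(probe_ica "$ICA_HOST")")"
fi
```

Read the result against the thread: `client-cert-rejected` means the server answered and did not like the certificate (wrong DN, wrong EKU, or a cert not issued by this ICA); `no-server-hello` reproduces the capture described above and points at the server side, where a `tcpdump -nni any port 18265` on the SMS alongside the CPCA debugging PhoneBoy links to is the next step; `mutual-tls-ok` from `openssl` while the browser still fails narrows it to the browser's certificate store.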
