
Pre-Amble:


I've worked with Nick for a few years and played with the WiKID Auth two-factor system for a while. I really wanted to get it working on my own network again. Unfortunately, I only have one IP address and a few sites that run on port 80, and of course the WiKID clients all use port 80 as well (don't assume this is bad!).

What is Wikid Auth:


The WiKID Strong Authentication System is a patented dual-source, software-based two-factor authentication system designed to be less expensive and more extensible than hardware tokens.

What Is MikroTik RouterBoard:

Mikrotik develops high performance routers and wireless ISP systems, providing both hardware and software for most countries around the world.

Steps:


Previously, I had already set up my routerboard to act as a reverse proxy. You can follow these instructions to get that working: http://wiki.mikrotik.com/wiki/Multiple_Web_Servers

From here I needed to redirect the WiKID authentication requests to my new server.

Originally, I attempted to use the normal domain setup, entering the external IP address that the clients would use. This failed to work with the reverse proxy, since the proxy then has no domain name to look up in the local DNS.

Fortunately, WiKID provides (for enterprise licences) a domain key server using [custom domain].wikidsystems.net. That custom key is entered into the client and is mapped via DNS to the IP address as required. The same domain is used in the client's HTTP Host header for the web request, so the reverse proxy in the routerboard router now has a host name to match on.

Step 1 - Request your custom domain key from the WiKID staff (you should already be an enterprise customer): http://www.wikidsystems.com/company/company/contact-us

Step 2 - Ensure your reverse proxy is configured (see the link above).

Step 3 - Because the client caches the IP address, if you move between internal DNS and external DNS a lot, you need to make sure the routerboard itself doesn't accept the incoming port 80 request (firewall rule). I don't use the web console, and I have a default deny-all rule, so this is covered by that. YMMV.

Step 4 - Set the proxy to allow connections to the Domain Key address assigned by the WiKID team. We're adding a path of "/wikid/*" so that only the client communications are accepted.

/ip proxy access
add action=allow disabled=no dst-host=[Domain Key].wikidsystems.net dst-port=80 path=/wikid/*

Step 5 - Make an internal DNS record for the Domain Key address that points to your internal WiKID server IP address.

/ip dns static
add address=[Internal IP] disabled=no name=[Domain Key].wikidsystems.net ttl=1d

Step 6 - Enjoy.

You'll probably hit some gotchas if you use your routerboard as the DNS server for your network, especially if the WiKID client caches the internal IP address and then moves to an external network.
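As an added check for Steps 4 and 5 (example code written for this post, not part of WiKID or RouterOS), the following Python script parses a RouterOS export and flags proxy access rules for the domain-key host that are not limited to /wikid/*, along with any static DNS record for that host that does not point to a private address. The export text and the EXAMPLEKEY domain key are constructed placeholders.

```python
import ipaddress
import shlex

# Constructed sample of a RouterOS export (not from a real router); the
# domain key and server address are placeholders for this example.
SAMPLE_EXPORT = """\
/ip proxy access
add action=allow disabled=no dst-host=EXAMPLEKEY.wikidsystems.net dst-port=80 path=/wikid/*
add action=allow disabled=no dst-host=EXAMPLEKEY.wikidsystems.net dst-port=80
/ip dns static
add address=192.168.0.2 disabled=no name=EXAMPLEKEY.wikidsystems.net ttl=1d
"""

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add ...' lines of a RouterOS export."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # shlex handles RouterOS quoted values such as comment="..."
            fields = dict(tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            sections[current].append(fields)
    return sections

def audit(text, domain_key):
    """Flag proxy/DNS entries that do not match the setup described in the post."""
    host = f"{domain_key}.wikidsystems.net"
    cfg = parse_export(text)
    findings = []
    for rule in cfg.get("/ip proxy access", []):
        if rule.get("action") != "allow" or rule.get("disabled") == "yes":
            continue  # only enabled allow rules widen what the proxy forwards
        if rule.get("dst-host") != host:
            findings.append(f"allow rule not restricted to {host} (dst-host={rule.get('dst-host')!r})")
        elif rule.get("path") != "/wikid/*":
            findings.append(f"allow rule for {host} is not limited to /wikid/* (path={rule.get('path')!r})")
    dns = [r for r in cfg.get("/ip dns static", []) if r.get("name") == host]
    if not dns:
        findings.append(f"no static DNS record for {host}")
    for r in dns:
        if not ipaddress.ip_address(r["address"]).is_private:
            findings.append(f"static DNS for {host} points to non-private {r['address']}")
    return findings
```

Run `audit(SAMPLE_EXPORT, "EXAMPLEKEY")` against the text of `/export` from your own router, substituting your domain key.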



Comments

0 #1 Ivo 2012-05-25 16:34
It was very useful for me. Only I had to add one more NAT rule to the setup from the first link, where the proxy setting is described. The second NAT rule was for traffic from the local network, so I can load the page from inside the local network.

Imagine that you have only one public IP address, i.e. xxx.xxx.xxx.xxx, but want to host 3 web servers:
.0.2
.0.3
.0.4

1. Configure your web proxy
/ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080 hostname="your.proxy" transparent-proxy=yes parent-proxy=0.0.0.0:0 cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited
/ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" disabled=no
add dst-port=80 action=allow comment="Enable Http Connection" disabled=no
2. Configure static DNS so the domains resolve to the internal IPs
/ip dns static add name=123.com address=192.168.0.2
/ip dns static add name=abc.com address=192.168.0.3
/ip dns static add name=456.com address=192.168.0.4
/ip dns static add name=www.123.com address=192.168.0.2
/ip dns static add name=www.abc.com address=192.168.0.3
/ip dns static add name=www.456.com address=192.168.0.4
3. Configure NAT to redirect traffic to the web proxy
/ip firewall nat
add chain=dstnat in-interface=outside dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no
add chain=dstnat in-interface=inside dst-address=xxx.xxx.xxx.xxx protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="" disabled=no