I have been meaning to write about SSL-Explorer for ages. This is a really, really useful bit of virtual private network software. It works over standard https, so it doesn’t require any special ports to be configured on firewalls. It works through proxies and network address translation, it works through pretty much any weird and wonderful networking setup you care to mention, and this is how to access Notes servers from anywhere . . .
SSL-Explorer is backed by 3SP. They sell some ‘enterprise’ features, but the core product is Free Open Source Software licensed under the GNU GPL. For our purposes the GPL community edition is just fine. The download link takes you over to SourceForge: if you want to run it on Windows you want this file, and if you want to run it on Linux you want this file. It really doesn’t matter much whether you run it on Windows or Linux; I have installed it on both and there is practically no difference.
Unzip the file and run the installer. After clicking next a few times it will start a web server on port 28080 for you to configure it for the first time. It is quite simple: you just have to follow the instructions to create an administrator account and an SSL certificate. Don’t worry about buying one, it is fine to just create one from scratch. Buying a certificate just means that some trusted third party has validated that you are who you claim to be. All Notes client certifiers are self certified, which is why you get the cross certificate request when encountering a new one.
Once you have answered all the questions it will restart and listen on port 443, which is the https port. Point your browser at https://www.yourserver.com and you should get a certificate warning (basically like a cross certificate request asking you if you trust the certifier), then you will see the login screen.
All being well it should look like this:

Spend a few minutes looking round at the options available to you. Check out the extension store; here you can install some really useful applications, such as a Java VNC client which will deploy from the SSL server and run over the SSL link. There is even a package which integrates the TN5250 applet to get a secure link to an iSeries; you should certainly look closely at that one.

OK, enough of fun and games, you are here for some serious port 1352 action and that is coming right up. On the left navigator choose ‘SSL tunnel’ from the Resources section. Then use the link in the actions box (top right corner of the screen, the box with a red title background) to start the wizard to create a new tunnel.

Bung in a name and description; you might like to add it to favorites at this point. In the screenshots I am setting up a connection to a Domino server hosted by Lotus. It could just as easily be to a Domino server on my intranet, invisible to the outside world, but visible to the SSL-Explorer server.
Moving on to the next step, you will need to put in some more details. Set the source and destination port to 1352, and set the destination host name. This is the host name from the point of view of the server running SSL-Explorer, so an internal IP address starting 10.*.*.* or 192.168.*.* is fine; here I am pointing back from my server out to another box on the internet. Don’t mess with the source interface and don’t be tempted to change the ‘type’ field, which should stay ‘local’.

Onwards to step 3. SSL-Explorer can deal with users sorted into groups with different levels of access to different tunnels, and there is a policy based system to manage all this. It is quite comprehensive, but overkill for my single user system. Just add the tunnel to the ‘Everyone’ policy.

Nearly there now, just a couple of confirmation screens to click through.


So now you should have the tunnel listed in your admin screen.

You can’t use the tunnel from here, you have to first switch over to the user console by clicking on the person icon.

Now you should see an icon for your tunnel, either in favorites or in the SSL tunnels section.

If you click on the tunnel icon a Java applet will start (possibly with another certificate request, and it might ask for details of a proxy server if you have one).
When the tunnel has started you should see the green glow on the three-pronged icon and an information message letting you know the tunnel has started. You will also see a person icon in your system tray.

So now you have a tunnel running, but how to use it? Well, first let me try to describe what is happening. The SSL-Explorer server opens a connection to the destination on port 1352. This is a regular connection, not encrypted (well, it might be if port encryption is turned on, but it isn’t being specifically encrypted by SSL-Explorer). The server then wraps that connection up and serves it out to the SSL-Explorer client applet over a regular https connection. The applet is talking to the server on port 443 regardless of the port you are interested in. Now when the data gets to the applet it starts a local server process listening for connections on port 1352. At the client end localhost or 127.0.0.1 is to all intents and purposes acting exactly like it was the destination server. Now let’s get our Notes client to talk to it.
Open your local name and address book and create a new connection document as shown. Here we are telling our Notes client that the destination server is at address localhost.


Go to File - Database - Open and type in the server name lotus-00. It should connect to localhost and be transparently routed through the tunnel and passed back over the network. The real server replies to the SSL-Explorer server, which encrypts the reply and sends it to the client applet, which re-serves it to the Notes client. Chances are that lotus-00 will respond to you with a cross certificate request and then boot you out pretty quick, but it should be enough to prove that you really have connected to it.
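The route described above (Notes client to a loopback listener, on to the SSL-Explorer server, on to the destination, and back the same way) can be reproduced on one machine. This is an added example, not part of the original post and not SSL-Explorer code; it assumes plain TCP in place of the https leg and ephemeral ports in place of 1352 and 443, and every function name is hypothetical.

```python
import socket
import threading

def listen():
    """Loopback-only listener on an ephemeral port (the page's tunnel uses 1352)."""
    return socket.create_server(("127.0.0.1", 0))

def serve_once(listener, handler):
    """Accept a single connection in a background thread and hand it to handler."""
    def run():
        conn, _ = listener.accept()
        with conn:
            handler(conn)
    threading.Thread(target=run, daemon=True).start()

def pump(src, dst):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst."""
    while data := src.recv(4096):
        dst.sendall(data)
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already closed its side

def forward(conn, target):
    """Relay one accepted connection to target in both directions."""
    with socket.create_connection(target) as upstream:
        back = threading.Thread(target=pump, args=(upstream, conn), daemon=True)
        back.start()
        pump(conn, upstream)
        back.join()

def demo(request=b"hello"):
    # Constructed stand-in for the destination (Domino) server: tags what it received.
    dest = listen()
    serve_once(dest, lambda c: c.sendall(b"dest saw: " + c.recv(4096)))
    # Hop playing the SSL-Explorer server: opens the onward connection to the destination.
    server = listen()
    serve_once(server, lambda c: forward(c, dest.getsockname()))
    # Hop playing the client applet: the local listener the Notes client connects to.
    local = listen()
    serve_once(local, lambda c: forward(c, server.getsockname()))
    with socket.create_connection(local.getsockname()) as client:
        client.sendall(request)
        client.shutdown(socket.SHUT_WR)
        reply = b"".join(iter(lambda: client.recv(4096), b""))
    return reply, local.getsockname()[0]

if __name__ == "__main__":
    print(demo())
```

The client only ever addresses 127.0.0.1, yet the reply comes from the far end of the chain. The second return value is the address the local hop is bound to, which is what decides whether other machines on the client's network could reach the listener.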
If you want to try it out without going through the install process you can have a go with my server. I set up an account for you, username “lotusguest” password “lotusguest”, just go to https://www.dominux.co.uk to log in. You can’t do any damage there, all you can do is connect a tunnel to lotus-00 on port 1352, and all the normal Notes security still applies. You will find it a bit slower than connecting directly to the server on 1352, but then your connection is being encrypted, passed from wherever you are to my server in the UK (through my ADSL line), decrypted, and passed over to Lotus-00 in America, which then replies; this is then passed back to me (ADSL again), encrypted, and sent back to you. Pretty convoluted, but it works from anywhere.
Give me a shout if there are any other interesting public servers you would like to get to from inside a firewall that doesn’t allow 1352 outbound and I will set up a tunnel.