About
Adito is an open-source, browser-based SSL VPN solution. It’s a remote access solution that provides users and businesses alike with a means of securely accessing network resources from outside the network perimeter using only a standard web browser.
Background
This is the open-source clone of SSL-Explorer after it went biz-o-matic.
Windows installer
My contribution to this project is a Windows installer; check it out here.
What’s the buzz about?
Pictures say more than words, so please take a look at the picture series with descriptions below.
You are first presented with a login window:
After successfully logging in you are at the main window.
Usually the SSL Tunnel is what is commonly used. This technique opens a port locally and forwards it through the server to your destination.
In this example we create a port forward that listens locally on port 4040 and sends requests to google.com on port 80 (the default www port).
After the creation we start the Agent. This is the software you run at the remote location, straight from the browser. Since it uses standard Java, you will have access almost everywhere.
My rule is: if you can connect to your bank, you can use Adito.
Once it has launched, you get a new little man-like icon in your system tray.
By right-clicking on the agent you will find the items you have configured on the server. In our case the tunnel “Test” is available.
When the tunnel is activated, the agent notifies you and we are ready to use it.
Now for some magic
Connect to google through your server
As you can see, this is pretty easy to use and manage. A great product!
Please support these guys and donate!
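The tunnel described above (a local port, 4040 in the post, forwarded to a destination on port 80) behaves like the plain TCP relay below. This is an added example, not Adito's code: it shows only the local-listener half without the SSL hop through the server, and `start_forward`, `demo` and the stub destination are names constructed for illustration. The listener binds to loopback so that only the local machine can use the forward.

```python
import contextlib
import socket
import threading

LOOPBACK = "127.0.0.1"  # bind here only, so other hosts on the LAN cannot use the forward


def _pump(src, dst):
    """Copy src to dst until src closes, then half-close dst."""
    with contextlib.suppress(OSError):  # peer reset or already-closed socket
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def _relay(client, dest):
    """Connect to the one configured destination and copy data both ways."""
    try:
        upstream = socket.create_connection(dest, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    with client, upstream:
        back = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        back.start()
        _pump(upstream, client)
        back.join()


def start_forward(local_port, dest_host, dest_port):
    """Listen on loopback:local_port and relay to dest; close the returned socket to stop."""
    listener = socket.create_server((LOOPBACK, local_port))
    listener.settimeout(0.2)  # wake up regularly so the loop notices close()

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except socket.timeout:
                continue
            except OSError:
                return  # listener was closed
            threading.Thread(target=_relay, args=(client, (dest_host, dest_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def demo(local_port=0):
    """Constructed offline run: a stub destination stands in for google.com:80."""
    stub = socket.create_server((LOOPBACK, 0))

    def serve_once():
        conn, _ = stub.accept()
        with conn:
            first_line = conn.recv(4096).split(b"\r\n")[0]
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nstub saw: " + first_line)

    threading.Thread(target=serve_once, daemon=True).start()
    listener = start_forward(local_port, LOOPBACK, stub.getsockname()[1])
    addr = listener.getsockname()
    with socket.create_connection(addr, timeout=5) as c:
        c.sendall(b"GET / HTTP/1.0\r\nHost: example\r\n\r\n")
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    listener.close()
    return addr[0], reply


if __name__ == "__main__":
    print(demo(4040))  # 4040 is the local port used in the post's example
```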

Hello
Starting Adito service using wrapper
El servicio de Adito está iniciándose…
El servicio de Adito no ha podido iniciarse.
Error de sistema.
Error de sistema 1067.
El proceso ha terminado de forma inesperada.
Presione una tecla para continuar . . .
My Spanish does not really exist.
But I guess the Adito-service using the Wrapper did not work for you.
Try using it without the wrapper and see if it works. If so, write me the java-version and paste the wrapper.log file
What’s the difference from the other feature called Web Forwards?
What should the destination host be if I want to pass all of my web traffic through the SSL tunnel not just one particular website like google.com?
Or should I use some other feature of Adito like Web Forward? Reverse Proxy?
Thanks!
Don
Earlier I used a SOCKS proxy on the Agent, running on the client machine. But the plugin is unsupported and does not work any more.
My temporary solution is to create an Application using putty-application and create SOCKS on the client. The connection goes like this: Web browser w/SOCKS -> Putty -> Adito-Client <-> SSH-Server <-> Internet.
If you are running Windows you could use the CopSSH-server (great package): http://www.itefix.no/i2/copssh
In linux you have to google it
The cool thing with Adito is that you don’t need to show the SSH-server to the world. That would be considered safe since the Adito doesn’t have any known security-breaches so far…
I installed Putty as an application in Adito. I can connect with Putty inside Adito to my OpenSSH server on my desktop machine…I get a DOS prompt. I then set my proxy settings in Firefox to Socks5 with 127.0.0.1 using port 7070. Then trying to surf the web with this setup. I get no connection to any website using this proxy on Firefox.
I have set the SSH/tunnel option in Putty to dynamic port 7070 (D7070) with auto set and Dynamic. I am clearly missing a piece of this puzzle to tunnel my web traffic over an SSH connection using Putty. Any ideas on what I am missing?
Thanks!
Don Screen:
Make sure that the ssh-config has ForwardAgent=yes (default is no). Then it will start resolving & forwarding.
The putty-setup can be copied off this guide: http://securitymusings.com/article/462/how-to-set-up-a-socks-proxy-using-putty-ssh
I also made a SOCKS-setup for a friend that didn’t want the CopSSH package installed on his server. The simple solution was Sockspuppet: http://socks.pendulus.net/
Just forward all traffic to the Sockspuppet-port and it will simply work. By blocking incoming connections from others (through sw/hw-firewall) or a user&pass setup you’ll be safe that no one else sees the socks server.
It was simple, and gets the job done. Best of all it works as a service
Thank you! I found the problem. I am using FreeSSHd and did not have the Tunnel option set to Allow Local Port Forwarding.
Adito now gets the job done without having to open another port on my router.
I would like to get TightVNC working via Adito. Not sure how to run the viewer from Adito….
Finally got the hang of Putty with the different settings available.
Don
PS. I really appreciate the time you took to get the answer to me. I spent a week with Adito figuring there had to be a way to tunnel all of my web traffic. Your solution was perfect!
Don Screen:
Glad to help
To setup VNC (In this case UltraVNC viewer) download & install this extension: http://lars.werner.no/adito-application-ultravnc.zip
All the parameters etc. should be pretty much the same IF you absolutely have to use TightVNC. Change the extension.xml to fit your needs.
I prefer UltraVNC because they have integrated the fullscreen-tool-bar-thingy that I made some years ago: http://lars.werner.no/?page_id=16
With the screen-hook-thingy the polling is just as quick as M$ Remote Desktop (as I usually prefer). That extension can be downloaded here: http://lars.werner.no/adito-application-advancednativerdpwin32.zip (if you make that a go, Remote desktop is enabled with just a hookoff in the System-tab)
I installed the UltraVNC server on the desktop…and installed the UltraVNC extension into Adito as an application. When I click on it…it says “Application UltraVNC” launched but nothing else happens. No viewer…no login box. How do I get the viewer to run inside Adito?
The viewer does work and connects outside of Adito if I open port 5900 on my router.
Don
It looks like the extension file for just the UltraVNC viewer is not uploading to Adito.
I tried it several times ..using the upload..XML file…
It does not show up in installed applications in Adito.
Don
You are using the (Configuration) Extension Manager -> (Actions) Upload Extension , right?
Adito manages the whole *.zip file, not just the XML. Download and save adito-application-ultravnc.zip, then upload the zip-file.
Edit:
UltraVNC server goes on the machine that Adito is running on, so you don’t need to forward anything.
That way you can contact that machine remotely.
If you are using linux a repack of the zip might be needed… Not so linux-clever yet
Yep..finally read page 126 of the manual! The whole zip file..not just the XML file like I was trying to do… DOH!!!
Thanks again…for solving both of my issues with Adito!
Don
You only change the XML-file inside the zip-file if there are fields / parameters that are wrong for the app you want to run.
If you have other programs you can create your own packages… I have modified a Firefox-portable to work with Adito. That way if a public / work computer doesn’t have Firefox I can download it through Adito with my socks settings & extensions installed.
I got the UltraVNC viewer working in Adito! One thing I had to change was the setting on the UltraVNC Server Property Page. I had to check the box to Allow Local Loopback Connections.
Not sure I want to tackle creating my own package for an Adito application install.
I used your Adito Installer recommended by Darren Kitchen at Hak5.
Thanks again,
Don
PS. Merry Christmas….
Great Don, glad it worked!
I didn’t know that Hak5 made a reference to this, that is pretty cool
I’ll put up the show on a post here too, that way people can see it in action.
Edit:
Merry Christmas to all
I have installed Adito on an XP machine and am able to run services like VNC and web forwarding. When I set up network places I am able to access the shared drive and see the doc. But when I try opening the doc, I get an error 500 from the server. Any suggestions as to what I have missed?
Thanks in advance
P.S – I’m using FreeNAS
Hello,
Great product thx.
But I’ve a little problem. I must install Adito in a DMZ but the internet access is not allowed from my Adito server.
How can I install Adito Extensions without online connection to the Extension Store ?
Thanks
Vince:
You don’t need to DMZ the Adito installation. Forward the port 443 to your Adito machine (based on default installation) and you’re good to go.
The Adito Extension doesn’t require online access.
On the right side in the “Actions” window you have an “Upload Extension” function; upload the zipped package. (Do not extract!)
Hello Large,
How do I create my own extension package? Lets say I want to use a program like dameware, can I create an extension for it?
Thanks
GConcepts:
First check if the software can run as a portable application. If so check out the existing package, WinUtil: http://lars.werner.no/WinUtil.zip
The XML-file shows how you can create your own simple applications. There are other extensions that you can look at here: http://lars.werner.no/?p=190
hello Large,
Thanks for your swift response. So i have a portable application like Clamwin Virus scanner. How do I install that into Adito. Also, how do i use the winutil you provided? sorry i’m a noob at this.
thanks
Also Large,
How do I configure Adito to require clients to have a certain kind of USB token before accepting connections. That is a user must have some kind of security token on a USB stick besides regular password authentication.
thanks
Gconcepts:
After you install the extension it becomes available as an application to deploy to users. The WinUtil app was made as an example of how you can manage the XML-file. You have to do XML editing and some testing to make the extension work as you like.
As for the USB-token thingy you are speaking of, it is unknown to me. But the SSL Explorer Enterprise had a one-time-code by SMS (cellphone) system. That worked quite well. Since Open VPN ALS is based on SSL Explorer community edition, none of these features are present.
You can turn on the 5 questions after password was written as an extra “security”.
Lars,
Do you have or can you make an installer that has a version of openvpn-als compiled with agent timeout bug fix (the one in src\com\adito\properties\forms\AbstractPropertiesForm.java)?
Brian:
Sorry no, I don’t have time to mess with Java these days. So I’ve made the installer scripts public to everyone. If someone picks up the ball and creates a build of the svn-release the timeout bug will be fixed.
Meanwhile you can reinstall to reset it (without generating new certs etc.).
Anyone know if there is a 64bit Adito Agent available anywhere?
Hi,
Is there a full SSL-VPN extension like a network connector or agent that provides connected users full access to the LAN? Or how do I configure a full tunnel, not a single port to port?
2nd: On SSL-Explorer there was a Network Map Drive extension (when a user logs in, a network drive is automatically mapped, like X:, that points to an internal server share). Does somebody know if it’s still out there somewhere?
Sadly,
it looks as though this great piece of software is gonna slowly be laid to rest. openvpn have made no attempt to bring the project forward and have decided to concentrate on their openvpn access server (which involves an openvpn client being installed from a web portal).
I will cling onto adito (nee sslexplorer) for as long as i can as it’s got me out of a mess on many occasions and has gone through every corporate firewall i have tried and didn’t upset any installation policies.
i do hope that somebody takes this great piece of software on and brings it more forward than it is (perhaps to the point it was in sslexplorer with drive mappings etc)
Hi
I have a similar requirement to the one Paul mentioned. I need to have full access to the LAN using Adito SSL access. Could anyone suggest how to do this, or any other free open-source software?
Please reply
Thanks,
Siva
Thank you so much for this application.
I had a problem with a machine that refused to install SSL EXPLORER.
Then i found this software.
Excellent stuff man. Thank you !
I’m completely stumped on this one. I need to set up someone else as SUPERUSER besides myself. I’m at a complete loss. I’m sure it is in a config file somewhere or something, but for the life of me, I cannot find it.
We’re using AD integration, and my login is fine as SuperUser, but I need to get my boss as that as well (in addition to me). Is this even possible?
Thanks in advance
Is it possible to have Adito agent run on windows mobile 6.5?
Michael:
You should install the adito-server on a “dummy computer” and play around with it. Trial and error is your friend
The system only has one “superuser” as far as I know. But hey I’m not a superuser, hehe
Here is how I’ve done it for other admins (without AD):
1. Create a Policy called “Admins”
2. Do not add superuser, but all other admins to the policy
3. Go to the “Access Rights” tab and create a new “Resource Right”
4. Add all available rights
5. Add “Admins” policy in the “Policy” tab and save.
Please let us know if that also works with the AD integration.
gconcepts:
You are not the first one to ask that question, please see http://sourceforge.net/projects/openvpn-als/forums/forum/824507/topic/3492047
Works a charm, apart from…. I cannot get the Adito Agent to launch from a client. If I use 127.0.0.1 on the server then the agent does launch but fails to connect after “synchronizing”. If I use the server name or IP on the server then it fails in the same way as if I was on a client.
Java error:
load: class com.adito.agent.client.launcher.AgentLauncher not found.
java.lang.ClassNotFoundException: com.adito.agent.client.launcher.AgentLauncher
at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.IOException: open HTTP connection failed:https://10.1.1.253:8443/fs/apps/adito-agent/com/adito/agent/client/launcher/AgentLauncher.class
at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
… 7 more
Exception: java.lang.ClassNotFoundException: com.adito.agent.client.launcher.AgentLauncher
Any ideas? I’ve had a hunt around Google but I haven’t found anything yet.
Hello KK20,
Did you check to make sure the setting “INVALID HOSTNAME ACTION” is not set to close connection immediately?
I have it set to “allow connection” – purely because I didn’t want to lock myself out before I got everything working!
The actual login and “network places” links work perfectly. Internally I can use the IP address, netbios name or go external with the external domain name and all will work. It works external to the building (via 3G disconnected from the local network). Integration into active directory works perfectly. It is the “launch adito agent” that won’t launch – which is a pain since that is the main reason for me wanting this (I plan to map drives somehow).
Anyway, I will continue and if I find a solution post it here. Thanks for the help in any case!
Under Resources (under the management console) I only have Network Places and Profiles. There is no Web Forwards, Applications, or SSL Tunnels. I have tried uninstalling and reinstalling several times. I would appreciate any help.
Robert:
Make sure that you make a clean install into a new directory.
The uninstall does not handle Adito-directories in “policies directories” etc, so a search for adito after uninstall could be needed.
Make sure that you login to the system as superuser (first user you created through config). Check also “Access Rights” tab for “Resource right” policy, you could “lock” superuser out of creating stuff through that.
Sorted my problem out. Originally I had published the website using ISA (2006) as a web server on port 8443. I have 3 SSL websites running on my external IP 443, 444 and 8444 (all going to the same webserver too – you *CAN* do this with M$ but that is another story…) Anyway, It seems that I needed to create a non-webserver rule with a new filter type that listened only on port 8443 (inbound TCP only). This has cured the agent launching – I can now launch internal or external.
The problem with this approach is that the JAVA agent throws up an issue saying that the *.mydomain.net is an invalid certificate. Obviously it isn’t and I suspect that this has to do with the non-webserver forward not carrying the original client domain request through (hence the webserver will only see the IP address forwarded by the ISA server). I may make a man-in-the-middle type certificate between the ISA server and webserver based on its IP address to see if this cures it.
Now onto mapping drives (if it can be done).
Any update on how to get the agent to work with Windows 7 64 bit? The agent works fine for me using any 32 bit Windows OS. W764 still fails to launch the agent.
I have had trouble when people try to access the site using Internet Explorer 8. Works fine with firefox. Any idea on how to fix it?
I get this error in my adito.log:
30-07-2010 09:24:47 [FeedManager] INFO Feed – Retrieving RSS feeds from http://download.localhost/feeds/.xml
30-07-2010 09:24:49 [FeedManager] ERROR FeedManager – Failed to load feed.
com.sun.syndication.io.ParsingFeedException: Invalid XML: Error on line 13: The reference to entity “ts” must end with the ‘;’ delimiter.
at com.sun.syndication.io.WireFeedInput.build(WireFeedInput.java:174)
at com.sun.syndication.io.SyndFeedInput.build(SyndFeedInput.java:122)
at com.adito.rss.Feed.load(Feed.java:149)
at com.adito.rss.FeedManager.retrieveFeeds(FeedManager.java:254)
at com.adito.rss.FeedManager.run(FeedManager.java:161)
at java.lang.Thread.run(Thread.java:636)
Caused by: org.jdom.input.JDOMParseException: Error on line 13: The reference to entity “ts” must end with the ‘;’ delimiter.
at org.jdom.input.SAXBuilder.build(SAXBuilder.java:468)
at org.jdom.input.SAXBuilder.build(SAXBuilder.java:851)
at com.sun.syndication.io.WireFeedInput.build(WireFeedInput.java:170)
… 5 more
Caused by: org.xml.sax.SAXParseException: The reference to entity “ts” must end with the ‘;’ delimiter.
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:198)
at com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:177)
at com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:391)
at com.sun.org.apache.xerces.internal.impl.XMLScanner.reportFatalError(XMLScanner.java:1390)
at com.sun.org.apache.xerces.internal.impl.XMLScanner.scanAttributeValue(XMLScanner.java:844)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanAttribute(XMLNSDocumentScannerImpl.java:436)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:253)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2723)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:624)
at com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:116)
at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:486)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:810)
at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:740)
at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:110)
at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1208)
at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:525)
at org.jdom.input.SAXBuilder.build(SAXBuilder.java:453)
…
Apparently, something with RSS is causing the adito service (running on ClearOS 5.2) to throw an exception. What is RSS doing here? I don’t see any way to configure this via the gui. I can restart the service and it runs fine for a while.
BTW, Adito is great. I’ve suggested to the ClearOS group that they try to incorporate portal functionality. It’s too bad Adito isn’t still in development. It works very well. I’ll continue to use it anyway.
Thanks for keeping this going!
I just installed a new Adito setup on to my vmware esxi home server via turnkey core.
The only gotcha with the numerous directions on the web was related to the Java steps due to Ubuntu moving the repository. Google got me past that and once again Adito is running at home.
Please ClearOS, rescue this wonderful application. I use OpenVPN when I have Adito problems. However Adito is always the preferred solution.
ClearOS (Clarkconnect’s future) can and should save this project!!
yes, it’s a shame. but when you read the reasons, it’s a fairly complicated piece of code that turns things on their head. i do hope it’s revived as x64 isn’t going to play nicely with adito. but as you say, i will continue to use it. it has got me out of so many situations in the past and has never failed yet to get through a firewall on 443.
David:
Why don’t you make a default ClearOS ESXi image for people to use?
A small guide & lists of usernames & password into a txt and the vmdk-file is all that is needed.
I can of course host it here…
large,
I use ClarkConnect as my Gateway on the ESXi box. I am in the process of installing ClearOS 5.2 as a standalone ESXi image as I type this. Once I find that stable on my hardware, I will take the ClarkConnect off-line and change the ClearOS install to a Gateway configuration.
The process is pretty straightforward, so I am not sure there is much value in creating the ClearOS ESXi image. The iso image is uploaded to the ESXi datastore and then the new virtual machine is configured to boot from this iso image.
Now if you are asking for a ClearOS 5.2 configured with OpenVPN ALS/Adito, I don’t think I would do it that way. I like to use OpenVPN and OpenVPN ALS/Adito sharing the 443 port. I am not sure how one would do that on the same machine.
With ESXi, it is much easier for me to create very small Linux installations and use port forwarding to add features as experiments and/or final implementation.
FYI: My ESXi4 is on a powerful quad core desktop. That was a $700 investment that has worked out to be a wonderful way to make my home office ‘green’, save money on power, provide a (thus far) very dependable solution for family computing needs, my endless experiments, and my personal world wide access solution. Over the years I’ve played with VMplayer, VMserver, and now am a believer in this ESXi. Nothing against the many other fine products and other vendors, just where I am at the moment….
Hi Lars
Thanks to your work I got the SSL-VPN Server up and running on WinXP very well in just a few minutes! Now I would like to ask you if you know someone who has translated the pages to German?
I tried to find out how to do it, but as I am no programmer, I gave up after 3 hours of searching through the files…
Any help is appr.
regards,
Marius
Marius:
No, nobody has translated the pages into German as far as I know. But check this wiki out: http://sourceforge.net/apps/trac/openvpn-als/wiki/translating
If you actually do translate, please share with others. I can host it here
KK20 & others that hate the timeout!
I found an easy solution for the timeout problem people have with the Adito client shutting down after.
This is actually the session stored in the web browser, so if you use Firefox (like I do) just do this:
Right-click on the page and select Reload Every -> 2 minutes.
That kept me signed in whole day@work
Since I moved my servers to 2008 over the summer I have now gone back to webdav as 2008 webdav is a lot more configurable than the old 2003 “webdav the lot” option. Since my clients all run a map drive script it will work in XP or W7. It was easier to create a VPN via ISA again and make a dialup script for remote users as educating them how to use adito was a pain (users eh?). Still, I had a lot of fun setting adito up and it worked a treat in the end.
KK20:
I would never use Adito “in production”… That is just a tool for you to get through every possible firewall known
Looks like Ironport proxy is able to detect the Adito trying to get through on port 443. Is it possible for Adito to get through Ironport proxy in some way?
ranj:
Do you have a valid cert on your installation?
Unfortunately not, I am using a self signed certificate.