External (Reverse?) Captive Portal
-
I have the current setup.
ISP
|
DMZ Subnet
|
IPSEC VPN Hardware
|
VPN Subnet
|
Mail Server

I have been asked to allow access to the corporate mail server's web interface from the Internet without requiring VPN software for each user, however I don't want to have to move the mail server from the VPN subnet. Could a Captive Portal be used to provide access to authenticated users from the Internet (SSL VPN)? If so, how? A WAN link (routable interface) can't be chosen for a captive portal.
I.e.
ISP
|
DMZ Subnet
|         |--------------------
|                             |
IPSEC VPN Hardware    SSL Captive Portal
|                             |
|                             |
VPN Subnet---------------------
|
Mail Server

Notes:
DMZ is routable /27 subnet using Proxy Arp.
Using pfSense 1.0.1
-
That is not currently possible, unfortunately.
-
This is more suitable for your needs: http://sourceforge.net/projects/sslexplorer/
-
SSL-Explorer looks to be just the ticket. Didn't know this project existed…
Thanks to all for the very quick responses.
-
SSL-Explorer even has a built-in Java VPN client. It's pretty cool. Just forward the configured port to the SSL-Explorer and configure your users/apps there. I tested this at our office. Works great.