Connecting Remotely through proxy (Technical > Internet Related/Filtering/Firewall), page 2 of 3: posts 16 to 30 of 35
  #16 GrumbleDook (Gosport, Hampshire)
    Quote, originally posted by sukh:
    What were you trying to do with exch? You can always use RPC over HTTP, which uses 443, which would probably be open anyway.
    If you are not using 2k8R2 and Windows 7 then this is not secure (initiation of connection is, but traffic afterwards isn't). I've had a school trying it with XP Clients and the required patch and it is flaky ... I am eager to see a school get this running though.

  #17 (Essex)
    Quote, originally posted by GrumbleDook:
    If you are not using 2k8R2 and Windows 7 then this is not secure (initiation of connection is, but traffic afterwards isn't). I've had a school trying it with XP Clients and the required patch and it is flaky ... I am eager to see a school get this running though.
    Forgot to add s on https:

    Secure then, isn't it?

    Or did you mean something else?

  #18 (UK)
    So the guides I had read suggested the port 3390 but apparently this is blocked on Windows 7 so using port 3391 it works!

    Just to convince our provider that I should be allowed ssh rather than using their vpn at £600.

    Thanks for all the help!

  #19 dhicks (Knightsbridge)
    Quote, originally posted by KK20:
    Have you set up OpenSSH to accept users for domain logins?
    I'm using a Debian VM, integrated with Active Directory via Samba - domain users can log in to the machine with their domain credentials. When I get the web-based admin utility finished I'll make it publicly available as it might come in handy for someone else.

  #20
    Sorry, I should have been clearer; it was directed more at beany (as you have a working solution). When I set up OpenSSH on Server 2008, installing it wasn't enough; you need to configure it for your own domain etc. Hence me asking.


  #21 (UK)
    So I've received a response to my request for port 22 opening:

    Quote (the provider's reply):
    With regards to your change request, I have read through your emails of late to the service desk and would like to advise.

    I feel that Port 22 inbound will not be allowed by our security team (the change would have to be sent to them for review due to the nature of connections over port 22). We have had issues before due to the number of known exploits using SSH.

    You have to remember that when making an inbound connection to your network you are opening up the server to the internet via a NAT'd IP address. This puts it at risk to all sorts of attacks and requires you to maintain and implement high security. As a result of this, a disclaimer needs to be sent to the head teacher accepting all responsibility for the network and its security before we can allow it.

    There are other solutions available for remote access to your network. I appreciate the price quoted for our VPN is high, but if you ask whoever has the Service Portfolio for 2011 which was provided to all schools you will get the accurate pricing for the VPN solution (I believe it is £100 per token (user) per year). This is a secure and usable solution for RDP over the internet which can provide you full local network access whilst keeping the school network secure.

    Other solutions have been implemented by other schools, such as TSGateway on Windows Server 2008. This also requires a NAT'd IP and puts the security on the school, however it is a known "out of the box" secure solution and is accepted as such.

    Any thoughts / opinions on this??? I know for a fact my school wouldn't consider the VPN of £600 setup then £100 per year.

  #22 dhicks (Knightsbridge)
    Quote:
    I feel that Port 22 inbound will not be allowed by our security team (the change would have to be sent to them for review due to the nature of connections over port 22) We have had issues before due to the number of known exploits using SSH.
    Can they tell you what the exploits are? Does SSH get hacked more often than their VPN solution - is their VPN solution actually more secure, or has it just not had anyone try to break it? Can you ask them for RDP-over-HTTPS access and then just use port 443 for SSH anyway?

    Quote:
    You have to remember that when making an inbound connection to your network you are opening up the server to the internet via a NAT'd IP address.
    If you make your SSH server only accept connections with a certificate, then only people with a valid certificate should be able to log in, unless there's some way of getting around that. I'd also look at making sure the SSH server will only port-forward to your RDP server.

    Quote:
    I know for a fact my school wouldn't consider the VPN of £600 setup then £100 per year.
    Hang on, is that £100 per user per year?

  #23
    OpenSSH doesn't HAVE to listen on port 22. Indeed mine doesn't. Just change it to a port that IS open and forwarded on your network. Incidentally, do you use FTP? FTP is far, far more vulnerable than SSH; ask them if you can have SFTP (which is SSH in a different coat) instead....

  #24 (UK)
    Thanks for the reply dhicks - glad I'm not the only one thinking the situation is ridiculous. I'm gonna forward on your questions and see what they say.

    Also for the firewall changes they requested a destination IP and source IP, so I supplied my home WAN IP. Surely that means that the only way to exploit ssh is from my home IP?

    This setup was literally for me to access the server from home and do any tasks that I don't have time or can't do at work - But yes the £100 is per user!
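    A tunnel-only OpenSSH account along the lines dhicks suggests in #22 (key-only login, forwarding restricted to the RDP server) combined with the source-IP restriction from #24, as an added example rather than anything posted in the thread: the sshd_config fragment is embedded as text and audited by a small POSIX shell function. The RDP host 10.0.0.5, home address 203.0.113.7 and user name rdpadmin are assumed placeholders.

```shell
# Added example (not from the thread): sshd_config fragment for a tunnel-only
# account plus an audit function. 10.0.0.5 (RDP server), 203.0.113.7 (home IP)
# and the user name rdpadmin are constructed placeholders.
HARDENED_SSHD_CONFIG='
# A port the provider already passes (443 was floated in the thread)
Port 443
Protocol 2
# Key-based logins only: nothing for a password guesser to work on
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers rdpadmin
# Only the admin account, and only from the source IP given in the firewall change
Match User rdpadmin Address 203.0.113.7
    # The session may forward to the RDP server alone, no other internal host
    AllowTcpForwarding yes
    PermitOpen 10.0.0.5:3389
    GatewayPorts no
    X11Forwarding no
    # No shell: connect with  ssh -N -L 3391:10.0.0.5:3389 rdpadmin@school
    ForceCommand /bin/false
'

# check_sshd_config TEXT: prints "ok" when every restriction above is present,
# otherwise "missing:" followed by the names of the absent ones.
check_sshd_config() {
    cfg=$1
    missing=""
    has() { printf '%s\n' "$cfg" | grep -qiE "$1"; }
    has '^[[:space:]]*PasswordAuthentication[[:space:]]+no' || missing="$missing password-auth"
    has '^[[:space:]]*PermitRootLogin[[:space:]]+no' || missing="$missing root-login"
    # PermitOpen must name host:port; absent means the permissive default "any"
    has '^[[:space:]]*PermitOpen[[:space:]]+[^[:space:]]+:[0-9]+' || missing="$missing permit-open"
    has '^[[:space:]]*Match[[:space:]].*Address[[:space:]]+[0-9.]+' || missing="$missing source-address"
    has '^[[:space:]]*ForceCommand[[:space:]]' || missing="$missing force-command"
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

check_sshd_config "$HARDENED_SSHD_CONFIG"   # prints: ok
```

    With ForceCommand set, a plain login exits immediately, so the home client must connect with ssh -N (forwarding only) and then point mstsc at localhost:3391.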

  #25 (UK)
    @KK20 thanks. Don't know how to get around the port issue; the only ones open are standard ones like 80 and IMAP etc. To open a port they want to know all the details.

  #26 dhicks (Knightsbridge)
    Quote, originally posted by beany1:
    Don't know how to get around the port issue; the only ones open are standard ones like 80 and IMAP etc.
    If you already have a port for HTTP open (generally port 80, but doesn't have to be), then could you install a proxy server on that port to redirect traffic according to server name? So www.domain.com gets directed to your web server, but remote.domain.com could go to a web-based admin console (command prompt?) of some sort. You'd need access to add entries to your domain name's DNS settings, of course.

  #27 (UK)
    @dhicks - I'd need to be able to port forward though then, wouldn't I? I don't have access to the proxy, firewall, or even the switch that's connecting the school to the BT fibre connection. It's just all getting overly complex to say I just wanted to be able to catch up on some tasks at home!

    Think I'll wait for the response to the questions you asked, dhicks, from our provider, but for now I've given in!

    Thanks for all the help everyone

  #28 dhicks (Knightsbridge)
    Quote, originally posted by beany1:
    I'd need to be able to port forward though then wouldn't I?
    No, this is a different solution (one that your LEA might consider more secure, too). You simply have a web-based application running inside your firewall that lets you log in and do admin tasks. This works just like any other web-based application, over HTTP. I'm sure there must be a JavaScript-based shell somewhere, or does maybe VNC work over HTTP?

    If the issue is simply that your LEA don't think that a free solution is going to be as secure as a paid one then all we have to do is charge a £500 setup fee to install an SSH server appliance and, say, £50 per user per year and wait for the money to roll in :-)

  #29 (Surburbia)
    Variation on the dhicks theme:

    If it's just one server you want to RDP to, then tell them you've put a TSG on the relevant IP address to get 443 opened/mapped. Pop stunnel on the server using port 443, and *importantly* configure it for mutual auth, i.e. so you need a client cert to connect the tunnel from home. Tunnel RDP over it.

    Or perhaps tell 'em you want to do that and ask them to justify why it is less secure than TSG (which it probably is NOT unless TSG folk are also using mutual auth).
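    The stunnel-with-mutual-auth variant from #29, as an added example that is not from the thread: a POSIX shell script that builds a private CA with openssl, writes the server-side and home-side stunnel.conf files, and checks that a config actually demands a client certificate. The host school.example.org, the /etc/stunnel paths and local port 3391 are assumptions.

```shell
# Added example (not from the thread): stunnel mutual-auth setup for RDP over 443.
# Build the CA, a server cert and one client cert (subshell, so the cd does not
# leak). Keep ca.key on the server; copy client.crt, client.key, ca.crt home only.
make_certs() (
    dir=${1:-./stunnel-pki}
    mkdir -p "$dir" && cd "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=school-rdp-ca" -keyout ca.key -out ca.crt
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr"
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key \
            -CAcreateserial -days 730 -out "$name.crt"
    done
)

# School server stunnel.conf: TLS on 443, client cert chained to our CA required
# (verify = 2), decrypted stream handed to RDP on the same box.
server_conf() {
    cat <<'EOF'
cert = /etc/stunnel/server.crt
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/ca.crt
verify = 2
[rdp]
accept = 443
connect = 127.0.0.1:3389
EOF
}

# Home PC stunnel.conf: listen locally, present the client cert, check the
# server cert against the same CA, carry RDP to the school over 443.
client_conf() {
    cat <<'EOF'
client = yes
cert = client.crt
key = client.key
CAfile = ca.crt
verify = 2
[rdp]
accept = 127.0.0.1:3391
connect = school.example.org:443
EOF
}

# mutual_auth_enabled < stunnel.conf: succeeds only if the peer must present a
# certificate (verify level 2 or 3) and a CA to check it against is configured.
mutual_auth_enabled() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -qE '^verify[[:space:]]*=[[:space:]]*[23]' &&
        printf '%s\n' "$conf" | grep -qE '^CAfile[[:space:]]*='
}
```

    After make_certs on the server and copying the client files home, start stunnel on both ends and point mstsc at 127.0.0.1:3391; a connection without a CA-signed client cert fails in the TLS handshake before RDP is ever reached.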

  #30 (Leeds)
    Hi guys, I tried using PuTTY to connect to my SSH server at the weekend. Locally I get a connection in no problem, but if I put in the external IP address I get connection refused. I have changed the sshd_config file to allow 443, so from work I assume I enter the external IP address and port 443, not 22, to get the connection through to my router. Any help would be much appreciated; hemstoj02@leedslearning.net if anyone could contact me for help. Thanks.
