Hi,
Last night I wrote an email to the support team at Devsolutions, but thought I'd throw it open to others to see if this is a feasible idea.
I have been playing on and off with RDM for some time but I haven't really looked at its full potential. I believe the application will pretty much do what I'm looking for (maybe with additional software) but I thought I'd check before pursuing any further.
We are a small team (5 techies) but manage a large number of remote servers and services using a variety of protocols (mainly HTTPS (not remote desktop, but still remote management), SSH, VNC, etc.) and to do this we use a few access servers (will be Windows 2008) depending on the endpoint we are managing. The endpoints themselves sit behind multiple corporate firewalls, so the management of these services has to be initiated from the relevant access server. However, the connection to these access servers is generally via RDP, which means the techies are on their workstations/laptops, then RDP into an access server and can then remotely manage the relevant endpoint via the RDP session. However, there are a number of issues with this.
Firstly, the RDP sessions on a Windows box (not in Terminal Services mode) are limited to 2 per server. Secondly, RDP isn't necessarily the most secure protocol in the world. Thirdly, whilst the techies can easily RDP to the access server if they are on our site, if they are at the customer site they still may need this RDP access, which itself can often be blocked by the customer's firewall rules, and often we don't have simple physical access or local IP access to the relevant endpoints.
I initially thought of running RDM clients on the access servers, but I don’t think this would be the simplest solution – you would still need to use RDP to get into the access servers, and potentially set up separate password stores.
So, I was thinking that if we could create an SSL tunnel (something like stunnel, which uses OpenSSL) from the techies' laptops to the access servers, they could then use the tunnel to remotely manage the endpoint in question using RDM locally on their workstation/laptop, essentially using the access servers as a proxy. Because there are multiple access servers, I don't think a single VPN would work without setting up some complex routing rules, but if each of the access servers were able to accept a tunnel connection, then maybe RDM could be used to direct the relevant connections through the relevant tunnel. Is this feasible? If not, could RDM be used in another way? Has anyone set up anything similar to this? If so, what did you use and how did you set it up?
The other issue we have is that of password security while maintaining synchronisation. If I'm correct, RDM can connect through a backend MS SQL DB and maintain an offline cache, thus enabling the techies to always have the latest passwords. Is this correct? What are the security implications of this, such as how are the passwords stored?
I look forward to your response.
Chris
edited by swinster on 11/18/2012
Just to clarify (a bit), here are a couple of quick diagrams showing a generic outline of the current and proposed idea (not all possible connections are shown, but this should give an idea).
Current Usage
Proposed Usage
Hey swinster, fairly sure all passwords are in fact encrypted within the SQL DB itself; another layer of security that could be added is encrypting the entire DB. I am currently not too sure how the local caching is done. Possibly XML? In such a scenario I still believe that the passwords will be encrypted and a "Master Password" must be used to decrypt the local cache upon opening RDM. Would need to look into this further for you. If you would like me to do a bit of research and get back to you, please let me know. Also check out http://help.remotedesktopmanager.com
-Brendan
Cheers Brendan. WRT the password storage, I actually had this response from David Hervieux (CEO) at Devsolutions:
"For the offline mode, it’s double encrypted with AES and the NTFS encryption. You can also set an expiration to make sure that it’s not usable after a certain period."
WRT the main crux of the question, David was not able to offer any solutions; however, I have since been in touch with the guys at BitVise to see if the basic concept was at least achievable, and they had this to say:
"Given the situation as described, I think adding an SSH server to the access servers could be useful.
The SSH server could be used in multiple ways:
1) In an approach that's least different from what you're using now, the SSH server could be used to tunnel a Remote Desktop connection when your tech people need to access your infrastructure from a customer's location with restrictive port forwarding rules.
To enable connectivity in this situation, I would suggest configuring the SSH server to accept connections on port 443, as well as a random port number between 1024 and 65535. Only the most restrictive firewalls will prevent a connection to an SSH server configured this way. When you're accessing your servers from a client location, you could use Bitvise SSH Client to establish the SSH connection, and then use its single-click Remote Desktop forwarding feature to initiate the Remote Desktop session, all through an SSH tunnel.
2) In a different approach, it would also be possible to use SSH to tunnel connections using other remote access protocols (HTTPS, SSH, VNC) directly to remote devices you're administering. In this case, the client applications using those protocols would need to be moved from the access server to the client running SSH. This approach will be easier if the device-specific clients you're using support connecting through a SOCKS proxy, since you can then configure the SSH client to act as a proxy. However, it's also possible to configure port forwarding rules manually for applications that don't support connecting through a proxy.
If you established SSH tunnels this way, then yes, the TCP/IP connections arriving at your remote devices would appear to originate from the machine where the SSH server is installed, e.g. from the access server."
So, there is maybe hope. The long and short of it is that I don't know whether the remote devices will accept traffic via a SOCKS proxy. Also, I haven't really dealt with SOCKS proxies in the past, only ISA.
Chris
edited by swinster on 11/20/2012
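The question left open in the post above is whether the managed devices "will accept traffic via a SOCKS proxy". With an SSH dynamic forward (`ssh -D <local port> -p 443 user@access-server`, the setup Bitvise describes in approach 2), SOCKS is spoken only between the client application on the laptop and the ssh client's local listener; the ssh server on the access server then opens an ordinary TCP connection to the device. The device never sees SOCKS at all, only a connection from the access server's IP, which is exactly what the Bitvise reply says. To make that concrete, here is an added example (not code from this thread, from Devolutions or from Bitvise): a minimal SOCKS5 CONNECT exchange in Python with all three roles on loopback. The proxy thread stands in for the ssh client/server pair, the echo "device" stands in for a VNC or HTTPS endpoint behind the access server, and the VNC-style `RFB 003.008` banner is a constructed payload. Only the CONNECT command with no authentication and IPv4/domain-name addresses are implemented, which is what a SOCKS-aware VNC viewer or browser uses against `ssh -D`.

```python
import socket
import struct
import threading

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_OK, REP_REFUSED, REP_BAD_CMD, REP_BAD_ATYP = 0x00, 0x05, 0x07, 0x08

def _recv_exact(sock, n):
    """Read exactly n bytes or raise; SOCKS fields are fixed-size, so short reads matter."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def _reply(sock, rep):  # REP plus a dummy IPv4 BND.ADDR/BND.PORT, used for every failure
    sock.sendall(bytes([VER, rep, 0x00, ATYP_IPV4]) + b"\x00" * 6)

def _handle_socks_client(client):
    """Proxy role (what `ssh -D` gives you): negotiate, connect to the target, relay."""
    with client:
        ver, nmethods = _recv_exact(client, 2)
        if ver != VER or NO_AUTH not in _recv_exact(client, nmethods):
            client.sendall(bytes([VER, 0xFF]))  # no acceptable authentication method
            return
        client.sendall(bytes([VER, NO_AUTH]))
        _ver, cmd, _rsv, atyp = _recv_exact(client, 4)
        if atyp == ATYP_IPV4:
            host = socket.inet_ntoa(_recv_exact(client, 4))
        elif atyp == ATYP_DOMAIN:
            host = _recv_exact(client, _recv_exact(client, 1)[0]).decode()
        else:
            return _reply(client, REP_BAD_ATYP)  # IPv6 left out of this example
        port = struct.unpack("!H", _recv_exact(client, 2))[0]
        if cmd != CMD_CONNECT:
            return _reply(client, REP_BAD_CMD)  # BIND / UDP ASSOCIATE not supported here
        try:
            upstream = socket.create_connection((host, port), timeout=2)
        except OSError:
            return _reply(client, REP_REFUSED)
        with upstream:
            # The target sees only this ordinary TCP connection, sourced from the proxy host.
            bnd_ip, bnd_port = upstream.getsockname()[:2]
            client.sendall(bytes([VER, REP_OK, 0x00, ATYP_IPV4])
                           + socket.inet_aton(bnd_ip) + struct.pack("!H", bnd_port))
            upstream.sendall(client.recv(4096))  # one request/response round trip is
            client.sendall(upstream.recv(4096))  # enough to show the data path

def _echo_device(conn):  # stand-in for a managed VNC/HTTPS endpoint: plain TCP, echoes input
    with conn:
        conn.sendall(conn.recv(4096))

def start_listener(handler):
    """Bind an ephemeral loopback port and serve exactly one connection in a thread."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)
    def serve_once():
        conn, _ = lst.accept()
        lst.close()
        handler(conn)
    threading.Thread(target=serve_once, daemon=True).start()
    return lst.getsockname()[1]

def socks5_connect(proxy_port, host, port):
    """Client role: what a SOCKS-aware client does before speaking its own protocol."""
    s = socket.create_connection(("127.0.0.1", proxy_port), timeout=5)
    s.sendall(bytes([VER, 0x01, NO_AUTH]))  # offer exactly one method: no authentication
    if _recv_exact(s, 2) != bytes([VER, NO_AUTH]):
        s.close()
        raise ConnectionError("proxy rejected the no-auth method")
    name = host.encode()  # ATYP 0x03: the proxy resolves the name, so no DNS leak from the laptop
    s.sendall(bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port))
    _ver, rep, _rsv, atyp = _recv_exact(s, 4)
    _recv_exact(s, (4 if atyp == ATYP_IPV4 else 16) + 2)  # skip BND.ADDR and BND.PORT
    if rep != REP_OK:
        s.close()
        raise ConnectionError(f"SOCKS CONNECT failed, REP={rep:#04x}")
    return s

def demo(payload=b"RFB 003.008\n"):  # push a constructed VNC-style banner through the proxy and back
    device_port = start_listener(_echo_device)
    proxy_port = start_listener(_handle_socks_client)
    with socks5_connect(proxy_port, "localhost", device_port) as s:
        s.sendall(payload)
        return _recv_exact(s, len(payload))

def demo_refused():
    """CONNECT to a port nobody listens on: the proxy answers REP 0x05 (connection refused)."""
    with socket.socket() as probe:  # grab a free port number, then release it again
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
    try:
        socks5_connect(start_listener(_handle_socks_client), "127.0.0.1", closed_port).close()
    except ConnectionError as exc:
        return str(exc)
    return "unexpectedly connected"
```

`demo()` returns the banner exactly as the echo device sent it back, and `demo_refused()` shows the failure mode a techie would hit when a device port is not reachable from the access server: the proxy answers with REP 0x05 and the client never gets a data channel. In the real deployment the proxy role is the ssh pair, so per access server you would run one `ssh -D` on a distinct local port (1081 for the first access server, 1082 for the second, and so on, as an assumed scheme) and give each RDM entry the matching 127.0.0.1 SOCKS port; clients with no SOCKS support get an explicit `-L localport:device:port` forward instead, as the Bitvise reply suggests.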