John Stoffel john.stoffel@taec.toshiba.com
Thu, 7 May 2009 01:35:10 GMT
Zonker> I find myself in a situation where I must access a
Zonker> restricted network via a proxy server.

Do you have a terminal server on the restricted network? And does it understand SSL?

Zonker> Conserver here is a "normal" setup... many local
Zonker> (in-building) console servers, and a few remote console
Zonker> servers via the WAN, all using RAW connections to the console
Zonker> server ports.

Zonker> The new twist is that we need to manage ports on a secured
Zonker> network. Using a VPN is not an option offered to us. The
Zonker> Conserver host has a Production interface, and a backup net
Zonker> interface. The host does not have a free card slot for an
Zonker> additional Ethernet interface. (It would be politically
Zonker> difficult to put secondary addressing on the Production net,
Zonker> and it would be a security risk to overlay a new network on
Zonker> the Backup network...)

Hmm... can you get access to a host inside the restricted network to set up a conserver, then use something like 'stunnel' to set up a secure tunnel to it?

How restricted is this network? They obviously don't seem to have a problem with you getting an IP address on there and adding a port to your server.

Can you swap out an interface card on the Conserver host and put in a dual or quad port card in its place? That would expand your options... God knows they should be cheap and easy to find these days for Solaris boxes, heck I might even have some for Sbus still kicking around, and I know I do for PCI. You only need 10/100, so a quad port HME card would work great.

Obviously, I'm assuming a bunch about your hardware.... can you share more details?

Zonker> It looks like I might be able to use IPTables to do this
Zonker> (point to a proxy for a specific subnet), then I need to see
Zonker> if I can get ports on the proxy to bounce me to the console
Zonker> ports. Has anyone done it this way? How did that work out for
Zonker> you?

That seems fragile to me.

Can you SSH into the restricted network? If you can, could you deploy a Digi CM32 in there with SSH turned on and some public/private SSH keys to be used by the conserver master box to access those ports?

I also don't understand the difference between a proxy and a VPN solution, they're both the same... though thinking about it, if you can just route all your IP traffic from host CS (Console Server) to PH (proxy Host) to be routed to the RN (restricted Net) that should do the trick:

    route add net RN.IP.RAN.GE/SIZE gateway TH.IP.AD.DR 1

That might also do the trick, but doesn't address the question of how you punch through the firewall (restrictions) into the funky RN.

Dunno... can you give more details?

Thanks,
John