Fog Creek Software
Discussion Board




Network "tunnelling" for Terminal Server access?

Hi again!

I'm looking for advice on how to solve a networking tunnelling / access problem I'm facing right now.

I do quite (a lot, really) of work on client premises, as a deployment consultant. It'd be extremely helpful for me if I could access my (office) pc from the client's premises, but as they usually are Gvmnt. or Big Company, Internet access tends to be quite limited on the different offices (usually proxied and the like)

I wanted to know if there was a way for tunnelling Terminal Server traffic through a proxy I don't control. I can carry my own laptop to the premises, so getting an SSH (or similar) starting point would be no problem. At my company's end, I already have an open port on the router to access my computer (BTW, is there a way to proxy TS / SSH traffic so that I don't have to open direct routes to my PC, but rather proxy the traffic a bit more safely?)

Thanks a lot.

Javier Jarava
Friday, March 26, 2004

http://ccfaq.valar.co.uk/modules.php?name=News&file=article&sid=230

Just me (Sir to you)
Friday, March 26, 2004

Say the remote machine is 192.168.0.1 , and their gateway on the internet is 1.1.1.1, and ssh is open on the gateway. For example, to tunnel to port 80 on their remote machine (192.168.0.1),

ssh -L 2222:192.168.0.1:80 user@1.1.1.1

Then connect to localhost port 2222 and you've now got to 192.168.0.1 port 80

fw
Friday, March 26, 2004

Careful sparky. You may be violating some security regulation by doing that without permission. Better check with the supervisor of the Gummint entity you are doing it for, or you could end up with big legal woes, not to mention lack of a job.

old_timer
Friday, March 26, 2004

Thanks for the tips/pointers.

And for the advice about network security :) I do know it's not something to be done lightly, and never w/o their network guys knowing. I've been told that it's OK as long as I can go through the firewall w/o having to re-configure it (ie, have to be able to go as HTTP traffic, or at least as HTTPS); if it were _extremely_ necessary they could open up the FW for Remote Desktop traffic, but they'd rather not, if it can be avoided (and in the really-sensitive areas they have no outside network connection whatsoever, and of course no Internet, so the question is moot). That's why I was trying to find a way to avoid punching holes in a working system.

As for security, I am considerded a "trusted third party" (after all, we provide security software that is going to run on _all_ desktops, so we'd better be trusted and trustworthy ;)

So the requisites would really to be able to _tunnel_ through the gateway, but I can't conunt on their having any "particular" sw running, as the idea is to be able to connect from any client, not from an specific one.. All of them allow HTTP and HTTPS traffic (ie, traffic to the respective Ports)... I'd say that quite a number of them also have SSH running on the GW (though a number of them are windows-only)...

Any more ideas? Thanks a lot for the pointers you've already provided

Javier Jarava
Sunday, March 28, 2004

Use Citrix NFuse.

Citrix is not cheap but this would work and if your billing a professional rate ($50 or more per hour) then your time is expensive and this will pay for itself.

NFuse is browser based and is amazing. You can download 60 day evals of all citrix products, so try it out.  It will run fine on any P3 or faster as long as you have enough RAM.  Just assume that you'll need 256 MB Ram dedicated for the Citrix server apps.

Wunderkind
Tuesday, March 30, 2004

*  Recent Topics

*  Fog Creek Home