Conserver through a proxy server?
I find myself in a situation where I must access a restricted network via
a proxy server.

Conserver here is a "normal" setup... many local (in-building) console
servers, and a few remote console servers via the WAN, all using RAW
connections to the console server ports.

The new twist is that we need to manage ports on a secured network. Using
a VPN is not an option offered to us. The Conserver host has a Production
interface, and a backup net interface. The host does not have a free card
slot for an additional Ethernet interface. (It would be politically
difficult to put secondary addressing on the Production net, and it would be
a security risk to overlay a new network on the Backup network...)

It looks like I might be able to use IPTables to do this (point to a proxy
for a specific subnet), then I need to see if I can get ports on the proxy
to bounce me to the console ports. Has anyone done it this way? How did that
work out for you?

Thanks in advance for your replies, and best regards,

-Z-

--
ConsoleTeam - Support and training services for Conserver users.
www.conserver.com/consoles/
consoleteam.blogspot.com
Re: Conserver through a proxy server?
Zonker> I find myself in a situation where I must access a
Zonker> restricted network via a proxy server.

Do you have a terminal server on the restricted network? And does it
understand SSL?

Zonker> Conserver here is a "normal" setup... many local
Zonker> (in-building) console servers, and a few remote console
Zonker> servers via the WAN, all using RAW connections to the console
Zonker> server ports.

Zonker> The new twist is that we need to manage ports on a secured
Zonker> network. Using a VPN is not an option offered to us. The
Zonker> Conserver host has a Production interface, and a backup net
Zonker> interface. The host does not have a free card slot for an
Zonker> additional Ethernet interface. (It would be politically
Zonker> difficult to put secondary addressing on the Production net,
Zonker> and it would be a security risk to overlay a new network on
Zonker> the Backup network...)

Hmm... can you get access to a host inside the restricted network to
setup a conserver, then use something like 'stunnel' to setup a secure
tunnel to it?

How restricted is this network? They obviously don't seem to have a
problem with you getting an IP address on there and adding a port to
your server.

Can you swap out an interface card on the Conserver host and put in a
dual or quad port card in its place? That would expand your options...

God knows they should be cheap and easy to find these days for Solaris
boxes, heck I might even have some for Sbus still kicking around, and
I know I do for PCI. You only need 10/100, so a quad port HME card
would work great.

Obviously, I'm assuming a bunch about your hardware.... can you share
more details?

Zonker> It looks like I might be able to use IPTables to do this
Zonker> (point to a proxy for a specific subnet), then I need to see
Zonker> if I can get ports on the proxy to bounce me to the console
Zonker> ports. Has anyone done it this way? How did that work out for
Zonker> you?

That seems fragile to me. Can you SSH into the restricted network?
If you can, could you deploy a Digi CM32 in there with SSH turned on
and some public/private SSH keys to be used by the conserver master
box to access those ports?

I also don't understand the difference between a proxy and a VPN
solution, they're both the same... though thinking about it, if you
can just route all your IP traffic from host CS (Console Server) to PH
(proxy Host) to be routed to the RN (restricted Net) that should do
the trick:

route add net RN.IP.RAN.GE/SIZE gateway TH.IP.AD.DR 1

That might also do the trick, but doesn't address the question of how
you punch through the firewall (restrictions) into the funky RN.

Dunno... can you give more details?

Thanks,
John
_______________________________________________
users mailing list
users@conserver.com
https://www.conserver.com/mailman/listinfo/users
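John's SSH suggestion (a key-authenticated hop into the restricted net, rather than an iptables bounce) can be expressed entirely in conserver's own configuration, because a `type exec` console lets the master run `ssh` as the transport. The fragment below is an added example and is not code from this thread or from the conserver project. Every hostname, address, port, username, key path and file name in it is an assumption: `jump.rn.example` stands for an SSH-reachable host on the restricted net, `10.0.0.20:3001` for the raw TCP port of the console server behind it, and `cs.rn.example` port 7002 for a console server that speaks SSH directly (the per-port SSH numbering is assumed, not taken from any vendor manual). The `ssh -W` stdio-forward needs OpenSSH 5.4 or later.

```conf
## conserver.cf fragment (added example; all names/addresses are assumed)

default * {
    logfile   /var/log/consoles/&;
    timestamp 1hab;
    rw        *;
    master    localhost;
}

## 0. The "normal" in-building style from the original post: a raw TCP
##    connection straight to the console server port. Fine on a trusted
##    LAN, but it is cleartext and needs the port to be routable, so it
##    is exactly what does NOT work across the restricted-net boundary.
console lab-host01 {
    type     host;
    host     10.1.1.10;
    port     3001;
    protocol raw;
}

## 1. Raw console port on the restricted net, reached through an SSH
##    jump host. ssh -W hands conserver a byte-transparent pipe to
##    10.0.0.20:3001 carried inside the SSH session, so nothing on the
##    conserver host needs iptables, a second NIC, or a new route.
##    -e none: no ssh escape character, so every byte (including ~ and
##             BREAK-related sequences) reaches the console untouched
##    BatchMode=yes: fail instead of hanging conserver on a password prompt
##    StrictHostKeyChecking=yes + a pinned known_hosts file: the tunnel
##             cannot be silently redirected to an impostor jump host
console rn-db01 {
    type exec;
    exec ssh -e none -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/conserver/rn_known_hosts -i /etc/conserver/rn_key -W 10.0.0.20:3001 conserver@jump.rn.example;
}

## 2. Console server that understands SSH itself (the Digi CM style John
##    mentions): connect to the per-port SSH listener with the same
##    dedicated key. No jump host involved; the serial port is the
##    remote "shell".
console rn-db02 {
    type exec;
    exec ssh -e none -o BatchMode=yes -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/conserver/rn_known_hosts -i /etc/conserver/rn_key -p 7002 conserver@cs.rn.example;
}
```

Pair the jump-host stanza with a matching restriction on the jump host's side, so that the key conserver holds can open only that one TCP destination and nothing else: in `~conserver/.ssh/authorized_keys` on `jump.rn.example`, prefix the key with `restrict,port-forwarding,permitopen="10.0.0.20:3001"` (OpenSSH 7.2 or later for `restrict`; older servers take `no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="10.0.0.20:3001"` instead). With that in place a compromise of the conserver master yields a path to one console port, not a general foothold on the restricted net, which is the least-privilege property the "just route everything through the proxy host" approach lacks. Verify the pipe end to end with `console rn-db01` from the master and watch the conserver log for the `ssh` exit status: a host-key mismatch or a missing `permitopen` shows up there as an immediate disconnect rather than as a hung session.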
Re: Conserver through a proxy server?
Hi John, Chris (and the group at large)

Here's some more info...given that I can't talk about some specifics. :-)

For simplicity, let's call my conserver the "Lab", and the other one is
"Other"...

The Other conserver shares a subnet with a group of console servers. There
is no router there. (I found this out after my last message...) So, the
Other conserver host has two legs, one for the Management Net, and the other
to the console servers.

* I was trying to get access to two console servers directly, to access
one port on each, while the Other conserver would still have control of all
the other ports. (I knew that there was no VPN gear terminating on that
console server net. I was thinking I needed a proxy, so I could get through
their router...but there isn't one.) OK, I can't get there from here. :-(

** Due to security policies, I can't get a non-person account on the
Other conserver, so my monitoring host cannot try to access the Other
conserver to do tests. :-(

BUT, my Lab conserver CAN access hosts on the subnet with the two hosts
that I care about, so I'm going to buy an 8-port BREAK-safe console server,
and get another IP on that subnet.

One of the hosts I care about is relatively critical to day-to-day
operations, so I need a BREAK-safe answer. And, I also can't put another
conserver on that host...when I need it (to diagnose a problem on that
host), it may be unavailable.

The second host will be a newer replacement for the first host. While it's
not mission-critical YET, it will be critical before the other machine can
be decommissioned (so, it's also not a good candidate to an alternate
conserver host). Both servers are SUN hardware.

I'm sorry that I've missed the LISA hallway track the past couple years.
But if anyone will be laying over in the SF Bay Area sometime, let me know,
and we'll try to catch up in person again.

Best regards,

-Z-

On Wed, May 6, 2009 at 6:34 PM, John Stoffel
<john.stoffel@taec.toshiba.com> wrote:

>
> Zonker> I find myself in a situation where I must access a
> Zonker> restricted network via a proxy server.
>
> Do you have a terminal server on the restricted network? And does it
> understand SSL?
>
> Zonker> Conserver here is a "normal" setup... many local
> Zonker> (in-building) console servers, and a few remote console
> Zonker> servers via the WAN, all using RAW connections to the console
> Zonker> server ports.
>
> Zonker> The new twist is that we need to manage ports on a secured
> Zonker> network. Using a VPN is not an option offered to us. The
> Zonker> Conserver host has a Production interface, and a backup net
> Zonker> interface. The host does not have a free card slot for an
> Zonker> additional Ethernet interface. (It would be politically
> Zonker> difficult to put secondary addressing on the Production net,
> Zonker> and it would be a security risk to overlay a new network on
> Zonker> the Backup network...)
>
> Hmm... can you get access to a host inside the restricted network to
> setup a conserver, then use something like 'stunnel' to setup a secure
> tunnel to it?
>
> How restricted is this network? They obviously don't seem to have a
> problem with you getting an IP address on there and adding a port to
> your server.
>
> Can you swap out an interface card on the Conserver host and put in a
> dual or quad port card in it's place? That would expand your options...
>
> God knows they should be cheap and easy to find these days for Solaris
> boxes, heck I might even have some for Sbus still kicking around, and
> I know I do for PCI. You only need 10/100, so a quad port HME card
> would work great.
>
> Obviously, I'm assuming a bunch about your hardware.... can you share
> more details?
>
> Zonker> It looks like I might be able to use IPTables to do this
> Zonker> (point to a proxy for a specific subnet), then I need to see
> Zonker> if I can get ports on the proxy to bounce me to the console
> Zonker> ports. Has anyone done it this way? How did that work out for
> Zonker> you?
>
> That seems fragile to me. Can you SSH into the restricted network?
> If you can, could you deploy a Digi CM32 in there with SSH turned on
> and some public/private SSH keys to be used by the conserver master
> box to access those ports?
>
> I also don't understand the difference between a proxy and a VPN
> solution, they're both the same... though thinking about it, if you
> can just route all your IP traffic from host CS (Console Server) to PH
> (proxy Host) to be routed to the RN (restricted Net) that should do
> the trick:
>
> route add net RN.IP.RAN.GE/SIZE gateway TH.IP.AD.DR 1
>
> That might also do the trick, but doesn't address the question of how
> you punch through the firewall (restrictions) into the funky RN.
>
> Dunno... can you give more details?
>
> Thanks,
> John
>

Re: Conserver through a proxy server?
Zonker> Here's some more info...given that I can't talk about some
Zonker> specifics. :-)

Heh, security through obscurity. :]

Zonker> For simplicity, let's call my conserver the "Lab", and the
Zonker> other one is "Other"...

Zonker> The Other conserver shares a subnet with a group of console
Zonker> servers. There is no router there. (I found this out after my
Zonker> last message...) So, the Other conserver host has two legs,
Zonker> one for the Management Net, and the other to the console
Zonker> servers.

Zonker> * I was trying to get access to two console servers
Zonker> directly, to access one port on each, while the Other
Zonker> conserver would still have control of all the other ports. (I
Zonker> knew that there was no VPN gear terminating on that console
Zonker> server net. I was thinking I needed a proxy, so I could get
Zonker> through their router...but there isn't one.) OK, I can't get
Zonker> there from here. :-(

Umm... why? If you've already got a conserver Other managing ports on
that subnet, why the need for "Lab" to access "Other" ports?

Zonker> ** Due to security policies, I can't get a non-person
Zonker> account on the Other conserver, so my monitoring host cannot
Zonker> try to access the Other conserver to do tests. :-(

Zonker> BUT, my Lab conserver CAN access hosts on the subnet with
Zonker> the two hosts that I care about, so I'm going to buy an 8-port
Zonker> BREAK-safe console server, and get another IP on that subnet.

Zonker> One of the hosts I care about is relatively critical to
Zonker> day-to-day operations, so I need a BREAK-safe answer. And, I
Zonker> also can't put another conserver on that host...when I need it
Zonker> (to diagnose a problem on that host), it may be unavailable.

Zonker> The second host will be a newer replacement for the first
Zonker> host. While it's not mission-critical YET, it will be critical
Zonker> before the other machine can be decommissioned (so, it's also
Zonker> not a good candidate to an alternate conserver host). Both
Zonker> servers are SUN hardware.

So basically, it sounds like you're trying to setup a conserver for
the production WAN network which is firewalled off. And manage it
from your Lab network.

Honestly, it doesn't make sense to do it this way, but I'm
sure politics and management play into this.

Zonker> I'm sorry that I've missed the LISA hallway track the past
Zonker> couple years. But if anyone will be laying over in the SF Bay
Zonker> Area sometime, let me know, and we'll try to catch up in
Zonker> person again.

Yeah, I agree. I'm bummed I've missed LISA in general the past few
years. Maybe once this recession is over (and my kids are a little
older) I'll be able to make these again.

John
Re: Conserver through a proxy server?
On Thu, May 7, 2009 at 1:34 PM, John Stoffel
<john.stoffel@taec.toshiba.com> wrote:

> Zonker> For simplicity, let's call my conserver the "Lab", and the
> Zonker> other one is "Other"...
>
> Zonker> The Other conserver shares a subnet with a group of console
> Zonker> servers. There is no router there. (I found this out after my
> Zonker> last message...) So, the Other conserver host has two legs,
> Zonker> one for the Management Net, and the other to the console
> Zonker> servers.
>
> Zonker> * I was trying to get access to two console servers
> Zonker> directly, to access one port on each, while the Other
> Zonker> conserver would still have control of all the other ports. (I
> Zonker> knew that there was no VPN gear terminating on that console
> Zonker> server net. I was thinking I needed a proxy, so I could get
> Zonker> through their router...but there isn't one.) OK, I can't get
> Zonker> there from here. :-(
>
> Umm... why? If you've already got a conserver Other managing ports on
> that subnet, why the need for "Lab" to access "Other" ports?
>

To clarify: The two hosts serve one business unit, but managing the
hardware and OS falls to a different unit.

The basic answer is that there are two different operations groups, and both
have picked Conserver as their tool of choice for managing remote access
to their consoles. (As a result, I cannot 'merge' the two into a "distributed
configuration", since each business unit has different staff, needing access
to different sets of hosts.) If we could get past the politics of the two
groups, I'd wager that nobody in either group (besides me) wants to consider
being in charge of a combined Conserver config, handling user changes for
both groups. :-|

Given the politics (where " politics = time + $ " ), adding a $1200 console
server seems the faster, practical option, and it can be re-deployed if/when
the host(s) move to a different data center.

-Z-