
Re: Conserver through a proxy server?

Zonker consoleteam@gmail.com
Thu, 7 May 2009 02:16:44 GMT


  Hi John, Chris (and the group at large)

  Here's some more info...given that I can't talk about some specifics.  :-)

  For simplicity, let's call my conserver the "Lab", and the other one is "Other"...

  The Other conserver shares a subnet with a group of console servers. There is no router there. (I found this out after my last message...) So, the Other conserver host has two legs, one for the Management Net, and the other to the console servers.

    * I was trying to get access to two console servers directly, to access one port on each, while the Other conserver would still have control of all the other ports. (I knew that there was no VPN gear terminating on that console server net. I was thinking I needed a proxy, so I could get through their router...but there isn't one.) OK, I can't get there from here. :-(

    ** Due to security policies, I can't get a non-person account on the Other conserver, so my monitoring host cannot try to access the Other conserver to do tests. :-(

    BUT, my Lab conserver CAN access hosts on the subnet with the two hosts that I care about, so I'm going to buy an 8-port BREAK-safe console server, and get another IP on that subnet.

  One of the hosts I care about is relatively critical to day-to-day operations, so I need a BREAK-safe answer. And, I also can't put another conserver on that host...when I need it (to diagnose a problem on that host), it may be unavailable.

  The second host will be a newer replacement for the first host. While it's not mission-critical YET, it will be critical before the other machine can be decommissioned (so, it's also not a good candidate for an alternate conserver host). Both servers are SUN hardware.

  I'm sorry that I've missed the LISA hallway track the past couple years. But if anyone will be laying over in the SF Bay Area sometime, let me know, and we'll try to catch up in person again.

     Best regards,

           -Z-

On Wed, May 6, 2009 at 6:34 PM, John Stoffel <john.stoffel@taec.toshiba.com> wrote:

Zonker>   I find myself in a situation where I must access a
Zonker> restricted network via a proxy server.

Do you have a terminal server on the restricted network?  And does it
understand SSL?

Zonker>   Conserver here is a "normal" setup... many local
Zonker> (in-building) console servers, and a few remote console
Zonker> servers via the WAN, all using RAW connections to the console
Zonker> server ports.

Zonker>   The new twist is that we need to manage ports on a secured
Zonker> network. Using a VPN is not an option offered to us. The
Zonker> Conserver host has a Production interface, and a backup net
Zonker> interface. The host does not have a free card slot for an
Zonker> additional Ethernet interface. (It would be politically
Zonker> difficult to put secondary addressing on the Production net,
Zonker> and it would be a security risk to overlay a new network on
Zonker> the Backup network...)

Hmm... can you get access to a host inside the restricted network to
setup a conserver, then use something like 'stunnel' to setup a secure
tunnel to it?

How restricted is this network?  They obviously don't seem to have a
problem with you getting an IP address on there and adding a port to
your server.

Can you swap out an interface card on the Conserver host and put in a
dual or quad port card in its place?  That would expand your options...

God knows they should be cheap and easy to find these days for Solaris
boxes, heck I might even have some for Sbus still kicking around, and
I know I do for PCI.  You only need 10/100, so a quad port HME card
would work great.

Obviously, I'm assuming a bunch about your hardware.... can you share
more details?

Zonker>   It looks like I might be able to use IPTables to do this
Zonker> (point to a proxy for a specific subnet), then I need to see
Zonker> if I can get ports on the proxy to bounce me to the console
Zonker> ports. Has anyone done it this way? How did that work out for
Zonker> you?

That seems fragile to me.  Can you SSH into the restricted network?
If you can, could you deploy a Digi CM32 in there with SSH turned on
and some public/private SSH keys to be used by the conserver master
box to access those ports?

I also don't understand the difference between a proxy and a VPN
solution, they're both the same... though thinking about it, if you
can just route all your IP traffic from host CS (Console Server) to PH
(proxy Host) to be routed to the RN (restricted Net) that should do
the trick:

   route add net RN.IP.RAN.GE/SIZE gateway TH.IP.AD.DR 1

That might also do the trick, but doesn't address the question of how
you punch through the firewall (restrictions) into the funky RN.

Dunno... can you give more details?

Thanks,
John



--
ConsoleTeam - Support and training services for Conserver users.
www.conserver.com/consoles/
consoleteam.blogspot.com