VanDyke Software Forums

dverbern 07-30-2019 10:00 PM

VShell Connection Filter - what exactly does "Test filter" do?
 
Using VShell 4.04. Within Connection Filter screen, at bottom there is a "Test filter" area, where I can input either an IP or hostname and hit a "Test..." button. Today we've had a situation where a 3rd party was unable to connect to us and as a troubleshooting step, I input the IP that I knew this 3rd party connected from into this "Test filter" and hit the "Test" button and it returned "Access denied. Reverse IP lookup failed".

Fast forward a few minutes and when I test that same IP again I'm now getting the expected result, "Access allowed".

I entirely grant that this sounds like an issue within our environment, but I would like to know what VShell is doing under the hood when it determines whether the IP or hostname being entered into the "Test Filter" will return the "Access allowed" or "Access denied" responses.

bgagnon 07-31-2019 11:57 AM

Hi dverbern,
Quote:

...but I would like to know what VShell is doing under the hood when it determines whether the IP or hostname being entered into the "Test Filter" will return the "Access allowed" or "Access denied" responses.

It's a developer question. It may take a few days to get an answer.

dverbern 07-31-2019 09:07 PM

Thank you Brenda, I would appreciate an answer, only because I've had some experiences of seemingly being unable to contact some 3rd parties via IP or hostname, then sometimes a short time later, I can and I don't have a ready explanation.

Here's another weird one - again, I can't guarantee this isn't our environment, but just say I type in an IP x.x.x.x in the Test field in the Connection Filter in VShell and hit Test - I've found that for a particular IP I'm testing at the moment, if I enter the IP properly (without any whitespace after it) it fails the test with "Access denied. Reverse IP lookup failed", whereas if I add at least one character of whitespace at the end of that same IP and hit Test, it succeeds, with "Access allowed". Seems strange.

bgagnon 08-01-2019 07:45 AM

Hi dverbern,
Quote:

...but just say I type in an IP x.x.x.x in the Test field in the Connection Filter in VShell and hit Test - I've found that for a particular IP I'm testing at the moment, if I enter the IP properly (without any whitespace after it) it fails the test with "Access denied. Reverse IP lookup failed", whereas if I add at least one character of whitespace at the end of that same IP and hit Test, it succeeds, with "Access allowed".

I do not see that in VShell 4.4.3, the current, official release. In fact, I get the opposite results. Adding a trailing space causes Access denied, just the IP address succeeds.

VShell 4.0.4 is pretty old (circa 2013). Why haven't you upgraded?

What problem is it you are trying to solve? Perhaps there have been enhancements since v4.0.4 that would aid in that objective.

dverbern 08-01-2019 04:16 PM

Hi Brenda,

Thanks for testing, must be an issue limited to this older version we have. You're right, there may be benefits in us upgrading. I'm actually not certain how to proceed with an upgrade.

We have a large number of file exchanges depending on VShell and my original plan was to gradually document each of these exchanges, specifically record the actual authentication mechanisms used by each. I was then going to be able to quickly see whether any of those mechanisms was turned off by default (or not present?) within a newer VShell version, indicating where we might need to liaise with 3rd parties to give them time to adopt newer algorithms.

bgagnon 08-02-2019 07:23 AM

Hi dverbern,

I would say contact support@vandyke.com directly. We would want to check the OS to determine what version you can install, etc.

All our products are designed to upgrade in-place, over the top, but you will likely want to back up the config first and we can provide some guidance on that.

But, it does not hurt to have a link to some resources here:

Exporting and Importing the VShell for Windows Configuration

Upgrading VShell for Windows

Moving VShell for Windows to a Different Server

And also list a few bullet points of changes in each version:

*Security enhancements
Version 4.1:
  • SFTP trigger action
  • User group support for internal database
  • Support for ECDSA host keys*
  • Support for ECDH key-exchange algorithms*

Version 4.2:
  • VShellConfig in control panel
  • X.509 support per RFC 6187
  • FTPS client certificate authentication
  • Ability to generate 4096 bit key size*

Version 4.3:
  • LDAP support
  • Support for chacha20-poly1305@openssh.com authenticated encryption cipher*
  • Windows Server 2016 support

Version 4.4:
  • HTTP/HTTPS support (requires licenses at an additional cost)
  • Allow/deny certain SFTP commands (i.e., RMDIR, REMOVE, RENAME, etc.)
  • SFTP virtual roots
  • Unix: Internal User Database support
  • Added support for the SHA2-512-EtM and SHA2-256-EtM MAC algorithms*

bgagnon 08-15-2019 10:47 AM

Hi dverbern,
Quote:

...but I would like to know what VShell is doing under the hood when it determines whether the IP or hostname being entered into the "Test Filter" will return the "Access allowed" or "Access denied" responses.

I have the info you requested, but cannot post it in the public forums. Please send an email to support@vandyke.com and use Attn Brenda - Forum Thread #13834 in the subject line.


All times are GMT -6.