Welcome to the VanDyke Software Forums

#1
11-06-2016, 09:39 PM
mr.dk
Registered User
Join Date: Nov 2016
Posts: 13
Help using session firewall option.

Hello,

While using the 'firewall' setting in a 'session', the connection fails to connect.



Selecting a 'session' HostA..C session will log in to the firewall and connect the session directly to the client.

Code:
[SecureCRT] --> [SSHD Jump] ------> ClientA
                              \---> ClientA
                              \---> ClientB
                              \---> ClientC
What has been successful:
Creating the SSHD Jump session:
[LOCAL] : SEND[0]: SSH_MSG_CHANNEL_OPEN('session')
[LOCAL] : SEND[0]: Pty Request (rows: 70, cols: 175)
[LOCAL] : RECV[0]: pty request succeeded
[LOCAL] : SEND[0]: agent forwarding request
[LOCAL] : RECV[0]: agent request succeeded
[LOCAL] : SEND[0]: exec request: null -tenant username -host hostname
[LOCAL] : RECV[0]: exec request succeeded
SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3


What has been unsuccessful:
From the above you can see the current firewall is directly connected to the end client session yet the client session does not reply.

It seems that sCRT is trying to be fancy.
- sCRT modifies the first firewall session
- Adding: [LOCAL] : FIREWALL : Starting port forward from 127.0.0.1 on local 127.0.0.1:59340 to remote sv-vpn:22
- Issue: [LOCAL] : Changing state from STATE_NOT_CONNECTED to STATE_CLOSED



This is highly complex in dealing with how the sessions are reused.
Is it possible to reuse the firewall port/session for the client/session communication?


Please do ask questions if I have been unclear; I would be happy to provide more details / logs ...

Thank you.
Derek
Attached Images
File Type: jpg firewall.jpg (82.9 KB, 1163 views)
__________________
--------------------------------------------------------------

OS Name Microsoft Windows 10 Pro
Version 10.0.14393 Build 14393
Processor Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz, 4001 Mhz, 4 Core(s), 8 Logical Processor(s)
Installed Physical Memory (RAM) 32.0 GB
SecureCRT Version 8.0.3 (x64 build 1183) - Official Release - September 8, 2016

Last edited by mr.dk; 11-07-2016 at 02:17 PM.
#2
11-07-2016, 11:52 AM
jdev
VanDyke Technical Support
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 937
You described success as:
Quote:
[LOCAL] : SEND[0]: exec request: null -tenant dvanveen -host sv-vpn
... in other words, you're performing a remote-exec of command 'null', passing along information to that remote app which connects you to sv-vpn and hooks up stdin/out/err pipes for you.

This isn't yet something that can be done in SecureCRT with a firewall configuration.

I've created a feature request on your behalf for the ability to specify a proxy command (which involves remote exec, as you've explained in your "success").

In the meantime, you can get close to this by using a *copy* of your jump host session and setting up the Remote command to connect to your end host as you've done with the rexec 'null -tenant dvanveen -host sv-vpn', instead of trying to use the jump host session as a Firewall.

--Jake
__________________
Jake Devenport
VanDyke Software
Technical Support
YouTube Channel: https://www.youtube.com/vandykesoftware
Email: support@vandyke.com
Web: https://www.vandyke.com/support
#3
11-07-2016, 02:16 PM
mr.dk
Registered User
Join Date: Nov 2016
Posts: 13
Hello,

Glad you understand. I'm on day 10 of sCRT use, so I'm not an expert yet.

To clarify, the "hooks up stdin/out/err" is done with an ssh script @ client, tenant, and again an RSA key ...

For security reasons ssh is not allowed on the server side; the script, as you pointed out, does the proxy and drops the session, waiting for the client session to continue ...

Thank you.
Dk

Last edited by mr.dk; 11-07-2016 at 02:21 PM.
#4
01-09-2017, 08:55 PM
mr.dk
Registered User
Join Date: Nov 2016
Posts: 13
I may have been confusing you with 'firewall' or 'tunneling'; it seems the connection I'm after is more of an SSH proxy. (Below is a working configuration from CentOS7.)


Another use case for proxying connections:

PC ---> Proxy ---> Server
PC> ssh cloud@Server+


[root@CentOS7 .ssh]# cat config

Host *+
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    IdentityFile ~/.ssh/cloud_rsa
    User cloud
    ProxyCommand ssh proxy -- -tenant myself -host $(echo %h | sed -e 's?+virtual??g')

Host Proxy
    Hostname proxy.hostname.com
    StrictHostKeyChecking no
    User jump
    UserKnownHostsFile=/dev/null
    IdentityFile ~/.ssh/jump_rsa
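The client config in the post above sets `StrictHostKeyChecking no` and `UserKnownHostsFile=/dev/null` for both the proxy and the proxied hosts, so host keys are never checked against a stored known_hosts entry on either hop. As an added example (not part of the original thread), this shell function flags such Host blocks in an OpenSSH client config; the function names and the third sample block are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Host blocks in an OpenSSH client config that disable
# host-key verification. Match blocks are not interpreted.

audit_ssh_config() {   # $1 = path to an ssh_config-style file
    awk '
    function report(   why) {
        if (nocheck)  why = "StrictHostKeyChecking disabled"
        if (nullfile) why = (why ? why " + " : "") "known_hosts discarded"
        if (why) print host ": " why
    }
    BEGIN { host = "(global)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        n = match(line, /[ \t=]+/)          # keyword ends at blanks or "="
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1))
        val = substr(line, n + RLENGTH)
        sub(/[ \t]+$/, "", val)
        if (key == "host") { report(); host = val; nocheck = 0; nullfile = 0 }
        else if (key == "stricthostkeychecking" && tolower(val) ~ /^(no|off|false)$/) nocheck = 1
        else if (key == "userknownhostsfile" && val == "/dev/null") nullfile = 1
    }
    END { report() }
    ' "$1"
}

write_sample() {       # $1 = output path; sample input for the audit
    cat > "$1" <<'EOF'
Host *+
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
ProxyCommand ssh proxy -- -tenant myself -host $(echo %h | sed -e 's?+virtual??g')

Host Proxy
Hostname proxy.hostname.com
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null

# constructed block, not from the thread: verification left on
Host audited
StrictHostKeyChecking yes
EOF
}

tmp=$(mktemp); write_sample "$tmp"; audit_ssh_config "$tmp"; rm -f "$tmp"
```

Blocks that leave verification on, like the constructed `audited` entry, produce no output.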
#5
01-10-2017, 11:46 AM
jdev
VanDyke Technical Support
Join Date: Nov 2003
Location: Albuquerque, NM
Posts: 937
Quote:
Originally Posted by mr.dk
I may have been confusing you with, 'firewall' or 'tunneling' it seems the connection i'm after is more of a ssh proxy. (below is a working configuration from CentOS7)
...
ProxyCommand ssh proxy -- -tenant myself -host $(echo %h | sed -e 's?+virtual??g')
Support for connecting to a secondary host through a primary host through something like OpenSSH's ProxyCommand is the feature request that has been added for you.

FYI.
--Jake

Tags
firewall , proxy , session chaining


All times are GMT -6. The time now is 07:47 AM.