Supporting Server on other side of NAT firewall?
Guys,

My company has been supporting Windows servers behind NAT firewalls by using MyPC for a couple of years. We want to start supporting SuSE boxes that same way. Does anyone know of a tool or technique for doing this? (We currently pay MyPC a $10/month/server fee and if there is an equivalent service for Linux boxes we would definitely consider it.) If there is not an existing solution to this problem, maybe SuSE should consider adding it to their list of purchased support options.

=== The issue

Assume the SuSE box allows telnet connections and that will give us all the access that we need. The trouble is that if the SuSE server is behind a customer firewall, we have no way to connect to it. I know that we could "open the firewall" for our needs, but I have been down that road before and it can get very politically difficult. We have found for Windows support, it is much cleaner to just pay the $10/month and get on with life.

=== The MyPC solution

A driver gets installed on the PC that causes a socket to be established to a central MyPC server at boot up. If we want to control the PC from our location, we connect to the MyPC central server and tell it which PC we want to talk to. The central server then sets up a dedicated socket for this communication, and performs IP forwarding on all the packets. The end result is that only the MyPC server has to be directly on the Internet. Both the controlled PC and the controlling PC can be behind firewalls.

Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com
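The relay model Greg describes (managed box dials out to a central server, support staff connect to that server, nobody needs an inbound firewall rule) can be built from OpenSSH alone. The script below is an added example, not code from the thread or from MyPC: it assumes a relay host `relay.example.com` with a dedicated `tunnel` account, one loopback port per customer box, and a constructed customer registry with placeholder public keys. It produces the relay-side `authorized_keys` that lets each customer key open only its own listener (`restrict` plus `permitlisten`, OpenSSH 7.8 or later), the dial-out command the customer box runs at boot, and the command support staff use to reach it through the relay.

```shell
#!/bin/sh
# Added example: an OpenSSH reverse-tunnel equivalent of a MyPC-style relay.
# relay.example.com, the "tunnel" and "support" accounts, the ports and the
# keys below are assumptions/constructed values, not from the thread.
set -eu

# Constructed registry, one line per managed box:
#   <customer-id> <relay-loopback-port> <key-type> <key-data>
CUSTOMER_REGISTRY='acme 2201 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYacme
globex 2202 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYglobex'

# Look up the relay port assigned to a customer id.
registry_port() {
    printf '%s\n' "$CUSTOMER_REGISTRY" | awk -v id="$1" '$1 == id { print $2; exit }'
}

# Relay side: ~tunnel/.ssh/authorized_keys. "restrict" turns off pty, agent/X11
# forwarding and command execution; only port forwarding is re-enabled, and
# permitlisten pins each key to its own loopback port so one customer cannot
# bind another customer's port or expose anything on the relay's public side.
relay_authorized_keys() {
    printf '%s\n' "$CUSTOMER_REGISTRY" | while read -r id port ktype kdata; do
        [ -n "$id" ] || continue
        printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s %s %s\n' \
            "$port" "$ktype" "$kdata" "$id"
    done
}

# Customer side: the outbound connection the managed box keeps open (run it
# from a service that restarts it). -N runs no remote command; the remote
# listener is bound to the relay's loopback only; ExitOnForwardFailure makes
# the process die (and get restarted) instead of sitting there useless if the
# port is already taken; keepalives tear down dead sessions through the NAT.
customer_tunnel_cmd() {
    port=$(registry_port "$1")
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -i /etc/support/tunnel_key -R 127.0.0.1:%s:127.0.0.1:22 tunnel@relay.example.com\n' "$port"
}

# Support side: jump through the relay (-J, OpenSSH 7.3+) to the loopback port
# that the customer box is holding open; 127.0.0.1 is resolved on the relay.
support_cmd() {
    port=$(registry_port "$1")
    printf 'ssh -J support@relay.example.com -p %s admin@127.0.0.1\n' "$port"
}

echo "# relay: ~tunnel/.ssh/authorized_keys"
relay_authorized_keys
echo "# customer acme runs at boot:"
customer_tunnel_cmd acme
echo "# support connects with:"
support_cmd acme
```

Only the relay needs a public address, which is the property Greg values in MyPC; the managed box authenticates to the relay with a key, and the support staff still authenticate to the managed box itself, so the relay never holds credentials for the customer system.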
On Mon, Jun 24, 2002 at 02:24:07PM -0400, Greg Freemyer wrote:
> Guys,
> My company has been supporting Windows servers behind NAT firewalls by using MyPC for a couple of years.
Why not use openssh? Yes, you have to open port 22 on the firewall and forward it to the world, but you can set up access using dsa keys, deny root logins, and use very long randomly generated passwords (which don't have to be used since you are authenticating with keys). You only need to forward to 1 server on the inside, then you can ssh from there to other internal servers. I manage several remote servers this way. Once in a while, someone will rattle port 22, but then they go somewhere else looking for easier targets.
> Assume the SuSE box allows telnet connections and that will give us all the access that we need.
Opening telnet is bad. I don't even use telnet on internal firewalled networks :)

Best Regards,
Keith
-- 
LPIC-2, MCSE, N+
Right behind you, I see the millions
Got spam? Get spastic http://spastic.sourceforge.net
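Keith's advice boils down to three sshd settings that must hold before port 22 is forwarded from the outside: root logins denied, password authentication off, key authentication on. The audit script below is an added example, not code from the thread; it reads an `sshd_config` the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, comments and blank lines ignored) and reports any setting that differs, using two constructed sample files. The sshd defaults it assumes when a keyword is absent are the modern OpenSSH ones; `Match` blocks are not evaluated, so a config that relies on them should be checked by hand.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings Keith's reply relies on.
# The sample configs and the temp-dir paths are constructed; the defaults
# assumed for absent keywords are those of current OpenSSH releases.
set -eu

# Effective value of a keyword: sshd takes the FIRST occurrence it sees.
#   $1 = config file, $2 = keyword, $3 = value to assume if the keyword is absent
sshd_effective() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        { k = tolower($1) }
        k == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# Prints one line per setting; returns 0 only if all three are as required.
audit_sshd_config() {
    f=$1; bad=0
    for want in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        key=${want% *}; expected=${want#* }
        case $key in
            PermitRootLogin) default=prohibit-password ;;            # OpenSSH 7.0+ default
            PasswordAuthentication|PubkeyAuthentication) default=yes ;;
        esac
        got=$(sshd_effective "$f" "$key" "$default")
        if [ "$got" != "$expected" ]; then
            printf 'FAIL  %s is %s (want %s)\n' "$key" "$got" "$expected"; bad=1
        else
            printf 'OK    %s %s\n' "$key" "$got"
        fi
    done
    return $bad
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a stock-looking config with root and password logins still on.
cat > "$WORK/weak.conf" <<'EOF'
# sshd_config (constructed sample, before hardening)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample: the hardened form. The trailing "PasswordAuthentication yes"
# is deliberately left in to show that only the first occurrence counts.
cat > "$WORK/hardened.conf" <<'EOF'
# sshd_config (constructed sample, after hardening)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
PasswordAuthentication yes
EOF

echo "== weak.conf"
audit_sshd_config "$WORK/weak.conf" || echo "not safe to forward port 22 to this host"
echo "== hardened.conf"
audit_sshd_config "$WORK/hardened.conf" && echo "ok to forward port 22 to this host"
```

Run it once against the real `/etc/ssh/sshd_config` of the box that will receive the forwarded port; `sshd -T` prints the fully resolved configuration and is the authoritative check when `Match` blocks or included files are in play.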