> On Mon, Jun 24, 2002 at 02:24:07PM -0400, Greg Freemyer wrote:
> > Guys,
> > My company has been supporting Windows servers behind NAT firewalls by using MyPC for a couple of years.
>
> Why not use openssh? Yes, you have to open port 22 on the firewall and forward it to the world, but you can set up access using dsa keys, deny root logins, and use very long randomly generated passwords (which don't have to be used since you are authenticating with keys). You only need to forward to 1 server on the inside, then you can ssh from there to other internal servers.
I have no problem with the security of what you're describing. The problem is that my company is _hoping_ to install a dedicated Intranet server into about 1000 different companies during the next 18 months. If the admin connection is initiated from outside the firewall into the intranet server, we potentially have 1000 different corporate firewalls to get re-configured. I really don't like that idea. If the admin connection is initiated from the intranet server out to a well-known support server, we can ignore most firewall issues.

Now that you bring up ssh, it does remind me that ssh has a VPN capability. I assume openssh does as well. Maybe I can install a central VPN router (i.e. just a dedicated SuSE box configured correctly) directly on the Internet, then configure the Intranet servers to use ssh to establish an outbound permanent connection to that VPN router. Then if I know the IP of the Intranet server I'm trying to get to, the VPN router box will forward my requests to the right box.

I'll have to think about that some more, but it sounds like the start of a plan. :)

Thanks for the memory jog.

Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com
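The outbound-initiated tunnel Greg sketches above (intranet server dials out to a central support box, admins reach the server back through that connection) is what OpenSSH calls a remote port forward (`ssh -R`). The script below is an added example written for this page, not code from the thread or from any product mentioned in it; it uses modern OpenSSH options (`restrict`, `permitlisten`, `-J`, available since OpenSSH 7.8/7.3) that did not exist in 2002. The hub name `hub.example.com`, the `tunnel` and `admin` accounts, port 2201 and the key path are all assumed. Each intranet server gets its own key and its own hub-side port, so the key can only ever bind the one port assigned to it and never gets a shell.

```shell
#!/bin/sh
# Added example: outbound reverse SSH tunnel from a customer's intranet server
# to a central support hub. All names and ports below are assumptions.

HUB_HOST="hub.example.com"        # assumed: the support box on the public Internet
HUB_USER="tunnel"                 # assumed: unprivileged hub account used only for tunnels
HUB_PORT="2201"                   # assumed: hub-side loopback port assigned to this customer
KEY="/etc/support/tunnel_key"     # assumed: per-server private key on the intranet server

# Command the intranet server runs (keep it alive with a supervisor or autossh).
#   -N                       no remote command, just the forward
#   -R 127.0.0.1:PORT:127.0.0.1:22  hub loopback PORT -> this server's sshd
#   ExitOnForwardFailure     exit (and get restarted) instead of idling when PORT is taken
#   ServerAlive*             notice a dead NAT mapping within ~90 s and reconnect
tunnel_cmd() {
  printf 'ssh -i %s -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o StrictHostKeyChecking=yes -R 127.0.0.1:%s:127.0.0.1:22 %s@%s\n' \
    "$KEY" "$HUB_PORT" "$HUB_USER" "$HUB_HOST"
}

# authorized_keys entry for that key on the hub. "restrict" turns everything off;
# "port-forwarding" re-enables forwarding and "permitlisten" limits it to the one
# loopback port this customer owns, so a compromised intranet server cannot bind
# another customer's port or open a shell on the hub.
authorized_keys_line() {
  pubkey="$1"
  printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",command="/bin/false" %s\n' \
    "$HUB_PORT" "$pubkey"
}

# Hub sshd_config: keys only, no root, and the tunnel account may only create
# remote forwards that bind loopback (GatewayPorts no).
hub_sshd_config() {
  cat <<EOF
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User $HUB_USER
    AllowTcpForwarding remote
    GatewayPorts no
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# How an admin reaches the intranet server: jump through the hub, then connect
# to the customer's loopback port. HostKeyAlias keeps each customer's host key
# under its own name; otherwise every server would be recorded as [127.0.0.1]:PORT
# and the known_hosts check would be meaningless.
admin_cmd() {
  customer="$1"   # label used only for the known_hosts entry
  printf 'ssh -o HostKeyAlias=%s -J admin@%s -p %s support@127.0.0.1\n' \
    "$customer" "$HUB_HOST" "$HUB_PORT"
}

# Usage: print the three artefacts for a given public key.
if [ "${1:-}" = "show" ]; then
  echo "# intranet server side:"; tunnel_cmd
  echo "# hub authorized_keys:";  authorized_keys_line "$(cat "$KEY.pub")"
  echo "# hub sshd_config:";      hub_sshd_config
  echo "# admin side:";           admin_cmd acme
fi
```

The failure mode to watch is the one `ExitOnForwardFailure` covers: without it, if the hub port is still held by a half-dead previous session the new `ssh` connects, silently fails to bind, and sits there looking healthy while the customer is unreachable. Run the tunnel under something that restarts it, and give each customer a distinct `HUB_PORT` so `permitlisten` actually isolates them.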